Web Application with Nginx Security PHP

Malsious and bots always looking for a point of weakness in your server, however, some basic weaknesses can be solved by our minimum guide line, which explained below. Attackers usually depending on your server headers as normally they are trying to find out more information, to know which path to take in case they are looking to hack your server. Another path, attackers would look into your web ability to do a quick changes into the main files like including uploaded file from the index file or maybe in your settings files , to do this process they need some permissions and the ability to upload or run scripts into your web server, and the minimum we knew about is running scripts in forms, fields and upload fields like images with a script instead of a real image, ex test.php.png. 

 

To avoid being an easy victom, you should follow the minimum security flows like hidding your headers, no servers infoemation exposed and more. I will go through the minimum security steps through this article, and please feel free to add comments and details if i missed some, or can help engineers/developers later on.

 

Starting with checking your server for the minimum exposed information, as OS, content-types, backlinks refrences to a settings or configs file or even your DB connection credentials and type. to start with this prevention we should start with our min config that would help us avoid indexing and sharing our source of codes and server infromation.

 

Minimum Prerequisites

**- Prerequisites for Limiting the Malicious attacks, we should limit the minimum amount of Malicious attacks from our Nginx 

1- Hide web server information, 

  • Make changes in Nginx’s default configuration

    etc/nginx/site.config

  • Add the required codes under the HTTP configuration section, as shown below

...

server {

    server_tokens off;

    ...

2- Protection Against Cross-Site Scripting, Clickjacking Attacks, Content-Type Sniffing

  • Make changes in Nginx’s default configuration

    etc/nginx/site.config

  • Add the required codes under the HTTP configuration section, as shown below

 

server {

    server_tokens off;

    add_header X-XSS-Protection "1; mode=block";

    add_header X-Frame-Options "SAMEORIGIN";

    add_header X-Content-Type-Options nosniff;

    ...

3- Admin IP based 

  • We should limit the admin pages access by our VPN ip addresses not open

server {

    server_tokens off;

    add_header X-XSS-Protection "1; mode=block";

    add_header X-Frame-Options "SAMEORIGIN";

    add_header X-Content-Type-Options nosniff;

    ...

 

    location /admin {

        # Allow all in 1.1.1.0/24 subnet

        allow 1.1.1.0/24;

        # Deny for everyone else

        deny all;

    }

....

3-  Empty Folders from indexing

  • We should hide our Empty Folders from indexing

 

Final Config should look like the code below

server {

    # Hide webserver information

    server_tokens off;

    # Protection Against Cross-Site Scripting

    add_header X-XSS-Protection "1; mode=block";

    # Protection Against Clickjacking Attacks

    add_header X-Frame-Options "SAMEORIGIN";

    # Protection Against Content-Type Sniffing

    add_header X-Content-Type-Options nosniff;

    ...

 

    # Deny all access from outside SVB VPN its to access Admin pages

    location /admin {

        # Allow all in 1.1.1.0/24 subnet

        allow 1.1.1.0/24;

        # Deny for everyone else

        deny all;

    }

 

    # Hide auto index

    location / {

        autoindex off;

    }

     

....

 

 

Now, let's talk about the web application itself, which can be MVC like Zend, Laravel, and more, or a CMS like WordPress, Drupal, Joomla and more. We should take care of the code base permissions and security, as one of the main weakness in any attack is the permissions of the files, which would effect the process in case of loading an effect file in all of your pages, like index or htaccess files in case of an apache server or maybe your public folder indexed empty folders which would show the source of codes.

 

Drupal Security and Permissions

1- Check all Folders to be 0755 as a starting point 

 

cd /root/before/web && find . -type d -exec chmod 755 {} \;

 

2- Check all files to be read for all but write only by the owner 0644

 

cd /root/before/web && find . -type f -exec chmod 644 {} \;

3- Now making sure that our exposed folders for Vendors,  Images, JS and CSS is open to be used as write and read

 

cd /root/before/web && chmod -R 0777 web/sites/default/files && chmod -R 0755 vendor

 

4- Now we are securing our Settings and credentials files

 

cd /root/before/web && chmod -R 0444 .htaccess  */.htaccess web/sites/default/settings.php web/index.php

 

Wordpress Security and Permissions

1- Check all Folders to be 0755 as a starting point 

 

cd /path/to/web && find . -type d -exec chmod 755 {} \;

 

2- Check all files to be read for all but write only by the owner 0644

 

cd /path/to/web && find . -type f -exec chmod 644 {} \;

3- Now making sure that our exposed folders for Vendors,  Images, JS and CSS is open to be used as write and read

 

cd /path/to/web && chmod -R 0777 wp-contents/wp-uploads && chmod -R 0755 vendor

 

4- Now we are securing our Settings and credentials files

 

cd /path/to/web && chmod -R 0444 .htaccess  */.htaccess wp-settings.php  index.php

 

 

Laravel Security and Permissions

1- Check all Folders to be 0755 as a starting point 

 

cd /path/to/web && find . -type d -exec chmod 755 {} \;

 

2- Check all files to be read for all but write only by the owner 0644

 

cd /path/to/web && find . -type f -exec chmod 644 {} \;

3- Now making sure that our exposed folders for Vendors,  Images, JS and CSS is open to be used as write and read

 

cd /path/to/web && chmod -R 0777 storage bootstrap/cache && chmod -R 0755 vendor

 

4- Now we are securing our Settings and credentials files

 

cd /path/to/web && chmod -R 0444 .htaccess  */.htaccess .env public/index.php

 

 

Other web applications Security and Permissions

1- Check all Folders to be 0755 as a starting point 

 

cd /path/to/web && find . -type d -exec chmod 755 {} \;

 

2- Check all files to be read for all but write only by the owner 0644

 

cd /path/to/web && find . -type f -exec chmod 644 {} \;

3- Now making sure that our exposed folders for Vendors,  Images, JS and CSS is open to be used as write and read

 

cd /path/to/web && chmod -R 0777 public-storage-folder && chmod -R 0755 vendor

 

4- Now we are securing our Settings and credentials files

 

cd /path/to/web && chmod -R 0444 .htaccess  */.htaccess  config.php .env  index.php

 

 

Thank you, please leave your comments and suggestions.

By: Mutasem Elayyoub