Preventing common attacks, including DDoS and brute force attacks, requires a combination of strategies at different layers of your infrastructure. These steps are crucial for maintaining the availability and performance of your Nginx web server.
Here are some steps you can take specifically with Nginx to enhance your server's security:
ngx_http_limit_req_module (rate limiting):
This module is designed to limit the request rate from a single IP address. The module uses a token bucket algorithm to control the rate of incoming requests. Clients are given tokens at a certain rate, and a token is consumed for each request. Once a client runs out of tokens, additional requests are delayed or rejected.
http {
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s;

    server {
        location / {
            limit_req zone=mylimit burst=10;
            # Other location configurations...
        }
    }
}
In this example, the request rate is limited to 5 requests per second per IP address, with a burst limit of 10 requests.
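To make the bucket behaviour concrete, here is an added Python simulation (not part of the original page or of nginx) of the per-request decision limit_req makes, modelled on the excess/leak bookkeeping nginx keeps per key, using the page's rate=5r/s and burst=10. The address 203.0.113.7 and the request timeline are constructed for the demonstration.

```python
"""Simulation of the nginx limit_req decision: leak at `rate`, queue up to `burst`."""
from dataclasses import dataclass, field


@dataclass
class LimitReq:
    """Models `limit_req_zone ... rate=<rate>r/s;` plus `limit_req burst=<burst> [nodelay];`."""
    rate: float            # allowed requests per second, e.g. 5 for rate=5r/s
    burst: int = 0         # extra requests that may queue before a 503 is returned
    nodelay: bool = False  # serve queued requests immediately instead of pacing them
    # per-key state, as nginx keeps per $binary_remote_addr: (excess, last_seen)
    _state: dict = field(default_factory=dict)

    def check(self, key: str, now: float) -> tuple[str, float]:
        """Return ("ok" | "delayed" | "rejected", delay_seconds) for one request."""
        if key not in self._state:
            # first request from this key: nothing in the bucket yet
            self._state[key] = (0.0, now)
            return "ok", 0.0
        excess, last = self._state[key]
        # leak what the rate allowed since the last request, then count this request
        excess = max(0.0, excess - self.rate * (now - last) + 1.0)
        if excess > self.burst:
            # bucket full: nginx answers 503 (limit_req_status) and leaves state unchanged
            return "rejected", 0.0
        self._state[key] = (excess, now)
        if excess > 0 and not self.nodelay:
            # queue the request until it fits under the rate
            return "delayed", excess / self.rate
        return "ok", 0.0


def simulate(limiter: LimitReq, key: str, times: list[float]) -> dict:
    """Run a request timeline through the limiter and tally the outcomes."""
    tally = {"ok": 0, "delayed": 0, "rejected": 0, "max_delay": 0.0}
    for t in times:
        verdict, delay = limiter.check(key, t)
        tally[verdict] += 1
        tally["max_delay"] = max(tally["max_delay"], delay)
    return tally


if __name__ == "__main__":
    # constructed traffic: 15 requests from one address in the same millisecond,
    # then one more after a 3 s pause
    flood = [0.0] * 15 + [3.0]
    print("burst=10        ", simulate(LimitReq(rate=5, burst=10), "203.0.113.7", flood))
    print("burst=10 nodelay", simulate(LimitReq(rate=5, burst=10, nodelay=True), "203.0.113.7", flood))
```

With the page's settings, 11 of the 15 simultaneous requests get through (one immediately, ten queued for up to 2 s) and four are rejected; adding nodelay serves the same 11 at once, so burst controls how many are admitted and nodelay only controls pacing.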
ngx_http_limit_conn_module (connection limiting):
This module is used to limit the number of simultaneous connections from a single IP address. It tracks the number of active connections for each IP address. If the connection limit is exceeded, additional connection attempts are delayed or denied.
http {
    limit_conn_zone $binary_remote_addr zone=myconnlimit:10m;

    server {
        location / {
            limit_conn myconnlimit 20;
            # Other location configurations...
        }
    }
}
In this example, the number of simultaneous connections from a single IP address is limited to 20.
Notes:
- Adjust the rate and connection limits based on your server's capacity and expected traffic patterns. Conduct load testing to determine appropriate values.
- Regularly monitor server metrics and adjust the configuration as needed to adapt to changing traffic conditions.
- Thoroughly test your configuration to ensure that it effectively mitigates HTTP flood attacks without adversely affecting legitimate users.
IP Whitelisting:
Allow access only from known, trusted IP addresses and block access from all other IP addresses. This approach is suitable for situations where you have a small set of users who need access to your server.
location / {
    allow 192.168.1.1;
    deny all;
    # ...
}
GeoIP filtering:
If your website is region-specific, consider using GeoIP filtering to block traffic from certain countries or regions known for malicious activities.
http {
    # ...
    geoip_country /path/to/GeoIP.dat;

    map $geoip_country_code $allowed_country {
        default yes;
        RU      no;   # Example: Block traffic from Russia
    }

    server {
        # ...
        location / {
            if ($allowed_country = no) {
                return 403;
            }
            # ...
        }
    }
}
Secure Headers:
Use security headers to enhance browser security. These headers are typically placed within the server block or specific location blocks:
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
- X-Content-Type-Options: "nosniff"
This header prevents browsers from interpreting files as a different MIME type than declared in the Content-Type header. It reduces the risk of attacks such as MIME-sniffing, where a browser may attempt to interpret a file as a different type than intended, potentially leading to security vulnerabilities.
- X-Frame-Options: "SAMEORIGIN"
Prevents the browser from embedding the web page in an iframe unless the site embedding it is from the same origin. This header helps protect against clickjacking attacks by ensuring that your web page is not embedded in an iframe on an attacker's site. It restricts where your site can be framed, enhancing security.
- X-XSS-Protection: "1; mode=block"
Enables the browser's built-in Cross-Site Scripting (XSS) filter. This header instructs the browser to activate its XSS filter, which helps prevent certain types of XSS attacks. If the filter detects a potential XSS attack, it will block the rendering of the page, mitigating the risk of malicious script injection.
Notes:
- Consider using a cloud-based DDoS protection service that can absorb and mitigate large-scale attacks before they reach your server. Services like Cloudflare, Akamai, or AWS Shield can provide additional layers of protection.
- Implement a Web Application Firewall to filter and block malicious traffic based on predefined rules. Some cloud providers and security services offer WAF functionality.
- Use Fail2Ban to automatically ban IP addresses that show malicious behavior, such as multiple failed login attempts or other suspicious patterns. Although primarily used for securing SSH, it can be configured to monitor Nginx logs as well.
Remember that DDoS attack patterns and techniques evolve, so it's essential to stay updated on the latest threats and continuously adjust your defense strategies accordingly. Combining multiple layers of defense will help create a more robust security posture for your Nginx server.