Skip to content
Enforce HTTPS for secure connections.Restrict access to specific resources (/report.html) by IP address.Implement custom error pages for better user experience and troubleshooting.Hide server version information for security.Log access and errors in a detailed and structured format.Optimize performance through NGINX best practices.
Set User and Worker Processes:Why: Defines the NGINX user (www-data) and automatically adjusts worker processes based on available CPU cores for optimal performance.Configuration:
Optimize Events Block:Why: Configures event handling for high-performance and multi-acceptance connections.Configuration:
Hide Server Tokens:Why: Prevents exposing the NGINX version in responses, reducing the risk of targeted attacks.Configuration:
Logging:Why: Structured access and error logs help in troubleshooting and analytics.Configuration:
Performance Optimizations:Why: Improves file transfer performance and reduces latency.Configuration:
Restrict Access to /report.html:Why: Limits access to sensitive resources based on IP addresses for added security.Configuration:
Redirect All HTTP Traffic to HTTPS:Why: Ensures all traffic is encrypted and secure.Configuration:
Custom Error Page for 403 Forbidden:Why: Provides a user-friendly response for restricted access attempts.Configuration:
Enable SSL for Secure Connections:Why: Protects data in transit using SSL certificates.Configuration:
Custom Error Pages for 403 and 404:Why: Provides user-friendly error responses for restricted and not-found resources.Configuration:
Restrict Access to /report.html:Configuration:
Fallback Location for General Requests:Why: Serves the requested resource or returns a 404 error if not found.Configuration:
Security Enhancements:IP-based restrictions and hidden server tokens reduce attack surfaces.HTTPS ensures secure communication.User-Friendly Error Handling:Custom error pages provide better user experience and debugging support.Performance Optimization:Efficient event handling and file transfer mechanisms improve server responsiveness.Simplified Maintenance:Structured logs enable easier troubleshooting and analytics.
Save Configuration: Save the updated configuration to /etc/nginx/nginx.conf.Test Configuration: Run the following command to validate:
Reload NGINX: Apply the changes:
IP-Based Restriction:Restricts access to /report.html to specific IPs while denying all others.Custom Error Pages:403: Custom error page displayed for forbidden access.404 and 50x: User-friendly pages for missing resources or server errors.HTTPS Enforcement:All HTTP traffic is redirected to HTTPS for secure connections.Performance Optimizations:Includes optimizations like sendfile, tcp_nopush, and tcp_nodelay for better performance.Secure Logging:Configures structured logging with access and error logs for debugging.Hides Server Version:server_tokens off ensures that NGINX version details are not exposed.
Save the Configuration: Copy the above content into the file /etc/nginx/nginx.conf.Test Configuration: Run:
Ensure the output shows:
Reload NGINX: Apply the configuration:
Verify Functionality:Access http://www.wisewalletai.com to confirm HTTPS redirection.Access /report.html from an allowed IP to verify restricted access.Test custom error pages (403, 404, 50x).
Reason: This rule prevents accidental lockout by ensuring SSH access is always allowed.
Reason: These rules ensure the web server can handle incoming web traffic.
Limit New Connections to 10/s:
Restrict Concurrent Connections to 20:
Reason: These rules prevent abusive traffic while allowing legitimate users to access the server.
Share
Explore
Security Configuration and Implementation Report
NGINX Configuration Documentation
Overview
This document provides a detailed explanation of the changes and enhancements made to the NGINX configuration for the www.wisewalletai.com server. The configuration focuses on optimizing security, performance, and access control. It includes the implementation of IP-based restrictions, HTTPS enforcement, custom error pages, and efficient logging for better debugging and maintenance.
1. Objectives
2. Configuration Changes
2.1 General Configuration
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
2.2 HTTP Block
server_tokens off;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 15;
2.3 HTTP Server Block
location /report.html {
root /usr/share/nginx/html;
index report.html;
allow 206.84.167.234;
allow 84.68.111.180;
deny all;
}
location / {
return 301 https://$host$request_uri;
}
error_page 403 /custom_403.html;
location = /custom_403.html {
root /usr/share/nginx/html;
internal;
}
2.4 HTTPS Server Block
ssl_certificate /etc/ssl/wisewalletai/wisewalletai.com_ssl_certificate.cer;
ssl_certificate_key /etc/ssl/wisewalletai/_.wisewalletai.com_private_key.key;
error_page 403 /custom_403.html;
location = /custom_403.html {
root /usr/share/nginx/html;
internal;
}
error_page 404 /404.html;
location = /404.html {
root /usr/share/nginx/html;
internal;
}
location /report.html {
root /usr/share/nginx/html;
index report.html;
allow 206.84.167.234;
allow 84.68.111.180;
deny all;
}
location / {
try_files $uri $uri/ =404;
}
3. Key Benefits
4. Deployment Instructions
sudo nginx -t
sudo systemctl reload nginx
Here is the entire NGINX configuration file rewritten for www.wisewalletai.com, reflecting all the discussed enhancements:
Complete nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
# Hide server version
server_tokens off;
# Log format for access logs
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
# Basic performance optimizations
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 15;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
# HTTP server block
server {
listen 80;
server_name www.wisewalletai.com;
# Custom error page for 403 Forbidden
error_page 403 /custom_403.html;
location = /custom_403.html {
root /usr/share/nginx/html;
internal;
}
location /report.html {
root /usr/share/nginx/html;
index report.html;
# Restrict access by IP
allow 206.84.167.234;
allow 84.68.111.180;
deny all;
}
# Redirect all other HTTP traffic to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS server block
server {
listen 443 ssl;
server_name www.wisewalletai.com;
ssl_certificate /etc/ssl/wisewalletai/wisewalletai.com_ssl_certificate.cer;
ssl_certificate_key /etc/ssl/wisewalletai/_.wisewalletai.com_private_key.key;
root /usr/share/nginx/html;
index index.html report.html;
# Custom error page for 403 Forbidden
error_page 403 /custom_403.html;
location = /custom_403.html {
root /usr/share/nginx/html;
internal;
}
location /report.html {
root /usr/share/nginx/html;
index report.html;
# Restrict access by IP
allow 206.84.167.234;
allow 84.68.111.180;
deny all;
}
location / {
try_files $uri $uri/ =404;
}
error_page 404 /404.html;
location = /404.html {
root /usr/share/nginx/html;
internal;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
internal;
}
}
}
Key Features in This Configuration
Instructions for Deployment
sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
sudo systemctl reload nginx
This is a complete, production-ready configuration tailored to the requirements of www.wisewalletai.com. Let me know if further refinements are needed! 🚀
Objective
This report documents the setup of Suricata (IDS/IPS), Fail2Ban (anti-brute-force), and iptables (firewall rules) on the server. The goal was to enhance server security while maintaining accessibility for legitimate users.
1. iptables Configuration
1.1 Allow SSH Access
To ensure uninterrupted access to the server, SSH traffic was prioritized and explicitly allowed through iptables.
Command Implementation:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
1.2 Allow HTTP and HTTPS Traffic
To serve the website and GoAccess report, HTTP (port 80) and HTTPS (port 443) traffic were allowed.
Command Implementation:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
1.3 Rate Limiting and Connection Limits
To mitigate DDoS attacks and prevent resource exhaustion, rate limiting and connection limits were implemented.
Command Implementation:
sudo iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn -j DROP
sudo iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above 20 -j DROP
1.4 Log Dropped Packets (Optional)
To monitor dropped packets for debugging purposes:
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
1.5 Save iptables Rules
To persist iptables rules across reboots:
sudo iptables-save > /etc/iptables/rules.v4
2. Fail2Ban Configuration
2.1 Installation
Fail2Ban was installed to protect the server against brute-force attacks on SSH and NGINX.
Command Implementation:
sudo apt install fail2ban -y
2.2 Jail Configuration
Fail2Ban was configured to monitor SSH and NGINX logs for suspicious activity.
Jail File: /etc/fail2ban/jail.local
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600
Want to print your doc?
This is not the way.
This is not the way.
Try clicking the ··· in the right corner or using a keyboard shortcut (
CtrlP
) instead.