
Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

Eyal Estrin
  1. Log in to the server using the root account.

  2. Create a new account for Nginx:

    groupadd nginx
    useradd -g nginx -d /dev/null -s /sbin/nologin nginx

  3. Mount the RHEL 5.4 DVD and move to the RPM folder:

    mount /dev/hdc /media
    cd /media/Server

  4. Before compiling the Nginx environment, install the following RPMs:

    rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-42.x86_64.rpm
    rpm -ivh glibc-devel-2.5-42.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm

  5. Download Nginx 0.7.65 from: http://wiki.nginx.org/NginxInstall

  6. Copy the Nginx 0.7.65 source files using PSCP (or SCP) into /tmp

  7. Move to /tmp:

    cd /tmp

  8. Extract the nginx-0.7.65.tar.gz file:

    tar -zxvf nginx-0.7.65.tar.gz

  9. Move to the Nginx source folder:

    cd /tmp/nginx-0.7.65

  10. Edit the file /tmp/nginx-0.7.65/src/http/ngx_http_header_filter_module.c with vi and replace the following section, so that the Server response header no longer reveals the product name and version.

    From:

    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

    To:

    static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
    static char ngx_http_server_full_string[] = "Server: Secure Web Server" CRLF;

  11. Run the commands below to configure, compile and install Nginx (with the SSL module, and without the autoindex and SSI modules):

    ./configure --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module
    make
    make install

  12. Remove the Nginx source files:

    rm -rf /tmp/nginx-0.7.65
    rm -f /tmp/nginx-0.7.65.tar.gz

  13. Remove the default content:

    rm -rf /usr/local/nginx/html

  14. Update ownership and permissions on the Nginx folders:

    chown -R root:root /usr/local/nginx
    chmod 750 /usr/local/nginx/sbin/nginx
    chmod -R 640 /usr/local/nginx/conf
    chmod -R 770 /usr/local/nginx/logs

  15. Create the folder for the web content:

    mkdir -p /www

  16. Update ownership and permissions on the web content folder:

    chown -R root /www
    chmod -R 775 /www

  17. Edit the file /usr/local/nginx/conf/nginx.conf with vi and change the following settings (replace Server_FQDN with the server's fully qualified domain name):

    From: #user nobody;
    To:   user nginx nginx;

    From: #error_log logs/error.log notice;
    To:   error_log logs/error.log notice;

    From: server_name localhost;
    To:   server_name Server_FQDN;

    From: root html;
    To:   root /www;

  18. Add the following directives to the end of the /usr/local/nginx/conf/nginx.conf file (they are valid in the http, server and location contexts, so they must sit inside the http { ... } block rather than after its closing brace, or nginx -t will reject the file):

    server_tokens off;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;

  19. Create the file /etc/init.d/nginx with vi, with the following content:

    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig:   - 85 15
    # description:  Nginx is an HTTP(S) server, HTTP(S) reverse \
    #               proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config:      /etc/nginx/nginx.conf
    # config:      /etc/sysconfig/nginx
    # pidfile:     /var/run/nginx.pid
    # (the config and pidfile lines are informational; the paths actually
    #  used by this script are the /usr/local/nginx ones set below)

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/sbin/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    start() {
        # Refuse to start without an executable binary and a config file.
        [ -x $nginx ] || exit 5
        [ -f $NGINX_CONF_FILE ] || exit 6
        echo -n $"Starting $prog: "
        daemon $nginx -c $NGINX_CONF_FILE
        retval=$?
        echo
        [ $retval -eq 0 ] && touch $lockfile
        return $retval
    }

    stop() {
        echo -n $"Stopping $prog: "
        # QUIT asks nginx for a graceful shutdown (finish in-flight requests).
        killproc $prog -QUIT
        retval=$?
        echo
        [ $retval -eq 0 ] && rm -f $lockfile
        return $retval
    }

    restart() {
        # Never take the server down on a config that would not come back up.
        configtest || return $?
        stop
        sleep 1
        start
    }

    reload() {
        configtest || return $?
        echo -n $"Reloading $prog: "
        killproc $nginx -HUP
        RETVAL=$?
        echo
    }

    force_reload() {
        restart
    }

    configtest() {
        $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
        status $prog
    }

    rh_status_q() {
        rh_status >/dev/null 2>&1
    }

    case "$1" in
        start)
            rh_status_q && exit 0
            $1
            ;;
        stop)
            rh_status_q || exit 0
            $1
            ;;
        restart|configtest)
            $1
            ;;
        reload)
            rh_status_q || exit 7
            $1
            ;;
        force-reload)
            force_reload
            ;;
        status)
            rh_status
            ;;
        condrestart|try-restart)
            rh_status_q || exit 0
            ;;
        *)
            echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
            exit 2
    esac

  20. Make the file /etc/init.d/nginx executable:

    chmod +x /etc/init.d/nginx

  21. To start the Nginx service at server start-up, run the command:

    chkconfig nginx on

  22. To manually start the Nginx service, use the command:

    /etc/init.d/nginx start

  23. Uninstall the following RPMs (the compiler and headers are no longer needed once Nginx is built):

    rpm -e gcc-4.1.2-46.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-42
    rpm -e glibc-headers-2.5-42
    rpm -e kernel-headers-2.6.18-164.el5
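Once the steps are done, it is worth checking that the server actually ended up in the state the guide describes. The audit script below is an added example and not part of the original guide; `audit_conf`, `audit_perms`, `check_mode` and `REQUIRED_DIRECTIVES` are my own names. It verifies the nginx.conf directives from steps 17 and 18 and the file modes from step 14, assuming the default /usr/local/nginx install prefix used throughout.

```shell
#!/bin/sh
# Post-install audit for the guide above (added example, not part of the
# original guide; function names are mine). Source it on the server, then:
#   audit_conf /usr/local/nginx/conf/nginx.conf && audit_perms /usr/local/nginx

# The user directive from step 17 plus every directive added in step 18.
REQUIRED_DIRECTIVES='user nginx
server_tokens off
client_body_buffer_size 1K
client_header_buffer_size 1k
client_max_body_size 1k
large_client_header_buffers 2 1k
client_body_timeout 10
client_header_timeout 10
send_timeout 10'

# audit_conf FILE: print each required directive that is absent or present
# only in a comment (the stock file ships "#user nobody;"); returns 1 when
# anything is missing, 0 when the file carries all of them.
audit_conf() {
    stripped=$(sed 's/#.*$//' "$1"); missing=0
    oldifs=$IFS; IFS='
'
    for d in $REQUIRED_DIRECTIVES; do
        # Value must end at whitespace or ';' so "send_timeout 100;" is not a hit.
        pat=$(printf '%s' "$d" | sed 's/ /[[:space:]]+/g')
        if ! printf '%s\n' "$stripped" | grep -Eiq "^[[:space:]]*$pat([[:space:]]|;)"; then
            echo "missing directive: $d"; missing=1
        fi
    done
    IFS=$oldifs
    return $missing
}

# check_mode PATH OCTAL: compare the mode of PATH with the value set in step 14.
check_mode() {
    actual=$(stat -c '%a' "$1") || { echo "cannot stat $1"; return 1; }
    [ "$actual" = "$2" ] || { echo "$1: mode $actual, expected $2"; return 1; }
}

# audit_perms PREFIX: verify the three modes from step 14 under the install
# prefix (/usr/local/nginx); ownership (root:root) is not checked here.
audit_perms() {
    bad=0
    check_mode "$1/sbin/nginx" 750 || bad=1
    check_mode "$1/conf" 640 || bad=1
    check_mode "$1/logs" 770 || bad=1
    return $bad
}
```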