How to Harden NginX Security

While there are many ways to harden the security of your NginX server with peripheral applications like Google PAM, OSSEC, Fail2Ban and SNORT, the best place to start is probably the default security policies that are implemented natively in NginX and in your Linux distro. In this instance, we’ll be bolstering the security of NginX only.

To keep things clean and easily readable, my own best practice is to keep security policies in their own separate .conf files, so in this example we’ll create the policies the same way.

First we’ll create a new file with the Nano editor and call it sec.conf. We’ll place this file in the NginX folder located at /etc/nginx/common:

sudo nano /etc/nginx/common/sec.conf

Inside this file we’re going to add 8 security policies to guard against some of the most common threats. You’ll note that I use return 404 for all of them. This is because returning specific error codes tells an attacker more about what exists on the server than you probably want them to know, whereas a 404 makes a blocked request look like any other missing page. You’ll need to copy and paste each one so that the end result looks like figure #9:
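As an added illustration of the layout such a file takes (these are example rules written for this page, not the author's eight policies from figure #9), the snippet below contrasts the weak form of a rule, deny all, which answers 403 and so confirms that the path exists, with the hardened form that answers 404. The file patterns and allowed methods are assumptions for illustration, and the include line assumes your site's server block is where you pull sec.conf in.

```nginx
# Added example of the /etc/nginx/common/sec.conf layout described above.
# These rules are illustrative, not the author's eight policies.
# Pulled into a site's server { } block with:
#     include /etc/nginx/common/sec.conf;

# Weak form: "deny all" answers 403, which confirms the path exists.
# location ~ /\.(git|svn|hg|env) { deny all; }

# Hardened form: the same requests look like any other missing page.
location ~ /\.(git|svn|hg|env) {
    return 404;
}

# Editor, backup and dump files that leak source or credentials
# if they are left behind in the webroot.
location ~* \.(bak|old|orig|save|swp|sql|log)$ {
    return 404;
}

# Request methods this site does not use; a 405 would advertise
# which methods are allowed, so answer 404 instead.
if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 404;
}
```

Run sudo nginx -t after saving to check the syntax, then sudo systemctl reload nginx to apply it.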