Linux Security - Securing Nginx

Captions
Before we get started with today's video, I just want to take you through the structure of this particular series. I've actually partnered with Linode to bring you this series, and it will involve two parts. If you head over to linode.com under Events, you should find the HackerSploit Linode Live Linux Server Security series, and you can just click on More Info here. This is going to be a 12-part series on how to set up, secure and audit Linux servers, and we'll begin on the 1st of October. The first series will be available on YouTube and will include SSH security essentials, configuring sudo access, securing Apache 2, securing nginx and the Uncomplicated Firewall. The second part of the series will be hosted on Linode Live and it's absolutely free; you don't have to pay anything, and you can actually register for that there. This is going to be an advanced series that will build off the first series, and we'll cover things like brute-force protection, iptables, WordPress security and security auditing on Linux with the Lynis tool. To access that, just click on the registration link on the ON24 platform and that'll take you here. That'll give you an idea of all the various webcasts and when they're going to be posted, and it'll give you a summary of what will be covered exactly. These are advanced webcasts that will be about 40 minutes, and you can register for them absolutely free of charge.

We've also partnered with Linode to give you guys a free credit, so again, if you are interested in using Linode for your virtual private server or for your hosting, whether you're a developer or an administrator, you can get a hundred dollars of 90-day credit, and this is for new accounts. So that's fantastic; definitely do take advantage of this if you're getting started with Linux or you're following along with this series. However, make sure to actually redeem this offer or this code, which is under promo.linode.com, and the code is hackersploit100. This offer will only be limited till the 15th of December, so definitely check that out. That being said, let's get started with today's video.

Hey guys, HackerSploit here, back again with another video. Welcome back to the Linux security series. In this video I'm going to be showing you how to set up and secure nginx. Now nginx and Apache are very similar, but again slightly different in terms of the way they're designed and the way they work. Apache is much more popular (I was about to say successful, but it's much more popular), much more widely adopted than nginx. nginx is more of an upcoming piece of technology that is gaining a lot of traction and momentum, so it's worthwhile to know how nginx works, how to configure it and how to secure nginx from basic security misconfigurations. And then of course, as I mentioned, we'll be talking about web application firewalls like ModSecurity and how they can be integrated with nginx and Apache in the next videos. These videos are just focusing on getting nginx up and running and ensuring that it's as secure as possible right out of the box.

That being said, our WordPress server that we set up was using the LAMP stack, so it's using Apache by default. That means we're going to have to create our own Linode, and we'll just set up a Linode quickly here and install nginx manually. For our base operating system I'll just use Ubuntu by default, Ubuntu 20.04; for the region we can stick with Atlanta; and for the actual plan I'll stick with a Nanode, that's perfectly fine. We'll just call this nginx-security, and I'll specify a root password. Again, we're just creating another Linode so that I can actually demonstrate how to install it and how to configure it, because nginx needs a bit of configuration right as soon as you install it. So we'll just hit Create here, and I'm just going to let this provision the Linode for us, and after it's done that we can get started with installing nginx. We'll also take a look at how to set up authentication using a username and password, similar to what we did with Apache. So I'm just going to let this boot up.

All right, so the Linode is created, and I'll just copy the IP right over here and we'll try and log in via SSH. So I'll just say ssh root@ and specify the IP address right over here; it's going to ask us to add it to the known hosts, we'll do that, specify the password I had set earlier, and we should be able to log in. There we are.

So the first thing I'm going to do is install nginx, and we'll also install the Apache 2 utilities, which will allow us to use the htpasswd utility. So what I'm going to do now is sudo apt update first of all, we'll update our repositories, and then we say apt install nginx apache2-utils, and that's very simple to install as well. We're just going to let this run. After we set up the installation, I'm just going to explain to you how nginx works, the default directory and the default configuration file. So again, we're just going to let this complete installing; it shouldn't take too much time at all. After it's completed installing, I'll enable the service so it runs on startup, and then we'll start the nginx service. To enable the service we'll just say systemctl enable nginx, like so, and that's going to enable it. We then want to start the service, so we say systemctl start nginx, and you can see it's going to tell you where we need to actually correct that, so it's nginx, there we are. We can then check the status, and the status tells us that it's active and running.

So we can actually test this out and see whether nginx is currently running on the IP. We paste this and hit Go, and you can see it tells us "Welcome to nginx! If you see this page, the nginx web server is successfully installed and working. Further configuration is required."

So the important thing to understand about nginx is that you need to work with the configuration quite a bit to specify exactly how you want your environment. By default, the default directory where you'll be storing your web applications or your HTML files will be under /var/www/html. That is the actual default directory, and you can see we have the index.nginx-debian.html file, which is the file currently being displayed. So for example I can remove the file and again it would change, and I would then not be able to access any particular file on the server.

That being said, as I said earlier on, nginx is very similar to Apache in that firstly the configuration file lies within the /etc folder, but that's the same for almost all Linux utilities. Of course, if I say vim /etc/nginx and we then look for the nginx.conf file and I open that up, you can see there's a ton of options that we need to configure here. Now, by default nginx will work with the default configuration that you can see right now and you can use it that way, but that's not recommended. The first thing we want to do is go all the way to the bottom and get rid of the mail section, because we don't need that at the moment. So I'll just get rid of that: I'll specify visual mode and hit delete, because we don't need that. We'll also get rid of the virtual host configs here, and of course if you're going to use your own virtual host configurations you can do that. I'll be configuring mine here, so that's just going to specify include /etc/nginx/conf.d, and we'll just get rid of that, or you can just comment them if you don't want to use them right now.

Now the thing about nginx is we need to specify our server; we need to specify the server option and the actual directory. The way we do this is, if we just scroll all the way to the top here, you can see nginx sorts it out into http, so that's the service; we know this is a web server so it's using HTTP. We then specify the server and then the server options, and after that we specify the location, similar to the directory on Apache. The best way to explain this is to actually just take you through it. All these are the options that you can configure regarding SSL, logging options, gzip, etc. We'll take a look at the virtual host configs, and we're going to go all the way to the bottom of it here, and this is where we add our server option. So we say server and we use two curly braces and open that up, like so. We'll just indent that, and you want to make sure that you indent your code so that it matches. So the first option we need to provide within the server configuration is the port we want nginx to listen on. The option name is listen, then we use the Tab key and we then specify the port; so for example right now nginx is currently using port 80. I can also specify port 8080 if I want, but for now let's leave it at port 80. The second option we can specify is the server name, so we say server_name is going to be localhost, and we'll just leave the default settings as they are; that is pretty much the de facto option there.

We then provide the location, which is where we specify the root directory that we want to use as opposed to the default one. To do this I'll just indent right over here and we then say location, and then we use two curly braces as well, because this is where we specify the location. I'll just indent that as well, and within the location we specify the root directory. So the root directory is going to be /var/www/html, and we use the semicolon to terminate that command there. We can also specify the location here, so /var/www/html, so that we know what directory this is referencing. So that is the location.

Now we can actually test this out, so I'll save and quit and we'll restart nginx: systemctl restart nginx and hit Enter. It's going to tell us we have an error here, so I'll just check out if we have any potential errors. Within the server name, yeah, I think that's the issue here: we need to use an underscore here, so server_name _. I'll quit and we can then restart the service, and it's always important to restart the service after you've made changes so that you can test them out. So if I now restart, you can see it's going to work, because we haven't changed anything. If we want to see if our new configuration is working and active, we can change for example the default port to something like 8080, and let's see if that actually registers. So if we write and quit and we restart the service, we can see that when we refresh it on port 80 it's not going to work, so we can actually just say port 8080 here and now that works; the web server is currently listening on port 8080. So we know that our configuration is working. I'll just change that back to port 80, and we can get started with the basic security configurations that we can work with. So I'll just write and quit and restart the service here.

Let's get started with our first vulnerability. Now, as I mentioned with Apache, one of the main issues is giving out too much information, and web servers are notorious for this. With nginx, if I try and access a directory that I'm not supposed to access, for example /uploads, which doesn't exist (I'm just using an example), you can see that it gives us a very interesting banner or response. It tells us "404 Not Found", which isn't interesting, but a user is able to tell what version of nginx is running and the host operating system, which is a huge security leak, because now the attacker can use this information to target their attacks more efficiently. So we want to get rid of this. The first thing we want to do is go into the configuration file and disable server tokens; server_tokens will just get rid of all the information that is passed through the server token, so we just get rid of server tokens. We can also disable the server signature, in this case the nginx banner, by going right over here, before the virtual host configs, and we can just add our option right over here. So I'll just go back a step and we'll add the options here. The first option we want to add is to make sure server_tokens is off, which we've already done. We then can specify proxy_hide_header, and that's going to hide the header, and we then disable X-Powered-By. We can also disable clickjacking attacks by specifying the actual host as the origin. So proxy_hide_header X-Powered-By will disable the signature, and then we say add_header, we then specify X-Frame-Options, and the option is going to be the origin, SAMEORIGIN, right over here. There we are, and we use the semicolon; that's very important. That's going to prevent the server, or protect us, from clickjacking attacks. Now this is very, very basic stuff; when we set up ModSecurity, things are going to get much more interesting. Okay, so these are just the basic options that we can add here. Now if we save and restart the server, systemctl restart nginx, and we try and reload this web page, you can now see that it only displays nginx: it does not display the version number, nor does it display the operating system that's being used. Fantastic.

We can now take a look at how to configure access. Access is very important, so for example we can allow or deny access to various IP addresses. If I go to the location right over here, I can specify what IP addresses are allowed to access the server. This is great for administrators who want to protect their server from anonymous access or from access from particular IPs. So for example I can specify allow all; the option allow all will allow everyone. I can also say deny all, and what this will do is prevent anyone from accessing the web server. So if I restart and I go back into here... sorry, let me just go back and make sure that that is configured correctly. I just want to specify a few options here and make sure that everything makes sense. When we talk about access permissions, or specifying who can access what in terms of the resources, it's very important that you ensure that you're not locking yourself out of the web server. So you can specify an IP that you want to deny; in this case I can say I want to deny my own IP. I can also deny localhost, or I can only allow localhost. So that's how you set that up. That's of course something that you can do if you're interested in doing that.

What I'm particularly interested in demonstrating is how to set up username and password authentication for directories, as I had done with Apache. So what I'm going to do now is save this and restart the nginx service here, and let me just make sure that it's working. There we are, fantastic.

So if we want to protect the /var/www/html directory with a username and password combo, what would we need to do? Well, firstly we would need to use the apache2-utils htpasswd command. So we say sudo htpasswd and then we specify the directory here, so /etc/nginx, and I'll just call it .htpasswd. Sorry, that is under /etc/nginx/.htpasswd, like so, and then we specify the user, in this case dev. Hit Enter; it's going to ask us to enter the password right over here, and we'll enter the password. It's going to add the password, and if we cat the contents of /etc/nginx/.htpasswd you can see the user and the appropriate hash has been added.

Now, adding the authentication to nginx is really very simple. All that we need to do first of all is specify the auth options, the auth password, and then specify what directory we want to use the authentication in. So I'll open up the nginx configuration file and we'll go to the server options, which is where we specify the various options regarding the server. Within this I'll say auth_basic, so the auth_basic option, and then I specify the name of the authentication type; in this case I can just say "Development team only", just a simple basic banner regarding the type of authentication or why I need to authenticate. Then I specify the auth_basic_user_file, and this will just indent everything so it fits correctly, or is displayed correctly, here. So I'll just indent that one more time and we go to the auth_basic_user_file; this is the htpasswd file, which again is under the directory /etc/nginx, and we then specify .htpasswd right over here, and we'll use the semicolon, and also add the semicolon for the message there. That will essentially enable the authentication here. Now we need to enable it within the directories that we currently have created, and we can add more than one location if we want. So I'll enable it within /var/www/html, and to do this we simply say auth_basic, and we'll indent this appropriately right over here, and we'll set that to on, so we want to enable it. We can write and quit and then restart nginx, so I'll just restart the nginx service and we can restart that now. As you can see, it's going to ask me to enter a username and password, so if I enter an incorrect one, I can just say test and 123, hit Enter, it's going to tell me that authentication failed, and you can see once that has failed it's going to tell us "Authentication required". So if I restart again I can then specify dev and the password here, hit Enter, and it's working.

I just want to take a moment to thank all our patrons at patreon.com/hackersploit for all the support. Your support and help is truly appreciated; you keep us making newer and fresher and better content. So I just want to say thank you to all the patrons. Thank you Murph the Surf, Daniel Bork, Jonathan Kyle, Adam Mack, Jamal Guillory, Defean, Barry, Jeremy Nicolai, Marihara, Max Ciao, Dustin Empress, Michael Hubbard and Jerry Speds.
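The hardening steps walked through in the video (server_tokens, header hiding, X-Frame-Options, IP allow/deny and htpasswd basic auth), collected into one nginx.conf as an added example; this is not the video's own file. It assumes the Debian/Ubuntu layout (/etc/nginx, /var/www/html), and 203.0.113.0/24 is a constructed administrator network used only for illustration.

```nginx
# Added example, not the video's configuration. Assumptions: Debian/Ubuntu paths;
# 203.0.113.0/24 is a constructed admin network. Create the credential file first:
#   sudo htpasswd -c /etc/nginx/.htpasswd dev    # -c creates the file on first use
#   sudo nginx -t && sudo systemctl restart nginx  # validate before restarting

events {
    worker_connections 768;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Removes the version (and, in the Debian build, the "(Ubuntu)" OS tag) from the
    # Server header and from error pages such as the 404 shown in the video.
    server_tokens off;

    # Only affects responses coming back from an upstream via proxy_pass; it does
    # nothing for static files nginx serves itself.
    proxy_hide_header X-Powered-By;

    # Browsers may only frame this site from the same origin (clickjacking defence).
    # Inherited by server/location blocks that define no add_header of their own.
    add_header X-Frame-Options SAMEORIGIN;

    server {
        listen 80;
        server_name _;                  # catch-all name, as used in the video

        location / {
            root /var/www/html;

            # Rules are checked top-down, first match wins. Keep your own address
            # in an allow line so you do not lock yourself out.
            allow 127.0.0.1;
            allow 203.0.113.0/24;       # constructed admin network
            deny  all;

            # auth_basic takes a realm string or "off"; there is no "on" value.
            # The realm is the text shown in the browser's credential prompt.
            auth_basic           "Development team only";
            auth_basic_user_file /etc/nginx/.htpasswd;

            # With the default "satisfy all", a client must pass BOTH the IP check
            # and basic auth. Use "satisfy any;" here to require only one of them.
        }
    }
}
```

Run sudo nginx -t after editing; it reports the exact line of any syntax error instead of leaving you to guess, as happened with the server_name in the video.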
Info
Channel: HackerSploit
Views: 21,942
Keywords: hackersploit, hacker exploit, kali linux, hacking, linux, mastering linux security and hardening, security, linux security, linux security tutorial, linux security hardening, linux security course, linux server security, linux tutorial for beginners, linux commands, linux tutorial, securing linux, securing linux server, how to secure linux, how to secure linux server, how to secure linux server from hackers, linode, linode tutorial, securing nginx, nginx security
Id: -lrSPJTeGhQ
Length: 20min 59sec (1259 seconds)
Published: Mon Oct 05 2020