Simple script to harden an nginx webserver
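#!/usr/bin/env bash
# Hardens a stock Debian/Ubuntu nginx install: ufw firewall, hidden version
# banner, stronger TLS settings and a set of security response headers.
# Must run as root. It edits /etc/nginx/nginx.conf and
# /etc/nginx/sites-available/default in place with sed; the patterns only
# match the distribution defaults, and every run inserts its lines again
# (the script is not idempotent), so run it once on a fresh install.
# Required environment: yourIP - the address allowed to reach SSH (port 22).
set -euo pipefail

# Abort before touching the firewall if the SSH allow-list address is unset;
# enabling ufw below with an empty rule would lock the operator out.
: "${yourIP:?set yourIP to the address allowed to reach port 22}"

#Firewall Setup:
apt-get install -y ufw
# "incoming" was misspelled in the original ("incomming"), which ufw rejects,
# so the default-deny policy was never applied.
ufw default deny incoming
ufw default allow outgoing
ufw allow from "$yourIP" to any port 22
ufw allow 443
# The rules above are inert until ufw is enabled. --force skips the
# interactive "may disrupt existing ssh connections" prompt; the port-22
# rule for $yourIP is already in place at this point.
ufw --force enable

#Hide the nginx version banner
sed -i "s/# server_tokens off;/server_tokens off;/g" /etc/nginx/nginx.conf
#Remove ETags (the "\n" in the replacement is a GNU sed extension; fine on Debian/Ubuntu)
sed -i 's/server_tokens off;/server_tokens off;\netag off;/' /etc/nginx/nginx.conf
#Replace the default page
echo "" > /var/www/html/index.html
#Use strong cryptography
# NOTE(review): the "*-GCM-SHA512" entries do not look like OpenSSL cipher
# names; verify the list with `openssl ciphers -v '<list>'` before relying on it.
sed -i "s/ssl_prefer_server_ciphers on;/ssl_prefer_server_ciphers on;\nssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;/" /etc/nginx/nginx.conf
#SSL session timeout
sed -i "s/ssl_prefer_server_ciphers on;/ssl_prefer_server_ciphers on;\nssl_session_timeout 5m;/" /etc/nginx/nginx.conf
#SSL session cache
sed -i "s/ssl_session_timeout 5m;/ssl_session_cache shared:SSL:10m;\nssl_session_timeout 5m;/" /etc/nginx/nginx.conf
#Enable HttpOnly and Secure cookie flags
# proxy_cookie_path only rewrites Set-Cookie headers of proxied upstream
# responses; it has no effect on cookies the static default site never sets.
sed -i "s|^\s*try_files \\\$uri \\\$uri/ =404;|try_files \\\$uri \\\$uri/ =404;\nproxy_cookie_path / \"/; secure; HttpOnly\";|" /etc/nginx/sites-available/default

# Security response headers, inserted after "root /var/www/html;" in the
# server block. nginx only inherits add_header from the enclosing level when
# the current level defines none of its own, so any location block that adds
# its own add_header must repeat these.
#Clickjacking Attack Protection
sed -i "s|root /var/www/html;|root /var/www/html;\nadd_header X-Frame-Options DENY;|" /etc/nginx/sites-available/default
#XSS Protection (legacy header; modern browsers ignore it, the CSP below is the effective control)
sed -i "s|root /var/www/html;|root /var/www/html;\nadd_header X-XSS-Protection \"1; mode=block\";|" /etc/nginx/sites-available/default
#Force secure connections (HSTS, one year, including subdomains)
sed -i "s|root /var/www/html;|root /var/www/html;\nadd_header Strict-Transport-Security \"max-age=31536000; includeSubdomains;\";|" /etc/nginx/sites-available/default
#MIME sniffing protection
sed -i "s|root /var/www/html;|root /var/www/html;\nadd_header X-Content-Type-Options nosniff;|" /etc/nginx/sites-available/default
#Make XSS harder (Content Security Policy)
sed -i "s|root /var/www/html;|root /var/www/html;\nadd_header Content-Security-Policy \"default-src 'self';\";|" /etc/nginx/sites-available/default
#Set X-Robots-Tag
sed -i "s|root /var/www/html;|root /var/www/html;\nadd_header X-Robots-Tag none;|" /etc/nginx/sites-available/default

#Validate the edited configuration before restarting, so a sed pattern that
#produced invalid nginx syntax aborts the script (set -e) instead of taking
#the server down on restart.
nginx -t
#Restart nginx
service nginx restart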