[Webserver Security]
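# Common bandwidth hoggers and scraping/attack tools, matched case-insensitively
# against the User-Agent header. $limit_bots is "1" on a match and "0"
# otherwise; the server block below returns 403 when it is "1".
#
# NOTE: this list is deliberately aggressive and also catches legitimate
# clients (anything built on libwww, urllib, Curl, perl or Python, which
# includes most uptime checks and API consumers). The generic "Bot" and
# "Spider" tokens from the original list were dropped because they match
# Googlebot, Bingbot and similar search-engine crawlers, which contradicts the
# SEO section of the vhost; "Slurp" (Yahoo's crawler) is still listed.
# Duplicate entries (Go!Zilla, Go-Ahead-Got-It, GrabNet, HMView, a truncated
# "rafula") were removed. Review the list against your own access logs.
map $http_user_agent $limit_bots {
    default 0;
    ~*(AltaVista|Slurp|BlackWidow|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker) 1;
    ~*(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView) 1;
    ~*(HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|larbin|LeechFTP|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE) 1;
    ~*(NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider) 1;
    ~*(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus) 1;
    ~*(Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw) 1;
}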
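# Redirect www.<domain> to the bare domain so there is one canonical host.
server {
    listen 80;                                   # explicit, matching the main vhost (nginx defaults to *:80)
    server_name www.example.de;                  #@CHANGE TO YOUR DOMAIN
    return 301 $scheme://example.de$request_uri; #@CHANGE TO YOUR DOMAIN
}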
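server {
    root /var/www/example.de;            #@CHANGE TO YOUR DOMAIN ROOT FOLDER
    index index.html index.php;
    listen 80;
    server_name example.de;              #@CHANGE TO YOUR DOMAIN
    access_log /var/logs/access.log;     #@CHANGE TO LOG YOUR LOGFILE
    error_log /var/logs/error.log info;  #@CHANGE TO LOG YOUR LOGFILE (was "/var/logs.error.log", a typo)

    #####################
    ## SEO / PERFORMANCE #
    #####################
    # Static asset requests (images, css, js, fonts). The (?: ... ) group is
    # non-capturing, so nothing is stored in $1.
    # Regex locations are tried in file order and the first match wins, so this
    # block is evaluated before every protective location further down; keep
    # that in mind when adding extensions here.
    location ~* \.(?:ico|css|js|gif|jpe?g|png|woff|ttf|otf|svg|woff2|eot)$ {
        expires 30d;    # or "max"
        # NOTE: add_header is not merged across levels. Because this location
        # declares its own add_header directives, any add_header set in the
        # http{} context (X-Frame-Options, X-Content-Type-Options, ...) is NOT
        # sent for these files unless it is repeated here.
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    #####################
    ## SECURITY #
    #####################
    # The if/return pairs below are a coarse request filter. They inspect the
    # raw query string only (no percent-decoding or other normalisation), so
    # treat them as a noise reducer, not as input validation, parameterised
    # queries or a WAF. "return" directly inside "if" at server level is one of
    # the documented-safe uses of "if".

    # Block user agents flagged by the $limit_bots map.
    if ($limit_bots = 1) {
        return 403;
    }

    ## Deny certain Referers ###
    # Substring match: a referer containing e.g. "organic" or "love" is refused
    # as well; tune to your audience.
    if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) {
        return 403;
    }

    ## Block SQL injection signatures
    # ~* (case-insensitive) instead of ~: SQL keywords are case-insensitive,
    # so "UNION SELECT" has to be caught as well as "union select".
    set $block_sql_injections 0;
    if ($query_string ~* "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }

    ## Block file inclusion signatures
    # URLs (http:// and https://, any case) and ../ sequences as parameter
    # values. This also rejects legitimate parameters that carry a URL
    # (e.g. ?redirect=https://...).
    set $block_file_injections 0;
    if ($query_string ~* "[a-zA-Z0-9_]=https?://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }

    ## Block common exploit signatures
    # Case-insensitive so that %3c / <SCRIPT> are caught like %3C / <script>.
    set $block_common_exploits 0;
    if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }

    ## Block spam keywords in the query string (case-insensitive)
    set $block_spam 0;
    if ($query_string ~* "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
        set $block_spam 1;
    }
    if ($query_string ~* "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
        set $block_spam 1;
    }
    if ($query_string ~* "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
        set $block_spam 1;
    }
    if ($query_string ~* "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
        set $block_spam 1;
    }
    if ($block_spam = 1) {
        return 403;
    }

    # /.well-known/ must stay reachable (RFC 8615; ACME HTTP-01 validation for
    # Let's Encrypt lives there), but the dotfile rule below would deny it. A
    # "^~" prefix location takes precedence over every regex location, so this
    # exemption wins regardless of where it is placed.
    location ^~ /.well-known/ {
        allow all;
    }

    # Protect dotfiles and specific txt/config files (dots escaped so that
    # e.g. "readme.html" does not also match "readmeXhtml").
    location ~ /(\.|wp-config\.php|readme\.html|license\.txt|schema\.txt|password\.txt|passwords\.txt) {
        deny all;
    }

    # Protect editor backup files (foo.php~)
    location ~ ~$ {
        access_log off;
        log_not_found off;
        deny all;
    }

    # Protect .git directories. This is already caught by the "/\." rule above
    # (first regex match wins), so the access_log/log_not_found settings here
    # never take effect; keeping those probes in the access log is useful
    # detection signal anyway.
    location ~ /\.git {
        access_log off;
        log_not_found off;
        deny all;
    }

    # Never serve script sources. "$" anchors at the end of the URI; the
    # original "\$" matched a literal dollar sign, so "/foo.pl" was not blocked.
    location ~* \.(pl|cgi|py|sh|lua)$ {
        return 444;
    }

    # Drop scanner/probe paths without a response. Substring match: any URI
    # containing "soap" or "smtp" (e.g. /blog/soapbox) is dropped too.
    location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
        return 444;
    }

    # Protect other sensitive files (Drupal-style list). The original second
    # alternative "^(\..*|Entries.*|...)$" could never match because a URI
    # always starts with "/"; it is anchored to a path segment instead so the
    # CVS metadata files (Entries, Repository, Root, Tag, Template) are caught.
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|/(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
        return 444;
    }

    # Block execution of PHP files in upload folders. Must stay above the
    # \.php$ handler below, because the first matching regex location wins.
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    #####################
    ## LOCATIONS #
    #####################
    ## Location example with HTTP basic auth ##
    #location /auth-example {
    #    auth_basic "Administrator Login";
    #    auth_basic_user_file /var/www/.htpasswd-example;
    #}

    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    #@IMPORTANT CHECK YOUR PHP VERSION!!!
    ## For php5-fpm
    # "try_files $uri =404" refuses to hand a request to PHP-FPM unless the
    # script exists on disk, which closes the well-known PATH_INFO confusion
    # (cgi.fix_pathinfo) where a non-PHP upload could be executed as PHP.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    ## For php7.0-fpm
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}
}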
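user www-data;
# "auto" sizes the worker pool to the number of CPU cores; the fixed value 1
# used before leaves every additional core idle.
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;    # per worker; raise together with the fd limits (fs.file-max, ulimit -n)
    multi_accept on;            # accept all pending connections per wake-up instead of one
}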
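http {
    # Don't send the nginx version number in error pages and the Server header.
    server_tokens off;
    proxy_hide_header X-Powered-By;
    # Requires the third-party headers-more module (ngx_http_headers_more);
    # stock nginx refuses to start on an unknown directive. Banner spoofing is
    # cosmetic only - it does not change what the server actually is.
    more_set_headers 'Server: Windows 98'; #trololo

    # NOTE: add_header directives declared here are inherited only by
    # server/location blocks that declare no add_header of their own; a block
    # that adds e.g. Cache-Control silently drops all of the headers below
    # unless it repeats them. They are also only attached to 2xx/3xx responses
    # unless "always" is appended (nginx >= 1.7.5).

    # Forbid framing by other origins to mitigate clickjacking.
    # http://en.wikipedia.org/wiki/Clickjacking
    # Use DENY if the site never needs to be framed. ALLOW-FROM has poor
    # browser support; the modern equivalent is CSP "frame-ancestors".
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options SAMEORIGIN;

    # Disable content-type sniffing so a served file is only interpreted as
    # its declared Content-Type (important for user-supplied content).
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-Content-Type-Options nosniff;

    # Legacy reflected-XSS filter switch. Chromium-based browsers have since
    # removed the filter and Firefox never implemented it, so treat this as
    # harmless legacy; a Content-Security-Policy is the effective control.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-XSS-Protection "1; mode=block";

    # HSTS (HTTP Strict Transport Security) against SSL stripping.
    # Browsers ignore this header on plain-HTTP responses, so it only takes
    # effect once a TLS listener is configured; make sure every subdomain is
    # HTTPS-capable before shipping includeSubdomains (it is cached for a year).
    # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    ### Per-client connection limiting. "limit_zone" was removed in nginx
    ### 1.1.8; limit_conn_zone is its replacement. 1m of zone memory holds
    ### roughly 32000 states for $binary_remote_addr; 5m leaves headroom.
    limit_conn_zone $binary_remote_addr zone=slimits:5m;
    ### At most 5 simultaneous connections from one address. ###
    limit_conn slimits 5;

    ## Request size and timeout limits. These bound slow-client / resource
    ## exhaustion; they are not a control for memory-safety bugs.
    client_max_body_size 20M;
    client_body_buffer_size 15K;
    client_body_timeout 12;
    client_header_timeout 12;
    keepalive_timeout 15;
    send_timeout 10;

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    access_log /srv/LOGS/nginx-access.log; #@CHANGE TO LOG YOUR LOGFILE
    error_log /srv/LOGS/nginx-error.log;   #@CHANGE TO LOG YOUR LOGFILE (was "/src/LOGS", a typo)

    ##
    # Gzip Settings
    ##
    # Once TLS is added, compressing dynamic responses that mix secrets with
    # user-controlled input is the BREACH pattern; keep gzip to static types
    # or disable it for such pages.
    gzip_disable "msie6";
    gzip on;
    gzip_comp_level 2;
    gzip_min_length 1000;
    gzip_buffers 4 32k;
    # Recent mime.types map .js to application/javascript, so the legacy
    # application/x-javascript entry alone leaves scripts uncompressed; list both.
    gzip_types text/plain application/javascript application/x-javascript text/xml text/css application/xml;
    gzip_vary on;
    # end gzip configuration

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}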
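#/etc/sysctl.conf
# Apply with "sysctl -p" (or "sysctl --system"). Keys that do not exist on the
# running kernel are reported as errors and skipped.

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering (1 = strict; hosts with asymmetric routing need 2 = loose)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router (note: container runtimes such as Docker need ip_forward = 1)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on Exec Shield. The key only exists on older RHEL/CentOS kernels;
# other kernels report it as unknown and skip the line.
kernel.exec-shield = 1
# Address space layout randomisation: 2 = full (stack, mmap, VDSO and the
# heap/brk base). The previous value 1 left the heap base unrandomised.
kernel.randomize_va_space = 2
# Tune IPv6: ignore router advertisements and address autoconfiguration.
# NOTE: the "default" tree only applies to interfaces created after these
# values are loaded; interfaces that already exist keep their current
# settings unless the matching conf.all / conf.<iface> keys are set too.
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Optimisation for port usage (e.g. behind load balancers)
# Increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (to reduce rollover problems); may break programs that assume the 32768 default
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size settable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# TCP windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1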