
Basic iptables configuration

One of the first priorities after installing a system is to configure iptables correctly to filter traffic. The default policy allows everything that is not explicitly prohibited. This is not the best approach from a security standpoint, because in this mode the server is exposed to attackers.

An attacker can, for example, scan the ports open on the server. From that it is possible to determine the services in use, their versions, and the name and version of the operating system, and then look for vulnerabilities matching them. Some ICMP messages can also leak extra information.


How to hide the fact of using nginx on the server

I once read an article which said that you can hide the fact that nginx is used on the server. To do this, you need to edit the source code of the ngx_http_header_filter_module module and change the lines

  static char ngx_http_server_string[] = "Server: nginx" CRLF;
  static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

But rebuilding nginx from source requires some knowledge.

However, there is a simpler method that requires no special actions at all, such as editing the source code and recompiling.


Using nginx http_referer_module to protect the admin site from brute force

While reading the nginx web server documentation, I came across an interesting module called http_referer_module. It allows you to block access to the site, or to sections of it, if the request does not carry the correct Referer header.

This module can be used to protect the admin area of any site from brute force. For example, if the site runs on WordPress, blocking access by IP would be inappropriate when the site has registered users: they also need to authenticate, and collecting their IP addresses is a pointless exercise. :)


Restricting access to wp-login by ip in nginx

Recently, fail2ban has stopped protecting properly against brute force on WordPress, because the IP is different in every request and blocking every address is pointless.

Because of this nonsense, I decided to restrict access to the wp-login.php file by IP. There is one nuance here: for the location specified in the nginx configuration file, you need to add a script handler when using php-fpm.

As a result, the configuration looks like this: