
Need advice to secure NGINX install



Hello community,


Can anyone please point me in the right direction on how to strengthen the security of a standard Nginx install on Ubuntu 18.04 when installing Revive?

I saw in the documentation that if there are no .htaccess files, extra security steps need to be taken.


Thank you very much,


  • 11 months later...

Which Nginx version are you using?

Use 775 rather than 777 on directories:

var
var/cache
var/plugins
var/templates_compiled
plugins
www/admin/plugins
www/images

Set up robots.txt to block search engines and bots from following and indexing:

User-agent: *
Disallow: /

Use the newest version of Nginx, PHP and Revive AdServer.

Prefer to use HTTPS. Add an HSTS header too.

Use Gzip or Brotli, and add Cache headers (expiries, etag, cache-control for html, js, css, images ...).

This can help with security too (the directives below go inside the server { } block):

# Block direct requests for source, backup and config-type files by extension.
location ~* \.(git|rb|inc|ht|bak|htaccess|sql|log|htpasswd|engine|info|install|test|po|sh|theme|pl|cgi|py|lua)$ {
    deny all;
    # log_not_found off;
    access_log off;
}

# Block dotfiles and dot-directories (.git, .env, .htpasswd and so on).
location ~ /\. {
    deny all;
    # log_not_found off;
    access_log off;
}

# XSS / content-sniffing headers
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

# Close the connection without a response for anything but GET, HEAD and POST.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}

# Reject well-known scanner and crawler user agents. The header is trivially
# changed by the client, so this only filters noise, it is not a control.
if ($http_user_agent ~ (Acunetix|libwww|libwww-perl|sqlmap|WinHttp.WinHttpRequest|WinHTTP|Zeus|curl|wget|scan|winhttp|HTTrack|havij|WVS) ) {
    return 403;
}

if ( $request_method ~* ^(TRACE|DELETE|TRACK)$ ) { return 403; }

# Flag suspicious query strings, then reject flagged requests with 403.
set $susquery 0;
if ($args ~* "\.\./") { set $susquery 1; }
if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
if ($args ~* "etc/passwd") { set $susquery 1; }
if ($args ~* "boot\.ini") { set $susquery 1; }
if ($args ~* "ftp:") { set $susquery 1; }
if ($args ~* "http:") { set $susquery 1; }
if ($args ~* "https:") { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
if ($args ~* "base64_encode") { set $susquery 1; }
if ($args ~* "(%24&x)") { set $susquery 1; }
if ($args ~* "(127\.0)") { set $susquery 1; }
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
# Whitelist: a matching query string or referer clears the flag. With "!~"
# (as originally posted) these lines reset $susquery to 0 for almost every
# request and silently disabled all of the checks above.
if ($args ~ "^loggedout=true"){ set $susquery 0; }
if ($args ~ "^action=jetpack-sso"){ set $susquery 0; }
if ($args ~ "^action=rp"){ set $susquery 0; }
if ($http_referer ~ "^http://maps.googleapis.com(.*)$"){ set $susquery 0; }
if ($susquery = 1) { return 403; }

# robots.txt must stay readable despite the rules above.
location = /robots.txt {
    allow all;
    # log_not_found off;
    access_log off;
}

# Never serve the server configuration itself.
location ~ /nginx.conf {
    deny all;
    access_log off;
    # log_not_found off;
}


You can also use .htpasswd to protect the folder where your Revive Adserver is installed. So, with a wrong user/pass, the visitor/client would get a 401 error.

Edited by Fritex
htpasswd protected folder
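The two procedural points in the reply above (775 instead of 777 on the writable Revive directories, and an htpasswd-protected admin folder that answers 401 to a wrong password) put into one script. This is an added example, not code from the forum post or from the Revive Adserver project. It assumes the install root is passed in as REVIVE_ROOT (a hypothetical path), that nginx and PHP-FPM run under the Ubuntu default group www-data, that the openssl CLI is available to produce the password hash, and that the PHP-FPM socket passed to write_admin_auth_snippet (the /run/php/... path is a placeholder) matches the one configured on the server.

```shell
#!/bin/sh
# Added example: harden a Revive Adserver install behind nginx.
# Assumptions: REVIVE_ROOT is the install root (hypothetical path), the web
# server group is www-data (Ubuntu default), openssl is installed, and the
# PHP-FPM socket path given to write_admin_auth_snippet is correct.
set -u

# Directories the reply lists as needing to be writable by the web server.
REVIVE_WRITABLE_DIRS="var var/cache var/plugins var/templates_compiled plugins www/admin/plugins www/images"

# Octal mode of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Make the writable directories group-writable (775) for the web server
# group instead of world-writable (777). 775 only works if the group is
# right, so the group is set too; that step needs root and is skipped
# otherwise so the function can be dry-run as an ordinary user.
harden_revive_dirs() {
    root="$1"; group="${2:-www-data}"
    for d in $REVIVE_WRITABLE_DIRS; do
        mkdir -p "$root/$d"
        if [ "$(id -u)" -eq 0 ]; then chgrp "$group" "$root/$d"; fi
        chmod 775 "$root/$d"
    done
}

# Verification: succeed only if every listed directory is exactly 775.
check_revive_dirs() {
    root="$1"
    for d in $REVIVE_WRITABLE_DIRS; do
        [ "$(mode_of "$root/$d")" = "775" ] || return 1
    done
    return 0
}

# Write an htpasswd file with an apr1 (MD5-crypt) hash, which nginx's
# auth_basic accepts, so Apache's htpasswd tool is not needed. The subshell
# umask makes the file 0640: readable by root and the web server group only.
make_htpasswd() {
    file="$1"; user="$2"; password="$3"
    ( umask 027; printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$password")" > "$file" )
}

# Write an nginx drop-in that puts the Revive admin UI behind basic auth.
# A missing or wrong password gets a 401, as the reply describes.
write_admin_auth_snippet() {
    snippet="$1"; htpasswd="$2"; fpm_socket="$3"
    cat > "$snippet" <<EOF
location ^~ /admin/ {
    auth_basic           "Revive Adserver admin";
    auth_basic_user_file $htpasswd;
    # "^~" stops nginx from consulting regex locations, so the PHP handler
    # must be repeated here or the admin scripts would be sent as plain files.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass $fpm_socket;
    }
}
EOF
}

# Usage: REVIVE_ROOT=/var/www/revive sh harden-revive.sh
if [ -n "${REVIVE_ROOT:-}" ]; then
    harden_revive_dirs "$REVIVE_ROOT" www-data
    check_revive_dirs "$REVIVE_ROOT" && echo "directory permissions ok"
    make_htpasswd /etc/nginx/revive.htpasswd admin "${ADMIN_PASSWORD:?set ADMIN_PASSWORD}"
    write_admin_auth_snippet /etc/nginx/snippets/revive-admin-auth.conf \
        /etc/nginx/revive.htpasswd unix:/run/php/php-fpm.sock
    echo "include the snippet inside the Revive server block, then run: nginx -t && systemctl reload nginx"
fi
```

The snippet is written as a separate file so it can be included from the Revive server block and reviewed with nginx -t before reloading; the htpasswd file lives outside the web root, which is also why the posted location rules denying .htpasswd and dotfiles still matter for anything that does end up under www/.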