How to Secure Your Nginx Server and Set Up a Secure Onion Site

Posted by D2 (Administrator)
Author : BlackHunt
Exclusively for XSS.is


Introduction: In today's world, website and server security is of utmost importance. Nginx is one of the most popular web servers, offering a multitude of features that make it an excellent choice for managing web traffic. Additionally, creating an Onion site on the Tor network can help provide an extra layer of security and anonymity. In this article, we will guide you on how to secure your Nginx server and create a secure Onion site.

Part One: Securing Your Nginx Server

1. Regularly Update Nginx: Always ensure your Nginx version is up-to-date. Use the following commands:


Code:
sudo apt update
sudo apt upgrade nginx

Configure Firewall:
To prevent unauthorized access, configure your firewall. Use ufw (Uncomplicated Firewall):

Code:
sudo ufw allow 'Nginx Full'
sudo ufw enable

Enable HTTPS:
Use SSL/TLS to encrypt traffic between the server and users. Due to current limitations, you cannot use Let's Encrypt for Onion sites. Therefore, you need to create and configure a self-signed SSL certificate:
Create a self-signed certificate and key:
Code:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Configure Nginx to use the self-signed certificate:
Code:
server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";

    location / {
        try_files $uri $uri/ =404;
    }
}
Secure Nginx Configuration:

Update your Nginx configuration file with appropriate security settings. Example:

Code:
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";

    location / {
        try_files $uri $uri/ =404;
    }
}
Explanation:

- `add_header X-Content-Type-Options nosniff;`: tells browsers not to MIME-sniff the response body and to honour the declared Content-Type instead.
- `add_header X-Frame-Options "SAMEORIGIN";`: tells browsers to render the page inside a frame only when the framing page has the same origin, which blocks clickjacking from other sites.
- `add_header X-XSS-Protection "1; mode=block";`: enables the browser's built-in reflected-XSS filter where one still exists. Chromium-based browsers have removed that filter and Firefox never implemented it, so the header is harmless but does little today; a Content-Security-Policy header is the modern replacement.


Disable nginx server_tokens:

By default, the server_tokens directive in nginx displays the nginx version number. It is directly visible in all automatically generated error pages and is also present in the Server header of every HTTP response.

This is an information disclosure: anyone who can reach the server learns exactly which nginx version you run. Disable it by setting server_tokens off in the nginx configuration file.
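As an added check (this script is not from the original post), here is a small POSIX shell audit for the two points above: it reads raw response headers, flags a Server header that still carries a version number, and reports whichever of the article's hardening headers is missing. The two response samples are constructed for the demo; against a live server, feed it the output of `curl -sIk https://yourdomain.com/`.

```shell
#!/bin/sh
# Added example, not from the original post: audit raw HTTP response headers
# for the hardening this article configures. Reads headers from stdin, prints
# one FINDING line per problem and returns the number of findings (0 = clean).

audit_headers() {
    findings=0
    # Keep only the header section: strip CRs and stop at the first blank line.
    headers=$(tr -d '\r' | awk 'NF == 0 { exit } { print }')

    # server_tokens: "Server: nginx/1.20.1" leaks the release; with
    # server_tokens off nginx sends just "Server: nginx".
    if printf '%s\n' "$headers" | grep -i '^server:' | grep -Eq '[0-9]+\.[0-9]+'; then
        echo "FINDING: Server header reveals a version number (set server_tokens off)"
        findings=$((findings + 1))
    fi

    # The headers added in the article's server block must all be present.
    for expected in 'x-content-type-options: nosniff' 'x-frame-options: sameorigin'; do
        if ! printf '%s\n' "$headers" | grep -iq "^$expected"; then
            echo "FINDING: missing header '$expected'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample responses (not captured from a real server).
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.20.1
Content-Type: text/html

<html>'

HARDENED_RESPONSE='HTTP/1.1 200 OK
Server: nginx
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: text/html

<html>'

# Prints the finding count for a response string, for use in checks.
count_findings() {
    rc=0
    printf '%s\n' "$1" | audit_headers >/dev/null || rc=$?
    echo "$rc"
}

# Demo: prints the findings for the leaky sample (three of them).
printf '%s\n' "$LEAKY_RESPONSE" | audit_headers || echo "total findings: $?"
```

The function's exit status doubles as the finding count, so it can gate a deployment script directly (`curl -sIk https://host/ | audit_headers || echo "not hardened"`).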


SELinux and Nginx:
Why SELinux should be enabled on an Nginx server:

Installing and activating SELinux on an Nginx server is an important step in hardening it. SELinux is a policy-based mandatory access control system that ships as part of the operating system in many Linux distributions.

When SELinux is active, it adds a further layer of system-level access control. Without it, software and services may be able to reach system resources that they do not need for their operation, which widens the scope of a compromise and the impact of security vulnerabilities.

With SELinux enabled and properly configured on the Nginx server, access by the nginx process to files, directories, ports and other system resources is confined to what its policy allows. This fine-grained control strengthens the server and limits what an attacker can do after a successful intrusion.

To install and enable SELinux on the system, you can use the following commands:
Code:
sudo apt-get install selinux-utils selinux-basics
sudo selinux-activate


Install ModSecurity v3 for Enhanced Security:

ModSecurity is a web application firewall (WAF) that can be used to protect your server against various attacks. Follow these steps to install and configure ModSecurity v3:

Install ModSecurity v3:

First, install the required packages:

Code:
sudo apt install libapache2-mod-security2

Then download and compile ModSecurity:
Code:
sudo apt install git build-essential libtool libpcre3 libpcre3-dev libxml2 libxml2-dev libyajl-dev
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
sudo make install

Configure ModSecurity:

Add ModSecurity to Nginx:

Code:
cd ..    # back to the directory that contains ModSecurity/, so the two checkouts are siblings
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx

Recompile Nginx with ModSecurity support:
Code:
wget http://nginx.org/download/nginx-1.26.0.tar.gz
tar zxvf nginx-1.26.0.tar.gz
cd nginx-1.26.0
# Build the connector as a dynamic module; that is what a load_module line expects.
./configure --add-dynamic-module=../ModSecurity-nginx
make
sudo make install    # installs under /usr/local/nginx, including modules/ngx_http_modsecurity_module.so
# The rules file referenced from the nginx configuration comes from the ModSecurity checkout.
sudo cp ../ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
sudo cp ../ModSecurity/unicode.mapping /usr/local/nginx/conf/

Then update your Nginx configuration file with ModSecurity settings:
Code:
load_module modules/ngx_http_modsecurity_module.so;

events {}

http {
    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
}

Preventing DoS and Other Attacks:
Rate Limiting:

By limiting the request rate per client address, you can blunt DoS attacks:


Code:
http {
    ...
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    server {
        ...
        location / {
            limit_req zone=one burst=5;
        }
    }
}

Firewall Configuration:

To prevent scanners like Censys and Shodan and avoid backend leaks, properly configure your firewall. Follow these steps:

First, retrieve the Tor exit node list and set up firewall rules:
Code:
curl -s https://check.torproject.org/torbulkexitlist | awk '{print "sudo ufw allow from " $1 " to any port 80"}' | sudo bash
Code:
sudo ufw status

Then enable the firewall and set up the following rules:
Code:
sudo ufw allow ssh    # allow SSH before enabling, so the firewall does not lock you out
sudo ufw enable
sudo ufw deny 80      # the per-address allow rules added above match first; everyone else is denied

The command that sets the firewall to block port 80 (`sudo ufw deny 80`) is used to prevent unauthorized access to the HTTP port (port 80). This ensures that only traffic from specific Tor exit nodes has access to port 80, preventing backend server exposure and blocking unauthorized access by internet scanners like Shodan and Censys.
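The one-liner above pipes a downloaded file straight into `sudo bash`, so any line in it that is not an address would be executed as a command. As an added example (not from the original post), the script below builds the same ufw rules only after validating every line as a dotted-quad IPv4 address, writes them to stdout for review, and reports anything it skipped; the sample list is constructed and includes deliberately bad lines. Note that the exit-node list only matters for visitors reaching a clearnet address through Tor: requests to the onion service itself arrive from the local Tor daemon over 127.0.0.1, which is why the Part Two configuration listens there.

```shell
#!/bin/sh
# Added example, not from the original post: convert the Tor bulk exit list
# into ufw rules only after validating every line, rather than piping the
# download straight into `sudo bash`. Rules go to stdout for review; apply
# them once you have read them:
#   curl -s https://check.torproject.org/torbulkexitlist | tor_exits_to_ufw > rules.sh
#   less rules.sh && sudo sh rules.sh

# True when $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Shape is right; now bound each octet (the subshell keeps IFS and $@ local).
    ( IFS=.; set -- $1; for octet; do [ "$octet" -le 255 ] || exit 1; done )
}

# Reads the exit list from stdin, prints one ufw rule per valid address and
# reports every other line on stderr. Returns the number of rejected lines.
tor_exits_to_ufw() {
    rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        if [ -z "$line" ]; then
            continue
        fi
        if is_ipv4 "$line"; then
            echo "ufw allow from $line to any port 80 proto tcp"
        else
            echo "rejected (not an IPv4 address): $line" >&2
            rejected=$((rejected + 1))
        fi
    done
    return "$rejected"
}

# Constructed sample list (not a real download): two usable addresses, one
# with an out-of-range octet, one IPv6 entry and one line that is no address.
SAMPLE_EXIT_LIST='198.51.100.7
203.0.113.42
999.1.1.1
2001:db8::1
echo injected'

# Helpers for checking results: the generated rules, and the rejected count.
generated_rules() {
    printf '%s\n' "$1" | tor_exits_to_ufw 2>/dev/null || true
}
rejected_count() {
    rc=0
    printf '%s\n' "$1" | tor_exits_to_ufw >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Demo on the constructed list: two rules on stdout, three rejections on stderr.
printf '%s\n' "$SAMPLE_EXIT_LIST" | tor_exits_to_ufw || true
```

IPv6 exit addresses, if the list contains any, are reported rather than silently dropped, so a non-zero return value is a prompt to look at stderr, not necessarily a sign of tampering.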

Adding Reverse Proxy:


To further protect your backend server, you should use a Reverse Proxy. This setup hides your main server behind a proxy server, adding an extra layer of security. Here is an example configuration of Nginx as a Reverse Proxy:
Code:
server {
    listen 80;
    server_name youronionaddress.onion;

    location / {
        proxy_pass http://reversproxy:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Part Two: Setting Up a Secure Onion Site

Install Tor

First, you need to install Tor. Use the following commands:

Code:
sudo apt update
sudo apt install tor


Configure Tor for Hidden Service:

Edit the Tor configuration file:

Code:
sudo nano /etc/tor/torrc

Add the following lines:
Code:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80


Then restart Tor:
Code:
sudo systemctl restart tor

Get Your Onion Address:

Your Onion address is stored in the `hostname` file:

Code:
sudo cat /var/lib/tor/hidden_service/hostname

Configure Nginx for Onion Site:

Configure Nginx to serve Tor traffic:

Code:
server {
    listen 127.0.0.1:80;
    server_name youronionaddress.onion;

    location / {
        proxy_pass http://reversproxy:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
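Once the hidden service is running, the check worth doing (an added example, not part of the original post) is that nothing except loopback listeners is reachable from the internet. Tor hands requests to the onion vhost on 127.0.0.1:80, so a copy of the site or its backend bound to 0.0.0.0 is exactly what lets a scanner tie the server's public IP to the onion address. The function below parses `ss -ltnH` output (the sample lines are constructed) and returns the number of non-loopback listeners; SSH will normally appear, and the ufw rules from Part One are what limit who can reach it.

```shell
#!/bin/sh
# Added example, not from the original post: list TCP listeners bound to
# anything other than loopback. For an onion service the web server should
# only listen on 127.0.0.1 (Tor connects locally); a listener on 0.0.0.0 or
# [::] is reachable by internet scanners. Live use:  ss -ltnH | check_listeners

# Reads `ss -ltnH` lines (State Recv-Q Send-Q Local:Port Peer:Port) from
# stdin, prints each non-loopback listener and returns how many there were.
check_listeners() {
    exposed=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then
            continue
        fi
        local_addr=$(printf '%s\n' "$line" | awk '{ print $4 }')
        case "$local_addr" in
            127.*|\[::1\]:*)
                ;;    # loopback only: fine
            *)
                echo "EXPOSED: $local_addr is reachable on a non-loopback address"
                exposed=$((exposed + 1))
                ;;
        esac
    done
    return "$exposed"
}

# Constructed sample in `ss -ltnH` format (not captured from a real host):
# nginx on loopback for the onion vhost, sshd and a second nginx listener on
# all interfaces, and Tor's SocksPort on the IPv6 loopback.
SAMPLE_SS='LISTEN 0 511  127.0.0.1:80   0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22     0.0.0.0:*
LISTEN 0 511  0.0.0.0:8080   0.0.0.0:*
LISTEN 0 4096 [::1]:9050     [::]:*'

# Prints the exposed-listener count for a sample, for use in checks.
exposed_count() {
    rc=0
    printf '%s\n' "$1" | check_listeners >/dev/null || rc=$?
    echo "$rc"
}

# Demo on the constructed sample: sshd and the 8080 listener are reported.
printf '%s\n' "$SAMPLE_SS" | check_listeners || echo "exposed listeners: $?"
```

The `*:port` form that ss prints for an IPv6 wildcard bind is also counted as exposed, since it is not one of the loopback patterns.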
Conclusion:

By following these steps, you can secure your Nginx server and create a secure and anonymous Onion site. Security is an ongoing process and requires continuous updates and monitoring. This article is written for XSS.is, and we thank Dastardy for suggesting ways to avoid detection by Shodan and Censys.