Nginx – How to put snort in front of nginx server

nginxsnort

I want to prevent attacks to my nginx server. How can I proxy the requests through snort to nginx server.

NFQueue's are a solution.I am able to pass packets to snort using the following rules

sudo snort -Q --daq nfq --daq-var --daq-var queue=1 -c /etc/snort/snort.conf

Now I have created the queue

sudo /usr/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
sudo /usr/sbin/iptables -I FORWARD -j NFQUEUE --queue-num 1

Is this enough or we need to do something else apart from this.

Nginx is running in the same system as snort.

Best Answer

If your question is about configure Snort as an IPS to protect your server, I believe you followed the right instructions to set it up. The rules you created seem legit; you'll have to download and keep rules up to date (I think PulledPork or Oinkcodes may help) if you haven't done it yet, and test it. It may also be convenient to create a service to start / restart / stop Snort.

If you want to know if using Snort is enough to secure your web server, sadly the answer is no…

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Can Snort be installed on VPS

Snort can be pretty memory hungry, which on a VPS may be a problem. It can run alongside ossec quite nicely - the two are both included in Ossim which correlates infosecurity events from various sources.

I'd argue that it is probably overkill for a single VPS though. If you keep all your software updated against any security releases, have good configuration settings, use tripwire and monitor logs then you're doing a really good job. And if you are protecting an entire network then I'd consider running ossim on a dedicated box.

If you're using Apache then consider mod_security to help protect potentially vulnerable scripts you are hosting. And finally be proactive in the security, scanning your box for vulnerabilities with something like Nessus.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Can Snort be installed on VPS

Related Topic