Question

How Can I Secure Nginx in Addition to Let's Encrypt

Posted January 3, 2022 106 views
Nginx, Let's Encrypt, Ubuntu 20.04

I’ve secured Nginx with Let’s Encrypt but would like to know if there is anything I can install in addition for security purposes, such as to monitor or prevent malicious bots and attacks?

1 answer

Hi @mpasquali,

I don’t think that there is anything on the network level that inspects the TCP packets for such activities.

I personally use Cloudflare and their Bot Fight Mode option which challenges requests that match patterns of known bots, before they access your site.

Alternatively, you can use Fail2Ban. In general, it will manage a list, using activity to add new sources to a method of blocking them (usually a firewall).
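
The list-management idea behind Fail2Ban, described in the answer above, as an added example (not part of the original answer and not Fail2Ban's own code): it scans Nginx access-log lines and flags a source once it produces too many error responses inside a time window. The parameters `maxretry` and `findtime` are named after Fail2Ban's settings; the function `find_offenders`, the status set and the sample log lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Nginx "combined" log format: addr - user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10),
                   bad_statuses=frozenset({401, 403, 404})):
    """Return {ip: time_of_ban} for sources that produced `maxretry`
    bad responses within a sliding window of length `findtime`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent bad responses
    banned = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines that are not in combined format
        ip, status = m.group(1), int(m.group(3))
        ts = datetime.strptime(m.group(2), TIME_FMT)
        if ip in banned or status not in bad_statuses:
            continue              # 200s and already-listed sources add nothing
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than the window
        if len(window) >= maxretry:
            banned[ip] = ts       # a real deployment would add a firewall rule here
    return banned

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jan/2022:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.68.0"',
    '198.51.100.20 - - [03/Jan/2022:10:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jan/2022:10:00:09 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.68.0"',
    '198.51.100.20 - - [03/Jan/2022:10:01:00 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jan/2022:10:02:15 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/7.68.0"',
    '192.0.2.50 - - [03/Jan/2022:10:05:00 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [03/Jan/2022:10:20:00 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [03/Jan/2022:10:35:00 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"would block {ip} (threshold reached at {when.isoformat()})")
```

When the site sits behind a proxy such as Cloudflare, the address in the access log is the proxy's unless Nginx is configured to restore the visitor's address, so any blocking decision has to be made on the restored address rather than on the proxy's.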

  • Okay I’ll check it out. Thank you so much!

    • Hi @mpasquali,

      Did you manage to check both options out?

      I’m eager to hear what you think about them.

      • Yes, I’ve actually decided to utilize Cloudflare and enable the Bot Fight Mode. Cloudflare appears to have vastly more options than Fail2Ban. At the moment, I am using the “free version” and want to research additional options they may have for securing my site. I have Let’s Encrypt on my site and am utilizing Cloudflare’s Universal SSL/TLS edge certificate. I’m wondering whether I should order a dedicated certificate instead. I’m also wondering whether I should opt for Cloudflare’s origin certificate instead of Let’s Encrypt? I’m still new to this, so is it normal for the Nginx access log to have entries which show a status code of 200? I am showing a couple of entries for status 200 in addition to 404 but no patterns as of yet. Please advise. Thank you in advance.

        • I’ve also added the Cloudflare IPs to my firewall whitelist, blocked all incoming, with exception of SSH and Nginx. I have Full Strict mode on Cloudflare.

          • Update: Since I’ve added the Cloudflare IPs to my FW whitelist, I’ve observed my Nginx access log and it seems to be clear of anything unusual for status 200. I’ll maintain watch on it though. I’ve also run a security scan via Cloudflare and it does not show major security issues.

          • Hi @mpasquali,

            I don’t think you need to allow Cloudflare IPs for SSH though. I mean, when you are connecting via SSH you are using your machine and essentially your personal IP address and not Cloudflare’s.

        • Hi @mpasquali,

          Yes, showing a code 200 means everything is okay. The HTTP 200 OK success status response code indicates that the request has succeeded.

          As for the certificates, yes, I’ll suggest trying the Cloudflare SSL.