Harden nginx from malicious scanners

Ryan Huddleston
Published in The Quiq Blog
Jul 27, 2018

There is a lot of information out there on hardening nginx, including this Mozilla guide on SSL/TLS configuration, which I would highly recommend.

I wanted to go over a lesser-known technique that helps shield your site from some types of malicious internet scanners. I’ve heard estimates that it takes malicious scanners only about 15 minutes to discover a new server and start probing it for weaknesses.

Most example nginx configs start out like this:

    server {
        listen 443 ssl http2 default_server;
        server_name mysite.com;
        ...
    }

The problem is that if you hit this server and specify any other server name (or no name at all, just the bare IP), it will still serve content from your mysite.com backend, because default_server makes this block the fallback for every request that matches no other server_name. This means that just knowing an IP address is enough to probe a website or web application for known weaknesses.

Instead, what I recommend is removing default_server from your site’s server block and adding another server section to your config that takes its place as the default:

    server {
        listen 443 ssl http2 default_server;
        server_name _;
        # throwaway self-signed cert; it reveals no real hostname
        ssl_certificate ssl/blackhole.crt.pem;
        ssl_certificate_key ssl/blackhole.key.pem;
        return 404;
    }

This way, if someone hits your server but doesn’t know which domain you’re using, they get nothing but a 404. This should be better than a 401 or 403, since you aren’t confirming or denying access, only saying that what they asked for does not exist. We can also serve it with a self-signed SSL certificate whose common name (CN) says nothing but blackhole, making it much harder to gather additional intel.

This same technique can be used for location blocks as well.

    location = / {
        ...
    }
    location ~ ^/(path1|path2|path3)/.* {
        ...
    }
    location / { return 404; }

So if you have whitelisted paths and routes in your nginx config, anything that doesn’t match a known path will also return a 404 rather than hammering your backend with bogus requests. Note that even if you don’t have a default location / section, nginx may still send the request to another location block. Therefore it’s always best to specify a default location / section to make that behavior explicit.
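Putting both ideas together, here is a complete configuration as an added example (not from the original post): the blackhole default server on 443 and 80, and the real site without default_server whose only routes are the whitelisted ones. The backend address 127.0.0.1:8080, the www.mysite.com alias, the IPv6 listeners and the mysite certificate paths are assumptions for illustration.

```nginx
# Catch-all for HTTPS: any SNI/Host that is not a known site lands here.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    # Throwaway self-signed cert whose subject is just CN=blackhole, e.g.:
    #   openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=blackhole" \
    #     -keyout ssl/blackhole.key.pem -out ssl/blackhole.crt.pem
    ssl_certificate     ssl/blackhole.crt.pem;
    ssl_certificate_key ssl/blackhole.key.pem;
    # On nginx 1.19.4 or newer you can drop the TLS handshake instead of
    # answering 404, with no certificate needed:  ssl_reject_handshake on;
    return 404;
}

# Same idea for plain HTTP, so IP-only probes on port 80 get nothing either.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 404;
}

# The real site: no default_server, so only requests naming it get here.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mysite.com www.mysite.com;
    ssl_certificate     ssl/mysite.crt.pem;      # assumed path
    ssl_certificate_key ssl/mysite.key.pem;      # assumed path

    # Whitelisted routes are the only ones forwarded to the backend.
    location = / {
        proxy_pass http://127.0.0.1:8080;        # assumed backend
    }
    location ~ ^/(path1|path2|path3)/.* {
        proxy_pass http://127.0.0.1:8080;        # assumed backend
    }
    # Explicit catch-all: unmatched paths never reach the backend.
    location / { return 404; }
}
```

To verify from a client, `curl -k -o /dev/null -w '%{http_code}\n' https://<server-ip>/` should print 404 with the blackhole certificate, while `curl --resolve mysite.com:443:<server-ip> https://mysite.com/` reaches the real site.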

Using these techniques by no means prevents hackers from compromising your servers but it’s another layer to add to a robust security program. It also has the added benefit of lowering CPU by shielding your backend servers from unnecessary load.
