1 - NGINX Security Initial Setup

 


This section contains recommendations for the installation and maintenance of an NGINX server.

Installation and Configuring Software Updates

  1. Ensure NGINX is installed (Automated)
  2. Ensure NGINX is installed from source (Manual)
  3. Ensure package manager repositories are properly configured (Manual)
  4. Ensure the latest software package is installed (Manual)


1 - Ensure NGINX is installed

To automate the installation of NGINX using a shell script, you can create a simple script that checks whether NGINX is installed and, if not, installs it. Below is a sample shell script for this purpose:

```bash
#!/bin/bash

# Check if NGINX is already installed
if command -v nginx &>/dev/null; then
    echo "NGINX is already installed."
    exit 0
fi

# Update the package repository and install NGINX
echo "Installing NGINX..."
if [ -f /etc/debian_version ]; then
    # For Debian/Ubuntu-based systems
    sudo apt-get update
    sudo apt-get install -y nginx
elif [ -f /etc/redhat-release ]; then
    # For Red Hat/CentOS-based systems
    sudo yum install -y epel-release
    sudo yum install -y nginx
else
    echo "Unsupported operating system."
    exit 1
fi

# Confirm the package manager actually installed NGINX before reporting success
if ! command -v nginx &>/dev/null; then
    echo "NGINX installation failed."
    exit 1
fi

# Start NGINX and enable it to start on boot (if not already started)
sudo systemctl start nginx
sudo systemctl enable nginx

echo "NGINX is installed and running."

exit 0
```


Here's what this script does:

1. It checks whether NGINX is already installed by looking up `nginx` on the `PATH` with `command -v`. If NGINX is found, it prints a message and exits.

2. If NGINX is not installed, the script proceeds to install it based on the detected Linux distribution. It includes support for both Debian/Ubuntu and Red Hat/CentOS systems. If the distribution is not supported, it prints an error message and exits.

3. After installing NGINX, the script starts NGINX and enables it to start on boot.

4. Finally, it prints a message indicating that NGINX is installed and running.

Make sure to save this script to a file (e.g., `install_nginx.sh`), make it executable (`chmod +x install_nginx.sh`), and run it with superuser privileges (`sudo ./install_nginx.sh`) to install NGINX automatically on your system.
 

2 - Ensure NGINX is installed from source


To install NGINX from source using an automated shell script, you can create a script that downloads the NGINX source code, compiles it, and installs it. Here's a sample shell script for this purpose:


```bash
#!/bin/bash

# Stop at the first failed command so a broken download or build is never installed
set -e

# Set NGINX version (change this to the desired version)
NGINX_VERSION="1.22.0"

# Check if a packaged NGINX is already installed.
# Note: with the default ./configure prefix, "make install" places the binary
# under /usr/local/nginx/sbin, so this check does not see an earlier source build.
if [ -f /usr/sbin/nginx ]; then
    INSTALLED_VERSION=$(/usr/sbin/nginx -v 2>&1 | grep -oE "nginx/[0-9]+\.[0-9]+\.[0-9]+" | cut -d'/' -f2)
    if [ "$INSTALLED_VERSION" == "$NGINX_VERSION" ]; then
        echo "NGINX $NGINX_VERSION is already installed."
        exit 0
    else
        echo "NGINX version $INSTALLED_VERSION is already installed. Removing it..."
        sudo apt-get remove -y nginx
        sudo apt-get autoremove -y
    fi
fi

# Install build dependencies
echo "Installing build dependencies..."
sudo apt-get update
sudo apt-get install -y build-essential zlib1g-dev libpcre3-dev libssl-dev libxslt1-dev libxml2-dev libgd-dev libgeoip-dev libperl-dev

# Download and compile NGINX from source (HTTPS, so the tarball is not fetched in clear text)
echo "Downloading NGINX source code..."
wget "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" -O nginx-source.tar.gz
tar -xzvf nginx-source.tar.gz
cd "nginx-$NGINX_VERSION"

# Configure, compile, and install NGINX
echo "Configuring NGINX..."
./configure --with-http_ssl_module --with-http_realip_module --with-http_geoip_module --with-threads

echo "Compiling NGINX..."
make

echo "Installing NGINX..."
sudo make install

# Clean up
cd ..
rm -rf "nginx-$NGINX_VERSION" nginx-source.tar.gz

echo "NGINX $NGINX_VERSION is installed from source."

exit 0
```


Here's what this script does:

1. It sets the NGINX version you want to install. You can change the `NGINX_VERSION` variable to your desired version.

2. It checks whether NGINX is already installed at `/usr/sbin/nginx`. If the installed version matches `NGINX_VERSION`, the script exits; otherwise it removes the existing package to avoid conflicts.

3. It installs the required build dependencies for compiling NGINX from source.

4. The script downloads the NGINX source code, extracts it, and navigates to the source code directory.

5. It configures NGINX with the desired modules using the `./configure` command.

6. It compiles NGINX using the `make` command.

7. It installs NGINX using the `make install` command.

8. Finally, it cleans up by removing the downloaded source code and archives.

Save this script to a file (e.g., `install_nginx_from_source.sh`), make it executable (`chmod +x install_nginx_from_source.sh`), and run it with superuser privileges (`sudo ./install_nginx_from_source.sh`) to install NGINX from source on your system. Make sure to adapt the script for your specific requirements and environment.
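The script above builds whatever `wget` returns, so a tampered tarball would be compiled and installed as root. The following added example (not part of the original page) checks the tarball's detached PGP signature with `gpgv` before any build step; the keyring path is a hypothetical location where you have stored the NGINX signing keys after checking their fingerprints yourself.

```bash
#!/bin/bash
# Added example (not from the original page): refuse to build an NGINX
# tarball unless its detached PGP signature verifies.

NGINX_VERSION="1.22.0"    # version used on this page
# Hypothetical keyring path; it must hold signing keys you have vetted.
KEYRING="${KEYRING:-/etc/nginx-build/nginx-signers.gpg}"

# verify_source TARBALL SIGNATURE KEYRING
# Returns 0 only if gpgv confirms SIGNATURE over TARBALL with a key in KEYRING.
verify_source() {
    for p in "$1" "$2" "$3"; do
        [ -s "$p" ] || { echo "missing or empty: $p" >&2; return 2; }
    done
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not found" >&2; return 3; }
    gpgv --keyring "$3" "$2" "$1"
}

# fetch_and_verify: download tarball and signature over HTTPS, then verify.
fetch_and_verify() {
    base="https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
    wget -q "$base" -O nginx-source.tar.gz || return 1
    wget -q "$base.asc" -O nginx-source.tar.gz.asc || return 1
    if ! verify_source nginx-source.tar.gz nginx-source.tar.gz.asc "$KEYRING"; then
        echo "Signature check failed; not building." >&2
        rm -f nginx-source.tar.gz nginx-source.tar.gz.asc
        return 1
    fi
    echo "Signature OK for nginx-$NGINX_VERSION."
}

# Only touch the network when asked to: ./verify_nginx_source.sh --fetch
if [ "${1:-}" = "--fetch" ]; then
    fetch_and_verify
fi
```

Run `fetch_and_verify` in place of the plain `wget` step and continue to `tar` and `./configure` only when it returns 0.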

3 - Ensure package manager repositories are properly configured


To keep package manager repositories in a known-good state, you can create a shell script that refreshes the repository information for various Linux distributions. Here's a sample script that handles both APT (Debian/Ubuntu) and YUM (Red Hat/CentOS) package managers:

```bash
#!/bin/bash

# Function to update APT repositories (Debian/Ubuntu)
update_apt_repositories() {
    echo "Updating APT repositories..."
    sudo apt-get update
}

# Function to update YUM repositories (Red Hat/CentOS)
update_yum_repositories() {
    echo "Updating YUM repositories..."
    sudo yum clean all
    sudo yum makecache
}

# Check if the system is using APT or YUM and update repositories accordingly
# (/etc/yum.repos.d is a directory, so it is tested with -d rather than -f)
if [ -f /etc/apt/sources.list ]; then
    update_apt_repositories
elif [ -f /etc/yum.conf ] || [ -d /etc/yum.repos.d ]; then
    update_yum_repositories
else
    echo "Unsupported package manager or repository configuration not found."
    exit 1
fi

echo "Repository configuration is updated."

exit 0
```


Here's what this script does:

1. It defines two functions, `update_apt_repositories` and `update_yum_repositories`, to update APT and YUM repositories, respectively.

2. It checks whether the system is using APT (Debian/Ubuntu) by looking for the existence of the `/etc/apt/sources.list` file. If it's present, the script updates APT repositories using `sudo apt-get update`.

3. If the system is not using APT, it checks whether it's using YUM (Red Hat/CentOS) by looking for the `/etc/yum.conf` file or the `/etc/yum.repos.d` directory. If either is found, the script updates YUM repositories using `sudo yum clean all` and `sudo yum makecache`.

4. If neither APT nor YUM is detected, it prints an error message indicating that the package manager or repository configuration is not supported and exits.

5. Finally, it prints a message indicating that the repository configuration is updated.

Save this script to a file (e.g., `update_repositories.sh`), make it executable (`chmod +x update_repositories.sh`), and run it with superuser privileges (`sudo ./update_repositories.sh`) to update the package manager repositories on your system.
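Refreshing metadata does not show whether a repository is configured safely. The following added example (not part of the original page) reports repository definitions that switch off package signature verification: `gpgcheck=0` in YUM `.repo` files, and `trusted=yes` or `allow-insecure=yes` in one-line APT `.list` entries. The sample files and `repo.example.com` are constructed for the demonstration.

```bash
#!/bin/bash
# Added example: list repository definitions that disable signature checks.

# audit_yum_repos DIR: report every [section] in DIR/*.repo with gpgcheck=0.
audit_yum_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        section=""
        # tr strips blanks so "gpgcheck = 0" and "gpgcheck=0" compare equal
        tr -d ' \t' < "$f" | while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                \[*\])      section="$line" ;;
                gpgcheck=0) echo "$f: $section gpgcheck=0" ;;
            esac
        done
    done
}

# audit_apt_sources DIR: report uncommented one-line entries in DIR/*.list
# that carry trusted=yes or allow-insecure=yes.
audit_apt_sources() {
    for f in "$1"/*.list; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[ \t]*#/ && /(trusted|allow-insecure)=yes/ {
            print f ": " $0 }' "$f"
    done
}

# Constructed sample files so the example runs offline. On a real host, pass
# /etc/yum.repos.d or /etc/apt/sources.list.d instead.
demo_dir=$(mktemp -d)
cat > "$demo_dir/example.repo" <<'EOF'
[example-stable]
baseurl=https://repo.example.com/el/$releasever/$basearch/
gpgcheck = 0
enabled=1
EOF
cat > "$demo_dir/example.list" <<'EOF'
deb [trusted=yes] https://repo.example.com/debian stable main
deb [signed-by=/usr/share/keyrings/example.gpg] https://repo.example.com/debian stable main
EOF
audit_yum_repos "$demo_dir"      # flags [example-stable]
audit_apt_sources "$demo_dir"    # flags only the trusted=yes line
rm -rf "$demo_dir"
```

Empty output from both functions means no definition in the scanned directory explicitly disables signature checking.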

4 - Ensure the latest software package is installed


To ensure that all installed software packages are updated to their latest versions, you can create a shell script that uses the package manager relevant to your Linux distribution. Below is a script that works for both APT (Debian/Ubuntu) and YUM (Red Hat/CentOS) package managers:

```bash
#!/bin/bash

# Function to update packages using APT (Debian/Ubuntu)
update_apt_packages() {
    echo "Updating packages using APT..."
    sudo apt-get update
    sudo apt-get upgrade -y
    sudo apt-get dist-upgrade -y
}

# Function to update packages using YUM (Red Hat/CentOS)
update_yum_packages() {
    echo "Updating packages using YUM..."
    sudo yum update -y
}

# Check if the system is using APT or YUM and update packages accordingly
# (/etc/yum.repos.d is a directory, so it is tested with -d rather than -f)
if [ -f /etc/apt/sources.list ]; then
    update_apt_packages
elif [ -f /etc/yum.conf ] || [ -d /etc/yum.repos.d ]; then
    update_yum_packages
else
    echo "Unsupported package manager or package manager configuration not found."
    exit 1
fi

echo "All packages are up to date."

exit 0
```


Here's what this script does:

1. It defines two functions, `update_apt_packages` and `update_yum_packages`, to update packages using APT and YUM package managers, respectively.

2. It checks whether the system is using APT (Debian/Ubuntu) by looking for the existence of the `/etc/apt/sources.list` file. If it's present, the script updates packages using `sudo apt-get update`, `sudo apt-get upgrade -y`, and `sudo apt-get dist-upgrade -y`.

3. If the system is not using APT, it checks whether it's using YUM (Red Hat/CentOS) by looking for the `/etc/yum.conf` file or the `/etc/yum.repos.d` directory. If either is found, the script updates packages using `sudo yum update -y`.

4. If neither APT nor YUM is detected, it prints an error message indicating that the package manager or package manager configuration is not supported and exits.

5. Finally, it prints a message indicating that all packages are up to date.

Save this script to a file (e.g., `update_packages.sh`), make it executable (`chmod +x update_packages.sh`), and run it with superuser privileges (`sudo ./update_packages.sh`) to ensure that all installed software packages are updated to their latest versions on your system.

