Options to harden node server against ddos and other attacks

Discussion in 'Web Hosting' started by OrangeJuiceJones, Dec 29, 2021.

  1. #1
    Hi,
I'm in the process of choosing a cloud service (running an Ubuntu VPS). Most likely it will be Digital Ocean or AWS EC2.
    The server is to run node.js and optionally nginx. I'm looking at how to secure it against attacks from malicious users / bots.
    There are several Front Ends that connect via an API to the node server and these run on different domains (enabled CORS on the server).

I know of Cloudflare and on a recent test, it blocked header information from the front-ends and I could not get it to work. :( - Still looking into why this is.
    Hence, I could utilise AWS CloudFront, which may provide the defence I'm looking for, unless I run into the same issues as with Cloudflare.
    Alternatively, nginx may provide the required security and it hopefully would be easier to configure, but I have no experience with it. Cloudflare has a good dashboard, but I'm not too sure about nginx. I found a link that describes some of the tools available (https://www.nginx.com/blog/monitoring-nginx) but I'm unsure how it compares and if it's adequate.

Does anyone have any suggestions, please?
     
    Last edited by a moderator: Dec 30, 2021
    OrangeJuiceJones, Dec 29, 2021 IP
  2. SolaDrive
    #2
If you set up Cloudflare correctly it works very well at stopping front-end web attacks. You need to add exceptions for your headers if it's blocking them, or for any other elements.

Secondly, I would add the CSF firewall and tune it to your needs. Change the SSH port, disable the root user, and use key-based access. As long as your scripts are secure with no bad coding, it would be very hard to hack your server. But you may need an application firewall to prevent XML and brute-force attacks.
     
    SolaDrive, Dec 29, 2021 IP
  3. OrangeJuiceJones
    #3
I've never heard of the CSF firewall, but from what I read it has a lot of functionality and it has remote admin access :) - Thanks for this piece of information.
    Does CSF offer similar functionality to Cloudflare (i.e. a network firewall), in which case could Cloudflare be omitted?
    When installing CSF, should the UFW firewall be switched off?
    Do I need to add some sort of control panel for CSF to work? (I read about cPanel.) I'm managing a Digital Ocean Droplet with SSH access.

Regarding application firewalls for Node.js/Express, I'm unsure what exactly you mean - would something like nginx with the ModSecurity add-in be suitable?
    I understand nginx by default has some rate limiting and other benefits, so I'm not sure if ModSecurity would be needed until the site gets traction.
     
    Last edited: Dec 30, 2021
    OrangeJuiceJones, Dec 30, 2021 IP
  4. monovm
    #4
Besides Cloudflare's attractive security facilities like DDoS protection, WAF and Bot Fight Mode, we suggest you turn on and configure SELinux policies and strong firewalls like ModSecurity, pfSense, CSF and NAXSI.
    Also, you can protect your server and avoid smurf attacks and bad ICMP requests by configuring the sysctl.conf file.
    Also, you can set buffer limits in the nginx config file to avoid buffer attacks. You can use tools like Gixy for analysing and managing nginx web server configurations.
     
    monovm, Aug 4, 2022 IP
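The nginx buffer limits and rate limiting mentioned in the replies above, written out as an added example for this thread (it is not configuration posted by anyone in the thread). It assumes the Node.js app listens on 127.0.0.1:3000, that the host name api.example.com and the certificate paths are placeholders, and that CORS headers are left to the application so the front-end Origin handling the original poster struggled with is not duplicated in the proxy:

```nginx
# Added example, not from the thread. Assumes Node.js on 127.0.0.1:3000.
# Shared-memory zones keyed on the client address (defined at http level).
limit_req_zone  $binary_remote_addr zone=api_req:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=api_conn:10m;

server {
    listen 443 ssl http2;
    server_name api.example.com;                                  # placeholder
    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

    # Buffer limits: cap what a client may send before a request reaches Node,
    # and do not let slow clients hold connections open indefinitely.
    client_max_body_size        1m;
    client_body_buffer_size     16k;
    client_header_buffer_size   1k;
    large_client_header_buffers 4 8k;
    client_body_timeout         10s;
    client_header_timeout       10s;
    send_timeout                10s;

    location / {
        # 10 r/s steady state, bursts of 20 allowed, excess rejected at once
        # with 429 rather than the default 503.
        limit_req        zone=api_req burst=20 nodelay;
        limit_req_status 429;
        limit_conn       api_conn 20;

        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 30s;
    }
}
```

Check it with `nginx -t` before reloading, and run `gixy` over the config file to catch the usual misconfigurations. One caveat: if Cloudflare sits in front of nginx, `$binary_remote_addr` is Cloudflare's edge address, so every visitor shares one rate-limit bucket until the realip module is configured (`set_real_ip_from` for Cloudflare's ranges and `real_ip_header CF-Connecting-IP`).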
  5. Mark Elijah

    #5
To harden your Node.js server, leverage cloud service firewalls, and use nginx for load balancing, rate limiting, WAF integration, and header management. Implement strong authentication, input validation and error handling, and keep dependencies updated. Utilize security libraries and manage secrets securely. Monitor regularly, and consider Cloudflare after addressing the potential header configuration issues.
     
    Mark Elijah, Jun 1, 2024 IP