Options to harden node server against ddos and other attacks

Hi,
I'm in the process of choosing a cloud service (running Ubuntu vps). Most likely it will be Digital Ocean or AWS ec2.
The server us to run node.js and optionally nginX. I'm looking at how to secure it against attacks from malicious users / bots.
There are several Front Ends that connect via an API to the node server and these run on different domains (enabled CORS on the server).

I know of Cloudflare and on a recent test, it blocked header infomation from the front-ends and I could not get it to work. - Still looking into why this is.
Hence, I could utilise AWS Cloudfront which may provide the defence I'm looking for, unless I run into the same issues as Cloudflare.
Alternatively, nginX may provide the required security and it hopefully would be easier to configure but I have no experience with it. Cloudflare has a good dashboard, but I'm not too sure about nginX. I found a link that describes some of the tools available - https://www.nginx.com/blog/monitoring-nginx) but unsure how it compares and if its adequate.

Does anyone have any suggestions please ?

 

If you setup CloudFlare correctly it works very well at stopping front end web attacks. You need to add exceptions for your headers if its blocking them or any other elements.

Secondly I would add CSF firewall and tune it to your needs. Change SSH port, disable root user, and use key based access. As long as your scripts are secure with no bad coding, it would be very hard to hack your server. But you may need an application firewall to prevent xml and brute force attacks.

 

I've never heard of CSF firewall but from what I read it has a lot of functionality and it has remote admin access - Thanks for this piece of information.
Does CSF offer the similiar functionality as Cloudflare (i.e. Network Firewall), in which case could Cloudflare be omitted?
When installing CSF, should UFW firewall be switched off?
Do I need to add some sort of control panel for CSF to work ? (I read about Cpanel) - I'm managing a Digital Ocean Droplet with SSH access.

Regarding Application Firewalls for NodeJS/Express, I'm unsure what you exactly mean - Will something like nginX with ModSecurity add-in be suitable?
I understand nginX by default has some rate limiting and other benefits, so not sure if ModSecurity would be needed until the site gets traction.

 

Besides the Cloudflare attractive security facilities like the DDoS protection, WAF, Bot Fight Mode, we suggest you turn on and configure SELinux policies and strong firewalls like ModSecurity, pfSense, CSF, NAXSI.
Also, you can protect your server and avoid smurf attacks and bad ICMP requests by configuring sysctl.conf file.
Also, you can set buffer limits in the Nginx config file to avoid buffer attacks. You can use some tools like Gixy for analysing and managing Nginx webserver configurations.