you can test your config without restarting, using sudo nginx -t
You have one of the most concise and thorough catalogues on TH-cam. Thank you.
Security concerns start at 12:15
Hey, I enjoyed the video. I think it would be good to add three pieces of information though. 1) Since you are not using https, your httpauth, and thus your username and password, are going to be sent in plaintext over your network connection. 2) Always add a non-root user with a different password than root, disable root login and enable certificate-only logins. 3) If you feel removing banners is going to help you be more secure, then definitely go all the way and disable standard status pages. If the attacker has no information at all, he/she might first try, say, Apache exploits and waste some time and energy trying that, before they have a chance to try any relevant exploits.
I look up to professional like this man, more than I look up to celebrities. I love seeing people who just know what the fuck they are talking about
BACK AGAIN with another hacking tutorial! I remember watching the proxychain tut a few years back when I was just getting into Linux...done moved into development now... He wasn't showing his face back then...
Timestamps:
0:00 Introduction to the series
2:14 Video starts
You can register for part 2 of this series here: event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&partnerref=website&eventid=2649692&sessionid=1&key=FDD7D40926383C11B3392509222D8368&regTag=1558905&sourcepage=register
The argument for the location directive is the URI of said location. In this case it probably should have been "/", not "/var/www/html". That's why the access rules demonstration did not work. Also the auth_basic example is backwards. If you apply auth_basic to the whole server section it works in every location by default. You add auth_basic off; to the locations where you don't want auth.
I learned more about securing nginx in the comments than from the video :(
Thanks for making this series. Lots of great information. One thing I noticed though: you don't need sudo if you are root.
Hey, you always make awesome content. I am very thankful to you.
Thanks for making these awesome videos😘😘😘
thank you
why deny all did not work @ 15:57
I love ur work
I came here looking to learn something meaningful; instead your tutorial felt like something being regurgitated from your own cyber-security training. The mail settings in the config file were already commented, so what does removing them achieve? Hiding the server version is 101, and that's more precautionary than preventative. To what benefit does applying a htpassword to my web directory serve? Great, hope my visitors have telepathy to know it. Like I said, it just feels like you're disseminating what you've been taught in theory with no real world application, and what is applicable most people already know.
Same here, a big title but not so much content
Great video. I am a newbie, I have a question. If I put auth_basic for the default Nginx server it's asking me for the password. Can I put the same thing for the project inside the file in the same way for the hacker?
How do I hide all my information in cyber war? Please.
Great
What is the use of nginx
@CpLKaNeZA Just for clarification, NGINX is the backend database?
@NERO-ez1mn I think so, yes. Looking at Google results it can be used for a few other things as well. There are a lot of write-ups and articles you can find on what it can do.
Linode denied my registration. I raised the issue and I haven't received any feedback. I wonder why they invest in all this marketing when their customer service is wack.
Ubuntu?
It was really helpful
21 minutes and I keep waiting for the "securing" part -- is that adding htaccess and disabling server tokens? You could have talked about this in 1 minute. Your video is about basic installation. Even at the 10 minute mark you are barely starting.... just configuring a listen port and then docroot. You should change the title to "installation and basic configuration of nginx"
Apologies for the lengthy introduction and the implementation of basic techniques. Our videos are designed to start off from the ground up and build on each other. We will still be releasing more videos on securing Nginx that will cover more advanced features and techniques.
Work
Hello, can you please provide the installation and configuration file as a docx file?
Too much bullshit in this video, although some good info. But:
- root should (even "must", as best practice) be specified in the server block
- location means URL, not doc root path location
- reload is enough (and it's cleaner for production servers); afaik use restart only when modifying listen parameters (simple reload didn't work), not 100% sure when changing TLS keys/certificates
- use configuration parameters as "up" as they can be (i.e.: if possible, prefer configuration in the server block, or even higher up, not in the location block)
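The conventions raised in the comment on location and auth_basic and in the list above (location takes a URI, root belongs in the server block, auth_basic applied server-wide with auth_basic off in exempt locations, allow/deny rules under "/", and HTTPS so Basic Auth credentials are not sent in clear), as an added example that is not from the video or any commenter; the hostname, document root, certificate paths and allowed address range are assumptions:

```nginx
# Added example, not the video's config. Hostname, paths and the allowed
# address range are placeholders; replace them for your own host.

# Redirect plain HTTP to HTTPS so Basic Auth credentials never travel in clear
server {
    listen 80;
    server_name example.com;          # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;          # assumed hostname

    # Placeholder certificate and key paths
    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Document root belongs at server level, not as the location argument
    root  /var/www/html;
    index index.html;

    # Do not advertise the nginx version in headers and error pages
    server_tokens off;

    # Basic Auth for the whole server; every location inherits it
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;   # created with htpasswd

    # location takes a URI, so "/" covers everything under the site root
    location / {
        try_files $uri $uri/ =404;
    }

    # Opt a public path out of auth instead of opting each private one in
    location /public/ {
        auth_basic off;
    }

    # Address-based access rules: allowed ranges first, then deny everyone else
    location /admin/ {
        allow 192.0.2.0/24;   # documentation range used as a placeholder
        deny  all;
    }
}
```

Validate with `nginx -t` before applying, and `nginx -s reload` (or `systemctl reload nginx`) is sufficient for these changes since no listen parameters change.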
I tried "ssh root@192.155.95.165"
that is HIS ip, not yours. Log into your server and look at the ip, and connect to it. Hope this helps.
njinx. lol, that's how it should be pronounced
First
I'm cyber terrorism, Division II Kostrad, server up-error
Please provide a platform where we can ask questions. I also tried to contact you on Insta, Twitter, everywhere, but no reply. Please.
#Pakistan
"Securing Nginx" is an oxymoron right ?
Nginx is actually fairly secure. Of all the components of your tech stack, it's probably the least likely to specifically be the cause of a breach... As opposed to the JavaScript frameworks, PHP, Python, SQL, etc. Improperly written code is more than likely going to be the downfall of many a website.
official manual from Nginx: www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/