Nginx log security is an important part of server security: poorly managed logs can leak information or be turned against you by an attacker. The following is a comprehensive set of Nginx log security measures.
```bash
# Set log directory and file permissions: only root writes, the nginx group reads,
# everybody else gets nothing (750 on directories, 640 on files)
chown -R root:nginx /var/log/nginx/
chmod -R 750 /var/log/nginx/
find /var/log/nginx/ -type f -exec chmod 640 {} \;
```
Filter sensitive information in the nginx configuration:

```nginx
http {
    # Redact the User-Agent when it carries credential-like strings
    map $http_user_agent $filtered_user_agent {
        default $http_user_agent;
        "~*(password|token|secret)" "REDACTED";
    }

    # Redact the Referer when it carries credential-like strings
    map $http_referer $filtered_referer {
        default $http_referer;
        "~*(password|token|secret)" "REDACTED";
    }

    log_format secure '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$filtered_referer" "$filtered_user_agent"';

    access_log /var/log/nginx/access.log secure;
}
```

Note that `$request` in this format still carries the raw query string; the query-string redaction further down covers that part.
Stop logging noise that has no security value (these `location` blocks go inside the `server` block):

```nginx
location = /favicon.ico {
    access_log off;
    log_not_found off;
}

location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
    access_log off;
}
```
Configure `/etc/logrotate.d/nginx`:

```
/var/log/nginx/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    # new log files get mode 640, owner nginx, group adm; keep this consistent
    # with the ownership chosen for the log directory above
    create 640 nginx adm
    sharedscripts
    postrotate
        # USR1 makes the nginx master reopen its log files after rotation
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
```
Redact sensitive parameters in the query string before it is logged:

```nginx
http {
    # Redact the value of sensitive query parameters in the logged request line.
    # The default keeps $args intact; the regex keeps everything before and after
    # the matched parameter, so the rest of the query string survives. A single
    # regex replaces only one (the last) matching parameter per request.
    map $args $sanitized_args {
        default $args;
        "~*^(?<pre>.*(?:^|&)(?:password|token|secret|auth)=)[^&]*(?<post>.*)$" "${pre}REDACTED${post}";
    }

    # log_format is only valid in the http context, not inside server
    log_format sanitized '$remote_addr - $remote_user [$time_local] '
                         '"$request_method $uri$is_args$sanitized_args $server_protocol" '
                         '$status $body_bytes_sent "$http_referer" '
                         '"$http_user_agent"';

    server {
        access_log /var/log/nginx/access.log sanitized;
    }
}
```
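Added example, not from the original article: the same redaction rule implemented in Python, for sanitizing access logs that were written before the map was in place (or for checking what the map would produce). It goes one step beyond the single nginx regex by redacting every sensitive parameter in a query string, not just the last one. The parameter names mirror the map above; the sample log line is constructed.

```python
import re

# Parameter names whose values must not reach the access log (constructed list,
# mirroring the names used in the nginx map above).
SENSITIVE_PARAMS = ("password", "token", "secret", "auth")

# (^|&) anchors the name to a parameter boundary so "mypassword=" is not matched,
# [^&]* swallows the value up to the next separator; IGNORECASE mirrors "~*" in nginx.
_PARAM_RE = re.compile(
    r"(?P<prefix>(?:^|&)(?:%s)=)(?P<value>[^&]*)" % "|".join(SENSITIVE_PARAMS),
    re.IGNORECASE,
)

# Request line as it appears between the quotes of a combined-format entry:
# METHOD PATH[?QUERY] PROTOCOL
_REQUEST_LINE_RE = re.compile(
    r"^(?P<method>\S+) (?P<path>[^\s?]*)(?:\?(?P<query>\S*))? (?P<proto>\S+)$"
)

# The quoted request is the first quoted field after the "[time]" bracket.
_LOGGED_REQUEST_RE = re.compile(r'(?<=\] ")[^"]*(?=")')


def redact_query(query: str) -> str:
    """Replace the value of every sensitive parameter with REDACTED, keep the rest intact."""
    return _PARAM_RE.sub(lambda m: m.group("prefix") + "REDACTED", query)


def redact_request_line(request_line: str) -> str:
    """Redact the query string inside a '"$request"'-style request line."""
    m = _REQUEST_LINE_RE.match(request_line)
    if m is None or m.group("query") is None:
        return request_line  # no query string, or not a request line we understand
    return "%s %s?%s %s" % (
        m.group("method"), m.group("path"), redact_query(m.group("query")), m.group("proto")
    )


def redact_log_line(line: str) -> str:
    """Redact the quoted request field of one combined-format access-log line."""
    return _LOGGED_REQUEST_RE.sub(lambda m: redact_request_line(m.group(0)), line, count=1)


# Constructed sample entry (documentation IP range), not taken from a real server
SAMPLE_LINE = (
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
    '"POST /api/login?user=bob&password=hunter2&next=/home HTTP/1.1" '
    '200 512 "https://example.test/" "Mozilla/5.0"'
)

if __name__ == "__main__":
    print(redact_log_line(SAMPLE_LINE))
```

Run it over an existing file with `for line in open(path): print(redact_log_line(line.rstrip("\n")))`; names are matched only at a parameter boundary, so `mypassword=` is deliberately left alone, exactly like the `(^|&)` anchor in the nginx map.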
```bash
# Install and initialise AIDE (Advanced Intrusion Detection Environment);
# it records a baseline of file hashes so later checks reveal tampered or truncated logs
sudo apt-get install aide
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```
Configure a remote syslog server, so that a copy of the logs exists off the host:

```nginx
error_log  syslog:server=10.0.0.1:514,facility=local7,tag=nginx,severity=error;
access_log syslog:server=10.0.0.1:514,facility=local7,tag=nginx,severity=info secure;
```

Syslog over UDP is unencrypted and unauthenticated; on an untrusted network, send to a local relay (for example rsyslog) that forwards over TLS.
```bash
# Check for abnormal access patterns.
# These match the raw log text only: percent-encoded variants such as
# union%20select are not caught, and 'sql' on its own produces many false hits.
grep -E '/(admin|wp-login|phpmyadmin)' /var/log/nginx/access.log
grep -i 'sql' /var/log/nginx/access.log
grep -i 'union select' /var/log/nginx/access.log
```
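As an added example (not part of the original article), the checks above carried into a small Python analyzer: it parses combined-format lines, URL-decodes the request target before matching so that `union%20select` does not slip past a plain grep, and flags per-IP bursts of 4xx responses, which is what repeated probing of admin paths usually looks like in the log. The log lines, IP addresses and threshold are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Combined-style entry as produced by the log_format directives above
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures from the grep commands above, applied to the URL-decoded request target
SIGNATURES = {
    "admin-path": re.compile(r"/(admin|wp-login|phpmyadmin)", re.IGNORECASE),
    "sqli": re.compile(r"union\s+select", re.IGNORECASE),
}


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Names of the signatures matching the decoded request target."""
    target = unquote_plus(entry["target"])
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]


def analyze(lines, error_threshold=3):
    """Aggregate signature hits and 4xx bursts per client IP.

    Returns (findings, unparsed) where findings maps ip -> {flag: count}.
    """
    hits = defaultdict(Counter)
    errors = Counter()
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1  # count, never silently drop, lines that do not parse
            continue
        for name in classify(entry):
            hits[entry["ip"]][name] += 1
        if entry["status"].startswith("4"):
            errors[entry["ip"]] += 1
    findings = {}
    for ip in set(hits) | set(errors):
        flags = dict(hits[ip])
        if errors[ip] >= error_threshold:
            flags["4xx-burst"] = errors[ip]
        if flags:
            findings[ip] = flags
    return findings, unparsed


# Constructed sample lines (documentation IP ranges), not taken from a real server
SAMPLE_LINES = [
    '198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /admin HTTP/1.1" 403 162 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=1%20union%20select%201,2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    findings, unparsed = analyze(SAMPLE_LINES)
    for ip, flags in sorted(findings.items()):
        print(ip, flags)
    print("unparsed lines:", unparsed)
```

Point `analyze()` at `open("/var/log/nginx/access.log")` to run it over a real file; the unparsed counter is worth watching, since a format change or a truncated file shows up there before anything else does.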
By implementing these measures you can significantly improve the security of your Nginx logs, reduce the risk of information leakage, and strengthen your ability to detect potential security threats.