New Server Checklist for Digital Ocean (6CPU, 16gb, SSD, New York)


JMeter Testing the Server

JMeter for stress testing the connections (requires the Java JDK, https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html).

SlowLoris and Slow Body Attacks

slowhttptest (https://github.com/shekyan/slowhttptest); install using “pip install slowhttptest”.

slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET -u https://www.siteurl.com -x 24 -p 3

Wapiti for App OWASP Testing

*Requires Python 3 for app testing.

Download the distribution and unzip it. cd into the directory, then run ./wapiti -u https://www.siteurl.com/ -v 1 -d 2….

Counting/Viewing Connections

All Connections
netstat -nalt | grep :443

Open Connections
netstat -nalt | grep :80 | grep ESTA

Count Open Connections
netstat -nalt | grep :80 | grep ESTA -c

Find Number of Processors

grep processor /proc/cpuinfo | wc -l

Find the number of open files allowed by ulimit: ulimit -a

max clients = worker_processes * worker_connections (* = multiply), and worker_processes = number of processors.

With a reverse proxy in front it is actually max_clients = (worker_processes * worker_connections) / (X * 2), where X is the number of concurrent connections each of these clients makes to you.

*A single process can open as many connections as the ulimits allow. num_workers * max_connections is the formula, but outside a load balancer/proxy the max connections and the ulimits need to be taken into account to arrive at reasonable values. Setting max_connections to a very high value may backfire, since the ulimits will be the limiting factor.

Resources

Slowloris DoS Attack and Mitigation on NGINX Web Server


https://fralef.me/nginx-hardening-some-good-security-practices.html

Fine tuning Nginx

Set worker_connections 100000; and worker_processes 6; (one worker per processor). See the resource links for more information.

In /etc/nginx/nginx.conf


http {
...
        # Optimize and prevent slow body/header slowloris attacks.
        # limit the number of connections per single IP. 10m of shared memory holds roughly 160k IP states
        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
        # limit the number of requests per IP to 25 per second. 10m of shared memory holds roughly 160k IP states
        limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=25r/s;
        # small buffers and short timeouts so slow or oversized clients are cut off quickly
        client_body_buffer_size 10K;
        client_header_buffer_size 1K;
        client_max_body_size 22m;
        large_client_header_buffers 2 1k;
        client_header_timeout 12s;
        client_body_timeout 12s;
        send_timeout 10s;
...
}

Then in sites-available/siteurl.conf Virtual Hosts config


server {
...
        server_name siteurl.com www.siteurl.com;

        root /var/www/default/htdocs;
        index index.php index.html;

        # conn_limit_per_ip is set in nginx.conf; at most 10 concurrent requests per IP
        limit_conn conn_limit_per_ip 10;
        # req_limit_per_ip is set in nginx.conf; allow bursts of 40 above 25r/s, served immediately
        limit_req zone=req_limit_per_ip burst=40 nodelay;
...
}
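To see what the two limits above actually do to traffic, here is an added Python model (not part of the original checklist or of nginx) that replays constructed requests through nginx's leaky-bucket limit_req logic with rate=25r/s burst=40 nodelay and through the limit_conn counter at 10 per IP. Note that nginx only counts a connection for limit_conn once the whole request header has been read, so a slowloris client that never finishes its headers is cut off by client_header_timeout, not by this counter.

```python
"""Model of the nginx limit_req (nodelay) and limit_conn settings on this page."""
from collections import defaultdict

RATE_RPS = 25    # limit_req_zone ... rate=25r/s
BURST = 40       # limit_req zone=req_limit_per_ip burst=40 nodelay;
CONN_LIMIT = 10  # limit_conn conn_limit_per_ip 10;


def limit_req(requests, rate_rps=RATE_RPS, burst=BURST):
    """requests: iterable of (client_ip, time_ms); returns True (served) / False (503) per request.

    Leaky bucket as nginx implements it: every request adds 1 to the per-IP 'excess',
    which drains at rate_rps. A request is rejected when excess would exceed burst;
    rejected requests leave the stored state untouched. With nodelay, accepted
    excess requests are served immediately instead of being queued.
    """
    state = {}  # ip -> (excess, last_ms)
    decisions = []
    for ip, now in requests:
        if ip not in state:
            state[ip] = (0.0, now)  # first request from an IP is always served
            decisions.append(True)
            continue
        excess, last = state[ip]
        excess = max(0.0, excess - rate_rps * (now - last) / 1000.0) + 1.0
        if excess > burst:
            decisions.append(False)  # 503 Service Temporarily Unavailable
            continue
        state[ip] = (excess, now)
        decisions.append(True)
    return decisions


def limit_conn(events, limit=CONN_LIMIT):
    """events: iterable of (client_ip, 'open'|'close'); returns a decision per 'open' event."""
    active = defaultdict(int)
    decisions = []
    for ip, kind in events:
        if kind == "open":
            if active[ip] >= limit:
                decisions.append(False)  # 503, connection is not counted
            else:
                active[ip] += 1
                decisions.append(True)
        else:
            active[ip] = max(0, active[ip] - 1)
    return decisions


if __name__ == "__main__":
    # Constructed sample: one client (203.0.113.7) fires 50 requests in the same
    # millisecond, then one more a second later after 25 requests have drained.
    d = limit_req([("203.0.113.7", 0)] * 50 + [("203.0.113.7", 1000)])
    print(d.count(True), "served,", d.count(False), "rejected")  # 42 served, 9 rejected
```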