How to set basic defense on Nginx-CMS?

Question

As an Information Security amateur I did all in my might to protect my Ubuntu-Nginx-CMS (WordPress) environment from BFAs, MITMs, and database injections.

sudo add-apt-repository ppa:certbot/certbot -y && apt-get update -y && apt-get upgrade -y
sudo apt-get install zip unzip tree unattended-upgrades sshguard postfix \ 
nginx python-certbot-nginx mysql-server php-fpm php-mysql php-mbstring php-mcrypt -y
sudo ufw enable && ufw allow 22/tcp 25/tcp 80/tcp 443/tcp 9000/tcp

To prevent MITM attacks, generally all data transmission of all sites is via TLS, via a Let'sEncrypt SSL certificate (Green padlock in browser for all pages).

To prevent CMS DB injections I've enabled frequent updates via *nix cron (and kept forms minimal):

0 1 * * * for dir in /var/www/html/*/; do cd "$dir" && /usr/local/bin/wp plugin update --all --allow-root; done
0 2 * * * for dir in /var/www/html/*/; do cd "$dir" && /usr/local/bin/wp core update --allow-root; done
0 3 * * * for dir in /var/www/html/*/; do cd "$dir" && /usr/local/bin/wp theme update --all --allow-root; done

But it seems I didn't do anything against DDoS. What can I do against someone who sends a robot to load my webpages about 50,000 times per hour (or something of that sort)?

Is there something that can be done directly form Ubuntu/Nginx/WordPress or by some Linux software?

Notes:

• AFAIK, BFA, DBI and DDoS are the 3 most common types of attacks DoS attacks (to be distinguished from MITM which isn't a DoS attack). Sorry if I missed anything.

• I ran a search here in Information Security StackExchange with the phrase Nginx Ubuntu DDOS but didn't find a thread session this.

Answer 1

I think your conclusion that brute force, SQL injection, and DDoS are the most common types of attacks doesn't include some of the other significant attacks. XSS and CSRF are also notable, (see the OWASP top 10) and without doing detailed research into each type, it would be hard to know which is most prevalent.

General system hardening makes sense first:

1. Only allow public-key based SSH into the system.
2. Limit the inbound connections (as you've done with firewall rules)
3. Ensure each service runs as an isolated user.
4. Limit Unix permissions to the minimum necessary (0700 on directories, 0600 on files).
5. Where possible, remove write permissions to folders (limits possibilities for uploading malicious code)

Note that, since you're using nginx instead of Apache, some of the directives from the .htaccess file supplied by Wordpress should be enacted as equivalent nginx directives: e.g., preventing PHP execution anywhere user files are uploaded, limiting access to sensitive files.

For Wordpress specifically, I would review the Wordpress Hardening Guide. Some specifics come to mind:

1. Use as few plugins as possible, and (if possible) review them for vulnerabilities.
2. Ensure that custom theming does not introduce XSS vulnerabilities.
3. If it's very important, consider a 2FA plugin for Wordpress to minimize the risk from brute force or password reuse.

If you're concerned about application-level DoS attacks, you can rate limit in Nginx.

Without more infrastructure (Cloudflare, Loud Balancers, etc.), you'll be unable to mitigate pure volumetric DDoS -- it's just a fact of the internet that if your attacker has more bandwidth than you do, you will lose. These include attacks like reflected DNS/NTP DDoS, IoT botnets, etc. Basically, any attack that allows the attacker to send more traffic than the internet connection of your host (all the way to the virtual interface on your VPS) can handle. While Digital Ocean and other hosts have considerable bandwidth, your single VPS will quickly be saturated around (or before) 1 Gbps.