## Nginx Hardening Script (Bash)
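#!/usr/bin/env bash
# nginx_hardening.sh - baseline hardening for a Debian/Ubuntu Nginx host.
#
# What it does:
#   1. Updates the system and installs nginx, ufw and fail2ban.
#   2. Writes http-level settings (server_tokens, timeouts, connection and
#      request-rate limits) to /etc/nginx/conf.d/security.conf.
#   3. Writes TLS protocol/cipher settings to /etc/nginx/conf.d/ssl.conf.
#   4. Writes a "deny .ht*" location snippet that each server {} block has
#      to include (location is not valid at http level, so appending it to
#      nginx.conf would fail `nginx -t`).
#   5. Validates the config, restarts nginx, opens SSH/80/443 in ufw and
#      restarts fail2ban.
#
# Usage: sudo ./nginx_hardening.sh
# Requires root. Re-running is safe: files are overwritten, not appended.
set -euo pipefail

readonly SECURITY_CONF=/etc/nginx/conf.d/security.conf
readonly SSL_CONF=/etc/nginx/conf.d/ssl.conf
readonly DENY_HIDDEN_SNIPPET=/etc/nginx/snippets/deny-hidden.conf
# Port sshd listens on; override with SSH_PORT=... if it is not 22.
readonly SSH_PORT="${SSH_PORT:-22}"

#######################################
# Print a message to stderr and exit non-zero.
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Update the package index, upgrade, and install the required packages.
#######################################
install_packages() {
  export DEBIAN_FRONTEND=noninteractive   # never block on dpkg prompts
  apt update
  apt upgrade -y
  apt install -y nginx ufw fail2ban
}

#######################################
# Write http-level hardening directives. conf.d/*.conf is included inside
# http {} by the stock nginx.conf, so server_tokens and limit_* are valid
# here; appended to the end of nginx.conf (after its closing brace) they
# are not.
#######################################
write_security_conf() {
  # Quoted heredoc: $binary_remote_addr is literal, no escaping needed.
  cat > "$SECURITY_CONF" <<'EOF'
# Hide the nginx version in the Server header and on error pages.
server_tokens off;

client_max_body_size 10M;
client_body_timeout 10s;
client_header_timeout 10s;
keepalive_timeout 15s;

# Per-client connection and request-rate zones...
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=5r/s;
# ...and their application. A zone on its own limits nothing; these apply
# to every server. Tune the numbers to the expected traffic.
limit_conn conn_limit 20;
limit_req zone=req_limit burst=10 nodelay;
EOF
}

#######################################
# Write TLS protocol and cipher settings (http level).
#######################################
write_ssl_conf() {
  cat > "$SSL_CONF" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Governs TLS 1.2 only; TLS 1.3 suites are fixed by the OpenSSL build.
ssl_ciphers HIGH:!aNULL:!MD5;
EOF
}

#######################################
# Write a snippet denying access to .htaccess/.htpasswd files.
# `location` is only valid inside server {}, so this file is NOT picked up
# automatically: add `include snippets/deny-hidden.conf;` to every server
# block in /etc/nginx/sites-enabled/*.
#######################################
write_deny_hidden_snippet() {
  mkdir -p "${DENY_HIDDEN_SNIPPET%/*}"
  cat > "$DENY_HIDDEN_SNIPPET" <<'EOF'
location ~ /\.ht {
    deny all;
}
EOF
}

#######################################
# Validate the configuration first so a bad file cannot take the site down.
#######################################
restart_nginx() {
  nginx -t || die "nginx configuration test failed; nginx was not restarted"
  systemctl restart nginx
}

#######################################
# Firewall: allow SSH *before* enabling ufw so a remote session is not
# locked out, then HTTP/HTTPS. --force skips the interactive prompt.
#######################################
configure_firewall() {
  ufw allow "${SSH_PORT}/tcp"
  ufw allow 80,443/tcp
  ufw --force enable
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  install_packages
  write_security_conf
  write_ssl_conf
  write_deny_hidden_snippet
  restart_nginx
  configure_firewall
  systemctl restart fail2ban
  printf 'Nginx security hardening complete!\n'
  printf 'Reminder: add "include snippets/deny-hidden.conf;" to each server {} block and reload nginx.\n'
}

main "$@"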
Usage:
```bash
chmod +x nginx_hardening.sh
sudo ./nginx_hardening.sh
```
## Apache Hardening Script (Bash)
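#!/usr/bin/env bash
# apache_hardening.sh - baseline hardening for a Debian/Ubuntu Apache host.
#
# What it does:
#   1. Updates the system and installs apache2, ufw and fail2ban.
#   2. Sets ServerTokens/ServerSignature/TraceEnable in the packaged
#      conf-available/security.conf, editing existing lines in place so
#      re-runs do not pile up duplicate directives.
#   3. Enables mod_reqtimeout and mod_ssl and writes a TLS protocol/cipher
#      policy.
#   4. Denies access to dotfiles under the document root (the original
#      <Directory /var/www/> Require all denied block denied the whole
#      document root, not just hidden files).
#   5. Validates the config, restarts Apache, opens SSH/80/443 in ufw and
#      restarts fail2ban.
#
# Usage: sudo ./apache_hardening.sh
# Requires root; assumes the Debian/Ubuntu apache2 directory layout.
set -euo pipefail

# Edit the real file, not the conf-enabled/ symlink: `sed -i` on a symlink
# replaces the link with a regular file.
readonly SECURITY_CONF=/etc/apache2/conf-available/security.conf
readonly SSL_CONF=/etc/apache2/conf-available/ssl.conf
readonly APACHE_CONF=/etc/apache2/apache2.conf
# Port sshd listens on; override with SSH_PORT=... if it is not 22.
readonly SSH_PORT="${SSH_PORT:-22}"

#######################################
# Print a message to stderr and exit non-zero.
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Set an Apache directive to a single value, idempotently.
# Arguments: $1 - config file, $2 - directive name, $3 - value
# Rewrites every uncommented occurrence in place, or appends if none.
#######################################
set_directive() {
  local file=$1 name=$2 value=$3
  if grep -qE -- "^[[:space:]]*${name}[[:space:]]" "$file"; then
    sed -i -E "s|^[[:space:]]*${name}[[:space:]].*|${name} ${value}|" "$file"
  else
    printf '%s %s\n' "$name" "$value" >> "$file"
  fi
}

#######################################
# Update the package index, upgrade, and install the required packages.
#######################################
install_packages() {
  export DEBIAN_FRONTEND=noninteractive   # never block on dpkg prompts
  apt update
  apt upgrade -y
  apt install -y apache2 ufw fail2ban
}

#######################################
# Hide version details and disable TRACE. The packaged security.conf
# already carries these directives (e.g. ServerTokens OS), so appending
# would leave contradictory lines; rewrite them instead.
#######################################
harden_server_info() {
  set_directive "$SECURITY_CONF" ServerTokens Prod
  set_directive "$SECURITY_CONF" ServerSignature Off
  set_directive "$SECURITY_CONF" TraceEnable Off
}

#######################################
# mod_reqtimeout bounds how long a client may take to send the request
# header and body (slow-request mitigation); it is not a request-rate limit.
#######################################
enable_request_timeouts() {
  a2enmod reqtimeout
}

#######################################
# Enable mod_ssl and restrict protocols/ciphers server-wide. This does not
# create a TLS VirtualHost: one with SSLEngine on and a certificate is
# still required before HTTPS is actually served.
#######################################
configure_tls() {
  a2enmod ssl
  cat > "$SSL_CONF" <<'EOF'
SSLProtocol -all +TLSv1.2 +TLSv1.3
# Governs TLS 1.2 only; TLS 1.3 suites are fixed by the OpenSSL build.
SSLCipherSuite HIGH:!aNULL:!MD5
EOF
  a2enconf ssl
}

#######################################
# Deny access to dotfiles (.htaccess, .htpasswd, .env, ...). FilesMatch
# tests file names only; hidden *directories* such as .git/ would need a
# DirectoryMatch (take care not to block .well-known/ if ACME is in use).
# A marker comment makes the append idempotent across re-runs.
#######################################
deny_hidden_files() {
  local marker='# apache_hardening: deny dotfiles'
  if grep -qF -- "$marker" "$APACHE_CONF"; then
    return 0
  fi
  printf '%s\n' "$marker" >> "$APACHE_CONF"
  cat >> "$APACHE_CONF" <<'EOF'
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
EOF
}

#######################################
# Validate the configuration first so a bad file cannot take the site down.
#######################################
restart_apache() {
  apachectl configtest || die "apache configuration test failed; apache was not restarted"
  systemctl restart apache2
}

#######################################
# Firewall: allow SSH *before* enabling ufw so a remote session is not
# locked out, then HTTP/HTTPS. --force skips the interactive prompt.
#######################################
configure_firewall() {
  ufw allow "${SSH_PORT}/tcp"
  ufw allow 80,443/tcp
  ufw --force enable
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  install_packages
  harden_server_info
  enable_request_timeouts
  configure_tls
  deny_hidden_files
  restart_apache
  configure_firewall
  systemctl restart fail2ban
  printf 'Apache security hardening complete!\n'
}

main "$@"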
Usage:
```bash
chmod +x apache_hardening.sh
sudo ./apache_hardening.sh
```
## Caddy Hardening Script (Bash)
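#!/usr/bin/env bash
# caddy_hardening.sh - install the Caddy binary (if absent) and write a
# Caddyfile with a restricted TLS policy and security headers.
#
# Usage: sudo ./caddy_hardening.sh [domain]    (default: example.com)
#
# Notes:
#   - The binary is taken from the latest GitHub release tarball. The
#     download is NOT verified here; check it against the checksums and
#     signature published with that release before using it in production.
#   - `caddy start`/`caddy stop` run Caddy detached from systemd and as
#     root; a packaged install with a service unit is preferable for real
#     hosts.
set -euo pipefail

readonly CADDY_BIN=/usr/local/bin/caddy
readonly CADDYFILE=/etc/caddy/Caddyfile
readonly LOG_DIR=/var/log/caddy
readonly RELEASE_API=https://api.github.com/repos/caddyserver/caddy/releases/latest

#######################################
# Print a message to stderr and exit non-zero.
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Download the latest linux_amd64 release tarball and install `caddy` into
# /usr/local/bin. Skipped when a caddy binary is already on PATH. The
# release asset is a .tar.gz (there is no bare caddy_linux_amd64 asset), so
# it is extracted rather than moved into place, and the pattern is pinned
# to the tarball so the .sig/.deb assets are not fetched as well.
#######################################
install_caddy() {
  if command -v caddy >/dev/null 2>&1; then
    printf 'caddy already installed: %s\n' "$(command -v caddy)"
    return 0
  fi
  export DEBIAN_FRONTEND=noninteractive
  apt update
  # Kept from the original; these are only strictly needed for an
  # apt-repository install, which this script does not configure.
  apt install -y debian-keyring debian-archive-keyring apt-transport-https curl

  local url tmpdir
  url=$(curl -fsSL "$RELEASE_API" \
    | grep browser_download_url \
    | grep 'linux_amd64\.tar\.gz"' \
    | cut -d '"' -f 4) || die "could not determine the latest caddy release"
  [[ -n "$url" && "$url" != *$'\n'* ]] || die "unexpected release asset list: $url"

  tmpdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$tmpdir"' EXIT
  curl -fsSL -o "$tmpdir/caddy.tar.gz" "$url"
  # TODO: verify "$tmpdir/caddy.tar.gz" against the release checksums/.sig
  # before installing.
  tar -xzf "$tmpdir/caddy.tar.gz" -C "$tmpdir" caddy
  install -m 0755 "$tmpdir/caddy" "$CADDY_BIN"
}

#######################################
# Write the Caddyfile for the given hostname.
# Arguments: $1 - site hostname
# - TLS is limited to 1.2/1.3 using Caddy's default cipher suites; the
#   OpenSSL-style `ciphers X25519:CHACHA20-POLY1305:...` line from the
#   original is not valid Caddyfile syntax and fails validation.
# - HSTS with `preload` commits the domain and all subdomains to HTTPS for
#   two years and is hard to undo; drop `preload` if that is not intended.
#######################################
write_caddyfile() {
  local domain=$1
  mkdir -p "${CADDYFILE%/*}" "$LOG_DIR"
  cat > "$CADDYFILE" <<EOF
${domain} {
    root * /var/www/html
    file_server
    tls {
        protocols tls1.2 tls1.3
    }
    header {
        Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin"
    }
    log {
        output file ${LOG_DIR}/access.log
    }
}
EOF
}

#######################################
# Validate the config, then (re)start Caddy with it. Without --config,
# `caddy start` looks for a Caddyfile in the current directory, not in
# /etc/caddy. `caddy stop` fails when nothing is running (first run).
#######################################
restart_caddy() {
  caddy validate --config "$CADDYFILE" || die "Caddyfile failed validation; caddy was not started"
  caddy stop 2>/dev/null || true   # no running instance on a first run
  caddy start --config "$CADDYFILE"
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  local domain=${1:-example.com}
  install_caddy
  write_caddyfile "$domain"
  restart_caddy
  printf 'Caddy security hardening complete for %s!\n' "$domain"
}

main "$@"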
Usage:
```bash
chmod +x caddy_hardening.sh
sudo ./caddy_hardening.sh
```
## IIS Hardening Script (PowerShell)
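# iis_hardening.ps1 - disable legacy TLS protocols and RC4 ciphers in
# SCHANNEL, move IIS logs to a dedicated directory, and restart IIS.
#
# Run from an elevated PowerShell:
#   powershell -ExecutionPolicy Bypass -File iis_hardening.ps1
#
# Caveat: SCHANNEL registry changes are only picked up after a reboot.
# Restart-Service W3SVC applies the log-path change, not the TLS policy.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$SchannelRelative = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$SchannelPath     = "HKLM:\$SchannelRelative"
$LogDir           = 'D:\IIS_Logs'   # assumes a D: volume exists; adjust if not

# Disable one SCHANNEL protocol on the server side.
# The Protocols\<name>\Server keys do not exist on a default install, so the
# key is created first (Set-ItemProperty on a missing key throws). Values
# are written as REG_DWORD; DisabledByDefault=1 is set alongside Enabled=0.
function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'TLS 1.0'
    $key = Join-Path $SchannelPath "Protocols\$Protocol\Server"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Disable one SCHANNEL cipher.
# Cipher key names contain '/', which the registry provider parses as a
# path separator (so -Path '...\Ciphers\RC4 128/128' addresses a key named
# '128' under 'RC4 128'). The .NET registry API treats '/' literally.
function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string]$Cipher)   # e.g. 'RC4 128/128'
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelRelative\Ciphers\$Cipher")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    finally {
        $key.Close()
    }
}

# Disable weak TLS versions
Disable-SchannelProtocol -Protocol 'TLS 1.0'
Disable-SchannelProtocol -Protocol 'TLS 1.1'

# Disable weak ciphers
Disable-SchannelCipher -Cipher 'RC4 128/128'
Disable-SchannelCipher -Cipher 'RC4 64/128'

# Set log path (Set-WebConfigurationProperty comes from WebAdministration)
Import-Module WebAdministration
New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' `
    -filter 'system.applicationHost/sites/siteDefaults/logFile' `
    -name directory -value $LogDir

# Restart IIS
Restart-Service W3SVC
Write-Host 'IIS security hardening complete!'
Write-Warning 'A reboot is required before the SCHANNEL protocol/cipher changes take effect.'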
Usage:
```powershell
powershell -ExecutionPolicy Bypass -File iis_hardening.ps1
```
## Bonus: Fail2Ban for Nginx &amp; Apache (Linux)
Fail2Ban protects against brute-force attacks. Here's a quick setup:
# Install Fail2Ban, then enable it at boot and start it right away.
sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban
Fail2Ban Jail for Apache & Nginx
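# Write a local jail override. jail.local takes precedence over the packaged
# jail.conf, so the shipped file stays untouched. `sudo tee` keeps the write
# privileged: with `sudo cat > file` the redirection is opened by the
# unprivileged shell and fails.
# Enable only the jail for the server actually installed: fail2ban refuses
# to start a jail whose logpath does not exist.
sudo tee /etc/fail2ban/jail.local >/dev/null <<'EOF'
[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
logpath  = /var/log/nginx/error.log
maxretry = 3
bantime  = 600

[apache-auth]
enabled  = true
filter   = apache-auth
logpath  = /var/log/apache2/error.log
maxretry = 3
bantime  = 600
EOF

# Test the configuration before restarting so a typo does not leave
# Fail2Ban down.
sudo fail2ban-client -t
sudo systemctl restart fail2ban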
## Summary: Automated Hardening

| Server | Hardening Script |
|---|---|
| Nginx | nginx_hardening.sh |
| Apache | apache_hardening.sh |
| Caddy | caddy_hardening.sh |
| IIS | iis_hardening.ps1 |