Close access to files that may be of high interest:

            location ~ /.svn/ {
               deny all;
            }
    

    You can allow/deny access to files only from certain ip-addresses using allow and deny directives:

      location /server-status {
          allow 111.111.111.111;
          allow 11.11.11.11;
                deny all;
      }
    

    You can also use directives auth_basic and auth_basic_user_file to differentiate access to files - in this case user will have to enter login/password for access:

      location /admin/ {
          auth_basic "Enter password to access";
          auth_basic_user_file /etc/nginx/basic.auth;
      }
    

    You can also combine these two methods:

      location /admin/ {
          satisfy any;
          allow 111.111.111.111;
          allow 11.11.11.11;
          deny all;
    
          auth_basic "Enter password to access";
          auth_basic_user_file /etc/nginx/basic.auth;
      }
    

    To protect against requests to non-existent files on Nginx you can do the following:

            location ~\.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar)$ {
               try_files $uri =404;
            }
    

    After that we restart Nginx with one of the commands:

    systemctl reload nginx  
    service nginx reload  
    

    Depending on the specific IP address, Nginx can perform actions such as redirecting:

    location / {  
    
        if ($remote_addr != 111.111.111.111) {
            return 301 https://$host$request_uri;
        }
    
    }
    
    • In this example we redirect all visitors to the path https://$host$request_uri, except requests from IP-address 111.111.111.111.

    Protection against password brute-forcing can be arranged using iptables:

    Blocking IP for a time if the number of requests per second exceeds a reasonable amount

    iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW  
                -m recent --name bhttp --set
    iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW  
                -m recent --name bhttp --update --seconds 120
                --hitcount 360 -j DROP
    iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -j ACCEPT