Sunday, December 20, 2009

HOWTO : Highest secured Hiawatha Web Server 6.19 on Ubuntu 9.10 Server

Hiawatha is a web server equipped with a lot of security features. It has been developed by Hugo Leisink since 2002.

Hiawatha supports PHP, Perl, Python and Ruby. It is a lightweight, fast and security-focused web server.

Installation of Linux, Hiawatha, MySQL and PHP - LHMP

Step 0 - Install Ubuntu 9.10

Install Ubuntu 9.10 Server and OpenSSH. If your web application needs to send email, install a mail server as well.

Make sure you have run the following commands at the terminal (or console).

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


If the kernel or kernel modules have been updated, you should reboot your computer/server.

Step 1 - Install PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

*Note : Some of these modules, such as php5-sqlite and php5-snmp, may not be required. Install only the ones your web application needs; every loaded extension is extra attack surface.

Step 2 - Install Hiawatha

Download the current Hiawatha release, 6.19 at the time of writing. Root is not needed for the download or the build, so do this as a normal user.

wget http://www.hiawatha-webserver.org/files/hiawatha-6.19.tar.gz
tar -xzvf hiawatha-6.19.tar.gz
cd hiawatha-6.19


Install the required dependencies.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

In the hiawatha-6.19 directory, build the Hiawatha deb package.

./configure
make deb


The deb package is created in the parent directory (your home directory, e.g. /home/samiux, if you unpacked the tarball there). You can install it now.

cd ..

For 64-bit system :
sudo dpkg -i hiawatha_6.19_amd64.deb

For 32-bit system :
sudo dpkg -i hiawatha_6.19_i386.deb

Step 3 - Configure PHP5

Edit the php.ini.

sudo nano /etc/php5/cgi/php.ini

Set the following directives:

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd


*Note : Some PHP applications require safe_mode = Off. Do not rely on safe_mode in any case: it was never a real security boundary, it is deprecated as of PHP 5.3 and removed in PHP 5.4. The disable_functions line and the OS-level controls below (cgi-wrapper, AppArmor) are what actually limit what a compromised script can do. Note also that popen and proc_open are not in the disable_functions list above and spawn processes just as exec does; add them unless your application needs them. escapeshellarg and escapeshellcmd, on the other hand, only escape strings and disabling them gains nothing.

Edit Hiawatha's php-fcgi.conf.

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line (php5-cgi will listen on 127.0.0.1:2005 and run as www-data).
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you change php-fcgi.conf, restart it with the following commands.

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf


Step 4 - Configure Hiawatha

Edit the file hiawatha.conf.

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.
ServerId = www-data

Add the following lines under GENERAL SETTINGS. LogFormat = extended gives an Apache-compatible log format; ExploitLogfile records the requests blocked by the Prevent* options; ServerString only changes the Server response header, so it hides the software name from casual scanners but is not a security control.
LogFormat = extended
ExploitLogfile = /var/log/hiawatha/exploit.log
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper


Uncomment the following entries at BINDING SETTINGS.
Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}


Uncomment all the entries under BANNING SETTINGS. The BanOn* values are ban durations in seconds (0 disables that ban); BanOnFlooding = 10/1:15 bans a client for 15 seconds if it sends more than 10 requests within 1 second; KickOnBan closes the other open connections of a banned client and RebanDuringBan restarts the ban timer if the client keeps trying. BanlistMask = allow 192.168.0.0/24 exempts that network from banning.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24


*Note : Change BanlistMask to match your own management network, or remove it if nothing should be exempt from banning.

Uncomment the CGIhandler lines for the interpreters you actually use and the CGIextension line. Every enabled handler is one more way to run code on the server, so leave the ones you do not need commented out.
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi


Uncomment all the entries of FastCGIserver and set ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}


Optional - Create the following lines under URL TOOLKIT.

UrlToolkit {
   ToolkitID = CMS_common
   RequestURI isfile Return
   RequestURI exists Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}


*Note : UrlToolkit is Hiawatha's equivalent of Apache's mod_rewrite. The rules above pass existing files and directories through untouched and route every other request to /index.php, keeping the query string, which is what most front-controller style CMSes expect.

Create a VirtualHost for your site.

VirtualHost {
   Hostname = samiux.blogspot.com
   #Alias = /php_my_admin:/usr/share/phpmyadmin
   WebsiteRoot = /var/www/blog
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/blog_access.log
   ErrorLogfile = /var/log/hiawatha/blog_error.log
   TimeForCGI = 5
   #UseFastCGI = PHP5
   UseToolkit = CMS_common
   ExecuteCGI = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   DenyBot = taptubot:/
   WrapCGI = jail
}


Configure cgi-wrapper.conf.
sudo nano /etc/hiawatha/cgi-wrapper.conf

Make changes to the file.
CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi


Wrap = jail ; /var/www ; www-data:www-data

*Note : The Wrap line defines the jail named by WrapCGI in the VirtualHost: CGI processes for that host are chrooted into /var/www and run as www-data:www-data. DenyBot entries are optional; enable them if you do not want spiders and bots to crawl your site, and treat the list above as an example only. DenyBot matches on the User-Agent header, which any client can set, so it only keeps out crawlers that identify themselves honestly. UseToolkit is also optional.

Make sure /var/log/hiawatha exists and is owned by www-data, since Hiawatha writes its log files as that user.

If not, fix the ownership:
sudo chown -R www-data:www-data /var/log/hiawatha

Restart Hiawatha.
sudo /etc/init.d/hiawatha restart

Now make sure blog_access.log and blog_error.log (the names used in the VirtualHost above) are owned by www-data. If not, fix them:

sudo chown www-data:www-data /var/log/hiawatha/blog_*.log

Step 5 - Configure AppArmor (to confine Hiawatha further)

Create Apparmor profile for Hiawatha.
sudo aa-genprof hiawatha

Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Make the entries look like this.
# Last Modified: Thu Oct 1 10:00:57 2009
#include <tunables/global>

/usr/sbin/hiawatha {
   #include <abstractions/base>

   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,

   network inet tcp,

   /bin/dash rix,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /etc/php5/cgi/php.ini r,
   /etc/php5/conf.d/ r,
   /etc/php5/conf.d/**.ini r,
   /etc/phpmyadmin/** r,
   /etc/postfix/**.cf r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /usr/bin/php5-cgi rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/hiawatha mr,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/dbconfig-common/** r,
   /usr/share/file/magic.mime r,
   /usr/share/mysql/charsets/Index.xml r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /usr/share/zoneinfo/ r,
   owner /var/lib/** rwk,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/* r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid rw,
   owner /var/spool/postfix/maildrop/** rw,
   /var/spool/postfix/public/pickup w,
   /var/www/ r,
   /var/www/** rw,
}


* This assumes you are using Postfix for outgoing mail; drop the postfix and sendmail lines otherwise. Two entries deserve a second look before you keep them: /var/www/** rw lets the server, and anything it executes under this profile (php5-cgi and cgi-wrapper run with ix, so they inherit it), write anywhere in the document root; restrict write access to the upload or cache directories your application actually needs. /bin/dash rix likewise lets a confined process run a shell; remove it if nothing you serve needs one (PHP's mail() invokes sendmail through a shell, so keep it if you rely on that).

Make the profile in enforce mode (active).
sudo aa-enforce hiawatha

If you change the profile, reload it.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled.
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Step 6 - Improve the security of CGI-Wrapper

Now your Hiawatha is already quite secure, but I would like to make it more secure. cgi-wrapper is installed setuid root; replacing the setuid bit with file capabilities means it starts with only CAP_SETUID and CAP_SETGID instead of the full set of root capabilities. Keep in mind that CAP_SETUID still allows switching to uid 0, so this limits rather than removes the impact of a bug in the wrapper, and that reinstalling or upgrading the package replaces the binary, so repeat this step after every upgrade.

sudo apt-get install libcap2-bin

Apply Capabilities on cgi-wrapper.
sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper


Check the result with getcap:

sudo getcap /usr/sbin/cgi-wrapper

It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep

Step 7 - Logwatch configuration

Configure Logwatch as described in the Ubuntu 9.04 Logwatch post further down this page; the steps are the same on 9.10.

Reference :
Hiawatha Manual
Hiawatha Features
AppArmor

Known Issue
Alias does not work with this configuration so far (note that the aliased /usr/share/phpmyadmin lies outside the /var/www jail used by WrapCGI).

That's all.  See you!

Thursday, October 1, 2009

HOWTO : Highest secured Hiawatha Web Server (6.17.1) on Ubuntu 9.04 Server

What is Hiawatha?

Hiawatha is a web server that has been developed by Hugo Leisink since 2002. Hiawatha is not as well known as Apache; however, it has some unique features that Apache lacks. Apache needs extra modules for security work, such as mod_security and mod_rewrite; in Hiawatha these are built in. She can ban bad traffic and bad activities on your web server. Her footprint is also small, about 130 KB, surprise?! She is the default web server for Austrumi and Puppy Linux.

Although the user manual at her official site is not detailed enough (at the time of this writing), she is quite easy to configure and runs fine on a production server. There appears to be a bug in cgi-wrapper in Hiawatha 6.17.1 which requires a small change to the source code to work around (shown in Step 2).

Hiawatha runs MySQL and PHP fine in CGI mode. It can run on Windows too (not yet tried). This tutorial shows how to configure Hiawatha to work with MySQL and PHP.

Installation of Linux, Hiawatha, MySQL and PHP - LHMP

Step 0 - Install Ubuntu 9.04

Install Ubuntu 9.04 Server and OpenSSH. If your web application needs to send email, install a mail server as well.

Make sure you have run the following commands at the terminal (or console).

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


If the kernel or kernel modules have been updated, you should reboot your computer/server.

Step 1 - Install PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

*Note : Some of these modules, such as php5-sqlite and php5-snmp, may not be required. Install only the ones your web application needs.

Step 2 - Install Hiawatha

Download the current Hiawatha release, 6.17.1 at the time of writing. Root is not needed for the download or the build, so do this as a normal user.

wget http://www.hiawatha-webserver.org/files/hiawatha-6.17.1.tar.gz
tar -xzvf hiawatha-6.17.1.tar.gz
cd hiawatha-6.17.1


Install the required dependencies.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

Fix the cgi-wrapper bug in Hiawatha.
nano cgi-wrapper.c

At line 103, just below rest = uncomment(line);, add the following lines so that a line which is empty once comments are stripped is skipped instead of being parsed:

if (*rest == '\0') {
   continue;   /* nothing left on this line after uncomment(); skip it */
}


In the hiawatha-6.17.1 directory, build the Hiawatha deb package.

./configure
make deb


The deb package is created in the parent directory (your home directory, e.g. /home/samiux, if you unpacked the tarball there). You can install it now.

cd ..

For 64-bit system :
sudo dpkg -i hiawatha_6.17.1_amd64.deb

For 32-bit system :
sudo dpkg -i hiawatha_6.17.1_i386.deb

Step 3 - Configure PHP5

Edit the php.ini.

sudo nano /etc/php5/cgi/php.ini

Set the following directives:

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd


*Note : Some PHP applications require safe_mode = Off.

Edit Hiawatha's php-fcgi.conf.

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you change php-fcgi.conf, restart it with the following commands.

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf


Step 4 - Configure Hiawatha

Edit the file hiawatha.conf.

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.
ServerId = www-data

Add the following lines under GENERAL SETTINGS (LogFormat = extended gives an Apache-compatible log format).
LogFormat = extended
CGIwrapper = /usr/sbin/cgi-wrapper


Uncomment the following entries at BINDING SETTINGS.
Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}


Uncomment all the entries at BANNING SETTINGS.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24


*Note : Change BanlistMask to match your own network; the listed range is exempt from banning.

Uncomment the CGIhandler lines you need (here perl and php5-cgi) and the CGIextension line; leave the interpreters you do not use commented out.
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi


Uncomment all the entries of FastCGIserver and set ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}


Optional - Create the following lines under URL TOOLKIT.

UrlToolkit {
   ToolkitID = CMS_common
   RequestURI isfile Return
   RequestURI exists Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}


*Note : UrlToolkit is similar to Apache's mod_rewrite.

Create a VirtualHost for your site.

VirtualHost {
   Hostname = samiux.blogspot.com
   #Alias = /php_my_admin:/usr/share/phpmyadmin
   WebsiteRoot = /var/www/blog
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/blog/access.log
   ErrorLogfile = /var/log/hiawatha/blog/error.log
   TimeForCGI = 5
   #UseFastCGI = PHP5
   UseToolkit = CMS_common
   ExecuteCGI = yes
   PreventCMDi = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   WrapCGI = jail
}


Configure cgi-wrapper.conf.
sudo nano /etc/hiawatha/cgi-wrapper.conf

Make changes to the file.
CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
#CGIhandler = /usr/bin/python
#CGIhandler = /usr/bin/ruby
#CGIhandler = /usr/bin/ssi-cgi


Wrap = jail ; /var/www ; www-data:www-data

*Note : Some CMSes do not work well with PreventCMDi = yes. DenyBot entries are optional; enable them if you do not want spiders and bots to crawl your site, and treat the list above as an example only. UseToolkit is also optional.

Make sure /var/log/hiawatha/blog (the example directory used in the VirtualHost above) exists and is owned by www-data, since Hiawatha writes its log files as that user.

If not, create it and fix the ownership:
sudo chown -R www-data:www-data /var/log/hiawatha/blog

Restart Hiawatha.
sudo /etc/init.d/hiawatha restart

Now make sure access.log and error.log are owned by www-data. If not, fix them:

sudo chown www-data:www-data /var/log/hiawatha/blog/*

Step 5 - Configure AppArmor (to confine Hiawatha further)

Create Apparmor profile for Hiawatha.
sudo aa-genprof hiawatha

Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Make the entries look like this.
# Last Modified: Thu Oct 1 10:00:57 2009
#include <tunables/global>

/usr/sbin/hiawatha {
   #include <abstractions/base>

   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,

   network inet tcp,

   /bin/dash rix,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /etc/php5/cgi/php.ini r,
   /etc/php5/conf.d/ r,
   /etc/php5/conf.d/**.ini r,
   /etc/phpmyadmin/** r,
   /etc/postfix/**.cf r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /usr/bin/php5-cgi rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/hiawatha mr,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/dbconfig-common/** r,
   /usr/share/file/magic.mime r,
   /usr/share/mysql/charsets/Index.xml r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /usr/share/zoneinfo/ r,
   owner /var/lib/** rwk,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/* r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid rw,
   owner /var/spool/postfix/maildrop/** rw,
   /var/spool/postfix/public/pickup w,
   /var/www/ r,
   /var/www/** rw,
}


* This assumes you are using Postfix for outgoing mail; drop the postfix and sendmail lines otherwise.

Make the profile in enforce mode (active).
sudo aa-enforce hiawatha

If you change the profile, reload it.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled.
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Step 6 - Improve the security of CGI-Wrapper

Now your Hiawatha is already quite secure, but I would like to make it more secure by replacing cgi-wrapper's setuid-root bit with the two capabilities it actually needs.

sudo apt-get install libcap2-bin

Apply Capabilities on cgi-wrapper.
sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper


Check the result with getcap:

sudo getcap /usr/sbin/cgi-wrapper

It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep

Reference :
Hiawatha Manual
Hiawatha Features
AppArmor

Known Issue
Alias does not work with this configuration so far.

That's all.  See you!

Sunday, September 20, 2009

HOWTO : Logwatch for Hiawatha on Ubuntu 9.04 Server

Logwatch reads your log files and alerts you about unusual entries. It works out of the box for Apache; however, Hiawatha's log directory differs from Apache's, so logwatch needs some extra configuration to read Hiawatha's log files.

Step 0 :

Install logwatch.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install logwatch


Step 1 :

Change the logwatch configuration so that it sends you the report by email. The file under /usr/share/logwatch/default.conf is the packaged default and is overwritten on upgrade; logwatch also reads /etc/logwatch/conf/logwatch.conf, which is the place for local overrides if you want them to survive upgrades.

sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Change the settings of the following lines.

Output = mail
Format = html
MailTo = samiux@gmail.com


Step 2 :

Change the setting in the daily cron job as well.

sudo nano /etc/cron.daily/00logwatch

Make the entry look like this.

/usr/sbin/logwatch --mailto samiux@gmail.com

Step 3 :

Make logwatch read the Hiawatha log files. The same override rule applies: a copy at /etc/logwatch/conf/logfiles/http.conf survives package upgrades.

sudo nano /usr/share/logwatch/default.conf/logfiles/http.conf

Add the following lines on the appropriate sections.

LogFile = hiawatha/*access.log
LogFile = hiawatha/*access.log.1
LogFile = hiawatha/*error.log
LogFile = hiawatha/*error.log.1
LogFile = hiawatha/*system.log
LogFile = hiawatha/*system.log.1
LogFile = hiawatha/*garbage.log
LogFile = hiawatha/*garbage.log.1
LogFile = hiawatha/*php-fcgi.log
LogFile = hiawatha/*php-fcgi.log.1

Archive = hiawatha/*access.log.*.gz
Archive = hiawatha/*error.log.*.gz
Archive = hiawatha/*system.log.*.gz
Archive = hiawatha/*garbage.log.*.gz
Archive = hiawatha/*php-fcgi.log.*.gz


See also (Hiawatha 6.17.1 installation) :
Samiux's Blog
or
Almost Secure and Perfect Ubuntu Server

That's all. See you!

Tuesday, September 15, 2009

HOWTO : Most secure web server (Hiawatha 6.17.1) on Ubuntu 9.04 Server

What is Hiawatha?

Hiawatha is a web server that has been developed by Hugo Leisink since 2002. Hiawatha is not as well known as Apache; however, it has some unique features that Apache lacks. Apache needs extra modules for security work, such as mod_security and mod_rewrite; in Hiawatha these are built in. She can ban bad traffic and bad activities on your web server. Her footprint is also small, about 130 KB, surprise?! She is the default web server for Austrumi and Puppy Linux.

Although the user manual at her official site is not detailed enough (at the time of this writing), she is quite easy to configure and runs fine on a production server. There appears to be a bug in cgi-wrapper in Hiawatha 6.17.1: it cannot be configured to run PHP5 in cgi-wrapper mode at the moment. Perl, however, works without problems.

Hiawatha runs MySQL and PHP fine in CGI mode. It can run on Windows too (not yet tried). This tutorial shows how to configure Hiawatha to work with MySQL and PHP.

Installation of Linux, Hiawatha, MySQL and PHP - LHMP

Step 0 - Install Ubuntu 9.04

Install Ubuntu 9.04 Server and OpenSSH. If your web application needs to send email, install a mail server as well.

Make sure you have run the following commands at the terminal (or console).

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


If the kernel or kernel modules have been updated, you should reboot your computer/server.

Step 1 - Install PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

*Note : Some of these modules, such as php5-sqlite and php5-snmp, may not be required. Install only the ones your web application needs.

Step 2 - Install Hiawatha

Download the current Hiawatha release, 6.17.1 at the time of writing. Root is not needed for the download or the build, so do this as a normal user.

wget http://www.hiawatha-webserver.org/files/hiawatha-6.17.1.tar.gz
tar -xzvf hiawatha-6.17.1.tar.gz
cd hiawatha-6.17.1


Install the required dependencies.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

In the hiawatha-6.17.1 directory, build the Hiawatha deb package.

./configure
make deb


The deb package is created in the parent directory (your home directory, e.g. /home/samiux, if you unpacked the tarball there). You can install it now.

cd ..

For 64-bit system :
sudo dpkg -i hiawatha_6.17.1_amd64.deb

For 32-bit system :
sudo dpkg -i hiawatha_6.17.1_i386.deb

Step 3 - Configure PHP5

Edit the php.ini.

sudo nano /etc/php5/cgi/php.ini

Set the following directives:

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd


*Note : Some PHP applications require safe_mode = Off.

Edit Hiawatha's php-fcgi.conf.

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you change php-fcgi.conf, restart it with the following commands.

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf


Step 4 - Configure Hiawatha

Edit the file hiawatha.conf.

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.
ServerId = www-data

Add the following line under GENERAL SETTINGS (LogFormat = extended gives an Apache-compatible log format).
LogFormat = extended

Uncomment the following entries at BINDING SETTINGS.
Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}


Uncomment all the entries at BANNING SETTINGS.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24


*Note : Change BanlistMask to match your own network; the listed range is exempt from banning. BanOnSQLi = 0 means clients are not banned when SQL injection is detected; the newer posts above set it to 60 seconds.

Uncomment php5-cgi and CGIextension lines.
#CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi


Uncomment all the entries of FastCGIserver and set ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}


Optional - Create the following lines under URL TOOLKIT.

UrlToolkit {
   ToolkitID = CMS_common
   RequestURI isfile Return
   RequestURI exists Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}


*Note : UrlToolkit is similar to Apache's mod_rewrite.

Create a VirtualHost for your site.

VirtualHost {
   Hostname = samiux.blogspot.com
   Alias = /php_my_admin:/usr/share/phpmyadmin
   WebsiteRoot = /var/www/blog
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/blog/access.log
   ErrorLogfile = /var/log/hiawatha/blog/error.log
   TimeForCGI = 5
   UseFastCGI = PHP5
   UseToolkit = CMS_common
   ExecuteCGI = yes
   PreventCMDi = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
}


*Note : Some CMSes do not work well with PreventCMDi = yes. DenyBot entries are optional; enable them if you do not want spiders and bots to crawl your site, and treat the list above as an example only. UseToolkit is also optional.

Make sure /var/log/hiawatha/blog (the example directory used in the VirtualHost above) exists and is owned by www-data, since Hiawatha writes its log files as that user.

If not, create it and fix the ownership:
sudo chown -R www-data:www-data /var/log/hiawatha/blog

Restart Hiawatha.
sudo /etc/init.d/hiawatha restart

Now make sure access.log and error.log are owned by www-data. If not, fix them:

sudo chown www-data:www-data /var/log/hiawatha/blog/*
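The directory and ownership checks above (and the same step in the newer posts on this page) are easy to get wrong after a config change, because every *Logfile path in hiawatha.conf has to exist and be owned by the ServerId user before the restart. The script below is an added example, not part of the original post, that reads those paths out of the configuration and fixes or reports them in one go. The hiawatha.conf it is tested against is a constructed sample; the only assumption it makes about your paths is that they contain no whitespace.

```shell
#!/bin/sh
# Added example, not part of the original post: before restarting Hiawatha,
# make sure every log file named in hiawatha.conf exists and is owned by the
# ServerId user, since Hiawatha writes its logs as that user after dropping
# root.  Usage (as root): preflight_logs /etc/hiawatha/hiawatha.conf www-data

# Print the value of every uncommented *Logfile directive (AccessLogfile,
# ErrorLogfile, ExploitLogfile, SystemLogfile, ...) in the configuration.
# Lines starting with '#' never match because the pattern is anchored at
# the line start and only allows letters before "Logfile".
logfile_paths() {
    sed -n -e 's/^[[:space:]]*[A-Za-z]*Logfile[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed -e 's/[[:space:]]*$//'
}

# Owner name of a file (GNU stat first, BSD stat as fallback).
file_owner() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# Create missing directories and files, hand them to user $2 and report
# anything still owned by someone else.  Paths are assumed to contain no
# whitespace.  Returns non-zero if any log would be unwritable by $2.
preflight_logs() {
    _conf=$1; _user=$2; _rc=0
    for _log in $(logfile_paths "$_conf"); do
        _dir=$(dirname "$_log")
        [ -d "$_dir" ] || mkdir -p "$_dir"
        [ -e "$_log" ] || : > "$_log"
        chown "$_user" "$_log" 2>/dev/null   # silently fails when not root
        if [ "$(file_owner "$_log")" != "$_user" ]; then
            echo "NOT OWNED BY $_user: $_log"; _rc=1
        else
            echo "ok: $_log"
        fi
    done
    return $_rc
}
```

Run it as root right before /etc/init.d/hiawatha restart; a non-zero exit status means at least one log file would still be unwritable by www-data.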

Step 5 - Configure AppArmor (to confine Hiawatha further)

Create Apparmor profile for Hiawatha.
sudo aa-genprof hiawatha

Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Make the entries look like this.

# Last Modified: Tue Sep 1 10:28:15 2009
#include <tunables/global>


/usr/sbin/hiawatha {
   #include <abstractions/base>


   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,


   network inet tcp,

   /etc/group r,
   /etc/hiawatha/** r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /usr/bin/php5-cgi rix,
   /usr/sbin/cgi-wrapper mr,
   /usr/sbin/hiawatha mr,
   /usr/share/dbconfig-common/** r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /var/lib/** r,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/* r,
   /var/log/hiawatha/** rw,
   /var/log/hiawatha/blog/* r,
   /var/log/hiawatha/blog/** a,
   /var/run/hiawatha.pid w,
   /var/www/ r,
   /var/www/** rw,
}


Make the profile in enforce mode (active).
sudo aa-enforce hiawatha

If you change the profile, reload it.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled.
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Step 6 - Configure CGI-Wrapper

To be continued ....

Reference :
Hiawatha Manual
Hiawatha Features
AppArmor

That's all. See you!

Sunday, August 30, 2009

HOWTO : Hiawatha 6.16 web server on Ubuntu 9.04 Server

Hiawatha is a web server developed by Hugo Leisink, who has a strong interest in IT security. It is designed with security in mind. It comes with Cross-site Scripting (XSS) prevention, Cross-site Request Forgery (CSRF) prevention, DoS/flooding protection and SQL injection prevention.

It works with PHP and MySQL, so LAMP (Linux, Apache, MySQL and PHP) becomes LHMP (Linux, Hiawatha, MySQL and PHP).

Step 0 :

Install Ubuntu 9.04 Server and OpenSSH as usual. Make sure to run the following.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


Step 1 :

Download Hiawatha, the current version at the time of writing being 6.16, from http://www.hiawatha-webserver.org/download. Root is not needed for the download or the build, so do this as a normal user.

wget http://www.hiawatha-webserver.org/files/hiawatha-6.16.tar.gz
tar -xzvf hiawatha-6.16.tar.gz
cd hiawatha-6.16


Install the build dependencies, then configure and build the deb package. Only the apt-get step needs root; building as root is unnecessary and gives a buggy or malicious build script the run of the system.

sudo apt-get install build-essential libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev


./configure
make deb


The deb package is created in the parent directory (e.g. /home/samiux). Install it with:

sudo dpkg -i hiawatha_6.16_amd64.deb

or
sudo dpkg -i hiawatha_6.16_i386.deb


Step 2 :

Install mysql and php5.

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl


Enter a password for the MySQL root user when prompted and keep it somewhere safe; you will need it later.

Step 3 :

sudo nano /etc/hiawatha/php-fcgi.conf


Uncomment the following line :

Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data


Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf


To stop it, use -k:

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf


*php-fcgi must be running; otherwise PHP pages cannot be served.

Step 4 :

sudo nano /etc/hiawatha/hiawatha.conf


Uncomment ServerId at GENERAL SETTINGS.

ServerId = www-data


Uncomment the following entries at BINDING SETTINGS.

Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}


Uncomment all the entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24


Uncomment all the entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php,php5
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi


Uncomment all the entries of FastCGIserver and rename ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}


Uncomment all the entries of URL TOOLKIT.

UrlToolkit {
   ToolkitID = banshee
   RequestURI isfile Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}


Uncomment all the entries of VIRTUAL HOSTS and alter them where necessary.

VirtualHost {
   Hostname = www.samiux.com
   WebsiteRoot = /var/www/www.samiux.com
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 5
   UseFastCGI = PHP5
   UseToolkit = banshee
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
}


This assumes your domain name is samiux.com and the site lives in /var/www/www.samiux.com.

Step 5 :

sudo nano /etc/php5/cgi/php.ini


Change the following line to Off.

allow_url_fopen = Off
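The newer posts above extend this step to display_errors, log_errors, expose_php, enable_dl and a disable_functions list. The script below is an added example, not part of the original post, that audits a php.ini against that whole set so the result can be re-checked after every edit or package upgrade. Two things in it go beyond the posts' own list and are my additions: it also requires allow_url_include = Off, and it treats popen, proc_open and pcntl_exec as functions that must be disabled, since they spawn processes just as exec does. safe_mode is deliberately not checked (deprecated as of PHP 5.3, removed in 5.4, and never a real boundary). The php.ini it is tested against is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original posts: audit a php.ini against the
# hardening values the posts on this page set by hand.
# Usage: audit_php_ini /etc/php5/cgi/php.ini   (exit status 0 = all checks pass)

# Effective value of directive $2 in php.ini $1: the last uncommented
# "name = value" line wins, as in PHP.  Prints nothing if it is unset.
# Comment lines start with ';' and therefore never match the anchored pattern.
ini_get() {
    sed -n -e 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Given a disable_functions value ($1, comma separated) and a space-separated
# list of function names ($2), print the names that are NOT disabled.
missing_disabled() {
    _have=$(printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    for _f in $2; do
        printf '%s\n' "$_have" | grep -qx -- "$_f" || printf '%s ' "$_f"
    done
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# One line per weak or missing setting; returns 0 only when everything passes.
audit_php_ini() {
    _ini=$1; _rc=0
    # directive:expected pairs; allow_url_include is an addition of this example
    for _pair in display_errors:Off log_errors:On allow_url_fopen:Off \
                 allow_url_include:Off expose_php:Off enable_dl:Off; do
        _key=${_pair%%:*}; _want=${_pair#*:}
        _got=$(ini_get "$_ini" "$_key")
        if [ "$(lower "$_got")" != "$(lower "$_want")" ]; then
            echo "WEAK: $_key = '${_got:-<unset>}' (want $_want)"; _rc=1
        fi
    done
    # The posts' list minus the harmless escapeshell* helpers, plus the
    # process-spawning functions (popen, proc_open, pcntl_exec) the posts leave enabled.
    _miss=$(missing_disabled "$(ini_get "$_ini" disable_functions)" \
        "system exec shell_exec passthru popen proc_open pcntl_exec dl show_source symlink phpinfo")
    if [ -n "$_miss" ]; then echo "WEAK: disable_functions lacks: $_miss"; _rc=1; fi
    return $_rc
}
```

Because PHP takes the last occurrence of a directive, the audit does too; a hardened value that is later overridden by a second line further down the file is reported as weak, which is exactly the case a quick grep tends to miss.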


Step 6 :

Restart the Hiawatha.

sudo /etc/init.d/hiawatha restart


Step 7 :

Use AppArmor with Hiawatha.

sudo aa-genprof hiawatha


sudo nano /etc/apparmor.d/usr.sbin.hiawatha


Add the following lines.

#include <tunables/global>
/usr/sbin/hiawatha {
   #include <abstractions/base>
   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,
   network inet tcp,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /usr/bin/php5-cgi rix,
   /usr/sbin/cgi-wrapper mr,
   /usr/sbin/hiawatha mr,
   /usr/share/dbconfig-common/** r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /var/lib/** r,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/ r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid w,
   /var/www/ r,
   /var/www/** rw,
   /home/*/public_html/** r,
}


Put the profile into enforce mode.

sudo aa-enforce hiawatha


That's all. See you!

Tuesday, August 18, 2009

HOWTO : Quota with ext4 on Ubuntu 9.04 Server

There is a bug in the quota package when the filesystem is ext4 on Ubuntu 9.04 Server: you cannot activate the quota function under ext4 on Ubuntu 9.04. However, we can use Ubuntu 9.10's package instead. It is in alpha stage at the moment.

Step 1 :

Download the quota package from Ubuntu 9.10; the current version is 3.17-3 at the time of writing.

Install the package and configure the package as usual.

sudo dpkg -i <package_name>


Step 2 :

Edit /etc/fstab and add "usrquota,grpquota" to the mount options of the partition with the mount point /.

sudo touch /quota.user /quota.group
sudo chmod 600 /quota.*
sudo mount -o remount /


Step 3 :

sudo quotacheck -avugm
sudo quotaon -avug


That's all. See you!

Saturday, August 15, 2009

HOWTO : Torrentflux-b4rt with Cherokee on Ubuntu 9.04 Server

I am going to build a BitTorrent server with the Cherokee web server instead of Apache. I call it LCMP - Linux, Cherokee, MySQL and PHP. It may be the fastest web server in the world so far. You are not required to edit the config files; all settings are completed from your browser.

The BitTorrent server front-end is Torrentflux-b4rt. It runs on PHP and MySQL with BitTornado.

Step 0 :

Install Ubuntu 9.04 Server edition as usual. Select OpenSSH only during the install.

After the installation, perform the system update.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


Assume your server's IP is 192.168.0.200.

Step 1 :

sudo nano /etc/apt/sources.list.d/cherokee.list


Add the following lines.

deb http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main


Add the key.

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EBA7BD49


sudo apt-get update
sudo apt-get install cherokee




Step 2 :

sudo apt-get install mysql-server mysql-client


Enter the MySQL root password when asked. Make sure you write it down.

Step 3 :

sudo apt-get install php5-cgi


sudo nano /etc/php5/cgi/php.ini


Append the following line at the end of the file.

cgi.fix_pathinfo = 1


sudo /etc/init.d/cherokee restart


sudo apt-get install php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl


sudo /etc/init.d/cherokee restart


Step 4 :

sudo cherokee-admin -b


The following will be displayed.

Login:
User: admin
One-time Password: W0K2jR961aYaeiwu


Web Interface:
URL: http://localhost:9090/


Cherokee Web Server 0.99.22 (Aug 5 2009): Listening on port ALL:9090, TLS disabled, IPv6 disabled, using epoll, 4096 fds system limit, max. 2041 connections, caching I/O, single thread


Open browser and point to http://192.168.0.200:9090 or http://localhost:9090

Enter the user name "admin" and the password "W0K2jR961aYaeiwu" (the one-time password changes each time).

Step 5 :

Clone a virtual host from the default. Add the domain name, document root, etc.

The document root should be "/var/www/torrentflux".

Go back to the terminal and press Ctrl + C to quit cherokee-admin.

sudo /etc/init.d/cherokee restart


Step 6 :

sudo apt-get install unrar unzip vlc uudeview build-essential bittornado


Download and compile cksfv that is required by torrentflux-b4rt.

wget http://zakalwe.fi/~shd/foss/cksfv/files/cksfv-1.3.14.tar.bz2
tar -xjvf cksfv-1.3.14.tar.bz2


cd cksfv-1.3.14
./configure
make
sudo make install


Get and install torrentflux-b4rt.

wget http://download.berlios.de/tf-b4rt/torrentflux-b4rt_1.0-beta2.tar.bz2
tar -xjvf torrentflux-b4rt_1.0-beta2.tar.bz2


cd torrentflux-b4rt_1.0-beta2
sudo cp -R html /var/www/torrentflux
sudo chmod -R 0777 /var/www/torrentflux/inc/config


sudo mkdir /home/samiux/torrent
sudo chmod -R 0777 /home/samiux/torrent


Step 7 :

Point your browser to http://192.168.0.200/setup.php and configure it.

** The username and password you key in on the torrentflux-b4rt setup page will be recorded as the admin account. Please write them down.

The download directory should be "/home/samiux/torrent".

After the configuration, delete the setup.php.

sudo rm /var/www/torrentflux/setup.php


Step 8 :

Make sure to forward the default ports 49160 to 49300 at your router or firewall.

Step 9 (Optional) :

Install vsftpd when necessary.

** Make sure you change the IP address at "pasv_address".

Step 10 (Optional) :

Make your server rebootless.


That's all. See you!

Friday, July 31, 2009

HOWTO : Godaddy.com's Relay Mail Server with Postfix on Ubuntu 9.04 Server

Your Internet Service Provider (ISP) may block the SMTP port (port 25) if you are not on a business plan (as in Hong Kong). However, you can still send email that passes reverse lookup of your domain name when your domain registrar is Godaddy.com.

Step 1 :

Create and enable your free email account at Godaddy.com when you have a domain name there. Set the password accordingly. The username of the account looks like this : yourname@yourdomain.

Incoming Mail Server Type : POP3
Incoming Mail Server : pop.secureserver.net
Incoming Mail Server Port : 110

Outgoing Mail Server : smtpout.secureserver.net
Outgoing Mail Server Port : 25, 80, 587 or 3535

Step 2 :

Create a file named "sasl_passwd".

sudo nano /etc/postfix/sasl/sasl_passwd

Add the following line.

smtpout.secureserver.net username:password


Step 2a :

Save and quit. Issue the following commands.

sudo chown root:root /etc/postfix/sasl/sasl_passwd
sudo chmod 600 /etc/postfix/sasl/sasl_passwd
sudo postmap /etc/postfix/sasl/sasl_passwd

Step 3 :

Edit the configuration of your mail server (Postfix).

sudo nano /etc/postfix/main.cf


Edit and/or add the following lines.

relayhost = [smtpout.secureserver.net]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
mynetworks = 192.168.0.0/24, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

*This assumes your network is 192.168.0.0/24; otherwise, change it accordingly.

Step 4 :

Restart Postfix to apply the changes.

sudo /etc/init.d/postfix restart

Step 5 :

Now, you can send email that passes reverse lookup via Godaddy.com's relay mail server. Your email will not be blocked or redirected to the "Junk Mail" folder by Gmail, Yahoo Mail or others.

Keep in mind that you have a quota of 250 per day; beyond that, you are required to purchase more quota.

Point your other servers that send email at this mail server.

That's all. See you!

Sunday, July 26, 2009

HOWTO : Performance tuning for PostgreSQL on Ubuntu 9.04 Server

Step 1 :

Edit postgresql.conf.

sudo nano /etc/postgresql/8.3/main/postgresql.conf

Step 2 :

The performance tuning settings are as follows :

(1) shared_buffers

Recommended : 0.25 * Available Memory

(2) work_mem

Recommended : Available Memory / max_connections
(If your queries tend to be more complicated, then divide that by 2. If you typically run very close to max_connections connections, then consider dividing by 2 again. If that gives you a number that isn't at least 16MB, buy more memory.)

(3) maintenance_work_mem

Recommended : Available Memory / 8

(4) wal_buffers

Recommended : 8MB

(5) checkpoint_segments

Recommended : 16 to 128

(6) effective_cache_size

Recommended : Available Memory * 0.75

(7) cpu_tuple_cost

Recommended : 0.0030

(8) cpu_index_tuple_cost

Recommended : 0.0010

(9) cpu_operator_cost

Recommended : 0.0005

(10) fsync

Recommended : off

Warning : If “fsync” is set to “off”, you may lose data on a power failure unless you have a battery backup unit on your hardware RAID card.

(11) max_connections

Recommended : 140% of the average number of clients (100 clients on average means 140 max connections)

(12) checkpoint_timeout

Recommended : 1h
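
The formulas above carried through as a small POSIX shell calculator (an added example, not from the original post): give it the available memory in MB and the average number of clients and it prints a postgresql.conf fragment in the style of Reference #1, applying the two work_mem halvings from item (2) and the 16MB floor.

```shell
#!/bin/sh
# Added example (not from the original post): turns the Step 2 recommendations
# into concrete values. Memory is given in MB; the 16MB floor for work_mem and
# the 140% rule for max_connections are the post's own.

pg_shared_buffers() { echo $(( $1 / 4 )); }            # 0.25 * available memory
pg_maintenance_work_mem() { echo $(( $1 / 8 )); }      # available memory / 8
pg_effective_cache_size() { echo $(( $1 * 3 / 4 )); }  # available memory * 0.75
pg_max_connections() { echo $(( $1 * 140 / 100 )); }   # 140% of average clients

# pg_work_mem MEM_MB MAX_CONN [complex yes|no] [near_max yes|no]
# available memory / max_connections, halved once if queries tend to be
# complicated and halved again if you typically run close to max_connections.
pg_work_mem() {
    wm=$(( $1 / $2 ))
    [ "${3:-no}" = yes ] && wm=$(( wm / 2 ))
    [ "${4:-no}" = yes ] && wm=$(( wm / 2 ))
    echo "$wm"
}

# pg_tune MEM_MB AVG_CLIENTS [complex yes|no] [near_max yes|no]
# Prints a postgresql.conf fragment in the style of Reference #1.
# Returns 1 (and warns on stderr) when work_mem lands below the 16MB floor.
pg_tune() {
    mem=$1; conns=$(pg_max_connections "$2")
    wm=$(pg_work_mem "$mem" "$conns" "${3:-no}" "${4:-no}")
    cat <<EOF
max_connections = $conns
shared_buffers = $(pg_shared_buffers "$mem")MB
work_mem = ${wm}MB
maintenance_work_mem = $(pg_maintenance_work_mem "$mem")MB
wal_buffers = 8MB
checkpoint_segments = 128
effective_cache_size = $(pg_effective_cache_size "$mem")MB
cpu_tuple_cost = 0.0030
cpu_index_tuple_cost = 0.0010
cpu_operator_cost = 0.0005
checkpoint_timeout = 1h
EOF
    if [ "$wm" -lt 16 ]; then
        echo "work_mem = ${wm}MB is below 16MB: buy more memory" >&2
        return 1
    fi
}

# Example: an 8GB server with 100 clients on average, as in Reference #1.
pg_tune 8192 100
```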

Step 3 :

Restart PostgreSQL server.

sudo /etc/init.d/postgresql-8.3 restart


Step 4 :

If it produces an error message and cannot restart, change the "kernel.shmmax" setting in sysctl.conf to the value suggested by the error message.

Edit sysctl.conf accordingly.

sudo nano /etc/sysctl.conf




Reference #1 :

The following is my setting for an 8GB RAM server which is running PostgreSQL.

/etc/postgresql/8.3/main/postgresql.conf

max_connections = 140
shared_buffers = 2GB
temp_buffers = 8MB
work_mem = 16MB
maintenance_work_mem = 1GB
wal_buffers = 8MB
checkpoint_segments = 128
effective_cache_size = 6GB
cpu_tuple_cost = 0.0030
cpu_index_tuple_cost = 0.0010
cpu_operator_cost = 0.0005
fsync = off
checkpoint_timeout = 1h


Reference #2 :

The following is my setting of sysctl.conf on the same server.

/etc/sysctl.conf

kernel.sem = 250 32000 100 128
kernel.shmall = 2097152
kernel.shmmax = 2209914880
kernel.shmmni = 4096
fs.file-max = 262140
vm.vfs_cache_pressure = 50
vm.min_free_kbytes = 65536

net.core.rmem_default = 33554432
net.core.rmem_max = 33554432
net.core.wmem_default = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 10240 87380 33554432
net.ipv4.tcp_wmem = 10240 87380 33554432
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_mem = 786432 1048576 26777216
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_tw_buckets = 360000



Step 5 :

Add the following parameters to the kernel tag of Grub.

reservation,nodiratime,noatime


Step 6 :

sudo mount -a


If no error message is produced, issue the following command to make it work.

sudo mount -o remount /


That's all. See you!

Friday, July 17, 2009

HOWTO : Sockso 1.1.8 (Music Server) on Ubuntu 9.04 Server

Sockso is a cross-platform music server and requires no installation. She runs on a standalone personal computer or on a server. For running on a personal computer with a GUI, please refer to her official site.

The client computer requires no mp3 player to play the music but needs a Flash player.

The advantage of Sockso is that you can listen to your mp3 files at any time and anywhere, provided a fast internet connection is available. The disadvantage is that you need at least an IEEE 802.11g (54M) Wi-Fi connection for smooth operation.

Sockso requires only Sun Java; it needs no Apache or other web server to run.

Step 1 :

Sockso requires Sun Java to work. You should install the following packages.
sudo apt-get install sun-java6-bin sun-java6-fonts sun-java6-jre unzip


Step 2 :

Download the latest version of Sockso. The current version is 1.1.8 at the time of this writing.
wget http://sockso.googlecode.com/files/sockso-1.1.8.zip

unzip sockso-1.1.8.zip

sudo mkdir /usr/share/sockso

sudo cp -R /home/samiux/sockso-1.1.8/* /usr/share/sockso/

sudo mkdir /var/sockso
sudo chmod -R 0755 /var/sockso

Step 3 :

Run Sockso from the command prompt.
sudo sh /usr/share/sockso/linux.sh --nogui --datadir /var/sockso

If you have some mp3 files at /home/samiux/music and /home/mary/mp3, run the following commands to build the music collection.
#SockSo#>coladd /home/samiux/music
#SockSo#>coladd /home/mary/mp3

If you want to list all collections, use the following command.
collist
If you want to delete one of the collections, use the following command.
coldel
Add a user to the Sockso.
#SockSo#>useradd samiux <your_password_here> samiux@gmail.com

To exit the #SockSo#> command prompt.
exit


Step 4 :

Copy the init.d script to /etc/init.d/
sudo cp /usr/share/sockso/scripts/init.d/sockso /etc/init.d/sockso.pl


Create a sockso script file.
sudo nano /etc/init.d/sockso


-------- CUT HERE ---------
#!/bin/bash

perl /etc/init.d/sockso.pl $1

exit 0
-------- CUT HERE ---------


Edit the sockso.pl as the following.
sudo nano /etc/init.d/sockso.pl

use constant SOCKSO_DIR => "/usr/share/sockso/";

system( 'sh linux.sh --nogui --datadir /var/sockso > /dev/null 2>&1 &' );

Step 5 :

Now, you can start Sockso with the following commands.

sudo chmod +x /etc/init.d/sockso
sudo chmod +x /etc/init.d/sockso.pl

sudo /etc/init.d/sockso start


You can also stop the sockso with the following command.
sudo /etc/init.d/sockso stop


Listen to the music with your browser.
http://192.168.0.100:4444

Step 6 :

Make the script run automatically after reboot.

sudo update-rc.d sockso defaults

Remarks : Make sure you have stopped Sockso before a reboot or shutdown; otherwise, the mp3 database may be corrupted. If that happens, delete everything inside /var/sockso and redo Step 3.


Remarks : Don't broadcast copyrighted music or songs, or you may face a lawsuit.

That's all. See you!

Tuesday, July 14, 2009

HOWTO : WebDAV on Ubuntu 9.04 Server

WebDAV is a file manager that runs on a web server. You can access it just like a folder on your desktop. Easy and enjoyable.

Install Ubuntu 9.04 server as usual and select LAMP and OpenSSH when asked for choice. You can also install vsFTPd if you want to but it is optional.

Step 1 :

sudo a2enmod dav_fs
sudo a2enmod dav
sudo a2enmod dav_lock

sudo a2dissite default

sudo /etc/init.d/apache2 restart

Step 2 :

To create a virtual host for the WebDAV.

sudo mkdir -p /var/www/webdav
sudo chown www-data /var/www/webdav

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/webdav

sudo nano /etc/apache2/sites-available/webdav

Make the relevant portion of the file look like the following :


....
DocumentRoot /var/www/webdav
<Directory /var/www/webdav/>
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all
</Directory>
<Location />
   DAV On
   AuthType Basic
   AuthName "webdav"
   AuthUserFile /var/www/.passwd.dav
   Require valid-user
   DavMinTimeout 600
   <LimitExcept GET PUT HEAD OPTIONS POST>
      Require valid-user
   </LimitExcept>

</Location>
....

Step 3 :

sudo htpasswd -c /var/www/.passwd.dav samiux

sudo chown root:www-data /var/www/.passwd.dav
sudo chmod 640 /var/www/.passwd.dav

sudo chmod -R 0777 /var/www/webdav
sudo chown www-data:www-data /var/www/webdav

sudo /etc/init.d/apache2 restart

Step 4 :

To test whether WebDAV works :

sudo apt-get install cadaver

sudo cadaver http://localhost/

If you get the “dav:/” prompt, enter “quit” to quit. Otherwise, fix the problem.

Step 5 (Windows only) :

Download NetDrive at http://www.netdrive.net/ and set it accordingly. The port should be 80.

Now you can access your WebDAV server from Windows.

Step 6 (Ubuntu only) :

Go to “Place” > “Connect to Server“. Select “WebDAV (HTTP)“. Enter the IP of your WebDAV server and then press “Connect“. Submit the username and password. An icon will be displayed on your desktop. Double click it and go.

Now you can access your WebDAV server from Ubuntu.


OpenOffice

If you open OpenOffice files on the WebDAV share by clicking them, they open in read-only mode. However, there is a method to overcome this problem. Open OpenOffice Writer (for example), click “Open file” and in the “Name of file” field enter the following :

vnd.sun.star.webdav://192.168.0.100/openoffice_readonly_on_webdav.odt

Now you can edit and save it on WebDAV.


Limitation of WebDAV


You can paste a file onto WebDAV directly, but there is a file size limitation: the file should be less than 1GB. If you want to paste a file larger than 1GB, I suggest using FTP instead.

Make sure to change the ownership of the files that you have uploaded by FTP.

sudo chown -R www-data:www-data /var/www/webdav


That’s all!

Friday, July 10, 2009

HOWTO : Rebootless with Ksplice Uptrack on Ubuntu 9.04 Server

By using Ksplice Uptrack, your Ubuntu Server 9.04 will become rebootless even when the kernel is updated.

Step 1 :

Get the access key of Ksplice Uptrack at the following link.

http://www.ksplice.com/uptrack/key

The access key will be emailed to you.

Step 2 :

sudo nano /etc/apt/sources.list.d/ksplice.list

Append the following lines to the file.

deb http://www.ksplice.com/apt jaunty ksplice
deb-src http://www.ksplice.com/apt jaunty ksplice

Add the key to repository.

sudo wget -N https://www.ksplice.com/apt/ksplice-archive.asc
sudo apt-key add ksplice-archive.asc

Step 3 :

Install Ksplice Uptrack.

sudo apt-get update
sudo apt-get install uptrack

When installing uptrack, you will be asked for the access key. Go to your email and copy the access key you just received into the space provided on the screen.

Step 4 :

sudo nano /etc/uptrack/uptrack.conf

Change the following line so that Ksplice Uptrack installs updates automatically.

autoinstall = yes

Step 5 :

sudo /etc/init.d/uptrack restart


That's all. See you!

HOWTO : SSH to use RSA key for login

Generate RSA key.

ssh-keygen -t rsa -b 2048

or

ssh-keygen -t rsa -b 4096

“Enter file in which to save the key (/home/samiux/.ssh/id_rsa): (Hit Enter)”

Press “Enter”

“Enter passphrase (empty for no passphrase):”

Enter your passphrase twice.

nano /home/samiux/.ssh/id_rsa.pub

Copy the content.

SSH to your server. In the user's home directory :

sudo mkdir .ssh
sudo nano /home/username/.ssh/authorized_keys

Then paste the previously copied key into the authorized_keys file. Save it.

Still at the server.

sudo nano /etc/ssh/sshd_config

Change the following settings as shown.

AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreUserKnownHosts yes
PasswordAuthentication no
#UseLogin no
UsePAM no

sudo /etc/init.d/ssh restart

When you log in to the server again, you will be asked for your RSA key passphrase once. Later, you will not be asked for any passphrase or password in the same session.

For Ubuntu Desktop users, you may consider installing SSHMenu. It will make your work easier.

http://sshmenu.sourceforge.net/

That's all. See you!

HOWTO : Fail2ban on Ubuntu 9.04 Server

Fail2ban cannot work properly on Ubuntu 9.04 Server as Ubuntu 9.04 ships with Python 2.6. It is very easy to overcome this problem.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python2.5

sudo nano /usr/bin/fail2ban-server

Change the first line from

#!/usr/bin/python
to

#!/usr/bin/python2.5

Set the /etc/fail2ban/jail.conf as usual.

sudo /etc/init.d/fail2ban restart

Change the related services to "True" (enabled). By default, the source of any unauthorized access will be blocked after 6 invalid attempts.

sudo nano /etc/fail2ban/jail.conf

After that, restart fail2ban.

sudo /etc/init.d/fail2ban restart

That's all. See you!

HOWTO : Make sure no rootkit on Ubuntu 9.04 Server

To ensure that rootkits, trojans or worms are not installed on your server without your knowledge, you should check it frequently.

ChkRootKit

Get the chkrootkit package :

sudo apt-get install chkrootkit

Make a Cron Job to do the scan daily at 0700 hours :

sudo crontab -e

0 7 * * * /usr/sbin/chkrootkit; /usr/sbin/chkrootkit -q 2>&1 | mail -s "Daily ChkRootKit Scan" samiux@gmail.com

Do a manual scan :

sudo /usr/sbin/chkrootkit


Rootkit Hunter

sudo apt-get install rkhunter


Make a Cron Job to do the scan daily at 0500 hours :

sudo crontab -e

0 5 * * * rkhunter --cronjob --rwo | mail -s "Daily Rootkit Hunter Scan" samiux@gmail.com


Do a manual scan :

sudo rkhunter --check


Forensic tool to find hidden processes and ports – unhide

Get the unhide package :

sudo apt-get install unhide

Make a Cron Job to do the scan daily between 0800 and 0930 hours :

sudo crontab -e

0 8 * * * unhide proc; unhide proc -q 2>&1 | mail -s "Daily unhide proc Scan" samiux@gmail.com

30 8 * * * unhide sys; unhide sys -q 2>&1 | mail -s "Daily unhide sys Scan" samiux@gmail.com

0 9 * * * unhide brute; unhide brute -q 2>&1 | mail -s "Daily unhide brute Scan" samiux@gmail.com

30 9 * * * unhide-tcp; unhide-tcp -q 2>&1 | mail -s "Daily unhide-tcp Scan" samiux@gmail.com

Do a manual scan :

sudo unhide proc
sudo unhide sys
sudo unhide brute
sudo unhide-tcp
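
A small wrapper for the cron jobs above that mails the scan output only when there is something to report (an added example, not from the original post; the mail address and scanner commands are the post's own, the wrapper's file name and path are assumptions):

```shell
#!/bin/sh
# Added example (not from the original post): runs a scanner from cron and
# mails its output only when something was reported or the scanner failed,
# so a clean daily scan sends nothing. Save as /usr/local/sbin/scan-report
# (an assumed path) and use it in place of the "cmd; cmd -q 2>&1 | mail" lines.

# report_if_output ADDRESS SUBJECT COMMAND [ARGS...]
# Returns 0 for a clean, silent run; 2 when a report was mailed.
report_if_output() {
    addr=$1; subject=$2; shift 2
    out=$("$@" 2>&1); rc=$?                 # merge stderr so warnings are kept
    [ -z "$out" ] && [ "$rc" -eq 0 ] && return 0
    printf 'command: %s\nexit status: %s\n\n%s\n' "$*" "$rc" "$out" \
        | mail -s "$subject" "$addr"
    return 2
}

# Crontab lines using this wrapper (same schedule and scanners as the post):
# 0 7 * * * /usr/local/sbin/scan-report samiux@gmail.com "Daily ChkRootKit Scan" /usr/sbin/chkrootkit -q
# 0 5 * * * /usr/local/sbin/scan-report samiux@gmail.com "Daily Rootkit Hunter Scan" rkhunter --cronjob --rwo
# 0 8 * * * /usr/local/sbin/scan-report samiux@gmail.com "Daily unhide proc Scan" unhide proc
if [ "$#" -ge 3 ]; then
    report_if_output "$@"
fi
```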

Beware :
Rootkit Hunter or ChkRootKit may produce some false positives when your packages or files have been updated or behave similarly to a rootkit.

If this happens and everything is in order, you can run the following to reset the file properties database.

sudo rkhunter --propupd

Remarks :
This is not 100% proof that your system is free from rootkits.

That's all. See you!

HOWTO : Logwatch on Ubuntu 9.04 Server

Logwatch reads your log files and can send you email daily about the most interesting parts.

Step 1 :

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install logwatch


Step 2 :

sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Change the following as shown :

Output = mail
Format = html
MailTo = samiux@gmail.com


Step 3 :

sudo nano /etc/cron.daily/00logwatch


/usr/sbin/logwatch --mailto samiux@gmail.com


That's all. See you!

HOWTO : Secure Ubuntu 9.04 Server in a passive way

Part 1

When root or a sudoer accesses the server, you will be informed. This will also alert you when crackers gain root rights on your server.

Add the following to the top of /root/.bashrc (or the .bashrc of a sudoer's account) and you will be informed by email when the root or sudoer account is accessed.

echo -e "Root Shell Access on `tty` \n `w`" | mail -s "Alert: Root Access" samiux@gmail.com

or

echo -e "Sudoer Shell Access on `tty` \n `w`" | mail -s "Alert: Sudoer Access" samiux@gmail.com

Part 2

The official port of SSH is 22. You can change it to any port between 1024 and 65535, either at the router or firewall or in the SSH configuration file at /etc/ssh/sshd_config. You are also recommended to disable root login via SSH even though you are using Ubuntu.

Port 65535
PermitRootLogin no

sudo /etc/init.d/ssh restart

That's all. See you!

HOWTO : vsFTPd on Ubuntu Server 9.04

Your LAMP server needs an FTP server so that files can be uploaded to the relevant directory.

Install the vsFTPd.

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install vsftpd

Edit the vsFTPd configuration file.

sudo nano /etc/vsftpd.conf

Change the setting as the following.

# If you allow anonymous login then
anonymous_enable=YES
# If you do not allow anonymous login then
#anonymous_enable=NO
local_enable=YES
write_enable=YES
# Users are confined to their own home directory
chroot_local_user=YES


If you are behind a firewall or router, the following settings should be appended to the end of the file.

pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=50000
pasv_max_port=50100
# If your server's IP address is 192.168.0.15
pasv_address=192.168.0.15

Make sure ports 20 and 21 are open at your firewall or router. Anonymous users can download the files in the /home/ftp directory.

Restart vsFTPd.

sudo /etc/init.d/vsftpd restart


That's all. See you!

HOWTO : Secure Socket Layer (SSL) for LAMP on Ubuntu 9.04 Server

Enable the mod_ssl module.

sudo a2enmod ssl


Edit the default or copy the default to another file for editing.

sudo nano /etc/apache2/sites-available/default

Add the following inside the <IfModule mod_rewrite.c> block.

RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]

Enable the default-ssl site.

sudo a2ensite default-ssl

Restart Apache to reload the settings and make them active.

sudo /etc/init.d/apache2 restart

That's all. See you!

Wednesday, July 8, 2009

HOWTO : Performance tuning of LAMP and Ubuntu 9.04 Server

Performance tuning of LAMP

Step 1:

To control the bandwidth and allow faster CGI browsing, you should install the following modules.

sudo apt-get install libapache2-mod-bw libapache2-mod-fastcgi



Step 2 :

sudo a2enmod deflate

sudo nano /etc/apache2/conf.d/deflate.conf


Add the following lines to the file.

<IfModule mod_deflate.c>
   DeflateCompressionLevel 6
   AddOutputFilterByType DEFLATE text/plain
   AddOutputFilterByType DEFLATE text/html
   AddOutputFilterByType DEFLATE text/xml
   AddOutputFilterByType DEFLATE text/css
   AddOutputFilterByType DEFLATE application/xhtml+xml
   AddOutputFilterByType DEFLATE application/xml
   AddOutputFilterByType DEFLATE application/rss+xml
   AddOutputFilterByType DEFLATE application/atom+xml
   AddOutputFilterByType DEFLATE application/x-javascript
   AddOutputFilterByType DEFLATE application/x-httpd-php
   AddOutputFilterByType DEFLATE application/x-httpd-fastphp
   AddOutputFilterByType DEFLATE application/x-httpd-eruby
   AddOutputFilterByType DEFLATE image/svg+xml
   AddOutputFilterByType DEFLATE application/postscript
   <IfModule mod_headers.c>
      Header append Vary User-Agent
   </IfModule>
</IfModule>

sudo /etc/init.d/apache2 restart

Step 3 :

wget http://bart.eaccelerator.net/source/0.9.5.3/eaccelerator-0.9.5.3.tar.bz2

tar xvf eaccelerator-0.9.5.3.tar.bz2

sudo apt-get install build-essential php5-dev

cd eaccelerator-0.9.5.3
phpize
./configure
make
sudo make install

sudo mkdir /tmp/eaccelerator
sudo chmod 0777 /tmp/eaccelerator

Step 4 :

sudo nano /etc/php5/apache2/php.ini

Append the following lines at the end of the file.

extension="eaccelerator.so"
; shm_size default is 16, you may change to 64 or 128 depends on your RAM
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"

sudo /etc/init.d/apache2 restart


Performance tuning of Ubuntu 9.04 Server

Step 5 :

sudo nano /etc/sysctl.conf


Append the following lines at the end of the file.

kernel.sem = 250 32000 100 128
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
# If you have more than 512MB RAM, use this setting (uncomment it and comment the setting just below)
#fs.file-max = 262140
# If you have 512MB RAM or less, use this setting
fs.file-max = 65535
vm.swappiness = 1
vm.vfs_cache_pressure = 50
vm.min_free_kbytes = 65536

net.core.rmem_default = 33554432
net.core.rmem_max = 33554432
net.core.wmem_default = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 10240 87380 33554432
net.ipv4.tcp_wmem = 10240 87380 33554432
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_mem = 786432 1048576 26777216
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_tw_buckets = 360000

sudo /sbin/sysctl -p


Step 6 :

sudo nano /etc/rc.local

Add the following lines before "exit 0".

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 256 > /sys/block/sda/queue/nr_requests

*The lines above apply to sda only.

Step 7 :

sudo nano /etc/fstab


Add "noatime" before "relatime". For example :

UUID=0e57987f-...... / ext3 noatime,relatime,errors=remount-ro 0 1

or

UUID=0e57987f-...... / ext4 noatime,relatime,errors=remount-ro 0 1


sudo mount -a


If there is no error message, you can now reboot your system.

That's all. See you!

Tuesday, July 7, 2009

HOWTO : Hardening your Apache and PHP on Ubuntu 9.04 Server

You have installed LAMP and OpenSSH on your Ubuntu 9.04 Server. The first thing to do is to harden it in order to avoid some kinds of attacks.

You can do the following steps in front of your Ubuntu 9.04 Server or access it remotely via OpenSSH.

For OpenSSH, assuming your Ubuntu 9.04 Server is at 192.168.0.10 :

ssh 192.168.0.10 -l samiux


Step 1 :

To prevent someone from listing the files in your Apache directory, do the following.

sudo nano /etc/apache2/sites-available/default


Add a minus "-" in front of "Indexes" so that it looks like this :

<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>


Step 2 :

To enable the rewrite module of Apache.

sudo a2enmod rewrite


To prevent Cross-Site Tracing attacks, add the following lines within "<VirtualHost *:80>" :

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>


Step 3 :

To mitigate HTTP DoS, DDoS or brute force attacks, you should install this module.

sudo apt-get install libapache2-mod-evasive


Step 4 :

To screen out bad URL requests, such as those for /etc/shadow or MySQL injection attempts, you should install the mod_security module. If you installed the amd64 (64-bit) version of Ubuntu Server, please replace i386 with amd64 in the following commands.

wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/libapache-mod-security_2.5.9-1_i386.deb

wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/mod-security-common_2.5.9-1_all.deb

sudo dpkg -i libapache-mod-security_2.5.9-1_i386.deb mod-security-common_2.5.9-1_all.deb

Step 5 :

Do not allow any Apache or Ubuntu Server information to be printed on the error pages.

sudo nano /etc/apache2/conf.d/security


Change the following lines as shown :

ServerTokens Prod
ServerSignature Off

Step 6 :

Now, it is time to harden the PHP.

sudo nano /etc/php5/apache2/php.ini


Change the following lines as shown :

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
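
A POSIX shell audit of the values above, covering both this php.ini step and the sshd_config changes from the "SSH to use RSA key for login" and "Secure Ubuntu 9.04 Server in a passive way" posts (an added example, not from the original post; the sample files inside it are constructed):

```shell
#!/bin/sh
# Added example, not part of the original post: audits the php.ini values from
# Step 6 and the sshd_config values from the SSH posts above. It uses the LAST
# uncommented occurrence of a key, since a later duplicate overrides an earlier
# one in both files. The sample files below are constructed for demonstration.

# cfg_value FILE KEY -> prints the effective value of KEY, or "" if unset.
# Handles "Key value" (sshd_config) and "key = value" (php.ini), skips lines
# commented with # or ;, and matches the key case-insensitively.
cfg_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); n = length(key) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^[#;]/) next
            sub(/[ \t]+[#;].*$/, "", line)                  # trailing comment
            if (index(tolower(line), key) != 1) next
            c = substr(line, n + 1, 1)                       # key must end here
            if (c != "" && c != " " && c != "\t" && c != "=") next
            rest = substr(line, n + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)
            sub(/[ \t]+$/, "", rest)
            val = rest
        }
        END { print val }' "$1"
}

# cfg_expect FILE KEY VALUE -> 0 if the effective value equals VALUE (case-insensitive)
cfg_expect() {
    got=$(cfg_value "$1" "$2" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ "$got" = "$want" ]
}

# php_disabled FILE FUNC -> 0 if FUNC is listed in disable_functions
php_disabled() {
    list=$(cfg_value "$1" disable_functions | tr -d ' \t')
    case ",$list," in *",$2,"*) return 0 ;; esac
    return 1
}
# audit_phpini FILE -> return code = number of Step 6 settings not in effect
audit_phpini() {
    bad=0
    for pair in display_errors=Off log_errors=On allow_url_fopen=Off expose_php=Off enable_dl=Off; do
        k=${pair%%=*}; v=${pair#*=}
        cfg_expect "$1" "$k" "$v" || { echo "php.ini: $k should be $v"; bad=$((bad + 1)); }
    done
    for fn in system exec shell_exec passthru phpinfo; do
        php_disabled "$1" "$fn" || { echo "php.ini: $fn missing from disable_functions"; bad=$((bad + 1)); }
    done
    return $bad
}

# audit_sshd FILE -> return code = number of SSH hardening settings not in effect
audit_sshd() {
    bad=0
    for pair in PasswordAuthentication=no PermitRootLogin=no UsePAM=no; do
        k=${pair%%=*}; v=${pair#*=}
        cfg_expect "$1" "$k" "$v" || { echo "sshd_config: $k should be $v"; bad=$((bad + 1)); }
    done
    port=$(cfg_value "$1" Port)
    case "$port" in ''|*[!0-9]*) port=0 ;; esac          # unset or not a number
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "sshd_config: Port should be between 1024 and 65535"; bad=$((bad + 1))
    fi
    return $bad
}

# Constructed samples: a hardened and a stock-like file of each kind.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/php.ini.hardened" <<'EOF'
display_errors = Off
log_errors = On
allow_url_fopen = Off
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
EOF
cat > "$SAMPLE_DIR/php.ini.stock" <<'EOF'
display_errors = On   ; trailing comment
; allow_url_fopen = Off   (commented out, so not in effect)
allow_url_fopen = On
disable_functions =
EOF
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
Port 65535
PermitRootLogin no
PasswordAuthentication no
UsePAM no
EOF
cat > "$SAMPLE_DIR/sshd_config.stock" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF
audit_phpini "$SAMPLE_DIR/php.ini.hardened" && audit_sshd "$SAMPLE_DIR/sshd_config.hardened" && echo "hardened samples: OK"
```

Run it against the real files with `audit_phpini /etc/php5/apache2/php.ini` and `audit_sshd /etc/ssh/sshd_config`; a non-zero return code is the number of settings still to fix.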


Step 7 :

The final step is to restart the Apache server.

sudo /etc/init.d/apache2 restart

Step 8 :

sudo nano /etc/sysctl.conf

Uncomment the following line so that it looks like this.

#Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

Make the change active.

sudo /sbin/sysctl -p


That's all. See you!

Sunday, July 5, 2009

HOWTO : Install Ubuntu 9.04 Server

Introduction

Ubuntu is one of the most user-friendly Linux distributions in the world so far. Not only is her Desktop edition user-friendly, but so is her Server edition. The current version of the Ubuntu Desktop and Server editions is 9.04 at the time of this writing.

9.04 means it was released in April 2009. The next version will be 9.10, that is, October 2009. Normally, she releases a new version every April and October. However, there is one exception: 6.06, which was released in June 2006 due to a delay in bug fixes.

Hardware requirements

I suggest you have at least a Pentium 4 CPU with 512MB RAM and 40GB hard drive. For the minimum hardware requirement, please see her official site.

You can also install it on VMWare, Linux KVM (Kernel-based Virtual Machine) or VirtualBox. It runs flawlessly on them.

Installation of Ubuntu 9.04 Server

Now, I am going to talk about how to install Ubuntu Server 9.04. First of all, you should download Ubuntu 9.04 from her official site. Burn the .iso file as disk image with your disc burning software, such as Nero (in Windows) or K3b (in Linux). Please do not extract the files from the .iso or just burn the file directly on a CD-R.

I suggest changing the ext3 filesystem to ext4 as it is much faster and will be the next generation of the Linux default filesystem. Select LVM on the entire disk when asked. You will be asked to enter a user name and password. Please use a more complicated password which includes uppercase and lowercase letters, numbers and symbols. In addition, it should be longer than 8 characters.

At the end of the installation, you will be asked to select some servers to install, such as LAMP, mail server, OpenSSH, virtual machine, etc. If you want to build a web server, I suggest you select LAMP, mail server and OpenSSH. I assume you install LAMP, mail server and OpenSSH as they will be discussed in future tutorials of mine.

Make sure you are connected to the internet while you are installing Ubuntu. The system will reboot after the install.

That's all. See you!