Sunday, August 30, 2009

HOWTO : Hiawatha 6.16 web server on Ubuntu 9.04 Server

Hiawatha is a web server which is developed by Hugo Leisink who is in a great interest in IT security. It is designed with security in mind. It comes with Cross-site Scripting (XSS) prevention, Cross-site Request Forgery (CSRF) prevention, DoS/flooding protection, and SQL injection prevention.

It works with PHP and MySQL. Therefore, the LAMP (Linux, Apache, MySQL and PHP) should be renamed to LHMP (Linux, Hiawatha, MySQL and PHP).

Step 0 :

Install Ubuntu 9.04 Server and OpenSSH as usual. Make sure to perform the following.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

Step 1 :

Download Hiawatha, the current version at this writing is 6.16, at

sudo wget
tar -xzvf hiawatha-6.16.tar.gz
cd hiawatha-6.16

Configure and compile the Hiawatha.

sudo apt-get install build-essentail libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

sudo ./configure
sudo make deb

The deb package will be created at /home/samiux. You can install it by :

sudo dpkg -i hiawatha_6.16_amd64.deb

sudo dpkg -i hiawatha_6.16_i386.deb

Step 2 :

Install mysql and php5.

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Enter the password for the MySQL and write it down for further usage.

Step 3 :

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line :

Server = /usr/bin/php5-cgi ; ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Kill it with -k, such as :

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf

*Make sure you have been activated php-fcgi; otherwise, php5 cannot be run.

Step 4 :

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.

ServerId = www-data

Uncomment the following entries at BINDING SETTINGS.

Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20

Uncomment all the entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow

Uncomment all the entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS.

CGIhandler = /usr/hin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php,php5
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
GCIextension = cgi

Uncomment all the entries of FastCGIserver and rename ConnectTo to

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo =
   Extension = php, php5
   SessionTimeout = 30

Uncomment all the entries of URL TOOLKIT.

UrlToolkit {
   ToolkitID = banshee
   RequestURI isfile Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php

Uncomment all the entries of VIRTUAL HOSTS and alert it when necessary.

VirtualHost {
   Hostname =
   WebsiteRoot = /var/www/
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForGCI = 5
   UseFastCGI = PHP5
   UseToolkit = banshee
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes

Assumed that your domain name is and the site is at /var/www/

Step 5 :

sudo nano /etc/php5/cgi/php.ini

Change the following line to Off.

allow_url_fopen = Off

Step 6 :

Restart the Hiawatha.

sudo /etc/init.d/hiawatha restart

Step 7 :

Use AppArmor with Hiawatha.

sudo aa-genprof hiawatha

sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Add the following lines.

#include <tunables/global>
/usr/sbin/hiawatha {
   #include <abstractions/base>
   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,
   network inet tcp,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /usr/bin/php5-cgi rix,
   /usr/sbin/cgi-wrapper mr,
   /usr/sbin/hiawatha mr,
   /usr/share/dbconfig-common/** r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /var/lib/** r,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/ r,
   /var/log/hiawatha/** rw,
   /var/run/ w,
   /var/www/ r,
   /var/www/** rw,
   /home/*/public_html/** r,

Make it enforce.

sudo aa-enforce hiawatha

That's all. See you!