Saturday, August 23, 2014

HOWTO : Highest secured Hiawatha Web Server 9.7 on Ubuntu 14.04 LTS Server


June 28, 2014 : THERE IS A SERIOUS BUG IN APPARMOR ON UBUNTU 14.04 LTS, PLEASE SET THE HIAWATHA TO COMPLAIN MODE AT THE MOMENT.

Hiawatha is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight, easy to configure and setup too. How secure? Please refer to the features of Hiawatha.

There is a testing report on DoS at here which is against the web server itself, namely SlowLoris.

Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with PHPStress (a kind of DoS against PHP) and my Hiawatha is alive. The loading of the server is up to 3.x (using top) and after several seconds, it resumed normal. The attacker's IP address is banned accordingly. However, it is not banned forever.

This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 14.04 LTS.

Update the fresh install system to the latest status.

sudo apt-get update
sudo apt-get dist-upgrade

sudo apt-get autoclean
sudo apt-get --purge autoremove


Select unattendance update to your system. It will push all the updates to your system when there is some. Or, you can create a cron job later to update your system in a certain of time if you prefer.

If the kernel or kernel modules have been updated, you are required to reboot your system before going further.

Step 1 - Installation of PHP5

sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm mysql-server mysql-client

Step 2 - Installation of Hiawatha

Install required dependenices for Hiawatha.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

Download the latest version of CMake at http://www.cmake.org/

wget http://www.cmake.org/files/v3.0/cmake-3.0.1.tar.gz
tar -xvzf cmake-3.0.1.tar.gz
cd cmake-3.0.1
./configure
make
sudo make install


Download the latest version of Hiawatha (the current version at this writing is 9.7).

wget http://www.hiawatha-webserver.org/files/hiawatha-9.7.tar.gz
tar -xzvf hiawatha-9.7.tar.gz

cd hiawatha-9.7/extra


./make_debian_package

cd ..

sudo dpkg -i hiawatha_9.7_amd64.deb

Step 3 - Configure PHP5

The following settings are for making PHP5 more secure.

sudo nano /etc/php5/cgi/php.ini

Make changes as is.

cgi.rfc2616_headers = 1

zlib.output_compression = On
zlib.output_compression_level = 6


Step 3a - Configure PHP5 (Optional for security purpose)

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
session.cookie_httponly = 1
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
cgi.fix_pathinfo = 0

*** According to the author of Hiawatha, the cgi.fix_pathinfo should be set to 0 at this moment.

*** There will be something at the end of "disable_functions" at Ubuntu 12.04 LTS, you just append the captioned list to the end of the previous list.

*** some PHP applications may require safe_mode = off

Step 4 - Configure php-fpm

Append the following to the php-fpm.conf.

sudo nano /etc/php5/fpm/php-fpm.conf

[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
pm = static
pm.max_children = 100
chroot = /var/www/
chdir = /

Step 5 - Configure Hiawatha (Part 1)

sudo nano /etc/hiawatha/hiawatha.conf

The following is not talking about https configuration. If you want to configure https, you should refer to the Hiawatha official manual.



*** If you encounter Chrome browser being banned, you may consider to change the setting of "BanOnFlooding" to "90/1:300".

Step 5a :

Add the following line at VIRTUAL HOSTS.

Include /etc/hiawatha/enable-sites/

*Make sure the make a directory enable-sites and disable-sites under /etc/hiawatha.

sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites

Step 6 - Configure Hiawatha (Part 2)

If your domain is mysite.com, you are required to create a file namely mysite.com and place it under /etc/hiawatha/enable-sites/mysite.com.



*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".

Furthermore, if you want to disable this virtual site, you can move the "mysite.com" to /etc/hiawatha/disable-sites/ and then restart hiawatha server.

sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/
sudo /etc/init.d/hiawatha restart


Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi


Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data

Step 8 - Configure Apparmor (Optional for security purpose)

Install the following packages :

sudo apt-get install apparmor-profiles apparmor-utils

Execute the following command and then let the web site running for a while, maybe a week or so.

sudo aa-genprof hiawatha

About one week later or the web page/site is misbehaving, issue the following command to update the profile. Remember to reload the profile after the command has been issued.

sudo aa-logprof

Or, if you are impatient, you can edit the following file instead.

sudo nano /etc/apparmor.d/usr.sbin.hiawatha

The content of usr.sbin.hiawatha should look like this or make it look like this.



Make the profile in enforce mode (activate the above settings).

sudo aa-enforce hiawatha

If you have change some settings, you should reload the profile.

sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)

Now, your hiawatha is very secure but I would like to make it more secure.

sudo apt-get install libcap2-bin

Apply Capabilities on cgi-wrapper.

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper


The result of getcap :

sudo getcap /usr/sbin/cgi-wrapper

It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep

Step 10 - Configure logwatch (Optional)

Please refer to this link to make the LogWatch to know your Hiawatha webserver's log files.

Please make sure to re-do this step when the logwatch is updated or upgraded as it will overwrite the configure file.

Step 11 - Change the ownership of the log files

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.log


* "php-fcgi.log" and "system.log" leave them untouched (root:root).

Step 11a - Change ownership of all directories and files at the /var/www/mysite

Put the web application files to /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.

cd /var/www/mysite
sudo chown -R root:root *


Step 12 - Start, Stop and Restart Hiawatha

sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
suod /etc/init.d/hiawatha restart


Step 13 - Performance tuning for MySQL or Percona Server (Optional)

You can fine tune the MySQL as per this link.

Step 14 - Secure your Ubuntu Server in a passive way (Optional)

Please refer to this link to secure your server in a passive way.

Step 15 - Setup a FTP server on Ubuntu Server (Optional)

This link shows you how to setup a vsFTPd server.

Step 16 - URL Rewrite rules (Optional)

For the url rewrite rules for your PHP applications, please refer to this link

Make sure you add "UseToolkit" at the VirtualHost section.

Step 17 - Send email to GMail via Postfix (Optional)

Please refer to this link

Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)

Please refer to this link

Step 19 - Linux Malware Detect (Optional)

Please refer to this link

Remarks :

If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".

sudo aa-complain hiawatha

After several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha

It is because the captioned usr.sbin.hiawatha may not 100% work for you.

In order to further hardened your Hiawatha web server, please consider the following options :

Optional #1 :

For SSH connection security, you also may consider to implement the Port Knocking feature.

sudo apt-get install knockd

Optional #2 :

You may also consider to enable your firewall at your router or on the Hiawatha Web Server with UFW.

If ufw does not exist in your server, you can install it :

sudo apt-get install ufw

Optional #3 :

Consider to use Cloudflare (free or pay version) or similar. However, make sure do not disclose your server IP address to the public.

Optional #4 :

If budget is allowed, you can consider to implement Untangle and Croissants.

That's all! See you.