Almost Secure and Perfect Ubuntu Server

HOWTO : Highest secured Hiawatha Web Server 8.0 on Ubuntu 12.04 LTS Server

2012-02-01T13:49:00.021+08:00

Hiawatha is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight, easy to configure and setup too. How secure? Please refer to the features of Hiawatha.

For the performance, please refer to the study of SaltwaterC at here.

This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 12.04 LTS.

Update the fresh install system to the latest status.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

Select unattendance update to your system. It will push all the updates to your system when there is some. Or, you can create a cron job later to update your system in a certain of time if you prefer.

If the kernel or kernel modules have been updated, you are required to reboot your system before going further.

Step 1 - Installation of PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd ksplice

Step 2 - Installation of Hiawatha

Install required dependenices for Hiawatha.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

Download the latest version of CMake at http://www.cmake.org/

wget http://www.cmake.org/files/v2.8/cmake-2.8.7.tar.gz
tar -xvzf cmake-2.8.7.tar.gz
cd cmake-2.8.7
./configure
sudo make install

Download the latest version of Hiawatha (the current version at this writing is 8.0).

wget http://www.hiawatha-webserver.org/files/hiawatha-8.0.tar.gz
tar -xzvf hiawatha-8.0.tar.gz
cd hiawatha-8.0/extra

./make_debian_package

cd ..

sudo dpkg -i hiawatha_8.0_amd64.deb

or

sudo dpkg -i hiawatha_8.0_i386.deb

Step 3 - Configure PHP5

The following settings are for making PHP5 more secure.

sudo nano /etc/php5/cgi/php.ini

Make changes as is.

cgi.rfc2616_headers = 1

zlib.output_compression = On
zlib.output_compression_level = 6

Step 3a - Configure PHP5 (Optional for security only)

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
cgi.fix_pathinfo = 0

*** According to the author of Hiawatha, the cgi.fix_pathinfo should be set to 0 at this moment.

*** There will be something at the end of "disable_functions" at Ubuntu 12.04 LTS, you just append the captioned list to the end of the previous list.

*** some PHP applications may require safe_mode = off

Step 4 - Configure php-fcgi (PHP's FastCGI)

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line and change it as is.

Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data ; /etc/php5/cgi/php.ini

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you make any change on php-fcgi.conf, make sure to restart it by the following commands.

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Step 5 - Configure Hiawatha (Part 1)

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.

ServerId = www-data

Uncomment the following entries at BINDING SETTINGS.

Binding {
   Port = 80
#   Interface = 127.0.0.1
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Step 5a (Optional for security purpose) :

Add the following line at the GENERAL SETTINGS.

ConnectionsTotal = 1000
ConnectionsPerIP = 30
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log

LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper

Make changes for the following entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yes

BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 30/1:300
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1

ReconnectDelay = 3

Step 5b :

The entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS should be looking like this.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

Step 5c :

Add the following line at VIRTUAL HOSTS.

Include /etc/hiawatha/enable-sites/

*Make sure the make a directory enable-sites and disable-sites under /etc/hiawatha.

sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites

Step 6 - Configure Hiawatha (Part 2)

If your domain is mysite.com, you are required to create a file namely mysite.com and place it under /etc/hiawatha/enable-sites/mysite.com.

VirtualHost {
   Hostname = www.mysite.com, mysite.com
   WebsiteRoot = /var/www/mysite
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 15
#   UseFastCGI = PHP5
#   UseToolkit = banshee
   # <script .. </script>
   # e.g. <script>alert("xss");</script>
   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$
   DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$
   DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$
   DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$
   DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$
   # <meta .. />
   # e.g. <meta http-equiv="refresh" content='0; URL=http://some.domain"/>
   DenyBody = ^.*%3Cmeta.*%2F%3E.*$
   DenyBody = ^.*%3CMETA.*%2F%3E.*$
   DenyBody = ^.*%3CMeTa.*%2F%3E.*$
   DenyBody = ^.*%3CmEtA.*%2F%3E.*$
   # <iframe .. />
   DenyBody = ^.*%3Ciframe.*%2F%3E.*$
   DenyBody = ^.*%3CIFRAME.*%2F%3E.*$
   ExecuteCGI = yes
   PreventCSRF = yes
#   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   DenyBot = taptubot:/
   WrapCGI = jail_mysite
}

*** You can ignore the "DenyBot" entries when you want the search engines to find your site easily.

*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".

*** "PreventSQLi" is set to "yes" when your web application is vulnerable to SQL Injection and you cannot fix it at the moment.

Furthermore, if you want to disable this virtual site, you can move the "mysite.com" to /etc/hiawatha/disable-sites/ and then restart hiawatha server.

sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/
sudo /etc/init.d/hiawatha restart

Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data

Step 8 - Configure Apparmor (Optional for security purpose)

Install the following packages :

sudo apt-get install apparmor-profiles apparmor-utils

Execute the following command and then let the web site running for a while, maybe a week or so.

sudo aa-genprof hiawatha

About one week later or the web page/site is misbehaving, issue the following command to update the profile. Remember to reload the profile after the command has been issued.

sudo aa-logprof

Or, if you are impatient, you can edit the following file instead.

sudo nano /etc/apparmor.d/usr.sbin.hiawatha

The content of usr.sbin.hiawatha should look like this or make it look like this.

# Last Modified: Thu Jun  3 01:52:13 2010
#include <tunables/global>

/usr/sbin/hiawatha {
   #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/php5>

   capability chown,
   capability dac_override,
   capability fowner,
   capability fsetid,
   capability setgid,
   capability setuid,

   /bin/dash rix,
   owner /etc/hiawatha/ r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   owner /etc/passwd r,
   /etc/php5/ r,
   /etc/php5/** r,
   /etc/postfix/** r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /etc/snmp/snmp.conf r,
   /sys/devices/system/cpu/ r,
   /tmp/** rwk,
   /usr/bin/php5-cgi rix,
   /usr/lib/postfix/cleanup rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/ r,
   /usr/share/** r,
   /var/www/ r,
   /var/www/** rwk,
   /var/lib/ r,
   /var/lib/** rw,
   /var/lib/hiawatha/** rw,
   owner /var/log/hiawatha/** w,
   /var/log/hiawatha/** r,
   owner /var/run/ r,
   owner /var/run/** w,
   /var/run/** r,
   owner /run/ r,
   owner /run/** w,
   /run/** r,
   /var/spool/postfix/** rw,
   /var/spool/postfix/pid/** wk,
}

Make the profile in enforce mode (activate the above settings).

sudo aa-enforce hiawatha

If you have change some settings, you should reload the profile.

sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)

Now, your hiawatha is very secure but I would like to make it more secure.

sudo apt-get install libcap2-bin

Apply Capabilities on cgi-wrapper.

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper

The result of getcap :

sudo getcap /usr/sbin/cgi-wrapper

It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep

Step 10 - Configure logwatch (Optional)

Please refer to this link to make the LogWatch to know your Hiawatha webserver's log files.

Please make sure to re-do this step when the logwatch is updated or upgraded as it will overwrite the configure file.

Step 11 - Change the ownership of the log files

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.log

* "php-fcgi.log" and "system.log" leave them untouched (root:root).

Step 11a - Change ownership of all directories and files at the /var/www/mysite

Put the web application files to /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.

cd /var/www/mysite
sudo chown -R root:root *

Step 12 - Start, Stop and Restart Hiawatha

sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
suod /etc/init.d/hiawatha restart

Step 13 - Performance tuning for MySQL (Optional)

You can fine tune the MySQL as per this link.

Step 14 - Secure your Ubuntu Server in a passive way (Optional)

Please refer to this link to secure your server in a passive way.

Step 15 - Setup a FTP server on Ubuntu Server (Optional)

This link shows you how to setup a vsFTPd server.

Step 16 - URL Rewrite rules (Optional)

For the url rewrite rules for your PHP applications, please refer to this link

Make sure you add "UseToolkit" at the VirtualHost section.

Step 17 - Send email to GMail via Postfix (Optional)

Please refer to this link

Remarks :

If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".

sudo aa-complain hiawatha

After several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha

It is because the captioned usr.sbin.hiawatha may not 100% work for you.

In order to further hardened your Hiawatha web server, please consider the following options :

Optional #1 :

For SSH connection security, you also may consider to implement the Port Knocking feature.

sudo apt-get install knockd

Optional #2 :

You may also consider to enable your firewall at your router or on the Hiawatha Web Server with UFW.

If ufw does not exist in your server, you can install it :

sudo apt-get install ufw

Optional #3 :

Consider to place your web server behind this free service at Cloudflare. The main point is you can manage the DNS yourself and have a fixed IP address.

That's all! See you.

HOWTO : Bootless with Ksplice Uptrack on Ubuntu Server 11.10

2012-01-02T07:06:00.001+08:00

With Ksplice Uptrack, your Ubuntu Server is not required to reboot when the kernel is updated or upgraded. It makes your servers up to almost 99,99% uptime.

Step 1 :

Go to the following link and get your access key.
Get Ksplice Uptrack Access Key

Step 2 :

nano /etc/apt/sources.list.d/ksplice.list

Add the following lines to the file ksplice.list.

deb http://www.ksplice.com/apt oneiric ksplice
deb-src http://www.ksplice.com/apt oneiric ksplice

Step 3 :
Replace INSERT_ACCESS_KEY with your access key. Please use the same
access key for all of your systems:

sudo apt-get install ca-certificates
wget -N https://www.ksplice.com/apt/ksplice-archive.asc
sudo apt-key add ksplice-archive.asc
echo 'uptrack uptrack/accesskey string INSERT_ACCESS_KEY' | sudo debconf-set-selections
sudo apt-get update
sudo apt-get install uptrack

Step 4 :

nano /etc/uptrack/uptrack.conf

Change the following as is :
autoinstall = yes

Step 5 :

uptrack-upgrade -y

Remarks :

Ksplice Uptrack updates your running kernel in memory only. Enabling autoinstall does not mean the Uptrack client itself is automatically upgraded. You will be notified via e-mail when a new Uptrack client is available, and it can be upgraded through your package manager.

uptrack-upgrade -y

That's all! See you.

HOWTO : Highest secured Hiawatha Web Server 8.0 beta on Ubuntu 11.10 Server

2012-01-02T06:44:00.003+08:00

Hiawatha is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight, easy to configure and setup too. How secure? Please refer to the features of Hiawatha.

For the performance, please refer to the study of SaltwaterC at here.

This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 11.10.

Update the fresh install system to the latest status.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

If the kernel or kernel modules have been updated, you are required to reboot your system before going further.

Step 1 - Installation of PHP5 and MariaDB

Since MySQL is now owned by Oracle, the developers of previous MySQL reformed and developed MariaDB under GPL v2. It is compatible to MySQL and running much faster than MySQL too. You can use MariaDB as alternative. The commands and API are the same, such as "mysql -u root -p".

Prepare for installation of MariaDB
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1BB943DB

sudo nano /etc/apt/sources.list.d/mariadb.list

Append the following lines.

deb http://ftp.yz.yamagata-u.ac.jp/pub/dbms/mariadb/repo/5.1/ubuntu oneiric main
deb-src http://ftp.yz.yamagata-u.ac.jp/pub/dbms/mariadb/repo/5.1/ubuntu oneiric main

Save the change and install the following.

sudo apt-get update

sudo apt-get install mariadb-server mariadb-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd

Step 1a - Apparmour of MySQL (Essential)

Make change to the usr.sbin.mysqld at /etc/apparmor.d according to this link in order to make MariaDB compatible to MySQL in Ubuntu 11.10.

Step 2 - Installation of Hiawatha

Install required dependenices for Hiawatha.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

Download the latest version of CMake at http://www.cmake.org/

wget http://www.cmake.org/files/v2.8/cmake-2.8.7.tar.gz
tar -xvzf cmake-2.8.7.tar.gz
cd cmake-2.8.7
./configure
sudo make install

Download the latest version of Hiawatha (the current version at this writing is 8.0 beta).

wget http://www.hiawatha-webserver.org/files/hiawatha-8.0-beta.tar.gz
tar -xzvf hiawatha-8.0-beta.tar.gz
cd hiawatha-8.0/extra

./make_debian_package

cd ..

sudo dpkg -i hiawatha_8.0_amd64.deb

or

sudo dpkg -i hiawatha_8.0_i386.deb

Step 3 - Configure PHP5 (Optional for security only)

The following settings are for making PHP5 more secure.

sudo nano /etc/php5/cgi/php.ini

Make changes as is.

cgi.rfc2616_headers = 1

zlib.output_compression = On
zlib.output_compression_level = 6

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
cgi.fix_pathinfo = 0

*** According to the author of Hiawatha, the cgi.fix_pathinfo should be set to 0 at this moment.

*some PHP applications may require safe_mode = off

Step 4 - Configure php-fcgi (PHP's FastCGI)

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line and change it as is.

Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data ; /etc/php5/cgi/php.ini

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you make any change on php-fcgi.conf, make sure to restart it by the following commands.

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Binding {
   Port = 80
#   Interface = 127.0.0.1
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Step 5a (Optional for security purpose) :

Add the following line at the GENERAL SETTINGS.

ConnectionsTotal = 1000
ConnectionsPerIP = 30
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log

LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper

Make changes for the following entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yes

BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 30/1:300
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1

ReconnectDelay = 3

Step 5b :

The entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS should be looking like this.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

VirtualHost {
   Hostname = www.mysite.com, mysite.com
   WebsiteRoot = /var/www/mysite
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 15
#   UseFastCGI = PHP5
#   UseToolkit = banshee
   # <script .. </script>
   # e.g. <script>alert("xss");</script>
   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$
   DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$
   DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$
   DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$
   DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$
   # <meta .. />
   # e.g. <meta http-equiv="refresh" content='0; URL=http://some.domain"/>
   DenyBody = ^.*%3Cmeta.*%2F%3E.*$
   DenyBody = ^.*%3CMETA.*%2F%3E.*$
   DenyBody = ^.*%3CMeTa.*%2F%3E.*$
   DenyBody = ^.*%3CmEtA.*%2F%3E.*$
   # <iframe .. />
   DenyBody = ^.*%3Ciframe.*%2F%3E.*$
   DenyBody = ^.*%3CIFRAME.*%2F%3E.*$
   ExecuteCGI = yes
   PreventCSRF = yes
#   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   DenyBot = taptubot:/
   WrapCGI = jail_mysite
}

You can ignore the "DenyBot" entries when you want the search engines to find your site easily.

"PreventSQLi" is set to "yes" when your web application is vulnerable to SQL Injection.

Furthermore, if you want to disable this virtual site, you can move the "mysite.com" to /etc/hiawatha/disable-sites/ and then restart hiawatha server.

sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/
sudo /etc/init.d/hiawatha restart

Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data

Step 8 - Configure Apparmor (Optional for security purpose)

Execute the following command and then let the web site running for a while, maybe a week or so.

sudo aa-genprof hiawatha

About one week later or the web page/site is misbehaving, issue the following command to update the profile. Remember to reload the profile after the command has been issued.

sudo aa-logprof

Or, if you are impatient, you can edit the following file instead.

sudo nano /etc/apparmor.d/usr.sbin.hiawatha

The content of usr.sbin.hiawatha should look like this or make it look like this.

# Last Modified: Thu Jun  3 01:52:13 2010
#include <tunables/global>

/usr/sbin/hiawatha {
   #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/php5>

   capability chown,
   capability dac_override,
   capability fowner,
   capability fsetid,
   capability setgid,
   capability setuid,

   /bin/dash rix,
   owner /etc/hiawatha/ r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   owner /etc/passwd r,
   /etc/php5/ r,
   /etc/php5/** r,
   /etc/postfix/** r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /etc/snmp/snmp.conf r,
   /sys/devices/system/cpu/ r,
   /tmp/** rwk,
   /usr/bin/php5-cgi rix,
   /usr/lib/postfix/cleanup rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/ r,
   /usr/share/** r,
   /var/www/ r,
   /var/www/** rwk,
   /var/lib/ r,
   /var/lib/** rw,
   /var/lib/hiawatha/** rw,
   owner /var/log/hiawatha/** w,
   /var/log/hiawatha/** r,
   owner /var/run/ r,
   owner /var/run/** w,
   /var/run/** r,
   owner /run/ r,
   owner /run/** w,
   /run/** r,
   /var/spool/postfix/** rw,
   /var/spool/postfix/pid/** wk,
}

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log

cd /var/www/mysite
sudo chown -R root:root *

Step 12 - Start, Stop and Restart Hiawatha

sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
suod /etc/init.d/hiawatha restart

Step 13 - Performance tuning for MariaDB (Optional)

You can fine tune the MariaDB as per this link.

Step 14 - Performance tuning for Ubuntu (Optional)

You can fine tune the Ubuntu Server as per this link.

Step 15 - Secure your Ubuntu Server in a passive way (Optional)

Please refer to this link to secure your server in a passive way.

Step 16 - Setup a FTP server on Ubuntu Server (Optional)

This link shows you how to setup a vsFTPd server.

Step 17 - Bootless with Ksplice Uptrack on Ubuntu Server 11.10 (Optional)

This link shows you how to make your Ubuntu Server box bootless when kernel is updated or upgraded.

Remarks :

If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".

sudo aa-complain hiawatha

After several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha

It is because the captioned usr.sbin.hiawatha may not 100% work for you.

That's all! See you.

HOWTO : Highest secured Hiawatha Web Server 7.8.2 on Ubuntu 11.10 Server

2011-11-23T02:04:00.004+08:00

Hiawatha is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight, easy to configure and setup too. How secure? Please refer to the features of Hiawatha.

For the performance, please refer to the study of SaltwaterC at here.

This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 11.10.

Update the fresh install system to the latest status.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

deb http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main
deb-src http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main

** Yes, it is Natty as the Oneiric is not available at the moment. Natty version is compatible to Ubuntu 11.10.

Save the change and install the following.

sudo apt-get update

sudo apt-get install mariadb-server mariadb-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd

wget http://www.hiawatha-webserver.org/files/hiawatha-7.8.2.tar.gz
tar -xzvf hiawatha-7.8.2.tar.gz
cd hiawatha-7.8.2

./configure
make deb

cd ..

sudo dpkg -i hiawatha_7.8.2_amd64.deb

or

sudo dpkg -i hiawatha_7.8.2_i386.deb

Step 3 - Configure PHP5 (Optional for security only)

The following settings are for making PHP5 more secure.

sudo nano /etc/php5/cgi/php.ini

Make changes as is.

cgi.rfc2616_headers = 1

zlib.output_compression = On
zlib.output_compression_level = 6

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
cgi.fix_pathinfo = 0

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Binding {
   Port = 80
#   Interface = 127.0.0.1
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Step 5a (Optional for security purpose) :

Add the following line at the GENERAL SETTINGS.

ConnectionsTotal = 1000
ConnectionsPerIP = 30
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log

LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper

Make changes for the following entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yes

BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 30/1:300
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1

ReconnectDelay = 3

Step 5b :

The entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS should be looking like this.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

VirtualHost {
   Hostname = www.mysite.com, mysite.com
   WebsiteRoot = /var/www/mysite
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 15
#   UseFastCGI = PHP5
#   UseToolkit = banshee
   # <script .. </script>
   # e.g. <script>alert("xss");</script>
   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$
   DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$
   DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$
   DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$
   DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$
   # <meta .. />
   # e.g. <meta http-equiv="refresh" content='0; URL=http://some.domain"/>
   DenyBody = ^.*%3Cmeta.*%2F%3E.*$
   DenyBody = ^.*%3CMETA.*%2F%3E.*$
   DenyBody = ^.*%3CMeTa.*%2F%3E.*$
   DenyBody = ^.*%3CmEtA.*%2F%3E.*$
   # <iframe .. />
   DenyBody = ^.*%3Ciframe.*%2F%3E.*$
   DenyBody = ^.*%3CIFRAME.*%2F%3E.*$
   ExecuteCGI = yes
   PreventCSRF = yes
#   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   DenyBot = taptubot:/
   WrapCGI = jail_mysite
}

sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/
sudo /etc/init.d/hiawatha restart

Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

# Last Modified: Thu Jun  3 01:52:13 2010
#include <tunables/global>

/usr/sbin/hiawatha {
   #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/php5>

   capability chown,
   capability dac_override,
   capability fowner,
   capability fsetid,
   capability setgid,
   capability setuid,

   /bin/dash rix,
   owner /etc/hiawatha/ r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   owner /etc/passwd r,
   /etc/php5/ r,
   /etc/php5/** r,
   /etc/postfix/** r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /etc/snmp/snmp.conf r,
   /sys/devices/system/cpu/ r,
   /tmp/** rwk,
   /usr/bin/php5-cgi rix,
   /usr/lib/postfix/cleanup rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/ r,
   /usr/share/** r,
   /var/www/ r,
   /var/www/** rwk,
   /var/lib/ r,
   /var/lib/** rw,
   /var/lib/hiawatha/** rw,
   owner /var/log/hiawatha/** w,
   /var/log/hiawatha/** r,
   owner /var/run/ r,
   owner /var/run/** w,
   /var/run/** r,
   owner /run/ r,
   owner /run/** w,
   /run/** r,
   /var/spool/postfix/** rw,
   /var/spool/postfix/pid/** wk,
}

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log

cd /var/www/mysite
sudo chown -R root:root *

Step 12 - Start, Stop and Restart Hiawatha

sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
suod /etc/init.d/hiawatha restart

Step 13 - Performance tuning for MariaDB (Optional)

You can fine tune the MariaDB as per this link.

Step 14 - Performance tuning for Ubuntu (Optional)

You can fine tune the Ubuntu Server as per this link.

Step 15 - Secure your Ubuntu Server in a passive way (Optional)

Please refer to this link to secure your server in a passive way.

Step 16 - Setup a FTP server on Ubuntu Server (Optional)

This link shows you how to setup a vsFTPd server.

Step 17 - Bootless with Ksplice Uptrack on Ubuntu Server 11.04 (Optional)

This link shows you how to make your Ubuntu Server box bootless when kernel is updated or upgraded.

Remarks :

If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".

sudo aa-complain hiawatha

After several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha

It is because the captioned usr.sbin.hiawatha may not 100% work for you.

That's all! See you.

HOWTO : Bootless with Ksplice Uptrack on Ubuntu Server 11.04

2011-08-24T12:29:00.003+08:00

deb http://www.ksplice.com/apt natty ksplice

deb-src http://www.ksplice.com/apt natty ksplice

Step 3 :
Replace INSERT_ACCESS_KEY with your access key. Please use the same
access key for all of your systems:

sudo apt-get install ca-certificates

wget -N https://www.ksplice.com/apt/ksplice-archive.asc

sudo apt-key add ksplice-archive.asc

echo 'uptrack uptrack/accesskey string INSERT_ACCESS_KEY' | sudo debconf-set-selections

sudo apt-get update

sudo apt-get install uptrack

HOWTO : Highest secured Hiawatha Web Server 7.6 on Ubuntu 11.04 Server

2011-08-24T01:24:00.011+08:00

*** Please noted that I added some security settings to this post on September 16, 2011 (GMT +8), such as DenyBody and cgi.fix_pathinfo ***

Hiawatha is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight, easy to configure and setup too. How secure? Please refer to the features of Hiawatha.

For the performance, please refer to the study of SaltwaterC at here.

This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 11.04.

Update the fresh install system to the latest status.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

deb http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main
deb-src http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main

Save the change and install the following.

sudo apt-get update

sudo apt-get install mariadb-server mariadb-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd

wget http://www.hiawatha-webserver.org/files/hiawatha-7.6.tar.gz
tar -xzvf hiawatha-7.6.tar.gz
cd hiawatha-7.6

./configure
make deb

cd ..

sudo dpkg -i hiawatha_7.6_amd64.deb

or

sudo dpkg -i hiawatha_7.6_i386.deb

Step 3 - Configure PHP5 (Optional for security only)

The following settings are for making PHP5 more secure.

sudo nano /etc/php5/cgi/php.ini

Make changes as is.

cgi.rfc2616_headers = 1

zlib.output_compression = On
zlib.output_compression_level = 6

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
cgi.fix_pathinfo = 0

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Binding {
   Port = 80
#   Interface = 127.0.0.1
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Step 5a (Optional for security purpose) :

Add the following line at the GENERAL SETTINGS.

ConnectionsTotal = 1000
ConnectionsPerIP = 30
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log

LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper

Make changes for the following entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yes

BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 30/1:300
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1

ReconnectDelay = 3

Step 5b :

The entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS should be looking like this.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

VirtualHost {
   Hostname = www.mysite.com, mysite.com
   WebsiteRoot = /var/www/mysite
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 15
#   UseFastCGI = PHP5
#   UseToolkit = banshee
   # <script .. </script>
   # e.g. <script>alert("xss");</script>
   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$
   DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$
   DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$
   DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$
   DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$
   # <meta .. />
   # e.g. <meta http-equiv="refresh" content='0; URL=http://some.domain"/>
   DenyBody = ^.*%3Cmeta.*%2F%3E.*$
   DenyBody = ^.*%3CMETA.*%2F%3E.*$
   DenyBody = ^.*%3CMeTa.*%2F%3E.*$
   DenyBody = ^.*%3CmEtA.*%2F%3E.*$
   ExecuteCGI = yes
   PreventCSRF = yes
#   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   DenyBot = taptubot:/
   WrapCGI = jail_mysite
}

sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/
sudo /etc/init.d/hiawatha restart

Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

# Last Modified: Thu Jun  3 01:52:13 2010
#include <tunables/global>

/usr/sbin/hiawatha {
   #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/php5>

   capability chown,
   capability dac_override,
   capability fowner,
   capability fsetid,
   capability setgid,
   capability setuid,

   /bin/dash rix,
   owner /etc/hiawatha/ r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   owner /etc/passwd r,
   /etc/php5/ r,
   /etc/php5/** r,
   /etc/postfix/** r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /etc/snmp/snmp.conf r,
   /sys/devices/system/cpu/ r,
   /tmp/** rwk,
   /usr/bin/php5-cgi rix,
   /usr/lib/postfix/cleanup rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/ r,
   /usr/share/** r,
   /var/www/ r,
   /var/www/** rwk,
   /var/lib/ r,
   /var/lib/** rw,
   /var/lib/hiawatha/** rw,
   owner /var/log/hiawatha/** w,
   /var/log/hiawatha/** r,
   owner /var/run/ r,
   owner /var/run/** w,
   /var/run/** r,
   /var/spool/postfix/** rw,
   /var/spool/postfix/pid/** wk,
}

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log

cd /var/www/mysite
sudo chown -R root:root *

Step 12 - Start, Stop and Restart Hiawatha

sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
suod /etc/init.d/hiawatha restart

Step 13 - Performance tuning for MariaDB (Optional)

You can fine tune the MariaDB as per this link.

Step 14 - Performance tuning for Ubuntu (Optional)

You can fine tune the Ubuntu Server as per this link.

Step 15 - Secure your Ubuntu Server in a passive way (Optional)

Please refer to this link to secure your server in a passive way.

Step 16 - Setup a FTP server on Ubuntu Server (Optional)

This link shows you how to setup a vsFTPd server.

Step 17 - Bootless with Ksplice Uptrack on Ubuntu Server 11.04 (Optional)

This link shows you how to make your Ubuntu Server box bootless when kernel is updated or upgraded.

Remarks :

If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".

sudo aa-complain hiawatha

After several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha

It is because the captioned usr.sbin.hiawatha may not 100% work for you.

That's all! See you.

HOWTO : Highest secured Hiawatha Web Server 7.5 on Ubuntu 11.04 Server

2011-06-01T13:48:00.003+08:00

Hiawatha is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight, easy to configure and setup too. How secure? Please refer to the features of Hiawatha.

For the performance, please refer to the study of SaltwaterC at here.

This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 11.04.

Update the fresh install system to the latest status.

sudo apt-get update

sudo apt-get upgrade

sudo apt-get dist-upgrade

deb http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main

deb-src http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main

Save the change and install the following.

sudo apt-get update

sudo apt-get install mariadb-server mariadb-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd

wget http://www.hiawatha-webserver.org/files/hiawatha-7.5.tar.gz

tar -xzvf hiawatha-7.5.tar.gz

cd hiawatha-7.5

./configure

make deb

cd ..

sudo dpkg -i hiawatha_7.5_amd64.deb

or

sudo dpkg -i hiawatha_7.5_i386.deb

Step 3 - Configure PHP5 (Optional for security only)

The following settings are for making PHP5 more secure.

sudo nano /etc/php5/cgi/php.ini

Make changes as is.

cgi.rfc2616_headers = 1



zlib.output_compression = On

zlib.output_compression_level = 6



display_errors = Off

log_errors = On

allow_url_fopen = Off

safe_mode = On

expose_php = Off

enable_dl = Off

disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

*some PHP applications may require safe_mode = off

Step 4 - Configure php-fcgi (PHP's FastCGI)

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line and change it as is.

Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data ; /etc/php5/cgi/php.ini

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you make any change on php-fcgi.conf, make sure to restart it by the following commands.

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Binding {

   Port = 80

#   Interface = 127.0.0.1

   MaxKeepAlive = 30

   TimeForRequest = 3,20

}

Step 5a (Optional for security purpose) :

Add the following line at the GENERAL SETTINGS.

ConnectionsTotal = 1000

ConnectionsPerIP = 30

SystemLogfile = /var/log/hiawatha/system.log

GarbageLogfile = /var/log/hiawatha/garbage.log

ExploitLogfile = /var/log/hiawatha/exploit.log

LogFormat = extended

ServerString = Apache

CGIwrapper = /usr/sbin/cgi-wrapper

Make changes for the following entries at BANNING SETTINGS.

BanOnGarbage = 300

BanOnMaxPerIP = 300

BanOnMaxReqSize = 300

BanOnTimeout = 300

KickOnBan = yes

RebanDuringBan = yes

BanOnDeniedBody = 300

BanOnSQLi = 300

BanOnFlooding = 30/1:300

BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1

ReconnectDelay = 3

Step 5b :

The entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS should be looking like this.

CGIhandler = /usr/bin/perl:pl

CGIhandler = /usr/bin/php5-cgi:php

CGIhandler = /usr/bin/python:py

CGIhandler = /usr/bin/ruby:rb

CGIhandler = /usr/bin/ssi-cgi:shtml

CGIextension = cgi

FastCGIserver {

   FastCGIid = PHP5

   ConnectTo = 127.0.0.1:2005

   Extension = php, php5

   SessionTimeout = 30

}

VirtualHost {

   Hostname = www.mysite.com, mysite.com

   WebsiteRoot = /var/www/mysite

   StartFile = index.php

   AccessLogfile = /var/log/hiawatha/access.log

   ErrorLogfile = /var/log/hiawatha/error.log

   TimeForCGI = 15

#   UseFastCGI = PHP5

#   UseToolkit = banshee

   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$

   ExecuteCGI = yes

   PreventCSRF = yes

#   PreventSQLi = yes

   PreventXSS = yes

   DenyBot = Googlebot:/

   DenyBot = twiceler:/

   DenyBot = MSNBot:/

   DenyBot = yahoo:/

   DenyBot = BaiDuSpider:/

   DenyBot = Ask:/

   DenyBot = Yahoo! Slurp:/

   DenyBot = Sogou web spider:/

   DenyBot = Sogou-Test-Spider:/

   DenyBot = Baiduspider+:/

   DenyBot = Yandex:/

   DenyBot = UniversalFeedParser:/

   DenyBot = Mediapartners-Google:/

   DenyBot = Sosospider+:/

   DenyBot = YoudaoBot:/

   DenyBot = ParchBot:/

   DenyBot = Curl:/

   DenyBot = msnbot:/

   DenyBot = NaverBot:/

   DenyBot = taptubot:/

   WrapCGI = jail_mysite

}

sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/

sudo /etc/init.d/hiawatha restart

Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl

CGIhandler = /usr/bin/php5-cgi

CGIhandler = /usr/bin/python

CGIhandler = /usr/bin/ruby

CGIhandler = /usr/bin/ssi-cgi

# Last Modified: Thu Jun  3 01:52:13 2010

#include <tunables/global>

/usr/sbin/hiawatha {

   #include <abstractions/apache2-common>

   #include <abstractions/base>

   #include <abstractions/nameservice>

   #include <abstractions/php5>

   capability chown,

   capability dac_override,

   capability fowner,

   capability fsetid,

   capability setgid,

   capability setuid,

   /bin/dash rix,

   owner /etc/hiawatha/ r,

   /etc/hiawatha/** r,

   /etc/host.conf r,

   /etc/hosts r,

   /etc/mailname r,

   /etc/nsswitch.conf r,

   owner /etc/passwd r,

   /etc/php5/ r,

   /etc/php5/** r,

   /etc/postfix/** r,

   /etc/protocols r,

   /etc/resolv.conf r,

   /etc/services r,

   /etc/snmp/snmp.conf r,

   /sys/devices/system/cpu/ r,

   /tmp/** rwk,

   /usr/bin/php5-cgi rix,

   /usr/lib/postfix/cleanup rix,

   /usr/lib{,32,64}/** mr,

   /usr/sbin/cgi-wrapper rix,

   /usr/sbin/postdrop rix,

   /usr/sbin/sendmail rix,

   /usr/share/ r,

   /usr/share/** r,

   /var/www/ r,

   /var/www/** rwk,

   /var/lib/ r,

   /var/lib/** rw,

   /var/lib/hiawatha/** rw,

   owner /var/log/hiawatha/** w,

   /var/log/hiawatha/** r,

   owner /var/run/ r,

   owner /var/run/** w,

   /var/run/** r,

   /var/spool/postfix/** rw,

   /var/spool/postfix/pid/** wk,

}

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/

sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha

sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

sudo chmod u-s /usr/sbin/cgi-wrapper

sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper

cd /var/log/hiawatha

sudo chown www-data:www-data access.log

sudo chown www-data:www-data error.log

sudo chown www-data:www-data exploit.log

cd /var/www/mysite

sudo chown -R root:root *

Step 12 - Start, Stop and Restart Hiawatha

sudo /etc/init.d/hiawatha start

sudo /etc/init.d/hiawatha stop

suod /etc/init.d/hiawatha restart

Step 13 - Performance tuning for MariaDB (Optional)

You can fine tune the MariaDB as per this link.

Step 14 - Performance tuning for Ubuntu (Optional)

You can fine tune the Ubuntu Server as per this link.

Step 15 - Secure your Ubuntu Server in a passive way (Optional)

Please refer to this link to secure your server in a passive way.

Step 16 - Setup a FTP server on Ubuntu Server (Optional)

This link shows you how to setup a vsFTPd server.

Remarks :

If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".

sudo aa-complain hiawatha

After several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha

It is because the captioned usr.sbin.hiawatha may not 100% work for you.

That's all! See you.

HOWTO : Highest secured Hiawatha Web Server 7.4.1 on Ubuntu 11.04 Server

2011-05-09T09:19:00.018+08:00

Hiawatha is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight, easy to configure and setup too. How secure? Please refer to the features of Hiawatha.

For the performance, please refer to the study of SaltwaterC at here.

This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 11.04.

Update the fresh install system to the latest status.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

deb http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main
deb-src http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main

Save the change and install the following.

sudo apt-get update

sudo apt-get install mariadb-server mariadb-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd

wget http://www.hiawatha-webserver.org/files/hiawatha-7.4.1.tar.gz
tar -xzvf hiawatha-7.4.1.tar.gz
cd hiawatha-7.4.1

./configure
make deb

cd ..

sudo dpkg -i hiawatha_7.4.1_amd64.deb

or

sudo dpkg -i hiawatha_7.4.1_i386.deb

Step 3 - Configure PHP5 (Optional for security only)

The following settings are for making PHP5 more secure.

sudo nano /etc/php5/cgi/php.ini

Make changes as is.

cgi.rfc2616_headers = 1

zlib.output_compression = On
zlib.output_compression_level = 6

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Binding {
   Port = 80
#   Interface = 127.0.0.1
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Step 5a (Optional for security purpose) :

Add the following line at the GENERAL SETTINGS.

ConnectionsTotal = 1000
ConnectionsPerIP = 30
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log

LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper

Make changes for the following entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yes

BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 30/1:300
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1

KickOnBan = yes
ReconnectDelay = 3

Step 5b :

The entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS should be looking like this.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

VirtualHost {
   Hostname = www.mysite.com, mysite.com
   WebsiteRoot = /var/www/mysite
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 15
#   UseFastCGI = PHP5
#   UseToolkit = banshee
   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   ExecuteCGI = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   DenyBot = taptubot:/
   WrapCGI = jail_mysite
}

You can ignore the "DenyBot" entries when you want the search engines to find your site easily.

Furthermore, if you want to disable this virtual site, you can move the "mysite.com" to /etc/hiawatha/disable-sites/ and then restart hiawatha server.

sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/
sudo /etc/init.d/hiawatha restart

Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

# Last Modified: Thu Jun  3 01:52:13 2010
#include <tunables/global>

/usr/sbin/hiawatha {
   #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/php5>

   capability chown,
   capability dac_override,
   capability fowner,
   capability fsetid,
   capability setgid,
   capability setuid,

   /bin/dash rix,
   owner /etc/hiawatha/ r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   owner /etc/passwd r,
   /etc/php5/ r,
   /etc/php5/** r,
   /etc/postfix/** r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /etc/snmp/snmp.conf r,
   /sys/devices/system/cpu/ r,
   /tmp/** rwk,
   /usr/bin/php5-cgi rix,
   /usr/lib/postfix/cleanup rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/ r,
   /usr/share/** r,
   /var/www/ r,
   /var/www/** rwk,
   /var/lib/ r,
   /var/lib/** rw,
   /var/lib/hiawatha/** rw,
   owner /var/log/hiawatha/** w,
   /var/log/hiawatha/** r,
   owner /var/run/ r,
   owner /var/run/** w,
   /var/run/** r,
   /var/spool/postfix/** rw,
   /var/spool/postfix/pid/** wk,
}

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log

cd /var/www/mysite
sudo chown -R root:root *

Step 12 - Start, Stop and Restart Hiawatha

sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
suod /etc/init.d/hiawatha restart

Step 13 - Performance tuning for MariaDB (Optional)

You can fine tune the MariaDB as per this link.

Step 14 - Performance tuning for Ubuntu (Optional)

You can fine tune the Ubuntu Server as per this link.

Step 15 - Secure your Ubuntu Server in a passive way (Optional)

Please refer to this link to secure your server in a passive way.

Step 16 - Setup a FTP server on Ubuntu Server (Optional)

This link shows you how to setup a vsFTPd server.

Remarks :

If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".

sudo aa-complain hiawatha

After several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha

It is because the captioned usr.sbin.hiawatha may not 100% work for you.

That's all! See you.

HOWTO : MariaDB and XCache performance tuning on Ubuntu 11.04

2011-05-09T09:09:00.000+08:00

The following settings is for tuning the MariaDB database performance on Ubuntu 11.04. It is well tested on Intel Xeon 4 core CPU x 2 and 8 GB RAM. It is also well tested on Drupal 6.2.

Step 1 :

sudo nano /etc/mysql/my.cnf

Change the values as the following :

[mysqld_safe]
nice = -5

[mysqld]
key_buffer_size = 384M
thread_cache_size = 384
max_connections = 500
table_cache = 1800
# If you have 8 cores CPU, the value should be 16 (no. of processor x 2)
thread_concurrency = 16
query_cache_limit = 4M
query_cache_size = 128M

[isamchk]
key_buffer = 64M

Step 2 :

sudo restart mysql

Step 3 (Optional) :

If you are using Hiawatha Web Server and PHP5, the following settings will further tune the performance also.

sudo apt-get install php5-xcache

Step 3a (Optional) :

sudo nano /etc/php5/conf.d/xcache.ini

Change the value of xcache.size as the following :

xcache.size = 64M

Step 3b (Optional) :

sudo /etc/init.d/php-fcgi restart

Step 3c (Optional) :

To test if it is working or not :

sudo php-cgi -v

If you can see the "with XCache v1.3.0, Copyright (c) 2005-2009, by mOo", your xcache is working.

That's all! See you.

HOWTO : MariaDB 5.2 on Ubuntu Server 11.04

2011-05-09T09:07:00.004+08:00

Since MySQL is now owned by Oracle, the developers of previous MySQL reformed and developed MariaDB under GPL v2. It is compatible to MySQL and running much faster than MySQL too. You can use MariaDB as alternative. The commands and API are the same, such as "mysql -u root -p".

Step 1 :

Prepare for installation of MariaDB

sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1BB943DB

Step 2 :

sudo nano /etc/apt/sources.list.d/mariadb.list

Append the following lines.

deb http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main
deb-src http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main

Save the change and install the following.

Step 3 :

sudo apt-get update

sudo apt-get install mariadb-server mariadb-client

** You can also replace your MySQL to MariaDB in this way. The MySQL will be uninstall automatically. You can also use the my.cnf of MySQL without any problem or replace by the new one.

Step 4 : (Optional)

To tune the performance of MariaDB. Please see this link for reference. The settings are the same.

That's all! See you.

HOWTO : Logwatch for Hiawatha on Ubuntu 11.04 Server

2011-05-09T08:59:00.000+08:00

Logwatch reads your log files and alert you about the unusual log entries. It is working perfect for Apache. However, the log directory of Hiawatha is different from Apache. You should do something else on logwatch in order to make it to read Hiawatha log files.

Step 0 :

Install logwatch.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install logwatch

Step 1 :

Make changes to the logwatch configure file in order to tell her to send you a email report.

sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Change the settings of the following lines.

Output = mail
Format = html
MailTo = samiux@gmail.com

Step 2 :

Make logwatch to read Hiawatha log files.

sudo nano /usr/share/logwatch/default.conf/logfiles/http.conf

Add the following lines on the appropriate sections.

LogFile = hiawatha/*access.log
LogFile = hiawatha/*access.log.1
LogFile = hiawatha/*error.log
LogFile = hiawatha/*error.log.1
LogFile = hiawatha/*system.log
LogFile = hiawatha/*system.log.1
LogFile = hiawatha/*garbage.log
LogFile = hiawatha/*garbage.log.1
LogFile = hiawatha/*php-fcgi.log
LogFile = hiawatha/*php-fcgi.log.1

Archive = hiawatha/*access.log.*.gz
Archive = hiawatha/*error.log.*.gz
Archive = hiawatha/*system.log.*.gz
Archive = hiawatha/*garbage.log.*.gz
Archive = hiawatha/*php-fcgi.log.*.gz

That's all. See you!

HOWTO : Secure your Ubuntu Server in a passive way on Ubuntu 11.04

2011-05-09T08:55:00.001+08:00

Root account access warning

Add the following to the top of the file /root/.bashrc and you will be informed by email when the root account is being accessed.

echo -e "Root Shell Access on `tty` \n `w`" | mail -s "Alert: Root Access" samiux@gmail.com

You are also required to add the captioned line at the sudoers' .bashrc file.

echo -e "Sudoer Shell Access on `tty` \n `w`" | mail -s "Alert: Sudoer Access" samiux@gmail.com

Hardening SSH

The official port of SSH is 22. You can change it to any port that between 1024 and 65535. You can do it at the router or firewall and you can do it at the configure file of SSH at /etc/ssh/sshd_config. You are recommended to disable the root account login via SSH even you are using Ubuntu.

Port 65535
PermitRootLogin no

sudo /etc/init.d/sshd restart

Block all failed attempts

You are also required to install Fail2Ban in order to block all several time failed attempts.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install fail2ban

Change the setting at /etc/fail2ban/jail.conf when necessary.

Restart the fail2ban after the changes.

sudo /etc/init.d/fail2ban restart

Finally, enable firewall and only allow necessary ports to be access.

That's all! See you.

HOWTO : vsFTPd on Ubuntu Server 11.04

2011-05-09T08:53:00.001+08:00

Step 1 :
Install the vsFTPd.

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install vsftpd

Step 2 :
Edit the configure file of vsFTPd.

sudo nano /etc/vsftpd.conf

Change the setting as the following.

# If you allow anonymous login then
anonymous_enable=YES
# If you do not allow anonymous login then
#anonymous_enable=NO
local_enable=YES
write_enable=YES
# Users are allowed to walk around at his directory only
chroot_local_user=YES

If you are behind a firewall or router, the following setting should be implemented and append to the end of the file.

pasv_enable=YES
#pasv_promiscuous=YES
pasv_min_port=50000
pasv_max_port=50100
# If your server's IP address is 192.168.0.15
pasv_address=192.168.0.15

local_root=/home

Make sure port 20, 21, and 50000-50100 are opened at your firewall or router. The ports should be forwarded to and opened at the vsFTPd server. Anonymous user can be download the files at /home/ftp directory.

Step 3 :
Restart vsFTPd.

sudo /etc/init.d/vsftpd restart

That's all. See you.

HOWTO : MariaDB 5.2 on Ubuntu Server 10.10

2011-03-26T23:12:00.000+08:00

deb http://mirrors.xmission.com/mariadb/repo/5.2/ubuntu maverick main
deb-src http://mirrors.xmission.com/mariadb/repo/5.2/ubuntu maverick main

Save the change and install the following.

Step 3 :

sudo apt-get update

sudo apt-get install mariadb-server mariadb-client

** You can also replace your MySQL to MariaDB in this way. The MySQL will be uninstall automatically. You can also use the my.cnf of MySQL without any problem or replace by the new one.

Step 4 : (Optional)

To tune the performance of MariaDB is the same as tuning MySQL. Please see this link for reference. The settings are the same.

That's all! See you.

HOWTO : MySQL and XCache performance tuning on Ubuntu 10.10

2011-03-24T18:45:00.003+08:00

The following settings is for tuning the MySQL database performance on Ubuntu 10.10. It is well tested on Intel Xeon 4 core CPU x 2 and 8 GB RAM. It is also well tested on Drupal 6.2.

Step 1 :

sudo nano /etc/mysql/my.cnf

Change the values as the following :

[mysqld_safe]
nice = -5

[mysqld]
key_buffer = 384M
thread_cache_size = 384
max_connections = 500
table_cache = 1800
# If you have 8 cores CPU, the value should be 16 (no. of processor x 2)
thread_concurrency = 16
query_cache_limit = 4M
query_cache_size = 128M

[isamchk]
key_buffer = 64M

HOWTO : vsFTPd on Ubuntu Server 10.10

2011-02-06T22:06:00.000+08:00

Step 1 :
Install the vsFTPd.

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install vsftpd

Step 2 :
Edit the configure file of vsFTPd.

sudo nano /etc/vsftpd.conf

Change the setting as the following.

# If you allow anonymous login then
anonymous_enable=YES
# If you do not allow anonymous login then
#anonymous_enable=NO
local_enable=YES
write_enable=YES
# Users are allowed to walk around at his directory only
chroot_local_user=YES

If you are behind a firewall or router, the following setting should be implemented and append to the end of the file.

pasv_enable=YES
#pasv_promiscuous=YES
pasv_min_port=50000
pasv_max_port=50100
# If your server's IP address is 192.168.0.15
pasv_address=192.168.0.15

HOWTO : Secure your Ubuntu Server in a passive way

2010-11-20T12:57:00.004+08:00

*** The original post is written on June 13, 2009 by me. I repost here for reference. The original post is at here. ***

Root account access warning

Add the following to the top of the file /root/.bashrc and you will be informed by email when the root account is being accessed.

echo -e "Root Shell Access on `tty` \n `w`" | mail -s "Alert: Root Access" samiux@gmail.com

You are also required to add the captioned line at the sudoers' .bashrc file.

echo -e "Sudoer Shell Access on `tty` \n `w`" | mail -s "Alert: Sudoer Access" samiux@gmail.com

Hardening SSH

The official port of SSH is 22. You can change it to any port that between 1024 and 65535. You can do it at the router or firewall and you can do it at the configure file of SSH at /etc/ssh/sshd_config. You are recommended to disable the root account login via SSH even you are using Ubuntu.

Port 65535
PermitRootLogin no

sudo /etc/init.d/sshd restart

Block all failed attempts

You are also required to install Fail2Ban in order to block all several time failed attempts.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install fail2ban

HOWTO : Highest secured Hiawatha Web Server 7.4 on Ubuntu 10.10 Server

2010-11-19T01:17:00.023+08:00

Hiawatha is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight, easy to configure and setup too. For the performance, please refer to the study of SaltwaterC at here.

This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 10.10.

Update the fresh install system to the latest status.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

If the kernel or kernel modules have been updated, you are required to reboot your system before going further.

Step 1 - Installation of PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd

Step 1a - Installation of PHP5 and MariaDB (Alternative)

Since MySQL is now owned by Oracle, the developers of previous MySQL reformed and developed MariaDB under GPL v2. It is compatible to MySQL and running much faster than MySQL too. You can use MariaDB as alternative. The commands and API are the same, such as "mysql -u root -p".

Prepare for installation of MariaDB
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1BB943DB

sudo nano /etc/apt/sources.list.d/mariadb.list

Append the following lines.

deb http://mirrors.xmission.com/mariadb/repo/5.2/ubuntu maverick main
deb-src http://mirrors.xmission.com/mariadb/repo/5.2/ubuntu maverick main

Save the change and install the following.

sudo apt-get update

sudo apt-get install mariadb-server mariadb-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd

** You can also replace your MySQL to MariaDB in this way. The MySQL will be uninstall automatically. You can also use the my.cnf of MySQL without any problem or replace by the new one.

Step 2 - Installation of Hiawatha

Install required dependenices for Hiawatha.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

Download the latest version of Hiawatha (the current version at this writing is 7.4).

wget http://www.hiawatha-webserver.org/files/hiawatha-7.4.tar.gz
tar -xzvf hiawatha-7.4.tar.gz
cd hiawatha-7.4

./configure
make deb

cd ..

sudo dpkg -i hiawatha_7.4_amd64.deb

or

sudo dpkg -i hiawatha_7.4_i386.deb

Step 3 - Configure PHP5 (Optional for security only)

The following settings are for making PHP5 more secure.

sudo nano /etc/php5/cgi/php.ini

Make changes as is.

cgi.rfc2616_headers = 1

zlib.output_compression = On
zlib.output_compression_level = 6

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Binding {
   Port = 80
#   Interface = 127.0.0.1
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Step 5a (Optional for security purpose) :

Add the following line at the GENERAL SETTINGS.

ConnectionsTotal = 1000
ConnectionsPerIP = 30
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log

LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper

Make changes for the following entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yes

BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 30/1:300
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1

KickOnBan = yes
ReconnectDelay = 3

Step 5b :

The entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS should be looking like this.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

Step 5c :

Add the following line at VIRTUAL HOSTS.

Include /etc/hiawatha/enable-sites/

*Make sure the make a directory enable-sites under /etc/hiawatha.

sudo mkdir /etc/hiawatha/enable-sites

Step 6 - Configure Hiawatha (Part 2)

If your domain is mysite.com, you are required to create a file namely mysite.com and place it under /etc/hiawatha/enable-sites/mysite.com.

VirtualHost {
   Hostname = www.mysite.com, mysite.com
   WebsiteRoot = /var/www/mysite
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 15
#   UseFastCGI = PHP5
#   UseToolkit = banshee
   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   ExecuteCGI = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   DenyBot = taptubot:/
   WrapCGI = jail_mysite
}

Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

# Last Modified: Thu Jun  3 01:52:13 2010
#include <tunables/global>

/usr/sbin/hiawatha {
   #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/php5>

   capability chown,
   capability dac_override,
   capability fowner,
   capability fsetid,
   capability setgid,
   capability setuid,

   /bin/dash rix,
   owner /etc/hiawatha/ r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   owner /etc/passwd r,
   /etc/php5/ r,
   /etc/php5/** r,
   /etc/postfix/** r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /etc/snmp/snmp.conf r,
   /sys/devices/system/cpu/ r,
   /tmp/** rwk,
   /usr/bin/php5-cgi rix,
   /usr/lib/postfix/cleanup rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/ r,
   /usr/share/** r,
   /var/www/ r,
   /var/www/** rwk,
   /var/lib/ r,
   /var/lib/** rw,
   /var/lib/hiawatha/** rw,
   owner /var/log/hiawatha/** w,
   /var/log/hiawatha/** r,
   owner /var/run/ r,
   owner /var/run/** w,
   /var/run/** r,
   /var/spool/postfix/** rw,
   /var/spool/postfix/pid/** wk,
}

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log

cd /var/www/mysite
sudo chown -R root:root *

Step 12 - Start, Stop and Restart Hiawatha

sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
suod /etc/init.d/hiawatha restart

Step 13 - Performance tuning for MySQL or MariaDB (Optional)

You can fine tune the MySQL or MariaDB as per this link.

Step 14 - Performance tuning for Ubuntu (Optional)

You can fine tune the Ubuntu Server as per this link.

Remarks :

If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".

sudo aa-complain hiawatha

After several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha

It is because the captioned usr.sbin.hiawatha may not 100% work for you.

That's all! See you.

HOWTO : Highest secured Hiawatha Web Server 7.3 on Ubuntu 10.04 Server

2010-08-14T05:13:00.008+08:00

Hiawatha is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight, easy to configure and setup too. For the performance, please refer to the study of SaltwaterC at here.

This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 10.04 LTS.

Update the fresh install system to the latest status.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

If the kernel or kernel modules have been updated, you are required to reboot your system before going further.

Step 1 - Installation of PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg

sudo wget http://www.hiawatha-webserver.org/files/hiawatha-7.3.tar.gz
tar -xzvf hiawatha-7.3.tar.gz
cd hiawatha-7.3

./configure
make deb

cd ..

sudo dpkg -i hiawatha_7.3_amd64.deb

or

sudo dpkg -i hiawatha_7.3_i386.deb

Step 3 - Configure PHP5 (Optional for security only)

The following settings are for making PHP5 more secure.

sudo nano /etc/php5/cgi/php.ini

Make changes as is.

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Binding {
   Port = 80
#   Interface = 127.0.0.1
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Step 5a (Optional for security purpose) :

Add the following line at the GENERAL SETTINGS.

ConnectionsTotal = 1000
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log

LogFormat = extended
ExploitLogfile = /var/log/hiawatha/exploit.log
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper

Make changes for the following entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yes

BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 10/1:15
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1

KickOnBan = yes
ReconnectDelay = 3

Step 5b :

The entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS should be looking like this.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

VirtualHost {
   Hostname = www.mysite.com, mysite.com
   WebsiteRoot = /var/www/mysite
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 15
#   UseFastCGI = PHP5
#   UseToolkit = banshee
   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   ExecuteCGI = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   DenyBot = taptubot:/
   WrapCGI = jail_mysite
}

Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

# Last Modified: Thu Jun  3 01:52:13 2010
#include <tunables/global>

/usr/sbin/hiawatha {
   #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/php5>

   capability chown,
   capability dac_override,
   capability fowner,
   capability fsetid,
   capability setgid,
   capability setuid,

   /bin/dash rix,
   owner /etc/hiawatha/ r,
   owner /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   owner /etc/passwd r,
   /etc/php5/ r,
   /etc/php5/** r,
   /etc/postfix/** r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /sys/devices/system/cpu/ r,
   /usr/bin/php5-cgi rix,
   /usr/lib/postfix/cleanup rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/ r,
   /usr/share/** r,
   /var/www/ r,
   /var/www/** r,
   /var/www/logfiles/ r,
   /var/www/logfiles/** rw,
   /var/lib/ r,
   /var/lib/** rw,
   /var/lib/hiawatha/** rw,
   owner /var/log/hiawatha/** w,
   /var/log/hiawatha/** r,
   owner /var/run/ r,
   owner /var/run/** rw,
   /var/spool/postfix/** rw,
   /var/spool/postfix/pid/** wk,
   /var/www/hiawatha/ r,
}

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper

sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
suod /etc/init.d/hiawatha restart

That's all! See you.

HOWTO : Highest secured Hiawatha Web Server 6.19 on Ubuntu 9.10 Server

2009-12-20T10:57:00.002+08:00

Hiawatha is a web server that equipped with a lot of security features. It is developed by Hugo Leisink since 2002.

Hiawatha supports PHP, Perl, Python and Ruby. It is a lightweight and fast as well as secured web server.

Installation of Linux, Hiawatha, MySQL and PHP - LHMP

Step 0 - Install Ubuntu 9.10

Install Ubuntu 9.10 Server and OpenSSH. If your web application requires email function, you should also install Mail Server also.

Make sure you have perform the following commands at the terminal (or console).

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

If the kernel or kernel modules have been updated, you should reboot your computer/server.

Step 1 - Install PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

*Note : some modules will not be required, such as php5-sqlite and php5-snmp. If your web application requires them, make sure to install them.

Step 2 - Install Hiawatha

Download the current Hiawatha, 6.19 at this time of writing.

sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.19.tar.gz
tar -xzvf hiawatha-6.19.tar.gz
cd hiawatha-6.19

Install requires dependenices.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

At the hiawatha-6.19 directory, build the Hiawatha deb package.

./configure
make deb

The deb package will be created at your home directory, such as /home/samiux. You can install it now.

cd ..

For 64-bit system :
sudo dpkg -i hiawatha_6.19_amd64.deb

For 32-bit system :
sudo dpkg -i hiawatha_6.19_i386.deb

Step 3 - Configure PHP5

Edit the php.ini.

sudo nano /etc/php5/cgi/php.ini

Make change as is.

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

*Note : some PHP application may requires safe_mode = Off.

Edit Hiawatha's php-fcgi.conf.

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you make any change on php-fcgi.conf, make sure to restart it by following commands.

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Step 4 - Configure Hiawatha

Edit the file hiawatha.conf.

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.
ServerId = www-data

Add the following line at the GENERAL SETTINGS. Apache compatible log file format.

LogFormat = extended
ExploitLogfile = /var/log/hiawatha/exploit.log
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper

Uncomment the following entries at BINDING SETTINGS.

Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Uncomment all the entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24

*Note : Make change to the Banlistmask in order to meet your network requirement.

Uncomment php5-cgi and CGIextension lines.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

Uncomment all the entries of FastCGIserver and rename ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

Optional - Create the following lines under URL TOOLKIT.

UrlToolkit {
   ToolkitID = CMS_common
   RequestURI isfile Return
   RequestURI exists Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}

*Note : UrlToolkit is similar to Apache's mod_rewrite.

Create a VirtualHost for your site.

VirtualHost {
   Hostname = samiux.blogspot.com
   #Alias = /php_my_admin:/usr/share/phpmyadmin
   WebsiteRoot = /var/www/blog
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/blog_access.log
   ErrorLogfile = /var/log/hiawatha/blog_error.log
   TimeForCGI = 5
   #UseFastCGI = PHP5
   UseToolkit = CMS_common
   ExecuteCGI = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   DenyBot = taptubot:/
   WrapCGI = jail
}

Configure cgi-wrapper.conf.
sudo nano /etc/hiawatha/cgi-wrapper.conf

Make changes to the file.

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

Wrap = jail ; /var/www ; www-data:www-data

*Note : DenyBot entries are optional. If you do not want spiders and bots to crawl your site, you should enable it. Those entries are examples only. UseToolKit is also optional.

Make sure /var/log/hiawatha/blog exists (example) and its ownership is www-data.

If not, make it as is.
sudo chown -R www-data:www-data /var/log/hiawatha/blog

Restart Hiawatha.
sudo /etc/init.d/hiawatha restart

Now, make sure the ownership of access.log and error.log are www-data. If not, make them as is.

sudo chown www-data:www-data /var/log/hiawatha/blog/*

Step 5 - Configure Apparmor (to make Hiawatha more safety)

Create Apparmor profile for Hiawatha.
sudo aa-genprof hiawatha

Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Make the entries look like this.

# Last Modified: Thu Oct  1 10:00:57 2009
#include <tunables/global>


/usr/sbin/hiawatha {
  #include <abstractions/base>


   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,


   network inet tcp,


   /bin/dash rix,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /etc/php5/cgi/php.ini r,
   /etc/php5/conf.d/ r,
   /etc/php5/conf.d/**.ini r,
   /etc/phpmyadmin/** r,
   /etc/postfix/**.cf r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /usr/bin/php5-cgi rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/hiawatha mr,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/dbconfig-common/** r,
   /usr/share/file/magic.mime r,
   /usr/share/mysql/charsets/Index.xml r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /usr/share/zoneinfo/ r,
   owner /var/lib/** rwk,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/* r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid rw,
   owner /var/spool/postfix/maildrop/** rw,
   /var/spool/postfix/public/pickup w,
   /var/www/ r,
   /var/www/** rw,
}

* suppose you are using postfix.

Make the profile in enforce mode (active).
sudo aa-enforce hiawatha

If you have change some settings, you should reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

Step 6 - Improve the security of CGI-Wrapper

Now, your hiawatha is very secure but I would like to make it more secure.

sudo apt-get install libcap2-bin

Apply Capabilities on cgi-wrapper.

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper

The result of getcap :

sudo getcap /usr/sbin/cgi-wrapper

It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep

Step 7 - logwatch configuration

LogWatch configuration as per Ubuntu 9.04

Reference :
Hiawatha Manual
Hiawatha Features
AppArmor

Known Issue
Alias cannot be functioned with this configuration so far.

That's all. See you!

HOWTO : Highest secured Hiawatha Web Server (6.17.1) on Ubuntu 9.04 Server

2009-10-01T11:09:00.007+08:00

What is Hiawatha?

Hiawatha is a web server that developed by Hugo Leisink since 2002. Hiawatha is not as well known as Apache; however, it has some unique features that Apache lacks of. Apache requires some modules to do the security purpose, such as modsecurity and mod_rewrite. Hiawatha is already built-in. She can ban some bad traffic and bad activities on your web server. Her footprint is also small, that is 130kb, surprise?! She is the default web server for Austrumi and Puppy Linux.

Although the user manual at her official site is not detail enough (at the time of this writing), it is quite easy to configure and runs on a production server. There may be a bug at cgi-wrapper in Hiawatha 6.17.1 and it requires to modify the source code to solve the problem.

Hiawatha runs MySQL and PHP great in cgi mode. It can run in Windows environment too (but not yet tried). This tutorial is going to show you how to configure Hiawatha to work with MySQL and PHP.

Installation of Linux, Hiawatha, MySQL and PHP - LHMP

Step 0 - Install Ubuntu 9.04

Install Ubuntu 9.04 Server and OpenSSH. If your web application requires email function, you should also install Mail Server also.

Make sure you have perform the following commands at the terminal (or console).

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

If the kernel or kernel modules have been updated, you should reboot your computer/server.

Step 1 - Install PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.17.1.tar.gz
tar -xzvf hiawatha-6.17.1.tar.gz
cd hiawatha-6.17.1

Install requires dependenices.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

Fix bug on Hiawatha.
sudo nano cgi-wrapper.c

At line 103, just below rest = uncomment(line); add the following lines :

if (*rest == '\0') {
   continue;
}

At the hiawatha-6.17.1 directory, build the Hiawatha deb package.

./configure
make deb

The deb package will be created at your home directory, such as /home/samiux. You can install it now.

cd ..

For 64-bit system :
sudo dpkg -i hiawatha_6.17.1_amd64.deb

For 32-bit system :
sudo dpkg -i hiawatha_6.17.1_i386.deb

Step 3 - Configure PHP5

Edit the php.ini.

sudo nano /etc/php5/cgi/php.ini

Make change as is.

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

LogFormat = extended
CGIwrapper = /usr/sbin/cgi-wrapper

Uncomment the following entries at BINDING SETTINGS.

Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Uncomment all the entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24

*Note : Make change to the Banlistmask in order to meet your network requirement.

Uncomment php5-cgi and CGIextension lines.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

Uncomment all the entries of FastCGIserver and rename ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

Optional - Create the following lines under URL TOOLKIT.

UrlToolkit {
   ToolkitID = CMS_common
   RequestURI isfile Return
   RequestURI exists Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}

*Note : UrlToolkit is similar to Apache's mod_rewrite.

Create a VirtualHost for your site.

VirtualHost {
   Hostname = samiux.blogspot.com
   #Alias = /php_my_admin:/usr/share/phpmyadmin
   WebsiteRoot = /var/www/blog
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/blog/access.log
   ErrorLogfile = /var/log/hiawatha/blog/error.log
   TimeForCGI = 5
   #UseFastCGI = PHP5
   UseToolkit = CMS_common
   ExecuteCGI = yes
   PreventCMDi = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   WrapCGI = jail
}

Configure cgi-wrapper.conf.
sudo nano /etc/hiawatha/cgi-wrapper.conf

Make changes to the file.

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
#CGIhandler = /usr/bin/python
#CGIhandler = /usr/bin/ruby
#CGIhandler = /usr/bin/ssi-cgi

Wrap = jail ; /var/www ; www-data:www-data

*Note : Some CMS will not well when PreventCMDi = yes. DenyBot entries are optional. If you do not want spiders and bots to crawl your site, you should enable it. Those entries are examples only. UseToolKit is also optional.

Make sure /var/log/hiawatha/blog exists (example) and its ownership is www-data.

If not, make it as is.
sudo chown -R www-data:www-data /var/log/hiawatha/blog

Restart Hiawatha.
sudo /etc/init.d/hiawatha restart

Now, make sure the ownership of access.log and error.log are www-data. If not, make them as is.

sudo chown www-data:www-data /var/log/hiawatha/blog/*

Step 5 - Configure Apparmor (to make Hiawatha more safety)

Create Apparmor profile for Hiawatha.
sudo aa-genprof hiawatha

Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Make the entries look like this.

# Last Modified: Thu Oct  1 10:00:57 2009
#include <tunables/global>


/usr/sbin/hiawatha {
  #include <abstractions/base>


   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,


   network inet tcp,


   /bin/dash rix,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /etc/php5/cgi/php.ini r,
   /etc/php5/conf.d/ r,
   /etc/php5/conf.d/**.ini r,
   /etc/phpmyadmin/** r,
   /etc/postfix/**.cf r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /usr/bin/php5-cgi rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/hiawatha mr,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/dbconfig-common/** r,
   /usr/share/file/magic.mime r,
   /usr/share/mysql/charsets/Index.xml r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /usr/share/zoneinfo/ r,
   owner /var/lib/** rwk,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/* r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid rw,
   owner /var/spool/postfix/maildrop/** rw,
   /var/spool/postfix/public/pickup w,
   /var/www/ r,
   /var/www/** rw,
}

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

Step 6 - Improve the security of CGI-Wrapper

Now, your hiawatha is very secure but I would like to make it more secure.

sudo apt-get install libcap2-bin

Apply Capabilities on cgi-wrapper.

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper

The result of getcap :

sudo getcap /usr/sbin/cgi-wrapper

It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep

Reference :
Hiawatha Manual
Hiawatha Features
AppArmor

Known Issue
Alias cannot be functioned with this configuration so far.

That's all. See you!

HOWTO : Logwatch for Hiawatha on Ubuntu 9.04 Server

2009-09-20T12:20:00.001+08:00

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install logwatch

Output = mail
Format = html
MailTo = samiux@gmail.com

Step 2 :

You should also change the setting at the daily cron job.

sudo nano /etc/cron.daily/00logwatch

Make the entry like this.

/usr/sbin/logwatch --mailto samiux@gmail.com

Step 3 :

Make logwatch to read Hiawatha log files.

sudo nano /usr/share/logwatch/default.conf/logfiles/http.conf

Add the following lines on the appropriate sections.

LogFile = hiawatha/*access.log
LogFile = hiawatha/*access.log.1
LogFile = hiawatha/*error.log
LogFile = hiawatha/*error.log.1
LogFile = hiawatha/*system.log
LogFile = hiawatha/*system.log.1
LogFile = hiawatha/*garbage.log
LogFile = hiawatha/*garbage.log.1
LogFile = hiawatha/*php-fcgi.log
LogFile = hiawatha/*php-fcgi.log.1

Archive = hiawatha/*access.log.*.gz
Archive = hiawatha/*error.log.*.gz
Archive = hiawatha/*system.log.*.gz
Archive = hiawatha/*garbage.log.*.gz
Archive = hiawatha/*php-fcgi.log.*.gz

See also (Hiawatha 6.17.1 installation) :
Samiux's Blog
or
Almost Secure and Perfect Ubuntu Server

That's all. See you!

HOWTO : Most secure web server (Hiawatha 6.17.1) on Ubuntu 9.04 Server

2009-09-15T23:42:00.002+08:00

What is Hiawatha?

Hiawatha is a web server that developed by Hugo Leisink since 2002. Hiawatha is not as well known as Apache; however, it has some unique features that Apache lacks of. Apache requires some modules to do the security purpose, such as modsecurity and mod_rewrite. Hiawatha is already built-in. She can ban some bad traffic and bad activities on your web server. Her footprint is also small, that is 130kb, surprise?! She is the default web server for Austrumi and Puppy Linux.

Although the user manual at her official site is not detail enough (at the time of this writing), it is quite easy to configure and runs on a production server. There may be a bug at cgi-wrapper in Hiawatha 6.17.1 and it cannot be configured to run PHP5 in cgi-wrapper mode at the moment. However, perl is no problem.

Hiawatha runs MySQL and PHP great in cgi mode. It can run in Windows environment too (but not yet tried). This tutorial is going to show you how to configure Hiawatha to work with MySQL and PHP.

Installation of Linux, Hiawatha, MySQL and PHP - LHMP

Step 0 - Install Ubuntu 9.04

Install Ubuntu 9.04 Server and OpenSSH. If your web application requires email function, you should also install Mail Server also.

Make sure you have perform the following commands at the terminal (or console).

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

If the kernel or kernel modules have been updated, you should reboot your computer/server.

Step 1 - Install PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.17.1.tar.gz
tar -xzvf hiawatha-6.17.1.tar.gz
cd hiawatha-6.17.1

Install requires dependenices.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

At the hiawatha-6.17.1 directory, build the Hiawatha deb package.

./configure
make deb

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Uncomment all the entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24

*Note : Make change to the Banlistmask in order to meet your network requirement.

Uncomment php5-cgi and CGIextension lines.

#CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

Uncomment all the entries of FastCGIserver and rename ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

Optional - Create the following lines under URL TOOLKIT.

UrlToolkit {
   ToolkitID = CMS_common
   RequestURI isfile Return
   RequestURI exists Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}

*Note : UrlToolkit is similar to Apache's mod_rewrite.

Create a VirtualHost for your site.

VirtualHost {
   Hostname = samiux.blogspot.com
   Alias = /php_my_admin:/usr/share/phpmyadmin
   WebsiteRoot = /var/www/blog
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/blog/access.log
   ErrorLogfile = /var/log/hiawatha/blog/error.log
   TimeForCGI = 5
   UseFastCGI = PHP5
   UseToolkit = CMS_common
   ExecuteCGI = yes
   PreventCMDi = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
}

*Note : Some CMS will not well when PreventCMDi = yes. DenyBot entries are optional. If you do not want spiders and bots to crawl your site, you should enable it. Those entries are examples only. UseToolKit is also optional.

Make sure /var/log/hiawatha/blog exists (example) and its ownership is www-data.

If not, make it as is.
sudo chown -R www-data:www-data /var/log/hiawatha/blog

Restart Hiawatha.
sudo /etc/init.d/hiawatha restart

Now, make sure the ownership of access.log and error.log are www-data. If not, make them as is.

sudo chown www-data:www-data /var/log/hiawatha/blog/*

Step 5 - Configure Apparmor (to make Hiawatha more safety)

Create Apparmor profile for Hiawatha.
sudo aa-genprof hiawatha

Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Make the entries look like this.

# Last Modified: Tue Sep  1 10:28:15 2009
#include <tunables/global>

/usr/sbin/hiawatha {
   #include <abstractions/base>

   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,

network inet tcp,

   /etc/group r,
   /etc/hiawatha/** r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /usr/bin/php5-cgi rix,
   /usr/sbin/cgi-wrapper mr,
   /usr/sbin/hiawatha mr,
   /usr/share/dbconfig-common/** r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /var/lib/** r,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/* r,
   /var/log/hiawatha/** rw,
   /var/log/hiawatha/blog/* r,
   /var/log/hiawatha/blog/** a,
   /var/run/hiawatha.pid w,
   /var/www/ r,
   /var/www/** rw,
}

Make the profile in enforce mode (active).
sudo aa-enforce hiawatha

If you have change some settings, you should reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha

If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

Step 6 - Configure CGI-Wrapper

To be continue ....

Reference :
Hiawatha Manual
Hiawatha Features
AppArmor

That's all. See you!

HOWTO : Hiawatha 6.16 web server on Ubuntu 9.04 Server

2009-08-30T17:05:00.004+08:00

Hiawatha is a web server which is developed by Hugo Leisink who is in a great interest in IT security. It is designed with security in mind. It comes with Cross-site Scripting (XSS) prevention, Cross-site Request Forgery (CSRF) prevention, DoS/flooding protection, and SQL injection prevention.

It works with PHP and MySQL. Therefore, the LAMP (Linux, Apache, MySQL and PHP) should be renamed to LHMP (Linux, Hiawatha, MySQL and PHP).

Step 0 :

Install Ubuntu 9.04 Server and OpenSSH as usual. Make sure to perform the following.

sudo apt-get update sudo apt-get upgrade sudo apt-get dist-upgrade

Step 1 :

Download Hiawatha, the current version at this writing is 6.16, at http://www.hiawatha-webserver.org/download.

sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.16.tar.gz tar -xzvf hiawatha-6.16.tar.gz cd hiawatha-6.16

Configure and compile the Hiawatha.

sudo apt-get install build-essentail libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

sudo ./configure sudo make deb

The deb package will be created at /home/samiux. You can install it by :

sudo dpkg -i hiawatha_6.16_amd64.deb

sudo dpkg -i hiawatha_6.16_i386.deb

Step 2 :

Install mysql and php5.

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Enter the password for the MySQL and write it down for further usage.

Step 3 :

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line :

Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Kill it with -k, such as :

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf

*Make sure you have been activated php-fcgi; otherwise, php5 cannot be run.

Step 4 :

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.

ServerId = www-data

Uncomment the following entries at BINDING SETTINGS.

Binding { Port = 80 MaxKeepAlive = 30 TimeForRequest = 3,20 }

Uncomment all the entries at BANNING SETTINGS.

BanOnGarbage = 300 BanOnMaxPerIP = 60 BanOnMaxReqSize = 300 KickOnBan = yes RebanDuringBan = yes BanOnSQLi = 0 BanOnFlooding = 10/1:15 BanlistMask = allow 192.168.0.0/24

Uncomment all the entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS.

CGIhandler = /usr/hin/perl:pl CGIhandler = /usr/bin/php5-cgi:php,php5 CGIhandler = /usr/bin/python:py CGIhandler = /usr/bin/ruby:rb CGIhandler = /usr/bin/ssi-cgi:shtml GCIextension = cgi

Uncomment all the entries of FastCGIserver and rename ConnectTo to 127.0.0.1:2005.

FastCGIserver { FastCGIid = PHP5 ConnectTo = 127.0.0.1:2005 Extension = php, php5 SessionTimeout = 30 }

Uncomment all the entries of URL TOOLKIT.

UrlToolkit { ToolkitID = banshee RequestURI isfile Return Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return Match .*\?(.*) Rewrite /index.php?$1 Match .* Rewrite /index.php }

Uncomment all the entries of VIRTUAL HOSTS and alert it when necessary.

VirtualHost { Hostname = www.samiux.com WebsiteRoot = /var/www/www.samiux.com StartFile = index.php AccessLogfile = /var/log/hiawatha/access.log ErrorLogfile = /var/log/hiawatha/error.log TimeForGCI = 5 UseFastCGI = PHP5 UseToolkit = banshee PreventCSRF = yes PreventSQLi = yes PreventXSS = yes }

Assumed that your domain name is samiux.com and the site is at /var/www/www.samiux.com.

Step 5 :

sudo nano /etc/php5/cgi/php.ini

Change the following line to Off.

allow_url_fopen = Off

Step 6 :

Restart the Hiawatha.

sudo /etc/init.d/hiawatha restart

Step 7 :

Use AppArmor with Hiawatha.

sudo aa-genprof hiawatha

sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Add the following lines.

#include <tunables/global> /usr/sbin/hiawatha { #include <abstractions/base> capability chown, capability dac_override, capability net_bind_service, capability setgid, capability setuid, capability sys_chroot, network inet tcp, /etc/group r, /etc/hiawatha/** r, /etc/nsswitch.conf r, /etc/passwd r, /usr/bin/php5-cgi rix, /usr/sbin/cgi-wrapper mr, /usr/sbin/hiawatha mr, /usr/share/dbconfig-common/** r, /usr/share/phpmyadmin/ r, /usr/share/phpmyadmin/** r, /var/lib/** r, /var/lib/hiawatha/* rw, /var/log/hiawatha/ r, /var/log/hiawatha/** rw, /var/run/hiawatha.pid w, /var/www/ r, /var/www/** rw, /home/*/public_html/** r, }

Make it enforce.

sudo aa-enforce hiawatha

That's all. See you!

HOWTO : Quota with ext4 on Ubuntu 9.04 Server

2009-08-18T00:05:00.000+08:00

There is a bug in quota package when filesystem is ext4 in Ubuntu 9.04 Server. You cannot activate quota function under ext4 on Ubuntu 9.04. However, we can use Ubuntu 9.10's package instead. It is in alpha stage at the moment.

Step 1 :

Download the package at here and the current version is 3.17-3 by this writing.

Install the package and configure the package as usual.

sudo dpkg -i <package_name>

Step 2 :

Edit /etc/fstab and add "usrquota,grpquota" on the partition with the mount point /.

sudo touch /quota.user /quota.group sudo chmod 600 /quota.* sudo mount -o remount /

Step 3 :

sudo quotacheck -avugm sudo quotaon -avug

That's all. See you!

HOWTO : Torrentflux-b4rt with Cherokee on Ubuntu 9.04 Server

2009-08-15T08:43:00.007+08:00

I am going to build a Bittorrent server with Cherokee web server instead of Apache. I call it as LCMP - Linux, Cherokee, MySQL and PHP. It may be the fastest web server in the world so far. You are not require to edit the config files. All settings are completed by your browser.

Bittorrent server front-end is using Torrentflux-b4rt. It is running on PHP and MySQL with bittornado.

Step 0 :

Install Ubuntu 9.04 Server edition as usual. Select OpenSSH only when install.

After the installation, perform the system update.

sudo apt-get update sudo apt-get upgrade sudo apt-get dist-upgrade

Assume your server's IP is 192.168.0.200

Step 1 :

sudo nano /etc/apt/sources.list.d/cherokee.list

Add the following lines.

deb http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main deb-src http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main

Add the key.

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EBA7BD49

sudo apt-get update sudo apt-get install cherokee

Step 2 :

sudo apt-get install mysql-server mysql-client

Enter the MySQL root password when asked. Make sure you have write it down.

Step 3 :

sudo apt-get install php5-cgi

sudo nano /etc/php5/cgi/php.ini

Append the following line at the end of the file.

cgi.fix_pathinfo = 1

sudo /etc/init.d/cherokee restart

sudo apt-get install php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

sudo /etc/init.d/cherokee restart

Step 4 :

sudo cherokee-admin -b

The following will be displayed.

Login: User: admin One-time Password: W0K2jR961aYaeiwu

Web Interface: URL: http://localhost:9090/

Cherokee Web Server 0.99.22 (Aug 5 2009): Listening on port ALL:9090, TLS disabled, IPv6 disabled, using epoll, 4096 fds system limit, max. 2041 connections, caching I/O, single thread

Open browser and point to http://192.168.0.200:9090 or http://localhost:9090

Enter the user name as "admin" and password as "W0K2jR961aYaeiwu" (which will be changed each time).

Step 5 :

Clone a virtual host from default. Add the domain name, document root and etc.

The document root should be "/var/www/torrentflux".

Go back to the terminal and press Ctrl + C to quit the Cherokee's admin page.

sudo /etc/init.d/cherokee restart

Step 6 :

sudo apt-get install unrar unzip vlc uudeview build-essential bittornado

Download and compile cksfv that is required by torrentflux-b4rt.

wget http://zakalwe.fi/~shd/foss/cksfv/files/cksfv-1.3.14.tar.bz2 tar -xjvf cksfv-1.3.14.tar.bz2

cd cksfv-1.3.14 ./configure make sudo make install

Get and install torrentflux-b4rt.

wget http://download.berlios.de/tf-b4rt/torrentflux-b4rt_1.0-beta2.tar.bz2 tar -xjvf torrentflux-b4rt_1.0-beta2.tar.bz2

cd torrentflux-b4rt_1.0-beta2 sudo cp -R html /var/www/torrentflux sudo chmod -R 0777 /var/www/torrentflux/inc/config

sudo mkdir /home/samiux/torrent sudo chmod -R 0777 /home/samiux/torrent

Step 7 :

Point your browser to http://192.168.0.200/setup.php and configure it.

** You keyin the username and password on the torrentflux-b4rt will be recorded for the admin account. Please write it down.

The download directory should be "/home/samiux/torrent".

After the configuration, delete the setup.php.

sudo rm /var/www/torrentflux/setup.php

Step 8 :

Make sure to forward the default ports 49160 to 49300 at your router or firewall.

Step 9 (Optional) :

Install vsftpd when necessary.

** Make sure you change the IP address at "pasv_address".

Step 10 (Optional) :

Make your server bootless.

That's all. See you!

HOWTO : Godaddy.com's Relay Mail Server with Postfix on Ubuntu 9.04 Server

2009-07-31T12:14:00.005+08:00

Your Internet Services Provider (ISP) may block SMTP port (Port 25) if you are not using a business plan (like in Hong Kong). However, you can still send email with reverse lookup of your domain name when your domain registrar is Godaddy.com.

Step 1 :

Create and enable your free email account at Godaddy.com when you have a domain name there. Set the password accordingly. Your username of the account may be look like this : yourname@yourdomain.

Incoming Mail Server Type : POP3
Incoming Mail Server : pop.secureserver.net
Incoming Mail Server Port : 110

Outgoing Mail Server : smtpout.secureserver.net
Outgoing Mail Server Port : 25, 80, 587 or 3535

Step 2 :

Create a file namely "sasl_passwd".

sudo nano /etc/postfix/sasl/sasl_passwd

Add the following line.

smtpout.secureserver.net username:password

Step 2a :

Save and quit. Issue the following commands.

chown root:root /etc/postfix/sasl/sasl_passwd
chmod 600 /etc/postfix/sasl/sasl_passwd
postmap /etc/postfix/sasl/sasl_passwd

Step 3 :

Go to your mail server (Postfix).

sudo nano /etc/postfix/main.cf

Edit or/and add the following lines.

relayhost = [smtpout.secureserver.net]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
mynetworks = 192.168.0.0/24, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

*If your network is 192.168.0.0/24, otherwise; change it accordingly.

Step 4 :

Restart the Postfix to make it work.

sudo /etc/init.d/postfix restart

Step 5 :

Now, you can send email with reverse lookup via Godaddy.com's relay mail server. Your email will not be blocked or redirected to "Junk Mail" folder by Gmail, Yahoo Mail or others.

Be keep in mind that you have 250 quota every day. Or, you are required to purchase more quota.

Point to your email server on other servers that will send email.

That's all. See you!

HOWTO : Performance tuning for PostgreSQL on Ubuntu 9.04 Server

2009-07-26T17:35:00.003+08:00

Step 1 :

Edit postgresql.conf.

sudo nano /etc/postgresql/8.3/main/postgresql.conf

Step 2 :

The performance tuning setting is as the following :

(1) shared_buffers

Recommended : 0.25 * Available Memory

(2) work_mem

Recommended : Available Memory / max_connections
(If your queries tend to be more complicated, then divide that by 2. If you typically run very close to max_connections connections, then consider dividing by 2 again. If that gives you a number that isn't at least 16MB, buy more memory.)

(3) maintenance_work_mem

Recommended : Available Memory / 8

(4) wal_buffers

Recommended : 8MB

(5) checkpoint_segments

Recommended : 16 to 128

(6) effective_cache_size

Recommended : Available Memory * 0.75

(7) cpu_tuple_cost

Recommended : 0.0030

(8) cpu_index_tuple_cost

Recommended : 0.0010

(9) cpu_operator_cost

Recommended : 0.0005

(10) fsync

Recommended : off

Warning : If “fsync” is set to “off”, you may encounter data loss when the power failure unless you have a battery backup unit at your hardware RAID card.

(11) max_connection

Recommended : 140% (100 clients average means 140 max connections)

(12) checkpoint_timeout

Recommended : 1h

Step 3 :

Restart PostgreSQL server.

sudo /etc/init.d/postgresql-8.3 restart

Step 4 :

If it produces error message and cannot restart, change the setting for "kernel.shmmax" on sysctl.conf as suggested.

Edit the sysctl.conf as suggested.

sudo nano /etc/sysctl.conf

Reference #1 :

The following is the my setting of a 8GB RAM server which is running PostgreSQL.

/etc/postgresql/8.3/main/postgresql.conf

max_connections = 140
shared_buffers = 2GB
temp_buffers = 8MB
work_mem = 16MB
maintenance_work_mem = 1GB
wal_buffers = 8MB
checkpoint_segments = 128
effective_cache_size = 6GB
cpu_tuple_cost = 0.0030
cpu_index_tuple_cost = 0.0010
cpu_operator_cost = 0.0005
fsync = off
checkpoint_timeout = 1h

Reference #2 :

The following is my setting of sysctl.conf on the same server.

/etc/sysctl.conf

kernel.sem = 250 32000 100 128
kernel.shmall = 2097152
kernel.shmmax = 2209914880
kernel.shmmni = 4096
fs.file-max = 262140
vm.vfs_cache_pressure = 50
vm.min_free_kbytes = 65536

net.core.rmem_default = 33554432
net.core.rmem_max = 33554432
net.core.wmem_default = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 10240 87380 33554432
net.ipv4.tcp_wmem = 10240 87380 33554432
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_mem = 786432 1048576 26777216
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_tw_buckets = 360000

Step 5 :

Add the following parameters to the kernel tag of Grub.

reservation,nodiratime,noatime

Step 6 :

sudo mount -a

If no error message produced, issue the following command to make it work.

sudo mount -o remount /

That's all. See you!

HOWTO : Sockso 1.1.8 (Music Server) on Ubuntu 9.04 Server

2009-07-17T21:17:00.009+08:00

Sockso is a cross platform music server and requires no installation. She runs on a standalone personal computer or on a server. For running on personal computer with GUI, please refer to her official site.

The client computer requires no mp3 player to play the music but needs a Flash player.

The advantage of Sockso is that you can listen to your mp3 files at anytime and anywhere under the condition that fast internet connection is available. The disadvantage is that you should have at least IEEE 802.11g (54M) Wifi connection for smooth operation.

Sockso requires Sun Java only and it is requires no Apache or other web server to run.

Step 1 :

Sockso requires Sun Java to work. You should install the following packages.

sudo apt-get install sun-java6-bin sun-java6-fonts sun-java6-jre unzip

Step 2 :

Download the latest version of Sockso. The current version is 1.1.8 at the time of this writing.

wget http://sockso.googlecode.com/files/sockso-1.1.8.zip

unzip sockso-1.1.8.zip

sudo mkdir /usr/share/sockso

sudo cp -R /home/samiux/sockso-1.1.8/* /usr/share/sockso/*

sudo mkdir /var/sockso
sudo chmod -R 0755 /var/sockso

Step 3 :

Run the Sockso at command prompt.

sudo sh /usr/share/sockso/linux.sh --nogui --datadir /var/sockso

If you have some mp3 at /home/samiux/music and /home/mary/mp3, just runs the following command to make the music collection.

#SockSo#>coladd /home/samiux/music
#SockSo#>coladd /home/mary/mp3

If you want to list all collections, use the following command.

collist

If you want to delete one of the collections, use the following command.

coldel

Add a user to the Sockso.

#SockSo#>useradd samiux <your_password_here> samiux@gmail.com

To exit the #SockSo#> command prompt.

exit

Step 4 :

Copy the init.d script to /etc/init.d/

sudo cp /usr/share/sockso/scripts/init.d/sockso /etc/init.d/sockso.pl

Create a sockso script file.

sudo nano /etc/init.d/sockso

-------- CUT HERE ---------
#!/bin/bash

perl /etc/init.d/sockso.pl $1

exit 0
-------- CUT HERE ---------

Edit the sockso.pl as the following.

sudo nano /etc/init.d/sockso.pl

use constant SOCKSO_DIR => "/usr/share/sockso/";

system( 'sh linux.sh --nogui --datadir /var/sockso > /dev/null 2>&1 &' );

Step 5 :

Now, you can start the sockso with the following command.

sudo chmod +x /etc/init.d/sockso
sudo chmod +x /etc/init.d/sockso.pl

sudo /etc/init.d/sockso start

You can also stop the sockso with the following command.

sudo /etc/init.d/sockso stop

Listen to the music with your browser.

http://192.168.0.100:4444

Step 6 :

Make the script to be ran automatically after reboot.

sudo update-rc.d sockso defaults

Remarks : Make sure you have stopped the Sockso before reboot or shutdown; otherwise, the mp3 databases would be corrupted. If so, you should delete everything inside /var/sockso and redo the Step 3.

Remarks : Don't broadcast copyrighted musics or songs. Or, you may be in lawsuit.

That's all. See you!

HOWTO : WebDAV on Ubuntu 9.04 Server

2009-07-14T15:38:00.007+08:00

WebDAV is a file manager that running on web server. You can access it like on your desktop. Easy and enjoyable.

Install Ubuntu 9.04 server as usual and select LAMP and OpenSSH when asked for choice. You can also install vsFTPd if you want to but it is optional.

Step 1 :

sudo a2enmod dav_fs sudo a2enmod dav sudo a2enmod dav_lock
sudo a2dissite default

sudo /etc/init.d/apache2 restart

Step 2 :

To create a virtual host for the WebDAV.

sudo mkdir -p /var/www/webdav chown www-data /var/www/webdav

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/webdav

sudo nano /etc/apache2/sites-available/webdav

Make the a portion of the file as the following :

.... DocumentRoot /var/www/webdav <Directory /var/www/webdav/> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> <Location /> DAV On AuthType Basic AuthName "webdav" AuthUserFile /var/www/.passwd.dav Require valid-user DavMinTimeout 600 <LimitExcept GET PUT HEAD OPTIONS POST> Require valid-user </LimitExcept> </Location> ....

Step 3 :

sudo htpasswd -c /var/www/.passwd.dav samiux

chown root:www-data /var/www/.passwd.dav chmod 640 /var/www/.passwd.dav

suod chmod -R 0777 /var/www/webdav sudo chown www-data:www-data /var/www/webdav

sudo /etc/init.d/apache2 restart

Step 4 :

To test if WebDAV works or not.

sudo apt-get install cadaver

sudo cadaver http://localhost/

If you got “dav:/” prompt, enter “quit” to quit. Otherwises, fix the problem.

Step 5 (Windows only) :

Download NetDrive at http://www.netdrive.net/ and set it accordingly. The port should be 80.

Now you can access your WebDAV server from Windows.

Step 6 (Ubuntu only) :

Go to “Place” > “Connect to Server“. Select “WebDAV (HTTP)“. Enter the IP of your WebDAV server and then press “Connect“. Submit the username and password. An icon will be displayed on your desktop. Double click it and go.

Now you can access your WebDAV server from Ubuntu.

OpenOffice

If you open the OpenOffice files on the WebDAV by clicking, you can only open it in read only mode. However, there is method to overcome this problem. You open OpenOffice Write (for example), click the “Open file” and at the “Name of file” enter the following :

vnd.sun.star.webdav://192.168.0.100/openoffice_readonly_on_webdav.odt

Now you can edit and save it on WebDAV.

Limitation of WebDAV

You can paste a file onto WebDAV directly but there is a file size limitation, that is, the file should be less than 1GB. If you want to paste a file larger than 1GB, I suggest to use FTP instead.

Make sure to change the ownership of the files that you have uploaded by FTP.

sudo chown -R www-data:www-data /var/www/webdav

That’s all!

HOWTO : Rebootless with Ksplice Uptrack on Ubuntu 9.04 Server

2009-07-10T20:40:00.004+08:00

By using Ksplice Uptrack, your Ubuntu Server 9.04 will become rebootless even the kernel is updated.

Step 1 :

Get the access key of Ksplice Uptrack at the following link.

http://www.ksplice.com/uptrack/key

The access key will email to you.

Step 2 :

sudo nano /etc/apt/sources.list.d/ksplice.list

Append the following lines to the file.

deb http://www.ksplice.com/apt jaunty ksplice
deb-src http://www.ksplice.com/apt jaunty ksplice

Add the key to repository.

sudo wget -N https://www.ksplice.com/apt/ksplice-archive.asc
sudo apt-key add ksplice-archive.asc

Step 3 :

Install Ksplice Uptrack.

sudo apt-get update
sudo apt-get install uptrack

When installing uptrack, you will be asked for the access key. Go to your email and copy the just received access key to the space provided on the screen.

Step 4 :

sudo nano /etc/uptrack/uptrack.conf

Change the following line and makes Ksplice Uptrack to be installed automatically.

autoinstall = yes

Step 5 :

sudo /etc/init.d/uptrack restart

That's all. See you!

HOWTO : SSH to use RSA key for login

2009-07-10T20:33:00.002+08:00

Generate RSA key.

ssh-keygen -t rsa -b 2048

ssh-keygen -t rsa -b 4096

“Enter file in which to save the key (/home/samiux/.ssh/id_rsa): (Hit Enter)”

Press “Enter”

“Enter passphrase (empty for no passphrase):”

Enter your password twice.

nano /home/samiux/.ssh/id_rsa.pub

Copy the content.

SSH to your server. At the username directory.

sudo mkdir .ssh

sudo nano /home/username/.ssh/authorized_keys

Then pasted the previous copied key onto the authorized_keys file. Save it.

Still at the server.

sudo nano /etc/ssh/sshd_config

Change the following settings as is.

AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreUserKnownHosts yes
PasswordAuthentication no
#UseLogin no
UsePAM no

sudo /etc/init.d/ssh restart

When you login to the server again, you will ask for your RSA key passphrase once. Later, you will not be asked for any passphrase or password in the same session.

For Ubuntu Desktop users, you may consider to install SSHMenu. It will make your work more easily.

http://sshmenu.sourceforge.net/

That's all. See you!

HOWTO : Fail2ban on Ubuntu 9.04 Server

2009-07-10T20:25:00.004+08:00

Fail2ban cannot work properly with Ubuntu 9.04 Server as Ubuntu installed with Python 2.6. It is very easy to overcome this problem.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python2.5

sudo nano /usr/bin/fail2ban-server

Change the first line from

#!/usr/bin/python

#!/usr/bin/python2.5

Set the /etc/fail2ban/jail.conf as usual.

sudo /etc/init.d/fail2ban restart

Make change to the related services to "True". By default, any unauthorized access will be blocked after 6 invalid attempts.

sudo nano /etc/fail2ban/jail.conf

After that, restart fail2ban.

sudo /etc/init.d/fail2ban restart

That's all. See you!

HOWTO : Make sure no rootkit on Ubuntu 9.04 Server

2009-07-10T20:18:00.002+08:00

To ensure your server will not be installed rootkits or trojans as well as worm without your approval, you should check it frequently.

ChkRootKit

Get the chkrootkit package :

sudo apt-get install chkrootkit

Make a Cron Job to do the scan daily at 0700 hours :

sudo crontab -e

0 7 * * * /usr/sbin/chkrootkit; /usr/sbin/chkrootkit -q 2 >&1 | mail -s "Daily ChkRootKit Scan" samiux@gmail.com

Do a manual scan :

sudo /usr/sbin/chkrootkit

Rootkit Hunter

sudo apt-get install rkhunter

Make a Cron Job to do the scan daily at 0500 hours :

sudo crontab -e

0 5 * * * rkhunter --cronjob --rwo | mail -s "Daily Rootkit Hunter Scan" samiux@gmail.com

Do a manual scan :

sudo rkhunter --check

Forensic tool to find hidden processes and ports – unhide

Get the unhide package :

sudo apt-get install unhide

Make a Cron Job to do the scan daily between 0800 and 0930 hours :

sudo crontab -e

0 8 * * * unhide proc; unhide proc -q 2 >&1 | mail -s "Daily unhide proc Scan" samiux@gmail.com

30 8 * * * unhide sys; unhide sys -q 2 >&1 | mail -s "Daily unhide sys Scan" samiux@gmail.com

0 9 * * * unhide brute; unhide brute -q 2 >&1 | mail -s "Daily unhide brute Scan" samiux@gmail.com

30 9 * * * unhide-tcp; unhide-tcp -q 2 >&1 | mail -s "Daily unhide-tcp Scan" samiux@gmail.com

Do a manual scan :

sudo unhide proc
sudo unhide sys
sudo unhide brute
sudo unhide-tcp

Beware :
There will be produced some false positive by RootKit Hunter or ChkRootKit when your packages or files had been updated or have the similar behavior as the rootkit.

If this happened, you can do the following the reset it if anything is alright.

sudo rkhunter --propupd

Remarks :
It is not 100% to proof that your system is away from the attack of Rootkits.

That's all. See you!

HOWTO : Logwatch on Ubuntu 9.04 Server

2009-07-10T20:10:00.001+08:00

Logwatch reads your log files and can send you email daily about the most interesting parts.

Step 1 :

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install logwatch

Step 2 :

sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Change the following as shown :

Output = mail
Format = html
MailTo = samiux@gmail.com

Step 3 :

sudo nano /etc/cron.daily/00logwatch

/usr/sbin/logwatch --mailto samiux@gmail.com

That's all. See you!

HOWTO : Secure Ubuntu 9.04 Server in a passive way

2009-07-10T05:00:00.003+08:00

Part 1

When root or sudoers access the server, you will be informed. It will also alert you when crackers gain rights of your server.

Add the following to the top of the file /root/.bashrc or sudoer's account and you will be informed by email when the root or sudoer account is being accessed.

echo -e "Root Shell Access on `tty` \n `w`" | mail -s "Alert: Root Access" samiux@gmail.com

echo -e "Sudoer Shell Access on `tty` \n `w`" | mail -s "Alert: Sudoer Access" samiux@gmail.com

Part 2

The official port of SSH is 22. You can change it to any port that between 1024 and 65535. You can do it at the router or firewall and you can do it at the configure file of SSH at /etc/ssh/sshd_config. You are recommended to disable the root account login via SSH even you are using Ubuntu.

Port 65535
PermitRootLogin no

sudo /etc/init.d/sshd restart

That's all. See you!

HOWTO : vsFTPd on Ubuntu Server 9.04

2009-07-10T02:25:00.001+08:00

Your LAMP server requires FTP server to upload files to the related directory.

Install the vsFTPd.

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install vsftpd

Edit the configure file of vsFTPd.

sudo nano /etc/vsftpd.conf

Change the setting as the following.

# If you allow anonymous login then
anonymous_enable=YES
# If you do not allow anonymous login then
#anonymous_enable=NO
local_enable=YES
write_enable=YES
# Users are allowed to walk around at his directory only
chroot_local_user=YES

If you are behind a firewall or router, the following setting should be implemented and append to the end of the file.

pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=50000
pasv_max_port=50100
# If your server's IP address is 192.168.0.15
pasv_address=192.168.0.15

Make sure port 20 and 21 are opened at your firewall or router. Anonymous user can be download the files at /home/ftp directory.

Restart vsFTPd.

sudo /etc/init.d/vsftpd restart

That's all. See you!

HOWTO : Secure Socket Layer (SSL) for LAMP on Ubuntu 9.04 Server

2009-07-10T02:10:00.002+08:00

Enable the mod_ssl module.

sudo a2enmod ssl

Edit the default or copy the default to another file for editing.

sudo nano /etc/apache2/sites-available/default

Add the following inside the mod_rewrite.c bracket.

RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]

Enable the default-ssl site.

sudo a2ensite default-ssl

Restart apache to reload the setting and make it active.

sudo /etc/init.d/apache2 restart

That's all. See you!

HOWTO : Performance tuning of LAMP and Ubuntu 9.04 Server

2009-07-08T12:25:00.006+08:00

Performance tuning of LAMP

Step 1:

To control the bandwidth and allow faster cgi browsing, you should install the following modules.

sudo apt-get install libapache2-mod-bw libapache2-mod-fastcgi

Step 2 :

sudo a2enmod deflate

sudo nano /etc/apache2/conf.d/deflate.conf

Add the following lines at the file.

<IfModule mod_deflate.c>
DeflateCompressionLevel 6
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/postscript
<IfModule mod_headers.c>
Header append Vary User-Agent
</IfModule>
</IfModule>

sudo /etc/init.d/apache2 restart

Step 3 :

wget http://bart.eaccelerator.net/source/0.9.5.3/eaccelerator-0.9.5.3.tar.bz2

tar xvf eaccelerator-0.9.5.3.tar.bz2

sudo apt-get install build-essential php5-dev

cd eaccelerator-0.9.5.3
phpize
./configure
make
sudo make install

sudo mkdir /tmp/eaccelerator
sudo chmod 0777 /tmp/eaccelerator

Step 4 :

sudo nano /etc/php5/apache2/php.ini

Append the following lines at the end of the file.

extension="eaccelerator.so"
; shm_size default is 16, you may change to 64 or 128 depends on your RAM
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"

sudo /etc/init.d/apache2 restart

Performance tuning of Ubuntu 9.04 Server

Step 5 :

sudo nano /etc/sysctl.conf

Append the following lines at the end of the file.

kernel.sem = 250 32000 100 128
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
# If you have more than 512MB RAM, use this setting (uncomment it and comment the setting just below)
#fs.file-max = 262140
# If you have 512MB RAM or less, use this setting
fs.file-max = 65535
vm.swappiness = 1
vm.vfs_cache_pressure = 50
vm.min_free_kbytes = 65536

net.core.rmem_default = 33554432
net.core.rmem_max = 33554432
net.core.wmem_default = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 10240 87380 33554432
net.ipv4.tcp_wmem = 10240 87380 33554432
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_mem = 786432 1048576 26777216
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_tw_buckets = 360000

sudo /sbin/sysctl -p

Step 6 :

sudo nano /etc/rc.local

Add the following lines before "exit 0".

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 256 > /sys/block/sda/queue/nr_requests

*The captioned lines are for sda only.

Step 7 :

sudo nano /etc/fstab

Add "noatime" before "relatime". For example :

UUID=0e57987f-...... / ext3 noatime,relatime,errors=remount-ro 0 1

UUID=0e57987f-...... / ext4 noatime,relatime,errors=remount-ro 0 1

sudo mount -a

If there is no error message, you can now reboot your system.

That's all. See you!

HOWTO : Hardening your Apache and PHP on Ubuntu 9.04 Server

2009-07-07T13:14:00.008+08:00

You have installed LAMP and OpenSSH on your Ubuntu 9.04 Server. The first thing to do is to harden it in order to avoid some kind of attacks.

You can do the following steps in front of your Ubuntu 9.04 Server or remote access it via OpenSSH.

For OpenSSH, your Ubuntu 9.04 Server is at 192.168.0.10 :

ssh 192.168.0.10 -l samiux

Step 1 :

The avoid someone to list your files on your Apache directory, you should do the following step.

sudo nano /etc/apache2/sites-available/default

Add a minus "-" in the front of "Indexes" and it will looking like this :

<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Step 2 :

To enable the rewrite module of Apache.

sudo a2enmod rewrite

To avoid Cross-Site-Tracing attack. Add the following lines within " <VirtualHost *:80>" :

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>

Step 3 :

To avoid HTTP DoS, DDoS or Brute Force attack, you should install this module.

sudo apt-get install libapache2-mod-evasive

Step 4 :

To screen out bad URL requests, such as /etc/shadow or MySQL injection and etc. You should install mod_security module. If you installed a amd64 (64-bit) version of Ubuntu Server, please replaced i386 with amd64 for the following commands.

wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/libapache-mod-security_2.5.9-1_i386.deb

wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/mod-security-common_2.5.9-1_all.deb

sudo dpkg -i libapache-mod-security_2.5.9-1_i386.deb mod-security-common_2.5.9-1_all.deb

Step 5 :

Do not allow any Apache and Ubuntu Server information to be print on the error pages.

sudo nano /etc/apache2/conf.d/security

Change the following lines as the following :

ServerToken Prod
ServerSignature Off

Step 6 :

Now, it is time to harden the PHP.

sudo nano /etc/php5/apache2/php.ini

Change the following lines as the following :

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

Step 7 :

Final step is to restart Apache server.

sudo /etc/init.d/apache2 restart

Step 8 :

sudo nano /etc/sysctl.conf

Uncomment the following line and make it look like this.

#Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

Make the change active.

sudo /sbin/sysctl -p

That's all. See you!

HOWTO : Install Ubuntu 9.04 Server

2009-07-05T17:17:00.003+08:00

Introduction

Ubuntu is one of the most user-friendly Linux in the world so far. Not only her Desktop edition is user-friendly but so her Server edition. The current version of Ubuntu Desktop and Server edition is 9.04 at the time of this writing.

9.04 stands for released on April 2009. The next version will be 9.10, that is October 2009. Normally, she will release new version on every April and October. However, there is an exceptional. It is 6.06 which is released on June 2006 due to delay of bugs fix.

Hardware requirements

I suggest you have at least a Pentium 4 CPU with 512MB RAM and 40GB hard drive. For the minimum hardware requirement, please see her official site.

You can also install it on VMWare, Linux KVM (Kernal based Virtual Machine) or VirtualBox. It is running flawlessly on them.

Installation of Ubuntu 9.04 Server

Now, I am going to talk about how to install Ubuntu Server 9.04. First of all, you should download Ubuntu 9.04 from her official site. Burn the .iso file as disk image with your disc burning software, such as Nero (in Windows) or K3b (in Linux). Please do not extract the files from the .iso or just burn the file directly on a CD-R.

I suggest to change the ext3 filesystem to ext4 as it is much faster and it will be the next generation of Linux default filesystem. Selects LVM on the entire disk when asking. You may ask for entering user name and password. Please use a more complicated password which should includes uppercase and lowercase letters, numbers and symbols. In addition, it should be longer than 8 characters.

At the end of installation, you may asked to select some servers to install, such as LAMP, mail server, OpenSSH, virtual machine and etc. If you want to build a web server, I suggest you select LAMP, mail server and OpenSSH. I assumed you install LAMP, mail server and OpenSSH as it will be discussed in future tutorials of mine.

Make sure you are connecting to the internet while you are installing Ubuntu. The system will be reboot after the install.

That's all. See you!