Monday, May 9, 2011

HOWTO : Highest secured Hiawatha Web Server 7.4.1 on Ubuntu 11.04 Server

Hiawatha is a secure, fast and lightweight web server. It runs PHP, Perl, Python and Ruby through CGI or FastCGI, and it is easy to configure and set up. How secure? Please refer to the features of Hiawatha.

For performance figures, please refer to the study by SaltwaterC here.

This tutorial describes how to set up a hardened Hiawatha web server. Apply the "Optional" steps below as well if you want the most secure configuration; they are optional only in the sense that the server works without them.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 11.04.

Bring the freshly installed system up to date.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


If the kernel or any kernel modules were updated, reboot before going further.

Step 1 - Installation of PHP5 and MariaDB

Since MySQL is now owned by Oracle, the original MySQL developers forked it as MariaDB under GPL v2. It is a drop-in replacement for MySQL: the commands and client API are the same (for example "mysql -u root -p"), and the project claims better performance. You can use MariaDB as an alternative.

Prepare for the installation of MariaDB by importing the repository signing key. The command below fetches the key from a keyserver by its short ID; short IDs are not unique, so before trusting it compare the full fingerprint shown by "apt-key finger" with the one published by the MariaDB project.
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1BB943DB

sudo nano /etc/apt/sources.list.d/mariadb.list

Append the following lines.

deb http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main
deb-src http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main


Save the change and install MariaDB, PHP and the PHP extensions. Every php5-* extension is native code loaded into the interpreter, so install only the ones your application needs and drop the rest from the list. Note that mini-httpd is a separate web server, not a Hiawatha dependency; if you keep it, make sure it is not started on port 80 alongside Hiawatha.

sudo apt-get update

sudo apt-get install mariadb-server mariadb-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd

Step 2 - Installation of Hiawatha

Install the required dependencies for Hiawatha.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

Download the latest version of Hiawatha (7.4.1 at the time of writing). The download is over plain HTTP, so verify the tarball against the checksum or signature published by the project before building it.

wget http://www.hiawatha-webserver.org/files/hiawatha-7.4.1.tar.gz
tar -xzvf hiawatha-7.4.1.tar.gz
cd hiawatha-7.4.1


./configure
make deb


cd ..

sudo dpkg -i hiawatha_7.4.1_amd64.deb

or, on a 32-bit system:

sudo dpkg -i hiawatha_7.4.1_i386.deb

Step 3 - Configure PHP5 (Optional for security only)

The following php.ini settings reduce PHP's attack surface. The two zlib lines are a performance setting (response compression), not a security one.

sudo nano /etc/php5/cgi/php.ini

Set the following directives:

; Send RFC 2616 style status lines instead of a CGI "Status:" header
cgi.rfc2616_headers = 1

; Compress responses (performance, not security)
zlib.output_compression = On
zlib.output_compression_level = 6

; Never show errors to the client; write them to the log instead
display_errors = Off
log_errors = On
; Do not let fopen() and friends open remote URLs
allow_url_fopen = Off
; Deprecated in PHP 5.3, removed in PHP 5.4 (see note below)
safe_mode = On
; Do not advertise the PHP version in the X-Powered-By header
expose_php = Off
; No runtime loading of extensions with dl()
enable_dl = Off
; Block process execution and information leaks from PHP code
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd


*Some PHP applications require safe_mode = Off. safe_mode is deprecated in PHP 5.3 (the version shipped with Ubuntu 11.04) and removed in PHP 5.4, so do not treat it as a security boundary. The disable_functions list above also leaves proc_open, popen and pcntl_exec callable, which can spawn processes just like exec; add them unless your application needs them.
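
As an added example (not part of the original post), the following shell script audits a php.ini against the Step 3 values: it resolves each directive the way PHP does (the last uncommented assignment wins, booleans are normalised), and checks disable_functions for the process-spawning functions that the list above leaves open. The sample php.ini it writes is constructed for the demonstration; point check_php_ini at /etc/php5/cgi/php.ini to audit a real server.

```sh
#!/bin/sh
# Added example: audit a php.ini against the hardened values from Step 3.
# Usage: check_php_ini /etc/php5/cgi/php.ini   (exit 0 = pass, 1 = deviations printed)

# Effective value of DIRECTIVE in FILE: comments (";...") are stripped, and the
# last remaining "name = value" assignment wins, as in PHP itself.
ini_get() {  # ini_get FILE DIRECTIVE
    sed -n -e 's/[[:space:]]*;.*$//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
      | tail -n 1 | sed -e 's/^"//' -e 's/"$//' -e 's/[[:space:]]*$//'
}

# Normalise a PHP boolean (On/1/true/yes vs anything else) to "on" or "off".
ini_bool() {  # ini_bool VALUE
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

check_php_ini() {  # check_php_ini FILE
    f=$1; rc=0
    # Boolean directives and the value they must have.
    for pair in display_errors=off log_errors=on allow_url_fopen=off \
                expose_php=off enable_dl=off; do
        d=${pair%%=*}; want=${pair#*=}
        raw=$(ini_get "$f" "$d")
        if [ -z "$raw" ]; then
            echo "FAIL $d: not set, PHP's built-in default applies"; rc=1
        elif [ "$(ini_bool "$raw")" != "$want" ]; then
            echo "FAIL $d: expected $want, effective value is '$raw'"; rc=1
        fi
    done
    # disable_functions is a comma-separated list. Besides the functions from
    # Step 3, proc_open, popen and pcntl_exec can also start processes.
    dis=$(ini_get "$f" disable_functions | tr -d ' ')
    for fn in exec system shell_exec passthru proc_open popen pcntl_exec dl; do
        case ",$dis," in
            *",$fn,"*) ;;
            *) echo "FAIL disable_functions: $fn is still callable"; rc=1 ;;
        esac
    done
    # safe_mode is deprecated in PHP 5.3 and gone in 5.4: warn, but do not require it.
    if [ "$(ini_bool "$(ini_get "$f" safe_mode)")" = on ]; then
        echo "NOTE safe_mode is on: deprecated in PHP 5.3, removed in 5.4, not a security boundary"
    fi
    return $rc
}

# Constructed sample php.ini mirroring the Step 3 settings (for demonstration only).
write_sample_ini() {  # write_sample_ini FILE
    cat > "$1" <<'EOF'
[PHP]
; a commented-out value must be ignored
;display_errors = On
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off   ; a trailing comment must be ignored too
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
EOF
}

# Stand-alone demonstration: audit the sample and show what it flags.
tmp=$(mktemp -d)
write_sample_ini "$tmp/php.ini"
check_php_ini "$tmp/php.ini" || echo "sample php.ini has deviations (exit status $?)"
rm -rf "$tmp"
```

Run against the sample, the audit passes the boolean directives but reports proc_open, popen and pcntl_exec as still callable and notes that safe_mode is on; because the last assignment wins, appending a complete disable_functions line to the file makes it pass.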

Step 4 - Configure php-fcgi (PHP's FastCGI)

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the Server line and set it as follows. Binding the daemon to 127.0.0.1 keeps the FastCGI socket off the network; the last field is the php.ini that was hardened in Step 3.

Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data ; /etc/php5/cgi/php.ini

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you change php-fcgi.conf, restart php-fcgi with the following commands (stop, then start).

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf


Step 5 - Configure Hiawatha (Part 1)

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId under GENERAL SETTINGS. This is the unprivileged user Hiawatha switches to after it has bound port 80 as root.

ServerId = www-data

Uncomment the following entries under BINDING SETTINGS. With Interface left commented out, Hiawatha listens on all interfaces. This binding is plain HTTP; if the site handles logins or other sensitive data, add a TLS binding as described in the Hiawatha manual.

Binding {
   Port = 80
#   Interface = 127.0.0.1
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}


Step 5a (Optional for security purpose) :

Add the following lines under GENERAL SETTINGS. ConnectionsTotal and ConnectionsPerIP cap concurrent connections (a basic flood defence); the three log files record server events, rejected garbage requests and detected exploit attempts respectively; ServerString replaces the Server header so scanners see "Apache" instead of "Hiawatha"; CGIwrapper points at the wrapper configured in Step 7.

ConnectionsTotal = 1000
ConnectionsPerIP = 30
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log


LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper


Make the following changes under BANNING SETTINGS. The BanOn* values are ban durations in seconds; BanOnFlooding = 30/1:300 bans a client that sends more than 30 requests in 1 second for 300 seconds. KickOnBan drops a client's open connections as soon as it is banned. BanlistMask is meant to exempt your own network and localhost from being banned so you cannot lock yourself out; check the BanlistMask semantics in the manual for your Hiawatha version before relying on it.

BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 30/1:300
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1
KickOnBan = yes
RebanDuringBan = yes
ReconnectDelay = 3


Step 5b :

The entries under COMMON GATEWAY INTERFACE (CGI) SETTINGS should look like this. The FastCGIserver block connects to the php-fcgi daemon from Step 4; it is only used by virtual hosts that reference it with UseFastCGI.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi


FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}


Step 5c :

Add the following line at VIRTUAL HOSTS.

Include /etc/hiawatha/enable-sites/

*Make sure to create the directories enable-sites and disable-sites under /etc/hiawatha first.

sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites

Step 6 - Configure Hiawatha (Part 2)

If your domain is mysite.com, create the file /etc/hiawatha/enable-sites/mysite.com with the following content.

VirtualHost {
   Hostname = www.mysite.com, mysite.com
   WebsiteRoot = /var/www/mysite
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 15
#   UseFastCGI = PHP5
#   UseToolkit = banshee
   DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   ExecuteCGI = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   DenyBot = taptubot:/
   WrapCGI = jail_mysite
}


A few notes on this virtual host:

With UseFastCGI commented out, .php files are executed through the CGIhandler /usr/bin/php5-cgi (via cgi-wrapper), not through the php-fcgi daemon started in Step 4; uncomment UseFastCGI = PHP5 if you want FastCGI.

WrapCGI = jail_mysite refers to the Wrap entry configured in Step 7, so if you keep this line, Step 7 is not optional.

DenyBody only rejects request bodies that match its pattern; the one above catches a percent-encoded <script>...</script> and nothing else, so treat it as a tripwire that feeds exploit.log, not as XSS protection. PreventXSS, PreventSQLi and PreventCSRF are likewise request filters and do not replace output encoding, parameterised queries and CSRF tokens in the application itself.

Omit the DenyBot entries if you want search engines to index the site. They match on the User-Agent header, which any client can change, so they keep out well-behaved crawlers only.

If you want to disable this virtual host later, move "mysite.com" to /etc/hiawatha/disable-sites/ and restart Hiawatha.

sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/
sudo /etc/init.d/hiawatha restart
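
As an added example (not part of the original post), the script below runs the DenyBody pattern from the mysite.com virtual host over a few constructed request bodies to show exactly what it rejects. It uses grep -E as a plain POSIX ERE matcher; Hiawatha's own matching options are not reproduced, so the results describe the pattern rather than the server.

```sh
#!/bin/sh
# Added example: what the Step 6 DenyBody pattern does and does not catch.
# grep -E stands in for Hiawatha's regex engine (POSIX ERE, case-sensitive here).

DENYBODY='^.*%3Cscript.*%3C%2Fscript%3E.*$'

# Exit 0 if BODY would be rejected by the pattern, 1 if it would pass.
denybody_matches() {  # denybody_matches BODY
    printf '%s\n' "$1" | grep -E -q -- "$DENYBODY"
}

# Constructed sample POST bodies (application/x-www-form-urlencoded).
caught='q=%3Cscript%3Ealert(1)%3C%2Fscript%3E'                        # <script>..</script>, percent-encoded
caught_src='q=%3Cscript%20src%3D%2F%2Fevil%2Fx.js%3E%3C%2Fscript%3E'  # any opening form plus a closing tag
raw='q=<script>alert(1)</script>'                                      # the same tag sent unencoded
other_tag='q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'                 # XSS without a script tag
no_close='q=%3Cscript%3Ealert(1)'                                      # no closing tag (browsers often run it anyway)

# Print one line per body with the outcome.
report() {  # report BODY
    if denybody_matches "$1"; then echo "DENIED  $1"; else echo "allowed $1"; fi
}

for body in "$caught" "$caught_src" "$raw" "$other_tag" "$no_close"; do
    report "$body"
done
```

Only the two bodies that contain both an encoded opening script tag and an encoded closing tag are denied; the unencoded tag, the img/onerror payload and the unterminated script tag all pass, which is why the filter belongs in exploit.log as an indicator rather than in the application's threat model as a control.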


Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

This step is required if a virtual host uses WrapCGI, as mysite.com does in Step 6: the Wrap entry below defines the jail that WrapCGI = jail_mysite refers to, and CGIwrapper in Step 5a must point at /usr/sbin/cgi-wrapper. The Wrap line has the form <id> ; <directory> ; <user>:<group>.

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi


Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data

Step 8 - Configure Apparmor (Optional for security purpose)

Run the following command and then let the site run normally for a while, a week or so. aa-genprof starts by putting the profile in complain mode, so during that time Hiawatha's accesses are logged rather than blocked.

sudo aa-genprof hiawatha

After about a week, or sooner if the site misbehaves, run the following command to turn the logged accesses into profile rules. Reload the profile afterwards.

sudo aa-logprof

Or, if you are impatient, edit the profile directly.

sudo nano /etc/apparmor.d/usr.sbin.hiawatha

The content of usr.sbin.hiawatha should look like this (adjust it to your setup).

# Last Modified: Thu Jun 3 01:52:13 2010
#include <tunables/global>


/usr/sbin/hiawatha {
   #include <abstractions/apache2-common>
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/php5>


   capability chown,
   capability dac_override,
   capability fowner,
   capability fsetid,
   capability setgid,
   capability setuid,


   /bin/dash rix,
   owner /etc/hiawatha/ r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   owner /etc/passwd r,
   /etc/php5/ r,
   /etc/php5/** r,
   /etc/postfix/** r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /etc/snmp/snmp.conf r,
   /sys/devices/system/cpu/ r,
   /tmp/** rwk,
   /usr/bin/php5-cgi rix,
   /usr/lib/postfix/cleanup rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/ r,
   /usr/share/** r,
   /var/www/ r,
   /var/www/** rwk,
   /var/lib/ r,
   /var/lib/** rw,
   /var/lib/hiawatha/** rw,
   owner /var/log/hiawatha/** w,
   /var/log/hiawatha/** r,
   owner /var/run/ r,
   owner /var/run/** w,
   /var/run/** r,
   /var/spool/postfix/** rw,
   /var/spool/postfix/pid/** wk,
}


Two rules in this profile are broad: /var/lib/** rw and /var/www/** rwk give the web server write access well beyond what most sites need, and the latter lets a compromised PHP process write anywhere under the web root that file permissions allow. Narrow them to the directories the application actually writes to once aa-logprof has shown which ones are used.

Put the profile in enforce mode (activate the above settings).

sudo aa-enforce hiawatha

If you change the profile, reload it.

sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

To disable this profile:

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


To re-enable the profile after it has been disabled:

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)

Now your Hiawatha is reasonably locked down, but cgi-wrapper still runs setuid root. Replacing the setuid bit with file capabilities means that a bug in the wrapper yields only the ability to change uid and gid, not full root.

sudo apt-get install libcap2-bin

Apply Capabilities on cgi-wrapper.

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper


Check the result with getcap:

sudo getcap /usr/sbin/cgi-wrapper

It should display:
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep

File capabilities are stored in the file's extended attributes, so a package upgrade that replaces /usr/sbin/cgi-wrapper drops them and restores the setuid bit from the package. Repeat this step after every Hiawatha upgrade and verify it with getcap.

Step 10 - Configure logwatch (Optional)

Please refer to this link to make Logwatch read the Hiawatha log files.

Redo this step after Logwatch is updated or upgraded, because the upgrade overwrites the configuration files under /usr/share/logwatch/default.conf/; settings placed under /etc/logwatch/conf/ survive upgrades.

Step 11 - Change the ownership of the log files

Change the owner of the access, error and exploit logs so that Hiawatha, which runs as the ServerId user www-data, can append to them.

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log


* Leave "php-fcgi.log" and "system.log" untouched (root:root).

Step 11a - Change ownership of all directories and files at the /var/www/mysite

Put the web application files in /var/www/mysite, then change the ownership of everything under it to root:root so that the web server user cannot modify the code it runs. Use the directory as the chown target rather than "*", which skips dot-files such as .htaccess, and make sure no file or directory remains group- or world-writable; give www-data write access only to the specific directories (uploads, cache) the application needs.

sudo chown -R root:root /var/www/mysite
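
As an added example (not part of the original post), here is a shell function that applies the Step 11a ownership change together with the permission bits it implies. It targets the directory itself rather than "*", so dot-files such as .htaccess are covered, and a second function reports anything left writable by the web server user. The chown is only performed when an owner is given (that needs root); the directory walk and permission logic run on a constructed tree in the demonstration.

```sh
#!/bin/sh
# Added example: lock down a document root as Step 11a intends.
# Usage: harden_docroot /var/www/mysite root:root   (run as root for the chown)

harden_docroot() {  # harden_docroot DIR [OWNER:GROUP]
    dir=$1; owner=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Recursing from the directory itself also covers dot-files, which the
    # shell's glob expansion in "chown -R root:root *" skips.
    if [ -n "$owner" ]; then chown -R "$owner" "$dir" || return 1; fi
    # Directories: traversable by everyone, writable only by the owner.
    find "$dir" -type d -exec chmod 755 {} +
    # Files: readable by everyone, writable by the owner only, no execute bit
    # (PHP scripts are fed to the interpreter, never executed directly).
    find "$dir" -type f -exec chmod 644 {} +
}

# List anything under DIR still writable by group or others (GNU find -perm /MODE).
# Returns 1 if something was listed, 0 if the tree is clean.
group_or_world_writable() {  # group_or_world_writable DIR
    found=$(find "$1" -perm /022 -print)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Stand-alone demonstration on a constructed tree (not a real web root).
demo=$(mktemp -d)
mkdir -p "$demo/inc" "$demo/uploads"
printf 'deny from all\n' > "$demo/.htaccess"; chmod 666 "$demo/.htaccess"
printf '<?php\n' > "$demo/inc/config.php";    chmod 777 "$demo/inc/config.php"
chmod 777 "$demo/inc"
harden_docroot "$demo"
group_or_world_writable "$demo" && echo "clean: nothing under $demo is group/world writable"
rm -rf "$demo"
```

Run it as root with the owner argument once the application files are in place, then grant www-data write access only to the directories the application really needs (an uploads or cache directory), and keep those directories out of the path where ExecuteCGI would run scripts written into them.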


Step 12 - Start, Stop and Restart Hiawatha

sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
sudo /etc/init.d/hiawatha restart


Step 13 - Performance tuning for MariaDB (Optional)

You can fine tune the MariaDB as per this link.

Step 14 - Performance tuning for Ubuntu (Optional)

You can fine tune the Ubuntu Server as per this link.

Step 15 - Secure your Ubuntu Server in a passive way (Optional)

Please refer to this link to secure your server in a passive way.

Step 16 - Setup a FTP server on Ubuntu Server (Optional)

This link shows you how to setup a vsFTPd server.

Remarks :

If you get "500 Internal Server Error", check whether AppArmor is blocking something (denials show up in dmesg and /var/log/kern.log as apparmor="DENIED") and, if so, put the profile in complain mode.

sudo aa-complain hiawatha

After several days of browsing the site, fold the logged accesses into the profile and switch it back to enforce mode.

sudo aa-logprof

sudo aa-enforce hiawatha

The usr.sbin.hiawatha profile shown above may not fit your setup 100%.

That's all! See you.

HOWTO : MariaDB and XCache performance tuning on Ubuntu 11.04

The following settings tune MariaDB on Ubuntu 11.04. They were tested on a machine with two quad-core Intel Xeon CPUs and 8 GB of RAM running Drupal 6.2.

Step 1 :

sudo nano /etc/mysql/my.cnf

Change the values as the following :

[mysqld_safe]
nice = -5

[mysqld]
key_buffer_size = 384M
thread_cache_size = 384
max_connections = 500
table_cache = 1800
# Rule of thumb: number of CPU cores x 2, e.g. 16 for 8 cores.
# Note: thread_concurrency is only honoured on Solaris; on Linux it has no effect.
thread_concurrency = 16
query_cache_limit = 4M
query_cache_size = 128M

[isamchk]
key_buffer = 64M


Step 2 :

sudo restart mysql

Step 3 (Optional) :

If you use Hiawatha and PHP5, an opcode cache also improves performance.

sudo apt-get install php5-xcache

Step 3a (Optional) :

sudo nano /etc/php5/conf.d/xcache.ini

Change the value of xcache.size as the following :

xcache.size = 64M

Step 3b (Optional) :

sudo /etc/init.d/php-fcgi restart

Step 3c (Optional) :

To check that XCache is loaded:

sudo php-cgi -v

If the output contains "with XCache v1.3.0, Copyright (c) 2005-2009, by mOo", XCache is working.

That's all! See you.

HOWTO : MariaDB 5.2 on Ubuntu Server 11.04

Since MySQL is now owned by Oracle, the original MySQL developers forked it as MariaDB under GPL v2. It is a drop-in replacement for MySQL: the commands and client API are the same (for example "mysql -u root -p"), and the project claims better performance. You can use MariaDB as an alternative.

Step 1 :

Prepare for the installation of MariaDB by importing the repository signing key. The command below fetches the key from a keyserver by its short ID; short IDs are not unique, so before trusting it compare the full fingerprint shown by "apt-key finger" with the one published by the MariaDB project.

sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1BB943DB

Step 2 :

sudo nano /etc/apt/sources.list.d/mariadb.list

Append the following lines.

deb http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main
deb-src http://mirror2.hs-esslingen.de/mariadb/repo/5.2/ubuntu natty main


Save the change and install the following.

Step 3 :

sudo apt-get update

sudo apt-get install mariadb-server mariadb-client

** You can also replace an existing MySQL installation with MariaDB this way. MySQL is uninstalled automatically, and you can keep the my.cnf from MySQL or replace it with the new one.

Step 4 : (Optional)

To tune the performance of MariaDB. Please see this link for reference. The settings are the same.

That's all! See you.

HOWTO : Logwatch for Hiawatha on Ubuntu 11.04 Server

Logwatch reads your log files and alerts you about unusual log entries. It works out of the box for Apache, but Hiawatha's log directory and file names differ, so Logwatch needs extra configuration to read them.

Step 0 :

Install logwatch.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install logwatch


Step 1 :

Edit the Logwatch configuration so that it emails you a report. Put the change in /etc/logwatch/conf/logwatch.conf, which Logwatch reads after the defaults in /usr/share/logwatch/default.conf/ and which package upgrades leave alone (create the file if it does not exist).

sudo nano /etc/logwatch/conf/logwatch.conf

Change the settings of the following lines.

Output = mail
Format = html
MailTo = samiux@gmail.com


Step 2 :

Make Logwatch read the Hiawatha log files.

sudo nano /usr/share/logwatch/default.conf/logfiles/http.conf

Add the following lines in the appropriate sections. Logwatch's http service expects Apache-style access log lines, so access.log and error.log are the useful ones; the other files are listed for completeness and will mostly show up as unmatched entries, if at all. This file belongs to the logwatch package and is overwritten on upgrade, so redo the change afterwards.

LogFile = hiawatha/*access.log
LogFile = hiawatha/*access.log.1
LogFile = hiawatha/*error.log
LogFile = hiawatha/*error.log.1
LogFile = hiawatha/*system.log
LogFile = hiawatha/*system.log.1
LogFile = hiawatha/*garbage.log
LogFile = hiawatha/*garbage.log.1
LogFile = hiawatha/*php-fcgi.log
LogFile = hiawatha/*php-fcgi.log.1
LogFile = hiawatha/*exploit.log
LogFile = hiawatha/*exploit.log.1

Archive = hiawatha/*access.log.*.gz
Archive = hiawatha/*error.log.*.gz
Archive = hiawatha/*system.log.*.gz
Archive = hiawatha/*garbage.log.*.gz
Archive = hiawatha/*php-fcgi.log.*.gz
Archive = hiawatha/*exploit.log.*.gz


That's all. See you!

HOWTO : Secure your Ubuntu Server in a passive way on Ubuntu 11.04

Root account access warning

Add the following line to the top of /root/.bashrc and you will be emailed whenever an interactive root shell is opened.

echo -e "Root Shell Access on `tty` \n `w`" | mail -s "Alert: Root Access" samiux@gmail.com

Add the corresponding line to the .bashrc of every user who has sudo rights.

echo -e "Sudoer Shell Access on `tty` \n `w`" | mail -s "Alert: Sudoer Access" samiux@gmail.com

This is a tripwire, not a control: it fires on every interactive shell of that user, not only on sudo use, and anyone who starts the shell with --norc or edits the file bypasses it.

Hardening SSH

SSH listens on port 22 by default. You can move it to any port between 1024 and 65535, either by port-forwarding at the router or firewall or in /etc/ssh/sshd_config; this only reduces log noise from scanners and is no substitute for the other measures. Disable root login over SSH even on Ubuntu: the root account has no password by default, but PermitRootLogin no also blocks key-based root logins. Remember to open the new port in your firewall and in the fail2ban ssh jail below.

Port 65535
PermitRootLogin no


On Ubuntu the init script is called ssh, not sshd:

sudo /etc/init.d/ssh restart

Block all failed attempts

Install Fail2Ban as well; it bans IP addresses after repeated failed login attempts.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install fail2ban


Adjust the settings when necessary. Put your changes in /etc/fail2ban/jail.local rather than jail.conf, which is replaced on package upgrades. In particular, if you moved SSH to another port, set port accordingly in the [ssh] jail, because the default "port = ssh" resolves to 22.

Restart fail2ban after the changes.

sudo /etc/init.d/fail2ban restart

Finally, enable a firewall (ufw on Ubuntu) and allow only the ports you need: the SSH port, port 80 and, if you run the FTP server, port 21 and its passive range.

That's all! See you.

HOWTO : vsFTPd on Ubuntu Server 11.04

Step 1 :
Install vsFTPd.

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install vsftpd


Step 2 :
Edit the vsFTPd configuration file.

sudo nano /etc/vsftpd.conf

Change the settings as follows.

# Allow anonymous logins (set to NO if you do not need them)
anonymous_enable=YES
#anonymous_enable=NO
local_enable=YES
write_enable=YES
# Confine local users to their own home directory
chroot_local_user=YES


If you are behind a firewall or router, append the following settings to the end of the file. Leave pasv_promiscuous commented out: it disables vsftpd's check that the data connection comes from the same address as the control connection.

pasv_enable=YES
#pasv_promiscuous=YES
pasv_min_port=50000
pasv_max_port=50100
# If your server's IP address is 192.168.0.15
pasv_address=192.168.0.15

#local_root=/home


Make sure ports 20, 21 and 50000-50100 are open on your firewall or router and forwarded to the vsFTPd server. Anonymous users can download files from the /home/ftp directory.

vsFTPd 2.3.5 and later refuse to chroot a user into a directory that user can write to (the login fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), so the home directory itself must be read-only for the user and a writable subdirectory, for example /home/samiux/my_ftpdir, is used for files.

Step 3 :

Make the home directory read-only for its owner and the working directory writable. Note that chmod 500 also stops the user's own shell from writing dot-files such as .bash_history there.

sudo chmod 500 /home/samiux
sudo chmod 775 /home/samiux/my_ftpdir

Step 4 :
Restart vsFTPd.

sudo /etc/init.d/vsftpd restart

That's all. See you.