Almost Secure and Perfect Ubuntu Server<br>
Making an almost secure and perfect Ubuntu server is my interest. I am going to share my experience in making it work.<br>
Author: Samiux<br>
<br>
HOWTO : Highest Secure Hiawatha Web Server 10.6 on Ubuntu Server 16.04 LTS<br>
Published 2017-05-03, updated 2017-08-10<br>
<br>
<b>(A) Introduction</b><br>
<br>
<a href="http://www.hiawatha-webserver.org/">Hiawatha Web Server</a> is designed with security in mind. It has built-in protection against common web attacks such as SQL injection, XSS and CSRF, and it can be configured to ban clients that behave like vulnerability scanners.<br>
<br>
Hiawatha is a lightweight, fast and secure web server that works well with PHP and MySQL. The following guide shows how to configure Hiawatha in a highly secure way on Ubuntu Server LTS.<br>
<br>
<b>(B) Software Prerequisite</b><br>
<br>
Versions current at the time of writing :<br>
(1) Ubuntu Server 16.04.2 LTS<br>
(2) CMake 3.8.1<br>
(3) Hiawatha 10.6<br>
<br>
<b>(C) Installation of PHP7.0 and MySQL</b><br>
<br>
<code>sudo apt-get install php7.0-cgi php7.0 php7.0-cli php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php7.0-imap php7.0-mcrypt php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl apache2-utils php7.0-fpm php-memcache php-imagick php-cache mysql-server mysql-client</code><br>
<br>
<b>(D) Installation of Hiawatha</b><br>
<br>
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br>
<br>
<u>(a) Install CMake</u><br>
<br>
<code>wget https://cmake.org/files/v3.8/cmake-3.8.1.tar.gz<br>
tar -xvzf cmake-3.8.1.tar.gz<br>
cd cmake-3.8.1<br>
./configure<br>
make<br>
sudo make install</code><br>
<br>
<u>(b) Install Hiawatha</u><br>
<br>
<code>wget https://github.com/hsleisink/hiawatha/archive/v10.6.tar.gz<br>
tar -xzvf v10.6.tar.gz<br>
<br>
cd hiawatha-10.6/extra<br>
<br>
./make_debian_package<br>
<br>
cd ..<br>
<br>
sudo dpkg -i hiawatha_10.6_amd64.deb</code><br>
<br>
<b>(E) Configuration of PHP7.0</b><br>
<br>
<code>sudo nano /etc/php/7.0/fpm/php.ini</code><br>
<br>
Make the following changes (these edit existing directives; do not add duplicate lines).<br>
<br>
<code>allow_url_fopen = Off<br>
session.cookie_httponly = 1<br>
disable_functions = [EXIST_FUNCTION],system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,</code><br>
<br>
* [EXIST_FUNCTION] stands for the functions Ubuntu already lists in "disable_functions" in php.ini; append the new names to that list rather than replacing it. Review the list against your web application before deploying it: some applications need symlink or exec, and escapeshellarg/escapeshellcmd are sanitizers rather than execution primitives, so disabling them mainly breaks code that uses them correctly.<br>
<br>
<b>(F) Let's Encrypt on Hiawatha</b><br>
<br>
<u>(a) Configuration of Hiawatha</u><br>
<br>
<code>sudo mkdir -p /etc/hiawatha/enable-sites<br>
sudo mkdir -p /etc/hiawatha/disable-sites</code><br>
<br>
Edit "cgi-wrapper.conf".<br>
<br>
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br>
<br>
Set the following (adjust the Wrap line to your own site name and document root).<br>
<br>
<code>CGIhandler = /usr/bin/perl<br>
CGIhandler = /usr/sbin/php7.0-fpm<br>
CGIhandler = /usr/bin/python<br>
CGIhandler = /usr/bin/ruby<br>
CGIhandler = /usr/bin/ssi-cgi<br>
<br>
Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br>
<br>
Change the ownership of the log files.<br>
<br>
<code>cd /var/log/hiawatha<br>
sudo chown www-data:www-data access.log<br>
sudo chown www-data:www-data error.log<br>
sudo chown www-data:www-data exploit.log<br>
sudo chown www-data:www-data garbage.log<br>
sudo chown root:root system.log</code><br>
<br>
Change the ownership of the web application files so that the web server user cannot modify them (directories the application must write to, such as upload or cache directories, need to stay writable by www-data). Using "." instead of "*" also covers dotfiles.<br>
<br>
<code>cd /var/www/mysite<br>
sudo chown -R root:root .</code><br>
<br>
The following are examples of "hiawatha.conf" and "mysite.com".<br>
<br>
/etc/hiawatha/hiawatha.conf example :<br>
<iframe src="https://pastebin.com/embed_iframe/8FSsZqDw" style="border:none;width:100%"></iframe><br>
<br>
/etc/hiawatha/enable-sites/mysite.com example :<br>
<iframe src="https://pastebin.com/embed_iframe/CSCF562r" style="border:none;width:100%"></iframe><br>
<br>
<code>sudo systemctl restart php7.0-fpm<br>
sudo systemctl restart hiawatha<br>
sudo systemctl enable php7.0-fpm<br>
sudo systemctl enable hiawatha</code><br>
<br>
<u>(b) Self Signed SSL Certificate Generation</u><br>
<br>
To generate a self-signed key and certificate for the default (web root) site.<br>
<br>
<code>openssl genrsa -out default.pem 4096<br>
openssl req -new -x509 -days 3650 -key default.pem -out server.crt<br>
echo "" >> default.pem<br>
cat server.crt >> default.pem<br>
echo "" >> default.pem<br>
rm -f server.crt<br>
sudo mkdir -p /etc/hiawatha/tls<br>
sudo cp default.pem /etc/hiawatha/tls<br>
sudo chown root:root /etc/hiawatha/tls/default.pem<br>
sudo chmod 600 /etc/hiawatha/tls/default.pem<br>
sudo chmod 700 /etc/hiawatha/tls</code><br>
<br>
* default.pem now holds the private key followed by the certificate, which is the layout Hiawatha's TLScertFile expects. The directory gets mode 700, not 600: a directory without the execute bit cannot be entered by an unprivileged process, so a recursive chmod 600 would leave the key files unreachable. Remove the working copy of default.pem from your home directory once it has been installed.<br>
<br>
<u>(c) Let's Encrypt Generation and Configuration</u><br>
<br>
(1) First time install Let's Encrypt :<br>
<br>
Make sure port 80 is reachable from the Internet: the letsencrypt script answers the ACME HTTP-01 challenge over plain HTTP when it requests the SSL/TLS certificate.<br>
<br>
Change ~/hiawatha-10.6/extra/letsencrypt/letsencrypt.conf :<br>
<br>
<code>nano ~/hiawatha-10.6/extra/letsencrypt/letsencrypt.conf</code><br>
<br>
Change "ACCOUNT_EMAIL_ADDRESS" to your own email address. Let's Encrypt sends a warning to this address when the SSL/TLS certificate is about to expire.<br>
<br>
<code>ACCOUNT_EMAIL_ADDRESS = samiux@gmail.com</code><br>
<br>
Change "CERTIFICATE_RSA_KEY_SIZE" to 4096.<br>
<br>
<code>CERTIFICATE_RSA_KEY_SIZE = 4096</code><br>
<br>
Change "RENEWAL_REUSE_KEY" to true. The server private key/public key will be used for the SSL/TLS certificate renewal.<br>
<br>
<code>RENEWAL_REUSE_KEY = true</code><br>
<br>
Uncomment the "Production" LE_CA_HOSTNAME and comment out the "Testing" one. Do a dry run against the staging endpoint first: the production endpoint enforces rate limits.<br>
<br>
<code>LE_CA_HOSTNAME = acme-v01.api.letsencrypt.org # Production<br>
#LE_CA_HOSTNAME = acme-staging.api.letsencrypt.org # Testing</code><br>
<br>
* Let's Encrypt has since retired the ACME v1 endpoints named here, so a current version of the script with its ACME v2 hostnames is required today.<br>
<br>
Run the Hiawatha 10.6 letsencrypt script. The register step creates the ACME account key and registers it with the CA; the server private key and certificate are generated in the next step :<br>
<br>
<code>cd ~/hiawatha-10.6/extra/letsencrypt<br>
sudo ./letsencrypt register</code><br>
<br>
An "account.key" file is generated in ~/hiawatha-10.6/extra/letsencrypt. Keep a safe copy of it, and leave it in place: the renew and revoke commands below need it there.<br>
<br>
Then generate the SSL/TLS certificate of your server :<br>
<br>
<code>sudo ./letsencrypt www.mysite.com</code><br>
<br>
A "www.mysite.com.pem" is generated at /etc/hiawatha/tls/. It contains the server private key followed by the certificate, which is the layout TLScertFile expects.<br>
<br>
Keep that combined file under a name that makes clear it holds the private key, and make a second copy that will later carry only public material :<br>
<br>
<code>sudo -sH<br>
cd /etc/hiawatha/tls<br>
mv www.mysite.com.pem www.mysite.com-privkey.pem<br>
cp www.mysite.com-privkey.pem www.mysite.com.pem</code><br>
<br>
Keep the private key file in a safe place and extract the server public key from it :<br>
<br>
<code>openssl rsa -in www.mysite.com-privkey.pem -pubout -out pubkey.pem</code><br>
<br>
In www.mysite.com.pem, replace the first block (the PRIVATE KEY block) with the contents of pubkey.pem (a PUBLIC KEY block), so that this file no longer contains any secret.<br>
<br>
Append the Let's Encrypt intermediate certificate. At the time of writing Let's Encrypt issued from "Let's Encrypt Authority X3" (X4 was only a standby issuer, so its certificate does not chain to your certificate); confirm the issuer name printed by openssl x509 -noout -issuer and append the matching intermediate :<br>
<br>
<code>wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt<br>
echo "" >> www.mysite.com.pem<br>
cat lets-encrypt-x3-cross-signed.pem.txt >> www.mysite.com.pem</code><br>
<br>
<code>chmod 600 www.mysite.com.pem<br>
chmod 600 www.mysite.com-privkey.pem</code><br>
<br>
Then configure the VirtualHost at /etc/hiawatha/enable-sites/mysite.com by adding :<br>
<br>
<code>RequireTLS = yes, 180d; includeSubDomains; preload<br>
TLScertFile = /etc/hiawatha/tls/www.mysite.com-privkey.pem<br>
PublicKeyPins = /etc/hiawatha/tls/www.mysite.com.pem,60d</code><br>
<br>
TLScertFile must point at the file that still holds the private key (despite its name, www.mysite.com-privkey.pem also holds the certificate chain). Two cautions: "preload" commits the domain to HTTPS-only in the browser preload lists and is very hard to undo, so add it only once every subdomain serves HTTPS; and Public-Key-Pins (HPKP) has since been removed from the major browsers, so treat PublicKeyPins as legacy. While it was honoured, a pin set without a valid backup pin locked returning visitors out for the whole max-age.<br>
<br>
Make sure the private key is deleted from the www.mysite.com.pem file. sed only prints to standard output unless given -i, so the in-place flag is required for the file to actually change; the pattern below also matches "RSA PRIVATE KEY" headers. The backup copy still contains the key, so restrict its permissions too :<br>
<br>
<code>sudo cp /etc/hiawatha/tls/www.mysite.com.pem /etc/hiawatha/tls/www.mysite.com.pem-BACKUP<br>
sudo chmod 600 /etc/hiawatha/tls/www.mysite.com.pem-BACKUP<br>
sudo sed -i '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/d' /etc/hiawatha/tls/www.mysite.com.pem</code><br>
<br>
<code>sudo systemctl restart hiawatha</code><br>
<br>
(2) Renew SSL/TLS certificate :<br>
<br>
Make sure no proxy setting (http_proxy/https_proxy) is in the environment and that port 80 is reachable. Disable the TLS-related settings of the VirtualHost before renewing and restore them afterwards. Note that the renewal writes the key and certificate back to www.mysite.com.pem (the file the first issuance produced), while Hiawatha serves from www.mysite.com-privkey.pem (TLScertFile), so that copy has to be refreshed after every renewal or the server keeps serving the old certificate until it expires.<br>
<br>
<code>cd ~/hiawatha-10.6/extra/letsencrypt<br>
sudo ./letsencrypt renew</code><br>
<br>
Refresh the file Hiawatha serves from, then delete the private key from www.mysite.com.pem again (sed needs -i to modify the file in place) :<br>
<br>
<code>sudo cp /etc/hiawatha/tls/www.mysite.com.pem /etc/hiawatha/tls/www.mysite.com.pem-BACKUP<br>
sudo chmod 600 /etc/hiawatha/tls/www.mysite.com.pem-BACKUP<br>
sudo cp /etc/hiawatha/tls/www.mysite.com.pem /etc/hiawatha/tls/www.mysite.com-privkey.pem<br>
sudo sed -i '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/d' /etc/hiawatha/tls/www.mysite.com.pem</code><br>
<br>
<code>sudo systemctl restart hiawatha</code><br>
<br>
* Consider wrapping these steps in a script run from cron so that renewal happens automatically; Let's Encrypt certificates are valid for 90 days.<br>
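The renewal steps above hinge on one file operation: keeping the key-and-chain file for TLScertFile while producing a copy without the private key for PublicKeyPins. The shell script below is an added example, not part of the original post or of Hiawatha's own tooling. It assumes the file names used above (www.mysite.com.pem as written by the letsencrypt script, www.mysite.com-privkey.pem for TLScertFile) and introduces a hypothetical www.mysite.com-pins.pem for the key-free copy; the sample run at the bottom uses a constructed placeholder PEM in a temporary directory, so it can be tried without touching /etc/hiawatha/tls.<br>

```shell
#!/bin/sh
# Added example (not from the original post or from Hiawatha): after the
# letsencrypt script writes the combined PEM (private key first, then the
# certificate chain), install it for TLScertFile and derive a key-free copy
# for PublicKeyPins. The "-pins.pem" name is an assumption of this example.

# Exit status 0 if the PEM file contains a private-key block of any kind
# ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY").
pem_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Number of certificate blocks in the file, printed on stdout (0 if unreadable).
pem_cert_count() {
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)
    printf '%s\n' "${count:-0}"
}

# Write only the certificate blocks of $1 to $2, then verify the result.
# Unlike "sed '/BEGIN/,/END/d' file" without -i, which only prints, this
# really produces a file, and it refuses to succeed if a key survived.
pem_strip_private_key() {
    src=$1
    dst=$2
    ( umask 077   # created 0600 from the start, never briefly world-readable
      awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
           keep { print }
           /-----END CERTIFICATE-----/ { keep = 0 }' "$src" > "$dst" ) || return 1
    if pem_has_private_key "$dst"; then
        echo "private key still present in $dst" >&2
        return 1
    fi
    if [ "$(pem_cert_count "$dst")" -lt 1 ]; then
        echo "no certificate block found in $src" >&2
        return 1
    fi
    return 0
}

# install_renewed_cert <combined.pem> <tlscertfile.pem> <pins.pem>
#   $1 = file the letsencrypt script just (re)wrote: key + chain
#   $2 = file named by TLScertFile: key + chain, mode 0600
#   $3 = file named by PublicKeyPins: chain only, mode 0600
install_renewed_cert() {
    [ -s "$1" ] || { echo "missing or empty $1" >&2; return 1; }
    pem_has_private_key "$1" || { echo "$1 carries no private key" >&2; return 1; }
    cp "$1" "$2" && chmod 600 "$2" || return 1
    pem_strip_private_key "$1" "$3" && chmod 600 "$3"
}

# Constructed sample input with the layout of the real file. The bodies are
# placeholders, not key or certificate material.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/www.mysite.com.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
placeholder-not-a-real-key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
placeholder-leaf-certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
placeholder-intermediate-certificate
-----END CERTIFICATE-----
EOF

if install_renewed_cert "$DEMO_DIR/www.mysite.com.pem" \
                        "$DEMO_DIR/www.mysite.com-privkey.pem" \
                        "$DEMO_DIR/www.mysite.com-pins.pem"; then
    echo "key+chain : $DEMO_DIR/www.mysite.com-privkey.pem"
    echo "chain only: $DEMO_DIR/www.mysite.com-pins.pem ($(pem_cert_count "$DEMO_DIR/www.mysite.com-pins.pem") certificates)"
fi
```

For a real renewal, call install_renewed_cert with the three paths under /etc/hiawatha/tls as root right after ./letsencrypt renew, point PublicKeyPins at the pins file, and restart Hiawatha only if it returned 0.<br>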
<br>
(3) Revoke SSL/TLS certificate : (Optional)<br>
<br>
<code>cd ~/hiawatha-10.6/extra/letsencrypt<br>
sudo ./letsencrypt revoke /etc/hiawatha/tls/www.mysite.com.pem</code><br>
<br>
<b>(G) Hardening of Ubuntu Server</b><br>
<br>
<u>(a) sysctl</u><br>
<br>
<code>sudo nano /etc/sysctl.d/60-hiawatha.conf</code><br>
<br>
<iframe src="https://pastebin.com/embed_iframe/iQKs3s6z" style="border:none;width:100%"></iframe><br>
<br>
<code>sudo sysctl -p /etc/sysctl.d/60-hiawatha.conf</code><br>
<br>
<u>(b) Apparmor</u><br>
<br>
<code>sudo apt-get install apparmor-profiles apparmor-utils<br>
sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br>
<br>
<iframe src="https://pastebin.com/embed_iframe/gCACRVCw" style="border:none;width:100%"></iframe><br>
<br>
<code>sudo aa-enforce hiawatha</code><br>
<br>
If you have changed the profile, reload it.<br>
<br>
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br>
<br>
If you want to disable this profile.<br>
<br>
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br>
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br>
<br>
If you want to re-enable this profile after it has been disabled.<br>
<br>
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br>
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br>
<br>
Remarks :<br>
<br>
If you get a "500 Internal Server Error" after enforcing the profile, the profile is probably denying something Hiawatha or the CGI wrapper needs; the kernel logs each denial as an apparmor="DENIED" line in /var/log/syslog (or dmesg). Switch the profile to complain mode so that denials are only logged :<br>
<br>
<code>sudo aa-complain hiawatha</code><br>
<br>
After several days of normal use, let aa-logprof turn the logged accesses into rules, review each proposed rule before accepting it, and put the profile back into enforce mode :<br>
<br>
<code>sudo aa-logprof<br>
<br>
sudo aa-enforce hiawatha</code><br>
<br>
This is needed because the usr.sbin.hiawatha profile above may not match your layout 100%.<br>
<br>
<u>(c) Linux Malware Detect (Optional)</u><br>
<br>
<a href="https://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">Linux Malware Detect Installation</a><br>
<br>
* the linked guide may be outdated; it is for reference only<br>
<br>
<u>(d) MySQL</u><br>
<br>
<a href="https://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">Create Normal User on MySQL</a><br>
<br>
<u>(e) fail2ban</u><br>
<br>
<code>sudo apt-get install fail2ban</code><br>
<br>
Adjust the settings in /etc/fail2ban/jail.local when necessary (local overrides survive package upgrades, whereas jail.conf is overwritten).<br>
<br>
<b>(H) Storage Performance Tuning</b><br>
<br>
It is recommended to use an SSD rather than a hard drive for best performance.<br>
<br>
<u>(a) SSD</u><br>
<br>
Verify TRIM is supported :<br>
<br>
<code>sudo hdparm -I /dev/sda | grep TRIM</code><br>
<br>
If the output is similar to the below which is supported :<br>
<br>
<code>* Data Set Management TRIM supported (limit 1 block)</code><br>
<br>
Ubuntu already runs fstrim weekly on mounted filesystems. If you installed Ubuntu on LVM, the option below additionally controls whether space freed by removing or shrinking logical volumes is discarded; confirm it :<br>
<br>
<code>cat /etc/lvm/lvm.conf | grep issue_discards</code><br>
<br>
If the output is similar to the below which is enabled :<br>
<br>
<code>issue_discards = 1</code><br>
<br>
Then check that the I/O scheduler is "deadline" (the bracketed entry is the active one) :<br>
<br>
<code>cat /sys/block/sda/queue/scheduler</code><br>
<br>
<code>noop [deadline] cfq</code><br>
<br>
If not, set it :<br>
<br>
<code>sudo nano /etc/rc.local</code><br>
Insert the following before "exit 0" :<br>
<br>
<code>echo 2048 > /sys/block/sda/queue/read_ahead_kb<br>
echo 2048 > /sys/block/sda/queue/nr_requests<br>
echo deadline > /sys/block/sda/queue/scheduler</code><br>
<br>
* make sure your device is sda (or sdb ...)<br>
<br>
To reload it or reboot your system :<br>
<br>
<code>sudo bash /etc/rc.local</code><br>
<br>
After that, edit the filesystem table (/etc/fstab) so that the root entry looks like the following (noatime already implies nodiratime) :<br>
<br>
<code>/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1</code><br>
<br>
<code>sudo mount -a<br>
sudo mount -o remount /</code><br>
<br>
If these commands report an error, DO NOT reboot: fix the typo in /etc/fstab first, otherwise the system will not boot again.<br>
<br>
<u>(b) Hard Drive</u><br>
<br>
<code>sudo nano /etc/rc.local</code><br>
<br>
Insert the following before "exit 0" :<br>
<br>
<code>echo 2048 > /sys/block/sda/queue/read_ahead_kb<br>
echo 2048 > /sys/block/sda/queue/nr_requests</code><br>
<br>
* make sure your device is sda (or sdb ...)<br>
<br>
To reload it or reboot your system :<br>
<br>
<code>sudo bash /etc/rc.local</code><br>
<br>
After that, edit the filesystem table (/etc/fstab) so that the root entry's options look like the following (noatime already implies nodiratime) :<br>
<br>
<code>ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1</code><br>
<br>
<code>sudo mount -a<br>
sudo mount -o remount /</code><br>
<br>
If these commands report an error, DO NOT reboot: fix the typo in /etc/fstab first, otherwise the system will not boot again.<br>
<br>
<b>(I) Redis for PHP Session</b><br>
<br>
Storing PHP sessions in memory (Redis) speeds up the web site.<br>
<br>
<code>sudo apt-get install php-redis redis-server</code><br>
<br>
<code>sudo nano /etc/php/7.0/fpm/php.ini</code><br>
<br>
Change the following to :<br>
<br>
<code>session.save_handler = redis<br>
session.save_path = "tcp://127.0.0.1:6379"</code><br>
<br>
To restart Hiawatha and PHP :<br>
<br>
<code>sudo systemctl restart hiawatha<br>
sudo systemctl restart php7.0-fpm</code><br>
<br>
To confirm it is working (use this only as a quick check: "keys *" walks the whole keyspace and blocks Redis while it does so; use SCAN on a busy instance) :<br>
<br>
<code>redis-cli<br>
127.0.0.1:6379> keys *</code><br>
<br>
The result will be similar to :<br>
<br>
1) "PHPREDIS_SESSION:038gl83953j9bfnf02ksts52q5"<br>
2) "PHPREDIS_SESSION:p53j1t43mbdp49cvaq1nv37o97"<br>
3) "PHPREDIS_SESSION:kuop27qq6g6q265gu29000ee21"<br>
4) "PHPREDIS_SESSION:84n96cba8colp73td8mslnjgq2"<br>
<br>
Type "quit" to exit. Keep Redis bound to 127.0.0.1 (the Ubuntu default); it has no authentication out of the box, so any local account on the server can read and rewrite every session through it.<br>
<br>
<b>(J) Optional</b><br>
<br>
To harden Ubuntu Server further, consider setting up a firewall (UFW/iptables) and placing the server behind a Unified Threat Management (UTM) system or an Intrusion Prevention System (IPS).<br>
<br>
<b>Reference</b><br>
<a href="https://www.ssllabs.com/ssltest/analyze.html">Qualys SSL Labs</a><br>
<a href="https://www.htbridge.com/ssl/">High-Tech Bridge</a><br>
<a href="https://securityheaders.io/">securityheaders.io</a><br>
<a href="https://www.hiawatha-webserver.org/howto/url_rewrite_rules">URL Rewrite for Hiawatha</a><br>
<br>
That's all! See you.<br>
<br>
<br>
<br>
HOWTO : Highest secured Hiawatha Web Server 10.5 on Ubuntu Server 16.04 LTS<br>
Published 2017-03-29, updated 2017-04-18<br>
This article is cloned from <a href="https://samiux.blogspot.com/2017/03/howto-highest-secured-hiawatha-web.html">Samiux's Blog (my blog)</a><br>
<br>
<b>(A) Introduction</b><br>
<br>
<a href="http://www.hiawatha-webserver.org/">Hiawatha Web Server</a> is designed with security in mind. It has built-in protection against common web attacks such as SQL injection, XSS and CSRF, and it can be configured to ban clients that behave like vulnerability scanners.<br>
<br>
Hiawatha is a lightweight, fast and secure web server that works well with PHP and MySQL. The following guide shows how to configure Hiawatha in a highly secure way on Ubuntu Server LTS.<br>
<br>
<b>(B) Software Prerequisite</b><br>
<br>
Versions current at the time of writing :<br>
(1) Ubuntu Server 16.04.2 LTS<br>
(2) CMake 3.7.2<br>
(3) Hiawatha 10.5<br>
<br>
<b>(C) Installation of PHP7.0 and MySQL</b><br>
<br>
<code>sudo apt-get install php7.0-cgi php7.0 php7.0-cli php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php7.0-imap php7.0-mcrypt php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl apache2-utils php7.0-fpm php-memcache php-imagick php-cache mysql-server mysql-client</code><br>
<br>
<b>(D) Installation of Hiawatha</b><br>
<br>
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br>
<br>
<u>(a) Install CMake</u><br>
<br>
<code>wget https://cmake.org/files/v3.7/cmake-3.7.2.tar.gz<br>
tar -xvzf cmake-3.7.2.tar.gz<br>
cd cmake-3.7.2<br>
./configure<br>
make<br>
sudo make install</code><br>
<br>
<u>(b) Install Hiawatha</u><br>
<br>
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-10.5.tar.gz<br>
tar -xzvf hiawatha-10.5.tar.gz<br>
<br>
cd hiawatha-10.5/extra<br>
<br>
./make_debian_package<br>
<br>
cd ..<br>
<br>
sudo dpkg -i hiawatha_10.5_amd64.deb</code><br>
<br>
<b>(E) Configuration of PHP7.0</b><br>
<br>
<code>sudo nano /etc/php/7.0/fpm/php.ini</code><br>
<br>
Make the following changes (these edit existing directives; do not add duplicate lines).<br>
<br>
<code>allow_url_fopen = Off<br>
session.cookie_httponly = 1<br>
disable_functions = [EXIST_FUNCTION],system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,</code><br>
<br>
* [EXIST_FUNCTION] stands for the functions Ubuntu already lists in "disable_functions" in php.ini; append the new names to that list rather than replacing it. Review the list against your web application before deploying it: some applications need symlink or exec, and escapeshellarg/escapeshellcmd are sanitizers rather than execution primitives, so disabling them mainly breaks code that uses them correctly.<br>
<br>
<b>(F) Let's Encrypt on Hiawatha</b><br>
<br>
<u>(a) Configuration of Hiawatha</u><br>
<br>
<code>sudo mkdir -p /etc/hiawatha/enable-sites<br>
sudo mkdir -p /etc/hiawatha/disable-sites</code><br>
<br>
Edit "cgi-wrapper.conf".<br>
<br>
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br>
<br>
Set the following (adjust the Wrap line to your own site name and document root).<br>
<br>
<code>CGIhandler = /usr/bin/perl<br>
CGIhandler = /usr/sbin/php7.0-fpm<br>
CGIhandler = /usr/bin/python<br>
CGIhandler = /usr/bin/ruby<br>
CGIhandler = /usr/bin/ssi-cgi<br>
<br>
Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br>
<br>
Change the ownership of the log files.<br>
<br>
<code>cd /var/log/hiawatha<br>
sudo chown www-data:www-data access.log<br>
sudo chown www-data:www-data error.log<br>
sudo chown www-data:www-data exploit.log<br>
sudo chown www-data:www-data garbage.log<br>
sudo chown root:root system.log</code><br>
<br>
Change the ownership of the web application files so that the web server user cannot modify them (directories the application must write to, such as upload or cache directories, need to stay writable by www-data). Using "." instead of "*" also covers dotfiles.<br>
<br>
<code>cd /var/www/mysite<br>
sudo chown -R root:root .</code><br>
<br>
The following are examples of "hiawatha.conf" and "mysite.com".<br>
<br>
/etc/hiawatha/hiawatha.conf example :<br>
<iframe src="https://pastebin.com/embed_iframe/pzUxuezC" style="border:none;width:100%"></iframe><br>
<br>
/etc/hiawatha/enable-sites/mysite.com example :<br>
<iframe src="https://pastebin.com/embed_iframe/bRhHc9Z8" style="border:none;width:100%"></iframe><br>
<br>
<u>(b) Self Signed SSL Certificate Generation</u><br>
<br>
To generate a self-signed key and certificate for the default (web root) site.<br>
<br>
<code>openssl genrsa -out default.pem 4096<br>
openssl req -new -x509 -days 3650 -key default.pem -out server.crt<br>
echo "" >> default.pem<br>
cat server.crt >> default.pem<br>
echo "" >> default.pem<br>
rm -f server.crt<br>
sudo mkdir -p /etc/hiawatha/tls<br>
sudo cp default.pem /etc/hiawatha/tls<br>
sudo chown www-data:www-data /etc/hiawatha/tls/default.pem<br>
sudo chmod 400 /etc/hiawatha/tls/default.pem<br>
sudo chmod 700 /etc/hiawatha/tls</code><br>
<br>
* default.pem now holds the private key followed by the certificate, which is the layout Hiawatha's TLScertFile expects. The directory needs the execute bit (700), not 400: a recursive chmod 400 would leave the key files unreachable for an unprivileged process. Remove the working copy of default.pem from your home directory once it has been installed.<br>
<br>
<u>(c) Let's Encrypt Generation and Configuration</u><br>
<br>
To generate SSL certificate for the www.mysite.com.<br>
<br>
<code>wget https://www.hiawatha-webserver.org/files/letsencrypt.tar.gz<br>
tar -xvzf letsencrypt.tar.gz<br>
cd letsencrypt<br>
<br>
nano letsencrypt.conf</code><br>
<br>
Change the email "info@example.org" to your own address; Let's Encrypt sends certificate expiry warnings to it :<br>
<code>ACCOUNT_EMAIL_ADDRESS = samiux@gmail.com</code><br>
<br>
Change the RSA Key size from "2048" to "4096" :<br>
<code>CERTIFICATE_RSA_KEY_SIZE = 4096</code><br>
<br>
Uncomment "Production" and comment out "Testing" (do a dry run against the staging endpoint first, as the production endpoint enforces rate limits). Let's Encrypt has since retired the ACME v1 endpoints named here, so a current version of the script with its ACME v2 hostnames is required today :<br>
<code>LE_CA_HOSTNAME = acme-v01.api.letsencrypt.org # Production<br>
#LE_CA_HOSTNAME = acme-staging.api.letsencrypt.org # Testing</code><br>
<br>
Make sure port 80 is reachable from the Internet (the ACME HTTP-01 challenge is served on it) and run the following commands.<br>
<br>
For the first time, you need to register with Let's Encrypt. Keep the generated "account.key" in a safe place, and leave it in its original location: the certificate renewal below needs it there.<br>
<br>
<code>./letsencrypt register</code><br>
<br>
To generate the SSL certificate.<br>
<br>
<code>sudo ./letsencrypt www.mysite.com</code><br>
<br>
To revoke the SSL certificate (Optional); the "revoke" subcommand must be given, otherwise the script treats the argument as a hostname.<br>
<br>
<code>sudo ./letsencrypt revoke /etc/hiawatha/tls/www.mysite.com.pem</code><br>
<br>
To renew SSL certificate (Optional).<br>
<br>
<code>sudo ./letsencrypt renew</code><br>
<br>
Get the Let's Encrypt intermediate certificate from https://letsencrypt.org/certificates/ ; at the time of writing certificates were issued by :<br>
<br>
Let’s Encrypt Authority X3 (IdenTrust cross-signed)<br>
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt<br>
<br>
Append it to the server certificate file. The file name downloaded must be the one appended (the original commands fetched one file and appended another); confirm the issuer name printed by openssl x509 -noout -issuer if in doubt :<br>
<br>
<code>wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt<br>
echo "" >> www.mysite.com.pem<br>
cat lets-encrypt-x3-cross-signed.pem.txt >> www.mysite.com.pem</code><br>
<br>
The self-signed default.pem was not issued by X3, so appending the intermediate to it adds nothing to its chain and can be skipped :<br>
<br>
<code>echo "" >> default.pem<br>
cat lets-encrypt-x3-cross-signed.pem.txt >> default.pem</code><br>
<br>
To generate the sha256 base64 hash (the SPKI pin) of the public keys. The first command is for the "mysite.com" certificate and the second for the self-signed certificate of the web root; openssl x509 reads the first certificate in each file.<br>
<br>
<code>openssl x509 -in /etc/hiawatha/tls/www.mysite.com.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64<br>
<br>
openssl x509 -in /etc/hiawatha/tls/default.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64</code><br>
<br>
Then change the "CustomHeaderClient = Public-Key-Pins:" values in "/etc/hiawatha/enable-sites/mysite.com". The first "pin-sha256" is for "mysite.com" and the second is for the web root. The other "pin-sha256" values are taken from the Qualys SSL Labs test (see below). HPKP requires at least two pins, and one of them must be a backup key that is not in the served chain; otherwise browsers that honour the header ignore it, and a key change without a pinned backup locks returning visitors out for the whole max-age.<br>
<br>
With the help of <a href="https://www.ssllabs.com/ssltest/analyze.html">Qualys SSL Labs</a>, you can further check the HPKP configuration and test the grade of your site. The highest grade is A+.<br>
<br>
The grade of the site is A+ on both the Qualys SSL Labs and High-Tech Bridge SSL tests. Meanwhile, it is also reported as compliant with the PCI DSS 3.1 requirements by High-Tech Bridge.<br>
<br>
A Let's Encrypt certificate is valid for 90 days and has to be renewed before it expires. If the renewal produced a new private key, update the first "pin-sha256" in "CustomHeaderClient = Public-Key-Pins:" at /etc/hiawatha/enable-sites/mysite.com (as example), then restart Hiawatha. Note that HPKP has since been removed from the major browsers, so the header is now ignored by them.<br>
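The pin handling above is where HPKP deployments most often went wrong, so the following is an added example (not from the original post) of assembling the Public-Key-Pins value with the checks a practitioner wants before restarting Hiawatha: every pin well-formed, at least two distinct pins, and a refusal to emit a header that would be ignored or would lock visitors out. The spki_pin_from_cert function reuses the openssl pipeline from the post; the two pin values in the sample run are placeholders of the right shape, not hashes of real keys.<br>

```shell
#!/bin/sh
# Added example, not part of the original post: assemble and sanity-check the
# Public-Key-Pins value placed in "CustomHeaderClient = Public-Key-Pins: ...".
# RFC 7469 requires at least two pins, one of them a backup that is not in the
# served chain; browsers that honoured HPKP ignored a header with fewer, and
# a header whose only pin belongs to a key you then rotate locks returning
# visitors out for max-age. HPKP itself has since been dropped by browsers.

# SPKI pin of the first certificate in a PEM file (the post's pipeline; needs
# openssl, so the sample run at the bottom does not call it).
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | base64
}

# hpkp_header <max-age-seconds> <pin-sha256>...
# Prints the header value, or returns 1 and explains why it refused.
hpkp_header() {
    max_age=$1
    shift
    case "$max_age" in
        ''|*[!0-9]*) echo "max-age must be a number of seconds" >&2; return 1 ;;
    esac
    distinct=" "
    for pin in "$@"; do
        case "$pin" in
            ''|*[!A-Za-z0-9+/=]*) echo "not base64: '$pin'" >&2; return 1 ;;
        esac
        # base64 of a 32-byte SHA-256 is always 44 characters ending in "="
        if [ "${#pin}" -ne 44 ] || [ "${pin%=}" = "$pin" ]; then
            echo "not a base64 SHA-256 pin: '$pin'" >&2
            return 1
        fi
        case "$distinct" in
            *" $pin "*) ;;                       # duplicate: keep it once
            *) distinct="$distinct$pin " ;;
        esac
    done
    set -- $distinct   # split on spaces; pins contain none
    if [ "$#" -lt 2 ]; then
        echo "need at least two distinct pins (live key + backup key)" >&2
        return 1
    fi
    value=""
    for pin in "$@"; do
        value="${value}pin-sha256=\"$pin\"; "
    done
    printf '%smax-age=%s\n' "$value" "$max_age"
}

# Placeholder pins of the right shape (44-character base64), not real hashes.
LIVE_PIN="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="
BACKUP_PIN="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="

# 60 days in seconds, matching the post's "60d".
hpkp_header 5184000 "$LIVE_PIN" "$BACKUP_PIN"
# The same pin twice is not a backup; this call is refused:
hpkp_header 5184000 "$LIVE_PIN" "$LIVE_PIN" || echo "refused, as it should be"
```

On a real server, feed the output of spki_pin_from_cert for the live certificate and for a separately generated, offline backup key to hpkp_header, and only then write the value into the CustomHeaderClient line.<br>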
<br>
<b>(G) Hardening of Ubuntu Server</b><br>
<br>
<u>(a) sysctl</u><br>
<br>
<code>sudo nano /etc/sysctl.d/60-hiawatha.conf</code><br>
<br>
<iframe src="https://pastebin.com/embed_iframe/iQKs3s6z" style="border:none;width:100%"></iframe><br>
<br>
<code>sudo sysctl -p /etc/sysctl.d/60-hiawatha.conf</code><br>
<br>
<u>(b) Apparmor</u><br>
<br>
<code>sudo apt-get install apparmor-profiles apparmor-utils<br>
sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br>
<br>
<iframe src="https://pastebin.com/embed_iframe/gCACRVCw" style="border:none;width:100%"></iframe><br>
<br>
<code>sudo aa-enforce hiawatha</code><br>
<br>
If you have changed the profile, reload it.<br>
<br>
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br>
<br>
If you want to disable this profile.<br>
<br>
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br>
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br>
<br>
If you want to re-enable this profile after it has been disabled.<br>
<br>
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br>
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br>
<br>
Remarks :<br>
<br>
If you get a "500 Internal Server Error" after enforcing the profile, the profile is probably denying something Hiawatha or the CGI wrapper needs; the kernel logs each denial as an apparmor="DENIED" line in /var/log/syslog (or dmesg). Switch the profile to complain mode so that denials are only logged :<br>
<br>
<code>sudo aa-complain hiawatha</code><br>
<br>
After several days of normal use, let aa-logprof turn the logged accesses into rules, review each proposed rule before accepting it, and put the profile back into enforce mode :<br>
<br>
<code>sudo aa-logprof<br>
<br>
sudo aa-enforce hiawatha</code><br>
<br>
This is needed because the usr.sbin.hiawatha profile above may not match your layout 100%.<br>
<br>
<u>(c) Linux Malware Detect (Optional)</u><br>
<br>
<a href="https://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">Linux Malware Detect Installation</a><br>
<br>
* the linked guide may be outdated; it is for reference only<br>
<br>
<u>(d) MySQL</u><br>
<br>
<a href="https://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">Create Normal User on MySQL</a><br>
<br>
<u>(e) fail2ban</u><br>
<br>
<code>sudo apt-get install fail2ban</code><br>
<br>
Adjust the settings in /etc/fail2ban/jail.local when necessary (local overrides survive package upgrades, whereas jail.conf is overwritten).<br>
<br>
<b>(H) Storage Performance Tuning</b><br>
<br>
It is recommended to use an SSD rather than a hard drive for best performance.<br>
<br>
<u>(a) SSD</u><br>
<br>
Verify TRIM is supported :<br>
<br>
<code>sudo hdparm -I /dev/sda | grep TRIM</code><br>
<br>
If the output is similar to the below which is supported :<br>
<br>
<code>* Data Set Management TRIM supported (limit 1 block)</code><br>
<br>
Ubuntu already runs fstrim weekly on mounted filesystems. If you installed Ubuntu on LVM, the option below additionally controls whether space freed by removing or shrinking logical volumes is discarded; confirm it :<br>
<br>
<code>cat /etc/lvm/lvm.conf | grep issue_discards</code><br>
<br>
If the output is similar to the below which is enabled :<br>
<br>
<code>issue_discards = 1</code><br>
<br>
Then check that the I/O scheduler is "deadline" (the bracketed entry is the active one) :<br>
<br>
<code>cat /sys/block/sda/queue/scheduler</code><br>
<br>
<code>noop [deadline] cfq</code><br>
<br>
If not, set it :<br>
<br>
<code>sudo nano /etc/rc.local</code><br>
Insert the following before "exit 0" :<br>
<br>
<code>echo 2048 > /sys/block/sda/queue/read_ahead_kb<br>
echo 2048 > /sys/block/sda/queue/nr_requests<br>
echo deadline > /sys/block/sda/queue/scheduler</code><br>
<br>
* make sure your device is sda (or sdb ...)<br>
<br>
To reload it or reboot your system :<br>
<br>
<code>sudo bash /etc/rc.local</code><br>
<br>
After that, edit the filesystem table (/etc/fstab) so that the root entry looks like the following (noatime already implies nodiratime) :<br>
<br>
<code>/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1</code><br>
<br>
<code>sudo mount -a<br>
sudo mount -o remount /</code><br>
<br>
If these commands report an error, DO NOT reboot: fix the typo in /etc/fstab first, otherwise the system will not boot again.<br>
<br>
<u>(b) Hard Drive</u><br>
<br>
<code>sudo nano /etc/rc.local</code><br>
<br>
Insert the following before "exit 0" :<br>
<br>
<code>echo 2048 > /sys/block/sda/queue/read_ahead_kb<br>
echo 2048 > /sys/block/sda/queue/nr_requests</code><br>
<br>
* make sure your device is sda (or sdb ...)<br>
<br>
To reload it or reboot your system :<br>
<br>
<code>sudo bash /etc/rc.local</code><br>
<br>
After that, edit the filesystem table (/etc/fstab) so that the root entry's options look like the following (noatime already implies nodiratime) :<br>
<br>
<code>ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1</code><br>
<br>
<code>sudo mount -a<br>
sudo mount -o remount /</code><br>
<br>
If these commands report an error, DO NOT reboot: fix the typo in /etc/fstab first, otherwise the system will not boot again.<br>
<br>
<b>(I) Optional</b><br>
<br>
To harden Ubuntu Server further, consider setting up a firewall (UFW/iptables) and placing the server behind a Unified Threat Management (UTM) system or an Intrusion Prevention System (IPS).<br>
<br>
<b>Reference</b><br>
<a href="https://www.ssllabs.com/ssltest/analyze.html">Qualys SSL Labs</a><br>
<a href="https://www.htbridge.com/ssl/">High-Tech Bridge</a><br>
<a href="https://securityheaders.io/">securityheaders.io</a><br>
<a href="https://www.hiawatha-webserver.org/howto/url_rewrite_rules">URL Rewrite for Hiawatha</a><br>
<br>
That's all! See you.<br>
<br>
<br>
<br>
HOWTO : Highest secured Hiawatha Web Server 10.2 on Ubuntu 16.04 LTS Server<br>
Published 2016-05-07, updated 2016-06-06<br>
<br>
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server. It supports PHP, Perl, Python and Ruby, and it is lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a test report on a DoS attack against the web server itself, namely SlowLoris, <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The load of the server went up to 3.x (using top) and after several seconds it returned to normal. The attacker's IP address was banned accordingly; however, it is not banned forever.<br />
<br />
This tutorial describes how to set up the most secure web server possible with Hiawatha. Please also apply the "Optional" steps mentioned below.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 16.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest packages.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade</code><br />
<code>sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Enable unattended upgrades so that updates are applied automatically as they are released, or create a cron job later to update your system at a fixed time if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP7.0</b><br />
<br />
<code>sudo apt-get install php7.0-cgi php7.0 php7.0-cli php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php7.0-imap php7.0-mcrypt php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl apache2-utils php7.0-fpm php-memcache php-imagick php-cache mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget https://cmake.org/files/v3.5/cmake-3.5.2.tar.gz<br />
tar -xvzf cmake-3.5.2.tar.gz<br />
cd cmake-3.5.2<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 10.2).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-10.2.tar.gz<br />
tar -xzvf hiawatha-10.2.tar.gz<br />
<br />
cd hiawatha-10.2/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_10.2_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP7.0</b><br />
<br />
The following settings are for making PHP7.0 more secure.<br />
<br />
<code>sudo nano /etc/php/7.0/fpm/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>allow_url_fopen = Off<br />
session.cookie_httponly = 1<br />
disable_functions = ....,system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,<br />
</code>
<br />
*** The stock php.ini on Ubuntu 16.04 LTS already has a "disable_functions" list (represented by "...." above); append the functions listed here to the end of that existing list rather than replacing it.<br />
<br />
<br />
<b>Step 4 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Please note that the UrlToolkit configuration has been slightly changed since version 9.10.<br>
<br>
The following configuration does not cover https. If you want to configure https, refer to the official Hiawatha manual.<br />
<br />
<iframe src="https://pastebin.com/embed_iframe/kvCXL5cD" style="border:none;width:100%"></iframe><br />
<br />
*** If you find that the Chrome browser gets banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 4a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="https://pastebin.com/embed_iframe/DEFR8k8E" style="border:none;width:100%"></iframe><br />
<br />
Hiawatha 10.0 changed the VirtualHost configuration; see <a href="https://www.hiawatha-webserver.org/weblog/106">this link</a> for details. The settings shown are for the Banshee CMS directory structure; adjust them for your own web application.<br>
<br>
*** If you do not implement "Step 6" below, do not add "WrapCGI = jail_mysite" (the wrap ID must match the one defined in cgi-wrapper.conf in Step 6).<br />
<br />
Furthermore, if you want to disable this virtual host, move <code>mysite.com</code> to <code>/etc/hiawatha/disable-sites/</code> and then restart the Hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />
CGIhandler = /usr/sbin/php7.0-fpm<br />
CGIhandler = /usr/bin/python<br />
CGIhandler = /usr/bin/ruby<br />
CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 7 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, maybe a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or earlier if the web page/site misbehaves, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; edit it to match if it does not.<br />
<br />
<iframe src="https://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 8 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now, your Hiawatha is very secure, but I would like to make it more secure.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply file capabilities to cgi-wrapper. The wrapper is installed setuid root so that it can switch to the user and group of the jail; removing the setuid bit and granting only CAP_SETUID and CAP_SETGID keeps that ability without giving the binary full root privileges.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 9 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to redo this step whenever logwatch is updated or upgraded, as the upgrade will overwrite the configuration file.<br />
<br />
<b>Step 10 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 10a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root. Use the full path rather than a "*" glob so that dot-files (for example .htaccess) are included.<br />
<br />
<code>sudo chown -R root:root /var/www/mysite</code><br />
<br />
<b>Step 10b - Buffer overflow protection and hardening</b><br>
<br>
Make sure you enabled the "No Execute (NX)" or "Execute Disable (XD)" in the BIOS/UEFI.<br>
<br>
<code>sudo nano /etc/sysctl.conf</code><br>
<br>
Make it look like the following:<br>
<br>
<iframe src="https://pastebin.com/embed_iframe/YRz1qiKE" style="border:none;width:100%"></iframe><br>
<br>
To reload it:<br>
<br>
<code>sudo sysctl -p</code><br>
<br>
<b>Step 11 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 12 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 13 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to setup a vsFTPd server.<br />
<br />
<b>Step 14 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" in the VirtualHost section.<br />
<br />
<b>Step 15 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 16 - Create normal user for MySQL Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 17 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", consider switching AppArmor to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, you can switch AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile above may not work 100% for you.<br />
<br />
<u>In order to further harden your Hiawatha web server, please consider the following options:</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not present on your server, install it:<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
If budget allows, you can consider implementing <a href="http://www.infosec-ninjas.com/croissants">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>
<a href="http://www.blogger.com/profile/18065979766005810905">Samiux</a><br />
<br />
<b>HOWTO : Highest secured Hiawatha Web Server 10.1 on Ubuntu 14.04 LTS Server</b> (published 2016-02-15)<br />
<br />
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a DoS test report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>, covering an attack against the web server itself, namely SlowLoris.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The load of the server went up to 3.x (as shown by top) and after several seconds it returned to normal. The attacker's IP address was banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial describes how to set up a highly secured web server. Please also apply the "Optional" steps mentioned below to reach the highest level of security.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the fresh install system to the latest status.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade</code><br />
<code>sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Enable unattended upgrades on your system so that updates are installed automatically as soon as they are released. Alternatively, you can create a cron job later to update your system at a fixed time if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache apache2-utils php5-fpm mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget https://cmake.org/files/v3.4/cmake-3.4.3.tar.gz<br />
tar -xvzf cmake-3.4.3.tar.gz<br />
cd cmake-3.4.3<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 10.1).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-10.1.tar.gz<br />
tar -xzvf hiawatha-10.1.tar.gz<br />
<br />
cd hiawatha-10.1/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_10.1_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/fpm/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>zlib.output_compression = On<br />
zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>allow_url_fopen = Off<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, cgi.fix_pathinfo should for now be set to 0.<br />
<br />
*** The stock php.ini on Ubuntu already has a "disable_functions" list; append the functions listed above to the end of that existing list rather than replacing it.<br />
<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Set the following in the php-fpm pool configuration. On Ubuntu the default <code>[www]</code> pool is defined in <code>/etc/php5/fpm/pool.d/www.conf</code>, which php-fpm.conf includes, so change the values there rather than defining a second <code>[www]</code> pool in php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/pool.d/www.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen.mode = 0666</code><br />
<code>listen = /var/run/php5-fpm.sock</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Please note that the UrlToolkit configuration has been slightly changed since version 9.10.<br>
<br>
The following configuration does not cover https. If you want to configure https, refer to the official Hiawatha manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=A8rNTUN6" style="border:none;width:100%"></iframe><br />
<br />
*** If you find that the Chrome browser gets banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=kjajATaX" style="border:none;width:100%"></iframe><br />
<br />
Hiawatha 10.0 changed the VirtualHost configuration; see <a href="https://www.hiawatha-webserver.org/weblog/106">this link</a> for details. The settings shown are for the Banshee CMS directory structure; adjust them for your own web application.<br>
<br>
*** If you do not implement "Step 7" below, do not add "WrapCGI = jail_mysite" (the wrap ID must match the one defined in cgi-wrapper.conf in Step 7).<br />
<br />
Furthermore, if you want to disable this virtual host, move <code>mysite.com</code> to <code>/etc/hiawatha/disable-sites/</code> and then restart the Hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />
#CGIhandler = /usr/bin/php5-cgi<br />
CGIhandler = /usr/sbin/php5-fpm<br />
CGIhandler = /usr/bin/python<br />
CGIhandler = /usr/bin/ruby<br />
CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, maybe a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or earlier if the web page/site misbehaves, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; edit it to match if it does not.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now, your Hiawatha is very secure, but I would like to make it more secure.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply file capabilities to cgi-wrapper. The wrapper is installed setuid root so that it can switch to the user and group of the jail; removing the setuid bit and granting only CAP_SETUID and CAP_SETGID keeps that ability without giving the binary full root privileges.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to redo this step whenever logwatch is updated or upgraded, as the upgrade will overwrite the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root. Use the full path rather than a "*" glob so that dot-files (for example .htaccess) are included.<br />
<br />
<code>sudo chown -R root:root /var/www/mysite</code><br />
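The point of this step (and of Step 10a in the 10.2 post earlier on this page) is that PHP runs as www-data, so if www-data can write into the document root a single injected file becomes a persistent backdoor. The following script is an added example, not part of the original post and not a Hiawatha tool: it reports every path under a document root that is not owned by the expected owner or is group/world writable, and a second function applies the root:root, 755/644 rule with a recursive chown that also catches dot-files. The demonstration tree it builds is a constructed temporary directory, not a real site.<br />

```shell
#!/bin/sh
# Added example (not from the original post): audit and enforce the
# "everything root:root" rule for a document root. Directories that
# genuinely need uploads should be the documented exception, not the norm.

# Print paths under $1 that are not owned by $2 or are group/world writable.
webroot_offenders() {
    find "$1" \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# webroot_audit <dir> <owner>: exit 0 when clean, 1 otherwise
# (offending paths are listed on stderr).
webroot_audit() {
    offenders="$(webroot_offenders "$1" "$2")"
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" | sed 's/^/NOT LOCKED DOWN: /' >&2
    return 1
}

# webroot_lockdown <dir> <owner> <group>: owner:group on everything,
# directories 755, files 644. A path argument is used instead of a "*"
# glob so that dot-files such as .htaccess or .env are not skipped.
webroot_lockdown() {
    chown -R "$2:$3" "$1"
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demonstration tree (a temp directory, not a real site).
WEBROOT="$(mktemp -d)"
mkdir -p "$WEBROOT/public/uploads"
printf '<?php echo 1;' > "$WEBROOT/public/index.php"
printf 'DB_PASS=secret\n' > "$WEBROOT/.env"
chmod 666 "$WEBROOT/public/index.php"   # writable by www-data: bad
chmod 777 "$WEBROOT/public/uploads"     # world-writable directory: bad

if webroot_audit "$WEBROOT" "$(id -un)"; then
    echo "clean (unexpected for the demo tree)"
else
    echo "offenders found, locking down"
    webroot_lockdown "$WEBROOT" "$(id -un)" "$(id -gn)"
    webroot_audit "$WEBROOT" "$(id -un)" && echo "clean after lockdown"
fi
```

On the real server run <code>webroot_audit /var/www/mysite root</code> as root; the demonstration uses the current user as the expected owner only because chown to root needs privileges.<br />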
<br />
<b>Step 11b - Buffer overflow protection and hardening</b><br>
<br>
Make sure you enabled the "No Execute (NX)" or "Execute Disable (XD)" in the BIOS/UEFI.<br>
<br>
<code>sudo nano /etc/sysctl.conf</code><br>
<br>
Make it look like the following:<br>
<br>
<iframe src="//pastebin.com/embed_iframe/YRz1qiKE" style="border:none;width:100%"></iframe><br>
<br>
To reload it:<br>
<br>
<code>sudo sysctl -p</code><br>
<br>
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine-tune MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to setup a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" in the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", consider switching AppArmor to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, you can switch AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile above may not work 100% for you.<br />
<br />
<u>In order to further harden your Hiawatha web server, please consider the following options:</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not present on your server, install it:<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid version) or similar. However, make sure you do not disclose your server's IP address to the public.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If budget allows, you can consider implementing <a href="https://www.untangle.com/">Untangle</a> and <a href="http://www.infosec-ninjas.com/croissants">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>
<a href="http://www.blogger.com/profile/18065979766005810905">Samiux</a><br />
<br />
<b>HOWTO : Highest secured Hiawatha Web Server 10.0 on Ubuntu 14.04 LTS Server</b> (published 2015-12-08)<br />
<br />
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a DoS test report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>, covering an attack against the web server itself, namely SlowLoris.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The load of the server went up to 3.x (as shown by top) and after several seconds it returned to normal. The attacker's IP address was banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial describes how to set up a highly secured web server. Please also apply the "Optional" steps mentioned below to reach the highest level of security.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the fresh install system to the latest status.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade</code><br />
<code>sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Enable unattended upgrades on your system so that updates are installed automatically as soon as they are released. Alternatively, you can create a cron job later to update your system at a fixed time if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache apache2-utils php5-fpm mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget https://cmake.org/files/v3.4/cmake-3.4.1.tar.gz<br />
tar -xvzf cmake-3.4.1.tar.gz<br />
cd cmake-3.4.1<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 10.0).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-10.0.tar.gz<br />
tar -xzvf hiawatha-10.0.tar.gz<br />
<br />
cd hiawatha-10.0/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_10.0_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/fpm/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>zlib.output_compression = On<br />
zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>allow_url_fopen = Off<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, cgi.fix_pathinfo should for now be set to 0.<br />
<br />
*** The stock php.ini on Ubuntu already has a "disable_functions" list; append the functions listed above to the end of that existing list rather than replacing it.<br />
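The php.ini changes in Step 3a (the same step appears in the 10.1 post above and, for PHP 7.0, as Step 3 of the 10.2 post at the top of this page) are easy to get wrong: the stock file is full of commented-out defaults, and PHP takes the last uncommented assignment of a directive, so a hardened value placed above a later stock line silently loses. The script below is an added example, not taken from the original posts or from Hiawatha; it reads a php.ini the way PHP does and reports every directive that is not at its hardened value, including the cgi.fix_pathinfo=0 recommendation. The two php.ini files it checks are constructed inline. It deliberately does not require escapeshellarg and escapeshellcmd to be disabled: those are escaping helpers rather than execution primitives, and removing them breaks correctly written code once exec, system and the other execution functions are already gone.<br />

```shell
#!/bin/sh
# Added example (not part of the original post): audit a php.ini for the
# Step 3a hardening directives.
# Usage: php_ini_check /etc/php5/fpm/php.ini   (exit 0 = all hardened)

# Effective value of directive $2 in file $1: last uncommented assignment
# wins (as in PHP), trailing ";" comments stripped, lower-cased.
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z'
}

# Succeed only if every function in $2 (comma separated) is disabled in $1.
php_ini_functions_disabled() {
    disabled=",$(php_ini_get "$1" disable_functions | tr -d ' '),"
    missing=""
    for fn in $(printf '%s' "$2" | tr ',' ' '); do
        case "$disabled" in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "disable_functions is missing:$missing" >&2
    return 1
}

php_ini_check() {
    ini="$1"; rc=0
    # directive=expected pairs; cgi.fix_pathinfo=0 per the Hiawatha author
    for want in allow_url_fopen=off expose_php=off enable_dl=off \
                session.cookie_httponly=1 cgi.fix_pathinfo=0; do
        key="${want%%=*}"; val="${want#*=}"
        got="$(php_ini_get "$ini" "$key")"
        if [ "$got" != "$val" ]; then
            echo "$key is '$got', want '$val'" >&2; rc=1
        fi
    done
    # Execution/disclosure primitives from Step 3a. escapeshellarg and
    # escapeshellcmd are not required here: they only escape.
    php_ini_functions_disabled "$ini" \
        system,show_source,symlink,exec,dl,shell_exec,passthru,phpinfo || rc=1
    return $rc
}

# Constructed sample files (stand-ins for the real /etc/php5/fpm/php.ini).
PHP_INI_WEAK="$(mktemp)"
cat > "$PHP_INI_WEAK" <<'EOF'
; stock-style defaults: nothing hardened yet
allow_url_fopen = On
expose_php = On
enable_dl = Off
session.cookie_httponly =
;cgi.fix_pathinfo=1
disable_functions = pcntl_alarm,pcntl_fork
EOF

PHP_INI_HARD="$(mktemp)"
cat > "$PHP_INI_HARD" <<'EOF'
allow_url_fopen = Off
expose_php = Off
enable_dl = Off
session.cookie_httponly = 1
cgi.fix_pathinfo = 0
; Step 3a list appended to the distribution's own list
disable_functions = pcntl_alarm,pcntl_fork,system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,
EOF

php_ini_check "$PHP_INI_WEAK" || echo "weak php.ini rejected (expected)"
php_ini_check "$PHP_INI_HARD" && echo "hardened php.ini accepted"
```

Run it against the php.ini of the SAPI that actually serves the site (the fpm one here; the cli php.ini is a different file and hardening it does nothing for the web server).<br />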
<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Set the following in the php-fpm pool configuration. On Ubuntu the default <code>[www]</code> pool is defined in <code>/etc/php5/fpm/pool.d/www.conf</code>, which php-fpm.conf includes, so change the values there rather than defining a second <code>[www]</code> pool in php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/pool.d/www.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen.mode = 0666</code><br />
<code>listen = /var/run/php5-fpm.sock</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chdir = /</code><br />
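One caveat on this pool configuration, which is identical to Step 4 of the 10.1 post above: <code>listen.mode = 0666</code> makes the FastCGI socket usable by every local account, not only by Hiawatha. Anything that can open the socket can hand the pool a script path and run PHP as www-data, bypassing the web server, its AppArmor profile and the CGI jail. Hiawatha itself runs as www-data, so <code>0660</code> with <code>listen.owner</code> and <code>listen.group</code> set to www-data is sufficient. The script below is an added example, not from the original posts or from php-fpm; it audits a pool file for this. The two pool files it checks are constructed inline, the second being the corrected version of the configuration above.<br />

```shell
#!/bin/sh
# Added example (not part of the original post): check a php-fpm pool file
# for a socket that every local process may use.
# Usage: fpm_socket_check /etc/php5/fpm/pool.d/www.conf www-data

# Effective value of directive $2 in pool file $1 (last assignment wins).
fpm_pool_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//'
}

# fpm_socket_check <pool file> <web server user>; exit 0 = acceptable.
fpm_socket_check() {
    pool="$1"; wwwuser="$2"; rc=0
    listen="$(fpm_pool_get "$pool" listen)"
    case "$listen" in
        /*) ;;   # unix socket: file permissions decide who may connect
        *)  echo "listen = $listen: a TCP socket is reachable by every local process" >&2
            return 1 ;;
    esac
    mode="$(fpm_pool_get "$pool" listen.mode)"
    [ -n "$mode" ] || mode=0660          # php-fpm's built-in default
    case "$mode" in                      # last octal digit = "other" bits
        *[1-7]) echo "listen.mode = $mode grants access to 'other'; use 0660" >&2; rc=1 ;;
    esac
    for key in listen.owner listen.group; do
        val="$(fpm_pool_get "$pool" "$key")"
        if [ "$val" != "$wwwuser" ]; then
            echo "$key = '$val', want '$wwwuser'" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed pool files for the demonstration.
FPM_WEAK="$(mktemp)"
cat > "$FPM_WEAK" <<'EOF'
[www]
user = www-data
group = www-data
listen.mode = 0666
listen = /var/run/php5-fpm.sock
pm = static
pm.max_children = 100
chdir = /
EOF

FPM_HARD="$(mktemp)"
cat > "$FPM_HARD" <<'EOF'
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = static
pm.max_children = 100
chdir = /
EOF

fpm_socket_check "$FPM_WEAK" www-data || echo "weak pool rejected (expected)"
fpm_socket_check "$FPM_HARD" www-data && echo "hardened pool accepted"
```

After changing the pool file, restart php-fpm and confirm with <code>ls -l /var/run/php5-fpm.sock</code> that the socket is owned by www-data and carries no "other" permission bits.<br />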
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Please note that the UrlToolkit configuration has been slightly changed since version 9.10.<br>
<br>
The following configuration does not cover https. If you want to configure https, refer to the official Hiawatha manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=A8rNTUN6" style="border:none;width:100%"></iframe><br />
<br />
*** If you find that the Chrome browser gets banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=kjajATaX" style="border:none;width:100%"></iframe><br />
<br />
Hiawatha 10.0 changed the VirtualHost configuration; see <a href="https://www.hiawatha-webserver.org/weblog/106">this link</a> for details. The settings shown are for the Banshee CMS directory structure; adjust them for your own web application.<br>
<br>
*** If you do not implement "Step 7" below, do not add "WrapCGI = jail_mysite" (the wrap ID must match the one defined in cgi-wrapper.conf in Step 7).<br />
<br />
Furthermore, if you want to disable this virtual host, move <code>mysite.com</code> to <code>/etc/hiawatha/disable-sites/</code> and then restart the Hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
The CGI wrapper runs CGI programs as the user and group given in a <code>Wrap</code> line instead of as the web server's own user, and only the interpreters listed as <code>CGIhandler</code> may be started through it.<br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />
#CGIhandler = /usr/bin/php-cgi7.0<br />
CGIhandler = /usr/sbin/php-fpm7.0<br />
CGIhandler = /usr/bin/python<br />
CGIhandler = /usr/bin/ruby<br />
CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
(On Ubuntu 16.04 the PHP 7.0 binaries installed in section (C) are <code>/usr/bin/php-cgi7.0</code> and <code>/usr/sbin/php-fpm7.0</code>; the <code>php5-*</code> paths used in the older guides below do not exist there.)<br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Run the following command. <code>aa-genprof</code> creates a skeleton profile for the binary, puts it in complain mode (violations are logged, not blocked) and then waits while you exercise the application; let the web site run like this for a while, a week or so, so that the logs cover its normal behaviour.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About a week later, or whenever the web page/site misbehaves, issue the following command to fold the logged events into the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; adjust it so that the paths match your installation.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Put the profile in enforce mode (this activates the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To re-enable the profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now your Hiawatha is already very secure, but the CGI wrapper can be tightened further. It is installed setuid root so that it can switch to the user and group given in the <code>Wrap</code> line. Replacing the setuid bit with the two file capabilities it needs for that means a flaw in the wrapper no longer hands out every root privilege (raw sockets, ptrace, mounting and so on), only <code>cap_setuid</code> and <code>cap_setgid</code>. These two are still powerful (a process holding <code>cap_setuid</code> can switch to uid 0), so this is a reduction, not a full de-privileging. If the wrapper also chroots into the <code>Wrap</code> directory it needs <code>cap_sys_chroot</code> as well; test a CGI request after this step and check <code>error.log</code>.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Remove the setuid bit and apply the capabilities to cgi-wrapper.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to redo this step whenever logwatch is updated or upgraded, as the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root. A web root the PHP process cannot write to cannot be used to drop a web shell. Run chown on the directory itself rather than on <code>*</code>, which skips dot files. Only the directories the application genuinely has to write to (uploads, cache) should be handed to www-data, individually.<br />
<br />
<code>sudo chown -R root:root /var/www/mysite</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine tune the MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to setup a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" to the VirtualHost section, otherwise the rules are defined but never applied.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>" after enabling the profile, put AppArmor in "<code>Complain mode</code>": the profile keeps logging what it would have denied, but no longer blocks it.<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, fold the logged events into the profile and switch back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is necessary because the <code>usr.sbin.hiawatha</code> profile shown above may not match your installation 100%.<br />
<br />
<u>To harden your Hiawatha web server further, consider the following options:</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall at your router, or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not present on your server, install it:<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid plan) or similar. Make sure the origin server's IP address is not disclosed to the public, otherwise attackers can simply bypass the proxy.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If the budget allows, you can consider deploying <a href="https://www.untangle.com/">Untangle</a> and <a href="http://www.infosec-ninjas.com/croissants">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>
Samiux<br />
<br />
<b>HOWTO : Highest secured Hiawatha Web Server 9.13 on Ubuntu 14.04 LTS Server</b> (published 2015-05-24, updated 2015-08-21)<br />
<br />
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a DoS testing report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>, covering SlowLoris against the web server itself.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The load of the server went up to 3.x (as shown by top) and after several seconds it returned to normal. The attacker's IP address was banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial describes how to set up the most secure web server possible. Please also apply the "Optional" steps mentioned below to reach that level.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest state.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade<br />
sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Enable unattended upgrades, so that updates are installed automatically as they appear. Alternatively, create a cron job later to update the system at a fixed time, if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, reboot the system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache apache2-utils php5-fpm mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v3.2/cmake-3.2.2.tar.gz<br />
tar -xvzf cmake-3.2.2.tar.gz<br />
cd cmake-3.2.2<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.13).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.13.tar.gz<br />
tar -xzvf hiawatha-9.13.tar.gz<br />
<br />
cd hiawatha-9.13/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.13_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are applied to the php.ini used by php-fpm; the hardening directives follow in Step 3a.<br />
<br />
<code>sudo nano /etc/php5/fpm/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>zlib.output_compression = On<br />
zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
These close the usual post-exploitation paths: <code>allow_url_fopen = Off</code> stops remote file inclusion through URL wrappers, <code>expose_php = Off</code> removes the X-Powered-By version header, <code>session.cookie_httponly = 1</code> keeps the session cookie away from JavaScript, and <code>disable_functions</code> removes the command-execution primitives a web shell relies on.<br />
<br />
<code>allow_url_fopen = Off<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1<br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd</code><br />
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 at this moment.<br />
<br />
*** Ubuntu's stock php.ini already carries a <code>disable_functions</code> list (the <code>pcntl_*</code> functions); append the functions above to the end of that list rather than replacing it.<br />
<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Set the following in the <code>[www]</code> pool.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]<br />
user = www-data<br />
group = www-data<br />
listen.mode = 0666<br />
listen = /var/run/php5-fpm.sock<br />
pm = static<br />
pm.max_children = 100<br />
chdir = /</code><br />
<br />
On Ubuntu 14.04 the <code>[www]</code> pool is actually defined in <code>/etc/php5/fpm/pool.d/www.conf</code>, which is included from <code>php-fpm.conf</code>; put these values in that existing section rather than adding a second <code>[www]</code> block. Note that <code>listen.mode = 0666</code> makes the socket writable by every local user; since Hiawatha connects to it as www-data, <code>listen.mode = 0660</code> together with <code>listen.owner = www-data</code> and <code>listen.group = www-data</code> is sufficient and keeps other local accounts away from the PHP pool.<br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Please note that the UrlToolkit configuration has changed slightly since version 9.10.<br>
<br>
The following does not cover HTTPS. If you want to configure HTTPS, refer to the Hiawatha official manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=A8rNTUN6" style="border:none;width:100%"></iframe><br />
<br />
*** If Chrome users get banned (the browser opens many parallel connections per page load), relax the "BanOnFlooding" setting to "90/1:300", i.e. 90 requests per second before a 300-second ban.<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line in the <code>VIRTUAL HOSTS</code> section, so that every file in that directory is read as a virtual host definition.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure the directories <code>enable-sites</code> and <code>disable-sites</code> exist under <code>/etc/hiawatha</code>. Only the first one is included; the second is just a parking place for sites that are switched off.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code> with the following content.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=kjajATaX" style="border:none;width:100%"></iframe><br />
<br />
*** Only add "WrapCGI = jail_mysite" to the virtual host if you implement "Step 7" below; the name must match the <code>Wrap</code> id defined in <code>cgi-wrapper.conf</code>.<br />
<br />
To disable this virtual host, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart Hiawatha.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
The CGI wrapper runs CGI programs as the user and group given in a <code>Wrap</code> line instead of as the web server's own user, and only the interpreters listed as <code>CGIhandler</code> may be started through it.<br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />
#CGIhandler = /usr/bin/php5-cgi<br />
CGIhandler = /usr/sbin/php5-fpm<br />
CGIhandler = /usr/bin/python<br />
CGIhandler = /usr/bin/ruby<br />
CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Run the following command. <code>aa-genprof</code> creates a skeleton profile for the binary, puts it in complain mode (violations are logged, not blocked) and then waits while you exercise the application; let the web site run like this for a while, a week or so, so that the logs cover its normal behaviour.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About a week later, or whenever the web page/site misbehaves, issue the following command to fold the logged events into the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; adjust it so that the paths match your installation.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Put the profile in enforce mode (this activates the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To re-enable the profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now your Hiawatha is already very secure, but the CGI wrapper can be tightened further. It is installed setuid root so that it can switch to the user and group given in the <code>Wrap</code> line. Replacing the setuid bit with the two file capabilities it needs for that means a flaw in the wrapper no longer hands out every root privilege (raw sockets, ptrace, mounting and so on), only <code>cap_setuid</code> and <code>cap_setgid</code>. These two are still powerful (a process holding <code>cap_setuid</code> can switch to uid 0), so this is a reduction, not a full de-privileging. If the wrapper also chroots into the <code>Wrap</code> directory it needs <code>cap_sys_chroot</code> as well; test a CGI request after this step and check <code>error.log</code>.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Remove the setuid bit and apply the capabilities to cgi-wrapper.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to redo this step whenever logwatch is updated or upgraded, as the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root. A web root the PHP process cannot write to cannot be used to drop a web shell. Run chown on the directory itself rather than on <code>*</code>, which skips dot files. Only the directories the application genuinely has to write to (uploads, cache) should be handed to www-data, individually.<br />
<br />
<code>sudo chown -R root:root /var/www/mysite</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine tune the MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to setup a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" to the VirtualHost section, otherwise the rules are defined but never applied.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>" after enabling the profile, put AppArmor in "<code>Complain mode</code>": the profile keeps logging what it would have denied, but no longer blocks it.<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, fold the logged events into the profile and switch back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is necessary because the <code>usr.sbin.hiawatha</code> profile shown above may not match your installation 100%.<br />
<br />
<u>To harden your Hiawatha web server further, consider the following options:</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall at your router, or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not present on your server, install it:<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid plan) or similar. Make sure the origin server's IP address is not disclosed to the public, otherwise attackers can simply bypass the proxy.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If the budget allows, you can consider deploying <a href="https://www.untangle.com/">Untangle</a> and <a href="http://samiux.blogspot.com/2014/05/croissants-intrusion-detection-and.html">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>
Samiux<br />
<br />
<b>HOWTO : Highest secured Hiawatha Web Server 9.12 on Ubuntu 14.04 LTS Server</b> (published 2015-02-14)<br />
<br />
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a DoS testing report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>, covering SlowLoris against the web server itself.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The load of the server went up to 3.x (as shown by top) and after several seconds it returned to normal. The attacker's IP address was banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial describes how to set up the most secure web server possible. Please also apply the "Optional" steps mentioned below to reach that level.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest state.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade<br />
sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Enable unattended upgrades, so that updates are installed automatically as they appear. Alternatively, create a cron job later to update the system at a fixed time, if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, reboot the system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v3.1/cmake-3.1.2.tar.gz<br />
tar -xvzf cmake-3.1.2.tar.gz<br />
cd cmake-3.1.2<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.12).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.12.tar.gz<br />
tar -xzvf hiawatha-9.12.tar.gz<br />
<br />
cd hiawatha-9.12/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.12_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are applied to the php.ini used by php-fpm; the hardening directives follow in Step 3a.<br />
<br />
<code>sudo nano /etc/php5/fpm/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>zlib.output_compression = On<br />
zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
These close the usual post-exploitation paths: <code>allow_url_fopen = Off</code> stops remote file inclusion through URL wrappers, <code>expose_php = Off</code> removes the X-Powered-By version header, <code>session.cookie_httponly = 1</code> keeps the session cookie away from JavaScript, and <code>disable_functions</code> removes the command-execution primitives a web shell relies on.<br />
<br />
<code>allow_url_fopen = Off<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1<br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd</code><br />
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 at this moment.<br />
<br />
*** Ubuntu's stock php.ini already carries a <code>disable_functions</code> list (the <code>pcntl_*</code> functions); append the functions above to the end of that list rather than replacing it.<br />
<br />
<br />
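As an added example for Steps 3 and 3a (here and in the 9.13 guide above), and not part of the original post, the following POSIX shell script reads the effective value of each hardening directive from a php.ini file and reports every one that differs from the value this guide sets, including <code>cgi.fix_pathinfo = 0</code> from the note above and a subset of the command-execution functions that must appear in <code>disable_functions</code>. It only inspects the file; the path is an argument (the post's file is <code>/etc/php5/fpm/php.ini</code>) and the helper names <code>ini_value</code> and <code>check_php_ini</code> are chosen for this example.<br />

```shell
#!/bin/sh
# Added example, not from the original post: verify that the php.ini
# hardening from Steps 3/3a actually took effect. The keys and values checked
# are the ones the post lists; the file path is a parameter.
set -u

# ini_value FILE KEY: print the effective value of KEY, i.e. the last
# uncommented "KEY = value" line, with surrounding quotes and spaces removed.
# Prints an empty line when the key is not set at all.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                 # comment line
        index($0, "=") == 0 { next }           # section header or junk
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)        # strip trailing comment
            k = line; sub(/=.*$/, "", k)       # text before the first "="
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr(line, index(line, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                gsub(/^"|"$/, "", v)
                val = v                        # later lines override earlier ones
            }
        }
        END { print val }' "$1"
}

# check_php_ini FILE: compare the hardening directives against the values the
# guide sets. Prints one line per mismatch; the return code is the number of
# mismatches, so 0 means the file is as expected.
check_php_ini() {
    ini=$1
    bad=0
    for pair in expose_php=Off allow_url_fopen=Off enable_dl=Off \
                session.cookie_httponly=1 cgi.fix_pathinfo=0; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(ini_value "$ini" "$key")
        if [ "$(printf %s "$have" | tr 'A-Z' 'a-z')" != \
             "$(printf %s "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "$key = '${have:-<unset>}' (want $want)"
            bad=$((bad + 1))
        fi
    done
    # The command-execution primitives from the post's list must be disabled.
    have=$(ini_value "$ini" disable_functions)
    for fn in system exec shell_exec passthru phpinfo; do
        case ",$(printf %s "$have" | tr -d ' ')," in
            *",$fn,"*) ;;
            *) echo "disable_functions is missing $fn"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Command-line use: check_php_ini.sh /etc/php5/fpm/php.ini
if [ "$#" -eq 1 ]; then
    check_php_ini "$1"
    exit $?
fi
```

Run it as <code>sh check_php_ini.sh /etc/php5/fpm/php.ini</code> after Step 3a and again after every PHP package upgrade; the exit status is the number of mismatches, so it drops straight into a cron job or a monitoring check.<br />
<br />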
<b>Step 4 - Configure php-fpm</b><br />
<br />
Set the following in the <code>[www]</code> pool.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]<br />
user = www-data<br />
group = www-data<br />
listen.mode = 0666<br />
listen = /var/run/php5-fpm.sock<br />
pm = static<br />
pm.max_children = 100<br />
chdir = /</code><br />
<br />
On Ubuntu 14.04 the <code>[www]</code> pool is actually defined in <code>/etc/php5/fpm/pool.d/www.conf</code>, which is included from <code>php-fpm.conf</code>; put these values in that existing section rather than adding a second <code>[www]</code> block. Note that <code>listen.mode = 0666</code> makes the socket writable by every local user; since Hiawatha connects to it as www-data, <code>listen.mode = 0660</code> together with <code>listen.owner = www-data</code> and <code>listen.group = www-data</code> is sufficient and keeps other local accounts away from the PHP pool.<br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Please note that the UrlToolkit configuration has changed slightly since version 9.10.<br>
<br>
The following does not cover HTTPS. If you want to configure HTTPS, refer to the Hiawatha official manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YF1izX06" style="border:none;width:100%"></iframe><br />
<br />
*** If Chrome users get banned (the browser opens many parallel connections per page load), relax the "BanOnFlooding" setting to "90/1:300", i.e. 90 requests per second before a 300-second ban.<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line in the <code>VIRTUAL HOSTS</code> section, so that every file in that directory is read as a virtual host definition.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure the directories <code>enable-sites</code> and <code>disable-sites</code> exist under <code>/etc/hiawatha</code>. Only the first one is included; the second is just a parking place for sites that are switched off.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code> with the following content.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=kjajATaX" style="border:none;width:100%"></iframe><br />
<br />
*** Only add "WrapCGI = jail_mysite" to the virtual host if you implement "Step 7" below; the name must match the <code>Wrap</code> id defined in <code>cgi-wrapper.conf</code>.<br />
<br />
To disable this virtual host, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart Hiawatha.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
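<br />
The following shell script is an added example for Steps 5a and 6 (here and in the 10.6 and 9.13 guides above); it is not part of the original post. It moves a site file between <code>enable-sites/</code> and <code>disable-sites/</code>, runs Hiawatha's own configuration check (<code>hiawatha -k</code>, with <code>-c</code> pointing at the configuration directory) and rolls the move back if the check fails, so a mistake in a site file never reaches a restart. The <code>HIAWATHA_CONF</code> variable and the function names are assumptions made for this example so that it can be exercised against a scratch directory; the restart command is the one from Step 12.<br />

```shell
#!/bin/sh
# Added example, not part of the original post: enable or disable a virtual
# host by moving its file between enable-sites/ and disable-sites/, then run
# "hiawatha -k" before the restart so a typo cannot take the server down.
# HIAWATHA_CONF is an assumed override of the configuration directory.
set -u

HIAWATHA_CONF="${HIAWATHA_CONF:-/etc/hiawatha}"

# config_ok: run Hiawatha's own syntax check on HIAWATHA_CONF.
# Returns 0 if the check passes, or if hiawatha is not installed on this host.
config_ok() {
    command -v hiawatha >/dev/null 2>&1 || return 0
    hiawatha -k -c "$HIAWATHA_CONF" >/dev/null
}

# toggle_site NAME enable|disable
# Moves the site file and moves it back if the config check fails afterwards.
# Returns 0 on success, 1 on a missing file, a bad action or a failed check.
toggle_site() {
    name=$1
    action=$2
    case "$action" in
        enable)
            src="$HIAWATHA_CONF/disable-sites/$name"
            dst="$HIAWATHA_CONF/enable-sites/$name" ;;
        disable)
            src="$HIAWATHA_CONF/enable-sites/$name"
            dst="$HIAWATHA_CONF/disable-sites/$name" ;;
        *)
            echo "usage: toggle_site NAME enable|disable" >&2
            return 1 ;;
    esac
    if [ ! -f "$src" ]; then
        echo "no such site file: $src" >&2
        return 1
    fi
    mkdir -p "${dst%/*}"
    mv "$src" "$dst" || return 1
    if ! config_ok; then
        echo "configuration check failed, moving $name back" >&2
        mv "$dst" "$src"
        return 1
    fi
    return 0
}

# Command-line use: toggle_site.sh mysite.com disable
# The restart only happens when the move and the configuration check succeeded.
if [ "$#" -eq 2 ]; then
    toggle_site "$1" "$2" && /etc/init.d/hiawatha restart
fi
```

Invoke it as <code>sh toggle_site.sh mysite.com disable</code>; <code>enable</code> goes the other way. Because the restart only follows a successful check, a broken site file is parked back where it came from instead of taking every other virtual host offline with it.<br />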
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
The CGI wrapper runs CGI programs as the user and group given in a <code>Wrap</code> line instead of as the web server's own user, and only the interpreters listed as <code>CGIhandler</code> may be started through it.<br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />
#CGIhandler = /usr/bin/php5-cgi<br />
CGIhandler = /usr/sbin/php5-fpm<br />
CGIhandler = /usr/bin/python<br />
CGIhandler = /usr/bin/ruby<br />
CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Run the following command. <code>aa-genprof</code> creates a skeleton profile for the binary, puts it in complain mode (violations are logged, not blocked) and then waits while you exercise the application; let the web site run like this for a while, a week or so, so that the logs cover its normal behaviour.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About a week later, or whenever the web page/site misbehaves, issue the following command to fold the logged events into the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; adjust it so that the paths match your installation.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Put the profile in enforce mode (this activates the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To re-enable the profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now your Hiawatha is already very secure, but the CGI wrapper can be tightened further. It is installed setuid root so that it can switch to the user and group given in the <code>Wrap</code> line. Replacing the setuid bit with the two file capabilities it needs for that means a flaw in the wrapper no longer hands out every root privilege (raw sockets, ptrace, mounting and so on), only <code>cap_setuid</code> and <code>cap_setgid</code>. These two are still powerful (a process holding <code>cap_setuid</code> can switch to uid 0), so this is a reduction, not a full de-privileging. If the wrapper also chroots into the <code>Wrap</code> directory it needs <code>cap_sys_chroot</code> as well; test a CGI request after this step and check <code>error.log</code>.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Remove the setuid bit and apply the capabilities to cgi-wrapper.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to redo this step whenever logwatch is updated or upgraded, as the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root, so that the www-data account PHP runs as cannot modify the application code. Pass the directory itself to chown rather than a <code>*</code> glob, which would skip dotfiles such as <code>.htaccess</code>. Any directory the application must write to (uploads, a cache) has to be handed back to www-data afterwards.<br />
<br />
<code>sudo chown -R root:root /var/www/mysite</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine tune the MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to setup a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add a "UseToolkit" line to the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter a "<code>500 Internal Server Error</code>", switch the AppArmor profile to "<code>complain mode</code>", in which violations are only logged, not blocked.<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, fold the logged denials into the profile and switch it back to "<code>enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is needed because the <code>usr.sbin.hiawatha</code> profile shown above may not match your setup exactly.<br />
<br />
<u>To further harden your Hiawatha web server, consider the following options:</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, install it:<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid) or a similar service. If you do, make sure the origin server's IP address is never disclosed publicly (for example in DNS records or outgoing e-mail headers), otherwise attackers can simply bypass the proxy and hit the server directly.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If budget allows, consider deploying <a href="https://www.untangle.com/">Untangle</a> and <a href="http://samiux.blogspot.com/2014/05/croissants-intrusion-detection-and.html">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>
Samiuxhttp://www.blogger.com/profile/18065979766005810905noreply@blogger.comtag:blogger.com,1999:blog-5719460944195273704.post-55038454280575430482015-01-22T12:37:00.002+08:002015-01-22T12:37:31.355+08:00HOWTO : Highest secured Hiawatha Web Server 9.11 on Ubuntu 14.04 LTS Server<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very
secure and fast web server. It supports PHP, Perl, Python
and Ruby, and it is lightweight and easy to configure and set up.
How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> page of Hiawatha.<br />
<br />
There is a test report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a> on a DoS attack against the web server itself, namely SlowLoris.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (with the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS attack against PHP) and my Hiawatha stayed alive. The load of the server went up to 3.x (as shown by top) and after several seconds it returned to normal. The attacker's IP address was banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial describes setting up the most secure web server possible. Please also apply the "Optional" steps mentioned below to reach that level.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest packages.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade<br />
sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Enable unattended upgrades so that updates are applied automatically as soon as they are available, or create a cron job later to update the system at a fixed time if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v3.1/cmake-3.1.0.tar.gz<br />
tar -xvzf cmake-3.1.0.tar.gz<br />
cd cmake-3.1.0<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.11).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.11.tar.gz<br />
tar -xzvf hiawatha-9.11.tar.gz<br />
<br />
cd hiawatha-9.11/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.11_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
Edit the php.ini used by php-fpm and apply the following changes (the security-related settings follow in Step 3a).<br />
<br />
<code>sudo nano /etc/php5/fpm/php.ini</code><br />
<br />
<code>zlib.output_compression = On<br />
zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>allow_url_fopen = Off<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1<br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd</code><br />
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0. With the default of 1, PHP "fixes up" a request path such as <code>/uploads/image.jpg/x.php</code> by walking back to the nearest existing file, so an uploaded file that is not a PHP script can end up being executed as one.<br />
<br />
*** Ubuntu's stock php.ini already carries a <code>disable_functions</code> list; append the functions above to the end of that existing list rather than replacing it.<br />
<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen.mode = 0666</code><br />
<code>listen = /var/run/php5-fpm.sock</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Please note that the UrlToolkit configuration has been slightly changed since version 9.10.<br>
<br>
The following does not cover HTTPS. If you want to configure HTTPS, refer to the official Hiawatha manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YF1izX06" style="border:none;width:100%"></iframe><br />
<br />
*** If you find the Chrome browser getting banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=kjajATaX" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, do not add "WrapCGI = jail_mysite" (the wrap id defined there) to the virtual host.<br />
<br />
If you want to disable this virtual host later, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart Hiawatha.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />
#CGIhandler = /usr/bin/php5-cgi<br />
CGIhandler = /usr/sbin/php5-fpm<br />
CGIhandler = /usr/bin/python<br />
CGIhandler = /usr/bin/ruby<br />
CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Run the following command; it puts the profile in complain mode, so that everything Hiawatha does is logged rather than blocked. Let the web site run like that for a while, a week or so, so the logs capture everything it needs.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About a week later, or sooner if the web page/site misbehaves, issue the following command to fold the logged events into the profile. Remember to reload the profile afterwards.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; edit it to match if it does not.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed the profile, reload it so that the running kernel picks up the new rules.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile.<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled.<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Hiawatha is now well locked down, but the cgi-wrapper binary can be tightened further. It is installed setuid root so that it can switch to the jail user and group; file capabilities let it keep just those two privileges instead of running with full root rights.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Drop the setuid bit and grant cgi-wrapper only the capabilities it needs. A later upgrade of the hiawatha package replaces the binary, which brings back the setuid bit and drops the capabilities, so repeat this step after every upgrade. If your Wrap entry in cgi-wrapper.conf makes cgi-wrapper chroot, it additionally needs cap_sys_chroot; watch Hiawatha's error log after the change.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to teach Logwatch about your Hiawatha web server's log files.<br />
<br />
Redo this step whenever the logwatch package is updated or upgraded, as the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root, so that the www-data account PHP runs as cannot modify the application code. Pass the directory itself to chown rather than a <code>*</code> glob, which would skip dotfiles such as <code>.htaccess</code>. Any directory the application must write to (uploads, a cache) has to be handed back to www-data afterwards.<br />
<br />
<code>sudo chown -R root:root /var/www/mysite</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine tune the MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to setup a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add a "UseToolkit" line to the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter a "<code>500 Internal Server Error</code>", switch the AppArmor profile to "<code>complain mode</code>", in which violations are only logged, not blocked.<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, fold the logged denials into the profile and switch it back to "<code>enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is needed because the <code>usr.sbin.hiawatha</code> profile shown above may not match your setup exactly.<br />
<br />
<u>To further harden your Hiawatha web server, consider the following options:</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, install it:<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid) or a similar service. If you do, make sure the origin server's IP address is never disclosed publicly (for example in DNS records or outgoing e-mail headers), otherwise attackers can simply bypass the proxy and hit the server directly.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If budget allows, consider deploying <a href="https://www.untangle.com/">Untangle</a> and <a href="http://samiux.blogspot.com/2014/05/croissants-intrusion-detection-and.html">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>Samiuxhttp://www.blogger.com/profile/18065979766005810905noreply@blogger.comtag:blogger.com,1999:blog-5719460944195273704.post-16862394650624731292015-01-05T14:22:00.002+08:002015-01-05T14:22:35.593+08:00HOWTO : Highest secured Hiawatha Web Server 9.10 on Ubuntu 14.04 LTS Server<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very
secure and fast web server. It supports PHP, Perl, Python
and Ruby, and it is lightweight and easy to configure and set up.
How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> page of Hiawatha.<br />
<br />
There is a test report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a> on a DoS attack against the web server itself, namely SlowLoris.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (with the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS attack against PHP) and my Hiawatha stayed alive. The load of the server went up to 3.x (as shown by top) and after several seconds it returned to normal. The attacker's IP address was banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial describes setting up the most secure web server possible. Please also apply the "Optional" steps mentioned below to reach that level.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest packages.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade<br />
sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Enable unattended upgrades so that updates are applied automatically as soon as they are available, or create a cron job later to update the system at a fixed time if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v3.1/cmake-3.1.0.tar.gz<br />
tar -xvzf cmake-3.1.0.tar.gz<br />
cd cmake-3.1.0<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.10).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.10.tar.gz<br />
tar -xzvf hiawatha-9.10.tar.gz<br />
<br />
cd hiawatha-9.10/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.10_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
Edit the php.ini used by php-fpm and apply the following changes (the security-related settings follow in Step 3a).<br />
<br />
<code>sudo nano /etc/php5/fpm/php.ini</code><br />
<br />
<code>zlib.output_compression = On<br />
zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>allow_url_fopen = Off<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1<br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd</code><br />
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0. With the default of 1, PHP "fixes up" a request path such as <code>/uploads/image.jpg/x.php</code> by walking back to the nearest existing file, so an uploaded file that is not a PHP script can end up being executed as one.<br />
<br />
*** Ubuntu's stock php.ini already carries a <code>disable_functions</code> list; append the functions above to the end of that existing list rather than replacing it.<br />
<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen.mode = 0666</code><br />
<code>listen = /var/run/php5-fpm.sock</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Please note that the UrlToolkit configuration has been slightly changed since version 9.10.<br>
<br>
The following does not cover HTTPS. If you want to configure HTTPS, refer to the official Hiawatha manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=yrxTG8Vz" style="border:none;width:100%"></iframe><br />
<br />
*** If you find the Chrome browser getting banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=kjajATaX" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, do not add "WrapCGI = jail_mysite" (the wrap id defined there) to the virtual host.<br />
<br />
If you want to disable this virtual host later, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart Hiawatha.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />
#CGIhandler = /usr/bin/php5-cgi<br />
CGIhandler = /usr/sbin/php5-fpm<br />
CGIhandler = /usr/bin/python<br />
CGIhandler = /usr/bin/ruby<br />
CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Run the following command; it puts the profile in complain mode, so that everything Hiawatha does is logged rather than blocked. Let the web site run like that for a while, a week or so, so the logs capture everything it needs.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About a week later, or sooner if the web page/site misbehaves, issue the following command to fold the logged events into the profile. Remember to reload the profile afterwards.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; edit it to match if it does not.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed the profile, reload it so that the running kernel picks up the new rules.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile.<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled.<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Hiawatha is now well locked down, but the cgi-wrapper binary can be tightened further. It is installed setuid root so that it can switch to the jail user and group; file capabilities let it keep just those two privileges instead of running with full root rights.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Drop the setuid bit and grant cgi-wrapper only the capabilities it needs. A later upgrade of the hiawatha package replaces the binary, which brings back the setuid bit and drops the capabilities, so repeat this step after every upgrade. If your Wrap entry in cgi-wrapper.conf makes cgi-wrapper chroot, it additionally needs cap_sys_chroot; watch Hiawatha's error log after the change.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to teach Logwatch about your Hiawatha web server's log files.<br />
<br />
Redo this step whenever the logwatch package is updated or upgraded, as the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root, so that the www-data account PHP runs as cannot modify the application code. Pass the directory itself to chown rather than a <code>*</code> glob, which would skip dotfiles such as <code>.htaccess</code>. Any directory the application must write to (uploads, a cache) has to be handed back to www-data afterwards.<br />
<br />
<code>sudo chown -R root:root /var/www/mysite</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine tune the MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to setup a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add a "UseToolkit" line to the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter a "<code>500 Internal Server Error</code>", switch the AppArmor profile to "<code>complain mode</code>", in which violations are only logged, not blocked.<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, fold the logged denials into the profile and switch it back to "<code>enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is needed because the <code>usr.sbin.hiawatha</code> profile shown above may not match your setup exactly.<br />
<br />
<u>To further harden your Hiawatha web server, consider the following options:</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider to enable your firewall at your router or on the Hiawatha Web Server with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid version) or similar. However, make sure you do not disclose your server's IP address to the public.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If budget allows, you can consider implementing <a href="https://www.untangle.com/">Untangle</a> and <a href="http://samiux.blogspot.com/2014/05/croissants-intrusion-detection-and.html">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>Samiux<br>
<br>
<b>HOWTO : Highest secured Hiawatha Web Server 9.9 on Ubuntu 14.04 LTS Server</b> (2014-12-10)<br>
<br>
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very
secure and fast web server in the market. It supports PHP, Perl, Python
and Ruby. It is also very lightweight, easy to configure and setup
too. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a DoS testing report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>, covering an attack against the web server itself, namely SlowLoris.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The server load went up to 3.x (as shown by top) and returned to normal after several seconds. The attacker's IP address was banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial is written for setting up the highest secured web server. Please also apply the "Optional" steps mentioned below to make the web server as secure as possible.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest state.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade</code><br />
<code>sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Select unattended updates for your system. It will push all the updates to your system when they are available. Or, you can create a cron job later to update your system at a certain time if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v3.0/cmake-3.0.2.tar.gz<br />
tar -xvzf cmake-3.0.2.tar.gz<br />
cd cmake-3.0.2<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.9).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.9.tar.gz<br />
tar -xzvf hiawatha-9.9.tar.gz<br />
<br />
cd hiawatha-9.9/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.9_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/fpm/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>zlib.output_compression = On<br />
zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>allow_url_fopen = Off<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, the cgi.fix_pathinfo should be set to 0 at this moment. <br />
<br />
*** On Ubuntu 12.04 LTS there will already be some entries at the end of "disable_functions"; just append the list above to the end of the existing list.<br />
<br />
<br />
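The php.ini changes in Steps 3 and 3a are easy to get wrong by hand (a setting left commented out, or a second disable_functions line that silently overrides the first), so here is an added helper script that applies them idempotently. It is example code written for this page, not part of the original post or of Hiawatha; the sample php.ini it writes is constructed for the demonstration, not a copy of the Ubuntu one.<br />

```shell
#!/bin/sh
# Idempotent php.ini hardening helper (added example; not from the original post).
# It applies the Step 3a settings to a php.ini-style file: an existing active
# "key = value" line is replaced, a commented-out ";key = value" line is
# uncommented, and a missing key is appended. Safe to run repeatedly.

# set_ini FILE KEY VALUE
set_ini() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        # keyline(s): 1 if s is "KEY = ..." after an optional ";" comment marker
        function keyline(s,    rest) {
            sub(/^[ \t]*;?[ \t]*/, "", s)
            if (substr(s, 1, length(k)) != k) return 0
            rest = substr(s, length(k) + 1)
            return rest ~ /^[ \t]*=/
        }
        {
            lines[NR] = $0
            if (keyline($0)) {
                if ($0 ~ /^[ \t]*;/) { if (!c) c = NR } else { if (!a) a = NR }
            }
        }
        END {
            target = a ? a : c                  # prefer the active line over a commented one
            for (i = 1; i <= NR; i++) {
                out = (i == target) ? k " = " v : lines[i]
                print out
            }
            if (!target) print k " = " v        # key absent: append it
        }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file owner and mode
    rm -f "$tmp"
}

# get_ini FILE KEY -> prints the value of the first active KEY line (empty if none)
get_ini() {
    awk -v k="$2" '
        /^[ \t]*;/ { next }                     # skip comments
        {
            line = $0; sub(/^[ \t]*/, "", line)
            if (substr(line, 1, length(k)) != k) next
            rest = substr(line, length(k) + 1)
            if (rest !~ /^[ \t]*=/) next        # "enable_dl" must not match "enable_dl_x"
            sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
            print rest; exit
        }' "$1"
}

# append_disabled FILE FUNC... -> adds FUNCs to disable_functions without duplicates
append_disabled() {
    file=$1; shift
    current=$(get_ini "$file" disable_functions | tr -d ' ')
    for fn in "$@"; do
        case ",$current," in
            *",$fn,"*) ;;                       # already disabled
            *) current="${current:+$current,}$fn" ;;
        esac
    done
    set_ini "$file" disable_functions "$current"
}

# harden_php_ini FILE -> applies the Step 3a settings from the post
harden_php_ini() {
    f=$1
    set_ini "$f" allow_url_fopen Off
    set_ini "$f" expose_php Off
    set_ini "$f" enable_dl Off
    set_ini "$f" session.cookie_httponly 1
    set_ini "$f" cgi.fix_pathinfo 0
    append_disabled "$f" system show_source symlink exec dl shell_exec passthru \
        phpinfo escapeshellarg escapeshellcmd
}

# make_sample_ini FILE -> writes a small constructed php.ini (not a real Ubuntu one)
make_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample php.ini for the example
expose_php = On
;enable_dl = Off
disable_functions = pcntl_alarm,pcntl_fork
cgi.fix_pathinfo=1
EOF
}

# Usage (as root): sh harden-php-ini.sh /etc/php5/fpm/php.ini
if [ $# -eq 1 ]; then
    harden_php_ini "$1" && get_ini "$1" disable_functions
fi
```

Run it as root against /etc/php5/fpm/php.ini and then restart php5-fpm. The script prefers an active line over a commented one, so a documentation line such as ";expose_php = On" is only uncommented when no live setting exists, and the disable_functions merge keeps whatever Ubuntu already lists, which is the situation the 12.04 note above describes.<br />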
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen.mode = 0666</code><br />
<code>listen = /var/run/php5-fpm.sock</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chdir = /</code><br />
<br />
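One setting in the pool above deserves a check: listen.mode = 0666 makes the FastCGI socket writable by every local account, not only the web server, so any local user could hand requests to php-fpm. The following audit script is an added example, not code from the original post or from php-fpm; it assumes the Step 4 "key = value" pool syntax and that Hiawatha runs as www-data, and the two pool files it writes are constructed for the demonstration (the second one restricts the socket with listen.owner/listen.group and mode 0660).<br />

```shell
#!/bin/sh
# php-fpm pool socket audit (added example; not from the original post).
# Assumes the Step 4 "key = value" pool syntax and that Hiawatha runs as www-data.

# pool_get FILE KEY -> prints the value of the first active KEY line (empty if none)
pool_get() {
    awk -v k="$2" '
        /^[ \t]*[;#]/ { next }                          # skip comment lines
        {
            line = $0; sub(/^[ \t]*/, "", line)
            if (substr(line, 1, length(k)) != k) next
            rest = substr(line, length(k) + 1)
            if (rest !~ /^[ \t]*=/) next                 # "listen.mode" must not match "listen"
            sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
            print rest; exit
        }' "$1"
}

# audit_pool FILE -> one finding per line; exit 0 when the socket is restricted
audit_pool() {
    f=$1; rc=0
    listen=$(pool_get "$f" listen)
    mode=$(pool_get "$f" listen.mode)
    owner=$(pool_get "$f" listen.owner)
    group=$(pool_get "$f" listen.group)
    case "$listen" in
        /*) ;;                                           # unix socket: permissions apply
        *)  echo "INFO listen=$listen is a TCP address; socket permissions do not apply"
            return 0 ;;
    esac
    # listen.mode is octal; its last digit holds the permission bits for "other"
    other=$(printf '%s' "${mode:-0660}" | sed 's/.*\(.\)$/\1/')
    case "$other" in
        [2367]) echo "FAIL listen.mode=$mode lets any local user write to $listen"; rc=1 ;;
    esac
    [ -n "$owner" ] || { echo "FAIL listen.owner is unset; set it to the web server user"; rc=1; }
    [ -n "$group" ] || { echo "FAIL listen.group is unset; set it to the web server group"; rc=1; }
    [ $rc -eq 0 ] && echo "OK $listen is reachable only by $owner:$group (mode ${mode:-0660})"
    return $rc
}

# write_weak_pool FILE -> the Step 4 pool as written (constructed copy)
write_weak_pool() {
    cat > "$1" <<'EOF'
[www]
user = www-data
group = www-data
listen.mode = 0666
listen = /var/run/php5-fpm.sock
pm = static
pm.max_children = 100
chdir = /
EOF
}

# write_hardened_pool FILE -> same pool, socket opened only to www-data
write_hardened_pool() {
    cat > "$1" <<'EOF'
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = static
pm.max_children = 100
chdir = /
EOF
}

# Usage: sh audit-pool.sh /etc/php5/fpm/php-fpm.conf
[ $# -eq 1 ] && audit_pool "$1"
```

Run audit_pool against /etc/php5/fpm/php-fpm.conf (or the pool file under pool.d). The hardened variant leaves the rest of the pool unchanged and only changes who may open the socket; with Hiawatha running as www-data it still connects.<br />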
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
The following does not cover the HTTPS configuration. If you want to configure HTTPS, refer to the official Hiawatha manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=T3kTGvL4" style="border:none;width:100%"></iframe><br />
<br />
*** If you find the Chrome browser being banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, you are required to create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=kjajATaX" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
Furthermore, if you want to disable this virtual site, you can move the "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
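Moving a virtual host file between enable-sites/ and disable-sites/ by hand works, but a typo in the name or a half-finished edit can leave Hiawatha unable to start after the restart. The following helper is an added example, not from the original post or from Hiawatha: it validates the site name, refuses ambiguous states, and only restarts when the configuration parses. It assumes that "hiawatha -k" is the server's own configuration check and that HIAWATHA_ETC may be pointed somewhere other than /etc/hiawatha for testing.<br />

```shell
#!/bin/sh
# Enable/disable a Hiawatha virtual host safely (added example; not from the original post).
# Assumptions: vhost files live in $HIAWATHA_ETC/enable-sites and disable-sites
# (Step 5a), and "hiawatha -k" is the server's own configuration check.

HIAWATHA_ETC=${HIAWATHA_ETC:-/etc/hiawatha}

# site_name_ok NAME -> 0 if NAME is a plain file name (not empty, no path components)
site_name_ok() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
        *)           return 0 ;;
    esac
}

# move_site NAME FROM TO -> moves FROM/NAME to TO/NAME, refusing ambiguous states
move_site() {
    name=$1; from=$2; to=$3
    site_name_ok "$name" || { echo "refusing bad site name: $name" >&2; return 2; }
    [ -f "$from/$name" ]  || { echo "$from/$name does not exist" >&2; return 1; }
    [ ! -e "$to/$name" ]  || { echo "$to/$name already exists; resolve by hand" >&2; return 1; }
    mv "$from/$name" "$to/$name"
}

disable_site() { move_site "$1" "$HIAWATHA_ETC/enable-sites" "$HIAWATHA_ETC/disable-sites"; }
enable_site()  { move_site "$1" "$HIAWATHA_ETC/disable-sites" "$HIAWATHA_ETC/enable-sites"; }

# site_state NAME -> prints "enabled", "disabled" or "absent"
site_state() {
    if   [ -f "$HIAWATHA_ETC/enable-sites/$1" ];  then echo enabled
    elif [ -f "$HIAWATHA_ETC/disable-sites/$1" ]; then echo disabled
    else echo absent
    fi
}

# restart_if_valid -> restart only when the configuration parses, so a broken
# vhost file never takes the running server down
restart_if_valid() {
    command -v hiawatha >/dev/null 2>&1 || { echo "hiawatha not found; not restarting" >&2; return 1; }
    hiawatha -c "$HIAWATHA_ETC" -k || { echo "configuration check failed; not restarting" >&2; return 1; }
    /etc/init.d/hiawatha restart
}

# Usage (as root): sh site-toggle.sh disable mysite.com
case "${1:-}" in
    enable)  enable_site "$2" && restart_if_valid ;;
    disable) disable_site "$2" && restart_if_valid ;;
esac
```

If the configuration check fails, the vhost file has already been moved; fix it (or move it back) and run the check again before restarting.<br />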
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />
#CGIhandler = /usr/bin/php5-cgi<br />
CGIhandler = /usr/sbin/php5-fpm<br />
CGIhandler = /usr/bin/python<br />
CGIhandler = /usr/bin/ruby<br />
CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, maybe a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or whenever the web page/site is misbehaving, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this or make it look like this.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, you should reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile.<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled.<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now, your hiawatha is very secure but I would like to make it more secure.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply Capabilities on cgi-wrapper.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
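To confirm that Step 9 took effect, and keeps taking effect after package upgrades that may reinstall the setuid binary, here is an added verification script; it is not from the original post or from Hiawatha. The getcap sample lines it parses are constructed; newer libcap releases print "path caps=ep" instead of "path = caps+ep", so both forms are accepted.<br />

```shell
#!/bin/sh
# Verify the Step 9 hardening of cgi-wrapper (added example; not from the original post).
# Expected state: no setuid bit, and exactly cap_setgid,cap_setuid as effective+permitted.
# getcap output differs between libcap releases, so both forms are parsed:
#   old:  /usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep
#   new:  /usr/sbin/cgi-wrapper cap_setgid,cap_setuid=ep

EXPECTED_CAPS="cap_setgid,cap_setuid"

# is_setuid PATH -> 0 if the setuid bit is set
is_setuid() {
    [ -u "$1" ]
}

# caps_from_getcap LINE -> prints the capability set as "names=flags" (empty if none)
caps_from_getcap() {
    line=$1
    caps=${line##* }                                 # last whitespace-separated field
    printf '%s\n' "$caps" | tr '+' '='               # old "+ep" spelling -> "=ep"
}

# caps_ok LINE -> 0 when the set is exactly EXPECTED_CAPS with flags "ep"
caps_ok() {
    [ "$(caps_from_getcap "$1")" = "${EXPECTED_CAPS}=ep" ]
}

# verify_cgi_wrapper [PATH] -> 0 if the binary is in the expected state
verify_cgi_wrapper() {
    path=${1:-/usr/sbin/cgi-wrapper}
    [ -f "$path" ] || { echo "FAIL $path not found" >&2; return 1; }
    if is_setuid "$path"; then
        echo "FAIL $path is setuid again (package upgrade?); rerun chmod u-s and setcap" >&2
        return 1
    fi
    line=$(getcap "$path" 2>/dev/null) || { echo "FAIL getcap failed; is libcap2-bin installed?" >&2; return 1; }
    caps_ok "$line" || { echo "FAIL unexpected capability set: ${line:-<none>}" >&2; return 1; }
    echo "OK $path: no setuid bit, capabilities $(caps_from_getcap "$line")"
}

# Usage: sh verify-cgi-wrapper.sh [/usr/sbin/cgi-wrapper]
[ -n "${1:-}" ] && verify_cgi_wrapper "$1"
```

The check is strict on purpose: any extra capability, or the setuid bit coming back, is reported as a failure rather than tolerated.<br />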
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to redo this step whenever logwatch is updated or upgraded, as the update will overwrite the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root .</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine tune the MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the url rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a><br />
<br />
Make sure you add "UseToolkit" at the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", you may consider switching the AppArmor profile to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, you may consider switching the AppArmor profile back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile shown above may not work 100% for your setup.<br />
<br />
<u>In order to further harden your Hiawatha web server, please consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing the <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a> feature.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider to enable your firewall at your router or on the Hiawatha Web Server with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid version) or similar. However, make sure you do not disclose your server's IP address to the public.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If budget allows, you can consider implementing <a href="https://www.untangle.com/">Untangle</a> and <a href="http://samiux.blogspot.com/2014/05/croissants-intrusion-detection-and.html">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>Samiux<br>
<br>
<b>HOWTO : Highest secured Hiawatha Web Server 9.8 on Ubuntu 14.04 LTS Server</b> (2014-09-28)<br>
<b><strike>June 28, 2014 : THERE IS A SERIOUS BUG IN APPARMOR ON UBUNTU 14.04 LTS, PLEASE SET THE HIAWATHA TO COMPLAIN MODE AT THE MOMENT.</strike></b><br>
<br>
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very
secure and fast web server in the market. It supports PHP, Perl, Python
and Ruby. It is also very lightweight, easy to configure and setup
too. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a DoS testing report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>, covering an attack against the web server itself, namely SlowLoris.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The server load went up to 3.x (as shown by top) and returned to normal after several seconds. The attacker's IP address was banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial is written for setting up the highest secured web server. Please also apply the "Optional" steps mentioned below to make the web server as secure as possible.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest state.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade</code><br />
<code>sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Select unattended updates for your system. It will push all the updates to your system when they are available. Or, you can create a cron job later to update your system at a certain time if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v3.0/cmake-3.0.2.tar.gz<br />
tar -xvzf cmake-3.0.2.tar.gz<br />
cd cmake-3.0.2<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.8).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.8.tar.gz<br />
tar -xzvf hiawatha-9.8.tar.gz<br />
<br />
cd hiawatha-9.8/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.8_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/fpm/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>zlib.output_compression = On<br />
zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>allow_url_fopen = Off<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, the cgi.fix_pathinfo should be set to 0 at this moment. <br />
<br />
*** On Ubuntu 12.04 LTS there will already be some entries at the end of "disable_functions"; just append the list above to the end of the existing list.<br />
<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen.mode = 0666</code><br />
<code>listen = /var/run/php5-fpm.sock</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
The following does not cover the HTTPS configuration. If you want to configure HTTPS, refer to the official Hiawatha manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=T3kTGvL4" style="border:none;width:100%"></iframe><br />
<br />
*** If you find the Chrome browser being banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, you are required to create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=RdUaNPbw" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
Furthermore, if you want to disable this virtual site, you can move the "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />
#CGIhandler = /usr/bin/php5-cgi<br />
CGIhandler = /usr/sbin/php5-fpm<br />
CGIhandler = /usr/bin/python<br />
CGIhandler = /usr/bin/ruby<br />
CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, maybe a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or whenever the web page/site is misbehaving, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this or make it look like this.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, you should reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile.<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled.<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now, your hiawatha is very secure but I would like to make it more secure.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply Capabilities on cgi-wrapper.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to redo this step whenever logwatch is updated or upgraded, as the update will overwrite the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root .</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine tune the MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the url rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a><br />
<br />
Make sure you add "UseToolkit" at the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", you may consider switching the AppArmor profile to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, you may consider switching the AppArmor profile back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile shown above may not work 100% for your setup.<br />
<br />
<u>In order to further harden your Hiawatha web server, please consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing the <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a> feature.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider to enable your firewall at your router or on the Hiawatha Web Server with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid version) or similar. However, make sure you do not disclose your server's IP address to the public.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If budget allows, you can consider implementing <a href="https://www.untangle.com/">Untangle</a> and <a href="http://samiux.blogspot.com/2014/05/croissants-intrusion-detection-and.html">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>Samiux<br>
<br>
<b>HOWTO : (Urgent) Highest secured Hiawatha Web Server 9.7 on Ubuntu 14.04 LTS Server</b> (2014-09-26)<br>
<b>In order to prevent being exploited through the recent bash vulnerability (CVE-2014-6271 and CVE-2014-7169), Hiawatha should use PHP5-FPM over a socket instead of PHP5-CGI. I hereby demonstrate how to apply this to a running Hiawatha. You are only required to change hiawatha.conf, php-fpm.conf and cgi-wrapper.conf as well as the virtual host configuration. After that, you are required to reboot your box.</b><br>
<br>
<br>
<b>June 28, 2014 : THERE IS A SERIOUS BUG IN APPARMOR ON UBUNTU 14.04 LTS, PLEASE SET THE HIAWATHA TO COMPLAIN MODE AT THE MOMENT.</b><br>
<br>
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very
secure and fast web server in the market. It supports PHP, Perl, Python
and Ruby. It is also very lightweight, easy to configure and setup
too. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a DoS testing report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>, covering an attack against the web server itself, namely SlowLoris.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The server load went up to 3.x (as shown by top) and returned to normal after several seconds. The attacker's IP address was banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial is written for setting up the highest secured web server. Please also apply the "Optional" steps mentioned below to make the web server as secure as possible.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest state.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade</code><br />
<code>sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Select unattended updates for your system. It will push all the updates to your system when they are available. Or, you can create a cron job later to update your system at a certain time if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v3.0/cmake-3.0.1.tar.gz<br />
tar -xvzf cmake-3.0.1.tar.gz<br />
cd cmake-3.0.1<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.7).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.7.tar.gz<br />
tar -xzvf hiawatha-9.7.tar.gz<br />
<br />
cd hiawatha-9.7/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.7_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />
log_errors = On<br />
allow_url_fopen = Off<br />
safe_mode = On<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />
cgi.fix_pathinfo = 0<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 at this moment.<br />
<br />
*** On Ubuntu 12.04 LTS, <code>disable_functions</code> already contains entries; just append the list above to the end of the existing list.<br />
<br />
*** Some PHP applications may require <code>safe_mode = off</code>.<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen.mode = 0666</code><br />
<code>listen = /var/run/php5-fpm.sock</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
The following does not cover HTTPS configuration. If you want to configure HTTPS, refer to the Hiawatha official manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=2mF7RfXT" style="border:none;width:100%"></iframe><br />
<br />
*** If you find the Chrome browser being banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, you are required to create a file named <code>mysite.com</code> and place it at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=RdUaNPbw" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
Furthermore, if you want to disable this virtual site, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart the Hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />
#CGIhandler = /usr/bin/php5-cgi<br />
CGIhandler = /usr/sbin/php5-fpm<br />
CGIhandler = /usr/bin/python<br />
CGIhandler = /usr/bin/ruby<br />
CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<strike><b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, maybe a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or when the web page/site is misbehaving, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; if it does not, make it look like this.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, you should reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br /></strike>
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now, your hiawatha is very secure but I would like to make it more secure.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply Capabilities on cgi-wrapper.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to redo this step when logwatch is updated or upgraded, as the upgrade will overwrite the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root *</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine tune the MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to setup a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the url rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a><br />
<br />
Make sure you add "UseToolkit" at the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", consider putting AppArmor into "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, consider switching AppArmor to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile above may not work 100% for you.<br />
<br />
<u>To harden your Hiawatha web server further, consider the following options:</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing the <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a> feature.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall at your router or on the Hiawatha web server with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw does not exist in your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid version) or similar. However, make sure you do not disclose your server's IP address to the public.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If the budget allows, you can consider implementing <a href="https://www.untangle.com/">Untangle</a> and <a href="http://samiux.blogspot.com/2014/05/croissants-intrusion-detection-and.html">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>Samiux<br>
<br>
<b>HOWTO : Highest secured Hiawatha Web Server 9.7 on Ubuntu 14.04 LTS Server</b> (published 2014-08-23T10:50:00.001+08:00, updated 2014-08-23T10:53:23.487+08:00)<br>
<b>June 28, 2014 : THERE IS A SERIOUS BUG IN APPARMOR ON UBUNTU 14.04 LTS, PLEASE SET THE HIAWATHA TO COMPLAIN MODE AT THE MOMENT.</b><br>
<br>
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a testing report on DoS at <a href="https://www.hiawatha-webserver.org/weblog/64">here</a> which is against the web server itself, namely SlowLoris.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The load of the server went up to 3.x (using top) and after several seconds it returned to normal. The attacker's IP address is banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial is written for setting up the most highly secured web server. Please also apply the "Optional" steps mentioned below to achieve that.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest state.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade</code><br />
<code>sudo apt-get autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Select unattended updates for your system. It will push all updates to your system whenever there are any. Or, if you prefer, you can create a cron job later to update your system at a certain time.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm mysql-server mysql-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v3.0/cmake-3.0.1.tar.gz<br />
tar -xvzf cmake-3.0.1.tar.gz<br />
cd cmake-3.0.1<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.7).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.7.tar.gz<br />
tar -xzvf hiawatha-9.7.tar.gz<br />
<br />
cd hiawatha-9.7/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.7_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />
log_errors = On<br />
allow_url_fopen = Off<br />
safe_mode = On<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />
cgi.fix_pathinfo = 0<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 at this moment.<br />
<br />
*** On Ubuntu 12.04 LTS, <code>disable_functions</code> already contains entries; just append the list above to the end of the existing list.<br />
<br />
*** Some PHP applications may require <code>safe_mode = off</code>.<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen = 127.0.0.1:9000</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chroot = /var/www/</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
The following does not cover HTTPS configuration. If you want to configure HTTPS, refer to the Hiawatha official manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=mjG7yvHU" style="border:none;width:100%"></iframe><br />
<br />
*** If you find the Chrome browser being banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, you are required to create a file named <code>mysite.com</code> and place it at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=9XXL8FE6" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
Furthermore, if you want to disable this virtual site, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart the Hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<strike><b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, maybe a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or when the web page/site is misbehaving, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; if it does not, make it look like this.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, you should reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br /></strike>
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now, your hiawatha is very secure but I would like to make it more secure.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply Capabilities on cgi-wrapper.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
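The following is an added verification script, not part of the original post, for Step 9 as it appears in both posts above: it confirms that the setuid bit really is gone from cgi-wrapper and that the file capability set is exactly <code>cap_setgid,cap_setuid+ep</code> and nothing more, so a later package upgrade or a stray <code>setcap</code> cannot quietly widen it. It assumes <code>getcap</code> from libcap2-bin and GNU coreutils <code>stat</code>, as on Ubuntu; the <code>WRAPPER</code> variable and the function names are mine.<br />

```shell
#!/bin/sh
# Added example (not from the post): audit the Step 9 hardening of cgi-wrapper.
# Assumes libcap2-bin (getcap) and GNU coreutils stat (Ubuntu defaults).
WRAPPER=${WRAPPER:-/usr/sbin/cgi-wrapper}
EXPECTED_CAPS="cap_setgid,cap_setuid+ep"

# caps_match GETCAP_LINE
# Returns 0 only if the getcap output names exactly the expected capability set.
# Older libcap prints "<path> = <caps>", libcap 2.41+ prints "<path> <caps>";
# both separators are accepted.
caps_match() {
    caps=$(printf '%s\n' "$1" | sed -E 's/^[^ ]+ (= )?//')
    [ "$caps" = "$EXPECTED_CAPS" ]
}

# setuid_cleared FILE
# Returns 0 if neither the setuid nor the setgid bit is set on FILE.
setuid_cleared() {
    mode=$(stat -c '%a' "$1") || return 1
    # stat %a prints e.g. 4755; a four-digit mode whose first digit is
    # 4 (setuid), 2 (setgid) or 6 (both) still carries an s bit.
    case $mode in
        [426][0-7][0-7][0-7]) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_cgi_wrapper FILE
# Runs both checks against a real binary and reports each result.
audit_cgi_wrapper() {
    f=$1; rc=0
    if setuid_cleared "$f"; then
        echo "ok:   no setuid/setgid bit on $f"
    else
        echo "FAIL: setuid/setgid bit still set on $f"; rc=1
    fi
    if caps_match "$(getcap "$f" 2>/dev/null)"; then
        echo "ok:   $f has exactly $EXPECTED_CAPS"
    else
        echo "FAIL: $f capabilities are not exactly $EXPECTED_CAPS"; rc=1
    fi
    return $rc
}

# Usage: sh audit-cgi-wrapper.sh /usr/sbin/cgi-wrapper
if [ "$#" -gt 0 ]; then
    audit_cgi_wrapper "$1"
fi
```

Run it after Step 9 and again after any <code>apt-get upgrade</code> that touches the Hiawatha package; a non-zero exit means the wrapper has either regained its setuid bit or been granted capabilities beyond the two it needs.<br />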
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to redo this step when logwatch is updated or upgraded, as the upgrade will overwrite the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root *</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine tune the MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to setup a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the url rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a><br />
<br />
Make sure you add "UseToolkit" at the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", consider putting AppArmor into "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, consider switching AppArmor to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile above may not work 100% for you.<br />
<br />
<u>To harden your Hiawatha web server further, consider the following options:</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing the <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a> feature.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall at your router or on the Hiawatha web server with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw does not exist in your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid version) or similar. However, make sure you do not disclose your server's IP address to the public.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If the budget allows, you can consider implementing <a href="https://www.untangle.com/">Untangle</a> and <a href="http://samiux.blogspot.com/2014/05/croissants-intrusion-detection-and.html">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>Samiux<br>
<br>
<b>HOWTO : Highest secured Hiawatha Web Server 9.6 on Ubuntu 14.04 LTS Server</b> (published 2014-06-01T17:56:00.001+08:00, updated 2014-06-28T09:05:30.166+08:00)<br>
<b>June 28, 2014 : THERE IS A SERIOUS BUG IN APPARMOR ON UBUNTU 14.04 LTS, PLEASE SET THE HIAWATHA TO COMPLAIN MODE AT THE MOMENT.</b><br>
<br>
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a testing report on DoS at <a href="https://www.hiawatha-webserver.org/weblog/64">here</a> which is against the web server itself, namely SlowLoris.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The load of the server went up to 3.x (using top) and after several seconds it returned to normal. The attacker's IP address is banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial is written for setting up the most highly secured web server. Please also apply the "Optional" steps mentioned below to achieve that.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest state.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade</code><br />
<code>sudo apt-get --purge autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Select unattended updates for your system. It will push all updates to your system whenever there are any. Or, if you prefer, you can create a cron job later to update your system at a certain time.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm</code><br />
<br />
<b>Step 1a - Installation of Percona Server (MySQL Alternative)</b><br />
<br />
Percona Server is used instead of MySQL for performance reasons. You can use MySQL or MariaDB as well.<br />
<br />
<code>gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A</code><br />
<code>gpg -a --export CD2EFD2A | sudo apt-key add -</code><br />
<br />
<code>sudo nano /etc/apt/sources.list.d/percona.list</code><br />
<br />
<code>deb http://repo.percona.com/apt trusty main<br />
deb-src http://repo.percona.com/apt trusty main</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install percona-xtradb-cluster-server percona-xtradb-cluster-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.12.2.tar.gz<br />
tar -xvzf cmake-2.8.12.2.tar.gz<br />
cd cmake-2.8.12.2<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.6).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.6.tar.gz<br />
tar -xzvf hiawatha-9.6.tar.gz<br />
<br />
cd hiawatha-9.6/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.6_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />
log_errors = On<br />
allow_url_fopen = Off<br />
safe_mode = On<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />
cgi.fix_pathinfo = 0<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 at this moment.<br />
<br />
*** On Ubuntu 12.04 LTS, <code>disable_functions</code> already contains entries; just append the list above to the end of the existing list.<br />
<br />
*** Some PHP applications may require <code>safe_mode = off</code>.<br />
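Step 3a is repeated in all three posts above, and its note about appending to an existing <code>disable_functions</code> list is exactly where hand edits go wrong: the list gets overwritten, or the directive ends up twice in the file. The script below is an added example, not from the post, that applies the Step 3a directives to a php.ini idempotently with POSIX sh and awk (assumed to be the Ubuntu toolchain): each directive replaces the active or commented-out line of the same name, and <code>disable_functions</code> is merged as a union with whatever the distribution already lists. The function names and the sample file in the usage are mine.<br />

```shell
#!/bin/sh
# Added example (not from the post): apply the Step 3a php.ini hardening
# idempotently. Assumes POSIX sh and awk (mawk/gawk) as shipped on Ubuntu.

# set_ini FILE KEY VALUE
# Replace the line "KEY = ..." (also when it is commented out as ";KEY = ...")
# with "KEY = VALUE"; drop later duplicates; append the directive if absent.
set_ini() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^;/, "", line)            # a commented-out directive counts as a match
            if (match(line, /^[^ \t=]+[ \t]*=/)) {
                k = substr(line, 1, RLENGTH)
                sub(/[ \t]*=$/, "", k)
                if (k == key) {
                    if (!done) { print key " = " value; done = 1 }
                    next                   # later copies of the key are dropped
                }
            }
            print
        }
        END { if (!done) print key " = " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_ini FILE KEY: print the active (uncommented) value of KEY, empty if unset.
get_ini() {
    awk -v key="$2" '
        /^[^;]/ {
            line = $0
            if (match(line, /^[^ \t=]+[ \t]*=/)) {
                k = substr(line, 1, RLENGTH); sub(/[ \t]*=$/, "", k)
                if (k == key) {
                    v = substr(line, RLENGTH + 1); sub(/^[ \t]*/, "", v)
                    print v; exit
                }
            }
        }
    ' "$1"
}

# merge_disable_functions FILE "f1, f2, ..."
# Union of the existing disable_functions entries and the new ones, order kept,
# so a distribution default such as pcntl_* is never silently lost.
merge_disable_functions() {
    file=$1; wanted=$2
    current=$(get_ini "$file" disable_functions)
    merged=$(printf '%s,%s\n' "$current" "$wanted" | tr ',' '\n' | tr -d ' \t' |
        awk 'NF && !seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 } END { print "" }')
    set_ini "$file" disable_functions "$merged"
}

# harden_php_ini FILE: the Step 3a directives from the post.
harden_php_ini() {
    file=$1
    set_ini "$file" display_errors Off
    set_ini "$file" log_errors On
    set_ini "$file" allow_url_fopen Off
    set_ini "$file" safe_mode On          # some applications need it off (see the note above)
    set_ini "$file" expose_php Off
    set_ini "$file" enable_dl Off
    set_ini "$file" session.cookie_httponly 1
    set_ini "$file" cgi.fix_pathinfo 0
    merge_disable_functions "$file" \
        "system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd"
}

# Usage: sudo sh harden-php-ini.sh /etc/php5/cgi/php.ini
if [ "$#" -gt 0 ]; then
    harden_php_ini "$1"
fi
```

Running it twice leaves the file unchanged the second time, which is what makes it safe to keep in a provisioning script; <code>get_ini</code> doubles as a quick way to confirm the live values after an upgrade replaces php.ini.<br />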
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen = 127.0.0.1:9000</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chroot = /var/www/</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
The following does not cover HTTPS configuration. If you want to configure HTTPS, refer to the official Hiawatha manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=R9XQb0ku" style="border:none;width:100%"></iframe><br />
<br />
*** If the Chrome browser gets banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=9XXL8FE6" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
To disable this virtual host later, move <code>mysite.com</code> to <code>/etc/hiawatha/disable-sites/</code> and restart Hiawatha.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command, then let the web site run for a while, a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or whenever the web page/site misbehaves, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; edit it until it does.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Put the profile in enforce mode (this activates the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To re-enable the profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
At this point your Hiawatha is already very secure, but the cgi-wrapper can be hardened further.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Replace the setuid root bit on cgi-wrapper with the two file capabilities it actually needs.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
Check the result with getcap:<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make Logwatch aware of your Hiawatha web server's log files.<br />
<br />
Make sure to redo this step whenever logwatch is updated or upgraded, as the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root *</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine-tune MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" in the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a>.<br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a>.<br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a>.<br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", consider switching AppArmor to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, switch AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile above may not work 100% for your setup.<br />
<br />
<u>In order to further harden your Hiawatha web server, please consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also enable a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid version) or similar. However, make sure your server's IP address is not disclosed to the public.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If budget allows, consider implementing <a href="https://www.untangle.com/">Untangle</a> and <a href="http://samiux.blogspot.com/2014/05/croissants-intrusion-detection-and.html">Croissants</a>.<br />
<br />
That's all! See you.<br>
<br>
Samiux<br />
<br />
<b>HOWTO : Highest secured Hiawatha Web Server 9.5 on Ubuntu 14.04 LTS Server</b> (published 2014-05-06)<br />
<br />
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
There is a test report on a DoS attack against the web server itself (Slowloris) <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>.<br />
<br />
Meanwhile, I have tested my production Hiawatha web server (in the following configuration) with <a href="https://www.nightlionsecurity.com/blog/news/2014/04/phpstress-dos-attack-php-nginx-apache/">PHPStress</a> (a kind of DoS against PHP) and my Hiawatha stayed alive. The load of the server went up to 3.x (as shown by top) and after several seconds it returned to normal. The attacker's IP address was banned accordingly. However, it is not banned forever.<br />
<br />
This tutorial is written for setting up the most secure web server possible. Please also apply the "Optional" steps mentioned below to reach that level of security.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 14.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest packages.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade</code><br />
<code>sudo apt-get --purge autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Select unattended updates for your system; it will apply all updates as they become available. Or, if you prefer, you can create a cron job later to update your system at a set time.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm</code><br />
<br />
<b>Step 1a - Installation of Percona Server (MySQL Alternative)</b><br />
<br />
Percona Server is used instead of MySQL for performance reasons. You can use MySQL or MariaDB as well.<br />
<br />
<code>gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A</code><br />
<code>gpg -a --export CD2EFD2A | sudo apt-key add -</code><br />
<br />
<code>sudo nano /etc/apt/sources.list.d/percona.list</code><br />
<br />
<code>deb http://repo.percona.com/apt trusty main<br />
deb-src http://repo.percona.com/apt trusty main</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install percona-xtradb-cluster-server percona-xtradb-cluster-client</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.12.2.tar.gz<br />
tar -xvzf cmake-2.8.12.2.tar.gz<br />
cd cmake-2.8.12.2<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.5).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.5.tar.gz<br />
tar -xzvf hiawatha-9.5.tar.gz<br />
<br />
cd hiawatha-9.5/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.5_amd64.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />
log_errors = On<br />
allow_url_fopen = Off<br />
safe_mode = On<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />
cgi.fix_pathinfo = 0<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 for the time being.<br />
<br />
*** On Ubuntu 12.04 LTS, <code>disable_functions</code> already contains entries; append the list above to the end of that existing list rather than replacing it.<br />
<br />
*** Some PHP applications may require <code>safe_mode = off</code>.<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen = 127.0.0.1:9000</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chroot = /var/www/</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
The following does not cover HTTPS configuration. If you want to configure HTTPS, refer to the official Hiawatha manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=R9XQb0ku" style="border:none;width:100%"></iframe><br />
<br />
*** If the Chrome browser gets banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=9XXL8FE6" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
To disable this virtual host later, move <code>mysite.com</code> to <code>/etc/hiawatha/disable-sites/</code> and restart Hiawatha.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command, then let the web site run for a while, a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or whenever the web page/site misbehaves, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; edit it until it does.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Put the profile in enforce mode (this activates the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To re-enable the profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
At this point your Hiawatha is already very secure, but the cgi-wrapper can be hardened further.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Replace the setuid root bit on cgi-wrapper with the two file capabilities it actually needs.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
Check the result with getcap:<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
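As an added example (not part of the original post), the following script checks that Step 9 of both the 9.6 and 9.5 guides above has really taken effect: the setuid bit on cgi-wrapper is cleared and the binary carries exactly <code>cap_setgid,cap_setuid+ep</code>, so an over-privileged capability set is flagged instead of silently accepted. The function names and the constructed getcap lines are the example's own; the live check assumes GNU stat and getcap from libcap2-bin.<br />

```shell
#!/bin/sh
# Added example, not from the original post: verify that Step 9 has been applied
# to cgi-wrapper, i.e. the setuid bit is gone and the binary carries exactly
# cap_setgid and cap_setuid as effective+permitted, nothing more.
# Assumes GNU coreutils stat and getcap from libcap2-bin for the live check.

EXPECTED_NAMES="cap_setgid,cap_setuid"   # sorted names; flags checked separately

# caps_from_getcap_line LINE -> prints the capability part of a getcap output
# line, accepting "/path = caps+ep" (older libcap, as shown in the post) and
# "/path caps=ep" (newer libcap); empty output when the line is empty
caps_from_getcap_line() {
    case "$1" in
        *" = "*) printf '%s\n' "${1#* = }" ;;
        *" "*)   printf '%s\n' "${1##* }" ;;
        *)       printf '\n' ;;
    esac
}

# check_caps CAPS -> 0 if CAPS is exactly the Step 9 set in any order,
# 1 if a capability is missing or extra, or the flags are not e+p
check_caps() {
    caps=$(printf '%s\n' "$1" | sed 's/=ep$/+ep/')     # normalise newer syntax
    names=${caps%+ep}
    [ -n "$caps" ] && [ "$names" != "$caps" ] || return 1
    sorted=$(printf '%s\n' "$names" | tr ',' '\n' | sort | tr '\n' ',')
    [ "${sorted%,}" = "$EXPECTED_NAMES" ]
}

# check_mode MODE -> 0 if the octal mode (755, 0755, ...) has neither setuid
# nor setgid set, 1 otherwise (4755 is what the package ships)
check_mode() {
    mode="$1"
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done   # pad to four digits
    case "$mode" in
        [2-7]???) return 1 ;;                         # 2=setgid 4=setuid 6=both
        *)        return 0 ;;
    esac
}

# audit_cgi_wrapper [PATH] -> 0 if the installed binary passes both checks,
# 1 with a message on stderr otherwise, 2 if the file is missing
audit_cgi_wrapper() {
    bin="${1:-/usr/sbin/cgi-wrapper}"
    [ -e "$bin" ] || { echo "$bin: not found" >&2; return 2; }
    mode=$(stat -c '%a' "$bin")
    caps=$(caps_from_getcap_line "$(getcap "$bin" 2>/dev/null)")
    rc=0
    check_mode "$mode" || { echo "$bin: mode $mode still has setuid/setgid" >&2; rc=1; }
    check_caps "$caps" || { echo "$bin: caps '$caps' are not cap_setgid,cap_setuid+ep" >&2; rc=1; }
    return $rc
}

# Demo on constructed inputs (no root needed): the post's getcap output passes,
# a still-setuid mode and an over-privileged capability set do not
check_caps "$(caps_from_getcap_line '/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep')" && echo "post's getcap output: ok"
check_mode 4755 || echo "mode 4755: setuid bit still set"
check_caps "cap_setgid,cap_setuid,cap_net_bind_service+ep" || echo "extra capability: not ok"
```

Run <code>audit_cgi_wrapper</code> on the real binary after the chmod and setcap commands above; a non-zero exit means one of the two steps did not stick.<br />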
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make Logwatch aware of your Hiawatha web server's log files.<br />
<br />
Make sure to redo this step whenever logwatch is updated or upgraded, as the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root *</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine-tune MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" in the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a>.<br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a>.<br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a>.<br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", consider switching AppArmor to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, switch AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile above may not work 100% for your setup.<br />
<br />
<u>In order to further harden your Hiawatha web server, please consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also enable a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid version) or similar. However, make sure your server's IP address is not disclosed to the public.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If budget allows, consider implementing Untangle and SmoothSec; see <a href="http://samiux.blogspot.com/2013/12/howto-build-fortress-for-your-homesoho.html">this link</a> for an example.<br />
<br />
That's all! See you.<br>
<br>Samiux<br />
<br />
<b>HOWTO : Highest secured Hiawatha Web Server 9.4 on Ubuntu 12.04 LTS Server</b> (published 2014-03-25)<br />
<br />
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
For performance, refer to SaltwaterC's study <a href="http://www.hiawatha-webserver.org/files/PHP_web_serving_study.pdf">here</a>. There is a DoS test report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>.<br />
<br />
This tutorial is written for setting up the most secure web server possible. Please also apply the "Optional" steps mentioned below to reach that level of security.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 12.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest packages.<br />
<br />
<code>sudo apt-get update<br />
sudo apt-get dist-upgrade</code><br />
<code>sudo apt-get --purge autoclean<br />
sudo apt-get --purge autoremove</code><br />
<br />
Select unattended updates for your system; it will apply all updates as they become available. Or, if you prefer, you can create a cron job later to update your system at a set time.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm</code><br />
<br />
<b>Step 1a - Installation of Percona Server (MySQL Alternative)</b><br />
<br />
Percona Server is used instead of MySQL for performance reasons.<br />
<br />
<code>gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A</code><br />
<code>gpg -a --export CD2EFD2A | sudo apt-key add -</code><br />
<br />
<code>sudo nano /etc/apt/sources.list.d/percona.list</code><br />
<br />
<code>deb http://repo.percona.com/apt precise main<br />
deb-src http://repo.percona.com/apt precise main</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install percona-server-server-5.5 percona-server-client-5.5</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.12.2.tar.gz<br />
tar -xvzf cmake-2.8.12.2.tar.gz<br />
cd cmake-2.8.12.2<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.4).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.4.tar.gz<br />
tar -xzvf hiawatha-9.4.tar.gz<br />
<br />
cd hiawatha-9.4/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.4_amd64.deb</code><br />
<br />
or<br />
<br />
<code>sudo dpkg -i hiawatha_9.4_i386.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />
log_errors = On<br />
allow_url_fopen = Off<br />
safe_mode = On<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />
cgi.fix_pathinfo = 0<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 for the time being.<br />
<br />
*** On Ubuntu 12.04 LTS, <code>disable_functions</code> already contains entries; append the list above to the end of that existing list rather than replacing it.<br />
<br />
*** Some PHP applications may require <code>safe_mode = off</code>.<br />
<br />
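As an added example (not part of the original post), the following script applies the Step 3 and Step 3a settings to a php.ini and merges <code>disable_functions</code> with whatever the distribution already lists, which is the point of the Ubuntu 12.04 note above. It serves Step 3/3a of all three guides on this page; the file path, the helper names and the sample php.ini fragment are the example's own.<br />

```shell
#!/bin/sh
# Added example, not from the original post: apply the Step 3/3a php.ini
# hardening to a php.ini file, merging disable_functions with the entries the
# distribution already ships (the Ubuntu 12.04 note) instead of overwriting them.
# Assumes POSIX sh and awk; the php.ini path is passed as an argument.
# Directives from Step 3 and Step 3a, one "key=value" per line
HARDEN_DIRECTIVES='cgi.rfc2616_headers=1
zlib.output_compression=On
zlib.output_compression_level=6
display_errors=Off
log_errors=On
allow_url_fopen=Off
safe_mode=On
expose_php=Off
enable_dl=Off
session.cookie_httponly=1
cgi.fix_pathinfo=0'

# Functions to add to disable_functions (Step 3a)
DISABLE_FUNCS='system,show_source,symlink,exec,dl,shell_exec,passthru,phpinfo,escapeshellarg,escapeshellcmd'
# get_directive FILE KEY -> prints the effective value of KEY (last uncommented
# assignment wins, as PHP itself does); prints an empty line if unset
get_directive() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                      # comment line
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)             # strip trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# set_directive FILE KEY VALUE -> rewrites every uncommented assignment of KEY,
# or appends one if there is none; commented-out examples are left untouched
set_directive() {
    file="$1"; key="$2"; value="$3"; tmp="$1.tmp"
    awk -v key="$key" -v value="$value" '
        /^[ \t]*[;#]/ { print; next }
        {
            n = index($0, "=")
            if (n > 0) {
                k = substr($0, 1, n - 1)
                gsub(/^[ \t]+|[ \t]+$/, "", k)
                if (k == key) { print key " = " value; done = 1; next }
            }
            print
        }
        END { if (!done) print key " = " value }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# merged_disable_functions FILE -> union of the file's current disable_functions
# list and DISABLE_FUNCS: existing entries first, duplicates dropped, ", " joined
merged_disable_functions() {
    existing=$(get_directive "$1" disable_functions)
    printf '%s,%s\n' "$existing" "$DISABLE_FUNCS" | awk -F',' '
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                f = $i; gsub(/^[ \t]+|[ \t]+$/, "", f)
                if (f == "" || seen[f]++) continue
                out = (out == "") ? f : out ", " f
            }
            print out
        }'
}

# harden_php_ini FILE -> applies every directive above to FILE in place
harden_php_ini() {
    file="$1"
    printf '%s\n' "$HARDEN_DIRECTIVES" | while IFS='=' read -r key value; do
        if [ -n "$key" ]; then set_directive "$file" "$key" "$value"; fi
    done
    set_directive "$file" disable_functions "$(merged_disable_functions "$file")"
}

# make_sample_ini FILE -> constructed fragment resembling a stock php.ini
make_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample, not a real Ubuntu php.ini
; display_errors = On
display_errors = On
expose_php = On
disable_functions = pcntl_alarm,pcntl_fork,pcntl_exec
cgi.fix_pathinfo=1
EOF
}

# Demo on a throwaway copy: the existing pcntl_* entries survive the merge
SAMPLE="${TMPDIR:-/tmp}/php-ini-example.$$"
make_sample_ini "$SAMPLE"
harden_php_ini "$SAMPLE"
echo "disable_functions: $(get_directive "$SAMPLE" disable_functions)"
rm -f "$SAMPLE"
```

Run <code>harden_php_ini</code> against a copy of <code>/etc/php5/cgi/php.ini</code> first and diff it against the original before replacing the live file.<br />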
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen = 127.0.0.1:9000</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chroot = /var/www/</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
The following does not cover HTTPS configuration. If you want to configure HTTPS, refer to the official Hiawatha manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=4pQYLrqX" style="border:none;width:100%"></iframe><br />
<br />
*** If the Chrome browser gets banned, consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=FT1ZC941" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
To disable this virtual host later, move <code>mysite.com</code> to <code>/etc/hiawatha/disable-sites/</code> and restart Hiawatha.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or whenever the web page/site misbehaves, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; if it does not, make it look like this.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Put the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed any settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now your Hiawatha is very secure, but I would like to make it more secure still.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply capabilities to cgi-wrapper: remove the setuid bit and grant only the CAP_SETUID and CAP_SETGID capabilities it needs to switch to the jail's user and group.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make Logwatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to re-do this step whenever Logwatch is updated or upgraded, as the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root .</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine-tune MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Set up an FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" in the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a>.<br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a>.<br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a>.<br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", you may consider switching AppArmor to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, you may consider turning AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile given above may not work 100% for your setup.<br />
<br />
<u>To further harden your Hiawatha web server, please consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid version) or similar. However, make sure you do not disclose your server's IP address to the public.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If budget allows, you can consider implementing Untangle and SmoothSec; refer to <a href="http://samiux.blogspot.com/2013/12/howto-build-fortress-for-your-homesoho.html">this link</a> as an example.<br />
<br />
That's all! See you.<br>
<br>
<b>HOWTO : Highest secured Hiawatha Web Server 9.3.1 on Ubuntu 12.04 LTS Server</b> (by Samiux, 2014-01-18, updated 2014-03-02)<br />
<br />
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
For performance, please refer to SaltwaterC's study <a href="http://www.hiawatha-webserver.org/files/PHP_web_serving_study.pdf">here</a>. There is also a DoS test report <a href="https://www.hiawatha-webserver.org/weblog/64">here</a>.<br />
<br />
This tutorial is written for setting up the most highly secured web server possible. Please also apply the "Optional" steps mentioned below to reach that goal.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 12.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest state.<br />
<br />
<code>sudo apt-get update<br />sudo apt-get upgrade<br />sudo apt-get dist-upgrade<br />sudo apt-get --purge autoclean<br />sudo apt-get --purge autoremove</code><br />
<br />
Select unattended updates for your system. It will push all updates to your system whenever there are any. Or, if you prefer, you can create a cron job later to update your system at a set time.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm</code><br />
<br />
<b>Step 1a - Installation of Percona Server (MySQL Alternative)</b><br />
<br />
Percona Server is used instead of MySQL for performance reasons.<br />
<br />
<code>gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A</code><br />
<code>gpg -a --export CD2EFD2A | sudo apt-key add -</code><br />
<br />
<code>sudo nano /etc/apt/sources.list.d/percona.list</code><br />
<br />
<code>deb http://repo.percona.com/apt precise main<br />
deb-src http://repo.percona.com/apt precise main</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install percona-server-server-5.5 percona-server-client-5.5</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.12.1.tar.gz<br />
tar -xvzf cmake-2.8.12.1.tar.gz<br />
cd cmake-2.8.12.1<br />
./configure<br />
make<br />
sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.3.1).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.3.1.tar.gz<br />
tar -xzvf hiawatha-9.3.1.tar.gz<br />
cd hiawatha-9.3.1/<br />
./polarssl/upgrade 1.3.3<br />
cd extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.3.1_amd64.deb</code><br />
<br />
or<br />
<br />
<code>sudo dpkg -i hiawatha_9.3.1_i386.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />log_errors = On<br />allow_url_fopen = Off<br />safe_mode = On<br />expose_php = Off<br />enable_dl = Off<br />session.cookie_httponly = 1<br />disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />cgi.fix_pathinfo = 0</code><br />
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, cgi.fix_pathinfo should be set to 0 for the time being.<br />
<br />
*** On Ubuntu 12.04 LTS, "disable_functions" already has some entries; just append the list above to the end of the existing list.<br />
<br />
*** Some PHP applications may require <code>safe_mode = off</code>.<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]<br />user = www-data<br />group = www-data<br />listen = 127.0.0.1:9000<br />pm = static<br />pm.max_children = 100<br />chroot = /var/www/<br />chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
The following does not cover the HTTPS configuration. If you want to configure HTTPS, refer to the Hiawatha official manual.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=4pQYLrqX" style="border:none;width:100%"></iframe><br />
<br />
*** If you find the Chrome browser being banned, you may consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line in the <code>VIRTUAL HOSTS</code> section.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> and place it at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=FT1ZC941" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
Furthermore, if you want to disable this virtual host, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart the Hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or whenever the web page/site misbehaves, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; if it does not, make it look like this.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Put the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed any settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now your Hiawatha is very secure, but I would like to make it more secure still.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply capabilities to cgi-wrapper: remove the setuid bit and grant only the CAP_SETUID and CAP_SETGID capabilities it needs to switch to the jail's user and group.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make Logwatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to re-do this step whenever Logwatch is updated or upgraded, as the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root .</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine-tune MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Set up an FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" in the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a>.<br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a>.<br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a>.<br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", you may consider switching AppArmor to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, you may consider turning AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile given above may not work 100% for your setup.<br />
<br />
<u>To further harden your Hiawatha web server, please consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider using <a href="https://www.cloudflare.com/">Cloudflare</a> (free or paid version) or similar. However, make sure you do not disclose your server's IP address to the public.<br />
<br />
<b>Optional #4 :</b><br />
<br />
If budget allows, you can consider implementing Untangle and SmoothSec; refer to <a href="http://samiux.blogspot.com/2013/12/howto-build-fortress-for-your-homesoho.html">this link</a> as an example.<br />
<br />
That's all! See you.<br>
<br>
<b>HOWTO : Highest secured Hiawatha Web Server 9.3 on Ubuntu 12.04 LTS Server</b> (by Samiux, 2013-12-07, updated 2014-01-19)<br />
<br />
*** This update fixes some browser errors and enhances Hiawatha security ***<br />
<br />
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server in the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
For performance, please refer to SaltwaterC's study <a href="http://www.hiawatha-webserver.org/files/PHP_web_serving_study.pdf">here</a>.<br />
<br />
This tutorial is written for setting up the most highly secured web server possible. Please also apply the "Optional" steps mentioned below to reach that goal.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 12.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest state.<br />
<br />
<code>sudo apt-get update<br />sudo apt-get upgrade<br />sudo apt-get dist-upgrade<br />sudo apt-get --purge autoclean<br />sudo apt-get --purge autoremove</code><br />
<br />
Select unattended updates for your system. It will push all updates to your system whenever there are any. Or, if you prefer, you can create a cron job later to update your system at a set time.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm</code><br />
<br />
<b>Step 1a - Installation of Percona Server (MySQL Alternative)</b><br />
<br />
Percona Server is used instead of MySQL for performance reasons.<br />
<br />
<code>gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A</code><br />
<code>gpg -a --export CD2EFD2A | sudo apt-key add -</code><br />
<br />
<code>sudo nano /etc/apt/sources.list.d/percona.list</code><br />
<br />
<code>deb http://repo.percona.com/apt precise main<br />
deb-src http://repo.percona.com/apt precise main</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install percona-server-server-5.5 percona-server-client-5.5</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.12.1.tar.gz<br />tar -xvzf cmake-2.8.12.1.tar.gz<br />cd cmake-2.8.12.1<br />./configure<br />make<br />sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.3).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.3.tar.gz<br />tar -xzvf hiawatha-9.3.tar.gz<br />cd hiawatha-9.3/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.3_amd64.deb</code><br />
<br />
or<br />
<br />
<code>sudo dpkg -i hiawatha_9.3_i386.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />log_errors = On<br />allow_url_fopen = Off<br />safe_mode = On<br />expose_php = Off<br />enable_dl = Off<br />session.cookie_httponly = 1<br />disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />cgi.fix_pathinfo = 0</code><br />
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, cgi.fix_pathinfo should be set to 0 for the time being.<br />
<br />
*** On Ubuntu 12.04 LTS, "disable_functions" already has some entries; just append the list above to the end of the existing list.<br />
<br />
*** Some PHP applications may require <code>safe_mode = off</code>.<br />
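As an added example (not part of the original post, Hiawatha or PHP), the following Python script audits a php.ini against the settings of Steps 3 and 3a, so the hand edits can be re-checked after a package upgrade replaces the file. It treats disable_functions as a set because of the append note above, and the php.ini embedded in it is a constructed sample.<br />

```python
"""Audit a php.ini against the hardening settings in Steps 3 and 3a.

Added example, not part of the original post or of Hiawatha/PHP. It
parses php.ini syntax (`key = value`, `;` comments, `[Section]` headers),
normalises boolean spellings the way PHP does (On/1/True/Yes vs
Off/0/False/No/empty), and treats disable_functions as a set, because the
stock Ubuntu 12.04 php.ini already lists functions there and the guide
says to append to that list rather than replace it.
"""
import sys
from typing import Dict, List, Optional

# Directives and values the guide asks for (Step 3 and Step 3a).
REQUIRED_BOOL = {
    "cgi.rfc2616_headers": True,
    "zlib.output_compression": True,
    "display_errors": False,
    "log_errors": True,
    "allow_url_fopen": False,
    "safe_mode": True,
    "expose_php": False,
    "enable_dl": False,
    "session.cookie_httponly": True,
    "cgi.fix_pathinfo": False,
}
REQUIRED_EXACT = {"zlib.output_compression_level": "6"}
REQUIRED_DISABLED = {
    "system", "show_source", "symlink", "exec", "dl", "shell_exec",
    "passthru", "phpinfo", "escapeshellarg", "escapeshellcmd",
}
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Map directive name (lower-cased) to its raw value.

    A later duplicate overrides an earlier one, as in PHP. Everything after
    ';' is a comment, so a commented-out directive is simply absent.
    Values containing a literal ';' inside quotes are not handled.
    """
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key.strip().lower()] = value
    return result


def as_bool(value: str) -> Optional[bool]:
    """Interpret a php.ini boolean; None for a spelling PHP would not accept."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return None


def audit(text: str) -> List[str]:
    """Return one finding per deviation; an empty list means compliant."""
    ini = parse_php_ini(text)
    findings: List[str] = []
    for key, want in REQUIRED_BOOL.items():
        if key not in ini:
            # Absent means PHP's built-in default applies, e.g. cgi.fix_pathinfo=1.
            findings.append(f"{key}: missing, want {'On' if want else 'Off'}")
            continue
        got = as_bool(ini[key])
        if got is None:
            findings.append(f"{key}: unrecognised value {ini[key]!r}")
        elif got != want:
            findings.append(f"{key}: is {ini[key]!r}, want {'On' if want else 'Off'}")
    for key, want in REQUIRED_EXACT.items():
        if ini.get(key) != want:
            findings.append(f"{key}: is {ini.get(key)!r}, want {want!r}")
    present = {f.strip().lower()
               for f in ini.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - present)
    if missing:
        findings.append("disable_functions: still enabled: " + ", ".join(missing))
    return findings


# Constructed sample: a stock php.ini that was only partly edited.
SAMPLE_INI = """\
[PHP]
; Ubuntu's own entries first, then most of the guide's list appended
disable_functions = pcntl_alarm,pcntl_fork, system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg
expose_php = Off
display_errors = Off
log_errors = On
allow_url_fopen = On
;safe_mode = On
enable_dl = Off
session.cookie_httponly = 1
cgi.rfc2616_headers = 1
zlib.output_compression = On
zlib.output_compression_level = 6
cgi.fix_pathinfo=1
"""

if __name__ == "__main__":
    # Usage: python3 audit_php_ini.py /etc/php5/cgi/php.ini (sample if no path given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    for finding in audit(text) or ["php.ini matches the guide"]:
        print(finding)
```

Run against the sample it reports the commented-out safe_mode, the wrong allow_url_fopen and cgi.fix_pathinfo values, and the one function missing from disable_functions.<br />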
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]<br />user = www-data<br />group = www-data<br />listen = 127.0.0.1:9000<br />pm = static<br />pm.max_children = 100<br />chroot = /var/www/<br />chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=4pQYLrqX" style="border:none;width:100%"></iframe><br />
<br />
*** If you find the Chrome browser being banned, you may consider changing the "BanOnFlooding" setting to "90/1:300".<br />
<br />
<b>Step 5a :</b><br />
<br />
Add the following line in the <code>VIRTUAL HOSTS</code> section.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> and place it at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=FT1ZC941" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
Furthermore, if you want to disable this virtual host, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart the Hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
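As an added example (not part of the original post or of Hiawatha), the following Python helper performs the same move between enable-sites/ and disable-sites/ as the commands above, but validates the site name and runs Hiawatha's configuration check (<code>hiawatha -k</code>, with <code>-c</code> pointing at the configuration directory) before anything is restarted, rolling the move back if the check fails. The <code>demo()</code> layout is constructed in a temporary directory with a stubbed check, so it runs without Hiawatha installed.<br />

```python
"""Enable or disable a Hiawatha virtual host file with a safety net.

Added example, not part of the original post or of Hiawatha. The guide's
`Include /etc/hiawatha/enable-sites/` line loads every file in that
directory, so a site is enabled by moving its file there and disabled by
moving it to disable-sites/. Beyond the bare `mv` and restart, this
helper (a) accepts only hostname-shaped site names, so a name such as
"../hiawatha.conf" cannot move files outside the two directories, and
(b) runs Hiawatha's own configuration check (`hiawatha -k`) before the
restart, undoing the move if the check fails so the running server is
never restarted into a broken configuration.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict

ETC = Path("/etc/hiawatha")
# One or more DNS labels joined by dots; no slashes, no leading dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
SITE_NAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def hiawatha_config_ok(etc: Path = ETC) -> bool:
    """Run `hiawatha -k` (check configuration and exit) against <etc>."""
    proc = subprocess.run(["hiawatha", "-c", str(etc), "-k"],
                          capture_output=True, text=True)
    return proc.returncode == 0


def set_site(site: str, enabled: bool, etc: Path = ETC,
             config_ok: Callable[[Path], bool] = hiawatha_config_ok) -> Path:
    """Move <site> between disable-sites/ and enable-sites/ and verify.

    Returns the file's resulting location. Raises ValueError for an unsafe
    name, FileNotFoundError if the site file is in neither directory, and
    RuntimeError (after undoing the move) if the configuration check fails.
    """
    if not SITE_NAME.match(site):
        raise ValueError(f"invalid site name: {site!r}")
    src_dir, dst_dir = (("disable-sites", "enable-sites") if enabled
                        else ("enable-sites", "disable-sites"))
    src, dst = etc / src_dir / site, etc / dst_dir / site
    if dst.is_file():
        return dst                       # already in the requested state
    if not src.is_file():
        raise FileNotFoundError(f"{src} does not exist")
    shutil.move(str(src), str(dst))
    if not config_ok(etc):
        shutil.move(str(dst), str(src))  # roll back; running config untouched
        raise RuntimeError(f"config check failed, {site} left as it was")
    return dst


def restart_hiawatha() -> None:
    """The restart from the guide; call only after set_site() succeeded."""
    subprocess.run(["/etc/init.d/hiawatha", "restart"], check=True)


def demo() -> Dict[str, str]:
    """Exercise set_site on a constructed /etc/hiawatha layout in a temp dir.

    The config check is stubbed so this runs without Hiawatha installed.
    """
    out: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        (etc / "enable-sites").mkdir()
        (etc / "disable-sites").mkdir()
        (etc / "enable-sites" / "mysite.com").write_text("Hostname = mysite.com\n")
        # 1. Disable the site; the stubbed check passes.
        moved = set_site("mysite.com", False, etc, lambda _: True)
        out["disabled_to"] = moved.relative_to(etc).as_posix()
        # 2. Re-enable, but the check fails: the file must be back in disable-sites.
        try:
            set_site("mysite.com", True, etc, lambda _: False)
        except RuntimeError:
            out["after_failed_enable"] = (
                "disable-sites" if (etc / "disable-sites" / "mysite.com").is_file()
                else "enable-sites")
        # 3. A path-traversal-shaped name is refused before the filesystem is touched.
        try:
            set_site("../hiawatha.conf", True, etc, lambda _: True)
        except ValueError:
            out["traversal"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```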
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or whenever the web page/site misbehaves, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; if it does not, make it look like this.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=YD2rfTfb" style="border:none;width:100%"></iframe><br />
<br />
Put the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed any settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile:<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled:<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now your Hiawatha is very secure, but I would like to make it more secure still.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply capabilities to cgi-wrapper: remove the setuid bit and grant only the CAP_SETUID and CAP_SETGID capabilities it needs to switch to the jail's user and group.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make Logwatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to re-do this step whenever Logwatch is updated or upgraded, as the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root *</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine-tune MySQL as described at this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" to the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a>.<br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a>.<br />
<br />
<b>Step 19 - Linux Malware Detect (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2014/01/howto-linux-malware-detect-on-ubuntu.html">link</a>.<br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter a "<code>500 Internal Server Error</code>", consider switching AppArmor to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, update the profile from the logged events and switch AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile shown above may not work 100% for your setup.<br />
<br />
<u>To harden your Hiawatha web server further, consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider installing <a href="http://samiux.blogspot.com/2013/01/howto-suricata-on-ubuntu-1204-lts-server.html">Suricata IPS</a> on your server.<br />
<br />
That's all! See you.<br>
<br>
Samiux<br />
<br />
<b>HOWTO : Highest secured Hiawatha Web Server 9.0 on Ubuntu 12.04 LTS Server</b> (2013-03-30)<br />
<br />
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server on the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
For performance figures, please refer to the study by SaltwaterC <a href="http://www.hiawatha-webserver.org/files/PHP_web_serving_study.pdf">here</a>.<br />
<br />
This tutorial describes how to set up the most secure web server possible. Please also apply the "Optional" steps mentioned below to reach that level of security.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 12.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest packages.<br />
<br />
<code>sudo apt-get update<br />sudo apt-get upgrade<br />sudo apt-get dist-upgrade</code><br />
<br />
Select unattended upgrades for your system; it will apply all updates to your system as they become available. Or, if you prefer, create a cron job later to update your system at a set time.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm</code><br />
<br />
<b>Step 1a - Installation of Percona Server (MySQL Alternative)</b><br />
<br />
Percona Server is used instead of MySQL for performance reasons.<br />
<br />
<code>gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A</code><br />
<code>gpg -a --export CD2EFD2A | sudo apt-key add -</code><br />
<br />
<code>sudo nano /etc/apt/sources.list.d/percona.list</code><br />
<br />
<code>deb http://repo.percona.com/apt precise main<br />
deb-src http://repo.percona.com/apt precise main</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install percona-server-server-5.5 percona-server-client-5.5</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.10.2.tar.gz<br />tar -xvzf cmake-2.8.10.2.tar.gz<br />cd cmake-2.8.10.2<br />./configure<br />make<br />sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 9.0).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-9.0.tar.gz<br />tar -xzvf hiawatha-9.0.tar.gz<br />cd hiawatha-9.0/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_9.0_amd64.deb</code><br />
<br />
or<br />
<br />
<code>sudo dpkg -i hiawatha_9.0_i386.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />
log_errors = On<br />
allow_url_fopen = Off<br />
safe_mode = On<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />
cgi.fix_pathinfo = 0<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 for now.<br />
<br />
*** On Ubuntu 12.04 LTS, "disable_functions" already contains some entries; just append the list above to the end of the existing list.<br />
<br />
*** Some PHP applications may require <code>safe_mode = off</code>.<br />
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen = 127.0.0.1:9000</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chroot = /var/www/</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Uncomment <code>ServerId</code> at <code>GENERAL SETTINGS</code>.<br />
<br />
<code>ServerId = www-data</code><br />
<br />
Uncomment the following entries at <code>BINDING SETTINGS</code>.<br />
<br />
<code>Binding {<br />
Port = 80<br />
# Interface = 127.0.0.1<br />
MaxKeepAlive = 30<br />
TimeForRequest = 3,20<br />
}</code><br />
<br />
<b>Step 5a (Optional for security purpose) :</b><br />
<br />
Add the following line at the <code>GENERAL SETTINGS</code>. <br />
<br />
<code>ConnectionsTotal = 1000<br />
ConnectionsPerIP = 30<br />
SystemLogfile = /var/log/hiawatha/system.log<br />
GarbageLogfile = /var/log/hiawatha/garbage.log<br />
ExploitLogfile = /var/log/hiawatha/exploit.log</code><br />
<br />
<code>LogFormat = extended<br />
ServerString = Apache<br />
CGIwrapper = /usr/sbin/cgi-wrapper</code><br />
<br />
Make changes for the following entries at <code>BANNING SETTINGS</code>. <br />
<br />
<code>BanOnGarbage = 300<br />
BanOnMaxPerIP = 300<br />
BanOnMaxReqSize = 300<br />
BanOnTimeout = 300<br />
KickOnBan = yes<br />
RebanDuringBan = yes</code><br />
<br />
<code>BanOnDeniedBody = 300<br />
BanOnSQLi = 300<br />
BanOnFlooding = 30/1:300<br />
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1<br />
BanOnInvalidURL = 300</code><br />
<br />
<code>ReconnectDelay = 3</code><br />
<code>#Reverse Proxy </code><br />
<code>HideProxy = 127.0.0.1 </code><br />
<code>MaxServerLoad = 0.8</code><br />
<br />
<b>Step 5b :</b><br />
<br />
The entries at <code>COMMON GATEWAY INTERFACE (CGI) SETTINGS</code> should look like this.<br />
<br />
<code>CGIhandler = /usr/bin/perl:pl<br />
CGIhandler = /usr/bin/php5-cgi:php<br />
CGIhandler = /usr/bin/python:py<br />
CGIhandler = /usr/bin/ruby:rb<br />
CGIhandler = /usr/bin/ssi-cgi:shtml<br />
CGIextension = cgi</code><br />
<br />
<code>FastCGIserver {<br />
FastCGIid = PHP5<br />
ConnectTo = 127.0.0.1:9000<br />
Extension = php, php5<br />
SessionTimeout = 30<br />
}</code><br />
<br />
<b>Step 5c :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> and place it at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=FT1ZC941" style="border:none;width:100%"></iframe><br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
*** Set "<code>PreventSQLi</code>" to "<code>yes</code>" when your web application is vulnerable to SQL injection and you cannot fix it at the moment.<br />
<br />
If you want to disable this virtual host, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart the Hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, maybe a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or whenever the web page/site misbehaves, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; if it does not, make it look like this.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=ZDgYYbE7" style="border:none;width:100%"></iframe><br />
<br />
Put the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed any settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile :<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled :<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now your Hiawatha is very secure, but I would like to make it even more secure.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Remove the setuid bit from cgi-wrapper and grant it only the two capabilities it needs (<code>cap_setuid</code> and <code>cap_setgid</code>) instead.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
Verify the result with getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Make sure to redo this step whenever logwatch is updated or upgraded, because the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root *</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine-tune MySQL as described at this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" to the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a>.<br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a>.<br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter a "<code>500 Internal Server Error</code>", consider switching AppArmor to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, update the profile from the logged events and switch AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile shown above may not work 100% for your setup.<br />
<br />
<u>To harden your Hiawatha web server further, consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider installing <a href="http://samiux.blogspot.hk/2013/01/howto-suricata-on-ubuntu-1204-lts-server.html">Suricata IPS</a> on your server.<br />
<br />
That's all! See you.<br>
<br>
Samiux<br />
<br />
<b>HOWTO : Highest secured Hiawatha Web Server 8.8 on Ubuntu 12.04 LTS Server</b> (2013-02-19)<br />
<br />
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server on the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
For performance figures, please refer to the study by SaltwaterC <a href="http://www.hiawatha-webserver.org/files/PHP_web_serving_study.pdf">here</a>.<br />
<br />
This tutorial describes how to set up the most secure web server possible. Please also apply the "Optional" steps mentioned below to reach that level of security.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 12.04 LTS</code>.<br />
<br />
Update the freshly installed system to the latest packages.<br />
<br />
<code>sudo apt-get update<br />sudo apt-get upgrade<br />sudo apt-get dist-upgrade</code><br />
<br />
Select unattended upgrades for your system; it will apply all updates to your system as they become available. Or, if you prefer, create a cron job later to update your system at a set time.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5</b><br />
<br />
<code>sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm</code><br />
<br />
<b>Step 1a - Installation of Percona Server (MySQL Alternative)</b><br />
<br />
Percona Server is used instead of MySQL for performance reasons.<br />
<br />
<code>gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A</code><br />
<code>gpg -a --export CD2EFD2A | sudo apt-key add -</code><br />
<br />
<code>sudo nano /etc/apt/sources.list.d/percona.list</code><br />
<br />
<code>deb http://repo.percona.com/apt precise main<br />
deb-src http://repo.percona.com/apt precise main</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install percona-server-server-5.5 percona-server-client-5.5</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.10.2.tar.gz<br />tar -xvzf cmake-2.8.10.2.tar.gz<br />cd cmake-2.8.10.2<br />./configure<br />make<br />sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 8.8).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-8.8.tar.gz<br />tar -xzvf hiawatha-8.8.tar.gz<br />cd hiawatha-8.8/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_8.8_amd64.deb</code><br />
<br />
or<br />
<br />
<code>sudo dpkg -i hiawatha_8.8_i386.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />
log_errors = On<br />
allow_url_fopen = Off<br />
safe_mode = On<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />
cgi.fix_pathinfo = 0<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 for now.<br />
<br />
*** On Ubuntu 12.04 LTS, "disable_functions" already contains some entries; just append the list above to the end of the existing list.<br />
<br />
*** Some PHP applications may require <code>safe_mode = off</code>.<br />
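Added example (not from the original post): a POSIX shell function that applies the Step 3a settings above, here and in the 9.0 post, to a php.ini without clobbering it. Uncommented keys are rewritten in place, keys that are absent or only present commented out are appended, and <code>disable_functions</code> keeps the distribution's existing list with the post's functions appended once, so rerunning it is safe. <code>php_ini_get</code> is a helper added here for reading a value back; the file path is the one from Step 3.<br />

```shell
#!/bin/sh
# harden_php_ini FILE
# Applies the Step 3a php.ini settings. Uncommented keys are rewritten in
# place, missing keys are appended at the end, and disable_functions keeps
# whatever the distribution already lists and gets the post's functions
# appended (once; rerunning the function changes nothing).
harden_php_ini() {
    ini="$1"
    tmp="$(mktemp)" || return 1
    awk '
    BEGIN {
        want["display_errors"]          = "Off"
        want["log_errors"]              = "On"
        want["allow_url_fopen"]         = "Off"
        want["safe_mode"]               = "On"
        want["expose_php"]              = "Off"
        want["enable_dl"]               = "Off"
        want["session.cookie_httponly"] = "1"
        want["cgi.fix_pathinfo"]        = "0"
        extra = "system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd"
    }
    # only uncommented "key = value" lines are candidates for rewriting
    $0 !~ /^[ \t]*;/ && match($0, /^[ \t]*[A-Za-z0-9_.]+[ \t]*=/) {
        k = substr($0, 1, RLENGTH - 1); gsub(/[ \t]/, "", k)
        v = substr($0, RLENGTH + 1);    sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        if (k in want) { print k " = " want[k]; done[k] = 1; next }
        if (k == "disable_functions") {
            sub(/,[ \t]*$/, "", v)                 # tolerate a trailing comma
            if (index(v, extra) == 0) v = (v == "") ? extra : (v ", " extra)
            print k " = " v; done[k] = 1; next
        }
    }
    { print }
    END {
        for (k in want) if (!(k in done)) print k " = " want[k]
        if (!("disable_functions" in done)) print "disable_functions = " extra
    }' "$ini" > "$tmp" && cat "$tmp" > "$ini"   # cat keeps the ini owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# php_ini_get FILE KEY: print the effective (last uncommented) value of KEY.
php_ini_get() {
    awk -v k="$2" '
    $0 !~ /^[ \t]*;/ && match($0, /^[ \t]*[A-Za-z0-9_.]+[ \t]*=/) {
        key = substr($0, 1, RLENGTH - 1); gsub(/[ \t]/, "", key)
        if (key == k) { v = substr($0, RLENGTH + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); last = v }
    }
    END { print last }' "$1"
}

# Usage on the file from the post (needs root):
#   harden_php_ini /etc/php5/cgi/php.ini
#   php_ini_get /etc/php5/cgi/php.ini disable_functions
```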
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen = 127.0.0.1:9000</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chroot = /var/www/</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Uncomment <code>ServerId</code> at <code>GENERAL SETTINGS</code>.<br />
<br />
<code>ServerId = www-data</code><br />
<br />
Uncomment the following entries at <code>BINDING SETTINGS</code>.<br />
<br />
<code>Binding {<br />
Port = 80<br />
# Interface = 127.0.0.1<br />
MaxKeepAlive = 30<br />
TimeForRequest = 3,20<br />
}</code><br />
<br />
<b>Step 5a (Optional for security purpose) :</b><br />
<br />
Add the following line at the <code>GENERAL SETTINGS</code>. <br />
<br />
<code>ConnectionsTotal = 1000<br />
ConnectionsPerIP = 30<br />
SystemLogfile = /var/log/hiawatha/system.log<br />
GarbageLogfile = /var/log/hiawatha/garbage.log<br />
ExploitLogfile = /var/log/hiawatha/exploit.log</code><br />
<br />
<code>LogFormat = extended<br />
ServerString = Apache<br />
CGIwrapper = /usr/sbin/cgi-wrapper</code><br />
<br />
Make changes for the following entries at <code>BANNING SETTINGS</code>. <br />
<br />
<code>BanOnGarbage = 300<br />
BanOnMaxPerIP = 300<br />
BanOnMaxReqSize = 300<br />
BanOnTimeout = 300<br />
KickOnBan = yes<br />
RebanDuringBan = yes</code><br />
<br />
<code>BanOnDeniedBody = 300<br />
BanOnSQLi = 300<br />
BanOnFlooding = 30/1:300<br />
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1<br />
BanOnInvalidURL = 300</code><br />
<br />
<code>ReconnectDelay = 3</code><br />
<code>#Reverse Proxy </code><br />
<code>HideProxy = 127.0.0.1 </code><br />
<code>MaxServerLoad = 0.8</code><br />
<br />
<b>Step 5b :</b><br />
<br />
The entries at <code>COMMON GATEWAY INTERFACE (CGI) SETTINGS</code> should look like this.<br />
<br />
<code>CGIhandler = /usr/bin/perl:pl<br />
CGIhandler = /usr/bin/php5-cgi:php<br />
CGIhandler = /usr/bin/python:py<br />
CGIhandler = /usr/bin/ruby:rb<br />
CGIhandler = /usr/bin/ssi-cgi:shtml<br />
CGIextension = cgi</code><br />
<br />
<code>FastCGIserver {<br />
FastCGIid = PHP5<br />
ConnectTo = 127.0.0.1:9000<br />
Extension = php, php5<br />
SessionTimeout = 30<br />
}</code><br />
<br />
<b>Step 5c :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> and place it at <code>/etc/hiawatha/enable-sites/mysite.com</code>.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=2tLA8BzQ" style="border:none;width:100%"></iframe><br />
<br />
*** You can ignore the "<code>DenyBot</code>" entries if you want search engines to find your site easily.<br />
<br />
*** If you do not implement "Step 7" below, please do not add "WrapCGI = Jail_mysite".<br />
<br />
*** Set "<code>PreventSQLi</code>" to "<code>yes</code>" when your web application is vulnerable to SQL injection and you cannot fix it at the moment.<br />
<br />
If you want to disable this virtual host, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart the Hiawatha server.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, maybe a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or whenever the web page/site misbehaves, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; if it does not, make it look like this.<br />
<br />
<iframe src="http://pastebin.com/embed_iframe.php?i=ZDgYYbE7" style="border:none;width:100%"></iframe><br />
<br />
Put the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed any settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile :<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled :<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
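Added example (not the post's own commands): the Step 8 profile life-cycle, the same in all three posts, wrapped in POSIX shell functions that check that the profile file exists, do not fail on a rerun (the plain <code>ln -s</code> above errors if the link already exists), and pass the profile path to <code>apparmor_parser</code> instead of redirecting it on stdin. <code>APPARMOR_DIR</code>, <code>AA_PROFILE</code> and <code>AA_APPLY</code> are names assumed here; <code>AA_APPLY=0</code> skips the kernel load/unload so the bookkeeping can be tried against a scratch directory without root.<br />

```shell
#!/bin/sh
# Step 8 profile life-cycle as functions. APPARMOR_DIR defaults to the real
# directory; pointing it at a scratch directory exercises the symlink
# bookkeeping without touching the system. AA_APPLY=0 skips the kernel
# load/unload (apparmor_parser), which needs root and a running AppArmor.
# (Variable names are assumptions made for this example.)
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"
AA_PROFILE="${AA_PROFILE:-usr.sbin.hiawatha}"
AA_APPLY="${AA_APPLY:-1}"

# _aa_parser -r|-R : (re)load or remove the profile in the kernel.
_aa_parser() {
    [ "$AA_APPLY" = "1" ] || return 0
    command -v apparmor_parser >/dev/null 2>&1 || { echo "apparmor_parser not found" >&2; return 1; }
    apparmor_parser "$1" "$APPARMOR_DIR/$AA_PROFILE"
}

# True when the profile is marked disabled (link present in disable/).
aa_is_disabled() { [ -L "$APPARMOR_DIR/disable/$AA_PROFILE" ]; }

# Disable: link the profile into disable/ so it is skipped at boot, then
# unload it (apparmor_parser -R). Safe to rerun: an existing link is kept.
aa_disable() {
    [ -f "$APPARMOR_DIR/$AA_PROFILE" ] || { echo "no such profile: $APPARMOR_DIR/$AA_PROFILE" >&2; return 1; }
    mkdir -p "$APPARMOR_DIR/disable"
    aa_is_disabled || ln -s "$APPARMOR_DIR/$AA_PROFILE" "$APPARMOR_DIR/disable/$AA_PROFILE" || return 1
    _aa_parser -R
}

# Re-enable: remove the disable/ link and load the profile again
# (apparmor_parser -r). Harmless when the profile was not disabled.
aa_enable() {
    [ -f "$APPARMOR_DIR/$AA_PROFILE" ] || { echo "no such profile: $APPARMOR_DIR/$AA_PROFILE" >&2; return 1; }
    if aa_is_disabled; then rm -f "$APPARMOR_DIR/disable/$AA_PROFILE"; fi
    _aa_parser -r
}

# Reload after editing the profile file; refuses while the profile is disabled.
aa_reload() {
    if aa_is_disabled; then echo "profile is disabled; enable it first" >&2; return 1; fi
    _aa_parser -r
}
```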
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now your Hiawatha is very secure, but I would like to make it even more secure.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Remove the setuid bit from cgi-wrapper and grant it only the two capabilities it needs (<code>cap_setuid</code> and <code>cap_setgid</code>) instead.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
Verify the result with getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Make sure to redo this step whenever logwatch is updated or upgraded, because the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root .   # "." also covers dotfiles, which "*" would skip</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL or Percona Server (Optional)</b><br />
<br />
You can fine-tune MySQL by following this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" in the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", consider switching the AppArmor profile to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, update the profile from the logged events and switch AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is needed because the <code>usr.sbin.hiawatha</code> profile above may not match your setup 100%.<br />
<br />
<u>To harden your Hiawatha web server further, consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also enable a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider installing <a href="http://samiux.blogspot.hk/2013/01/howto-suricata-on-ubuntu-1204-lts-server.html">Suricata IPS</a> on your server.<br />
<br />
That's all! See you.
Samiux<br>
<br>
<b>HOWTO : Secure Apache on Ubuntu Server 12.04 LTS</b><br>
Published 2013-02-03T07:43:00.000+08:00, updated 2013-02-08T02:15:26.357+08:00, by Samiux.<br>
<br>
<b>Step 1 :</b><br>
<br>
<code>sudo apt-get update<br>
sudo apt-get install apache2-utils libapache-mod-security libapache2-mod-evasive</code><br>
<br>
<b>Step 2 :</b><br>
<br>
<code>sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf</code><br>
<br>
<code>sudo nano /etc/apache2/conf.d/security</code><br>
<br>
Set "<code>ServerTokens</code>" to "<code>Full</code>".<br>
<br>
<b>Step 3 :</b><br>
<br>
<code>sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf</code><br>
<br>
<code>sudo nano /etc/modsecurity/modsecurity.conf</code><br>
<br>
Append the following line; "SamiuxHTTP" is only an example and you can change it to whatever you like.<br>
<br>
<code>SecServerSignature SamiuxHTTP</code><br>
<br>
<b>Step 4 :</b><br>
<br>
<code>sudo mkdir /var/log/mod_evasive<br>
sudo chown www-data:www-data /var/log/mod_evasive/</code><br>
<br>
<b>Step 5 :</b><br>
<br>
<code>sudo nano /etc/apache2/sites-enabled/000-default</code><br>
<br>
Add the following right before "</VirtualHost>" :<br>
<br>
<code><IfModule mod_rewrite.c><br>
RewriteEngine On<br>
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)<br>
RewriteRule .* - [F]<br>
</IfModule></code><br>
<br>
<code><IfModule mod_evasive20.c><br>
DOSHashTableSize 3097<br>
DOSPageCount 2<br>
DOSSiteCount 50<br>
DOSPageInterval 1<br>
DOSSiteInterval 1<br>
DOSBlockingPeriod 60<br>
DOSLogDir /var/log/mod_evasive<br>
DOSEmailNotify samiux@gmail.com<br>
DOSWhitelist 127.0.0.1<br>
</IfModule></code><br>
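<br>
To see how the DOS* values above combine, here is an added Python model of the mod_evasive algorithm written for this post; it is neither the module's code nor part of the original post. It assumes the behaviour the module documents: a per-page counter keyed by client IP and URI, a per-site counter keyed by client IP, a blocking period that restarts whenever the blocked client retries, and a whitelist that is checked before anything else. The traffic it replays is constructed.<br>
<br>
```python
"""Offline model of the mod_evasive directives above.

Added example (not the module's code): it follows the behaviour mod_evasive
documents, namely a per-page counter keyed by client IP and URI, a per-site
counter keyed by client IP, a blocking period that is extended each time a
blocked client comes back, and a whitelist that bypasses every check.
Sample traffic is constructed inline.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class EvasiveConfig:
    # Values copied from the <IfModule mod_evasive20.c> block above.
    page_count: int = 2          # DOSPageCount
    site_count: int = 50         # DOSSiteCount
    page_interval: int = 1       # DOSPageInterval, seconds
    site_interval: int = 1       # DOSSiteInterval, seconds
    blocking_period: int = 60    # DOSBlockingPeriod, seconds
    whitelist: tuple = ("127.0.0.1",)   # DOSWhitelist; wildcards such as 10.0.0.* work


@dataclass
class _Counter:
    timestamp: int
    count: int = 1


class EvasiveSimulator:
    def __init__(self, cfg: EvasiveConfig):
        self.cfg = cfg
        self.hits = {}      # "ip|uri" and "ip|SITE" -> _Counter
        self.blocked = {}   # ip -> time of its last denied request

    def _over_limit(self, key: str, now: int, limit: int, interval: int) -> bool:
        """Count one hit on key; True when it is the (limit+1)th hit within interval."""
        c = self.hits.get(key)
        if c is None:
            self.hits[key] = _Counter(now)
            return False
        exceeded = now - c.timestamp < interval and c.count >= limit
        if now - c.timestamp >= interval:
            c.count = 0                       # interval elapsed: start counting again
        c.timestamp = now
        c.count += 1
        return exceeded

    def request(self, ip: str, uri: str, now: int) -> int:
        """Return the status the module would give this request: 200 or 403."""
        if any(fnmatch(ip, pattern) for pattern in self.cfg.whitelist):
            return 200
        last_denied = self.blocked.get(ip)
        if last_denied is not None and now - last_denied < self.cfg.blocking_period:
            self.blocked[ip] = now            # retrying during the block extends it
            return 403
        page_hit = self._over_limit(f"{ip}|{uri}", now, self.cfg.page_count, self.cfg.page_interval)
        site_hit = self._over_limit(f"{ip}|SITE", now, self.cfg.site_count, self.cfg.site_interval)
        if page_hit or site_hit:
            self.blocked[ip] = now
            return 403
        return 200


# Constructed sample traffic: (client ip, uri, unix time).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "/index.php", 1000),
    ("10.0.0.5", "/index.php", 1000),
    ("10.0.0.5", "/index.php", 1000),   # third hit on one page inside 1 s -> 403
    ("10.0.0.5", "/about.php", 1010),   # still inside the 60 s block -> 403
    ("10.0.0.5", "/about.php", 1200),   # block expired -> 200
    ("127.0.0.1", "/index.php", 1000),
    ("127.0.0.1", "/index.php", 1000),
    ("127.0.0.1", "/index.php", 1000),  # whitelisted -> never blocked
]


def simulate(requests=SAMPLE_TRAFFIC, cfg=None):
    """Replay requests through a fresh simulator and return one status per request."""
    sim = EvasiveSimulator(cfg or EvasiveConfig())
    return [sim.request(ip, uri, t) for ip, uri, t in requests]


if __name__ == "__main__":
    for (ip, uri, t), status in zip(SAMPLE_TRAFFIC, simulate()):
        print(f"{t} {ip:10} {uri:11} -> {status}")
```
<br>
With DOSPageCount 2 and DOSPageInterval 1, the third request for the same URI within one second is the first one refused, and every retry inside DOSBlockingPeriod pushes the block out by another 60 seconds. Replaying a sample of your own access log through the model before enabling the module shows whether legitimate clients (AJAX polling, image galleries) would trip it.<br>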
<br>
<b>Step 6 :</b><br>
<br>
<code>sudo nano /etc/modsecurity/modsecurity.conf</code><br>
<br>
Change the following from :<br>
<br>
<code>SecRuleEngine DetectionOnly</code><br>
<br>
to :<br>
<br>
<code>SecRuleEngine On</code><br>
<br>
<code>cd /etc/modsecurity</code><br>
<br>
<code>sudo mkdir activated_rules</code><br>
<br>
<code>sudo wget http://downloads.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.5.tar.gz</code><br>
<br>
<code>sudo tar -zxvf modsecurity-crs_2.2.5.tar.gz</code><br>
<br>
<code>cd modsecurity-crs_2.2.5</code><br>
<br>
<code>sudo cp modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf</code><br>
<br>
<code>cd /etc/modsecurity/modsecurity-crs_2.2.5/base_rules</code><br>
<br>
<code>for f in * ; do sudo ln -s /etc/modsecurity/modsecurity-crs_2.2.5/base_rules/$f /etc/modsecurity/activated_rules/$f ; done</code><br>
<br>
<code>cd /etc/modsecurity/modsecurity-crs_2.2.5/optional_rules</code><br>
<br>
<code>for f in * ; do sudo ln -s /etc/modsecurity/modsecurity-crs_2.2.5/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done</code><br>
<br>
<code>sudo nano /etc/apache2/mods-available/mod-security.conf</code><br>
<br>
Add the following line before </IfModule> and save the file :<br>
<br>
<code>Include "/etc/modsecurity/activated_rules/*.conf"</code><br>
<br>
<b>Step 7 :</b><br>
<br>
<code>sudo a2enmod mod-security<br>
sudo a2enmod mod-evasive<br>
sudo a2enmod headers</code><br>
<br>
<code>sudo /etc/init.d/apache2 restart</code><br>
<br>
<b>Remark</b><br>
<br>
Make sure the site is reached by its domain name and not by a bare IP address; otherwise mod_security will block the requests.<br>
<br>
That's all! See you.<br>
<br>Samiux<br>
<br>
<b>HOWTO : Highest secured Hiawatha Web Server 8.7 on Ubuntu 12.04 LTS Server</b><br>
Published 2013-01-10T13:14:00.002+08:00, updated 2013-01-20T18:38:39.431+08:00, by Samiux.<br>
<br>
<b><u>Upgrade from Hiawatha 8.6 to Hiawatha 8.7</u></b><br>
<br>
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.10.2.tar.gz<br />tar -xvzf cmake-2.8.10.2.tar.gz<br />cd cmake-2.8.10.2<br />./configure<br />make<br />sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 8.7).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-8.7.tar.gz<br />tar -xzvf hiawatha-8.7.tar.gz<br />cd hiawatha-8.7/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_8.7_amd64.deb</code><br />
<br />
or<br />
<br />
<code>sudo dpkg -i hiawatha_8.7_i386.deb</code><br />
<br />
<b><u>Upgrade to Hiawatha 8.7 from previous version below 8.6</u></b><br>
<br>
If you are upgrading from a previous version of Hiawatha to version 8.7, follow only the steps below.<br>
<br>
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.10.2.tar.gz<br />tar -xvzf cmake-2.8.10.2.tar.gz<br />cd cmake-2.8.10.2<br />./configure<br />make<br />sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 8.7).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-8.7.tar.gz<br />tar -xzvf hiawatha-8.7.tar.gz<br />cd hiawatha-8.7/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_8.7_amd64.deb</code><br />
<br />
or<br />
<br />
<code>sudo dpkg -i hiawatha_8.7_i386.deb</code><br />
<br />
After that, you should install php5-fpm.<br>
<br>
<code>sudo apt-get install php5-fpm</code><br>
<br>
<code>sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf</code><br />
<br>
Disable the php-fcgi :<br />
<br />
<code>sudo update-rc.d -f php-fcgi remove</code><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br>
<br>
Go to the following section and change "ConnectTo = 127.0.0.1:2005" to "ConnectTo = 127.0.0.1:9000".<br>
<br>
The entries at <code>COMMON GATEWAY INTERFACE (CGI) SETTINGS</code> should look like this.<br />
<br />
<code>CGIhandler = /usr/bin/perl:pl<br />
CGIhandler = /usr/bin/php5-cgi:php<br />
CGIhandler = /usr/bin/python:py<br />
CGIhandler = /usr/bin/ruby:rb<br />
CGIhandler = /usr/bin/ssi-cgi:shtml<br />
CGIextension = cgi</code><br />
<br />
<code>FastCGIserver {<br />
FastCGIid = PHP5<br />
ConnectTo = 127.0.0.1:9000<br />
Extension = php, php5<br />
SessionTimeout = 30<br />
}</code><br />
<br>
Set the php-fpm.conf file :<br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen = 127.0.0.1:9000</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chroot = /var/www/</code><br />
<code>chdir = /</code><br />
<br />
<code>sudo /etc/init.d/hiawatha restart</code><br>
<br />
<b><u>New install of Hiawatha 8.7</u></b><br>
<br>
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a very secure and fast web server on the market. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
For the performance, please refer to the study of SaltwaterC <a href="http://www.hiawatha-webserver.org/files/PHP_web_serving_study.pdf">here</a>.<br />
<br />
This tutorial describes how to set up the most secure web server possible. Apply the "Optional" steps below as well to reach that level of security.<br />
<br />
Since version 8.3, Hiawatha comes with Reverse Proxy and DAV features. The DAV feature, which arrived in version 8.2, can be used for <a href="http://owncloud.org/" target="_blank">ownCloud</a>, for example.<br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 12.04 LTS</code>.<br />
<br />
Update the fresh install system to the latest status.<br />
<br />
<code>sudo apt-get update<br />sudo apt-get upgrade<br />sudo apt-get dist-upgrade</code><br />
<br />
Select unattended updates for your system; updates will then be applied automatically as they become available. Alternatively, create a cron job later to update the system at a fixed time if you prefer.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5 and MySQL</b><br />
<br />
<code>sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd php5-fpm</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the required dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.10.2.tar.gz<br />tar -xvzf cmake-2.8.10.2.tar.gz<br />cd cmake-2.8.10.2<br />./configure<br />make<br />sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 8.7).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-8.7.tar.gz<br />tar -xzvf hiawatha-8.7.tar.gz<br />cd hiawatha-8.7/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_8.7_amd64.deb</code><br />
<br />
or<br />
<br />
<code>sudo dpkg -i hiawatha_8.7_i386.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings are for making PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Make the following changes.<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />
log_errors = On<br />
allow_url_fopen = Off<br />
safe_mode = On<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />
cgi.fix_pathinfo = 0<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, cgi.fix_pathinfo should be set to 0 at this moment.<br />
<br />
*** On Ubuntu 12.04 LTS there will already be entries in "disable_functions"; just append the list above to the end of the existing list.<br />
<br />
*** some PHP applications may require <code>safe_mode = off</code><br />
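<br />
An added Python checker (example code, not from this post or from the PHP project) for the values in Step 3 and Step 3a: it parses a php.ini body, compares each directive with the recommended value, and treats disable_functions as a set, so an existing Ubuntu list with the page's functions appended passes while a missing function is reported. The two php.ini excerpts are constructed, not copied from any real Ubuntu file.<br />
<br />
```python
"""Checker for the php.ini hardening values in Steps 3 and 3a.

Added example, not from the post or the PHP project. It parses a php.ini
body, compares each directive with the recommended value (boolean spellings
On/1/true are treated alike) and checks disable_functions as a set.
"""

# Recommended values, copied from Step 3 and Step 3a above.
RECOMMENDED = {
    "cgi.rfc2616_headers": "1",
    "zlib.output_compression": "On",
    "zlib.output_compression_level": "6",
    "display_errors": "Off",
    "log_errors": "On",
    "allow_url_fopen": "Off",
    "safe_mode": "On",
    "expose_php": "Off",
    "enable_dl": "Off",
    "session.cookie_httponly": "1",
    "cgi.fix_pathinfo": "0",
}
REQUIRED_DISABLED = {
    "system", "show_source", "symlink", "exec", "dl", "shell_exec",
    "passthru", "phpinfo", "escapeshellarg", "escapeshellcmd",
}

# Boolean spellings php.ini accepts; compared on their truth value.
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}
_BOOLS = _TRUE | _FALSE


def parse_ini(text: str) -> dict:
    """Return directive -> value for a php.ini body (last assignment wins)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue                           # blank, [Section] header, or junk
        key, value = line.split("=", 1)
        directives[key.strip()] = value.strip().strip('"')
    return directives


def _same(actual: str, wanted: str) -> bool:
    a, w = actual.lower(), wanted.lower()
    if w in _BOOLS:
        return a in _BOOLS and (a in _TRUE) == (w in _TRUE)
    return a == w


def check_php_ini(text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    ini = parse_ini(text)
    findings = []
    for key, wanted in RECOMMENDED.items():
        actual = ini.get(key)
        if actual is None:
            findings.append(f"{key}: not set (want {wanted})")
        elif not _same(actual, wanted):
            findings.append(f"{key}: is {actual!r}, want {wanted!r}")
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))
    return findings


# Constructed php.ini excerpts (not copied from any real Ubuntu file).
WEAK_INI = """\
[PHP]
expose_php = On
display_errors = On
cgi.fix_pathinfo = 1
disable_functions = pcntl_fork,pcntl_exec
"""

HARDENED_INI = """\
[PHP]
cgi.rfc2616_headers = 1
zlib.output_compression = On
zlib.output_compression_level = 6
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
session.cookie_httponly = 1
; the distribution's existing list is kept and the page's list appended to it
disable_functions = pcntl_fork,pcntl_exec, system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
cgi.fix_pathinfo = 0
"""

if __name__ == "__main__":
    for name, body in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, check_php_ini(body) or ["OK"])
```
<br />
Running it against the real file is a matter of <code>check_php_ini(open("/etc/php5/cgi/php.ini").read())</code>; an empty list means the Step 3 and 3a values are all in place.<br />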
<br />
<b>Step 4 - Configure php-fpm</b><br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen = 127.0.0.1:9000</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chroot = /var/www/</code><br />
<code>chdir = /</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Uncomment <code>ServerId</code> at <code>GENERAL SETTINGS</code>.<br />
<br />
<code>ServerId = www-data</code><br />
<br />
Uncomment the following entries at <code>BINDING SETTINGS</code>.<br />
<br />
<code>Binding {<br />
Port = 80<br />
# Interface = 127.0.0.1<br />
MaxKeepAlive = 30<br />
TimeForRequest = 3,20<br />
}</code><br />
<br />
<b>Step 5a (Optional for security purpose) :</b><br />
<br />
Add the following lines to <code>GENERAL SETTINGS</code>.<br />
<br />
<code>ConnectionsTotal = 1000<br />
ConnectionsPerIP = 30<br />
SystemLogfile = /var/log/hiawatha/system.log<br />
GarbageLogfile = /var/log/hiawatha/garbage.log<br />
ExploitLogfile = /var/log/hiawatha/exploit.log</code><br />
<br />
<code>LogFormat = extended<br />
ServerString = Apache<br />
CGIwrapper = /usr/sbin/cgi-wrapper</code><br />
<br />
Change the following entries under <code>BANNING SETTINGS</code>.<br />
<br />
<code>BanOnGarbage = 300<br />
BanOnMaxPerIP = 300<br />
BanOnMaxReqSize = 300<br />
BanOnTimeout = 300<br />
KickOnBan = yes<br />
RebanDuringBan = yes</code><br />
<br />
<code>BanOnDeniedBody = 300<br />
BanOnSQLi = 300<br />
BanOnFlooding = 30/1:300<br />
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1<br />
BanOnInvalidURL = 300</code><br />
<br />
<code>ReconnectDelay = 3</code><br />
<code>#Reverse Proxy </code><br />
<code>HideProxy = 127.0.0.1 </code><br />
<code>MaxServerLoad = 0.8</code><br />
<br />
<b>Step 5b :</b><br />
<br />
The entries at <code>COMMON GATEWAY INTERFACE (CGI) SETTINGS</code> should look like this.<br />
<br />
<code>CGIhandler = /usr/bin/perl:pl<br />
CGIhandler = /usr/bin/php5-cgi:php<br />
CGIhandler = /usr/bin/python:py<br />
CGIhandler = /usr/bin/ruby:rb<br />
CGIhandler = /usr/bin/ssi-cgi:shtml<br />
CGIextension = cgi</code><br />
<br />
<code>FastCGIserver {<br />
FastCGIid = PHP5<br />
ConnectTo = 127.0.0.1:9000<br />
Extension = php, php5<br />
SessionTimeout = 30<br />
}</code><br />
<br />
<b>Step 5c :</b><br />
<br />
Add the following line under <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code> with the following content.<br />
<br />
<code>VirtualHost {<br />
Hostname = www.mysite.com, mysite.com<br />
WebsiteRoot = /var/www/mysite<br />
StartFile = index.php<br />
AccessLogfile = /var/log/hiawatha/access.log<br />
ErrorLogfile = /var/log/hiawatha/error.log<br />
TimeForCGI = 15<br />
# UseFastCGI = PHP5<br />
UseToolkit = banshee</code><br />
<code> # if ownCloud or alike is installed, otherwise, it should be "no" </code><br />
<code> WebDAVapp = yes<br />
# <script .. </script><br />
# e.g. <script>alert("xss");</script><br />
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$<br />
DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$<br />
DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$<br />
DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$<br />
DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$<br />
DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$<br />
# <meta .. /><br />
# e.g. <meta http-equiv="refresh" content='0; URL=http://some.domain"/><br />
DenyBody = ^.*%3Cmeta.*%2F%3E.*$<br />
DenyBody = ^.*%3CMETA.*%2F%3E.*$<br />
DenyBody = ^.*%3CMeTa.*%2F%3E.*$<br />
DenyBody = ^.*%3CmEtA.*%2F%3E.*$<br />
# <iframe .. /><br />
DenyBody = ^.*%3Ciframe.*%2F%3E.*$<br />
DenyBody = ^.*%3CIFRAME.*%2F%3E.*$<br />
# Null Byte<br />
DenyBody = ^.*(it cannot be displayed here).*$<br />
ExecuteCGI = yes<br />
PreventCSRF = yes<br />
PreventSQLi = yes<br />
PreventXSS = yes<br />
DenyBot = Googlebot:/<br />
DenyBot = twiceler:/<br />
DenyBot = MSNBot:/<br />
DenyBot = yahoo:/<br />
DenyBot = BaiDuSpider:/<br />
DenyBot = Ask:/<br />
DenyBot = Yahoo! Slurp:/<br />
DenyBot = Sogou web spider:/<br />
DenyBot = Sogou-Test-Spider:/<br />
DenyBot = Baiduspider+:/<br />
DenyBot = Yandex:/<br />
DenyBot = UniversalFeedParser:/<br />
DenyBot = Mediapartners-Google:/<br />
DenyBot = Sosospider+:/<br />
DenyBot = YoudaoBot:/<br />
DenyBot = ParchBot:/<br />
DenyBot = Curl:/<br />
DenyBot = msnbot:/<br />
DenyBot = NaverBot:/<br />
DenyBot = taptubot:/<br />
WrapCGI = jail_mysite<br />
}</code><br />
<br />
*** You can omit the "<code>DenyBot</code>" entries if you want search engines to find your site easily.<br />
<br />
*** If you do not implement "Step 7" below, do not add "WrapCGI = jail_mysite".<br />
<br />
*** Set "<code>PreventSQLi</code>" to "<code>yes</code>" when your web application is vulnerable to SQL injection and you cannot fix it at the moment.<br />
<br />
Furthermore, if you want to disable this virtual site, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and then restart Hiawatha.<br />
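<br />
The following Python harness is an added example, not from this post or from the Hiawatha project. It runs the DenyBody patterns from the VirtualHost above over constructed POST bodies, so the rules can be regression-tested before restarting the server. Because the patterns are written against the URL-encoded body (%3C for <), the bodies are encoded the way a browser encodes a form. The null-byte rule is left out because its pattern is not shown on the page.<br />
<br />
```python
"""Regression harness for the DenyBody rules in the VirtualHost above.

Added example, not part of the post or of Hiawatha. The patterns below are
copied from the VirtualHost block; the bodies are constructed and encoded
as a browser encodes an application/x-www-form-urlencoded form.
"""
import re
from urllib.parse import urlencode

# DenyBody patterns copied verbatim from the VirtualHost block above.
DENY_BODY = [
    r"^.*%3Cscript.*%3C%2Fscript%3E.*$",
    r"^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$",
    r"^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$",
    r"^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$",
    r"^.*%3CSCRIPT.*%3C%2Fscript%3E.*$",
    r"^.*%3Cscript.*%3C%2FSCRIPT%3E.*$",
    r"^.*%3Cmeta.*%2F%3E.*$",
    r"^.*%3CMETA.*%2F%3E.*$",
    r"^.*%3CMeTa.*%2F%3E.*$",
    r"^.*%3CmEtA.*%2F%3E.*$",
    r"^.*%3Ciframe.*%2F%3E.*$",
    r"^.*%3CIFRAME.*%2F%3E.*$",
]
COMPILED = [re.compile(p) for p in DENY_BODY]


def matching_rules(body: str) -> list:
    """Indexes into DENY_BODY of every rule that would deny this raw body."""
    return [i for i, rx in enumerate(COMPILED) if rx.match(body)]


def is_denied(body: str) -> bool:
    return bool(matching_rules(body))


def never_fired(bodies) -> list:
    """Rules that no body in the corpus triggers; candidates for review."""
    fired = set()
    for body in bodies:
        fired.update(matching_rules(body))
    return [i for i in range(len(DENY_BODY)) if i not in fired]


def form_body(fields: dict) -> str:
    """Encode a form the way a browser submits it ('<' becomes %3C, '/' becomes %2F)."""
    return urlencode(fields)


# Constructed sample bodies.
BENIGN = form_body({"title": "Hello <b>world</b>", "tags": "php, hiawatha"})
SCRIPT_POST = form_body({"comment": '<script>alert("xss");</script>'})  # the page's own example
META_POST = form_body({"bio": '<meta http-equiv="refresh" content="0; URL=http://some.domain"/>'})
CORPUS = [BENIGN, SCRIPT_POST, META_POST]


if __name__ == "__main__":
    for body in CORPUS:
        print(matching_rules(body) or "allowed", body)
    print("rules never triggered by the corpus:", never_fired(CORPUS))
```
<br />
Keep a corpus of real form submissions from your application next to this harness: any body that is denied there is a false positive you will otherwise only discover in exploit.log, and a rule that never fires on any corpus is worth a second look before it is kept.<br />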
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Execute the following command and then let the web site run for a while, maybe a week or so.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About one week later, or whenever the web page/site misbehaves, issue the following command to update the profile. Remember to reload the profile after the command has been issued.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file directly instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; edit it to match if it does not.<br />
<br />
<code># Last Modified: Thu Jun 3 01:52:13 2010<br />#include <tunables/global></code><br />
<br />
<code>/usr/sbin/hiawatha {<br />
#include <abstractions/apache2-common><br />
#include <abstractions/base><br />
#include <abstractions/nameservice><br />
#include <abstractions/php5></code><br />
<br />
<code> capability chown,<br />
capability dac_override,<br />
capability fowner,<br />
capability fsetid,<br />
capability setgid,<br />
capability setuid,</code><br />
<br />
<code> /bin/dash rix,<br />
/etc/ImageMagick/policy.xml r,<br />
owner /etc/hiawatha/ r,<br />
/etc/hiawatha/** r,<br />
/etc/host.conf r,<br />
/etc/hosts r,<br />
/etc/mailname r,<br />
/etc/nsswitch.conf r,<br />
owner /etc/passwd r,<br />
/etc/php5/ r,<br />
/etc/php5/** r,<br />
/etc/postfix/** r,<br />
/etc/protocols r,<br />
/etc/resolv.conf r,<br />
/etc/services r,<br />
/etc/snmp/snmp.conf r,<br />
/proc/*/auxv r,<br />
/sys/devices/system/cpu/ r,<br />
owner /tmp/** rwk,<br />
/usr/bin/php5-cgi rix,<br />
/usr/lib/postfix/cleanup rix,<br />
/usr/lib{,32,64}/** mr,<br />
/usr/sbin/cgi-wrapper rix,<br />
/usr/sbin/postdrop rix,<br />
/usr/sbin/sendmail rix,<br />
/usr/share/ r,<br />
/usr/share/** r,<br />
/var/www/ r,<br />
# /var/www/** rwk, (is for general settings. The following 2 lines are for Banshee only.)<br />
/var/www/** rk,<br />
/var/www/banshee/logfiles/** rw,<br />
/var/lib/ r,<br />
owner /var/lib/php5/** rw,<br />
/var/lib/** r,<br />
/var/lib/*/ rw,<br />
/var/lib/hiawatha/** rw,<br />
owner /var/log/hiawatha/** w,<br />
/var/log/hiawatha/** r,<br />
owner /var/run/ r,<br />
owner /var/run/** w,<br />
/var/run/** r,<br />
owner /run/ r,<br />
owner /run/** w,<br />
/run/** r,<br />
/var/spool/postfix/** rw,<br />
/var/spool/postfix/pid/** wk,<br />
}</code><br />
<br />
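Before enforcing a profile this size, it is worth checking it mechanically. The Python script below is an added example (not from this post or from the AppArmor project) with a parser for the subset of profile syntax the page uses (#include, capability, path rules with an optional owner prefix) and two checks a reviewer of a web server profile would run: which paths under the document root are writable, and whether any rule grants unconfined execution. The excerpt of the profile it parses is constructed from the rules above; the list of capabilities it flags is an example policy, not AppArmor's.<br />
<br />
```python
"""Least-privilege audit of the usr.sbin.hiawatha profile above.

Added example, not from the post or the AppArmor project: a small parser
for the subset of profile syntax the page uses (#include, capability,
path rules with an optional 'owner' prefix) plus checks a reviewer would
run on a web server profile: which paths under the document root are
writable and whether any rule grants unconfined execution.
"""
import re

# "[owner] <path> <mode>,"  e.g.  "owner /tmp/** rwk,"  or  "/var/www/** rk,"
RULE_RE = re.compile(r"^(?:(owner)\s+)?(\S+)\s+([a-zA-Z]+),$")


def parse_profile(text: str) -> dict:
    """Return {'includes': [...], 'capabilities': set(), 'rules': [(owner, path, mode)]}."""
    out = {"includes": [], "capabilities": set(), "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("{") or line == "}":
            continue                                   # blank or profile braces
        if line.startswith("#include"):
            out["includes"].append(line.split(None, 1)[1].strip("<>"))
            continue
        if line.startswith("#"):
            continue                                   # comment
        if line.startswith("capability "):
            out["capabilities"].add(line[len("capability "):].rstrip(","))
            continue
        m = RULE_RE.match(line)
        if m:
            out["rules"].append((m.group(1) == "owner", m.group(2), m.group(3)))
    return out


def writable_under(profile: dict, root: str) -> list:
    """Paths under root that some rule allows to be written (w) or appended (a)."""
    return sorted(path for _, path, mode in profile["rules"]
                  if path.startswith(root) and ("w" in mode or "a" in mode))


def unconfined_exec(profile: dict) -> list:
    """Paths executed unconfined (ux/Ux, including the PUx/pux fallbacks)."""
    return sorted(path for _, path, mode in profile["rules"] if "ux" in mode.lower())


def audit(text: str, docroot: str = "/var/www/",
          allowed_writes=("/var/www/banshee/logfiles/**",)) -> list:
    """Findings a reviewer would raise; an empty list means the profile fits the policy."""
    prof = parse_profile(text)
    findings = []
    for path in writable_under(prof, docroot):
        if path not in allowed_writes:
            findings.append(f"write access under document root: {path}")
    for path in unconfined_exec(prof):
        findings.append(f"unconfined execution: {path}")
    for cap in ("sys_admin", "net_raw", "sys_ptrace"):   # example policy, not AppArmor's
        if cap in prof["capabilities"]:
            findings.append(f"dangerous capability: {cap}")
    return findings


# Constructed excerpt of the profile above (same rules, shortened).
PAGE_PROFILE = """\
# Last Modified: Thu Jun 3 01:52:13 2010
#include <tunables/global>

/usr/sbin/hiawatha {
  #include <abstractions/base>
  #include <abstractions/php5>

  capability setgid,
  capability setuid,

  /bin/dash rix,
  /etc/hiawatha/** r,
  owner /tmp/** rwk,
  /usr/bin/php5-cgi rix,
  /usr/sbin/cgi-wrapper rix,
  /var/www/ r,
  # /var/www/** rwk, (is for general settings. The following 2 lines are for Banshee only.)
  /var/www/** rk,
  /var/www/banshee/logfiles/** rw,
  owner /var/log/hiawatha/** w,
  /var/log/hiawatha/** r,
}
"""

# The same excerpt with the "general settings" line active instead of the Banshee pair.
LOOSE_PROFILE = PAGE_PROFILE.replace("  /var/www/** rk,\n", "  /var/www/** rwk,\n")

if __name__ == "__main__":
    print("page profile:", audit(PAGE_PROFILE) or ["OK"])
    print("loose profile:", audit(LOOSE_PROFILE) or ["OK"])
```
<br />
The commented-out <code>/var/www/** rwk</code> line is exactly the kind of change this catches: uncommenting it lets the PHP process rewrite the whole document root, which undoes the root:root ownership set in Step 11a.<br />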
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To disable this profile :<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
To re-enable this profile after it has been disabled :<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now, your Hiawatha is very secure but I would like to make it more secure. The cgi-wrapper binary is installed with the setuid bit set; this step drops that bit and grants the wrapper only the two capabilities it needs to switch user and group.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Remove the setuid bit and apply file capabilities to cgi-wrapper.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Repeat this step whenever logwatch is updated or upgraded, because the upgrade overwrites the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root .   # "." also covers dotfiles, which "*" would skip</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL (Optional)</b><br />
<br />
You can fine-tune MySQL by following this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" in the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", consider switching the AppArmor profile to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, update the profile from the logged events and switch AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is needed because the <code>usr.sbin.hiawatha</code> profile above may not match your setup 100%.<br />
<br />
<u>To harden your Hiawatha web server further, consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also enable a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw is not installed on your server, install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider placing your web server behind the free service at <a href="https://www.cloudflare.com/">Cloudflare</a>. The main point is that you can manage the DNS yourself and have a fixed IP address.<br />
<br />
<b>Optional #4 :</b><br />
<br />
Consider installing <a href="http://samiux.blogspot.hk/2013/01/howto-suricata-on-ubuntu-1204-lts-server.html">Suricata IPS</a> on your server.<br />
<br />
That's all! See you.
Samiux<br>
<br>
<b>HOWTO : Upgrade to Hiawatha 8.6 on Ubuntu Server 12.04 LTS</b><br>
Published 2012-11-08T18:40:00.002+08:00, updated 2012-12-01T00:19:20.589+08:00, by Samiux.<br>
<br>
<b>Upgrade to Hiawatha 8.6</b><br>
<br>
If you are upgrading from a previous version of Hiawatha to version 8.6, follow only the steps below.<br>
<br>
Download the source code of Hiawatha and compile. Then install the package as normal.<br>
<br>
<code>sudo apt-get install php5-fpm</code><br>
<br>
<code>sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf</code><br />
<br>
Disable the php-fcgi :<br />
<br />
<code>sudo update-rc.d -f php-fcgi remove</code><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br>
<br>
Go to the following section and change "ConnectTo = 127.0.0.1:2005" to "ConnectTo = 127.0.0.1:9000".<br>
<br>
The entries at <code>COMMON GATEWAY INTERFACE (CGI) SETTINGS</code> should look like this.<br />
<br />
<code>CGIhandler = /usr/bin/perl:pl<br />
CGIhandler = /usr/bin/php5-cgi:php<br />
CGIhandler = /usr/bin/python:py<br />
CGIhandler = /usr/bin/ruby:rb<br />
CGIhandler = /usr/bin/ssi-cgi:shtml<br />
CGIextension = cgi</code><br />
<br />
<code>FastCGIserver {<br />
FastCGIid = PHP5<br />
ConnectTo = 127.0.0.1:9000<br />
Extension = php, php5<br />
SessionTimeout = 30<br />
}</code><br />
<br>
Set the php-fpm.conf file :<br />
<br />
Append the following to the php-fpm.conf.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen = 127.0.0.1:9000</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chroot = /var/www/</code><br />
<code>chdir = /</code><br />
<br />
<code>sudo /etc/init.d/hiawatha restart</code><br>
<br />
That's all! See you.<br>
<br>Samiux<br>
<br>
<b>HOWTO : Highest secured Hiawatha Web Server 8.6 on Ubuntu 12.04 LTS Server</b><br>
Published 2012-11-01T17:40:00.002+08:00, updated 2012-11-29T01:50:47.805+08:00, by Samiux.<br>
<br>
<a href="http://secure-ubuntu-server.blogspot.com/2012/11/howto-upgrade-to-hiawatha-86-on-ubuntu.html">Upgrade to Hiawatha 8.6</a><br>
<br>
<a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a secure and fast web server. It supports PHP, Perl, Python and Ruby, and it is lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
For performance figures, please refer to the study by SaltwaterC <a href="http://www.hiawatha-webserver.org/files/PHP_web_serving_study.pdf">here</a>.<br />
<br />
This tutorial describes how to set up a highly secured web server. Apply the steps marked "Optional" below as well to get the most hardened configuration.<br />
<br />
Since version 8.3, Hiawatha has shipped reverse proxy and WebDAV features. The WebDAV support (which arrived in version 8.2) can be used for <a href="http://owncloud.org/" target="_blank">ownCloud</a>, for example.<br />
<br />
Updated : <br />
<br />
According to the author of Hiawatha, ownCloud 4.5.1 runs flawlessly on Hiawatha, and the xcache errors are easy to fix :<br />
<br />
<code>Hugo Leisink 27 October 2012, 11:04</code><br />
<code>I've got 4.5.1 up and running. Don't use any URL rewriting. To get rid of the xcache errors, in lib/cache/xcache, replace the lines 27, 34 and 39 with 'return false'. Now it all looks OK.</code><br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 12.04 LTS</code>.<br />
<br />
Bring the freshly installed system up to date.<br />
<br />
<code>sudo apt-get update<br />sudo apt-get upgrade<br />sudo apt-get dist-upgrade</code><br />
<br />
Enable unattended upgrades so that updates are applied automatically as they are published. Alternatively, create a cron job later that updates the system on a schedule of your choosing.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5 and MySQL</b><br />
<br />
<code>sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd php5-fpm</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the build dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.9.tar.gz<br />tar -xvzf cmake-2.8.9.tar.gz<br />cd cmake-2.8.9<br />./configure<br />make<br />sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 8.6).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-8.6.tar.gz<br />tar -xzvf hiawatha-8.6.tar.gz<br />cd hiawatha-8.6/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_8.6_amd64.deb</code><br />
<br />
or<br />
<br />
<code>sudo dpkg -i hiawatha_8.6_i386.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings make PHP5 more secure. Note that this is the CGI php.ini; php-fpm (Step 4) reads <code>/etc/php5/fpm/php.ini</code>, so repeat these changes there.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Change the following settings :<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />
log_errors = On<br />
allow_url_fopen = Off<br />
safe_mode = On<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1 <br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />
cgi.fix_pathinfo = 0<br />
</code>
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 at this moment. With it enabled, a request such as <code>/uploads/image.png/x.php</code> makes PHP strip path components until it finds an existing file and then execute <code>image.png</code> as PHP, which turns an innocent file upload into code execution.<br />
<br />
*** Ubuntu 12.04 LTS already ships a <code>disable_functions</code> list in php.ini; append the list above to the end of the existing one rather than replacing it. Note that <code>escapeshellarg</code> and <code>escapeshellcmd</code> are sanitisers, not execution primitives, so disabling them gains nothing once <code>system</code>, <code>exec</code>, <code>shell_exec</code> and <code>passthru</code> are blocked, while <code>popen</code> and <code>proc_open</code>, which do spawn processes, are missing from the list and should be added.<br />
<br />
*** Some PHP applications require <code>safe_mode = Off</code>. Be aware that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; it was never a real security boundary, so rely on file-system permissions, <code>disable_functions</code> and the CGI wrapper (Step 7) rather than on this setting.<br />
<br />
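As an added check (example code written for this page, not part of the original post or of PHP), the following POSIX shell script reads a php.ini and reports every Step 3a setting that is not applied, including the exec-family functions that must appear in <code>disable_functions</code>. It handles plain uncommented <code>key = value</code> lines, the last occurrence of a key winning as in PHP; values followed by an inline comment are not parsed. The php.ini paths in the usage line and the inclusion of <code>popen</code> and <code>proc_open</code> are this example's own choices.<br />
<br />
```shell
#!/bin/sh
# php.ini audit for the Step 3a hardening (added example, not from the original post).
# Parses plain "key = value" lines, skips ";" comment lines, last occurrence of a key wins.

# php_ini_get FILE KEY: print the effective value of KEY in FILE (empty if unset).
php_ini_get() {
    awk -v k="$2" '
        /^[ \t]*;/ { next }                 # comment line
        { n = index($0, "=") }
        n == 0 { next }                     # section header or blank line
        {
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) last = val        # later definitions override earlier ones
        }
        END { print last }
    ' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# php_ini_audit FILE: print each deviation from the hardened values; return 1 if any.
php_ini_audit() {
    file=$1
    rc=0
    # Settings from Step 3a (safe_mode is left out: deprecated in 5.3, removed in 5.4).
    for want in display_errors=Off log_errors=On allow_url_fopen=Off \
                expose_php=Off enable_dl=Off session.cookie_httponly=1 \
                cgi.fix_pathinfo=0; do
        key=${want%%=*}
        val=${want#*=}
        got=$(php_ini_get "$file" "$key")
        if [ "$(lower "$got")" != "$(lower "$val")" ]; then
            echo "$key = ${got:-(unset)} (want $val)"
            rc=1
        fi
    done
    # Process-spawning functions that must be listed in disable_functions.
    # popen and proc_open are not in the post's list but spawn processes just like exec.
    disabled=",$(php_ini_get "$file" disable_functions | tr -d ' '),"
    for fn in system exec shell_exec passthru popen proc_open; do
        case $disabled in
            *",$fn,"*) ;;
            *) echo "disable_functions lacks $fn"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage (paths for Ubuntu 12.04 are assumptions):
#   sh php_ini_audit.sh /etc/php5/cgi/php.ini
#   sh php_ini_audit.sh /etc/php5/fpm/php.ini
if [ $# -gt 0 ]; then
    php_ini_audit "$1"
fi
```
Run it against both the CGI and the FPM php.ini, since php-fpm does not read <code>/etc/php5/cgi/php.ini</code>; a non-zero exit code means at least one hardening setting is missing.<br />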
<b>Step 4 - Configure php-fpm</b><br />
<br />
<b>*** If you just upgrade to Hiawatha 8.6 from 8.5, please refer to <a href="http://secure-ubuntu-server.blogspot.com/2012/11/howto-upgrade-to-hiawatha-86-on-ubuntu.html">here</a>. ***</b><br />
<br />
Append the following to php-fpm.conf. On Ubuntu 12.04 the <code>[www]</code> pool is already defined in <code>/etc/php5/fpm/pool.d/www.conf</code>, which php-fpm.conf includes; editing the values there instead avoids defining the same pool twice. Because the pool listens on TCP and FastCGI has no authentication of its own, also set <code>listen.allowed_clients = 127.0.0.1</code> so that only local clients are accepted. With <code>chroot = /var/www/</code>, PHP resolves every path inside the jail, so the MySQL Unix socket under <code>/var/run/mysqld</code> is unreachable and applications must connect to <code>127.0.0.1</code>.<br />
<br />
<code>sudo nano /etc/php5/fpm/php-fpm.conf</code><br />
<br />
<code>[www]</code><br />
<code>user = www-data</code><br />
<code>group = www-data</code><br />
<code>listen = 127.0.0.1:9000</code><br />
<code>pm = static</code><br />
<code>pm.max_children = 100</code><br />
<code>chroot = /var/www/</code><br />
<code>chdir =/</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Uncomment <code>ServerId</code> at <code>GENERAL SETTINGS</code>.<br />
<br />
<code>ServerId = www-data</code><br />
<br />
Uncomment the following entries at <code>BINDING SETTINGS</code>.<br />
<br />
<code>Binding {<br />
Port = 80<br />
# Interface = 127.0.0.1<br />
MaxKeepAlive = 30<br />
TimeForRequest = 3,20<br />
}</code><br />
<br />
<b>Step 5a (Optional for security purpose) :</b><br />
<br />
Add the following lines at the <code>GENERAL SETTINGS</code>. <br />
<br />
<code>ConnectionsTotal = 1000<br />
ConnectionsPerIP = 30<br />
SystemLogfile = /var/log/hiawatha/system.log<br />
GarbageLogfile = /var/log/hiawatha/garbage.log<br />
ExploitLogfile = /var/log/hiawatha/exploit.log</code><br />
<br />
<code>LogFormat = extended<br />
ServerString = Apache<br />
CGIwrapper = /usr/sbin/cgi-wrapper</code><br />
<br />
Set the following entries at <code>BANNING SETTINGS</code>. <br />
<br />
<code>BanOnGarbage = 300<br />
BanOnMaxPerIP = 300<br />
BanOnMaxReqSize = 300<br />
BanOnTimeout = 300<br />
KickOnBan = yes<br />
RebanDuringBan = yes</code><br />
<br />
<code>BanOnDeniedBody = 300<br />
BanOnSQLi = 300<br />
BanOnFlooding = 30/1:300<br />
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1<br />
BanOnInvalidURL = 300</code><br />
<br />
<code>ReconnectDelay = 3</code><br />
<code>#Reverse Proxy </code><br />
<code>HideProxy = 127.0.0.1 </code><br />
<code>MaxServerLoad = 0.8</code><br />
<br />
<b>Step 5b :</b><br />
<br />
The entries at <code>COMMON GATEWAY INTERFACE (CGI) SETTINGS</code> should be looking like this.<br />
<br />
<code>CGIhandler = /usr/bin/perl:pl<br />
CGIhandler = /usr/bin/php5-cgi:php<br />
CGIhandler = /usr/bin/python:py<br />
CGIhandler = /usr/bin/ruby:rb<br />
CGIhandler = /usr/bin/ssi-cgi:shtml<br />
CGIextension = cgi</code><br />
<br />
<code>FastCGIserver {<br />
FastCGIid = PHP5<br />
ConnectTo = 127.0.0.1:9000<br />
Extension = php, php5<br />
SessionTimeout = 30<br />
}</code><br />
<br />
<b>Step 5c :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code> with the following content.<br />
<br />
<code>VirtualHost {<br />
Hostname = www.mysite.com, mysite.com<br />
WebsiteRoot = /var/www/mysite<br />
StartFile = index.php<br />
AccessLogfile = /var/log/hiawatha/access.log<br />
ErrorLogfile = /var/log/hiawatha/error.log<br />
TimeForCGI = 15<br />
# UseFastCGI = PHP5<br />
UseToolkit = banshee</code><br />
<code> # if ownCloud or alike is installed, otherwise, it should be "no" </code><br />
<code> WebDAVapp = yes<br />
# <script .. </script><br />
# e.g. <script>alert("xss");</script><br />
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$<br />
DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$<br />
DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$<br />
DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$<br />
DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$<br />
DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$<br />
# <meta .. /><br />
# e.g. <meta http-equiv="refresh" content='0; URL=http://some.domain"/><br />
DenyBody = ^.*%3Cmeta.*%2F%3E.*$<br />
DenyBody = ^.*%3CMETA.*%2F%3E.*$<br />
DenyBody = ^.*%3CMeTa.*%2F%3E.*$<br />
DenyBody = ^.*%3CmEtA.*%2F%3E.*$<br />
# <iframe .. /><br />
DenyBody = ^.*%3Ciframe.*%2F%3E.*$<br />
DenyBody = ^.*%3CIFRAME.*%2F%3E.*$<br />
# Null Byte<br />
DenyBody = ^.*(it cannot be displayed here).*$<br />
ExecuteCGI = yes<br />
PreventCSRF = yes<br />
PreventSQLi = yes<br />
PreventXSS = yes<br />
DenyBot = Googlebot:/<br />
DenyBot = twiceler:/<br />
DenyBot = MSNBot:/<br />
DenyBot = yahoo:/<br />
DenyBot = BaiDuSpider:/<br />
DenyBot = Ask:/<br />
DenyBot = Yahoo! Slurp:/<br />
DenyBot = Sogou web spider:/<br />
DenyBot = Sogou-Test-Spider:/<br />
DenyBot = Baiduspider+:/<br />
DenyBot = Yandex:/<br />
DenyBot = UniversalFeedParser:/<br />
DenyBot = Mediapartners-Google:/<br />
DenyBot = Sosospider+:/<br />
DenyBot = YoudaoBot:/<br />
DenyBot = ParchBot:/<br />
DenyBot = Curl:/<br />
DenyBot = msnbot:/<br />
DenyBot = NaverBot:/<br />
DenyBot = taptubot:/<br />
WrapCGI = jail_mysite<br />
}</code><br />
<br />
*** You can leave out the "<code>DenyBot</code>" entries if you want search engines to index your site.<br />
<br />
*** If you do not implement Step 7 below, do not add "<code>WrapCGI = jail_mysite</code>"; the name must match the <code>Wrap</code> entry in <code>cgi-wrapper.conf</code>.<br />
<br />
*** <code>UseFastCGI = PHP5</code> is commented out above. Uncomment it if PHP requests should go to the php-fpm pool from Step 4; while it is commented out, Hiawatha runs <code>.php</code> files through the <code>/usr/bin/php5-cgi</code> CGI handler instead. Note that <code>WrapCGI</code> only covers that CGI path: the wrapper is never involved in FastCGI requests, where php-fpm's own user, group and chroot settings apply.<br />
<br />
*** Set "<code>PreventSQLi</code>" to "<code>yes</code>" when your web application is vulnerable to SQL injection and you cannot fix it yet. It is a stop-gap in front of the application, not a replacement for parameterised queries.<br />
<br />
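The <code>DenyBody</code> rules above are hand-written regular expressions, and the six <code>&lt;script&gt;</code> lines enumerate case variants one by one. The following added example (written for this page, not taken from the post or from Hiawatha) runs those six patterns, exactly as listed, against constructed request bodies with <code>grep -E</code>, which uses POSIX extended regular expressions like Hiawatha's <code>regcomp()</code>-based matcher. It assumes DenyBody matching is case-sensitive, which is the only reason to list case variants at all; confirm that against your own Hiawatha build. The single bracket-class pattern it compares against is this example's proposal, not a rule from the post.<br />
<br />
```shell
#!/bin/sh
# DenyBody coverage check (added example, not from the original post).
# grep -E uses POSIX extended regular expressions, the same family as Hiawatha's
# regcomp()-based DenyBody. Case-sensitive matching is assumed, as the post's six
# case variants imply.

# The six <script> DenyBody patterns exactly as written in the VirtualHost above.
PAGE_PATTERNS='^.*%3Cscript.*%3C%2Fscript%3E.*$
^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$
^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$
^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$
^.*%3CSCRIPT.*%3C%2Fscript%3E.*$
^.*%3Cscript.*%3C%2FSCRIPT%3E.*$'

# Proposed replacement (not from the post): bracket classes cover every case mix of
# the tag name and of the percent-encoded hex digits (%3c as well as %3C) in one line.
HARDENED_PATTERN='^.*%3[cC][sS][cC][rR][iI][pP][tT].*%3[cC]%2[fF][sS][cC][rR][iI][pP][tT]%3[eE].*$'

# matches PATTERNS BODY: status 0 if any newline-separated pattern matches BODY,
# i.e. the request would be answered with 403 by DenyBody.
matches() {
    alternation=$(printf '%s' "$1" | tr '\n' '|')
    printf '%s\n' "$2" | grep -Eq -- "$alternation"
}

page_denies()     { matches "$PAGE_PATTERNS" "$1"; }
hardened_denies() { matches "$HARDENED_PATTERN" "$1"; }

# verdict BODY: show what each rule set does with one constructed request body.
verdict() {
    page=allowed; hard=allowed
    page_denies "$1" && page=DENIED
    hardened_denies "$1" && hard=DENIED
    printf '%-48s page rules: %-7s hardened: %s\n' "$1" "$page" "$hard"
}

# Constructed bodies: the post's own example, a case mix the post does not list,
# lowercase hex encoding, and a raw body (multipart or JSON style) with no URL encoding.
verdict 'comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E'
verdict 'comment=%3CsCRipt%3Ealert(1)%3C%2FsCRipt%3E'
verdict 'comment=%3cscript%3ealert(1)%3c%2fscript%3e'
verdict '<script>alert(1)</script>'
```
The first body is denied by both rule sets, the second and third slip past the six listed variants but not past the bracket-class pattern, and the fourth is caught by neither: patterns written for percent-encoded form data say nothing about multipart or JSON bodies, so body regexes are a tripwire for the obvious payloads rather than an XSS defence, and the application still has to encode its output.<br />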
To disable this virtual host, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and restart Hiawatha.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
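Restarting straight after a move means a typo in a virtual host file takes the whole server down. The following added script (written for this page, not part of the post or of Hiawatha) wraps the enable/disable move from the step above: it moves the file, runs Hiawatha's configuration check (<code>hiawatha -k</code>), restarts only if the check passes, and moves the file back otherwise. The directory layout is the one from Step 5c; the three variables at the top can be overridden, and their defaults are assumptions.<br />
<br />
```shell
#!/bin/sh
# Enable/disable a Hiawatha virtual host safely (added example, not from the original post).
# Moves the vhost file between enable-sites/ and disable-sites/ (the layout from Step 5c),
# checks the configuration, and restarts Hiawatha only if the check passes; on failure the
# file is moved back so a broken vhost file never takes the server offline.
# These defaults are assumptions and may be overridden from the environment.
HIAWATHA_ETC=${HIAWATHA_ETC:-/etc/hiawatha}
HIAWATHA_CHECK=${HIAWATHA_CHECK:-"hiawatha -k -c $HIAWATHA_ETC"}
HIAWATHA_RESTART=${HIAWATHA_RESTART:-"/etc/init.d/hiawatha restart"}

# move_site NAME FROM TO: move one vhost file, verify the configuration, roll back on failure.
move_site() {
    name=$1
    src="$HIAWATHA_ETC/$2/$name"
    dst="$HIAWATHA_ETC/$3/$name"
    if [ ! -f "$src" ]; then
        echo "no such site file: $src" >&2
        return 1
    fi
    mv -- "$src" "$dst" || return 1
    if $HIAWATHA_CHECK; then
        $HIAWATHA_RESTART
    else
        echo "configuration check failed, moving $name back to $2" >&2
        mv -- "$dst" "$src"
        return 1
    fi
}

# ensite NAME / dissite NAME: the two directions of the move.
ensite()  { move_site "$1" disable-sites enable-sites; }
dissite() { move_site "$1" enable-sites disable-sites; }

# Usage: sh site.sh enable mysite.com   or   sh site.sh disable mysite.com
case "${1:-}" in
    enable)  ensite "$2" ;;
    disable) dissite "$2" ;;
esac
```
Because both directories live on the same filesystem, the <code>mv</code> is atomic and the rollback leaves the configuration exactly as it was; the check runs against the full <code>/etc/hiawatha</code> tree, so it also catches mistakes made elsewhere since the last restart.<br />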
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Run the following command, then use the web site normally for a while, a week or so, so that AppArmor can log everything Hiawatha needs to access.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About a week later, or as soon as the web site misbehaves, run the following command to update the profile from the logged events, and reload the profile afterwards.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; edit yours to match.<br />
<br />
<code># Last Modified: Thu Jun 3 01:52:13 2010<br />#include <tunables/global></code><br />
<br />
<code>/usr/sbin/hiawatha {<br />
#include <abstractions/apache2-common><br />
#include <abstractions/base><br />
#include <abstractions/nameservice><br />
#include <abstractions/php5></code><br />
<br />
<code> capability chown,<br />
capability dac_override,<br />
capability fowner,<br />
capability fsetid,<br />
capability setgid,<br />
capability setuid,</code><br />
<br />
<code> /bin/dash rix,<br />
/etc/ImageMagick/policy.xml r,<br />
owner /etc/hiawatha/ r,<br />
/etc/hiawatha/** r,<br />
/etc/host.conf r,<br />
/etc/hosts r,<br />
/etc/mailname r,<br />
/etc/nsswitch.conf r,<br />
owner /etc/passwd r,<br />
/etc/php5/ r,<br />
/etc/php5/** r,<br />
/etc/postfix/** r,<br />
/etc/protocols r,<br />
/etc/resolv.conf r,<br />
/etc/services r,<br />
/etc/snmp/snmp.conf r,<br />
/proc/*/auxv r,<br />
/sys/devices/system/cpu/ r,<br />
owner /tmp/** rwk,<br />
/usr/bin/php5-cgi rix,<br />
/usr/lib/postfix/cleanup rix,<br />
/usr/lib{,32,64}/** mr,<br />
/usr/sbin/cgi-wrapper rix,<br />
/usr/sbin/postdrop rix,<br />
/usr/sbin/sendmail rix,<br />
/usr/share/ r,<br />
/usr/share/** r,<br />
/var/www/ r,<br />
# /var/www/** rwk, (is for general settings. The following 2 lines are for Banshee only.)<br />
/var/www/** rk,<br />
/var/www/banshee/logfiles/** rw,<br />
/var/lib/ r,<br />
owner /var/lib/php5/** rw,<br />
/var/lib/** r,<br />
/var/lib/*/ rw,<br />
/var/lib/hiawatha/** rw,<br />
owner /var/log/hiawatha/** w,<br />
/var/log/hiawatha/** r,<br />
owner /var/run/ r,<br />
owner /var/run/** w,<br />
/var/run/** r,<br />
owner /run/ r,<br />
owner /run/** w,<br />
/run/** r,<br />
/var/spool/postfix/** rw,<br />
/var/spool/postfix/pid/** wk,<br />
}</code><br />
<br />
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you change the profile, reload it.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile.<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled.<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Hiawatha is now well locked down; this step goes one step further by replacing the setuid-root bit on cgi-wrapper with only the two capabilities it needs.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply file capabilities to cgi-wrapper and drop its setuid bit.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
Two caveats. A process holding <code>cap_setuid</code> and <code>cap_setgid</code> can still switch to uid 0, so this mainly strips the other root capabilities a setuid-root binary would carry rather than the ability to become root. And if your <code>Wrap</code> entry in Step 7 chroots into a directory, <code>chroot(2)</code> also requires <code>cap_sys_chroot</code>, so test a CGI request after applying this. Reinstalling or upgrading the Hiawatha package replaces the binary, which restores the setuid bit and loses the file capabilities, so repeat this step after upgrades.<br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make the LogWatch to know your Hiawatha webserver's log files.<br />
<br />
Please make sure to re-do this step when the logwatch is updated or upgraded as it will overwrite the configure file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* "<code>php-fcgi.log</code>" and "<code>system.log</code>" leave them untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and change the ownership of the directory and everything under it to root:root, so that the web server user cannot modify the application code. Only directories the application genuinely has to write to (uploads, caches) should be owned by www-data.<br />
<br />
<code>sudo chown -R root:root /var/www/mysite</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL (Optional)</b><br />
<br />
You can fine tune the MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Setup a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to setup a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the url rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a><br />
<br />
Make sure you add "UseToolkit" at the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a><br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a><br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", you may consider to make the Apparmor to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days browsing the website, you may consider to turn the Apparmor to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile above may not match your setup exactly.<br />
<br />
<u>To harden your Hiawatha web server further, consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a>.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also enable a firewall on your router or on the Hiawatha web server itself with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw does not exist in your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider placing your web server behind the free service of <a href="https://www.cloudflare.com/">Cloudflare</a>. The main point is that you can manage the DNS yourself and have a fixed IP address.<br />
<br />
That's all! See you.
Samiuxhttp://www.blogger.com/profile/18065979766005810905noreply@blogger.comtag:blogger.com,1999:blog-5719460944195273704.post-83098847747267834702012-09-26T01:47:00.000+08:002012-11-01T17:36:31.001+08:00HOWTO : Highest secured Hiawatha Web Server 8.5 on Ubuntu 12.04 LTS Server <a href="http://www.hiawatha-webserver.org/">Hiawatha</a> is a secure and fast web server. It supports PHP, Perl, Python and Ruby, and it is lightweight and easy to configure and set up. How secure? Please refer to the <a href="http://www.hiawatha-webserver.org/features">features</a> of Hiawatha.<br />
<br />
For performance figures, please refer to the study by SaltwaterC <a href="http://www.hiawatha-webserver.org/files/PHP_web_serving_study.pdf">here</a>.<br />
<br />
This tutorial describes how to set up a highly secured web server. Apply the steps marked "Optional" below as well to get the most hardened configuration.<br />
<br />
Since version 8.3, Hiawatha has shipped reverse proxy and WebDAV features. The WebDAV support (which arrived in version 8.2) can be used for <a href="http://owncloud.org/" target="_blank">ownCloud</a>, for example.<br />
<br />
Updated : <br />
<br />
According to the author of Hiawatha, ownCloud 4.5.1 runs flawlessly on Hiawatha, and the xcache errors are easy to fix :<br />
<br />
<code>Hugo Leisink 27 October 2012, 11:04</code><br />
<code>I've got 4.5.1 up and running. Don't use any URL rewriting. To get rid of the xcache errors, in lib/cache/xcache, replace the lines 27, 34 and 39 with 'return false'. Now it all looks OK.</code><br />
<br />
<b>Prerequisite</b><br />
<br />
Select <code>OpenSSH</code> and <code>Mail Server</code> when installing <code>Ubuntu Server 12.04 LTS</code>.<br />
<br />
Bring the freshly installed system up to date.<br />
<br />
<code>sudo apt-get update<br />sudo apt-get upgrade<br />sudo apt-get dist-upgrade</code><br />
<br />
Enable unattended upgrades so that updates are applied automatically as they are published. Alternatively, create a cron job later that updates the system on a schedule of your choosing.<br />
<br />
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.<br />
<br />
<b>Step 1 - Installation of PHP5 and MySQL</b><br />
<br />
<code>sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd</code><br />
<br />
<b>Step 2 - Installation of Hiawatha</b><br />
<br />
Install the build dependencies for Hiawatha.<br />
<br />
<code>sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev</code><br />
<br />
Download the latest version of CMake at http://www.cmake.org/<br />
<br />
<code>wget http://www.cmake.org/files/v2.8/cmake-2.8.9.tar.gz<br />tar -xvzf cmake-2.8.9.tar.gz<br />cd cmake-2.8.9<br />./configure<br />make<br />sudo make install</code><br />
<br />
Download the latest version of Hiawatha (the current version at this writing is 8.5).<br />
<br />
<code>wget http://www.hiawatha-webserver.org/files/hiawatha-8.5.tar.gz<br />tar -xzvf hiawatha-8.5.tar.gz<br />cd hiawatha-8.5/extra</code><br />
<br />
<code>./make_debian_package</code><br />
<br />
<code>cd ..</code><br />
<br />
<code>sudo dpkg -i hiawatha_8.5_amd64.deb</code><br />
<br />
or<br />
<br />
<code>sudo dpkg -i hiawatha_8.5_i386.deb</code><br />
<br />
<b>Step 3 - Configure PHP5</b><br />
<br />
The following settings make PHP5 more secure.<br />
<br />
<code>sudo nano /etc/php5/cgi/php.ini</code><br />
<br />
Change the following settings :<br />
<br />
<code>cgi.rfc2616_headers = 1<br /><br />zlib.output_compression = On<br />zlib.output_compression_level = 6</code><br />
<br />
<b>Step 3a - Configure PHP5 (Optional for security purpose)</b><br />
<br />
<code>display_errors = Off<br />
log_errors = On<br />
allow_url_fopen = Off<br />
safe_mode = On<br />
expose_php = Off<br />
enable_dl = Off<br />
session.cookie_httponly = 1<br />
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd<br />
cgi.fix_pathinfo = 0</code><br />
<br />
*** According to the <a href="http://www.hiawatha-webserver.org/weblog/23">author of Hiawatha</a>, <code>cgi.fix_pathinfo</code> should be set to 0 at this moment. With it enabled, a request such as <code>/uploads/image.png/x.php</code> makes PHP strip path components until it finds an existing file and then execute <code>image.png</code> as PHP, which turns an innocent file upload into code execution.<br />
<br />
*** Ubuntu 12.04 LTS already ships a <code>disable_functions</code> list in php.ini; append the list above to the end of the existing one rather than replacing it. Note that <code>escapeshellarg</code> and <code>escapeshellcmd</code> are sanitisers, not execution primitives, so disabling them gains nothing once <code>system</code>, <code>exec</code>, <code>shell_exec</code> and <code>passthru</code> are blocked, while <code>popen</code> and <code>proc_open</code>, which do spawn processes, are missing from the list and should be added.<br />
<br />
*** Some PHP applications require <code>safe_mode = Off</code>. Be aware that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; it was never a real security boundary, so rely on file-system permissions, <code>disable_functions</code> and the CGI wrapper (Step 7) rather than on this setting.<br />
<br />
<b>Step 4 - Configure php-fcgi (PHP's FastCGI)</b><br />
<br />
<code>sudo nano /etc/hiawatha/php-fcgi.conf</code><br />
<br />
Uncomment the following line and edit it to read as below. The fields are the PHP CGI binary, the number of PHP processes to start, the address php-fcgi listens on (which must match <code>ConnectTo</code> in Step 5b), the user to run as, and the php.ini to load.<br />
<br />
<code>Server = /usr/bin/php5-cgi ; 3; 127.0.0.1:2005 ; www-data ; /etc/php5/cgi/php.ini</code><br />
<br />
<code>sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf</code><br />
<br />
If you make any change on <code>php-fcgi.conf</code>, make sure to restart it by the following commands.<br />
<br />
<code>sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf<br />sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf</code><br />
<br />
<b>Step 5 - Configure Hiawatha (Part 1)</b><br />
<br />
<code>sudo nano /etc/hiawatha/hiawatha.conf</code><br />
<br />
Uncomment <code>ServerId</code> at <code>GENERAL SETTINGS</code>.<br />
<br />
<code>ServerId = www-data</code><br />
<br />
Uncomment the following entries at <code>BINDING SETTINGS</code>.<br />
<br />
<code>Binding {<br />
Port = 80<br />
# Interface = 127.0.0.1<br />
MaxKeepAlive = 30<br />
TimeForRequest = 3,20<br />
}</code><br />
<br />
<b>Step 5a (Optional for security purpose) :</b><br />
<br />
Add the following lines at the <code>GENERAL SETTINGS</code>. <br />
<br />
<code>ConnectionsTotal = 1000<br />
ConnectionsPerIP = 30<br />
SystemLogfile = /var/log/hiawatha/system.log<br />
GarbageLogfile = /var/log/hiawatha/garbage.log<br />
ExploitLogfile = /var/log/hiawatha/exploit.log</code><br />
<br />
<code>LogFormat = extended<br />
ServerString = Apache<br />
CGIwrapper = /usr/sbin/cgi-wrapper</code><br />
<br />
Set the following entries at <code>BANNING SETTINGS</code>. <br />
<br />
<code>BanOnGarbage = 300<br />
BanOnMaxPerIP = 300<br />
BanOnMaxReqSize = 300<br />
BanOnTimeout = 300<br />
KickOnBan = yes<br />
RebanDuringBan = yes</code><br />
<br />
<code>BanOnDeniedBody = 300<br />
BanOnSQLi = 300<br />
BanOnFlooding = 30/1:300<br />
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1<br />
BanOnInvalidURL = 300</code><br />
<br />
<code>ReconnectDelay = 3</code><br />
<code>#Reverse Proxy </code><br />
<code>HideProxy = 127.0.0.1 </code><br />
<code>MaxServerLoad = 0.8</code><br />
<br />
<b>Step 5b :</b><br />
<br />
The entries at <code>COMMON GATEWAY INTERFACE (CGI) SETTINGS</code> should be looking like this.<br />
<br />
<code>CGIhandler = /usr/bin/perl:pl<br />
CGIhandler = /usr/bin/php5-cgi:php<br />
CGIhandler = /usr/bin/python:py<br />
CGIhandler = /usr/bin/ruby:rb<br />
CGIhandler = /usr/bin/ssi-cgi:shtml<br />
CGIextension = cgi</code><br />
<br />
<code>FastCGIserver {<br />
FastCGIid = PHP5<br />
ConnectTo = 127.0.0.1:2005<br />
Extension = php, php5<br />
SessionTimeout = 30<br />
}</code><br />
<br />
<b>Step 5c :</b><br />
<br />
Add the following line at <code>VIRTUAL HOSTS</code>.<br />
<br />
<code>Include /etc/hiawatha/enable-sites/</code><br />
<br />
* Make sure to create the directories <code>enable-sites</code> and <code>disable-sites</code> under <code>/etc/hiawatha</code>.<br />
<br />
<code>sudo mkdir /etc/hiawatha/enable-sites</code><br />
<code>sudo mkdir /etc/hiawatha/disable-sites</code><br />
<br />
<b>Step 6 - Configure Hiawatha (Part 2)</b><br />
<br />
If your domain is mysite.com, create a file named <code>mysite.com</code> at <code>/etc/hiawatha/enable-sites/mysite.com</code> with the following content.<br />
<br />
<code>VirtualHost {<br />
Hostname = www.mysite.com, mysite.com<br />
WebsiteRoot = /var/www/mysite<br />
StartFile = index.php<br />
AccessLogfile = /var/log/hiawatha/access.log<br />
ErrorLogfile = /var/log/hiawatha/error.log<br />
TimeForCGI = 15<br />
# UseFastCGI = PHP5<br />
UseToolkit = banshee</code><br />
<code> # if ownCloud or alike is installed, otherwise, it should be "no" </code><br />
<code> WebDAVapp = yes<br />
# <script .. </script><br />
# e.g. <script>alert("xss");</script><br />
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$<br />
DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$<br />
DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$<br />
DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$<br />
DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$<br />
DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$<br />
# <meta .. /><br />
# e.g. <meta http-equiv="refresh" content='0; URL=http://some.domain"/><br />
DenyBody = ^.*%3Cmeta.*%2F%3E.*$<br />
DenyBody = ^.*%3CMETA.*%2F%3E.*$<br />
DenyBody = ^.*%3CMeTa.*%2F%3E.*$<br />
DenyBody = ^.*%3CmEtA.*%2F%3E.*$<br />
# <iframe .. /><br />
DenyBody = ^.*%3Ciframe.*%2F%3E.*$<br />
DenyBody = ^.*%3CIFRAME.*%2F%3E.*$<br />
# Null Byte<br />
DenyBody = ^.*(it cannot be displayed here).*$<br />
ExecuteCGI = yes<br />
PreventCSRF = yes<br />
PreventSQLi = yes<br />
PreventXSS = yes<br />
DenyBot = Googlebot:/<br />
DenyBot = twiceler:/<br />
DenyBot = MSNBot:/<br />
DenyBot = yahoo:/<br />
DenyBot = BaiDuSpider:/<br />
DenyBot = Ask:/<br />
DenyBot = Yahoo! Slurp:/<br />
DenyBot = Sogou web spider:/<br />
DenyBot = Sogou-Test-Spider:/<br />
DenyBot = Baiduspider+:/<br />
DenyBot = Yandex:/<br />
DenyBot = UniversalFeedParser:/<br />
DenyBot = Mediapartners-Google:/<br />
DenyBot = Sosospider+:/<br />
DenyBot = YoudaoBot:/<br />
DenyBot = ParchBot:/<br />
DenyBot = Curl:/<br />
DenyBot = msnbot:/<br />
DenyBot = NaverBot:/<br />
DenyBot = taptubot:/<br />
WrapCGI = jail_mysite<br />
}</code><br />
<br />
*** You can leave out the "<code>DenyBot</code>" entries if you want search engines to index your site.<br />
<br />
*** If you do not implement Step 7 below, do not add "<code>WrapCGI = jail_mysite</code>"; the name must match the <code>Wrap</code> entry in <code>cgi-wrapper.conf</code>.<br />
<br />
*** <code>UseFastCGI = PHP5</code> is commented out above. Uncomment it if PHP requests should go to the php-fcgi server from Step 4; while it is commented out, Hiawatha runs <code>.php</code> files through the <code>/usr/bin/php5-cgi</code> CGI handler instead. Note that <code>WrapCGI</code> only covers that CGI path: the wrapper is never involved in FastCGI requests.<br />
<br />
*** Set "<code>PreventSQLi</code>" to "<code>yes</code>" when your web application is vulnerable to SQL injection and you cannot fix it yet. It is a stop-gap in front of the application, not a replacement for parameterised queries.<br />
<br />
To disable this virtual host, move "<code>mysite.com</code>" to <code>/etc/hiawatha/disable-sites/</code> and restart Hiawatha.<br />
<br />
<code>sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)</b><br />
<br />
<code>sudo nano /etc/hiawatha/cgi-wrapper.conf</code><br />
<br />
<code>CGIhandler = /usr/bin/perl<br />CGIhandler = /usr/bin/php5-cgi<br />CGIhandler = /usr/bin/python<br />CGIhandler = /usr/bin/ruby<br />CGIhandler = /usr/bin/ssi-cgi</code><br />
<br />
<code>Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data</code><br />
<br />
<b>Step 8 - Configure Apparmor (Optional for security purpose)</b><br />
<br />
Install the following packages :<br />
<br />
<code>sudo apt-get install apparmor-profiles apparmor-utils</code><br />
<br />
Run the following command, then use the web site normally for a while, a week or so, so that AppArmor can log everything Hiawatha needs to access.<br />
<br />
<code>sudo aa-genprof hiawatha</code><br />
<br />
About a week later, or as soon as the web site misbehaves, run the following command to update the profile from the logged events, and reload the profile afterwards.<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
Or, if you are impatient, you can edit the following file instead.<br />
<br />
<code>sudo nano /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
The content of <code>usr.sbin.hiawatha</code> should look like this; edit yours to match.<br />
<br />
<code># Last Modified: Thu Jun 3 01:52:13 2010<br />#include <tunables/global></code><br />
<br />
<code>/usr/sbin/hiawatha {<br />
#include <abstractions/apache2-common><br />
#include <abstractions/base><br />
#include <abstractions/nameservice><br />
#include <abstractions/php5></code><br />
<br />
<code> capability chown,<br />
capability dac_override,<br />
capability fowner,<br />
capability fsetid,<br />
capability setgid,<br />
capability setuid,</code><br />
<br />
<code> /bin/dash rix,<br />
/etc/ImageMagick/policy.xml r,<br />
owner /etc/hiawatha/ r,<br />
/etc/hiawatha/** r,<br />
/etc/host.conf r,<br />
/etc/hosts r,<br />
/etc/mailname r,<br />
/etc/nsswitch.conf r,<br />
owner /etc/passwd r,<br />
/etc/php5/ r,<br />
/etc/php5/** r,<br />
/etc/postfix/** r,<br />
/etc/protocols r,<br />
/etc/resolv.conf r,<br />
/etc/services r,<br />
/etc/snmp/snmp.conf r,<br />
/proc/*/auxv r,<br />
/sys/devices/system/cpu/ r,<br />
owner /tmp/** rwk,<br />
/usr/bin/php5-cgi rix,<br />
/usr/lib/postfix/cleanup rix,<br />
/usr/lib{,32,64}/** mr,<br />
/usr/sbin/cgi-wrapper rix,<br />
/usr/sbin/postdrop rix,<br />
/usr/sbin/sendmail rix,<br />
/usr/share/ r,<br />
/usr/share/** r,<br />
/var/www/ r,<br />
# /var/www/** rwk, (is for general settings. The following 2 lines are for Banshee only.)<br />
/var/www/** rk,<br />
/var/www/banshee/logfiles/** rw,<br />
/var/lib/ r,<br />
owner /var/lib/php5/** rw,<br />
/var/lib/** r,<br />
/var/lib/*/ rw,<br />
/var/lib/hiawatha/** rw,<br />
owner /var/log/hiawatha/** w,<br />
/var/log/hiawatha/** r,<br />
owner /var/run/ r,<br />
owner /var/run/** w,<br />
/var/run/** r,<br />
owner /run/ r,<br />
owner /run/** w,<br />
/run/** r,<br />
/var/spool/postfix/** rw,<br />
/var/spool/postfix/pid/** wk,<br />
}</code><br />
<br />
Make the profile in enforce mode (activate the above settings).<br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
If you have changed some settings, you should reload the profile.<br />
<br />
<code>sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to disable this profile :<br />
<br />
<code>sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/<br />sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
<br />
If you want to re-enable this profile after it has been disabled :<br />
<br />
<code>sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha<br />sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha</code><br />
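As an added example (not part of the original post), the following POSIX shell script summarises the AppArmor events that the kernel logs for the <code>/usr/sbin/hiawatha</code> profile, so you can see what <code>aa-logprof</code> will ask about before you switch to enforce mode. The log lines in it are constructed samples; on a real server you would pipe <code>/var/log/kern.log</code> (assumed location) into the functions instead.<br />

```shell
#!/bin/sh
# Added example: review AppArmor events for the hiawatha profile before aa-enforce.
# ALLOWED = the profile is in complain mode (aa-complain) and would have denied this;
# DENIED  = the profile is in enforce mode (aa-enforce) and blocked it.
# Constructed sample lines in the kernel audit format, not real log data:
SAMPLE_LOG='Jun  3 01:52:13 host kernel: audit: type=1400 audit(1275501133.101:11): apparmor="ALLOWED" operation="open" profile="/usr/sbin/hiawatha" name="/var/www/mysite/cache/page.html" pid=1201 comm="php-cgi" requested_mask="w" denied_mask="w" fsuid=33 ouid=33
Jun  3 01:52:14 host kernel: audit: type=1400 audit(1275501134.102:12): apparmor="ALLOWED" operation="open" profile="/usr/sbin/hiawatha" name="/var/www/mysite/cache/page.html" pid=1201 comm="php-cgi" requested_mask="w" denied_mask="w" fsuid=33 ouid=33
Jun  3 01:52:15 host kernel: audit: type=1400 audit(1275501135.103:13): apparmor="DENIED" operation="capable" profile="/usr/sbin/hiawatha" pid=1199 comm="hiawatha" capability=12 capname="net_admin"
Jun  3 01:52:16 host kernel: audit: type=1400 audit(1275501136.104:14): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/hiawatha" pid=1300 comm="apparmor_parser"
Jun  3 01:52:17 host kernel: audit: type=1400 audit(1275501137.105:15): apparmor="DENIED" operation="open" profile="/usr/sbin/hiawatha" name="/etc/shadow" pid=1201 comm="php-cgi" requested_mask="r" denied_mask="r" fsuid=33 ouid=0'

# Read log lines on stdin; print "<count> <status> <operation> <mask> <target>"
# for each distinct event, most frequent first. STATUS lines (profile loads) are skipped.
summarize_apparmor_events() {
  grep 'profile="/usr/sbin/hiawatha"' |
    grep -E 'apparmor="(DENIED|ALLOWED)"' |
    sed -E \
      -e 's/.*apparmor="([A-Z]+)".*operation="([a-z_]+)".*name="([^"]+)".*requested_mask="([^"]+)".*/\1 \2 \4 \3/' \
      -e 's/.*apparmor="([A-Z]+)".*operation="capable".*capname="([^"]+)".*/\1 capable - capability:\2/' |
    sort | uniq -c | sort -rn
}

# Turn the summary into candidate rule lines in the syntax of the profile above.
# These are for human review only: a CGI script reading /etc/shadow is something to
# investigate, not something to permit, while the cache directory write is a real gap.
suggest_rules() {
  summarize_apparmor_events |
    awk '$3 != "capable" { printf "  %s %s,\n", $5, $4 }
         $3 == "capable" { sub("capability:", "", $5); printf "  capability %s,\n", $5 }'
}

# Stand-alone run on the constructed sample; on a server use:
#   sudo summarize_apparmor_events < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | summarize_apparmor_events
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```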
<br />
<b>Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)</b><br />
<br />
Now your Hiawatha is very secure, but I would like to make it more secure.<br />
<br />
<code>sudo apt-get install libcap2-bin</code><br />
<br />
Apply Capabilities on cgi-wrapper.<br />
<br />
<code>sudo chmod u-s /usr/sbin/cgi-wrapper<br />sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper</code><br />
<br />
The result of getcap :<br />
<br />
<code>sudo getcap /usr/sbin/cgi-wrapper</code><br />
<br />
It will display :<br />
<code>/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep</code><br />
<br />
<b>Step 10 - Configure logwatch (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-logwatch-for-hiawatha-on-ubuntu.html">link</a> to make LogWatch aware of your Hiawatha web server's log files.<br />
<br />
Please make sure to redo this step when logwatch is updated or upgraded, as the update will overwrite the configuration file.<br />
<br />
<b>Step 11 - Change the ownership of the log files</b><br />
<br />
<code>cd /var/log/hiawatha<br />sudo chown www-data:www-data access.log<br />sudo chown www-data:www-data error.log<br />sudo chown www-data:www-data exploit.log<br />sudo chown www-data:www-data garbage.log<br />sudo chown root:root system.log</code><br />
<br />
* Leave "<code>php-fcgi.log</code>" and "<code>system.log</code>" untouched (root:root).<br />
<br />
<b>Step 11a - Change ownership of all directories and files at the /var/www/mysite</b><br />
<br />
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.<br />
<br />
<code>cd /var/www/mysite<br />sudo chown -R root:root *</code><br />
<br />
<b>Step 12 - Start, Stop and Restart Hiawatha</b><br />
<br />
<code>sudo /etc/init.d/hiawatha start<br />sudo /etc/init.d/hiawatha stop<br />sudo /etc/init.d/hiawatha restart</code><br />
<br />
<b>Step 13 - Performance tuning for MySQL (Optional)</b><br />
<br />
You can fine-tune MySQL as per this <a href="http://secure-ubuntu-server.blogspot.com/2011/03/howto-mysql-and-xcache-performance.html">link</a>.<br />
<br />
<b>Step 14 - Secure your Ubuntu Server in a passive way (Optional)</b><br />
<br />
Please refer to this <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-secure-your-ubuntu-server-in.html">link</a> to secure your server in a passive way.<br />
<br />
<b>Step 15 - Set up a FTP server on Ubuntu Server (Optional)</b><br />
<br />
This <a href="http://secure-ubuntu-server.blogspot.com/2011/05/howto-vsftpd-on-ubuntu-server-1104.html">link</a> shows you how to set up a vsFTPd server.<br />
<br />
<b>Step 16 - URL Rewrite rules (Optional)</b><br />
<br />
For the URL rewrite rules for your PHP applications, please refer to this <a href="http://www.hiawatha-webserver.org/howto/url_rewrite_rules">link</a>.<br />
<br />
Make sure you add "UseToolkit" in the VirtualHost section.<br />
<br />
<b>Step 17 - Send email to GMail via Postfix (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2010/12/howto-send-mail-to-gmail-by-postfix-on.html">link</a>.<br />
<br />
<b>Step 18 - Create normal user for MySQL or MariaDB (Optional)</b><br />
<br />
Please refer to this <a href="http://samiux.blogspot.com/2012/01/howto-create-normal-user-on-mysql-and.html">link</a>.<br />
<br />
<b>Remarks :</b><br />
<br />
If you encounter "<code>500 Internal Server Error</code>", you may consider switching AppArmor to "<code>Complain mode</code>".<br />
<br />
<code>sudo aa-complain hiawatha</code><br />
<br />
After several days of browsing the website, you may consider switching AppArmor back to "<code>Enforce mode</code>".<br />
<br />
<code>sudo aa-logprof</code><br />
<br />
<code>sudo aa-enforce hiawatha</code><br />
<br />
This is because the <code>usr.sbin.hiawatha</code> profile above may not work 100% for you.<br />
<br />
<u>In order to further harden your Hiawatha web server, please consider the following options :</u><br />
<br />
<b>Optional #1 :</b><br />
<br />
For SSH connection security, you may also consider implementing the <a href="http://www.zeroflux.org/projects/knock">Port Knocking</a> feature.<br />
<br />
<code>sudo apt-get install knockd</code><br />
<br />
<b>Optional #2 :</b><br />
<br />
You may also consider enabling the firewall on your router or on the Hiawatha Web Server with <a href="https://help.ubuntu.com/community/UFW">UFW</a>.<br />
<br />
If ufw does not exist on your server, you can install it :<br />
<br />
<code>sudo apt-get install ufw</code><br />
<br />
<b>Optional #3 :</b><br />
<br />
Consider placing your web server behind the free service at <a href="https://www.cloudflare.com/">Cloudflare</a>. The main point is that you can manage the DNS yourself and have a fixed IP address.<br />
<br />
That's all! See you.