HOWTO : Highest secured Hiawatha Web Server (6.17.1) on Ubuntu 9.04 Server

What is Hiawatha?



Hiawatha is a web server that has been developed by Hugo Leisink since 2002.  Hiawatha is not as well known as Apache; however, it has some unique features that Apache lacks.  Apache needs extra modules for security purposes, such as modsecurity and mod_rewrite; in Hiawatha these are built in.  She can ban bad traffic and bad activities on your web server.  Her footprint is also small, only 130kb, surprise?!  She is the default web server for Austrumi and Puppy Linux.

Although the user manual at her official site is not detailed enough (at the time of this writing), she is quite easy to configure and runs fine on a production server.  There may be a bug in cgi-wrapper in Hiawatha 6.17.1, and it requires a modification of the source code to solve the problem.

Hiawatha runs MySQL and PHP great in CGI mode.  It can run in a Windows environment too (not yet tried).  This tutorial is going to show you how to configure Hiawatha to work with MySQL and PHP.



Installation of Linux, Hiawatha, MySQL and PHP - LHMP



Step 0 - Install Ubuntu 9.04



Install Ubuntu 9.04 Server and OpenSSH.  If your web application requires email functions, you should also install a mail server.

Make sure you have performed the following commands at the terminal (or console).



sudo apt-get update

sudo apt-get upgrade

sudo apt-get dist-upgrade




If the kernel or kernel modules have been updated, you should reboot your computer/server.



Step 1 - Install PHP5 and MySQL



sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl



*Note : some modules will not be required, such as php5-sqlite and php5-snmp.  If your web application requires them, make sure to install them.



Step 2 - Install Hiawatha



Download the current Hiawatha, 6.17.1 at this time of writing.



sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.17.1.tar.gz

tar -xzvf hiawatha-6.17.1.tar.gz

cd hiawatha-6.17.1




Install the required dependencies.



sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev



Fix the bug in Hiawatha's cgi-wrapper.

sudo nano cgi-wrapper.c

At line 103, just below rest = uncomment(line); add the following lines, so that a line which is empty once its comment has been stripped is skipped instead of being parsed :

if (*rest == '\0') {
   continue;
}




At the hiawatha-6.17.1 directory, build the Hiawatha deb package.



./configure

make deb




The deb package will be created at your home directory, such as /home/samiux.  You can install it now.



cd ..



For 64-bit system :

sudo dpkg -i hiawatha_6.17.1_amd64.deb



For 32-bit system :

sudo dpkg -i hiawatha_6.17.1_i386.deb



Step 3 - Configure PHP5



Edit the php.ini.



sudo nano /etc/php5/cgi/php.ini



Make the following changes.



display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd




*Note : some PHP applications may require safe_mode = Off.
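
Because these php.ini values are easy to get wrong on one server out of several, here is an added example (my own code, not from this post or from the PHP project) that parses a php.ini excerpt and reports every directive that does not match the hardened values above, including any function missing from disable_functions.  The two excerpts it is run on are constructed; the first deliberately leaves two weak settings in place.

```python
# Added example, not from the post or the PHP project: audit a php.ini excerpt
# against the hardened values given in Step 3 of this HOWTO.

HARDENED = {
    'display_errors': 'Off',
    'log_errors': 'On',
    'allow_url_fopen': 'Off',
    'safe_mode': 'On',
    'expose_php': 'Off',
    'enable_dl': 'Off',
}
REQUIRED_DISABLED = {
    'system', 'show_source', 'symlink', 'exec', 'dl', 'shell_exec',
    'passthru', 'phpinfo', 'escapeshellarg', 'escapeshellcmd',
}


def parse_php_ini(text: str) -> dict:
    """Return {directive: value}; ';' starts a comment and [section] headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('[') or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        settings[key.lower()] = value.strip('"')
    return settings


def audit_php_ini(text: str) -> dict:
    """Return {directive: problem} for each directive not at its hardened value."""
    settings = parse_php_ini(text)
    findings = {}
    for directive, expected in HARDENED.items():
        actual = settings.get(directive)
        if actual is None:
            findings[directive] = f'not set (expected {expected})'
        elif actual.lower() != expected.lower():
            findings[directive] = f'{actual} (expected {expected})'
    # disable_functions is a comma-separated list; report what is still callable
    disabled = {name.strip() for name in settings.get('disable_functions', '').split(',')}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings['disable_functions'] = 'missing: ' + ', '.join(missing)
    return findings


# Constructed php.ini excerpt: display_errors left On, expose_php not set,
# and phpinfo missing from disable_functions.
WEAK_INI = """\
; constructed sample
[PHP]
display_errors = On
log_errors = On
allow_url_fopen = Off
safe_mode = On
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, escapeshellarg, escapeshellcmd
"""

# Constructed php.ini excerpt with every value as in Step 3.
HARDENED_INI = """\
[PHP]
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = "system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd"
"""

if __name__ == '__main__':
    for directive, problem in sorted(audit_php_ini(WEAK_INI).items()):
        print(f'{directive}: {problem}')
    print('hardened excerpt findings:', audit_php_ini(HARDENED_INI))
```

Run it against /etc/php5/cgi/php.ini by reading the file into audit_php_ini(); an empty result means every directive in the list above is at its hardened value.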



Edit Hiawatha's php-fcgi.conf.



sudo nano /etc/hiawatha/php-fcgi.conf



Uncomment the following line.

Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data



Activate php-fcgi.



sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf



If you make any change to php-fcgi.conf, make sure to restart it with the following commands.



sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf




Step 4 - Configure Hiawatha



Edit the file hiawatha.conf.



sudo nano /etc/hiawatha/hiawatha.conf



Uncomment ServerId under GENERAL SETTINGS.

ServerId = www-data

Add the following lines under GENERAL SETTINGS.  LogFormat = extended gives an Apache-compatible log file format.

LogFormat = extended
CGIwrapper = /usr/sbin/cgi-wrapper




Uncomment the following entries under BINDING SETTINGS.

Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}




Uncomment all the entries under BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24

*Note : Adjust BanlistMask to match your network.
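
As an added example (my own code, not part of Hiawatha), here is a small model of what BanOnFlooding = 10/1:15 together with BanlistMask = allow 192.168.0.0/24 does, as I read the Hiawatha manual: a client that sends more than 10 requests within 1 second is banned for 15 seconds, and clients inside the allowed mask are never banned.  It replays constructed access-log lines in the extended (Apache-style) format and returns a verdict for every request, which is also a quick way to check an existing access.log for clients that would trip the setting once it is enabled.

```python
# Added example, not Hiawatha's own code: a model of BanOnFlooding = 10/1:15
# and BanlistMask = allow 192.168.0.0/24, replayed over constructed log lines.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

ALLOW_MASKS = [ipaddress.ip_network('192.168.0.0/24')]   # BanlistMask = allow ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')      # client IP and timestamp


class FloodBanner:
    """Per-client request counter for BanOnFlooding = <max>/<window>:<ban time>."""

    def __init__(self, max_requests=10, window=1.0, ban_time=15.0, allow=ALLOW_MASKS):
        self.max_requests = max_requests
        self.window = window
        self.ban_time = ban_time
        self.allow = allow
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned_until = {}             # ip -> time at which the ban expires

    def request(self, ip, now):
        """Classify one request: 'ok', 'banned' (ban starts now) or 'rejected' (already banned)."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.allow):
            return 'ok'                    # allow-listed clients are never banned
        if now < self.banned_until.get(ip, 0):
            return 'rejected'
        q = self.recent[ip]
        q.append(now)
        while now - q[0] > self.window:    # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > self.max_requests:
            self.banned_until[ip] = now + self.ban_time
            q.clear()
            return 'banned'
        return 'ok'


def replay_flood(log_lines, banner=None):
    """Feed extended-format log lines through the banner; return verdicts per client IP."""
    banner = banner or FloodBanner()
    verdicts = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ip, stamp = m.groups()
        now = datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z').timestamp()
        verdicts[ip].append(banner.request(ip, now))
    return dict(verdicts)


def _log_line(ip, second):
    """Constructed extended-format access log line at 10:00:<second> on 1 Oct 2009."""
    return f'{ip} - - [01/Oct/2009:10:00:{second:02d} +0000] "GET /index.php HTTP/1.1" 200 512'


# Constructed log: one flooding client, one allow-listed burst, one normal client.
SAMPLE_LOG = (
    [_log_line('198.51.100.7', 1)] * 12                       # 12 hits in one second
    + [_log_line('198.51.100.7', 10), _log_line('198.51.100.7', 20)]
    + [_log_line('192.168.0.5', 1)] * 15                      # same burst, but allow-listed
    + [_log_line('192.0.2.10', s) for s in (2, 3, 4)]         # normal client
)

if __name__ == '__main__':
    for ip, verdicts in replay_flood(SAMPLE_LOG).items():
        print(ip, ' '.join(verdicts))
```

The flooding client gets its first ten requests through, is banned on the eleventh, is rejected while the 15-second ban lasts, and is served again afterwards; the allow-listed client is never touched.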



Uncomment the php5-cgi and CGIextension lines.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi




Uncomment all the entries of FastCGIserver and set ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}




Optional - Create the following lines under URL TOOLKIT.



UrlToolkit {
   ToolkitID = CMS_common
   RequestURI isfile Return
   RequestURI exists Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}




*Note : UrlToolkit is similar to Apache's mod_rewrite.
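
The following added example (my own code, not Hiawatha's) is a small interpreter for the CMS_common rules above, so you can see where each request ends up before the toolkit goes live.  It assumes the Hiawatha semantics as I understand them: isfile and exists test the path without its query string against WebsiteRoot, Return stops processing with the URL unchanged, and Rewrite replaces the URL with $1 substituted from the regex and then stops.  The files and directories it checks against are a constructed stand-in for the real WebsiteRoot.

```python
# Added example, not Hiawatha's own code: a small interpreter for the
# CMS_common UrlToolkit rules, to check the routing before deployment.
import re

# Constructed stand-in for what exists under WebsiteRoot.
EXISTING_FILES = {'/index.php', '/robots.txt', '/css/style.css'}
EXISTING_DIRS = {'/', '/css', '/images'}

# The rules from the UrlToolkit block above, one per line.
TOOLKIT_CMS_COMMON = r"""
RequestURI isfile Return
RequestURI exists Return
Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
"""


def run_toolkit(rules_text, request_uri, files=EXISTING_FILES, dirs=EXISTING_DIRS):
    """Apply the rules top to bottom; return the URL Hiawatha would go on to serve.

    Assumed semantics: isfile/exists test the path without the query string,
    Return stops with the URL unchanged, Rewrite substitutes $1..$9 and stops.
    """
    path = request_uri.split('?', 1)[0]
    for line in rules_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == 'RequestURI':
            test, action = tokens[1], tokens[2]
            hit = path in files if test == 'isfile' else (path in files or path in dirs)
            if hit and action == 'Return':
                return request_uri
        elif tokens[0] == 'Match':
            regex, action = tokens[1], tokens[2]
            m = re.match(regex, request_uri)
            if m is None:
                continue
            if action == 'Return':
                return request_uri
            if action == 'Rewrite':
                target = tokens[3]
                # replace $1..$9 in the target with the captured groups
                return re.sub(r'\$(\d)', lambda g: m.group(int(g.group(1))), target)
    return request_uri                     # no rule matched: URL unchanged


if __name__ == '__main__':
    for uri in ('/css/style.css', '/images', '/sitemap.xml', '/blog/post?id=7', '/about'):
        print(f'{uri:20} -> {run_toolkit(TOOLKIT_CMS_COMMON, uri)}')
```

Note the effect of the third rule: a request for a sitemap.xml that does not exist is returned as-is (and so gets a 404) rather than being rewritten to index.php, which keeps crawlers from hammering the CMS for files it does not serve.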



Create a VirtualHost for your site.



VirtualHost {
   Hostname = samiux.blogspot.com
   #Alias = /php_my_admin:/usr/share/phpmyadmin
   WebsiteRoot = /var/www/blog
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/blog/access.log
   ErrorLogfile = /var/log/hiawatha/blog/error.log
   TimeForCGI = 5
   #UseFastCGI = PHP5
   UseToolkit = CMS_common
   ExecuteCGI = yes
   PreventCMDi = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   WrapCGI = jail
}




Configure cgi-wrapper.conf.

sudo nano /etc/hiawatha/cgi-wrapper.conf

Make the following changes to the file.

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
#CGIhandler = /usr/bin/python
#CGIhandler = /usr/bin/ruby
#CGIhandler = /usr/bin/ssi-cgi

Wrap = jail ; /var/www ; www-data:www-data

*Note : Some CMSes will not work well with PreventCMDi = yes.  The DenyBot entries are optional : if you do not want spiders and bots to crawl your site, enable them.  Those entries are examples only.  UseToolkit is also optional.
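
As an added example (my own code, not from Hiawatha), here is a parser for the key/value format of cgi-wrapper.conf that applies the same rule as the cgi-wrapper.c fix in Step 2: once a line's comment has been stripped, an empty line is skipped instead of being handed to the key/value splitter.  With the skip turned off it fails on the commented-out CGIhandler line and on the blank line, which are exactly the lines that fix is concerned with.  The config text it reads is constructed from the settings in this post, and the meaning of the three Wrap fields is my reading of them.

```python
# Added example, not Hiawatha's own code: a parser for the cgi-wrapper.conf
# format that skips comment-only and blank lines the way the Step 2 fix does.
from collections import defaultdict


def uncomment(line: str) -> str:
    """Drop everything from the first '#' onwards and trim whitespace."""
    hash_pos = line.find('#')
    if hash_pos != -1:
        line = line[:hash_pos]
    return line.strip()


def split_configline(rest: str):
    """Split 'Key = value' into (key, value); a line without '=' is malformed."""
    if '=' not in rest:
        raise ValueError(f'malformed config line: {rest!r}')
    key, value = rest.split('=', 1)
    return key.strip(), value.strip()


def parse_cgi_wrapper_conf(text: str, skip_empty: bool = True) -> dict:
    """Return {'CGIhandler': [...], 'Wrap': [(id, directory, 'user:group'), ...]}.

    skip_empty=True applies the Step 2 fix; False shows what happens without it.
    """
    conf = defaultdict(list)
    for line in text.splitlines():
        rest = uncomment(line)
        if skip_empty and rest == '':
            continue                       # blank or comment-only line: nothing to parse
        key, value = split_configline(rest)
        if key == 'Wrap':
            # Wrap = <id> ; <directory> ; <user>:<group>  (field meaning as I read it)
            conf[key].append(tuple(part.strip() for part in value.split(';')))
        else:
            conf[key].append(value)
    return dict(conf)


def parses_without_fix(text: str) -> bool:
    """True if the text parses even when empty lines are not skipped."""
    try:
        parse_cgi_wrapper_conf(text, skip_empty=False)
        return True
    except ValueError:
        return False


# Constructed cgi-wrapper.conf based on the settings in this post.
SAMPLE_CONF = """\
# cgi-wrapper.conf (constructed sample)
CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
#CGIhandler = /usr/bin/python

Wrap = jail ; /var/www ; www-data:www-data   # jail used by the blog VirtualHost
"""

if __name__ == '__main__':
    print(parse_cgi_wrapper_conf(SAMPLE_CONF))
    print('parses without the fix:', parses_without_fix(SAMPLE_CONF))
```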



Make sure /var/log/hiawatha/blog (example) exists and is owned by www-data.

If the ownership is wrong, fix it :

sudo chown -R www-data:www-data /var/log/hiawatha/blog



Restart Hiawatha.

sudo /etc/init.d/hiawatha restart



Now, make sure access.log and error.log are owned by www-data.  If not, fix them :



sudo chown www-data:www-data /var/log/hiawatha/blog/*



Step 5 - Configure AppArmor (to make Hiawatha safer)



Create Apparmor profile for Hiawatha.

sudo aa-genprof hiawatha



Edit the profile usr.sbin.hiawatha.

sudo nano /etc/apparmor.d/usr.sbin.hiawatha



Make the entries look like this.

# Last Modified: Thu Oct 1 10:00:57 2009
#include

/usr/sbin/hiawatha {
#include

   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,

   network inet tcp,

   /bin/dash rix,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /etc/php5/cgi/php.ini r,
   /etc/php5/conf.d/ r,
   /etc/php5/conf.d/**.ini r,
   /etc/phpmyadmin/** r,
   /etc/postfix/**.cf r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /usr/bin/php5-cgi rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/hiawatha mr,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/dbconfig-common/** r,
   /usr/share/file/magic.mime r,
   /usr/share/mysql/charsets/Index.xml r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /usr/share/zoneinfo/ r,
   owner /var/lib/** rwk,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/* r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid rw,
   owner /var/spool/postfix/maildrop/** rw,
   /var/spool/postfix/public/pickup w,
   /var/www/ r,
   /var/www/** rw,
}




* This assumes you are using Postfix.



Put the profile in enforce mode (active).

sudo aa-enforce hiawatha



If you change any settings, reload the profile.

sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha



To disable this profile :

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/

sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha




To re-enable this profile after it has been disabled :

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha

sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha




Step 6 - Improve the security of CGI-Wrapper



Now your Hiawatha is already very secure, but I would like to make it more secure still.



sudo apt-get install libcap2-bin



Remove the setuid bit from cgi-wrapper and grant it only the capabilities it needs.

sudo chmod u-s /usr/sbin/cgi-wrapper

sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper




The result of getcap :



sudo getcap /usr/sbin/cgi-wrapper



It will display :

/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep



Reference :

Hiawatha Manual

Hiawatha Features

AppArmor



Known Issue

Alias does not work with this configuration so far.



That's all.  See you!