HOWTO : Highest secured Hiawatha Web Server 9.4 on Ubuntu 12.04 LTS Server

Hiawatha is a very secure and fast web server. It supports PHP, Perl, Python and Ruby, and it is also lightweight and easy to configure and set up. How secure? Please refer to the features of Hiawatha.

For performance, please refer to the study by SaltwaterC here. There is also a DoS testing report here.

This tutorial is written for setting up the most secure web server possible. Please also apply the "Optional" steps mentioned below to achieve that.

Prerequisite

Select OpenSSH and Mail Server when installing Ubuntu Server 12.04 LTS.

Bring the freshly installed system up to date.

sudo apt-get update
sudo apt-get dist-upgrade

sudo apt-get --purge autoclean
sudo apt-get --purge autoremove


Select unattended updates for your system. They will push all updates to your system whenever there are some. Or, if you prefer, you can create a cron job later to update your system at a certain time.

If the kernel or kernel modules have been updated, you are required to reboot your system before going further.

Step 1 - Installation of PHP5

sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils php5-fpm

Step 1a - Installation of Percona Server (MySQL Alternative)

Percona Server is used instead of MySQL for performance reasons.

gpg --keyserver hkp://keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A
gpg -a --export CD2EFD2A | sudo apt-key add -

sudo nano /etc/apt/sources.list.d/percona.list

deb http://repo.percona.com/apt precise main
deb-src http://repo.percona.com/apt precise main


sudo apt-get update

sudo apt-get install percona-server-server-5.5 percona-server-client-5.5

Step 2 - Installation of Hiawatha

Install the required dependencies for Hiawatha.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

Download the latest version of CMake at http://www.cmake.org/

wget http://www.cmake.org/files/v2.8/cmake-2.8.12.2.tar.gz
tar -xvzf cmake-2.8.12.2.tar.gz
cd cmake-2.8.12.2
./configure
make
sudo make install


Download the latest version of Hiawatha (the current version at this writing is 9.4).

wget http://www.hiawatha-webserver.org/files/hiawatha-9.4.tar.gz
tar -xzvf hiawatha-9.4.tar.gz

cd hiawatha-9.4/extra


./make_debian_package

cd ..

sudo dpkg -i hiawatha_9.4_amd64.deb

or

sudo dpkg -i hiawatha_9.4_i386.deb

Step 3 - Configure PHP5

The following settings are for making PHP5 more secure.

sudo nano /etc/php5/cgi/php.ini

Make the following changes.

cgi.rfc2616_headers = 1

zlib.output_compression = On
zlib.output_compression_level = 6


Step 3a - Configure PHP5 (Optional for security purpose)

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
session.cookie_httponly = 1
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
cgi.fix_pathinfo = 0

*** According to the author of Hiawatha, cgi.fix_pathinfo should be set to 0 at this moment.

*** On Ubuntu 12.04 LTS, "disable_functions" already contains a list of functions; append the list above to the end of the existing list instead of replacing it.

*** Some PHP applications may require safe_mode = off.
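The following script applies every directive from Steps 3 and 3a to a php.ini and merges the new disable_functions entries into the list Ubuntu already ships. It is an added example, not part of the HOWTO; it assumes an Ubuntu-style php.ini with "key = value" lines (some commented out with a leading ';'), and the sample file it builds at the end is constructed, not the real /etc/php5/cgi/php.ini.

```shell
#!/bin/sh
# Apply the php.ini hardening directives from Steps 3 and 3a and verify them.
# Added example, not from the original HOWTO. Run as root against
# /etc/php5/cgi/php.ini. Variables are global because POSIX sh has no "local".
set -eu

# Escape the dots in a directive name so "cgi.fix_pathinfo" matches literally.
esc_key() { printf '%s' "$1" | sed 's/\./\\./g'; }

# set_ini DIRECTIVE VALUE FILE
# Rewrite every existing (or commented-out) "DIRECTIVE = ..." line, or append
# the directive if php.ini does not mention it at all. VALUE must not contain
# '|' or '&' (sed replacement characters); none of the values below do.
set_ini() {
    key=$1; val=$2; ini=$3; esc=$(esc_key "$key")
    if grep -Eq "^[[:space:]]*;?[[:space:]]*$esc[[:space:]]*=" "$ini"; then
        sed -i -E "s|^[[:space:]]*;?[[:space:]]*$esc[[:space:]]*=.*|$key = $val|" "$ini"
    else
        printf '%s = %s\n' "$key" "$val" >> "$ini"
    fi
}

# get_ini DIRECTIVE FILE
# Print the effective value: the last uncommented assignment wins in PHP.
get_ini() {
    esc=$(esc_key "$1")
    grep -E "^[[:space:]]*$esc[[:space:]]*=" "$2" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# append_list DIRECTIVE "a, b, c" FILE
# Merge items into an existing comma-separated list without duplicates (the
# Step 3a note: Ubuntu 12.04 already ships a disable_functions list, and the
# new functions are appended to it rather than replacing it).
append_list() {
    key=$1; add=$2; ini=$3
    merged=$(get_ini "$key" "$ini")
    old_ifs=$IFS; IFS=','
    for item in $add; do
        item=$(printf '%s' "$item" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case ",$(printf '%s' "$merged" | tr -d ' ')," in
            *",$item,"*) ;;                              # already in the list
            *) merged="${merged:+$merged,}$item" ;;
        esac
    done
    IFS=$old_ifs
    set_ini "$key" "$merged" "$ini"
}

# harden_php_ini FILE: every directive from Steps 3 and 3a in one idempotent pass.
harden_php_ini() {
    ini=$1
    set_ini cgi.rfc2616_headers 1 "$ini"
    set_ini zlib.output_compression On "$ini"
    set_ini zlib.output_compression_level 6 "$ini"
    set_ini display_errors Off "$ini"
    set_ini log_errors On "$ini"
    set_ini allow_url_fopen Off "$ini"
    set_ini safe_mode On "$ini"            # some applications need this Off
    set_ini expose_php Off "$ini"
    set_ini enable_dl Off "$ini"
    set_ini session.cookie_httponly 1 "$ini"
    set_ini cgi.fix_pathinfo 0 "$ini"
    append_list disable_functions \
        "system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd" "$ini"
}

# Demo on a constructed fragment resembling a stock Ubuntu 12.04 php.ini.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[PHP]
expose_php = On
;cgi.fix_pathinfo=1
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid
EOF
    harden_php_ini "$tmp"
    printf 'disable_functions = %s\n' "$(get_ini disable_functions "$tmp")"
    rm -f "$tmp"
}
demo
```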

Step 4 - Configure php-fpm

Append the following to the php-fpm.conf.

sudo nano /etc/php5/fpm/php-fpm.conf

[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
pm = static
pm.max_children = 100
chroot = /var/www/
chdir = /

Step 5 - Configure Hiawatha (Part 1)

sudo nano /etc/hiawatha/hiawatha.conf

The following does not cover https configuration. If you want to configure https, refer to the official Hiawatha manual.



*** If you find the Chrome browser getting banned, you may consider changing the "BanOnFlooding" setting to "90/1:300".

Step 5a :

Add the following line at VIRTUAL HOSTS.

Include /etc/hiawatha/enable-sites/

* Make sure to create the directories enable-sites and disable-sites under /etc/hiawatha.

sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites

Step 6 - Configure Hiawatha (Part 2)

If your domain is mysite.com, create a file named mysite.com and place it at /etc/hiawatha/enable-sites/mysite.com.



*** If you do not implement "Step 7" below, do not add "WrapCGI = Jail_mysite".

Furthermore, if you want to disable this virtual site, move "mysite.com" to /etc/hiawatha/disable-sites/ and then restart the Hiawatha server.

sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/
sudo /etc/init.d/hiawatha restart
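A small helper for the enable-sites/disable-sites layout of Steps 5a and 6, added here as an example and not part of the HOWTO. HIAWATHA_ETC and HIAWATHA_RESTART are hypothetical environment overrides so the script can be exercised against a scratch directory; it rejects anything that is not a plain host-name-like file name, so a caller cannot move files outside the two site directories.

```shell
#!/bin/sh
# Move a virtual host file between enable-sites/ and disable-sites/ and
# restart Hiawatha (Step 6). Added example, not from the original HOWTO.
# HIAWATHA_ETC and HIAWATHA_RESTART are hypothetical overrides for testing.
set -eu

: "${HIAWATHA_ETC:=/etc/hiawatha}"
: "${HIAWATHA_RESTART:=/etc/init.d/hiawatha restart}"

# Accept only names such as "mysite.com": no empty string, no slash, no
# leading dot (rules out ".." ), and no characters outside [A-Za-z0-9._-].
valid_site() {
    case $1 in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# site_move NAME FROM-DIR TO-DIR: refuse to clobber an existing target so an
# accidental double "enable" does not silently overwrite a site definition.
site_move() {
    name=$1; from=$HIAWATHA_ETC/$2; to=$HIAWATHA_ETC/$3
    valid_site "$name" || { echo "invalid site name: $name" >&2; return 2; }
    [ -f "$from/$name" ] || { echo "$from/$name not found" >&2; return 3; }
    [ ! -e "$to/$name" ] || { echo "$to/$name already exists" >&2; return 4; }
    mv "$from/$name" "$to/$name"
    $HIAWATHA_RESTART
}

enable_site()  { site_move "$1" disable-sites enable-sites; }
disable_site() { site_move "$1" enable-sites disable-sites; }

# Usage: ./hiawatha-site enable|disable mysite.com
case ${1:-} in
    enable)  enable_site "$2" ;;
    disable) disable_site "$2" ;;
esac
```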


Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)

sudo nano /etc/hiawatha/cgi-wrapper.conf

CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi


Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data

Step 8 - Configure Apparmor (Optional for security purpose)

Install the following packages :

sudo apt-get install apparmor-profiles apparmor-utils

Execute the following command and then let the web site run for a while, maybe a week or so.

sudo aa-genprof hiawatha

About one week later, or when the web page/site is misbehaving, issue the following command to update the profile. Remember to reload the profile after the command has been issued.

sudo aa-logprof

Or, if you are impatient, you can edit the following file instead.

sudo nano /etc/apparmor.d/usr.sbin.hiawatha

The content of usr.sbin.hiawatha should look like this; if it does not, make it look like this.



Make the profile in enforce mode (activate the above settings).

sudo aa-enforce hiawatha

If you have changed some settings, you should reload the profile.

sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile:

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled:

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)

Now your Hiawatha is very secure, but I would like to make it more secure.

sudo apt-get install libcap2-bin

Remove the setuid bit from cgi-wrapper and grant it only the capabilities it needs.

sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper


The result of getcap :

sudo getcap /usr/sbin/cgi-wrapper

It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep

Step 10 - Configure logwatch (Optional)

Please refer to this link to make LogWatch aware of your Hiawatha web server's log files.

Please make sure to redo this step when logwatch is updated or upgraded, as the upgrade will overwrite the configuration file.

Step 11 - Change the ownership of the log files

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.log


* Leave "php-fcgi.log" and "system.log" untouched (root:root).

Step 11a - Change ownership of all directories and files at the /var/www/mysite

Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.

cd /var/www/mysite
sudo chown -R root:root *


Step 12 - Start, Stop and Restart Hiawatha

sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
sudo /etc/init.d/hiawatha restart


Step 13 - Performance tuning for MySQL or Percona Server (Optional)

You can fine-tune MySQL as per this link.

Step 14 - Secure your Ubuntu Server in a passive way (Optional)

Please refer to this link to secure your server in a passive way.

Step 15 - Setup a FTP server on Ubuntu Server (Optional)

This link shows you how to setup a vsFTPd server.

Step 16 - URL Rewrite rules (Optional)

For the URL rewrite rules for your PHP applications, please refer to this link.

Make sure you add "UseToolkit" in the VirtualHost section.

Step 17 - Send email to GMail via Postfix (Optional)

Please refer to this link

Step 18 - Create normal user for MySQL or MariaDB as well as Percona Server (Optional)

Please refer to this link

Step 19 - Linux Malware Detect (Optional)

Please refer to this link

Remarks :

If you encounter "500 Internal Server Error", consider switching AppArmor to "Complain mode".

sudo aa-complain hiawatha

After several days of browsing the website, consider switching AppArmor back to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha

This is because the usr.sbin.hiawatha profile above may not work 100% for you.

In order to further harden your Hiawatha web server, please consider the following options:

Optional #1 :

For SSH connection security, you may also consider implementing port knocking.

sudo apt-get install knockd

Optional #2 :

You may also consider enabling a firewall on your router or on the Hiawatha web server with UFW.

If ufw is not present on your server, you can install it:

sudo apt-get install ufw

Optional #3 :

Consider using Cloudflare (free or paid version) or similar. However, make sure you do not disclose your server's IP address to the public.

Optional #4 :

If the budget allows, you can consider implementing Untangle and SmoothSec; refer to this link for an example.

That's all! See you.

Throwing Shade on Body Shaming

Nearly two weeks ago on #WCW or Women Crush Wednesday, I received an alert on Instagram. Someone tagged me in the comments section of a photo by up-and-coming songstress Justine Skye. She'd posted a picture of me (similar but not the one above) from the Jungle Gurl campaign I did years ago. I can't tell you word for word what Justine said, but she mentioned that she liked my body and I inspired her to workout. I was flattered. Minutes later when I decided to comment and say thanks for the love, I noticed other people's responses. While there were those comments that encouraged Justine and commended me on my physique, a lot of the other stuff I saw I didn't like. In the same breath that people were telling Justine she should be happy with her shape, they were shaming mine. Once again, this isn't verbatim, but things like She's too skinny - She ain't got no booty - She's not even in shape were in the mix. Talk about rude. Before I could take screenshot or even respond to the criticism, the photo disappeared.

Justine must have deleted it. With thousands of likes and tons of comments, I wondered why she'd gotten rid of the post. Perhaps the pressure on her was too heavy. Or what if she didn't want to deal with the naysayers. Maybe she couldn't take the heat, but I can. Justine Skye is a young, talented vocalist whose star is rising. She's just 18 years old and very impressionable. What others say about her music, her life, and what she likes probably means a lot to her. But just because she deleted the Instagram photo doesn't mean the conversation is over. Hold up, let me put on my boxing gloves. It's about to get ugly.

Round 1 - If you don't have anything good to say, keep your mouth shut. Women are already self-conscious enough about our bodies. Some of us stand in the mirror and stare at our flaws. "If I could only get rid of these stretch marks." "My boobs sag." "My stomach isn't flat." We don't need you adding in your two cents too. What if we all walked around shouting out your shortcomings? Could you handle that? Ladies if you're guilty of this, I'm really disappointed in you. Did your mother not teach you any manners? It's enough that we have to deal with men verbally degrading our bodies, but we shouldn't have to fight our own sisters too.

Round 2 - Justine Skye has every right to admire someone else's body, and it does not mean that she doesn't love her own. There may be parts of her petite frame that she absolutely adores and others she wants to tone up. But that doesn't mean she's going to go under the knife to get her ideal physique. Come on! I may love J Lo's and Beyonce's booties, but who says I'm going to get a Brazilian Butt lift or injections to achieve that. Ok, I realize that some people will go to extremes, but if you notice someone you care about shifting in that direction offer encouragement. Don't knock another chick's body in your attempt to lift your friend up.

Round 3- I am a freaking human being too. Oh so because I'm a model or some person you don't know means it's ok for you to talk trash about my body. Hell no! If you want to ridicule me for my taste in music, my political views, or even the fact that I don't like ketchup, that's fine. But cutting me down because of my body, my hair texture, my race or the freckles on my face is completely unacceptable. Do you think I can help the way I look? Sure I can gain some weight, hit the gym, eat more carbs, get a fancy celebrity trainer, but I'm pretty sure that I'll still look like this. What you see is what I look like naturally. Flaws and all. I woke up like this! What gives you the right to judge me? What title do you hold that says it's ok to try and shame me? I am happy. I am healthy. I love my body. I get the feeling you can't say the same, and that's why you're trying to talk sh*t about mine.

TKO! Don't hate. Jealousy and envy will get you nowhere. You must think that the only way to bring yourself up is by cutting other people down. If that's the case, I doubt you'll ever be satisfied with that person you see in the mirror. Learn to love yourself and accept your body. I know it's not easy, but surrounding yourself with good people and positive images will help. And for heaven's sake, keep your negativity to yourself. What goes around comes around, so say nice things about other women instead.

Sound off: Have you ever thrown shade on another woman's body to make yourself feel better?

Sunday Soul

Ladies, know your worth. Know that you have strength and power. Know that you are a gift to those around you. Accept your beauty. Accept your flaws. Own up to your intelligence. I cannot tell you enough just how important this is. So often we forget just how precious we truly are. We are not objects one can own, but creatures that should be cherished. Sometimes we need to be reminded of this. We play so many roles and we get so busy that we neglect ourselves. We start to lose our way, compromise our needs, and settle instead of demanding what we want. I've been a victim of this myself. Just because I can get by without the best of the best doesn't mean that's acceptable. If we don't hold ourselves to a higher esteem, then how can we expect others to do so?


I came across this wonderful reminder from a beautiful spirit named Natalie Patterson and the folks at Soul Pancake and Darling Magazine. It's called 10 Things Every Female Should Know. You should definitely watch the entire video and every point is fantastic, but here are my top 3:

Learn to take a compliment. Settle into being the center of things.
Stop hiding your tampons. You are a woman. You bleed...
Do not apologize for being yourself. Apologize when you are not.

As we celebrate Women's History Month, know that you are a part of the story. What we are doing now will pave the way for our daughters, our nieces, and honorary kids. Our strength, humility, and gentleness will echo through generations. So it's important for you to remember that you are amazing. You are an extraordinary creature. There is no one exactly like you in the universe. Understand this, accept this, and believe it.

xoxo

Google Play Your Heart Out

The world we live in may seem so big sometimes when it's actually quite small. We have created these close-knit communities that decades ago would have seemed like science fiction. The way that humans relate to one another through media is extraordinary. We share our heartbreaks and heart-filled stories online, and those words and images spread to the farthest edges of our Earth. We are all connected. I didn't realize the full scope of that until recently. A few months ago, I had the honor of working on a commercial for Google Play. I originally thought of it as just a job. I was cast to play a certain role. As any professional would, I did my best to give the client what they wanted. I didn't expect the love and support that would follow. From the moment the commercial started airing, my social networks started buzzing like a hive of bees.

It started on a Sunday right around Christmas. All of a sudden I started getting messages saying "Hey! Saw you in the Google commercial." The response kept coming and coming and so did the love. From the Golden Globes to the Grammys and even at the end of the Super Bowl, that Google Play spot is everywhere. Random people would come up to me while I was out shopping or grabbing coffee and say they saw my commercial. Some of you said you saw it at a movie theater before the previews and jumped up screaming "That's Nikia!" like you really know me. Even if you don't know me personally, you can relate to the commercial. When I score big in Candy Crush... you've had that moment. Yes!

This is just one part of the grand scheme. You can catch the shorter version 'Crush Your Heart Out' featuring me here. To the great minds at Google and the whole team behind this commercial; your imaginations are just amazing. I'm very thankful that you allowed me to take part in this project. This campaign has united us through our hearts and stories. I'm glad I could be a part of such an experience. It really gives me so much joy to know that I helped you feel something. Thanks for allowing me to invade your homes, your big screens, and your small screens with my face. It's meant the world to me. Keep spreading the love, because 'More than anything, the heart just wants to feel'.

Model Bites: HomeState

I wish I were in Austin right now for South by Southwest, but I'm not. Last year when I was there I overindulged in brisket, beer, and even more brisket. How could I not? It all looked so good. I probably came back from the great state of Texas 10 pounds heavier... pleasantly plump from the barbecue and tacos. Since I'm thousands of miles away, I'll just have to settle for the next best thing. It's a little spot called HomeState, and boy it sure is tasty. Breakfast tacos, Migas, and Frito Pie... oh my lawd have mercy!


HomeState is a cute breakfast and lunch place on the border of Los Feliz and Silverlake, and it's really popular. If you attempt to go on a weekend, be prepared for a line out the door. Don't worry though, it moves fast. If you're not a regular 9 to fiver, I suggest swinging by during the week. Dining solo? Grab a seat at the counter and make friends with strangers and the awesome staff. They'll give you a heads up on what you should be ordering. There's lots of yummy TexMex things on the menu, but do yourself a favor and start with chips and queso or chips and salsa for obvious reasons. Why stop there? Order the loaded queso and chips with chili con carne, guacamole, pico de gallo and sour cream. Perfect for sharing or shoving all in your own mouth.


All the food sounded so good on the menu that I was having a tough time making a decision. I wanted one of everything. I finally decided to order one breakfast taco and one regular brisket taco. I really wanted migas, which are crunchy corn strips scrambled with eggs, cheddar, onions and whatever else you can think of, but I'll save that for next time. No shortage of drinks on the menu, except libations. No one needs to start drinking so early in the day anyway, unless you're in Texas at SXSW. You can get Austin's Finest Cuvee Coffee and seasonal agua fresca. There's also a selection of Mexican sodas to gulp down while you're stuffing your face.


I was super hungry, so I scarfed down the breakfast taco before I could snap suitable pictures. I got the Trinity - eggs, bacon, and potatoes with cheddar. And let me tell you, that brisket taco was the bee's knees. It tasted like your cousin Billy Joe had spent hours in the smokehouse cooking it just right and he teleported it straight to your plate from Austin. Yeah, it was that good. The guy sitting next to me ordered the Frito Pie and it looked a little too messy for me to eat. He said it was really delicious though. I didn't save room for dessert, but you can order 'Bunuelos in a Bag' to take home for later.

So if you're nowhere near Texas and you're roaming around LA looking for good eats, stop on by HomeState. It really hits the spot.

xoxo

My Style: Graphic Jungle


If you're tired of seeing me in stripes, raise your hand. Ok, I see a few. Well, I'm sorry. Stripes happen. I can walk into any store, and I'm immediately drawn to those white and black bars. Stripes have me brainwashed, but I'm not complaining. It's not like I'm trying to force you to like them just because I love them. It's not a conspiracy. I just have a problem. But this outfit is a new one for me. Never before have I worn stripes together. It's unheard of. What about stripes with dots? Yeah, I went there. It's bold. It's graphic. It's a jungle out there in these streets.



I was inspired by an outfit I saw Jennifer Lopez rocking on American Idol. I couldn't believe she was wearing stripes of different sizes all in the same dress. Perfection. It hugged her body in all the right places and the patterns didn't seem to compete with each other at all. I thought "Hey! If J-Lo can do it, then so can I." Ok, I may be a bit delusional because I don't have a booty like hers or star power like that either. But I've got something, dang it!


The Look
Shirt: Zara (similar)
Skirt: BDG
Heels: Zara (similar)
Sunglasses: Peter Pilotto for Target
Clutch: Merona
Earrings: Target
Ring & Necklace: LZZR Jewelry


The outfit is already banging, but the accessories are like the sprinkles on top of the icing on the cake. Yes I kept the heels basic and black, but they have a sort of suede texture that gives them extra za-zing. The copper necklace and bronze rectangular ring are from the latest collection by LZZR Jewelry. Heavy metal never looked so chic. The shades I scored on sale from the Peter Pilotto for Target collection. Solid-colored sunglasses are such a bore. The polka dot clutch is also pretty sweet and adds some color so that I don't look like a really long barcode.


Super industrial buildings, street art, and one delicious dirty chai latte made this outfit come to life. Shot in and around the Daily Dose Cafe in downtown LA. Awesome pics by Taryn with the assistance of Alex for 6twenty7 photography.

If someone tries to say that wearing different stripes together is a fashion faux pas, just show them this. I may look like a zebra plus a cheetah with a little bluebird in her hand, but I'm one hot Phoenix. Better recognize.

For Little Girls Who Have Considered Giving Up

When it seems like the odds are never in your favor. Or when you don't see enough positive images of people like you, you want to give up. Throw in the towel. Call it quits. I get it. You have these big dreams of being somebody and making a difference, but others around tell you to be more realistic. How could someone like you looking like you do and being from where you are ever amount to anything? It's a mixture of ghetto and small town mentality. Because of your socio-economic and racial make-up, you aren't going to be anything more than what you see around you. That's as good as it gets and there's nothing wrong with that. Well, the devil is a lie. Need proof? Look no further than Oscar winner Lupita Nyong'o.

Her meteoric rise has been something legends are made of. After Lupita's loss at the Golden Globes, I had a gut feeling that this defeat wouldn't stop her. She's landed a Miu Miu campaign, graced the cover of tons of magazines, and become a celebrated fashion icon. This Kenyan beauty has racked up numerous accolades including Best Supporting Actress at the Screen Actors Guild Awards and the Independent Spirit Awards. Her speech at the Essence Black Women in Hollywood Luncheon was breathtaking, giving honor to all those black actresses who paved the way for her. Then her huge moment of triumph came last Sunday night at the Academy Awards when Lupita took home an Oscar for her work in '12 Years a Slave'. Her acceptance speech was powerful and tearjerking.


Lupita, along with countless other women of color, is making a way for you, for all of us. Casting directors and magazine editors are using her beauty as an example of what they want for upcoming roles and editorials. In the years to come there will be more gorgeous and uplifting images of women like us out there for little girls to see. And no one will be able to tell you that you can't make it because you're too this, too that, or not enough of whatever. Forget the stereotypes and be the prototype for success. Thanks for the inspiration, Lupita.

Carol's Daughter + Target

Guess what's coming to you live and direct from Target. (That's pronounced tar-jay for those who don't know.) It's Carol's Daughter! I knew Mama Lisa Price had something cooking in her kitchen, but I had no idea it would be this. Starting this month you can get some of your favorite CD products at your local Target store. You know how I found out? A friend of mine posted this pic of the ad from the April edition of Essence Magazine. I was floored. I also saw a similar one for the March subscription of Curlbox and I knew something was brewing. After the jump, check out Lisa's message about the launch.

I went to my closest Target to grab some Hair Milk, and lo and behold it was already sold out! Curly girls must have flocked to the store as soon as they heard the news. Make sure you check online to see if your Target has Carol's Daughter in stock before you make the trip. I'm so happy for my CD family. We're really moving on up!

#PERFECTPERFECTED

P.S. I still have some behind the scenes photos from my Carol's Daughter shoot that I'll share with you very soon.