This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.
Prerequisite
Select
OpenSSH and Mail Server when installing Ubuntu Server 10.04 LTS.Update the fresh install system to the latest status.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgradeIf the kernel or kernel modules have been updated, you are required to reboot your system before going further.
Step 1 - Installation of PHP5 and MySQL
sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpegStep 2 - Installation of Hiawatha
Install required dependenices for Hiawatha.
sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-devDownload the latest version of Hiawatha (the current version at this writing is 7.3).
sudo wget http://www.hiawatha-webserver.org/files/hiawatha-7.3.tar.gz
tar -xzvf hiawatha-7.3.tar.gz
cd hiawatha-7.3./configure
make debcd ..sudo dpkg -i hiawatha_7.3_amd64.debor
sudo dpkg -i hiawatha_7.3_i386.debStep 3 - Configure PHP5 (Optional for security only)
The following settings are for making PHP5 more secure.
sudo nano /etc/php5/cgi/php.iniMake changes as is.
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd*some PHP applications may require
safe_mode = offStep 4 - Configure php-fcgi (PHP's FastCGI)
sudo nano /etc/hiawatha/php-fcgi.confUncomment the following line and change it as is.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data ; /etc/php5/cgi/php.inisudo php-fcgi -c /etc/hiawatha/php-fcgi.confIf you make any change on
php-fcgi.conf, make sure to restart it by the following commands.sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.confStep 5 - Configure Hiawatha (Part 1)
sudo nano /etc/hiawatha/hiawatha.confUncomment
ServerId at GENERAL SETTINGS.ServerId = www-dataUncomment the following entries at
BINDING SETTINGS.Binding {
Port = 80
# Interface = 127.0.0.1
MaxKeepAlive = 30
TimeForRequest = 3,20
}Step 5a (Optional for security purpose) :
Add the following line at the
GENERAL SETTINGS. ConnectionsTotal = 1000
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.logLogFormat = extended
ExploitLogfile = /var/log/hiawatha/exploit.log
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapperMake changes for the following entries at
BANNING SETTINGS. BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yesBanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 10/1:15
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1KickOnBan = yes
ReconnectDelay = 3Step 5b :
The entries at
COMMON GATEWAY INTERFACE (CGI) SETTINGS should be looking like this.CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgiFastCGIserver {
FastCGIid = PHP5
ConnectTo = 127.0.0.1:2005
Extension = php, php5
SessionTimeout = 30
}Step 5c :
Add the following line at
VIRTUAL HOSTS.Include /etc/hiawatha/enable-sites/*Make sure the make a directory
enable-sites under /etc/hiawatha.sudo mkdir /etc/hiawatha/enable-sitesStep 6 - Configure Hiawatha (Part 2)
If your domain is mysite.com, you are required to create a file namely
mysite.com and place it under /etc/hiawatha/enable-sites/mysite.com.VirtualHost {
Hostname = www.mysite.com, mysite.com
WebsiteRoot = /var/www/mysite
StartFile = index.php
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
TimeForCGI = 15
# UseFastCGI = PHP5
# UseToolkit = banshee
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
ExecuteCGI = yes
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
DenyBot = Googlebot:/
DenyBot = twiceler:/
DenyBot = MSNBot:/
DenyBot = yahoo:/
DenyBot = BaiDuSpider:/
DenyBot = Ask:/
DenyBot = Yahoo! Slurp:/
DenyBot = Sogou web spider:/
DenyBot = Sogou-Test-Spider:/
DenyBot = Baiduspider+:/
DenyBot = Yandex:/
DenyBot = UniversalFeedParser:/
DenyBot = Mediapartners-Google:/
DenyBot = Sosospider+:/
DenyBot = YoudaoBot:/
DenyBot = ParchBot:/
DenyBot = Curl:/
DenyBot = msnbot:/
DenyBot = NaverBot:/
DenyBot = taptubot:/
WrapCGI = jail_mysite
}Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)
sudo nano /etc/hiawatha/cgi-wrapper.confCGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgiWrap = jail_mysite ; /var/www/mysite ; www-data:www-dataStep 8 - Configure Apparmor (Optional for security purpose)
Execute the following command and then let the web site running for a while, maybe a week or so.
sudo aa-genprof hiawathaAbout one week later or the web page/site is misbehaving, issue the following command to update the profile. Remember to reload the profile after the command has been issued.
sudo aa-logprofOr, if you are impatient, you can edit the following file instead.
sudo nano /etc/apparmor.d/usr.sbin.hiawathaThe content of
usr.sbin.hiawatha should look like this or make it look like this.# Last Modified: Thu Jun 3 01:52:13 2010
#include /usr/sbin/hiawatha {
#include
#include
#include
#include capability chown,
capability dac_override,
capability fowner,
capability fsetid,
capability setgid,
capability setuid, /bin/dash rix,
owner /etc/hiawatha/ r,
owner /etc/hiawatha/** r,
/etc/host.conf r,
/etc/hosts r,
/etc/mailname r,
/etc/nsswitch.conf r,
owner /etc/passwd r,
/etc/php5/ r,
/etc/php5/** r,
/etc/postfix/** r,
/etc/protocols r,
/etc/resolv.conf r,
/etc/services r,
/sys/devices/system/cpu/ r,
/usr/bin/php5-cgi rix,
/usr/lib/postfix/cleanup rix,
/usr/lib{,32,64}/** mr,
/usr/sbin/cgi-wrapper rix,
/usr/sbin/postdrop rix,
/usr/sbin/sendmail rix,
/usr/share/ r,
/usr/share/** r,
/var/www/ r,
/var/www/** r,
/var/www/logfiles/ r,
/var/www/logfiles/** rw,
/var/lib/ r,
/var/lib/** rw,
/var/lib/hiawatha/** rw,
owner /var/log/hiawatha/** w,
/var/log/hiawatha/** r,
owner /var/run/ r,
owner /var/run/** rw,
/var/spool/postfix/** rw,
/var/spool/postfix/pid/** wk,
/var/www/hiawatha/ r,
}Make the profile in enforce mode (activate the above settings).
sudo aa-enforce hiawathaIf you have change some settings, you should reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawathaIf you want to disable this profile.
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawathaIf you want to re-enable this profile after it has been disabled.
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawathaStep 9 - Enhance the security of cgi-wrapper (Optional for security purpose)
Now, your hiawatha is very secure but I would like to make it more secure.
sudo apt-get install libcap2-binApply Capabilities on cgi-wrapper.
sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapperThe result of getcap :
sudo getcap /usr/sbin/cgi-wrapperIt will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+epStep 10 - Configure logwatch (Optional)
HOWTO : Logwatch for Hiawatha on Ubuntu
Step 11 - Start, Stop and Restart Hiawatha
sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
suod /etc/init.d/hiawatha restartThat's all! See you.
No comments:
Post a Comment