For the performance, please refer to the study of SaltwaterC at here.
This tutorial is writing for setting up the highest secured web server. Please also to apply the "Optional" steps mentioned below for making the highest secured web server.
Prerequisite
Select
OpenSSH and Mail Server when installing Ubuntu Server 12.04 LTS.Update the fresh install system to the latest status.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgradeSelect unattendance update to your system. It will push all the updates to your system when there is some. Or, you can create a cron job later to update your system in a certain of time if you prefer.
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.
Step 1 - Installation of PHP5 and MySQL
sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd kspliceStep 2 - Installation of Hiawatha
Install required dependenices for Hiawatha.
sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-devDownload the latest version of CMake at http://www.cmake.org/
wget http://www.cmake.org/files/v2.8/cmake-2.8.7.tar.gz
tar -xvzf cmake-2.8.7.tar.gz
cd cmake-2.8.7
./configure
sudo make installDownload the latest version of Hiawatha (the current version at this writing is 8.0).
wget http://www.hiawatha-webserver.org/files/hiawatha-8.1.tar.gz
tar -xzvf hiawatha-8.1.tar.gz
cd hiawatha-8.1/extra./make_debian_packagecd ..sudo dpkg -i hiawatha_8.1_amd64.debor
sudo dpkg -i hiawatha_8.1_i386.debStep 3 - Configure PHP5
The following settings are for making PHP5 more secure.
sudo nano /etc/php5/cgi/php.iniMake changes as is.
cgi.rfc2616_headers = 1
zlib.output_compression = On
zlib.output_compression_level = 6Step 3a - Configure PHP5 (Optional for security purpose)
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
cgi.fix_pathinfo = 0
*** According to the author of Hiawatha, the cgi.fix_pathinfo should be set to 0 at this moment.
*** There will be something at the end of "disable_functions" at Ubuntu 12.04 LTS, you just append the captioned list to the end of the previous list.
*** some PHP applications may require
safe_mode = offStep 4 - Configure php-fcgi (PHP's FastCGI)
sudo nano /etc/hiawatha/php-fcgi.confUncomment the following line and change it as is.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data ; /etc/php5/cgi/php.inisudo php-fcgi -c /etc/hiawatha/php-fcgi.confIf you make any change on
php-fcgi.conf, make sure to restart it by the following commands.sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.confStep 5 - Configure Hiawatha (Part 1)
sudo nano /etc/hiawatha/hiawatha.confUncomment
ServerId at GENERAL SETTINGS.ServerId = www-dataUncomment the following entries at
BINDING SETTINGS.Binding {
Port = 80
# Interface = 127.0.0.1
MaxKeepAlive = 30
TimeForRequest = 3,20
}Step 5a (Optional for security purpose) :
Add the following line at the
GENERAL SETTINGS. ConnectionsTotal = 1000
ConnectionsPerIP = 30
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.logLogFormat = extended
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapperMake changes for the following entries at
BANNING SETTINGS. BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yesBanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 30/1:300
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1
BanOnInvalidURL = 300ReconnectDelay = 3Step 5b :
The entries at
COMMON GATEWAY INTERFACE (CGI) SETTINGS should be looking like this.CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgiFastCGIserver {
FastCGIid = PHP5
ConnectTo = 127.0.0.1:2005
Extension = php, php5
SessionTimeout = 30
}Step 5c :
Add the following line at
VIRTUAL HOSTS.Include /etc/hiawatha/enable-sites/*Make sure the make a directory
enable-sites and disable-sites under /etc/hiawatha.sudo mkdir /etc/hiawatha/enable-sitessudo mkdir /etc/hiawatha/disable-sitesStep 6 - Configure Hiawatha (Part 2)
If your domain is mysite.com, you are required to create a file namely
mysite.com and place it under /etc/hiawatha/enable-sites/mysite.com.VirtualHost {
Hostname = www.mysite.com, mysite.com
WebsiteRoot = /var/www/mysite
StartFile = index.php
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
TimeForCGI = 15
# UseFastCGI = PHP5
# UseToolkit = banshee
#
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$
DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$
DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$
DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$
DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$
#
# e.g.
Please make sure to re-do this step when the logwatch is updated or upgraded as it will overwrite the configure file.
Step 11 - Change the ownership of the log files
cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.log
* "php-fcgi.log" and "system.log" leave them untouched (root:root).
Step 11a - Change ownership of all directories and files at the /var/www/mysite
Put the web application files to /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.
cd /var/www/mysite
sudo chown -R root:root *
Step 12 - Start, Stop and Restart Hiawatha
sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
suod /etc/init.d/hiawatha restart
Step 13 - Performance tuning for MySQL (Optional)
You can fine tune the MySQL as per this link.
Step 14 - Secure your Ubuntu Server in a passive way (Optional)
Please refer to this link to secure your server in a passive way.
Step 15 - Setup a FTP server on Ubuntu Server (Optional)
This link shows you how to setup a vsFTPd server.
Step 16 - URL Rewrite rules (Optional)
For the url rewrite rules for your PHP applications, please refer to this link
Make sure you add "UseToolkit" at the VirtualHost section.
Step 17 - Send email to GMail via Postfix (Optional)
Please refer to this link
Step 18 - Create normal user for MySQL or MariaDB (Optional)
Please refer to this link
Remarks :
If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".
sudo aa-complain hiawatha
After several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".
sudo aa-logprof
sudo aa-enforce hiawatha
It is because the captioned usr.sbin.hiawatha may not 100% work for you.
In order to further hardened your Hiawatha web server, please consider the following options :
Optional #1 :
For SSH connection security, you also may consider to implement the Port Knocking feature.
sudo apt-get install knockd
Optional #2 :
You may also consider to enable your firewall at your router or on the Hiawatha Web Server with UFW.
If ufw does not exist in your server, you can install it :
sudo apt-get install ufw
Optional #3 :
Consider to place your web server behind this free service at Cloudflare. The main point is you can manage the DNS yourself and have a fixed IP address.
That's all! See you.