Notice!
This blog is moved to Samiux’s Blog.
Filed under: debian, General, Linux, Security, Ubuntu | Leave a Comment »
HOWTO : Hiawatha 6.16 web server on Ubuntu 9.04 Server
Posted on August 30, 2009 by samiux
Hiawatha is a web server which is developed by Hugo Leisink who is in a great interest in IT security. It is designed with security in mind. It comes with Cross-site Scripting (XSS) prevention, Cross-site Request Forgery (CSRF) prevention, DoS/flooding protection, and SQL injection prevention.
It works with PHP and MySQL. Therefore, the LAMP (Linux, Apache, MySQL and PHP) should be renamed to LHMP (Linux, Hiawatha, MySQL and PHP).
Step 0 :
Install Ubuntu 9.04 Server and OpenSSH as usual. Make sure to perform the following.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
Step 1 :
Download Hiawatha, the current version at this writing is 6.16, at http://www.hiawatha-webserver.org/download.
sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.16.tar.gz
tar -xzvf hiawatha-6.16.tar.gz
cd hiawatha-6.16
Configure and compile the Hiawatha.
sudo apt-get install build-essentail libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev
sudo ./configure
sudo make deb
The deb package will be created at /home/samiux. You can install it by :
sudo dpkg -i hiawatha_6.16_amd64.deb
or
sudo dpkg -i hiawatha_6.16_i386.deb
Step 2 :
Install mysql and php5.
sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Enter the password for the MySQL and write it down for further usage.
Step 3 :
sudo nano /etc/hiawatha/php-fcgi.conf
Uncomment the following line :
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data
Activate php-fcgi.
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf
Kill it with -k, such as :
sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
*Make sure you have been activated php-fcgi; otherwise, php5 cannot be run.
Step 4 :
sudo nano /etc/hiawatha/hiawatha.conf
Uncomment ServerId at GENERAL SETTINGS.
ServerId = www-data
Uncomment the following entries at BINDING SETTINGS.
Binding {
Port = 80
MaxKeepAlive = 30
TimeForRequest = 3,20
}
Uncomment all the entries at BANNING SETTINGS.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24
Uncomment all the entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS.
CGIhandler = /usr/hin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php,php5
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
GCIextension = cgi
Uncomment all the entries of FastCGIserver and rename ConnectTo to 127.0.0.1:2005.
FastCGIserver {
FastCGIid = PHP5
ConnectTo = 127.0.0.1:2005
Extension = php, php5
SessionTimeout = 30
}
Uncomment all the entries of URL TOOLKIT.
UrlToolkit {
ToolkitID = banshee
RequestURI isfile Return
Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}
Uncomment all the entries of VIRTUAL HOSTS and alert it when necessary.
VirtualHost {
Hostname = http://www.samiux.com
WebsiteRoot = /var/www/www.samiux.com
StartFile = index.php
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
TimeForGCI = 5
UseFastCGI = PHP5
UseToolkit = banshee
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
}
Assumed that your domain name is samiux.com and the site is at /var/www/www.samiux.com.
Step 5 :
sudo nano /etc/php5/cgi/php.ini
Change the following line to Off.
allow_url_fopen = Off
Step 6 :
Restart the Hiawatha.
sudo /etc/init.d/hiawatha restart
Step 7 :
Use AppArmor with Hiawatha.
sudo aa-genprof hiawatha
sudo nano /etc/apparmor.d/usr.sbin.hiawatha
Add the following lines.
#include <tunables/global>
/usr/sbin/hiawatha {
#include <abstractions/base>
capability chown,
capability dac_override,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
network inet tcp,
/etc/group r,
/etc/hiawatha/** r,
/etc/nsswitch.conf r,
/etc/passwd r,
/usr/bin/php5-cgi rix,
/usr/sbin/cgi-wrapper mr,
/usr/sbin/hiawatha mr,
/usr/share/dbconfig-common/** r,
/usr/share/phpmyadmin/ r,
/usr/share/phpmyadmin/** r,
/var/lib/** r,
/var/lib/hiawatha/* rw,
/var/log/hiawatha/ r,
/var/log/hiawatha/** rw,
/var/run/hiawatha.pid w,
/var/www/ r,
/var/www/** rw,
/home/*/public_html/** r,
}
Make it enforce.
sudo aa-enforce hiawatha
That’s all. See you!
Filed under: debian, fedora, General, Linux, Security, Ubuntu | 4 Comments »
HOWTO : Build deb from source on Ubuntu 9.04
Posted on August 22, 2009 by samiux
Download checkinstall
sudo apt-get install checkinstall
Download the source file, such as foo.tar.gz and extract it.
tar -xzvf foo.tar.gz
cd foo
./configure
make
sudo checkinstall
After that, the package will be installed automatically and a deb is also generated. You can uninstall package as usual.
For checkinstall usage, please man it.
Filed under: debian, General, Ubuntu | Leave a Comment »
HOWTO : Clean up all log archives after a period of time
Posted on August 18, 2009 by samiux
If I understand fully and correctly, logrotate just compress log files and the number of compressed log files will be growing up after a period of time. It will not delete those outdated compressed log files automatically.
Therefore, I write the following shell script for the captioned purpose which will delete all the files at /var/log and its subdirectories that are existing more than 30 days.
You can change the existing days by altering the value at DAYEXIST.
Step 1 :
nano /home/samiux/cleanup
————- CUT HERE —————–
#!/bin/bash
LOGDIR=”/var/log”
DAYEXIST=”30″
find $LOGDIR -type f -mtime +$DAYEXIST -exec rm {} \;
exit 0
————- CUT HERE —————–
sudo chmod +x /home/samiux/cleanup
Step 2 :
Perform the task at 0130 hours every day.
sudo crontab -e
30 1 * * * /home/samiux/cleanup 2 >&1
Step 3 :
WARNING : DO IT AT YOUR RISK
** Your comment is welcome when my concept is wrong, thanks **
Enjoy!
Filed under: debian, fedora, General, Linux, Ubuntu | Leave a Comment »
HOWTO : Passive mode for Pure-FTPd on Ubuntu Server 9.04
Posted on August 18, 2009 by samiux
I used to use vsFTPd. However, I recently need to test ISPConfig 3 which requires to install Pure-FTPd. My testing server is behind NAT and FTP should be running in passive mode. How to do it on Pure-FTPd?
Assumed that your server IP is 192.168.50.100 and you want to specify a port range 50000-50100 for the passive mode.
Step 1 :
sudo nano /etc/pure-ftpd/conf/PassivePortRange
50000 50100
sudo nano /etc/pure-ftpd/conf/ForcePassiveIP
192.168.50.100
Step 2 :
Restart the service.
sudo /etc/init.d/pure-ftpd restart
That’s all!
Filed under: debian, fedora, General, Linux, Ubuntu | Leave a Comment »
HOWTO : Quota with ext4 on Ubuntu 9.04 Server
Posted on August 17, 2009 by samiux
There is a bug in quota package when filesystem is ext4 in Ubuntu 9.04 Server. You cannot activate quota function under ext4 on Ubuntu 9.04. However, we can use Ubuntu 9.10′s package instead. It is in alpha stage at the moment.
Step 1 :
Download the package at here and the current version is 3.17-3 by this writing.
Install the package and configure the package as usual.
sudo dpkg -i <package_name>
Step 2 :
Edit /etc/fstab and add “usrquota,grpquota” on the partition with the mount point /.
sudo touch /quota.user /quota.group
sudo chmod 600 /quota.*
sudo mount -o remount /
Step 3 :
sudo quotacheck -avugm
sudo quotaon -avug
That’s all. See you!
Filed under: General, Linux, Ubuntu | Leave a Comment »
HOWTO : Torrentflux-b4rt with Cherokee on Ubuntu 9.04 Server
Posted on August 15, 2009 by samiux
I am going to build a Bittorrent server with Cherokee web server instead of Apache. I call it as LCMP – Linux, Cherokee, MySQL and PHP. It may be the fastest web server in the world so far. You are not require to edit the config files. All settings are completed by your browser.
Bittorrent server front-end is using Torrentflux-b4rt. It is running on PHP and MySQL with bittornado.
Step 0 :
Install Ubuntu 9.04 Server edition as usual. Select OpenSSH only when install.
After the installation, perform the system update.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
Assume your server’s IP is 192.168.0.200
Step 1 :
sudo nano /etc/apt/sources.list.d/cherokee.list
Add the following lines.
deb http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main
Add the key.
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EBA7BD49
sudo apt-get update
sudo apt-get install cherokee
Step 2 :
sudo apt-get install mysql-server mysql-client
Enter the MySQL root password when asked. Make sure you have write it down.
Step 3 :
sudo apt-get install php5-cgi
sudo nano /etc/php5/cgi/php.ini
Append the following line at the end of the file.
cgi.fix_pathinfo = 1
sudo /etc/init.d/cherokee restart
sudo apt-get install php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
sudo /etc/init.d/cherokee restart
Step 4 :
sudo cherokee-admin -b
The following will be displayed.
Login:
User: admin
One-time Password: W0K2jR961aYaeiwu
Web Interface:
URL: http://localhost:9090/
Cherokee Web Server 0.99.22 (Aug 5 2009): Listening on port ALL:9090, TLS disabled, IPv6 disabled, using epoll, 4096 fds system limit, max. 2041 connections, caching I/O, single thread
Open browser and point to http://192.168.0.200:9090 or http://localhost:9090
Enter the user name as “admin” and password as “W0K2jR961aYaeiwu” (which will be changed each time).
Step 5 :
Clone a virtual host from default. Add the domain name, document root and etc.
The document root should be “/var/www/torrentflux”.
Go back to the terminal and press Ctrl + C to quit the Cherokee’s admin page.
sudo /etc/init.d/cherokee restart
Step 6 :
sudo apt-get install unrar unzip vlc uudeview build-essential bittornado
Download and compile cksfv that is required by torrentflux-b4rt.
wget http://zakalwe.fi/~shd/foss/cksfv/files/cksfv-1.3.14.tar.bz2
tar -xjvf cksfv-1.3.14.tar.bz2
cd cksfv-1.3.14
./configure
make
sudo make install
Get and install torrentflux-b4rt.
wget http://download.berlios.de/tf-b4rt/torrentflux-b4rt_1.0-beta2.tar.bz2
tar -xjvf torrentflux-b4rt_1.0-beta2.tar.bz2
cd torrentflux-b4rt_1.0-beta2
sudo cp -R html /var/www/torrentflux
sudo chmod -R 0777 /var/www/torrentflux/inc/config
sudo mkdir /home/samiux/torrent
sudo chmod -R 0777 /home/samiux/torrent
Step 7 :
Point your browser to http://192.168.0.200/setup.php and configure it.
** You keyin the username and password on the torrentflux-b4rt will be recorded for the admin account. Please write it down.
The download directory should be “/home/samiux/torrent”.
After the configuration, delete the setup.php.
sudo rm /var/www/torrentflux/setup.php
Step 8 :
Make sure to forward the default ports 49160 to 49300 at your router or firewall.
Step 9 (Optional) :
Install vsftpd when necessary.
** Make sure you change the IP address at “pasv_address”.
Step 10 (Optional) :
Enjoy!
Filed under: debian, fedora, General, Linux, Ubuntu | 1 Comment »
