Notice!
This blog is moved to Samiux’s Blog.
Filed under: debian, General, Linux, Security, Ubuntu | Leave a Comment »
Hiawatha is a web server developed by Hugo Leisink, who has a keen interest in IT security, and it is designed with security in mind. It ships with Cross-site Scripting (XSS) prevention, Cross-site Request Forgery (CSRF) prevention, DoS/flooding protection and SQL injection prevention, all switched on from its configuration file.
It works with PHP and MySQL, so a LAMP stack (Linux, Apache, MySQL and PHP) built on it becomes LHMP (Linux, Hiawatha, MySQL and PHP).
Step 0 :
Install Ubuntu 9.04 Server and OpenSSH as usual. Make sure to perform the following.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
Step 1 :
Download Hiawatha (the current version at this writing is 6.16) from
http://www.hiawatha-webserver.org/download
Downloading and unpacking do not need root; do them as your normal user.
wget http://www.hiawatha-webserver.org/files/hiawatha-6.16.tar.gz
tar -xzvf hiawatha-6.16.tar.gz
cd hiawatha-6.16
Install the build dependencies, then configure and compile Hiawatha. Building does not need root either; only installing the package does.
sudo apt-get install build-essential libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev
./configure
make deb
The .deb package is written to the parent directory (here /home/samiux). Install it with :
sudo dpkg -i hiawatha_6.16_amd64.deb
or, on a 32-bit system,
sudo dpkg -i hiawatha_6.16_i386.deb
Step 2 :
Install mysql and php5.
sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Enter a password for the MySQL root user when prompted and keep it somewhere safe; you will need it later.
Step 3 :
sudo nano /etc/hiawatha/php-fcgi.conf
Uncomment the following line (keep the listener on 127.0.0.1 so the FastCGI port is not reachable from the network) :
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data
Start php-fcgi :
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf
Stop it with -k :
sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
php-fcgi must be running (and started again after every reboot) before Hiawatha can serve PHP; otherwise no .php page will run.
Step 4 :
sudo nano /etc/hiawatha/hiawatha.conf
Uncomment ServerId under GENERAL SETTINGS so the worker processes run as www-data instead of root.
ServerId = www-data
Uncomment the following entries at BINDING SETTINGS.
Binding {
Port = 80
MaxKeepAlive = 30
TimeForRequest = 3,20
}
Uncomment all the entries under BANNING SETTINGS. Note that BanlistMask = allow exempts the listed network from banning, so list only networks you trust, and BanOnSQLi = 0 means SQL injection attempts are rejected but the client is not banned.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24
Uncomment the entries under COMMON GATEWAY INTERFACE (CGI) SETTINGS. Enable only the handlers you actually use; each one is an interpreter that any file with that extension under the web root can invoke.
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php,php5
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi
Uncomment all the entries of the FastCGIserver block and set ConnectTo to 127.0.0.1:2005, the address php-fcgi listens on.
FastCGIserver {
FastCGIid = PHP5
ConnectTo = 127.0.0.1:2005
Extension = php, php5
SessionTimeout = 30
}
Uncomment all the entries of URL TOOLKIT.
UrlToolkit {
ToolkitID = banshee
RequestURI isfile Return
Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}
Uncomment all the entries under VIRTUAL HOSTS and alter them as necessary (Hostname takes a bare host name, not a URL).
VirtualHost {
Hostname = www.samiux.com
WebsiteRoot = /var/www/www.samiux.com
StartFile = index.php
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
TimeForCGI = 5
UseFastCGI = PHP5
UseToolkit = banshee
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
}
This assumes your domain is samiux.com and the site lives in /var/www/www.samiux.com. The three Prevent* lines are what switch on Hiawatha's CSRF, SQL injection and XSS filtering; they are per-host settings, so repeat them in every VirtualHost block you add.
Step 5 :
sudo nano /etc/php5/cgi/php.ini
Change the following line to Off (allow_url_fopen lets PHP open remote URLs as if they were files, which is what remote file inclusion bugs abuse).
allow_url_fopen = Off
Step 6 :
Restart the Hiawatha.
sudo /etc/init.d/hiawatha restart
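Before restarting, it is worth checking that the settings from Step 4 really ended up in the file, especially when more than one VirtualHost block exists. The script below is an added example for this post, not code from Hiawatha or its author: it parses the Key = value / Block { } syntax of hiawatha.conf far enough to report missing ban settings and any VirtualHost without the three Prevent* switches. The embedded sample configuration is constructed for the demonstration (the second host, staging.example.com, is hypothetical); run it against /etc/hiawatha/hiawatha.conf by passing the path as the first argument.

```python
"""Audit a hiawatha.conf for the protections enabled in Step 4.

Added example for this post, not part of Hiawatha itself. It parses the
`Key = value` / `Block { ... }` syntax well enough to check the global
banning settings and the per-VirtualHost Prevent* switches. Repeated keys
(CGIhandler lines) are not needed here, so the last value wins.
"""
import re

BLOCK_START = re.compile(r"^(\w+)\s*\{$")
# Global ban settings this post turns on; missing means no automatic ban.
REQUIRED_GLOBAL = ("BanOnFlooding", "BanOnGarbage", "BanOnMaxReqSize")
# Per-VirtualHost request filters; Hiawatha's default for each is "no".
REQUIRED_VHOST = ("PreventCSRF", "PreventSQLi", "PreventXSS")


def parse_config(text):
    """Return {"global": {...}, "blocks": [(block_name, {...}), ...]}."""
    cfg = {"global": {}, "blocks": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = BLOCK_START.match(line)
        if m:
            current = (m.group(1), {})
            cfg["blocks"].append(current)
        elif line == "}":
            current = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (current[1] if current else cfg["global"])[key] = value
    return cfg


def audit(text):
    """Return a list of findings (an empty list means every check passed)."""
    cfg = parse_config(text)
    g = cfg["global"]
    findings = [f"global: {key} is not set" for key in REQUIRED_GLOBAL if key not in g]
    if g.get("BanOnSQLi", "0") == "0":
        findings.append("global: BanOnSQLi is 0, SQLi requests are rejected but the client is not banned")
    for name, block in cfg["blocks"]:
        if name != "VirtualHost":
            continue
        host = block.get("Hostname", "<no Hostname>")
        for key in REQUIRED_VHOST:
            if block.get(key, "no").lower() != "yes":
                findings.append(f"{host}: {key} is not yes")
    return findings


# Constructed sample: the post's host plus a hypothetical second host that forgot the filters.
SAMPLE_CONF = """\
ServerId = www-data
Binding {
    Port = 80
}
BanOnGarbage = 300
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24
VirtualHost {
    Hostname = www.samiux.com
    WebsiteRoot = /var/www/www.samiux.com
    PreventCSRF = yes
    PreventSQLi = yes
    PreventXSS = yes
}
VirtualHost {
    Hostname = staging.example.com   # hypothetical second site
    WebsiteRoot = /var/www/staging
    PreventCSRF = no
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

On the sample it reports the missing BanOnMaxReqSize, the unbanned-SQLi setting and the three missing filters on the second host; a clean file prints "no findings".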
Step 7 :
Confine Hiawatha with AppArmor. Generate a skeleton profile, then edit it.
sudo aa-genprof hiawatha
sudo nano /etc/apparmor.d/usr.sbin.hiawatha
Make the profile read as follows.
#include <tunables/global>
/usr/sbin/hiawatha {
#include <abstractions/base>
capability chown,
capability dac_override,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
network inet tcp,
/etc/group r,
/etc/hiawatha/** r,
/etc/nsswitch.conf r,
/etc/passwd r,
/usr/bin/php5-cgi rix,
/usr/sbin/cgi-wrapper mr,
/usr/sbin/hiawatha mr,
/usr/share/dbconfig-common/** r,
/usr/share/phpmyadmin/ r,
/usr/share/phpmyadmin/** r,
/var/lib/** r,
/var/lib/hiawatha/* rw,
/var/log/hiawatha/ r,
/var/log/hiawatha/** rw,
/var/run/hiawatha.pid w,
/var/www/ r,
/var/www/** rw,
/home/*/public_html/** r,
}
Review the rules against what your site really needs before enforcing: /var/www/** rw lets the server write anywhere under the web root, so narrow it to the directories that must be writable (uploads, caches), and drop the phpmyadmin lines if phpMyAdmin is not installed. Then put the profile in enforce mode.
sudo aa-enforce hiawatha
That’s all. See you!
Filed under: debian, fedora, General, Linux, Security, Ubuntu | 4 Comments »

The following is the setup of “My Perfect Home Network 2009 (Version 4.0)”. Virtualization reduces the number of physical servers you own, which saves space, electricity and money as well as the manpower needed to manage them; hence the term green computing.
Configuration of KVM Server
2 x Intel Xeon E5420 Quad-Core CPU
16GB ECC DDR2 RAM
6 x 1TB Hard drive on hardware RAID 5EE
KVM Server
Virtualization server (runs the following six guests)
Proxmox on Debian 5.01 Lenny
Server #0
Running Untangle inside.
Server #1
Almost perfect and secure Ubuntu 9.04 LAMP Server
Server #2
WebDAV on Ubuntu 9.04 Server
Server #3
Sockso (Music Server) on Ubuntu 9.04 Server
Server #4
ntop on Ubuntu 9.04 Server
Server #5
Torrentflux-b4rt with Cherokee on Ubuntu 9.04 Server
**********
Router to router
Connecting wired router to wireless router
**********
Evolution of my network 2007-2009
2007 – a very simple network with a wired and a wireless router
2009 (Version 4.0) *This writing* – It is finally simplified into one server with the help of modern computing technology!
Filed under: debian, fedora, General, Linux, Security, Ubuntu | 2 Comments »
Logwatch reads your log files and can send you daily email about the most interesting parts.
Step 1 :
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install logwatch
Step 2 :
Logwatch reads /usr/share/logwatch/default.conf/logwatch.conf first and then /etc/logwatch/conf/logwatch.conf, so put your changes in the latter; the packaged default is overwritten on upgrade.
sudo nano /etc/logwatch/conf/logwatch.conf
Set the following :
Output = mail
Format = html
MailTo = samiux@gmail.com
Step 3 :
Alternatively, pass the address on the command line in the daily cron job :
sudo nano /etc/cron.daily/00logwatch
/usr/sbin/logwatch --mailto samiux@gmail.com
Enjoy!
Filed under: debian, fedora, General, Linux, Security, Ubuntu | 1 Comment »
Step 1 :
Check that AppArmor is enabled and that the MySQL profile (shipped with the mysql-server package) is loaded too.
sudo apparmor_status
Step 2 :
Create a profile for Apache2.
sudo aa-genprof apache2
sudo nano /etc/apparmor.d/usr.sbin.apache2
Add the following lines inside the ^DEFAULT_URI hat (the sub-profile Apache switches into while serving requests).
/usr/sbin/suexec2 rix,
/usr/share/apache2/** r,
/var/log/apache2/** rwl,
/var/xoops/** r,
/var/www/xoops/** r,
Step 3 :
Put the profile in complain mode.
sudo aa-complain /etc/apparmor.d/usr.sbin.apache2
sudo /etc/init.d/apache2 restart
Step 4 :
After running the XOOPS for a while, we can update the profiles.
sudo aa-logprof
When prompted, choose “A (Add)” to add a rule to the profile. Save the file at the end of the process.
You can repeat this step when necessary.
Step 5 :
After XOOPS has run for a longer time with no errors, put the profile in enforce mode. Before doing so, run Step 4 once more.
sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
sudo /etc/init.d/apache2 restart
Step 6 (Optional) :
If the profile breaks something, you can disable it :
sudo ln -s /etc/apparmor.d/usr.sbin.apache2 /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.apache2
To enable it again later, remove the symlink and reload the profile :
sudo rm /etc/apparmor.d/disable/usr.sbin.apache2
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
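Both AppArmor posts above (the Hiawatha profile and this Apache2/XOOPS one) rely on reading denials out of the logs and answering “A (Add)” in aa-logprof. The script below is an added example, not part of AppArmor or of these posts: it does a simplified version of what aa-logprof does, parsing apparmor="DENIED" lines from syslog and printing one deduplicated rule per path and profile, but it refuses to turn denials on sensitive paths into rules and reports them instead, because a profile learned from an already-compromised server would simply whitelist the intruder. The syslog lines are constructed for the demonstration and the NEVER_ALLOW list is an assumption for a web server; pass a log file as the first argument to run it on real denials.

```python
"""Turn AppArmor denials into candidate profile rules, with a safety net.

Added example for the two AppArmor posts (Hiawatha and Apache2/XOOPS);
not part of AppArmor's own tools. It parses apparmor="DENIED" syslog
lines, deduplicates them and prints one rule per path, and refuses to
generate rules for paths a web server must never touch.
"""
import re
from collections import defaultdict

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for this example: paths a web server profile should never be granted.
NEVER_ALLOW = ("/etc/shadow", "/etc/sudoers", "/root/", "/home/")


def parse_denial(line):
    """Return the key=value fields of a DENIED line, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    if "profile" not in fields or "name" not in fields:
        return None  # non-file denials (network, capability) need hand-written rules
    return fields


def suggest_rules(lines):
    """Return ({profile: [rule, ...]}, [(profile, path, mask), ...]).

    Rules are grouped by profile or hat (e.g. /usr/sbin/apache2//DEFAULT_URI,
    whose rules belong inside the hat). The second element lists denials
    that must be investigated rather than allowed.
    """
    rules = defaultdict(set)
    suspicious = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        path = d["name"]
        mask = d.get("denied_mask", "").replace("::", "")  # older kernels print "w::"
        if path.startswith(NEVER_ALLOW):
            suspicious.append((d["profile"], path, mask))
            continue
        if "x" in mask:
            mask = mask.replace("x", "ix")  # exec needs a mode; ix = inherit the profile, review by hand
        rules[d["profile"]].add(f"{path} {mask},")
    return {profile: sorted(r) for profile, r in rules.items()}, suspicious


# Constructed syslog lines in the kernel's apparmor="DENIED" format.
SAMPLE_LOG = [
    'Jun  1 10:00:01 web kernel: [ 1234.567890] type=1400 audit(1243850401.123:45): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/apache2//DEFAULT_URI" name="/var/www/xoops/uploads/cache/x.png" '
    'pid=2345 comm="apache2" requested_mask="w" denied_mask="w" fsuid=33 ouid=33',
    'Jun  1 10:00:02 web kernel: [ 1235.000000] type=1400 audit(1243850402.000:46): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/apache2//DEFAULT_URI" name="/var/www/xoops/uploads/cache/x.png" '
    'pid=2346 comm="apache2" requested_mask="w" denied_mask="w" fsuid=33 ouid=33',
    'Jun  1 10:00:03 web kernel: [ 1236.000000] type=1400 audit(1243850403.000:47): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/hiawatha" name="/var/log/hiawatha/access.log" '
    'pid=2400 comm="hiawatha" requested_mask="w" denied_mask="w" fsuid=33 ouid=33',
    'Jun  1 10:00:04 web kernel: [ 1237.000000] type=1400 audit(1243850404.000:48): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/apache2//DEFAULT_URI" name="/etc/shadow" '
    'pid=2347 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0',
    'Jun  1 10:00:05 web kernel: [ 1238.000000] type=1400 audit(1243850405.000:49): apparmor="STATUS" '
    'operation="profile_replace" name="/usr/sbin/hiawatha" pid=2500 comm="apparmor_parser"',
]

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    rules, suspicious = suggest_rules(lines)
    for profile, rule_list in rules.items():
        print(f"# add to profile {profile}")
        for rule in rule_list:
            print("  " + rule)
    for profile, path, mask in suspicious:
        print(f"INVESTIGATE: {profile} tried to {mask} {path}")
```

The two identical upload denials collapse into one rule, the Hiawatha log denial gets its own rule under its own profile, and the read of /etc/shadow comes out as something to investigate rather than as a line to paste into the profile. Per-file rules like these are a starting point; once you see the pattern, replace them with a glob such as /var/www/xoops/uploads/** rw, exactly as aa-logprof offers to do.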
Filed under: debian, General, Linux, Security, Ubuntu | 3 Comments »
Step 1 :
sudo a2enmod ssl
Copy default-ssl to a file named after your XOOPS domain, e.g. samiux.com.
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/samiux.com-ssl
sudo nano /etc/apache2/sites-available/samiux.com-ssl
Change nothing inside except the following (the shipped default-ssl points at the self-signed snakeoil certificate from the ssl-cert package; for a public site replace it with a certificate browsers trust) :
DocumentRoot /var/www/xoops
ServerName www.samiux.com # add this line under DocumentRoot
<Directory /var/www/xoops>
Step 2 :
sudo nano /etc/apache2/sites-available/samiux.com
Make sure the rewrite module is enabled as in the previous HOWTO. Add the following inside the <IfModule mod_rewrite.c> block so every plain-HTTP request is redirected to HTTPS (R=301 makes the redirect permanent and L stops further rewriting).
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Step 3 :
Open your browser, go to your site and log in as admin. In Preferences, enable SSL and set the SSL URL to
https://www.samiux.com
Then change the site URL (XOOPS_URL) in mainfile.php to the https address.
sudo nano /var/www/xoops/mainfile.php
https://www.samiux.com
Step 4 :
sudo a2ensite samiux.com-ssl
sudo /etc/init.d/apache2 restart
Filed under: debian, fedora, General, Linux, Security, Ubuntu | 1 Comment »
ssh-keygen -t rsa -b 2048
or
ssh-keygen -t rsa -b 4096
“Enter file in which to save the key (/home/samiux/.ssh/id_rsa):”
Press “Enter” to accept the default.
“Enter passphrase (empty for no passphrase):”
Enter a passphrase twice. Do not leave it empty; the passphrase is what protects the private key if the laptop or its backups are stolen.
Show the public key and copy its contents (a single line starting with ssh-rsa).
cat /home/samiux/.ssh/id_rsa.pub
SSH to your server as the user who will own the key and create the directory and file with the right permissions. Do not use sudo here: that leaves them owned by root, so the user cannot manage their own keys later, and sshd's StrictModes refuses keys in a group- or world-writable directory.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Paste the copied public key into authorized_keys as one line and save it.
Still at the server.
sudo nano /etc/ssh/sshd_config
Set the following. PasswordAuthentication no only switches off the password method; with UsePAM yes, PAM can still prompt through keyboard-interactive unless ChallengeResponseAuthentication is also no. UsePAM no avoids that but also skips PAM's account and session checks (locked accounts, /etc/nologin); if you rely on those, keep UsePAM yes and set ChallengeResponseAuthentication no instead.
AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreUserKnownHosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
#UseLogin no
UsePAM no
sudo /etc/init.d/ssh restart
Keep your current session open and test a key login from a second terminal, so a mistake cannot lock you out. You are asked for the RSA key passphrase once; with ssh-agent caching it, later logins ask for no passphrase or password. Password logins are now refused, so keep a backup of the private key.
Filed under: debian, fedora, General, Linux, Security, Ubuntu | 2 Comments »
If you want to build a production LAMP server on Ubuntu 9.04 hosting a Content Management System (CMS) such as XOOPS, the following steps make the server almost perfect and secure. A commercial or DIY Unified Threat Management (UTM) system in front of the network or server is recommended; if that is not possible, at least enable the firewall, open only the ports you need and block all other traffic.
Even so, hardening the server with the following procedure and adding a UTM is no guarantee against every attack. Stay alert!
LAMP and XOOPS (the CMS)
Install XOOPS on Ubuntu 9.04 Server with security modules
Hardening your server in active and passive ways
Security enhanced Ubuntu 9.04 LAMP server with AppArmor
Secure your Ubuntu 9.04 server in a passive way
Make sure there is no rootkit on your Ubuntu 9.04 server
Fail2ban on Ubuntu 9.04 server
Logwatch on Ubuntu 9.04 Server
vsFTP
vsFTP install on Ubuntu 8.04.1 server (but it is same as on Ubuntu 9.04)
System and PHP tuning
PHP and Apache tuning on Ubuntu 8.04.1 server (but it is same as on Ubuntu 9.04)
Ubuntu system performance tuning
Rebootless on Ubuntu 9.04
Rebootless on Ubuntu 9.04
Securing an Ubuntu 9.04 server is easy and costs almost nothing.
Give intruders no chance!!
Filed under: debian, fedora, General, Linux, Security, Ubuntu | 4 Comments »
Root account access warning
Add the following to the top of /root/.bashrc and you will be informed by email whenever an interactive root shell is opened (including sudo -i and sudo -s). Know its limits: commands run through plain sudo never open a shell and do not trigger it, and an intruder who already has root can simply remove the line, so treat the mail as an early warning, not as a tamper-proof audit log.
echo -e "Root Shell Access on `tty` \n `w`" | mail -s "Alert: Root Access" samiux@gmail.com
Hardening SSH
The official SSH port is 22. You can move it to any port between 1024 and 65535, either on the router or firewall or in /etc/ssh/sshd_config. A non-standard port only cuts the noise from automated scanners; it is no substitute for key-only authentication. Disable root login over SSH as well, even though the root account is locked by default on Ubuntu. The Ubuntu init script is called ssh.
Port 65535
PermitRootLogin no
sudo /etc/init.d/ssh restart
Finally, enable firewall and only allow necessary ports to be access.
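The settings from the SSH key post and from this section are easy to get subtly wrong, because sshd honours the first occurrence of a keyword: a PasswordAuthentication no appended below a stock PasswordAuthentication yes changes nothing, and grep happily shows you the line you added. The script below is an added example for these two posts and is not part of OpenSSH; it parses sshd_config with that first-occurrence rule, stops at any Match block, and reports the settings that would still let a password log in. The two embedded configurations are constructed; pass /etc/ssh/sshd_config as the first argument to check a real server (sshd -T shows the effective values for comparison).

```python
"""Audit sshd_config for the key-only login settings used in the SSH posts.

Added example for the "SSH keys" and "Hardening SSH" posts; it is not part
of OpenSSH. It models the one thing a quick grep misses: sshd honours the
FIRST occurrence of a keyword, so a `PasswordAuthentication no` appended
below an existing `PasswordAuthentication yes` changes nothing. Keywords
after a `Match` block are conditional and are left to `sshd -T`.
"""


def parse_sshd_config(text):
    """Return {keyword.lower(): value} using sshd's first-occurrence-wins rule."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key Value" or "Key=Value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything below is conditional on the Match criteria
        settings.setdefault(key, value)
    return settings


def audit_sshd(text):
    """Return a list of findings; empty means password logins are really off."""
    s = parse_sshd_config(text)
    findings = []
    # Fallback values below are OpenSSH's own defaults when the keyword is absent.
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not no (first occurrence wins)")
    if s.get("permitrootlogin", "yes") not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin still allows root password login")
    if s.get("usepam", "yes") == "yes" and s.get("challengeresponseauthentication", "yes") != "no":
        findings.append("UsePAM yes with ChallengeResponseAuthentication not no: PAM can still prompt for a password")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off, nobody can log in once passwords are disabled")
    if "1" in s.get("protocol", "").split(","):
        findings.append("Protocol 1 is enabled")
    return findings


# Constructed: a stock file with the post's lines appended at the bottom,
# the common mistake that silently leaves password login enabled.
WEAK = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
# appended later:
PasswordAuthentication no
PermitRootLogin no
"""

# Constructed: the earlier lines edited in place, PAM kept for account checks.
HARDENED = """\
Port 65535
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AuthorizedKeysFile %h/.ssh/authorized_keys
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK
    for finding in audit_sshd(text) or ["no findings"]:
        print(finding)
```

The WEAK file produces three findings even though its last two lines look right; the HARDENED file, which edits the original lines instead of appending, produces none.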
Filed under: debian, fedora, General, Linux, Security, Ubuntu | 1 Comment »
To make sure no rootkit, trojan or worm has been installed on your server without your knowledge, scan it regularly.
ChkRootKit
Get the chkrootkit package :
sudo apt-get install chkrootkit
Make a cron job to run the scan daily at 0700 hours. The first run goes to root's normal cron mail, the quiet run to the address given; write the redirect as 2>&1 with no space, otherwise “2” is passed to chkrootkit as an argument :
sudo crontab -e
0 7 * * * /usr/sbin/chkrootkit; /usr/sbin/chkrootkit -q 2>&1 | mail -s "Daily ChkRootKit Scan" samiux@gmail.com
Do a manual scan :
sudo /usr/sbin/chkrootkit
Rootkit Hunter (Optional)
sudo apt-get install rkhunter
Make a Cron Job to do the scan daily at 0500 hours :
sudo crontab -e
0 5 * * * rkhunter --cronjob --rwo | mail -s "Daily Rootkit Hunter Scan" samiux@gmail.com
Do a manual scan :
sudo rkhunter --check
Forensic tool to find hidden processes and ports – unhide
Get the unhide package :
sudo apt-get install unhide
Make cron jobs to run the scans daily between 0800 and 0930 hours (again 2>&1 with no space) :
sudo crontab -e
0 8 * * * unhide proc; unhide proc -q 2>&1 | mail -s "Daily unhide proc Scan" samiux@gmail.com
30 8 * * * unhide sys; unhide sys -q 2>&1 | mail -s "Daily unhide sys Scan" samiux@gmail.com
0 9 * * * unhide brute; unhide brute -q 2>&1 | mail -s "Daily unhide brute Scan" samiux@gmail.com
30 9 * * * unhide-tcp; unhide-tcp -q 2>&1 | mail -s "Daily unhide-tcp Scan" samiux@gmail.com
Do a manual scan :
sudo unhide proc
sudo unhide sys
sudo unhide brute
sudo unhide-tcp
Beware :
Rootkit Hunter and ChkRootKit will raise some false positives after packages or files have been updated, or when legitimate software behaves like a rootkit (a packet sniffer such as ntop puts an interface into promiscuous mode, for example). After package upgrades, run sudo rkhunter --propupd so its file-properties database matches the new binaries.
Remarks :
A clean scan is no proof that the system is free of rootkits; a kernel-level rootkit can hide from userland scanners, so treat these tools as one layer of defence, not the last word.
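The cron lines above mail the whole report every day, and the false positives just mentioned train people to stop reading it. The script below is an added example for this post, not part of chkrootkit: it parses chkrootkit's full (non -q) output, keeps only the checks whose result looks suspicious, drops results that match a per-host allow list of known false positives, and produces a mail body only when something is left. The sample output is constructed, and the allow-list entry (a bindshell warning on 465/tcp explained by an SMTPS listener) is an assumption for the example host; tune KNOWN_FALSE_POSITIVES to your own server.

```python
"""Triage chkrootkit output so the daily mail only carries real findings.

Added example for the rootkit post; it is not part of chkrootkit. Feed it
the full (non -q) output: it keeps the `Checking ...' lines whose result
looks suspicious, drops results on a per-host allow list of known false
positives, and returns a mail body only when something remains.
"""
import re

CHECK_LINE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\.\s*(?P<result>.*)$")
# Words chkrootkit uses for a positive result.
SUSPECT_WORDS = ("INFECTED", "Warning", "Possible", "SNIFFER")
# Assumed per-host allow list: test name -> pattern of a result known to be benign here.
KNOWN_FALSE_POSITIVES = {
    # 465/tcp is the SMTPS listener on this box, which chkrootkit reports as a bindshell.
    "bindshell": re.compile(r"INFECTED \(PORTS:\s+465\)$"),
}


def triage(output):
    """Return (alerts, suppressed): lists of (test, result) tuples."""
    alerts, suppressed = [], []
    for line in output.splitlines():
        m = CHECK_LINE.match(line.strip())
        if not m:
            continue  # multi-line sections ("Searching for ...") are not parsed here
        name, result = m.group("name"), m.group("result")
        if not any(word in result for word in SUSPECT_WORDS):
            continue
        benign = KNOWN_FALSE_POSITIVES.get(name)
        if benign and benign.search(result):
            suppressed.append((name, result))
        else:
            alerts.append((name, result))
    return alerts, suppressed


def mail_body(output):
    """Return the text to mail, or None when nothing needs attention."""
    alerts, suppressed = triage(output)
    if not alerts:
        return None
    lines = ["chkrootkit findings needing attention:"]
    lines += [f"  {name}: {result}" for name, result in alerts]
    if suppressed:
        lines.append("suppressed as known false positives:")
        lines += [f"  {name}: {result}" for name, result in suppressed]
    return "\n".join(lines)


# Constructed chkrootkit output in its usual line format.
SAMPLE_OUTPUT = """\
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/ntop[1234])
Checking `w55808'... not infected
Checking `z2'... chklastlog: nothing deleted
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    body = mail_body(text)
    print(body if body else "nothing to report")
    sys.exit(0 if body is None else 1)  # non-zero exit means: something to look at
```

On the sample the bindshell hit is suppressed by the allow list while the sniffer on eth0 is reported; if ntop is meant to run on that host, add a matching entry and the mail stops. In cron, pipe /usr/sbin/chkrootkit 2>&1 into the script and mail its output only when it exits non-zero, so an empty day produces no message at all.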
Filed under: debian, fedora, General, Linux, Security, Ubuntu | 3 Comments »