HOWTO : Hiawatha 6.16 web server on Ubuntu 9.04 Server

Hiawatha is a web server developed by Hugo Leisink, who has a strong interest in IT security. It is designed with security in mind: it comes with Cross-site Scripting (XSS) prevention, Cross-site Request Forgery (CSRF) prevention, DoS/flooding protection, and SQL injection prevention.

It works with PHP and MySQL. Therefore, LAMP (Linux, Apache, MySQL and PHP) should be renamed LHMP (Linux, Hiawatha, MySQL and PHP).

Step 0 :

Install Ubuntu 9.04 Server and OpenSSH as usual. Make sure to perform the following.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

Step 1 :

Download Hiawatha (the current version at the time of writing is 6.16) from http://www.hiawatha-webserver.org/download.

sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.16.tar.gz
tar -xzvf hiawatha-6.16.tar.gz
cd hiawatha-6.16

Install the build dependencies, then configure and compile Hiawatha.

sudo apt-get install build-essential libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

sudo ./configure
sudo make deb

The deb package will be created in /home/samiux. You can install it with:

sudo dpkg -i hiawatha_6.16_amd64.deb

or

sudo dpkg -i hiawatha_6.16_i386.deb

Step 2 :

Install MySQL and PHP5.

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Enter the password for MySQL when prompted and write it down for later use.

Step 3 :

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line :

Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

To stop it, use -k, for example:

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf

*Make sure php-fcgi has been activated; otherwise, PHP5 cannot run.

Step 4 :

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.

ServerId = www-data

Uncomment the following entries at BINDING SETTINGS.

Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Uncomment all the entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24

Uncomment all the entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php,php5
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

Uncomment all the entries of FastCGIserver and set ConnectTo to 127.0.0.1:2005 (the address php-fcgi listens on, from Step 3).

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

Uncomment all the entries of URL TOOLKIT.

UrlToolkit {
   ToolkitID = banshee
   RequestURI isfile Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}

Uncomment all the entries of VIRTUAL HOSTS and alter them as necessary.

VirtualHost {
   Hostname = www.samiux.com
   WebsiteRoot = /var/www/www.samiux.com
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 5
   UseFastCGI = PHP5
   UseToolkit = banshee
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
}

This assumes that your domain name is samiux.com and the site lives at /var/www/www.samiux.com. Note that Hostname takes a host name only, without the http:// scheme.

Step 5 :

sudo nano /etc/php5/cgi/php.ini

Change the following line to Off.

allow_url_fopen = Off

Step 6 :

Restart Hiawatha.

sudo /etc/init.d/hiawatha restart
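Before restarting, it is worth confirming that the php-fcgi listener (Step 3) and the ConnectTo address in hiawatha.conf (Step 4) agree, and that something is actually listening there, since a mismatch or a php-fcgi that was never started is the usual reason PHP pages fail with this setup. The following shell script is an added example, not part of the original post and not a tool shipped with Hiawatha; it reads the two configuration files at the paths used in this HOWTO (override them with the PHP_FCGI_CONF and HIAWATHA_CONF environment variables), and the --check flag, the nc fallback and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the Hiawatha project): verify that
# php-fcgi.conf and hiawatha.conf agree on the FastCGI address and that the
# listener is up. Paths default to the ones used in the HOWTO.

PHP_FCGI_CONF="${PHP_FCGI_CONF:-/etc/hiawatha/php-fcgi.conf}"
HIAWATHA_CONF="${HIAWATHA_CONF:-/etc/hiawatha/hiawatha.conf}"

# Print host:port from the first uncommented "Server = binary ; host:port ; user" line.
fcgi_listen_addr() {
    sed -n 's/^[[:space:]]*Server[[:space:]]*=[[:space:]]*[^;]*;[[:space:]]*\([^; ]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Print every uncommented ConnectTo address found in hiawatha.conf.
hiawatha_connect_to() {
    sed -n 's/^[[:space:]]*ConnectTo[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Return 0 when a ConnectTo line matches the php-fcgi listen address exactly.
fcgi_addresses_match() {
    listen=$(fcgi_listen_addr "$1")
    [ -n "$listen" ] || return 1
    hiawatha_connect_to "$2" | grep -qxF "$listen"
}

# Return 0 when a TCP listener is bound to host:port (nc if present, else bash's /dev/tcp).
port_is_listening() {
    host=${1%:*}; port=${1##*:}
    if command -v nc >/dev/null 2>&1; then
        nc -z "$host" "$port" >/dev/null 2>&1
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# Command-line use: ./check-fcgi --check   (run before "sudo /etc/init.d/hiawatha restart")
if [ "${1:-}" = "--check" ]; then
    if ! fcgi_addresses_match "$PHP_FCGI_CONF" "$HIAWATHA_CONF"; then
        echo "ConnectTo in $HIAWATHA_CONF does not match the Server address in $PHP_FCGI_CONF" >&2
        exit 1
    fi
    addr=$(fcgi_listen_addr "$PHP_FCGI_CONF")
    if port_is_listening "$addr"; then
        echo "OK: php-fcgi is listening on $addr"
    else
        echo "php-fcgi is configured on $addr but nothing is listening; run: sudo php-fcgi -c $PHP_FCGI_CONF" >&2
        exit 1
    fi
fi
```

Running it with --check after Step 3 and Step 4 gives a clear reason when PHP does not come up, instead of a bare 503 from Hiawatha. A commented-out Server line in php-fcgi.conf is ignored by the parser, so forgetting to uncomment it in Step 3 is reported as a mismatch.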

Step 7 :

Use AppArmor with Hiawatha.

sudo aa-genprof hiawatha

sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Add the following lines.

#include <tunables/global>
/usr/sbin/hiawatha {
   #include <abstractions/base>
   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,
   network inet tcp,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /usr/bin/php5-cgi rix,
   /usr/sbin/cgi-wrapper mr,
   /usr/sbin/hiawatha mr,
   /usr/share/dbconfig-common/** r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /var/lib/** r,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/ r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid w,
   /var/www/ r,
   /var/www/** rw,
   /home/*/public_html/** r,
}

Put the profile in enforce mode.

sudo aa-enforce hiawatha

That’s all. See you!

HOWTO : Clean up all log archives after a period of time

If I understand fully and correctly, logrotate just compresses log files, and the number of compressed log files will keep growing over time. It will not delete those outdated compressed log files automatically.

Therefore, I wrote the following shell script for the captioned purpose; it deletes all files under /var/log and its subdirectories that have existed for more than 30 days.

You can change the number of days by altering the value of DAYEXIST.

Step 1 :

nano /home/samiux/cleanup

----- CUT HERE -----
#!/bin/bash

# Directory to clean and the age threshold in days: every file under LOGDIR
# last modified more than DAYEXIST days ago is removed.
LOGDIR="/var/log"
DAYEXIST="30"

find "$LOGDIR" -type f -mtime +"$DAYEXIST" -exec rm {} \;

exit 0
----- CUT HERE -----

sudo chmod +x /home/samiux/cleanup

Step 2 :

Perform the task at 0130 hours every day.

sudo crontab -e

30 1 * * * /home/samiux/cleanup 2>&1
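The script above removes every file under /var/log older than 30 days, including active logs that logrotate has not rotated yet and that a daemon may still hold open. The following variant is an added example, not the script from the post: it only matches rotated archives (names ending in .gz, .bz2 or a rotation number such as syslog.1), supports a dry run, and does nothing unless called with --dry-run or --delete. The LOGDIR and DAYEXIST names follow the post; the filename patterns are an assumption about how logrotate names its output and should be adjusted if your logrotate.conf uses other suffixes.

```shell
#!/bin/bash
# Added example, not the original cleanup script: remove only rotated log
# archives older than DAYEXIST days, with a dry-run mode.

LOGDIR="${LOGDIR:-/var/log}"
DAYEXIST="${DAYEXIST:-30}"

# Run find for rotated archives under $1 last modified more than $2 days ago;
# any further arguments are appended as find actions (default: print the paths).
# Assumption: logrotate output ends in .gz, .bz2 or a rotation number, so active
# logs such as syslog or auth.log never match.
old_archives() {
    dir=$1; days=$2; shift 2
    find "$dir" -type f \( -name '*.gz' -o -name '*.bz2' -o -name '*.[0-9]' \) -mtime +"$days" "$@"
}

# Print the archives that would be removed, one per line.
list_old_archives() {
    old_archives "$1" "$2"
}

# Remove them and print how many were removed.
remove_old_archives() {
    count=$(list_old_archives "$1" "$2" | wc -l | tr -d ' ')
    old_archives "$1" "$2" -exec rm -f {} \;
    echo "$count"
}

# Command-line use: ./cleanup --dry-run   (inspect)   or   ./cleanup --delete   (from cron)
case "${1:-}" in
    --dry-run) list_old_archives "$LOGDIR" "$DAYEXIST" ;;
    --delete)  n=$(remove_old_archives "$LOGDIR" "$DAYEXIST")
               echo "removed $n archive(s) older than $DAYEXIST days from $LOGDIR" ;;
    "")        ;;   # no arguments: define the functions only, take no action
    *)         echo "usage: $0 --dry-run | --delete" >&2; exit 2 ;;
esac
```

With this version the crontab entry from Step 2 becomes "30 1 * * * /home/samiux/cleanup --delete 2>&1", and a --dry-run first shows exactly which archives a night's run would touch.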

Step 3 :

WARNING : DO IT AT YOUR RISK

** Your comments are welcome if my concept is wrong, thanks **

Enjoy!

HOWTO : Passive mode for Pure-FTPd on Ubuntu Server 9.04

I used to use vsFTPd. However, I recently needed to test ISPConfig 3, which requires Pure-FTPd to be installed. My testing server is behind NAT and FTP should be running in passive mode. How to do it on Pure-FTPd?

Assume that your server IP is 192.168.50.100 and you want to specify the port range 50000-50100 for passive mode.

Step 1 :

sudo nano /etc/pure-ftpd/conf/PassivePortRange
50000 50100

sudo nano /etc/pure-ftpd/conf/ForcePassiveIP
192.168.50.100

Step 2 :

Restart the service.

sudo /etc/init.d/pure-ftpd restart

That’s all!

HOWTO : Torrentflux-b4rt with Cherokee on Ubuntu 9.04 Server

I am going to build a BitTorrent server with the Cherokee web server instead of Apache. I call it LCMP: Linux, Cherokee, MySQL and PHP. It may be the fastest web server in the world so far. You are not required to edit the config files; all settings are completed from your browser.

The BitTorrent server front-end is Torrentflux-b4rt. It runs on PHP and MySQL with bittornado.

Step 0 :

Install Ubuntu 9.04 Server edition as usual. Select only OpenSSH during the install.

After the installation, perform the system update.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

Assume your server's IP is 192.168.0.200.

Step 1 :

sudo nano /etc/apt/sources.list.d/cherokee.list

Add the following lines.

deb http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main

Add the key.

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EBA7BD49

sudo apt-get update
sudo apt-get install cherokee

Step 2 :

sudo apt-get install mysql-server mysql-client

Enter the MySQL root password when asked. Make sure you have written it down.

Step 3 :

sudo apt-get install php5-cgi

sudo nano /etc/php5/cgi/php.ini

Append the following line at the end of the file.

cgi.fix_pathinfo = 1

sudo /etc/init.d/cherokee restart

sudo apt-get install php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

sudo /etc/init.d/cherokee restart

Step 4 :

sudo cherokee-admin -b

The following will be displayed.

Login:
User: admin
One-time Password: W0K2jR961aYaeiwu

Web Interface:
URL: http://localhost:9090/

Cherokee Web Server 0.99.22 (Aug 5 2009): Listening on port ALL:9090, TLS disabled, IPv6 disabled, using epoll, 4096 fds system limit, max. 2041 connections, caching I/O, single thread

Open browser and point to http://192.168.0.200:9090 or http://localhost:9090

Enter the user name "admin" and the one-time password "W0K2jR961aYaeiwu" (which changes each time cherokee-admin is started).

Step 5 :

Clone a virtual host from the default one. Add the domain name, document root, etc.

The document root should be “/var/www/torrentflux”.

Go back to the terminal and press Ctrl + C to quit Cherokee's admin interface.

sudo /etc/init.d/cherokee restart

Step 6 :

sudo apt-get install unrar unzip vlc uudeview build-essential bittornado

Download and compile cksfv that is required by torrentflux-b4rt.

wget http://zakalwe.fi/~shd/foss/cksfv/files/cksfv-1.3.14.tar.bz2
tar -xjvf cksfv-1.3.14.tar.bz2

cd cksfv-1.3.14
./configure
make
sudo make install

Get and install torrentflux-b4rt.

wget http://download.berlios.de/tf-b4rt/torrentflux-b4rt_1.0-beta2.tar.bz2
tar -xjvf torrentflux-b4rt_1.0-beta2.tar.bz2

cd torrentflux-b4rt_1.0-beta2
sudo cp -R html /var/www/torrentflux
sudo chmod -R 0777 /var/www/torrentflux/inc/config

sudo mkdir /home/samiux/torrent
sudo chmod -R 0777 /home/samiux/torrent

Step 7 :

Point your browser to http://192.168.0.200/setup.php and configure it.

** The username and password you key in on torrentflux-b4rt will be recorded as the admin account. Please write them down.

The download directory should be “/home/samiux/torrent”.

After the configuration, delete the setup.php.

sudo rm /var/www/torrentflux/setup.php

Step 8 :

Make sure to forward the default ports 49160 to 49300 at your router or firewall.

Step 9 (Optional) :

Install vsftpd when necessary.

** Make sure you change the IP address at "pasv_address".

Step 10 (Optional) :

Make your server bootless.

Enjoy!

My Perfect Home Network 2009 (Version 4.0)


The following is the setup of "My Perfect Home Network 2009 (Version 4.0)". Virtualization technology can reduce the number of servers you own. It saves room, electricity and money, as well as the manpower to manage them. Therefore, it has one more name: Green Computing.

Configuration of KVM Server
2 x Intel Xeon E5420 Quad-Core CPU
16GB ECC DDR2 RAM
6 x 1TB Hard drive on hardware RAID 5EE

KVM Server
Virtualization Server (that runs the following 5 servers)
Proxmox on Debian 5.01 Lenny

Server #0
Running Untangle inside.

Server #1
Almost perfect and secure Ubuntu 9.04 LAMP Server

Server #2
WebDAV on Ubuntu 9.04 Server

Server #3
Sockso (Music Server) on Ubuntu 9.04 Server

Server #4
ntop on Ubuntu 9.04 Server

Server #5
Torrentflux-b4rt with Cherokee on Ubuntu 9.04 Server

**********

Router to router
Connecting wired router to wireless router

**********

Evolution of my network 2007-2009

2007 – a very simple network with a wired and a wireless router

2008

2009 (Version 3.4)

2009 (Version 4.0) *This writing* – It is finally simplified into one server with the help of modern computing technology!

HOWTO : Add or rename network interface on Debian 5.0

When you add a new network interface to an already set-up server, it may not be recognized correctly. However, you can configure it manually.

Step 1 :

sudo nano /etc/udev/rules.d/70-persistent-net.rules

Edit the MAC address and/or name of the interface when necessary.

Step 2 :

sudo nano /etc/network/interfaces

Add a new entry for the new interface accordingly.

auto eth2
iface eth2 inet dhcp

*Use dhcp if the IP address is assigned automatically by DHCP.

Step 3 :

sudo ifconfig ethX up

sudo /etc/init.d/networking restart

*where ethX is eth0, eth1, eth2, etc.

HOWTO : Godaddy.com’s Relay Mail Server with Postfix on Ubuntu Server

Your Internet Service Provider (ISP) may block the SMTP port (port 25) if you are not on a business plan (as is the case in Hong Kong). However, you can still send email that passes a reverse lookup of your domain name when your domain registrar is Godaddy.com.

Step 1 :

Create and enable your free email account at Godaddy.com if you have a domain name there. Set the password accordingly. Your account username will look like this: yourname@yourdomain.

Incoming Mail Server Type : POP3
Incoming Mail Server : pop.secureserver.net
Incoming Mail Server Port : 110

Outgoing Mail Server : smtpout.secureserver.net
Outgoing Mail Server Port : 25, 80, 587 or 3535

Step 2 :

Create a file named "sasl_passwd".

sudo nano /etc/postfix/sasl/sasl_passwd

Add the following line.

smtpout.secureserver.net username:password

Step 2a :

Save and quit. Issue the following commands.

sudo chown root:root /etc/postfix/sasl/sasl_passwd
sudo chmod 600 /etc/postfix/sasl/sasl_passwd
sudo postmap /etc/postfix/sasl/sasl_passwd
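The file created in Step 2 holds the relay password in plain text, so the ownership and mode set in Step 2a are what keep other local users from reading it. As an added example (not from the original post or from Postfix), the following shell functions do Step 2 and Step 2a in one go and verify the result: the map file is created under a restrictive umask so it is 0600 from the moment it exists, and postmap is only called when Postfix is installed. The function names, the argument order and the SASL_PASSWD variable are my own choices; the file path defaults to the one used in this HOWTO.

```shell
#!/bin/sh
# Added example, not from the original post: create Postfix's SASL password map
# with safe permissions and confirm them. Run as root (e.g. via sudo) on the server.

SASL_PASSWD="${SASL_PASSWD:-/etc/postfix/sasl/sasl_passwd}"

# write_sasl_passwd FILE RELAY USER PASSWORD
# Writes "RELAY USER:PASSWORD" as the only line of FILE. The umask in the subshell
# makes the file 0600 at creation, so the password is never world-readable even
# briefly; postmap then builds FILE.db for the hash: lookup used in main.cf.
write_sasl_passwd() {
    ( umask 077; printf '%s %s:%s\n' "$2" "$3" "$4" > "$1" ) || return 1
    chmod 600 "$1" || return 1
    if command -v postmap >/dev/null 2>&1; then
        postmap "$1" || return 1   # only available once Postfix is installed
    fi
}

# check_sasl_passwd FILE: return 0 when FILE exists and its mode is exactly 600.
check_sasl_passwd() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Command-line use: sudo ./sasl-setup smtpout.secureserver.net yourname@yourdomain 'password'
if [ $# -eq 3 ]; then
    write_sasl_passwd "$SASL_PASSWD" "$1" "$2" "$3" \
        && check_sasl_passwd "$SASL_PASSWD" \
        && echo "$SASL_PASSWD written and locked down (mode 600)"
fi
```

Passing the password on the command line leaves it in the shell history, so on a multi-user box it is better to call write_sasl_passwd from a script that reads the password with "read -s" instead.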

Step 3 :

Go to your mail server (Postfix).

sudo nano /etc/postfix/main.cf

Edit and/or add the following lines.

relayhost = [smtpout.secureserver.net]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
mynetworks = 192.168.0.0/24, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

*This assumes your network is 192.168.0.0/24; otherwise, change it accordingly.

Step 4 :

Restart Postfix to make it work.

sudo /etc/init.d/postfix restart

Step 5 :

Now, you can send email with reverse lookup via Godaddy.com’s relay mail server. Your email will not be blocked or redirected to “Junk Mail” folder by Gmail, Yahoo Mail or others.

Keep in mind that you have a quota of 250 emails per day; beyond that, you are required to purchase more quota.

Point the other servers that send email at this mail server.