My blog has moved!

Notice!

This blog has moved to Samiux’s Blog.

HOWTO : Hiawatha 6.16 web server on Ubuntu 9.04 Server

Hiawatha is a web server developed by Hugo Leisink, who has a great interest in IT security. It is designed with security in mind. It comes with Cross-site Scripting (XSS) prevention, Cross-site Request Forgery (CSRF) prevention, DoS/flooding protection, and SQL injection prevention.

It works with PHP and MySQL. Therefore, the LAMP (Linux, Apache, MySQL and PHP) should be renamed to LHMP (Linux, Hiawatha, MySQL and PHP).

Step 0 :

Install Ubuntu 9.04 Server and OpenSSH as usual. Make sure to perform the following.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

Step 1 :

Download Hiawatha, the current version at this writing is 6.16, at http://www.hiawatha-webserver.org/download.

sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.16.tar.gz
tar -xzvf hiawatha-6.16.tar.gz
cd hiawatha-6.16

Configure and compile Hiawatha.

sudo apt-get install build-essential libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

sudo ./configure
sudo make deb

The deb package will be created in /home/samiux (the directory above the source tree). You can install it with:

sudo dpkg -i hiawatha_6.16_amd64.deb

or

sudo dpkg -i hiawatha_6.16_i386.deb

Step 2 :

Install mysql and php5.

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Enter the password for the MySQL and write it down for further usage.

Step 3 :

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line :

Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

Stop it with -k, for example:

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf

*Make sure you have activated php-fcgi; otherwise, PHP5 pages cannot be served.

Step 4 :

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.

ServerId = www-data

Uncomment the following entries at BINDING SETTINGS.

Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}

Uncomment all the entries at BANNING SETTINGS.

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24

Uncomment all the entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS.

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php,php5
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi

Uncomment all the entries of FastCGIserver and set ConnectTo to 127.0.0.1:2005 (the address php-fcgi listens on in Step 3).

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}

Uncomment all the entries of URL TOOLKIT.

UrlToolkit {
   ToolkitID = banshee
   RequestURI isfile Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}
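The banshee toolkit above is evaluated top to bottom, and the first Return stops processing. The following is an added example (not code from this post or from Hiawatha) that replays those four rules in Python so you can see which URI is actually served; `existing_files` is a constructed stand-in for the files under WebsiteRoot.

```python
import re

# The 'banshee' UrlToolkit rules from hiawatha.conf, in the order Hiawatha evaluates them.
FRONT_CONTROLLER = "/index.php"
DIRECT_FILES = re.compile(r"^/(favicon.ico|robots.txt|sitemap.xml)$")
QUERY_RULE = re.compile(r".*\?(.*)")

def banshee_route(request_uri, existing_files):
    """Return (served_uri, rule_name). `existing_files` is a constructed set of
    paths that exist under WebsiteRoot, standing in for the real filesystem."""
    path = request_uri.split("?", 1)[0]
    # 1. RequestURI isfile Return: an existing file is served as-is, never via index.php,
    #    so anything you do not want served directly must stay outside WebsiteRoot.
    if path in existing_files:
        return request_uri, "isfile"
    # 2. Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return: let Hiawatha answer these
    #    itself (a 404 if missing) instead of handing them to the CMS.
    if DIRECT_FILES.match(request_uri):
        return request_uri, "direct"
    # 3. Match .*\?(.*) Rewrite /index.php?$1: keep the query string for the CMS.
    m = QUERY_RULE.match(request_uri)
    if m:
        return FRONT_CONTROLLER + "?" + m.group(1), "rewrite-query"
    # 4. Match .* Rewrite /index.php: every other path is a CMS route.
    return FRONT_CONTROLLER, "rewrite"
```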

Uncomment all the entries of VIRTUAL HOSTS and alter them where necessary.

VirtualHost {
   Hostname = www.samiux.com
   WebsiteRoot = /var/www/www.samiux.com
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 5
   UseFastCGI = PHP5
   UseToolkit = banshee
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
}

This assumes that your domain name is samiux.com and the site is at /var/www/www.samiux.com.

Step 5 :

sudo nano /etc/php5/cgi/php.ini

Change the following line to Off.

allow_url_fopen = Off

Step 6 :

Restart Hiawatha.

sudo /etc/init.d/hiawatha restart

Step 7 :

Use AppArmor with Hiawatha.

sudo aa-genprof hiawatha

sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Add the following lines.

#include <tunables/global>
/usr/sbin/hiawatha {
   #include <abstractions/base>
   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,
   network inet tcp,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /usr/bin/php5-cgi rix,
   /usr/sbin/cgi-wrapper mr,
   /usr/sbin/hiawatha mr,
   /usr/share/dbconfig-common/** r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /var/lib/** r,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/ r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid w,
   /var/www/ r,
   /var/www/** rw,
   /home/*/public_html/** r,
}

Put the profile in enforce mode.

sudo aa-enforce hiawatha

That’s all. See you!

My Perfect Home Network 2009 (Version 4.0)


The following is the setup of “My Perfect Home Network 2009 (Version 4.0)”. Virtualization technology can reduce the number of servers you own. It saves room, electricity and money, as well as the manpower needed to manage them. That is why it also goes by another name – Green Computing.

Configuration of KVM Server
2 x Intel Xeon E5420 Quad-Core CPU
16GB ECC DDR2 RAM
6 x 1TB Hard drive on hardware RAID 5EE

KVM Server
Virtualization Server (that runs the following 5 servers)
Proxmox on Debian 5.01 Lenny

Server #0
Running Untangle inside.

Server #1
Almost perfect and secure Ubuntu 9.04 LAMP Server

Server #2
WebDAV on Ubuntu 9.04 Server

Server #3
Sockso (Music Server) on Ubuntu 9.04 Server

Server #4
ntop on Ubuntu 9.04 Server

Server #5
Torrentflux-b4rt with Cherokee on Ubuntu 9.04 Server

**********

Router to router
Connecting wired router to wireless router

**********

Evolution of my network 2007-2009

2007 – a very simple network with a wired and a wireless router

2008

2009 (Version 3.4)

2009 (Version 4.0) *This writing* – It is finally simplified into one server with the help of modern computing technology!

HOWTO : Logwatch on Ubuntu 9.04 Server

Logwatch reads your log files and can send you daily email about the most interesting parts.

Step 1 :

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install logwatch

Step 2 :

sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Change the following as shown :

Output = mail
Format = html
MailTo = samiux@gmail.com

Step 3 :

sudo nano /etc/cron.daily/00logwatch

/usr/sbin/logwatch --mailto samiux@gmail.com

Enjoy!

HOWTO : Enhance the security of your Ubuntu 9.04 LAMP server with AppArmor

Step 1 :

Check whether AppArmor is enabled, and make sure the MySQL profile is enabled too.

sudo apparmor_status

Step 2 :

Create a profile for Apache2.

sudo aa-genprof apache2

sudo nano /etc/apparmor.d/usr.sbin.apache2

Add the following lines inside the ^DEFAULT_URI hat (the braces that follow ^DEFAULT_URI).

/usr/sbin/suexec2 rix,
/usr/share/apache2/** r,
/var/log/apache2/** rwl,
/var/xoops/** r,
/var/www/xoops/** r,
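Both the Hiawatha profile in the earlier HOWTO and these Apache2 rules use AppArmor file globs, where `**` crosses directory boundaries and `*` does not. The following is an added example (not from this post or from AppArmor itself) that parses a constructed excerpt of those rules and reports which permissions a given path receives, which is a quick way to check a profile for write grants broader than the application needs.

```python
import re

# Constructed excerpt of the file rules from the two profiles in these posts
# (usr.sbin.hiawatha and the additions to usr.sbin.apache2).
PROFILE_RULES = """
   #include <abstractions/base>
   capability net_bind_service,
   network inet tcp,
   /etc/hiawatha/** r,
   /usr/bin/php5-cgi rix,
   /var/lib/** r,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/** rw,
   /var/www/** rw,
   /home/*/public_html/** r,
   /var/log/apache2/** rwl,
   /var/www/xoops/** r,
"""

def glob_to_regex(glob):
    """AppArmor globbing: '**' may cross '/', while '*' stops at '/'."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")

def parse_rules(text):
    """Return [(regex, mode)] for each file rule; #include, capability and network
    lines are not path rules and are skipped. {a,b} alternation is not handled."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line.startswith("/"):
            path, mode = line.rsplit(None, 1)
            rules.append((glob_to_regex(path), mode))
    return rules

def allowed(rules, path, perm):
    """True if any matching rule's mode contains the permission letter (r, w, l, m, x).
    Execute qualifiers such as ix/px/ux are simplified to a plain 'x' here."""
    return any(rx.match(path) and perm in mode for rx, mode in rules)

def review(rules, paths):
    """Summarise r/w access per path, e.g. to spot 'rw' on all of /var/www/**."""
    return {p: "".join(c for c in "rw" if allowed(rules, p, c)) for p in paths}
```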

Step 3 :

Put the profile in complain mode.

sudo aa-complain /etc/apparmor.d/usr.sbin.apache2
sudo /etc/init.d/apache2 restart

Step 4 :

After running XOOPS for a while, update the profile from the logged accesses.

sudo aa-logprof

When the prompt asks for your selection, choose “A (Add)” to add a rule to the profile. Save the file at the end of the process.

You can repeat this step when necessary.

Step 5 :

After running XOOPS for a longer time without finding any error, you can put the profile in enforce mode. Before doing so, make sure you have run Step 4 once more.

sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
sudo /etc/init.d/apache2 restart

Step 6 (Optional) :

If you encounter any error, you can disable the profile.

sudo ln -s /etc/apparmor.d/usr.sbin.apache2 /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.apache2

To enable the profile again later, remove the symlink.

sudo rm /etc/apparmor.d/disable/usr.sbin.apache2


HOWTO : Make your Apache use SSL

Step 1 :

sudo a2enmod ssl

Copy default-ssl to a file named after your current XOOPS domain, e.g. samiux.com-ssl.

sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/samiux.com-ssl

sudo nano /etc/apache2/sites-available/samiux.com-ssl

Do not change anything inside except the following:

DocumentRoot /var/www/xoops
ServerName http://www.samiux.com # add this line under DocumentRoot
<Directory /var/www/xoops>

Step 2 :

sudo nano /etc/apache2/sites-available/samiux.com

Make sure you have enabled the rewrite module as in the previous HOWTO. Add the following inside the <IfModule mod_rewrite.c> block.

RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]

Step 3 :

Open your browser, go to your site and log in as admin. Enable SSL and add the SSL URL as https://www.samiux.com in the Preferences.

sudo nano /var/www/xoops/mainfile.php

Change your domain name and path to https://www.samiux.com

Step 4 :

sudo a2ensite samiux.com-ssl

sudo /etc/init.d/apache2 restart

HOWTO : SSH to use RSA key for login

ssh-keygen -t rsa -b 2048

or

ssh-keygen -t rsa -b 4096

“Enter file in which to save the key (/home/samiux/.ssh/id_rsa): (Hit Enter)”

Press “Enter”

“Enter passphrase (empty for no passphrase):”

Enter your passphrase twice.

nano /home/samiux/.ssh/id_rsa.pub

Copy the content.

SSH to your server. In the user’s home directory:

sudo mkdir .ssh

sudo nano /home/username/.ssh/authorized_keys

Then paste the previously copied key into the authorized_keys file and save it.

Still at the server.

sudo nano /etc/ssh/sshd_config

Change the following settings as shown.

AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreUserKnownHosts yes
PasswordAuthentication no
#UseLogin no
UsePAM no

sudo /etc/init.d/ssh restart

When you log in to the server again, you will be asked for your RSA key passphrase once. After that, you will not be asked for any passphrase or password.