Fast and safe with the Hiawatha secure web server
The settings thus far have produced a basic web server with very little fancy stuff. You still haven't seen much of Hiawatha's advanced security features. Before touring these additional options, start by telling Hiawatha to talk to the logfiles:
SystemLogfile = /usr/local/var/log/hiawatha/system.log AccessLogfile = /usr/local//var/log/hiawatha/access.log ErrorLogfile = /usr/local//var/log/hiawatha/error.log GarbageLogfile = /usr/local//var/log/hiawatha/garbage.log
The SystemLogfile holds the messages from the daemon; access is logged in AccessLogfile, and ErrorLogfile logs errors. The last line collects the garbage – that is, erroneous or incomplete HTTP requests. Incomplete and erroneous requests are often an indication of a break-in attempt.
Thus far, the web server has only listened on port 80. To bind to this port, Hiawatha needs root privileges. However, it is not a good idea to leave the program running as root. To avoid this problem, Hiawatha changes the user to nobody immediately after launching. The ServerId setting tells the web server to change to another user:
ServerId = www-data
The next step is to mitigate the danger of denial-of-service attacks (DoS) by reducing the number of simultaneous connections that Hiawatha can handle – both overall and per IP address:
ConnectionsTotal = 150 ConnectionsPerIP = 10
While you're at it, it is also a good idea to limit the internal cache size to, say, 15MB:
CacheSize = 15
Also, you can tell Hiawatha to restrict the cache to files ranging in size from CacheMaxFilesize (in kilobytes) to CacheMinFilesize (in bytes):
CacheMaxFilesize = 128 CacheMinFilesize = 256
In the opinion of Hiawatha developer Hugo Leisink, clients should behave well if they want the web server to answer them. To punish clients that send malformed or overlong HTTP requests, Hiawatha resorts to the medieval method of banning. For example, with the command
BanOnGarbage = 300
Hiawatha will refuse to respond to a client for 300 seconds if it sends a non-standards-compliant HTTP request, and
BanOnMaxReqSize = 60
bans it for 60 seconds in the case of a request with an illegal length. You can combat flooding with the following command:
BanOnFlooding = 10/1:35
This command bans a client for 35 seconds if it has sent more than 10 request to Hiawatha within a second. The following is also useful:
BanOnCMDi = 60
This setting bans a client for 60 seconds if it has attempted a command injection attack. The following does the same for SQL injection attacks:
BanOnSQLi = 70
Hiawatha also supports blacklists or whitelists:
BanlistMask = allow 192.168.2.111, deny 192.168.0.0/16
If a banned client is really naughty and attempts to access Hiawatha again while exiled, the following command automatically resets the ban:
RebanDuringBan = yes
Read full article as PDF:
The Bavarian capital shuns Microsoft, Google, and other alternatives to implement an open-source groupware solution.
Phone vendor partnerships bring Mark Shuttleworth's dream of Ubuntu on a phone a step closer to reality.
Donors will get to vote on new features for the free video editor.
Debian project puts init out to pasture and says no to Ubuntu's Upstart.
Ultra-sophisticated attack tool might have originated from a state-sponsored intelligence service.
New alternative for init comes with a small footprint and minimal configuration.
X marks the target for the next-generation windowing system.
Super-clone CentOS Linux gets beamed up to the mother ship.
HTML technology will enable new video editing and playback options.
New Linux distro is optimzed for gaming.