Fast and safe with the Hiawatha secure web server
Security Wing
The settings thus far have produced a basic web server with very little fancy stuff. You still haven't seen much of Hiawatha's advanced security features. Before touring these additional options, start by telling Hiawatha to talk to the logfiles:
SystemLogfile = /usr/local/var/log/hiawatha/system.log AccessLogfile = /usr/local//var/log/hiawatha/access.log ErrorLogfile = /usr/local//var/log/hiawatha/error.log GarbageLogfile = /usr/local//var/log/hiawatha/garbage.log
The SystemLogfile holds the messages from the daemon; access is logged in AccessLogfile, and ErrorLogfile logs errors. The last line collects the garbage – that is, erroneous or incomplete HTTP requests. Incomplete and erroneous requests are often an indication of a break-in attempt.
Thus far, the web server has only listened on port 80. To bind to this port, Hiawatha needs root privileges. However, it is not a good idea to leave the program running as root. To avoid this problem, Hiawatha changes the user to nobody immediately after launching. The ServerId setting tells the web server to change to another user:
ServerId = www-data
Restricting Resources
The next step is to mitigate the danger of denial-of-service attacks (DoS) by reducing the number of simultaneous connections that Hiawatha can handle – both overall and per IP address:
ConnectionsTotal = 150 ConnectionsPerIP = 10
While you're at it, it is also a good idea to limit the internal cache size to, say, 15MB:
CacheSize = 15
Also, you can tell Hiawatha to restrict the cache to files ranging in size from CacheMaxFilesize (in kilobytes) to CacheMinFilesize (in bytes):
CacheMaxFilesize = 128 CacheMinFilesize = 256
Netiquette
In the opinion of Hiawatha developer Hugo Leisink, clients should behave well if they want the web server to answer them. To punish clients that send malformed or overlong HTTP requests, Hiawatha resorts to the medieval method of banning. For example, with the command
BanOnGarbage = 300
Hiawatha will refuse to respond to a client for 300 seconds if it sends a non-standards-compliant HTTP request, and
BanOnMaxReqSize = 60
bans it for 60 seconds in the case of a request with an illegal length. You can combat flooding with the following command:
BanOnFlooding = 10/1:35
This command bans a client for 35 seconds if it has sent more than 10 request to Hiawatha within a second. The following is also useful:
BanOnCMDi = 60
This setting bans a client for 60 seconds if it has attempted a command injection attack. The following does the same for SQL injection attacks:
BanOnSQLi = 70
Hiawatha also supports blacklists or whitelists:
BanlistMask = allow 192.168.2.111, deny 192.168.0.0/16
If a banned client is really naughty and attempts to access Hiawatha again while exiled, the following command automatically resets the ban:
RebanDuringBan = yes
« Previous 1 2 3 4 Next »
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.