Showing posts with label PHP. Show all posts

Tuesday, May 01, 2018

HOWTO : Upgrade Ubuntu Server 16.04 to 18.04

Ubuntu 18.04 LTS has just been released, so it is high time to upgrade your Ubuntu Server 16.04 LTS to 18.04 LTS. Before upgrading, make sure you have sufficient free space.

Step 1 :

sudo apt install update-manager-core
sudo do-release-upgrade -d


You need to answer "Y" to all questions asked.

Step 2 :

Make sure all the required repositories are enabled in /etc/apt/sources.list.d/, then run the following command.

sudo apt update

Step 3 :

If you have an application that works only on Java 8, do the following.

update-java-alternatives -l
sudo update-java-alternatives -s java-1.8.0-openjdk-amd64


or

sudo update-alternatives --config java

Then select Java 8.

Step 4 :

If your system runs PHP, you need to reinstall all the required PHP packages for the new PHP version (7.2 on 18.04). For example,

sudo apt-get install php7.2-cgi php7.2 php7.2-cli php7.2-mysql php7.2-curl php7.2-gd php7.2-intl php7.2-imap php7.2-pspell php7.2-recode php7.2-sqlite3 php7.2-tidy php7.2-xmlrpc php7.2-xsl apache2-utils php7.2-fpm php-memcache php-imagick mysql-server mysql-client php7.2-mbstring php7.2-zip
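Which php7.2 packages to reinstall depends on what was installed on 16.04. The following is an added example, not part of the original post: it derives the 7.2 package list from the 7.0 packages of the old system so that no extension is silently lost. The package list embedded below is a constructed sample; on a real host generate it with dpkg-query -W -f '${Package}\n' 'php*' and pipe it in. The DROPPED_IN_72 list (mcrypt has no php7.2 package) and the function names are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): map the php7.0 packages installed
# on a 16.04 host to their php7.2 equivalents for the 18.04 upgrade.
# On a real host:  dpkg-query -W -f '${Package}\n' 'php*' | php_packages_for 7.0 7.2

# Extensions that have no php7.2-* package because they left PHP core in 7.2
# (mcrypt is the known case; extend the list for your own stack). Assumption.
DROPPED_IN_72="mcrypt"

# is_dropped EXT: true if EXT is in DROPPED_IN_72
is_dropped() {
    for d in $DROPPED_IN_72; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# php_packages_for OLD NEW: reads package names on stdin (one per line) and
# prints the names for PHP NEW on one line, ready to paste after apt-get install.
#   php<OLD>-ext  -> php<NEW>-ext   (skipped with a warning when dropped)
#   php<OLD>      -> php<NEW>
#   anything else -> unchanged (version-less php-* metapackages, mysql-server, ...)
php_packages_for() {
    old="$1"; new="$2"
    while IFS= read -r pkg; do
        case "$pkg" in
            "php$old-"*)
                ext="${pkg#php"$old"-}"
                if is_dropped "$ext"; then
                    echo "warning: php$new-$ext does not exist, skipping $pkg" >&2
                else
                    echo "php$new-$ext"
                fi
                ;;
            "php$old") echo "php$new" ;;
            "")        ;;                        # ignore blank lines
            *)         echo "$pkg" ;;
        esac
    done | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of the PHP-related packages installed on a 16.04 host
INSTALLED_16_04="php7.0
php7.0-cli
php7.0-fpm
php7.0-mcrypt
php7.0-mysql
php-memcache
mysql-server"

# Prints the apt-get line to run (it does not run it); mcrypt is warned about on stderr
echo "sudo apt-get install $(printf '%s\n' "$INSTALLED_16_04" | php_packages_for 7.0 7.2)"
```

Run the script and copy the printed apt-get line; check stderr for extensions that could not be mapped and find replacements for them before upgrading.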

If you are using php7.2-fpm with Apache2, make sure to also run the following :

sudo a2enmod php7.2
sudo a2enconf php7.2-fpm
sudo systemctl enable php7.2-fpm
sudo systemctl enable apache2
sudo systemctl restart php7.2-fpm
sudo systemctl restart apache2


That's all! See you.

Thursday, August 18, 2016

VirtualBox 5.0.x Headless with PHPVirtualBox 5.0.x

VirtualBox is a virtual machine monitor that can run on desktops and servers. It can run as a server (Headless mode) with PHPVirtualBox as the front end. PHPVirtualBox runs flawlessly with Apache. However, I would like it to run on Hiawatha. No database is required for Headless mode.

Part A - Hardware

Motherboard : ASRock Rack C2750D4I server board
CPU : Intel Atom C2750
RAM : 4 x 8GB (32GB) DDR3-1600
Hard Drive : 2 x Western Digital 4TB WD4000F9YZ

The Western Digital 4TB WD4000F9YZ is not certified by ASRock, so it cannot boot from the SATA3 ports. The SATA2 ports are used in this case.

The performance of the C2750 is similar to the Xeon E3-1220L. See the comparison page here.

The power consumption of this setup is between 30W and 80W.

Make sure you have enabled "Virtualization" (VT-x) in the BIOS.

Part B - Software

Operating System : Ubuntu Server 16.04.1 LTS
Virtual Machine : VirtualBox 5.0.30
Front End : PHPVirtualBox 5.0.5
Web Server : Hiawatha
RAID : Software RAID 1

Part C - Installation

Part C.1 - Operating System and Software RAID 1 Installation

RAID 1 requires two hard drives for the installation. When you are installing Ubuntu Server 14.04.2 LTS, you are required to do the partitioning. Select "Automatically partitioning" for each drive. The partitions will be (1) 1MB for "biosgrub"; (2) Free Space for the root directory; and (3) Free Space for SWAP.

Then select "Configure Software RAID" to configure the Software RAID 1 on the Free Space for the root directory and the Free Space for SWAP partitions. Do not RAID the "biosgrub" partitions. Set the "Free Space for root directory" to be mounted at "/" and used as "Ext4 journaling file system". Set the "Free Space for SWAP" to be used as "SWAP".

Finally, choose to install "OpenSSH" when asked.

After the installation, your box should boot up as expected. You can check the status of the Software RAID 1 with the following commands :

cat /proc/mdstat

mdadm --detail /dev/md0
mdadm --detail /dev/md1


Part C.2 - VirtualBox Installation

After Ubuntu Server 16.04.1 LTS is installed, you can install VirtualBox on it.

sudo nano /etc/apt/sources.list.d/vbox.list

Append the following line to it :

deb http://download.virtualbox.org/virtualbox/debian xenial contrib

Save it.

wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -

sudo apt-get update
sudo apt-get install dkms unzip
sudo apt-get install virtualbox-5.0


wget http://download.virtualbox.org/virtualbox/5.0.30/Oracle_VM_VirtualBox_Extension_Pack-5.0.30-112061.vbox-extpack

sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-5.0.30-112061.vbox-extpack

To uninstall Extension Pack :

sudo VBoxManage extpack uninstall "Oracle VM VirtualBox Extension Pack"

Part C.3 - Hiawatha Web Server Installation

sudo apt-get install php-common php7.0-cli php7.0-common php7.0-curl php7.0-gd php7.0-imap php7.0-intl php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-readline php7.0-xml php7.0-zip php7.0-pgsql php7.0-sqlite3 php7.0-fpm php-apcu mysql-server mysql-client php7.0-cgi apache2-utils php7.0-soap

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

wget http://www.cmake.org/files/v3.6/cmake-3.6.2.tar.gz
tar -xvzf cmake-3.6.2.tar.gz
cd cmake-3.6.2
./configure
make
sudo make install


wget http://www.hiawatha-webserver.org/files/hiawatha-10.4.tar.gz
tar -xzvf hiawatha-10.4.tar.gz
cd hiawatha-10.4/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.4_amd64.deb


sudo systemctl enable hiawatha

sudo nano /etc/php/7.0/fpm/php.ini

Make the following changes :

zlib.output_compression = On
zlib.output_compression_level = 6
cgi.rfc2616_headers = 1


Append the following to the php-fpm.conf.

sudo nano /etc/php/7.0/fpm/php-fpm.conf

[www]
user = www-data
group = www-data
listen.mode = 0666
listen = /var/run/php/php7.0-fpm.sock
pm = static
pm.max_children = 100
chdir = /


sudo nano /etc/hiawatha/hiawatha.conf



sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites


sudo nano /etc/hiawatha/enable-sites/vbox.local



Make sure to change the "Hostname" to your IP address.

Part C.4 - PHPVirtualBox Installation

sudo adduser --ingroup vboxusers vbox

Enter a password when prompted. Make sure you use a simple password, as symbols are not accepted by VirtualBox.

wget "http://downloads.sourceforge.net/project/phpvirtualbox/phpvirtualbox-5.0-5.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fphpvirtualbox%2F&ts=1476606079&use_mirror=ncu" -O phpvirtualbox-5.0.5.zip
sudo unzip phpvirtualbox-5.0.5.zip -d /var/www/
sudo mv /var/www/phpvirtualbox-5.0.5/ /var/www/vbox
cd /var/www/vbox
sudo cp config.php-example config.php
sudo nano config.php


Change "$username" to "vbox" and "$password" to the password you just entered.

Change "$consoleHost" to your IP address, such as "192.168.1.120"

Uncomment (remove the leading "#") "$enableAdvancedConfig = true;" and "$startStopConfig = true;"

sudo nano /etc/default/virtualbox

Append the following lines to the (empty) file :

VBOXWEB_USER=vbox
VBOXWEB_HOST=127.0.0.1


sudo cp /var/www/vbox/vboxinit /etc/init.d/vboxinit
sudo update-rc.d vboxinit defaults


sudo systemctl enable vboxweb-service
sudo systemctl start vboxweb-service


Now, you can browse to http://[your-server-ip]/index.html, e.g. http://192.168.1.120/index.html.

Log in with "admin" as the username and "admin" as the password.

You can copy the ISO files to /home/samiux/iso, for example, with the scp command.

Make sure you have installed "Guest Additions" on all virtual desktop guests. You also need Flash to run the guest VNC.



If you want to browse with http://[your-server-ip]/ only, you need to do the following :

sudo cp /var/www/vbox/index.html /var/www/vbox/index.php

Troubleshooting

If phpvirtualbox shows a login error after php7.0 is updated :

sudo /etc/init.d/php7.0-fpm restart

If a phpvirtualbox guest VM shows "saved" or "poweroff" :

sudo systemctl restart vboxweb-service

Before upgrading VirtualBox, make sure all your virtual machines (guests) have been shut down. Then stop VirtualBox :

sudo systemctl stop vboxdrv
sudo systemctl stop vboxweb-service


If the Linux kernel has been updated but the VirtualBox kernel module was not rebuilt properly by DKMS, you need to run :

sudo /sbin/rcvboxdrv setup

If you encounter "Uninstalling old VirtualBox DKMS kernel modulesError! Could not locate dkms.conf file." when upgrading, you need to delete the source directory of the previous version :

sudo rm -rf /var/lib/dkms/vboxhost/[previous version]

e.g. /var/lib/dkms/vboxhost/5.0.28

dkms status

After that, run the following commands or reboot the box.

sudo systemctl start vboxdrv
sudo systemctl start vboxweb-service


Then start all virtual machines from the web interface.


That's all! See you.

Friday, June 12, 2015

HOWTO : VirtualBox Headless with PHPVirtualBox

VirtualBox is a virtual machine monitor that can run on desktops and servers. It can run as a server (Headless mode) with PHPVirtualBox as the front end. PHPVirtualBox runs flawlessly with Apache. However, I would like it to run on Hiawatha. No database is required for Headless mode.

Part A - Hardware

Motherboard : ASRock Rack C2750D4I server board
CPU : Intel Atom C2750
RAM : 4 x 8GB (32GB) DDR3-1600
Hard Drive : 2 x Western Digital 4TB WD4000F9YZ

The Western Digital 4TB WD4000F9YZ is not certified by ASRock, so it cannot boot from the SATA3 ports. The SATA2 ports are used in this case.

The performance of the C2750 is similar to the Xeon E3-1220L. See the comparison page here.

The power consumption of this setup is between 30W and 80W.

Make sure you have enabled "Virtualization" (VT-x) in the BIOS.

Part B - Software

Operating System : Ubuntu Server 14.04.2 LTS
Virtual Machine : VirtualBox 4.3.28
Front End : PHPVirtualBox 4.3-3
Web Server : Hiawatha
RAID : Software RAID 1

Part C - Installation

Part C.1 - Operating System and Software RAID 1 Installation

RAID 1 requires two hard drives for the installation. When you are installing Ubuntu Server 14.04.2 LTS, you are required to do the partitioning. Select "Automatically partitioning" for each drive. The partitions will be (1) 1MB for "biosgrub"; (2) Free Space for the root directory; and (3) Free Space for SWAP.

Then select "Configure Software RAID" to configure the Software RAID 1 on the Free Space for the root directory and the Free Space for SWAP partitions. Do not RAID the "biosgrub" partitions. Set the "Free Space for root directory" to be mounted at "/" and used as "Ext4 journaling file system". Set the "Free Space for SWAP" to be used as "SWAP".

Finally, choose to install "OpenSSH" when asked.

After the installation, your box should boot up as expected. You can check the status of the Software RAID 1 with the following commands :

cat /proc/mdstat

mdadm --detail /dev/md0
mdadm --detail /dev/md1
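Checking /proc/mdstat by eye works once, but a RAID 1 pair only protects you if a failed member is noticed. The following is an added example, not from the original post, that serves this step and the identical Part C.1 of the 2016 post above: it parses the mdstat text and reports arrays whose [N/M] member count shows a missing or failed disk, or that are not active. The mdstat text embedded below is constructed sample data; on a real host feed the function with mdstat_degraded < /proc/mdstat (for instance from cron). The function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): report degraded software RAID
# arrays from /proc/mdstat text.  Real use:  mdstat_degraded < /proc/mdstat

# mdstat_degraded < mdstat: prints the name of every array whose "[N/M]" field
# has fewer present members (M) than configured (N), or whose state is not
# "active". Prints nothing when every array is complete.
mdstat_degraded() {
    awk '
        /^md[0-9]+ : / { name = $1; state = $3 }   # "md0 : active raid1 sda2[0] sdb2[1](F)"
        name != "" && /blocks/ {                   # "... blocks super 1.2 [2/1] [U_]"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\[[0-9]+\/[0-9]+\]$/) {
                    split(substr($i, 2, length($i) - 2), c, "/")
                    if (c[2] + 0 < c[1] + 0 || state != "active") print name
                }
            }
            name = ""
        }
    '
}

# raid_ok < mdstat: exit status 0 when no array is degraded, 1 otherwise
# (usable directly as a cron or monitoring check)
raid_ok() {
    [ -z "$(mdstat_degraded)" ]
}

# Constructed sample: md1 is complete, md0 has lost sdb2 (marked (F), [2/1], [U_])
MDSTAT_DEGRADED="Personalities : [raid1]
md1 : active raid1 sda3[0] sdb3[1]
      15615936 blocks super 1.2 [2/2] [UU]

md0 : active raid1 sda2[0] sdb2[1](F)
      3890896896 blocks super 1.2 [2/1] [U_]
      bitmap: 1/29 pages [4KB], 65536KB chunk

unused devices: <none>"

# Constructed sample: both arrays complete
MDSTAT_HEALTHY="Personalities : [raid1]
md1 : active raid1 sda3[0] sdb3[1]
      15615936 blocks super 1.2 [2/2] [UU]

md0 : active raid1 sda2[0] sdb2[1]
      3890896896 blocks super 1.2 [2/2] [UU]

unused devices: <none>"

for sample in "$MDSTAT_HEALTHY" "$MDSTAT_DEGRADED"; do
    if printf '%s\n' "$sample" | raid_ok; then
        echo "all arrays healthy"
    else
        echo "degraded arrays: $(printf '%s\n' "$sample" | mdstat_degraded | tr '\n' ' ')"
    fi
done
```

On the degraded sample the script prints "degraded arrays: md0"; mdadm --detail /dev/md0 then shows which member to replace.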


Make sure to change /etc/network/interfaces :

Add "allow-hotplug p119p1" just below "auto p119p1".

Part C.2 - VirtualBox Installation

After Ubuntu Server 14.04.2 LTS is installed, you can install VirtualBox on it.

sudo nano /etc/apt/sources.list.d/vbox.list

Append the following line to it :

deb http://download.virtualbox.org/virtualbox/debian trusty contrib

Save it.

wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -

sudo apt-get update
sudo apt-get install dkms unzip
sudo apt-get install virtualbox-4.3


wget http://download.virtualbox.org/virtualbox/4.3.28/Oracle_VM_VirtualBox_Extension_Pack-4.3.28-100309.vbox-extpack

sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.3.28-100309.vbox-extpack

To uninstall Extension Pack :

sudo VBoxManage extpack uninstall "Oracle VM VirtualBox Extension Pack"

Part C.3 - Hiawatha Web Server Installation

sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache apache2-utils php5-fpm

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

wget http://www.cmake.org/files/v3.2/cmake-3.2.3.tar.gz
tar -xvzf cmake-3.2.3.tar.gz
cd cmake-3.2.3
./configure
make
sudo make install


wget http://www.hiawatha-webserver.org/files/hiawatha-9.13.tar.gz
tar -xzvf hiawatha-9.13.tar.gz
cd hiawatha-9.13/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_9.13_amd64.deb


sudo nano /etc/php5/fpm/php.ini

Make the following changes :

zlib.output_compression = On
zlib.output_compression_level = 6


Append the following to the php-fpm.conf.

sudo nano /etc/php5/fpm/php-fpm.conf

[www]
user = www-data
group = www-data
listen.mode = 0666
listen = /var/run/php5-fpm.sock
pm = static
pm.max_children = 100
chdir = /
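The pool above (and the identical php7.0 pool in the 2016 post) uses listen.mode = 0666, which makes the FPM socket writable by every local account: anyone who can connect to it can have php-fpm run PHP as www-data. The following is an added example, not from the original post, that audits a pool file for that and rewrites it to listen.mode = 0660 with listen.owner and listen.group set to the web server user, so only that user can connect. The pool text embedded below is a constructed copy of the post's pool; on a real host run fpm_pool_findings < /etc/php5/fpm/php-fpm.conf. The function names and the single-pool assumption are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): audit and harden the socket
# settings of a php-fpm pool.  Real use:  fpm_pool_findings < php-fpm.conf

# fpm_pool_findings < pool.conf: one finding per line, nothing when clean
fpm_pool_findings() {
    awk -F'=' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*;/ || /^[ \t]*$/ { next }                  # comments, blank lines
        { key = trim($1); val = trim($2) }
        key == "listen"       { sock = val }
        key == "listen.mode"  { mode = val }
        key == "listen.owner" { owner = val }
        key == "listen.group" { group = val }
        END {
            if (sock ~ /^\//) {                           # unix socket: mode matters
                if (mode == "") mode = "0660"             # php-fpm default
                others = substr(mode, length(mode), 1)    # last octal digit = others
                if (others ~ /[2367]/)
                    print "listen.mode " mode ": socket is writable by every local user"
                if (owner == "") print "listen.owner not set"
                if (group == "") print "listen.group not set"
            } else if (sock != "" && sock !~ /^(127\.|localhost:|\[::1\])/) {
                print "listen " sock ": TCP socket reachable from other hosts"
            }
        }
    '
}

# harden_fpm_pool [USER] < pool.conf: prints the pool with listen.mode = 0660
# and listen.owner/listen.group = USER (default www-data) added when missing.
# Assumes a single pool section, as in the post's file.
harden_fpm_pool() {
    awk -v u="${1:-www-data}" '
        /^[ \t]*listen\.mode[ \t]*=/  { print "listen.mode = 0660"; next }
        /^[ \t]*listen\.owner[ \t]*=/ { have_owner = 1 }
        /^[ \t]*listen\.group[ \t]*=/ { have_group = 1 }
        { print }
        END {
            if (!have_owner) print "listen.owner = " u
            if (!have_group) print "listen.group = " u
        }
    '
}

# Constructed sample: the pool as given in the post
POOL_WEAK="[www]
user = www-data
group = www-data
listen.mode = 0666
listen = /var/run/php5-fpm.sock
pm = static
pm.max_children = 100
chdir = /"

echo "== findings for the post's pool"
printf '%s\n' "$POOL_WEAK" | fpm_pool_findings
echo "== hardened pool"
printf '%s\n' "$POOL_WEAK" | harden_fpm_pool
```

Hiawatha connects to the socket as www-data (the ServerId the later posts set), so the hardened pool still works for the web server while other local users are locked out. After editing, restart php5-fpm and re-run the findings function on the saved file; it should print nothing.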


sudo nano /etc/hiawatha/hiawatha.conf



sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites


sudo nano /etc/hiawatha/enable-sites/vbox.local



Make sure to change the "Hostname" to your IP address.

Part C.4 - PHPVirtualBox Installation

sudo adduser --ingroup vboxusers vbox

Enter password when prompted.

wget "http://sourceforge.net/projects/phpvirtualbox/files/phpvirtualbox-4.3-3.zip/download" -O phpvirtualbox-4.3-3.zip
sudo unzip phpvirtualbox-4.3-3.zip -d /var/www/
sudo mv /var/www/phpvirtualbox-4.3-3 /var/www/vbox
cd /var/www/vbox
sudo cp config.php-example config.php
sudo nano config.php


Change "$username" to "vbox" and "$password" to the password you just entered.

Change "$consoleHost" to your IP address, such as "192.168.1.120"

Uncomment (remove the leading "#") "$enableAdvancedConfig = true;" and "$startStopConfig = true;"

sudo nano /etc/default/virtualbox

Append the following line :

VBOXWEB_USER=vbox

sudo cp /var/www/vbox/vboxinit /etc/init.d/vboxinit
sudo update-rc.d vboxinit defaults


sudo /etc/init.d/vboxweb-service start

Now, you can browse to http://[your-server-ip]/index.html, e.g. http://192.168.1.120/index.html.

Log in with "admin" as the username and "admin" as the password.

You can copy the ISO files to /home/samiux/iso, for example, with the scp command.

Make sure you have installed "Guest Additions" on all virtual desktop guests. You also need Flash to run the guest VNC.



If you want to browse with http://[your-server-ip]/ only, you need to do the following :

sudo cp /var/www/vbox/index.html /var/www/vbox/index.php

If the network interface occasionally is not detected, you can :

sudo cp /etc/network/interfaces /etc/network/interfaces-original

sudo nano /etc/network/interfaces


Make sure the interfaces file contains only the following :

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto p119p1
allow-hotplug p119p1
iface p119p1 inet dhcp



That's all! See you.

Wednesday, October 03, 2012

EXPLOIT-DEV : CentOS 6.3 vs Ubuntu 12.04

There are many methods to exploit a Local File Inclusion (LFI) vulnerability in a PHP web application on Linux systems. Some of them are invalid on the latest versions of Linux distributions, I think. For example, those methods are process injection, log file injection, session file injection, etc.

Unfortunately, in my recent research, I found that PHP session files on CentOS 6.3 (maybe also previous versions) with default settings can be injected and loaded. However, on Ubuntu 12.04 they cannot. (Remarks : I did not check other Linux distributions for this research.)

When the PHP session files can be injected and loaded along with an LFI vulnerability, attackers can obtain a remote shell.

Basically, CentOS is a clone of RedHat Enterprise Linux.

Reference : Web vulnerabilities to gain access to the system

That's all! See you.

Monday, February 21, 2011

HOWTO : Drupal 6.2 or 7 with Hiawatha 7.4 WebServer on Ubuntu Server/Desktop 10.10

I am going to set up a development environment for Drupal 6.2 or 7 with Hiawatha 7.4 on Ubuntu Desktop 10.10. However, this setup is also suitable for a production environment on Ubuntu Server 10.10 with a few changes.

Step 0 - Installation of Hiawatha

Follow this link to install the required packages. You can omit the optional security settings for now.

Step 1 - Configuration of Hiawatha

Change the following section in /etc/hiawatha/hiawatha.conf.

Binding {
   Port = 80
   #Interface = 127.0.0.1
   MaxKeepAlive = 30
   TimeForRequest = 3,20
   MaxRequestSize = 8192
   MaxUploadSize = 30
}


Add the following section to /etc/hiawatha/hiawatha.conf.

UrlToolkit {
   ToolkitID = drupal7
   RequestURI exists Return
   Match /favicon.ico Return
   Match .* Rewrite /index.php
}


and/or

UrlToolkit {
   ToolkitID = drupal6
   RequestURI exists Return
   Match ^/favicon.ico$ Return
   Match /(.*)\?(.*) Rewrite /index.php?q=$1&$2
   Match /(.*) Rewrite /index.php?q=$1
}


Step 2 - Configuration of virtual host

sudo nano /etc/hiawatha/enable-site/drupal7

Drupal 7 :

VirtualHost {
   Hostname = localhost, 127.0.0.1
   WebsiteRoot = /var/www/drupal7
   StartFile = index.php
   SecureURL = false
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 120
   #UseFastCGI = PHP5
   UseToolkit = drupal7
   #DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   ExecuteCGI = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   TriggerOnCGIstatus = no
}


or

sudo nano /etc/hiawatha/enable-site/drupal6

Drupal 6 :

VirtualHost {
   Hostname = localhost, 127.0.0.1
   WebsiteRoot = /var/www/drupal6
   StartFile = index.php
   SecureURL = false
   AccessLogfile = /var/log/hiawatha/access.log
   ErrorLogfile = /var/log/hiawatha/error.log
   TimeForCGI = 120
   #UseFastCGI = PHP5
   UseToolkit = drupal6
   #DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
   ExecuteCGI = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   TriggerOnCGIstatus = no
}


Step 2a :

sudo /etc/init.d/hiawatha restart

Step 3 : Preparation of installation of Drupal

Download Drupal from its official site. Extract the downloaded file and copy it to /var/www/.

sudo tar -xzvf drupal-6.20.tar.gz

or

sudo tar -xzvf drupal-7.0.tar.gz

Step 3a :

Create a directory under /var/www/.

sudo mkdir /var/www/drupal6

or

sudo mkdir /var/www/drupal7

Step 3b :

Copy the files (including subdirectories) to /var/www/.

sudo cp -R ~/drupal-6.20/* /var/www/drupal6

or

sudo cp -R ~/drupal-7.0/* /var/www/drupal7

Step 3c :

cd /var/www/drupal6

or

cd /var/www/drupal7

Step 3d :

sudo chmod a+w sites/default
sudo mkdir sites/default/files
sudo chmod a+w sites/default/files


sudo cp sites/default/default.settings.php sites/default/settings.php
sudo chmod a+w sites/default/settings.php


Step 3e :

mysql -u root -p

After entering the password, create a database for the installation.

create database drupal;

Then quit MySQL.

quit

Step 3f :

Open a browser and enter "localhost" in the address bar to continue the installation. The database name is "drupal".

When the installation is completed, carry out the following commands.

sudo chmod go-w sites/default
sudo chmod go-w sites/default/settings.php


sudo chmod a-r CHANGELOG.txt
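Step 3d opens sites/default, settings.php and files/ to everyone so the installer can write them; step 3f closes settings.php and sites/default again and hides CHANGELOG.txt, which reveals the Drupal version. The following is an added example, not from the original post, that checks a Drupal web root for exactly those points after installation, and additionally flags sites/default/files if it is still world-writable (this example's own recommendation: give it to the web server user instead). The sample tree is constructed in a temporary directory; on a real install run drupal_perm_findings /var/www/drupal7. The function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): post-install permission check for
# a Drupal web root.  Real use:  drupal_perm_findings /var/www/drupal7

# perm_has PATH POS CHAR: true if the ls -l mode string of PATH has CHAR at
# position POS (2-4 owner rwx, 5-7 group rwx, 8-10 others rwx)
perm_has() {
    [ "$(ls -ld "$1" | cut -c"$2")" = "$3" ]
}

# drupal_perm_findings ROOT: one finding per line, nothing when clean
drupal_perm_findings() {
    root="$1"
    for p in sites/default sites/default/settings.php; do
        if [ ! -e "$root/$p" ]; then
            echo "$p: missing"
        elif perm_has "$root/$p" 6 w || perm_has "$root/$p" 9 w; then
            echo "$p: writable by group or others (chmod go-w)"
        fi
    done
    if [ ! -d "$root/sites/default/files" ]; then
        echo "sites/default/files: missing"
    elif perm_has "$root/sites/default/files" 9 w; then
        echo "sites/default/files: writable by everyone (chmod o-w, own it by the web server user)"
    fi
    if [ -e "$root/CHANGELOG.txt" ] && perm_has "$root/CHANGELOG.txt" 8 r; then
        echo "CHANGELOG.txt: readable by others (chmod a-r)"
    fi
}

# make_sample_drupal: constructs a tree in the state step 3d leaves it
# (everything world-writable, CHANGELOG.txt readable); prints the directory
make_sample_drupal() {
    d=$(mktemp -d)
    mkdir -p "$d/sites/default/files"
    touch "$d/sites/default/settings.php" "$d/CHANGELOG.txt"
    chmod a+w "$d/sites/default" "$d/sites/default/files" "$d/sites/default/settings.php"
    chmod 644 "$d/CHANGELOG.txt"
    echo "$d"
}

# apply_post_install ROOT: the post's step 3f commands, plus o-w on files/
apply_post_install() {
    chmod go-w "$1/sites/default" "$1/sites/default/settings.php"
    chmod a-r "$1/CHANGELOG.txt"
    chmod o-w "$1/sites/default/files"
}

ROOT=$(make_sample_drupal)
echo "before step 3f:"; drupal_perm_findings "$ROOT"
apply_post_install "$ROOT"
echo "after step 3f:";  drupal_perm_findings "$ROOT"
rm -rf "$ROOT"
```

Before step 3f the check prints four findings; after it, none. The mode string is read with ls -ld so the check works on any POSIX system without GNU-specific stat or find options.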

Step 4 : Complete the installation

Drupal 6.2

sudo crontab -e

Add the following :

0 * * * * wget -O - -q -t 1 http://localhost/cron.php

or

Drupal 7

Administration -- Configuration -- System -- Cron

Get the Cron key at Administration -- Reports -- Status report -- Cron maintenance tasks.

sudo crontab -e

0 * * * * wget -O - -q -t 1 http://localhost/cron.php?cron_key=YOURKEY

Step 5 : Localization (Optional)

Download the required localization .po file from the following links.

http://localize.drupal.org/download
http://drupal.org/localize

That's all! See you.

Wednesday, May 12, 2010

HOWTO : phpmyadmin on Ubuntu 10.04 LTS Server

Because of a bug in PHP5 on Ubuntu 10.04 LTS, sessions are saved in /tmp instead of /var/lib/php5. Some PHP applications may not encounter any problem. However, phpmyadmin does run into one: you cannot log in. Don't panic, I will show you how to solve this problem with ease.

Bug fix on PHP5

Run one of the following commands, depending on your situation.

sudo nano /etc/php5/cgi/php.ini

or

sudo nano /etc/php5/apache2/php.ini

or

sudo nano /etc/php5/cli/php.ini

Make the following changes to php.ini.

session.save_path = /tmp
session.auto_start = 1


Installation of phpmyadmin

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install phpmyadmin


Make sure mysql and php5 are already installed.

The configuration files for Apache2 and lighttpd will be set up automatically after you answer several questions. Write down the password you entered.

sudo cp /usr/share/phpmyadmin/config.inc.php /usr/share/phpmyadmin/config.inc.php.bak

sudo cp /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php

sudo nano /usr/share/phpmyadmin/config.inc.php

Locate $cfg['blowfish_secret']='' and enter a password-like string, e.g. dlhw034tu034F&W.

The outcome will be :
$cfg['blowfish_secret']='dlhw034tu034F&W';

Save and then reboot your server. Or,

sudo /etc/init.d/php-fcgi restart
or
sudo /etc/init.d/php restart

Then restart Apache or your web server :
sudo /etc/init.d/apache2 restart

Access phpmyadmin with your browser and point the url to :
http://your_server_ip/phpmyadmin

The username is "root" and the password is the one you entered during installation.

This bug has been reported by someone else. I think the fix will be released soon.

That's all! See you.

Thursday, October 01, 2009

HOWTO : Highest secured Hiawatha Web Server (6.17.1) on Ubuntu 9.04 Server

What is Hiawatha?

Hiawatha is a web server that has been developed by Hugo Leisink since 2002.  Hiawatha is not as well known as Apache; however, it has some unique features that Apache lacks.  Apache requires additional modules for security purposes, such as modsecurity and mod_rewrite, whereas Hiawatha has them built in.  She can ban bad traffic and bad activities on your web server.  Her footprint is also small, only 130kb, surprise?!  She is the default web server for Austrumi and Puppy Linux.

Although the user manual at her official site is not detailed enough (at the time of this writing), Hiawatha is quite easy to configure and runs well on a production server.  There may be a bug in cgi-wrapper in Hiawatha 6.17.1, and the source code must be modified to solve the problem.

Hiawatha runs MySQL and PHP well in CGI mode.  It can run in a Windows environment too (not yet tried).  This tutorial shows you how to configure Hiawatha to work with MySQL and PHP.

Installation of Linux, Hiawatha, MySQL and PHP - LHMP

Step 0 - Install Ubuntu 9.04

Install Ubuntu 9.04 Server and OpenSSH.  If your web application requires email functionality, you should also install a mail server.

Make sure you have run the following commands at the terminal (or console).

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


If the kernel or kernel modules have been updated, you should reboot your computer/server.

Step 1 - Install PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

*Note : some of these modules may not be required, such as php5-sqlite and php5-snmp.  If your web application requires them, make sure they are installed.

Step 2 - Install Hiawatha

Download the current Hiawatha, 6.17.1 at the time of writing.

sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.17.1.tar.gz
tar -xzvf hiawatha-6.17.1.tar.gz
cd hiawatha-6.17.1


Install the required dependencies.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

Fix the bug in Hiawatha.
sudo nano cgi-wrapper.c

At line 103, just below rest = uncomment(line); add the following lines :

if (*rest == '\0') {
   continue;
}


In the hiawatha-6.17.1 directory, build the Hiawatha deb package.

./configure
make deb


The deb package will be created in your home directory, such as /home/samiux.  You can install it now.

cd ..

For 64-bit system :
sudo dpkg -i hiawatha_6.17.1_amd64.deb

For 32-bit system :
sudo dpkg -i hiawatha_6.17.1_i386.deb

Step 3 - Configure PHP5

Edit the php.ini.

sudo nano /etc/php5/cgi/php.ini

Make the following changes.

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd


*Note : some PHP applications may require safe_mode = Off.

Edit Hiawatha's php-fcgi.conf.

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you make any change to php-fcgi.conf, restart it with the following commands.

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf


Step 4 - Configure Hiawatha

Edit the file hiawatha.conf.

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.
ServerId = www-data

Add the following lines under GENERAL SETTINGS (LogFormat = extended gives an Apache-compatible log file format).
LogFormat = extended
CGIwrapper = /usr/sbin/cgi-wrapper


Uncomment the following entries at BINDING SETTINGS.
Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}


Uncomment all the entries at BANNING SETTINGS.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24


*Note : Change BanlistMask to match your own network.

Uncomment the php5-cgi and CGIextension lines.
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi


Uncomment all the entries of FastCGIserver and change ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}


Optional - Create the following lines under URL TOOLKIT.

UrlToolkit {
   ToolkitID = CMS_common
   RequestURI isfile Return
   RequestURI exists Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}


*Note : UrlToolkit is similar to Apache's mod_rewrite.

Create a VirtualHost for your site.

VirtualHost {
   Hostname = samiux.blogspot.com
   #Alias = /php_my_admin:/usr/share/phpmyadmin
   WebsiteRoot = /var/www/blog
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/blog/access.log
   ErrorLogfile = /var/log/hiawatha/blog/error.log
   TimeForCGI = 5
   #UseFastCGI = PHP5
   UseToolkit = CMS_common
   ExecuteCGI = yes
   PreventCMDi = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
   DenyBot = YoudaoBot:/
   DenyBot = ParchBot:/
   DenyBot = Curl:/
   DenyBot = msnbot:/
   DenyBot = NaverBot:/
   WrapCGI = jail
}


Configure cgi-wrapper.conf.
sudo nano /etc/hiawatha/cgi-wrapper.conf

Make changes to the file.
CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
#CGIhandler = /usr/bin/python
#CGIhandler = /usr/bin/ruby
#CGIhandler = /usr/bin/ssi-cgi


Wrap = jail ; /var/www ; www-data:www-data

*Note : Some CMSs will not work well when PreventCMDi = yes.  DenyBot entries are optional; if you do not want spiders and bots to crawl your site, you should enable them.  Those entries are examples only.  UseToolkit is also optional.

Make sure /var/log/hiawatha/blog exists (example) and its ownership is www-data.

If not, set it as follows.
sudo chown -R www-data:www-data /var/log/hiawatha/blog

Restart Hiawatha.
sudo /etc/init.d/hiawatha restart

Now, make sure the ownership of access.log and error.log is www-data.  If not, set it as follows.

sudo chown www-data:www-data /var/log/hiawatha/blog/*

Step 5 - Configure AppArmor (to make Hiawatha safer)

Create an AppArmor profile for Hiawatha.
sudo aa-genprof hiawatha

Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Make the entries look like this.
# Last Modified: Thu Oct 1 10:00:57 2009
#include <tunables/global>


/usr/sbin/hiawatha {
#include <abstractions/base>


   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,


   network inet tcp,


   /bin/dash rix,
   /etc/group r,
   /etc/hiawatha/** r,
   /etc/host.conf r,
   /etc/hosts r,
   /etc/mailname r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /etc/php5/cgi/php.ini r,
   /etc/php5/conf.d/ r,
   /etc/php5/conf.d/**.ini r,
   /etc/phpmyadmin/** r,
   /etc/postfix/**.cf r,
   /etc/protocols r,
   /etc/resolv.conf r,
   /etc/services r,
   /usr/bin/php5-cgi rix,
   /usr/lib{,32,64}/** mr,
   /usr/sbin/cgi-wrapper rix,
   /usr/sbin/hiawatha mr,
   /usr/sbin/postdrop rix,
   /usr/sbin/sendmail rix,
   /usr/share/dbconfig-common/** r,
   /usr/share/file/magic.mime r,
   /usr/share/mysql/charsets/Index.xml r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /usr/share/zoneinfo/ r,
   owner /var/lib/** rwk,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/* r,
   /var/log/hiawatha/** rw,
   /var/run/hiawatha.pid rw,
   owner /var/spool/postfix/maildrop/** rw,
   /var/spool/postfix/public/pickup w,
   /var/www/ r,
   /var/www/** rw,
}


* This assumes you are using Postfix.

Put the profile in enforce mode (active).
sudo aa-enforce hiawatha

If you have changed some settings, reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile :
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled :
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Step 6 - Improve the security of CGI-Wrapper

Now your Hiawatha is very secure, but I would like to make it even more secure.

sudo apt-get install libcap2-bin

Remove the setuid bit from cgi-wrapper and apply file capabilities instead.
sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper


Check the result with getcap :

sudo getcap /usr/sbin/cgi-wrapper

It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep

Reference :
Hiawatha Manual
Hiawatha Features
AppArmor

Known Issue
Alias does not work with this configuration so far.

That's all.  See you!

Tuesday, September 15, 2009

HOWTO : Most secure web server (Hiawatha 6.17.1) on Ubuntu 9.04 Server

What is Hiawatha?

Hiawatha is a web server that has been developed by Hugo Leisink since 2002.  Hiawatha is not as well known as Apache; however, it has some unique features that Apache lacks.  Apache requires additional modules for security purposes, such as modsecurity and mod_rewrite, whereas Hiawatha has them built in.  She can ban bad traffic and bad activities on your web server.  Her footprint is also small, only 130kb, surprise?!  She is the default web server for Austrumi and Puppy Linux.

Although the user manual at her official site is not detailed enough (at the time of this writing), Hiawatha is quite easy to configure and runs well on a production server.  There may be a bug in cgi-wrapper in Hiawatha 6.17.1, and it cannot be configured to run PHP5 in cgi-wrapper mode at the moment.  Perl, however, is no problem.

Hiawatha runs MySQL and PHP well in CGI mode.  It can run in a Windows environment too (not yet tried).  This tutorial shows you how to configure Hiawatha to work with MySQL and PHP.

Installation of Linux, Hiawatha, MySQL and PHP - LHMP

Step 0 - Install Ubuntu 9.04

Install Ubuntu 9.04 Server and OpenSSH.  If your web application requires email functionality, install a mail server as well.

Make sure you have performed the following commands at the terminal (or console).

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade


If the kernel or kernel modules have been updated, you should reboot your computer/server.

Step 1 - Install PHP5 and MySQL

sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

*Note : some modules, such as php5-sqlite and php5-snmp, may not be required.  Install them only if your web application needs them.

Step 2 - Install Hiawatha

Download the current Hiawatha, 6.17.1 at the time of writing.

sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.17.1.tar.gz
tar -xzvf hiawatha-6.17.1.tar.gz
cd hiawatha-6.17.1


Install the required dependencies.

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

At the hiawatha-6.17.1 directory, build the Hiawatha deb package.

./configure
make deb


The deb package will be created in your home directory, such as /home/samiux.  You can install it now.

cd ..

For 64-bit system :
sudo dpkg -i hiawatha_6.17.1_amd64.deb

For 32-bit system :
sudo dpkg -i hiawatha_6.17.1_i386.deb

Step 3 - Configure PHP5

Edit the php.ini.

sudo nano /etc/php5/cgi/php.ini

Make the following changes.

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd


*Note : some PHP applications may require safe_mode = Off.
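A small audit for the php.ini hardening in Step 3, added here as an example (not part of the original post): it reads the effective value of each directive, checks the disable_functions list function by function, and runs against a constructed sample php.ini with three deliberate weaknesses.

```shell
# Added example, not from the original post: audit a php.ini against the
# Step 3 hardening values. Handles ';' comments, whitespace, last-one-wins keys.
# php_ini_get FILE KEY -> prints the effective value of KEY (empty if unset)
php_ini_get() {
    sed 's/;.*$//' "$1" | awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }'
}
# php_ini_audit FILE -> prints one line per deviation; returns 1 if any, else 0
php_ini_audit() {
    bad=0
    for pair in display_errors=Off log_errors=On allow_url_fopen=Off \
                safe_mode=On expose_php=Off enable_dl=Off; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(php_ini_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key = '${got:-unset}', expected $want"
            bad=1
        fi
    done
    # every function on the post's disable_functions line must be present
    have=$(php_ini_get "$1" disable_functions | tr -d ' ')
    for fn in system show_source symlink exec dl shell_exec passthru phpinfo \
              escapeshellarg escapeshellcmd; do
        case ",$have," in
            *",$fn,"*) ;;
            *) echo "disable_functions is missing $fn"; bad=1 ;;
        esac
    done
    return $bad
}

# make_weak_ini -> constructed php.ini (sample data, not a real server's file) with
# three problems: display_errors on, expose_php commented out, exec not disabled.
make_weak_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
display_errors = On        ; should be Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
; expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
EOF
    echo "$f"
}

php_ini_audit "$(make_weak_ini)" || echo "php.ini is not hardened"
```

Point php_ini_audit at /etc/php5/cgi/php.ini after editing it to confirm nothing was missed.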

Edit Hiawatha's php-fcgi.conf.

sudo nano /etc/hiawatha/php-fcgi.conf

Uncomment the following line.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data

Activate php-fcgi.

sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf

If you make any change to php-fcgi.conf, make sure to restart it with the following commands.

sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf


Step 4 - Configure Hiawatha

Edit the file hiawatha.conf.

sudo nano /etc/hiawatha/hiawatha.conf

Uncomment ServerId at GENERAL SETTINGS.
ServerId = www-data

Add the following line to the GENERAL SETTINGS for an Apache-compatible log file format.
LogFormat = extended

Uncomment the following entries at BINDING SETTINGS.
Binding {
   Port = 80
   MaxKeepAlive = 30
   TimeForRequest = 3,20
}


Uncomment all the entries at BANNING SETTINGS.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24


*Note : Adjust BanlistMask to meet your network requirements.

Uncomment the php5-cgi and CGIextension lines.
#CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi


Uncomment all the entries of FastCGIserver and set ConnectTo to 127.0.0.1:2005.

FastCGIserver {
   FastCGIid = PHP5
   ConnectTo = 127.0.0.1:2005
   Extension = php, php5
   SessionTimeout = 30
}


Optional - Create the following lines under URL TOOLKIT.

UrlToolkit {
   ToolkitID = CMS_common
   RequestURI isfile Return
   RequestURI exists Return
   Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
   Match .*\?(.*) Rewrite /index.php?$1
   Match .* Rewrite /index.php
}


*Note : UrlToolkit is similar to Apache's mod_rewrite.

Create a VirtualHost for your site.

VirtualHost {
   Hostname = samiux.blogspot.com
   Alias = /php_my_admin:/usr/share/phpmyadmin
   WebsiteRoot = /var/www/blog
   StartFile = index.php
   AccessLogfile = /var/log/hiawatha/blog/access.log
   ErrorLogfile = /var/log/hiawatha/blog/error.log
   TimeForCGI = 5
   UseFastCGI = PHP5
   UseToolkit = CMS_common
   ExecuteCGI = yes
   PreventCMDi = yes
   PreventCSRF = yes
   PreventSQLi = yes
   PreventXSS = yes
   DenyBot = Googlebot:/
   DenyBot = twiceler:/
   DenyBot = MSNBot:/
   DenyBot = yahoo:/
   DenyBot = BaiDuSpider:/
   DenyBot = Ask:/
   DenyBot = Yahoo! Slurp:/
   DenyBot = Sogou web spider:/
   DenyBot = Sogou-Test-Spider:/
   DenyBot = Baiduspider+:/
   DenyBot = Yandex:/
   DenyBot = UniversalFeedParser:/
   DenyBot = Mediapartners-Google:/
   DenyBot = Sosospider+:/
}


*Note : Some CMS will not work well when PreventCMDi = yes.  DenyBot entries are optional.  If you do not want spiders and bots to crawl your site, you should enable them.  Those entries are examples only.  UseToolkit is also optional.

Make sure /var/log/hiawatha/blog (example) exists and its ownership is www-data.

If not, fix the ownership as follows.
sudo chown -R www-data:www-data /var/log/hiawatha/blog

Restart Hiawatha.
sudo /etc/init.d/hiawatha restart

Now, make sure the ownership of access.log and error.log is www-data.  If not, fix it as follows.

sudo chown www-data:www-data /var/log/hiawatha/blog/*

Step 5 - Configure AppArmor (to make Hiawatha safer)

Create an AppArmor profile for Hiawatha.
sudo aa-genprof hiawatha

Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha

Make the entries look like this.

# Last Modified: Tue Sep  1 10:28:15 2009
#include <tunables/global>


/usr/sbin/hiawatha {
   #include <abstractions/base>


   capability chown,
   capability dac_override,
   capability net_bind_service,
   capability setgid,
   capability setuid,
   capability sys_chroot,


   network inet tcp,

   /etc/group r,
   /etc/hiawatha/** r,
   /etc/nsswitch.conf r,
   /etc/passwd r,
   /usr/bin/php5-cgi rix,
   /usr/sbin/cgi-wrapper mr,
   /usr/sbin/hiawatha mr,
   /usr/share/dbconfig-common/** r,
   /usr/share/phpmyadmin/ r,
   /usr/share/phpmyadmin/** r,
   /var/lib/** r,
   /var/lib/hiawatha/* rw,
   /var/log/hiawatha/* r,
   /var/log/hiawatha/** rw,
   /var/log/hiawatha/blog/* r,
   /var/log/hiawatha/blog/** a,
   /var/run/hiawatha.pid w,
   /var/www/ r,
   /var/www/** rw,
}


Put the profile in enforce mode (active).
sudo aa-enforce hiawatha

If you have changed some settings, you should reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled.
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Step 6 - Configure CGI-Wrapper

To be continued ....

Reference :
Hiawatha Manual
Hiawatha Features
AppArmor

That's all.  See you!