Security first with the Hiawatha web server
Small but Safe
Security on the Internet is vital. The Hiawatha web server [1], created by Hugo Lensink, is a small (and free) web server that subscribes to the principle "security by default." This article shows how to install and use Hiawatha.
You'll get the most benefit from Hiawatha if you run web applications, such as a CMS or any PHP website that occasionally gets hit by vulnerabilities (and they all do, of course). Hiawatha adds an extra layer of security, delivering ready-to-use rewrite rules for different CMS options.
In comparison with Apache and Nginx, the Hiawatha configuration file is much more concise and easier to edit. Hiawatha makes it very easy to switch on the security features for a CMS, for example; whereas setting up security for a CMS in Nginx or Apache will require the additional work of configuring modules and rules and testing them. See the box titled "Pros and Cons" for a summary of Hiawatha benefits and costs.
Pros and Cons
Why use the Hiawatha web server?
- Intrusion detection (IDS) and prevention tools are ready to use. On-board tools protect your sites from SQL injection, cross-site scripting (XSS), denial of service (DoS), and other attacks. Hiawatha also supports banning: when it detects an attack, it bans the attacking IP address automatically, which also slows or stops other attacks the intruder might be attempting.
- Security by default. The default configuration file serves TLS with perfect forward secrecy (PFS), does not use OpenSSL, and includes other safety features. The SSL Labs website gives Hiawatha an A rating, where Apache has a C.
- Lean. Hiawatha has a small footprint, so it is usable on old machines, or in my case, as a means for serving many websites on a new machine.
- Easy to configure. Hiawatha has a rather friendly configuration environment, and the creator usually gives superb feedback to solve your questions. The clean configuration makes Hiawatha a breeze to configure.
- Monitoring. An integrated monitoring tool is available at the Hiawatha website.
Potential problems:
- Professional support is harder to find than it is with some other web server alternatives.
- Hiawatha probably can't do everything Apache can. Hiawatha doesn't have the proven track record of Apache or even an alternative tool like Nginx.
A Virtual Machine with Hiawatha
TurnKey Linux [2] is an open source project that provides 100+ free virtual machine images with support for many popular open source applications, such as Joomla, Nginx, CRM, and more. You can use these virtual images in VMware, AWS, Docker, and other virtualization environments. One easy way to set up a Hiawatha virtual machine is to start up the TurnKey Linux Nginx VM [3], then remove Nginx and add Hiawatha.
Start by downloading the TurnKey Linux Nginx VM, a small Linux Debian system, stripped for use as a VM, that comes with MySQL, PHP, and Nginx installed. I use this image because I like to install PHP/MySQL websites such as Joomla.
Deploy the image and give it two network adapters, one for administration and one for the web server. I gave the system 1GB memory, but it has not yet used more than 200MB.
Then, boot the image. You have several choices:
- Set a password for the root account and the MySQL root account
- Choose whether or not to use TurnKey backup
- Turn on automatic updating of security patches
You'll want to install the security updates right away (get some coffee; it might take a while), assign static IP addresses, and shut down the system. (Because you're setting up a website, you probably want a static IP address, right?)
Now export the VM from VMware to disk as an OVA image, so you have a base to reuse later. Once you get the VM up and running, the next step is to remove Nginx and install Hiawatha. Log in using SSH with the root account via the internal network adapter and the password you just set. If you look at the process list, you can see Nginx and fastcgi:
ps waux
See the output in Listing 1. The process overview now shows Nginx and php-fastcgi are running, as expected.
Listing 1
Process List
root       589  0.0  0.3 142492  3092 ?  Ss  20:35  0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data   591  0.0  0.3 142832  3716 ?  S   20:35  0:00 nginx: worker process
www-data   592  0.0  0.3 142832  3716 ?  S   20:35  0:00 nginx: worker process
www-data   593  0.0  0.3 142832  3716 ?  S   20:35  0:00 nginx: worker process
www-data   594  0.0  0.3 142832  3716 ?  S   20:35  0:00 nginx: worker process
www-data  1099  0.0  0.5 357844  5572 ?  S   20:35  0:00 /usr/bin/php-cgi -q -b /var/run/nginx/php-fastcgi.sock
www-data  1100  0.0  0.5 357844  5572 ?  S   20:35  0:00 /usr/bin/php-cgi -q -b /var/run/nginx/php-fastcgi.sock
See the documentation for your Linux distro to see if Hiawatha is available directly from the project repositories. (At this writing, Hiawatha isn't available in Ubuntu.)
If you can't install Hiawatha from your distro's package repository, you'll need to add the install resource http://apt.sparkz.no/:
apt-key adv --recv-keys --keyserver keys.gnupg.net DC242980
echo "deb http://apt.sparkz.no/debian/ squeeze main" >> /etc/apt/sources.list.d/sources.list
Then, install Hiawatha as follows:
apt-get update
apt-get install hiawatha
Hiawatha is now installed, but it can't bind to port 80 because Nginx is still using port 80. So, do the following:
apt-get remove nginx
reboot
Then log in via SSH again and run:
/etc/init.d/hiawatha start
The output should say "Starting web server: Hiawatha." Check the process list to see if Hiawatha is working:
ps waux | egrep iawa
The output shows Hiawatha running:
www-data  4766  0.1  0.3 118232  4016 ?  Ssl  20:13  0:00 /usr/sbin/hiawatha
You can use netstat to check the bindings:
netstat -tulpn
See the output in Listing 2.
Listing 2
netstat Output
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4766/hiawatha
tcp        0      0 127.0.0.1:10000         0.0.0.0:*               LISTEN      944/perl
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      676/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      916/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4766/hiawatha
tcp        0      0 127.0.0.1:12319         0.0.0.0:*               LISTEN      766/shellinaboxd
tcp        0      0 0.0.0.0:12320           0.0.0.0:*               LISTEN      764/stunnel4
tcp        0      0 0.0.0.0:12321           0.0.0.0:*               LISTEN      764/stunnel4
tcp6       0      0 :::22                   :::*                    LISTEN      676/sshd
Another way to check whether Hiawatha is working is to open a web browser and connect to it by typing the static internal IP address in the browser window.
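The same check as a script, added here as an example and not part of the article: it parses netstat -tulpn output to confirm that Hiawatha, and no leftover Nginx, owns ports 80 and 443, and it lists management services bound to 0.0.0.0 (every interface, so reachable over the web adapter too, not just the administration adapter). SAMPLE_NETSTAT is constructed from Listing 2 (abridged); on a live host replace it with the real netstat output.

```shell
#!/bin/sh
# Added example, not from the article: parse `netstat -tulpn` output to confirm that
# Hiawatha (and nothing else) owns ports 80 and 443 after Nginx was removed, and to
# flag management services that listen on every interface (0.0.0.0) instead of the
# administration adapter only. SAMPLE_NETSTAT is constructed from the article's
# Listing 2 (abridged); on a live host replace it with: netstat -tulpn
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4766/hiawatha
tcp        0      0 127.0.0.1:10000         0.0.0.0:*               LISTEN      944/perl
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      676/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4766/hiawatha
tcp        0      0 0.0.0.0:12320           0.0.0.0:*               LISTEN      764/stunnel4
tcp        0      0 0.0.0.0:12321           0.0.0.0:*               LISTEN      764/stunnel4
tcp6       0      0 :::22                   :::*                    LISTEN      676/sshd'

# port_owner PORT [NETSTAT_OUTPUT]: print the program(s) listening on PORT, one per line.
port_owner() {
    printf '%s\n' "${2:-$SAMPLE_NETSTAT}" |
        awk -v p="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # last piece after ":" is the port (IPv4 or IPv6)
            if (a[n] == p) { sub(/^[0-9]+\//, "", $7); print $7 }
        }' | sort -u
}

# check_bindings [NETSTAT_OUTPUT]: succeed only if hiawatha owns 80 and 443 and no
# nginx process is still bound anywhere (the reason the article reboots after apt-get remove).
check_bindings() {
    ns="${1:-$SAMPLE_NETSTAT}"
    for port in 80 443; do
        [ "$(port_owner "$port" "$ns")" = hiawatha ] || { echo "port $port: not hiawatha"; return 1; }
    done
    if printf '%s\n' "$ns" | grep -q '/nginx'; then echo "nginx is still listening"; return 1; fi
    return 0
}

# exposed_admin_ports [NETSTAT_OUTPUT]: non-web TCP ports bound to 0.0.0.0, i.e. reachable
# over the web adapter as well; bind these to the admin interface or firewall them.
exposed_admin_ports() {
    printf '%s\n' "${1:-$SAMPLE_NETSTAT}" |
        awk '$1 == "tcp" && $6 == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ {
            split($4, a, ":"); if (a[2] != "80" && a[2] != "443") print a[2]
        }'
}

check_bindings && echo "Hiawatha owns 80/443, nginx is gone"
echo "management ports exposed on all interfaces: $(exposed_admin_ports | tr '\n' ' ')"
```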
Troubleshooting
If you have any problems with installing or starting Hiawatha, you can check for errors in the config file with:
service hiawatha check
Or the following command:
/etc/init.d/hiawatha restart
will also report errors, for instance, when loading certificates fails.
Check the Hiawatha logfile with:
tail -f /var/log/hiawatha/access.log
Configure Hiawatha
Now that you have a VM with the Hiawatha web server running on it, the next step is to install a website. The Hiawatha configuration file is /etc/hiawatha/hiawatha.conf. To open the file in the Vi text editor:
vi /etc/hiawatha/hiawatha.conf
Feel free to use another editor, such as nano, if you prefer.
The Hiawatha config file has the following sections:
- Variables and general settings – Not so interesting really.
- Binding settings – If you also need TLS (encryption), you have work to do, because only port 80 is open by default.
- Banning settings – Use this section to make the websites more secure by building a defense against hackers.
- CGI settings and URL toolkit – Useful if you want to install something like Joomla or PHP.
- Default website and virtual hosts – Where you define websites.
It is better not to use the default website for serving your own websites but to serve them as virtual hosts. As the config file states: "automated web scanners won't find your possible vulnerable website" (such scanners probe bare IP addresses rather than hostnames). Hiawatha installs a default website for you. In the config file, you can see where it lives:
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
I will leave the default website alone and instead define a new website as a virtual host. To define a new site, I need to configure Hiawatha to serve as a virtual host website and install HTML pages in the right directory.
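What such a virtual host looks like with the banning and injection-prevention features from the "Pros and Cons" box switched on, as an added example rather than the article's own configuration or the shipped hiawatha.conf. The hostname, paths, FastCGI socket, administration network and ban durations are assumed placeholders; older Hiawatha releases spell the TLS options SSLcertFile and RequireSSL, and releases from 10.0 on expect block instead of yes for PreventXSS and PreventSQLi.

```text
# Added example for /etc/hiawatha/hiawatha.conf, not the article's own config.
# Hostname, paths, FastCGI socket, admin network and ban durations are assumed.

# BINDING SETTINGS: add a TLS binding next to the default port 80 binding.
# Older releases spell the option SSLcertFile instead of TLScertFile.
Binding {
    Port = 443
    TLScertFile = /etc/hiawatha/example.pem
    MaxRequestSize = 1024
    TimeForRequest = 3,20
}

# BANNING SETTINGS: how long (seconds) an attacking IP is banned per trigger.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
# more than 30 requests in 1 second earns a 15-second ban
BanOnFlooding = 30/1:15
BanOnSQLi = 120
KickOnBan = yes
RebanDuringBan = yes
# never ban the administration network (assumed address range)
BanlistMask = allow 192.0.2.0/24

# CGI SETTINGS: hand .php requests to the php-cgi daemon seen in Listing 1.
FastCGIserver {
    FastCGIid = PHP5
    ConnectTo = /var/run/hiawatha/php-fastcgi.sock
    Extension = php
    SessionTimeout = 30
}

# VIRTUAL HOST: the site is served by hostname; the default website stays untouched.
VirtualHost {
    Hostname = www.example.com
    WebsiteRoot = /var/www/example/public
    StartFile = index.php
    AccessLogfile = /var/log/hiawatha/example-access.log
    ErrorLogfile = /var/log/hiawatha/example-error.log
    UseFastCGI = PHP5
    TimeForCGI = 5
    # releases from 10.0 on take 'block' here instead of 'yes'
    PreventXSS = yes
    PreventCSRF = yes
    PreventSQLi = yes
    # RequireSSL on older releases
    RequireTLS = yes
}
```

Run service hiawatha check after editing; it reports options your release does not know.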