Security Wing

The settings thus far have produced a basic web server with very little fancy stuff. You still haven't seen much of Hiawatha's advanced security features. Before touring these additional options, start by telling Hiawatha to talk to the logfiles:

SystemLogfile = /usr/local/var/log/hiawatha/system.log
AccessLogfile = /usr/local//var/log/hiawatha/access.log
ErrorLogfile = /usr/local//var/log/hiawatha/error.log
GarbageLogfile = /usr/local//var/log/hiawatha/garbage.log

The SystemLogfile holds the messages from the daemon; access is logged in AccessLogfile, and ErrorLogfile logs errors. The last line collects the garbage – that is, erroneous or incomplete HTTP requests. Incomplete and erroneous requests are often an indication of a break-in attempt.

Thus far, the web server has only listened on port 80. To bind to this port, Hiawatha needs root privileges. However, it is not a good idea to leave the program running as root. To avoid this problem, Hiawatha changes the user to nobody immediately after launching. The ServerId setting tells the web server to change to another user:

ServerId = www-data

Restricting Resources

The next step is to mitigate the danger of denial-of-service attacks (DoS) by reducing the number of simultaneous connections that Hiawatha can handle – both overall and per IP address:

ConnectionsTotal = 150
ConnectionsPerIP = 10

While you're at it, it is also a good idea to limit the internal cache size to, say, 15MB:

CacheSize = 15

Also, you can tell Hiawatha to restrict the cache to files ranging in size from CacheMaxFilesize (in kilobytes) to CacheMinFilesize (in bytes):

CacheMaxFilesize = 128
CacheMinFilesize = 256

Netiquette

In the opinion of Hiawatha developer Hugo Leisink, clients should behave well if they want the web server to answer them. To punish clients that send malformed or overlong HTTP requests, Hiawatha resorts to the medieval method of banning. For example, with the command

BanOnGarbage = 300

Hiawatha will refuse to respond to a client for 300 seconds if it sends a non-standards-compliant HTTP request, and

BanOnMaxReqSize = 60

bans it for 60 seconds in the case of a request with an illegal length. You can combat flooding with the following command:

BanOnFlooding = 10/1:35

This command bans a client for 35 seconds if it has sent more than 10 request to Hiawatha within a second. The following is also useful:

BanOnCMDi = 60

This setting bans a client for 60 seconds if it has attempted a command injection attack. The following does the same for SQL injection attacks:

BanOnSQLi = 70

Hiawatha also supports blacklists or whitelists:

BanlistMask = allow 192.168.2.111, deny 192.168.0.0/16

If a banned client is really naughty and attempts to access Hiawatha again while exiled, the following command automatically resets the ban:

RebanDuringBan = yes