Fast and safe with the Hiawatha secure web server
Security Wing
The settings thus far have produced a basic web server with very little fancy stuff. You still haven't seen much of Hiawatha's advanced security features. Before touring these additional options, start by telling Hiawatha to talk to the logfiles:
SystemLogfile = /usr/local/var/log/hiawatha/system.log AccessLogfile = /usr/local//var/log/hiawatha/access.log ErrorLogfile = /usr/local//var/log/hiawatha/error.log GarbageLogfile = /usr/local//var/log/hiawatha/garbage.log
The SystemLogfile holds the messages from the daemon; access is logged in AccessLogfile, and ErrorLogfile logs errors. The last line collects the garbage – that is, erroneous or incomplete HTTP requests. Incomplete and erroneous requests are often an indication of a break-in attempt.
Thus far, the web server has only listened on port 80. To bind to this port, Hiawatha needs root privileges. However, it is not a good idea to leave the program running as root. To avoid this problem, Hiawatha changes the user to nobody immediately after launching. The ServerId setting tells the web server to change to another user:
ServerId = www-data
Restricting Resources
The next step is to mitigate the danger of denial-of-service attacks (DoS) by reducing the number of simultaneous connections that Hiawatha can handle – both overall and per IP address:
ConnectionsTotal = 150 ConnectionsPerIP = 10
While you're at it, it is also a good idea to limit the internal cache size to, say, 15MB:
CacheSize = 15
Also, you can tell Hiawatha to restrict the cache to files ranging in size from CacheMaxFilesize (in kilobytes) to CacheMinFilesize (in bytes):
CacheMaxFilesize = 128 CacheMinFilesize = 256
Netiquette
In the opinion of Hiawatha developer Hugo Leisink, clients should behave well if they want the web server to answer them. To punish clients that send malformed or overlong HTTP requests, Hiawatha resorts to the medieval method of banning. For example, with the command
BanOnGarbage = 300
Hiawatha will refuse to respond to a client for 300 seconds if it sends a non-standards-compliant HTTP request, and
BanOnMaxReqSize = 60
bans it for 60 seconds in the case of a request with an illegal length. You can combat flooding with the following command:
BanOnFlooding = 10/1:35
This command bans a client for 35 seconds if it has sent more than 10 request to Hiawatha within a second. The following is also useful:
BanOnCMDi = 60
This setting bans a client for 60 seconds if it has attempted a command injection attack. The following does the same for SQL injection attacks:
BanOnSQLi = 70
Hiawatha also supports blacklists or whitelists:
BanlistMask = allow 192.168.2.111, deny 192.168.0.0/16
If a banned client is really naughty and attempts to access Hiawatha again while exiled, the following command automatically resets the ban:
RebanDuringBan = yes
« Previous 1 2 3 4 Next »
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.