WAF on Hiawatha

Fred
27 January 2016, 00:15
Hi Hugo,

Could you please tell me if Hiawatha can be used as a Web Application Firewall (OSI level 7)?
Can mod_security be used with Hiawatha?

I am trying to secure my WordPress installation at the server level and not use WordPress plugins if possible.

Thank you in advance
Fred
Hugo Leisink
27 January 2016, 08:15
Yes, it can via the reverse proxy mode. I don't know mod_security very well, but I think it is made for Apache. I also don't know Wordpress very well, so I have no idea what plugin you are talking about.
Fred
27 January 2016, 12:12
Hi Hugo,

I already use Hiawatha in reverse proxy mode:
VirtualHost {
    Hostname = www.mydomain.com, mydomain.com, *.mydomain.com
    WebsiteRoot = /var/www/empty
    StartFile = index.php
    #RequireTLS = yes,31536000
    ExecuteCGI = no
    PreventXSS = yes
    #PreventCSRF = yes
    PreventSQLi = yes
    #CustomHeader = X-Frame-Options: DENY
    CustomHeader = X-Frame-Options: sameorigin
    RandomHeader = 512
    ReverseProxy .* http://10.8.23.14:80 1300 keep-alive
    #LoginMessage = scanner.example.tld
    #PasswordFile = digest:/srv/www/digest/scanner.digest
    AccessLogfile = /var/log/hiawatha/mydomain.access.log
    ErrorLogfile = /var/log/hiawatha/mydomain.error.log
}


What else am I missing here?
All the security scans that I do say that I need to implement a WAF.
So I take it I missed something in the configuration.
Hugo Leisink
27 January 2016, 12:15
Why do you need a WAF? What is wrong with or potentially dangerous about the application behind the reverse proxy? How does your scanner determine a WAF is needed and none is in place?

Btw, the CustomHeader is ignored in reverse proxy mode. Hiawatha doesn't change the response from the final webserver.
Fred
27 January 2016, 14:55
I mainly use WordPress, and the plugins on that CMS are known to be the first cause for concern.
At the moment, using sites like hackertarget dot com, anyone can see what I have installed on the website.
As a result, if I am behind in updating the site core or plugins, anyone can exploit the vulnerability knowing the version number...

Also, tools like wpscan can draw up a list of all my WordPress users and site vulnerabilities.

I know that Hiawatha can stop SQL injection, but how can I stop people from looking around?

Another thing: how do I remove server header information?
I have expose_php = Off in my php.ini file; is there anything to do at the Hiawatha level?
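Since Hiawatha in reverse proxy mode passes the backend's response through unchanged, the headers a scanner reports are the backend's own. The following is an added example, not code from this thread or from Hiawatha: it parses a constructed raw HTTP response head and reports which disclosure headers (Server, X-Powered-By) are present and which hardening headers are missing, so the check can be run against a saved response before and after changing the backend's php.ini or web server settings.

```python
# Added example (not from the thread): audit the response headers a client
# actually receives. In Hiawatha reverse proxy mode the backend's response is
# passed through unchanged, so CustomHeader lines in the VirtualHost do not
# apply; disclosure headers come from the backend (PHP's expose_php, the
# backend web server's own Server header, or the application itself).
from typing import Dict, List, Tuple

# Headers that leak software/version details; remove them at the backend.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-generator")
# Hardening headers the proxy does not add for you in reverse proxy mode,
# with the values we accept for each.
EXPECTED_HEADERS = {"x-frame-options": ("deny", "sameorigin"),
                    "x-content-type-options": ("nosniff",)}

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head (status line + headers) into a
    lower-cased name -> list of values map; repeated headers are kept."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw: str) -> Tuple[List[str], List[str]]:
    """Return (disclosures, missing): disclosure headers present, and
    expected hardening headers that are absent or carry an unexpected value."""
    headers = parse_headers(raw)
    disclosures = [f"{h}: {v}" for h in DISCLOSURE_HEADERS for v in headers.get(h, [])]
    missing = []
    for h, allowed in EXPECTED_HEADERS.items():
        values = [v.lower() for v in headers.get(h, [])]
        if not values or any(v not in allowed for v in values):
            missing.append(h)
    return disclosures, missing

# Constructed sample of what a backend might return; all values are made up.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Server: Apache/2.4.10 (Debian)\r\n"
                   "X-Powered-By: PHP/5.6.17\r\n"
                   "Content-Type: text/html; charset=UTF-8\r\n"
                   "\r\n"
                   "<html>...</html>")

if __name__ == "__main__":
    found, absent = audit(SAMPLE_RESPONSE)
    print("disclosure headers:", found)
    print("missing/invalid hardening headers:", absent)
```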
Hugo Leisink
27 January 2016, 15:03
... how can I stop people from looking around?

You can't. The only way to do that is to take your website offline. But then you don't have a website anymore. The whole idea of a website is that people can look at it.

If you don't want to have a possibly vulnerable website on your server, then stop using Wordpress. I'm sure this is not what you want to hear, but it's the simple truth. Wordpress is a piece of junk with a nice shiny interface.
Fred
27 January 2016, 15:30
Well, I am not going to disagree with that, but the market is with either Magento or WordPress at the moment.
I tried to hack into my site and I was pleased to see that I couldn't get past my firewall.
So that's good.
Do you have a list of what Hiawatha will protect me from?
I looked on the site but couldn't see it.
Fred
27 January 2016, 16:06
Found it:
https://www.hiawatha-webserver.org/features
Security is one of the key features of this webserver. Besides support for SSL (via mbed TLS), Hiawatha offers protection against SQL injections, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF/XSRF) and DoS attacks. Banning of bad behaving clients and limiting CGI runtime are examples of Hiawatha's unique security features.


Have you added any more since?
Hugo Leisink
27 January 2016, 16:29
... the market is with either Magento or WordPress at the moment.

Who says you have to follow the market? You can also try to set the market.

Hiawatha can also protect against flooding, uploaded malware and exploits. To get a good overview of what Hiawatha can do, use 10 minutes of your time to quickly scan the Hiawatha manual page for available options.
Fred
28 January 2016, 13:13
Believe me, I have read it more than once.
But you are right to remind me, as each time I read it, I realise I missed something.
Fred
28 January 2016, 13:35
Hi Hugo,

When looking around the site for the info, I realised that you have the Banshee project, and the demo looks really good...
I wonder if I could use that as an alternative to WordPress.
So my question is, can Banshee be used for e-commerce?
If yes, what would you use for the cart?

Fred
Hugo Leisink
28 January 2016, 14:14
Banshee is a Content Management Framework, which is a framework with ready-to-use modules. Although several of those modules form a CMS, Banshee should not be seen as a CMS. It might very likely require programming to suit your needs. The weblog however is quite functional if you ask me. Depending on your needs, Banshee might very well be a replacement for Wordpress. It has a weblog, static pages and the ability to upload files. Setting a new layout / design however still requires coding.

Banshee doesn't have webshop functionality, as a webshop is very likely very different for everybody.
This topic has been closed.