Forum

Hi Hugo,

Could you please tell me if Hiawatha can be use as a Web Application Firewall (OSI level 7)
Can mod_security be use with Hiawatha?

I am trying to secure my wordpress installation at the server level and not use wordpress plugin if possible

Thank you in advance
Fred

Yes, it can via the reverse proxy mode. I don't know mod_security very well, but I think it is made for Apache. I also don't know Wordpress very well, so I have no idea what plugin you are talking about.

Hi Hugo,

I already use Hiawatha as a reverse proxy mode

VirtualHost {
   Hostname = www.mydomain.com, mydomain.com, *.mydomain.com
   WebsiteRoot = /var/www/empty
   StartFile = index.php
   #RequireTLS = yes,31536000
   ExecuteCGI = no
   PreventXSS = yes
   #PreventCSRF = yes
   PreventSQLi = yes
   #CustomHeader = X-Frame-Options: DENY
   CustomHeader = X-Frame-Options: sameorigin
   RandomHeader = 512
   ReverseProxy .* http://10.8.23.14:80 1300 keep-alive
   #LoginMessage = scanner.example.tld
   #PasswordFile = digest:/srv/www/digest/scanner.digest
   AccessLogfile = /var/log/hiawatha/mydomain.access.log
   ErrorLogfile = /var/log/hiawatha/mydomain.error.log
}

What else I am missing here?
All the security scan that I do say that I need to implement a WAF.
So I take it I missed something in the configuration

Why do you need a WAF? What is wrong with or potentially dangerous about the application behind the reverse proxy? How does your scanner determine a WAF is needed and none is in place?

Btw, the CustomHeader is ignored in reverse proxy mode. Hiawatha doesn't change the response from the final webserver.

I use mainly wordpress and the plugin on that CMS are know to be the first cause for concern..
At the moment using site like hackertarget dot com anyone can see what I have install on the website.
As a result, if I am behind in updating the site core or pluggin, anyone can exploit the vulnerabilty knowing the version number...

Also tools like wpscan can draw a list of all my worpress user and site vulenerability

I know that Hiawatha can stop sql injection but how can I stop people from looking around?

Another thing.. how do I remove server header information?
I have expose php Off in my php ini file, is that anything to do at Hiawatha level?

You can't. The only way to do that is to take your website offline. But then you don't have a website anymore. The whole idea of a website is that people can look at it.

If you don't want to have a possible vulnerable website on your server, then stop using Wordpress. I'm sure this is not what you want to hear, but it's the simple truth. Wordpress is a piece of junk with a nice shiny interface.

Well.. I am not going to disagree with that but the market is with either majento or wordpress at the moment..
I tried to hack into my site and I was please to see that I couldn't pass my firewall
So that's good
Do you have a list of what Hiawatha will protect me from ?
I look on the site but couldn't see it

Found it
https://www.hiawatha-webserver.org/features


Have you added any more since ?

Who says you have to follow the market? You can also try to set the market.

Hiawatha can also protect against flooding, uploaded malware and exploits. To get a good overview of what Hiawatha can do, use 10 minutes of your time to quickly scan the Hiawatha manual page for available options.

Beleive me I hav read it more than once
But you are rigth to remind me as each time i read it, I realised I missed something

Hi Hugo,

When looking around the site for the info, I realised that you have the Banshee project and the demo look really good...
I wonder if I could use that as an alternative to wordpress..
So my question is, can Banshee be use for e-commerce?
If yes what would you use for the cart ?

Fred

Banshee is a Content Management Framework, which is a framework with ready to use modules. Although several of those modules form a CMS, Banshee should not be seen as a CMS. It might very likely require programming to suit your needs. The weblog however is quite functionaly if you ask me. Depending on your needs, Banshee might very well be a replacement for Wordpress. It has a weblog, static pages and the ability to upload files. Setting a new layout / design however still requires coding.

Banshee doesn't have webshop functionality, as a webshop is very likely very different for everybody.