ban settings in Hiawatha v fail2ban

raspiham
26 September 2017, 17:31
Hi again Hugo,
My modest Hiawatha webserver running on a Raspberry Pi platform is pretty much doing everything I wished to achieve and now (with fingers firmly crossed) I am considering exposing it to the wider web by opening up a port on my firewalled home router. I have imposed some additional security on the raspi by way of a firewall (iptables/UFW) plus a few permissions "tweaks" in Linux but have been told I need to include "fail2ban" for peace of mind before I expose the raspi to the WWW.

Looking at the Hiawatha man pages I note that comprehensive "ban" options already exist for various forms of bad behaviour, so do I really need to use fail2ban or can I achieve the same level of security from Hiawatha's ban options?

Regards,

raspiham
Hugo Leisink
27 September 2017, 01:02
In my opinion (but since I'm the author, it's not a real independent one), Hiawatha doesn't need fail2ban. It's secure enough. Don't be afraid of any hack. Its banning options are only for keeping garbage out of the logfile.
raspiham
27 September 2017, 17:20
Hi Hugo,

*** Hugo wrote ***
In my opinion (but since I'm the author, it's not a real independent one), Hiawatha doesn't need fail2ban. It's secure enough.
*** End quote ***

Well, I accept you're possibly "biased" in favour of Hiawatha :-) But being pragmatic about it, the basic precautions I have taken should prevent casual hacking, and if I am ever up against some serious hacking then I will "switch off" the server for a while :-)
For what it's worth, I have more confidence in Hiawatha's security than many of the other options on offer. A great piece of software.
Thanks for another quick reply.

Regards,

Raspiham.
Chris Wadge
30 September 2017, 09:48
As an experienced sysadmin with a security background, I use Hiawatha precisely because it doesn't require a buttload of hacks to secure, unlike a lot of other web servers I've worked with. That's not a dig on them so much as a compliment to Hiawatha; it makes my job a lot easier. The only reason I'd recommend something like fail2ban is if you're exposing more than the web ports through the firewall. In that case, it's mainly to protect other services (e.g. SMTP, SSH) from brute-force or badly behaving clients. Hiawatha does a better job on its own, and uses fewer resources. If it was me in your shoes, I'd skip the firewall so you can utilize that memory & CPU time for more interesting things, and let Hiawatha (and your upstream firewall) take care of the Internet nastiness.
raspiham
30 September 2017, 12:19
Hi Chris,
Thanks for sharing your experience. Your comments have put my mind at rest and make good sense. It also makes the initial setting-up much easier too :-)
Regards,
raspiham
Chris Wadge
1 October 2017, 00:57
You're most welcome, and I hope you have fun with your project.
This topic has been closed.