  1. # Hiawatha main configuration file
  2. #
  3.  
  4.  
  5. # GENERAL SETTINGS
  6. #
  # Process identity, global connection caps, log destinations, the Server
  # header value and the CGI wrapper binary.
  #
  # ServerId: the account the server runs as after start-up. Keep www-data
  # without write access to web roots and configuration files.
  7. ServerId = www-data
  # Connection caps. ConnectionsPerIP is the limit that BanOnMaxPerIP in the
  # banning section reacts to.
  8. ConnectionsTotal = 1000
  9. ConnectionsPerIP = 35
  # The garbage and exploit logs record the requests that trigger the ban
  # rules below. Forward them to central monitoring; they are the only
  # evidence of what was blocked and why.
  10. SystemLogfile = /var/log/hiawatha/system.log
  11. GarbageLogfile = /var/log/hiawatha/garbage.log
  12. ExploitLogfile = /var/log/hiawatha/exploit.log
  13.  
  # "extended" is presumably chosen so that Referer and User-Agent are logged,
  # which the scannerblocker rules need for tuning -- confirm.
  14. LogFormat = extended
  # ServerString replaces the product name in the Server response header.
  # This only hinders casual fingerprinting; it is not an access control.
  15. ServerString = SimpleHTTPserver
  # NOTE(review): the CGI wrapper runs CGI programs under another user id, so
  # it is presumably installed with elevated privileges. Verify its file
  # permissions and its own configuration.
  16. CGIwrapper = /usr/sbin/cgi-wrapper
  17.  
  18. # BINDING SETTINGS
  19. # A binding is where a client can connect to.
  20. #
  # Only the plain-HTTP binding on port 80 is active. Interface is commented
  # out, so it presumably listens on every address of the host.
  # NOTE(review): with no active TLS binding, HTTP authentication credentials
  # (see BanOnWrongPassword) and session cookies cross the network in clear
  # text. Enable a TLS binding before any site with a login is served.
  21. Binding {
  22. Port = 80
  23. # Interface = 127.0.0.1
  24. MaxKeepAlive = 50
  # NOTE(review): 12,50 is far more generous than the 3,20 in the TLS example
  # below. Long request timeouts make it cheaper for a slow client to hold
  # connections open; confirm the values are intentional.
  25. TimeForRequest = 12,50
  26. }
  27. #
  # Disabled TLS example. As written it binds to ::1 (loopback only), so
  # Interface must be changed as well before it can serve external clients.
  28. #Binding {
  29. # Port = 443
  30. # Interface = ::1
  31. # MaxKeepAlive = 30
  32. # TimeForRequest = 3,20
  33. # SSLcertFile = hiawatha.pem
  34. #}
  35.  
  36.  
  37. # BANNING SETTINGS
  38. # Deny service to clients who misbehave.
  39. #
  # The values are ban durations in seconds unless noted otherwise. The
  # commented lines are earlier defaults; the active settings follow them.
  40. #BanOnGarbage = 300
  41. #BanOnMaxPerIP = 60
  42. #BanOnMaxReqSize = 300
  43. #KickOnBan = yes
  44. #RebanDuringBan = yes
  45.  
  # Ban on malformed requests, on exceeding ConnectionsPerIP, on oversized
  # requests and on request timeouts.
  46. BanOnGarbage = 300
  47. BanOnMaxPerIP = 300
  48. BanOnMaxReqSize = 300
  49. BanOnTimeout = 300
  # KickOnBan presumably drops the banned client's other open connections.
  # RebanDuringBan presumably restarts the ban timer on each new attempt
  # during a ban. Confirm both against the manual.
  50. KickOnBan = yes
  51. RebanDuringBan = yes
  52.  
  # NOTE(review): BanOnDeniedBody and BanOnSQLi only act on detections made by
  # per-website options (presumably DenyBody and PreventSQLi). Neither is
  # set in this file; confirm the included site files enable them, otherwise
  # these timers never fire.
  53. BanOnDeniedBody = 300
  54. BanOnSQLi = 300
  # Reads as: more than 90 requests within 1 second gives a 300-second ban.
  55. BanOnFlooding = 90/1:300
  # NOTE(review): this exempts 127.0.0.1 from banning. If a local reverse
  # proxy or tunnel fronts this server, every client would appear as
  # 127.0.0.1 and none of the bans above would apply. Verify the topology.
  56. BanlistMask = deny 127.0.0.1
  57. BanOnInvalidURL = 300
  58.  
  # Reads as: 3 failed HTTP authentication attempts give a 300-second ban.
  # A per-IP ban only slows guessing from one address; it does not replace
  # strong passwords or TLS.
  59. BanOnWrongPassword = 3:300
  # Presumably threshold, challenge mode and ban time for clients that fail
  # the challenge. Confirm the meaning of the threshold (70) in the manual.
  60. ChallengeClient = 70,httpheader,300
  61.  
  62. # COMMON GATEWAY INTERFACE (CGI) SETTINGS
  63. # These settings can be used to run CGI applications.
  64. #
  # Each CGIhandler maps a file extension to the interpreter that runs it.
  # Every handler listed here is an interpreter that a file dropped into a
  # CGI-enabled web root can reach. Keep only the languages actually in use
  # and keep upload directories outside CGI-enabled paths.
  65. CGIhandler = /usr/bin/perl:pl
  66. #CGIhandler = /usr/bin/php5-cgi:php
  # NOTE(review): php5-fpm is the FastCGI process manager daemon, not a CGI
  # binary. This line looks unintended, since .php is already routed to the
  # FastCGIserver block below. Confirm and remove it if so.
  67. CGIhandler = /usr/sbin/php5-fpm:php
  68. CGIhandler = /usr/bin/python:py
  69. CGIhandler = /usr/bin/ruby:rb
  70. CGIhandler = /usr/bin/ssi-cgi:shtml
  71. CGIextension = cgi
  72. #
  # FastCGI pool "PHP5", reached over a local UNIX socket instead of the TCP
  # port in the commented line. Access is then governed by the socket file's
  # owner and mode; check that only the web server account can connect.
  73. FastCGIserver {
  74. FastCGIid = PHP5
  75. # ConnectTo = 127.0.0.1:9000
  76. ConnectTo = /var/run/php5-fpm.sock
  77. Extension = php
  78. SessionTimeout = 600
  79. }
  80.  
  81.  
  82. # URL TOOLKIT
  83. # This URL toolkit rule was made for the Banshee PHP framework, which
  84. # can be downloaded from http://www.hiawatha-webserver.org/banshee
  85. #
  # Front-controller rewrite. The two blocker toolkits run first, then
  # existing files and the static paths are served as they are, and every
  # other request is rewritten to /index.php.
  # NOTE(review): a toolkit only takes effect on a website that references it
  # with UseToolkit. No active website in this file does, so confirm that the
  # included site files reference it.
  86. UrlToolkit {
  87. ToolkitID = banshee
  88. Do Call scannerblocker
  89. Do Call vulnerabilityblocker
  90. RequestURI isfile Return
  91. Match ^/(css|files|images|js|slimstat)($|/) Return
  # The dots are unescaped and match any character; harmless here, but
  # writing \. states the intent exactly.
  92. Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
  # NOTE(review): vulnerabilityblocker, called above, bans ^/crawler for 900
  # seconds, so this rule looks unreachable. Decide which behaviour is wanted.
  93. Match ^/(crawler)($|/) Return
  # Keep the query string when rewriting to the front controller.
  94. Match .*\?(.*) Rewrite /index.php?$1
  95. Match .* Rewrite /index.php
  96. }
  97.  
  # Blocks a known exploit pattern in headers and bans clients that probe
  # common admin or diagnostic paths. It is called from the banshee toolkit.
  98. UrlToolkit {
  99. ToolkitID = vulnerabilityblocker
  # Denies any request in which a header contains "() {", the Shellshock
  # function-definition prefix. This is defence in depth; the actual fix is a
  # patched bash on hosts that run CGI.
  100. Header * \(\)\s*\{ DenyAccess # Shellshock
  # Case-insensitive path match with a 900-second ban. These paths do not
  # exist on a Banshee site, so a request for one is treated as a probe.
  # NOTE(review): "crawler" is also listed as a served path in the banshee
  # toolkit; confirm it belongs here.
  101. MatchCI ^/(crawler|pma|myadmin|phpmyadmin|cgi-bin)($|/) Ban 900 # phpmyadmin & cgi-bin
  # The unescaped dots match any character; use \. to match the literal names.
  102. MatchCI ^/(xmlrpc.php|phpinfo.php)$ Ban 900 # wordpress, drupal & phpinfo
  103. }
  104.  
  # Denies requests whose headers match known scanner signatures.
  #
  # NOTE(review): User-Agent is chosen by the client, so this list only
  # filters tools that announce themselves. Treat it as log-noise reduction,
  # not as protection; the ban settings and application hardening are the
  # actual controls.
  # NOTE(review): every pattern is anchored with ^, and matching looks
  # case-sensitive (both "nessus" and "Nessus" are listed), so a signature
  # later in the header value or in different case would not match -- confirm.
  # NOTE(review): several prefixes are broad (^Java, ^Python-requests,
  # ^Python-httplib, ^Indy, ^CLR, ^Camino, ^Application, ^social, ^crawler)
  # and will also reject legitimate API clients, monitoring probes and some
  # browsers. Check the access log before relying on them.
  # NOTE(review): DenyAccess rejects the request but, unlike Ban, presumably
  # leaves the client free to retry at once.
  105. UrlToolkit {
  106. ToolkitID = scannerblocker
  # The unescaped dots here and in ^Who.is match any character.
  107. Header User-Agent ^w3af.sourceforge.net DenyAccess
  108. Header User-Agent ^dirbuster DenyAccess
  109. Header User-Agent ^nikto DenyAccess
  110. Header User-Agent ^sqlmap DenyAccess
  111. Header User-Agent ^fimap DenyAccess
  112. Header User-Agent ^nessus DenyAccess
  113. Header User-Agent ^Nessus DenyAccess
  114. Header User-Agent ^whatweb DenyAccess
  115. Header User-Agent ^Openvas DenyAccess
  116. Header User-Agent ^jbrofuzz DenyAccess
  117. Header User-Agent ^libwhisker DenyAccess
  118. Header User-Agent ^webshag DenyAccess
  119. Header User-Agent ^Morfeus DenyAccess
  120. Header User-Agent ^Fucking DenyAccess
  121. Header User-Agent ^Scanner DenyAccess
  122. Header User-Agent ^Aboundex DenyAccess
  123. Header User-Agent ^AlphaServer DenyAccess
  124. Header User-Agent ^Indy DenyAccess
  125. Header User-Agent ^ZmEu DenyAccess
  126. Header User-Agent ^social DenyAccess
  127. Header User-Agent ^Zollard DenyAccess
  128. Header User-Agent ^CLR DenyAccess
  129. Header User-Agent ^Camino DenyAccess
  130. Header User-Agent ^Nmap DenyAccess
  # "Header *" tests every request header, not only User-Agent.
  131. Header * ^WVS DenyAccess
  132. Header User-Agent ^Python-httplib DenyAccess
  133. Header User-Agent ^Python-requests DenyAccess
  134. Header User-Agent ^masscan DenyAccess
  135. Header User-Agent ^Java DenyAccess
  136. Header User-Agent ^Nutch DenyAccess
  137. Header User-Agent ^Who.is DenyAccess
  138. Header User-Agent ^immoral DenyAccess
  139. Header User-Agent ^crawler DenyAccess
  140. Header User-Agent ^NetShelter DenyAccess
  141. Header User-Agent ^Application DenyAccess
  142. Header User-Agent ^Validator.nu/LV DenyAccess
  143. Header * ^ssdp DenyAccess
  144. Header User-Agent ^Arachni DenyAccess
  145. Header User-Agent ^Spider-Pig DenyAccess
  146. Header User-Agent ^tinfoilsecurity DenyAccess
  147. Header User-Agent ^@ DenyAccess
  148. Header User-Agent ^shellshock-scan DenyAccess
  149. Header User-Agent ^Vega DenyAccess
  # Same Shellshock pattern as in vulnerabilityblocker, but anchored to the
  # start of the header value, so it is the narrower of the two checks.
  150. Header * ^\(\)\s*\{ DenyAccess
  # These only match a header value that starts with the command name.
  151. Header * ^uname DenyAccess
  152. Header * ^whoami DenyAccess
  153. Header User-Agent ^friendly-scanner DenyAccess
  154. Header * ^mxmail.netease.com DenyAccess
  155. Header * ^muieblackcat DenyAccess
  156. Header User-Agent ^BOT\sfor\sJCE DenyAccess
  157. }
  158.  
  159.  
  160. # DEFAULT WEBSITE
  161. # It is wise to use your IP address as the hostname of the default website
  162. # and give it a blank webpage. By doing so, automated web scanners won't find
  163. # your possibly vulnerable website.
  164. #
  # The default website answers requests whose Host header matches no other
  # configured site, which is how scanners that connect by bare IP arrive.
  # NOTE(review): no UseToolkit line appears here, so the blocker toolkits
  # above presumably do not apply to the default website -- confirm.
  165. Hostname = 98.139.183.24
  166. WebsiteRoot = /var/www/hiawatha
  167. StartFile = index.html
  168. AccessLogfile = /var/log/hiawatha/access.log
  169. ErrorLogfile = /var/log/hiawatha/error.log
  170. #ErrorHandler = 404:/error.cgi
  # NOTE(review): this forwards every request on the default website to an
  # upstream over plain HTTP. That contradicts the "blank webpage" advice
  # above and exposes the upstream to IP-addressed scanner traffic. Confirm
  # it is intended; otherwise remove it or restrict the pattern.
  171. ReverseProxy ^/.* http://www.example.com:80/
  172.  
  # Loads every file in this directory as configuration. The directory and
  # its files should be writable by root only, since anything placed there
  # becomes server configuration.
  173. Include /etc/hiawatha/enable-sites/
  174.  
  175. # VIRTUAL HOSTS
  176. # Use a VirtualHost section to declare the websites you want to host.
  177. #
  178. #VirtualHost {
  179. # Hostname = www.my-domain.com
  180. # WebsiteRoot = /var/www/my-domain/public
  181. # StartFile = index.php
  182. # AccessLogfile = /var/www/my-domain/log/access.log
  183. # ErrorLogfile = /var/www/my-domain/log/error.log
  184. # TimeForCGI = 5
  185. # UseFastCGI = PHP5
  186. # UseToolkit = banshee
  187. #}
  188.  
  189.  
  190. # DIRECTORY SETTINGS
  191. # You can specify some settings per directory.
  192. #
  193. #Directory {
  194. # Path = /home/baduser
  195. # ExecuteCGI = no
  196. # UploadSpeed = 10,2
  197. #}