Default /etc/hiawatha/hiawatha.conf on Ubuntu

hiawatha.conf

# From http://secure-ubuntu-server.blogspot.co.id/2015/05/howto-highest-secured-hiawatha-web.html and default conf
# Hiawatha main configuration file

# VARIABLES
# With 'set', you can declare a variable. Make sure the name of the
# variable doesn't conflict with any of the configuration options. The
# variables are case-sensitive and cannot be redeclared.
#
#set LOCALHOST = 127.0.0.0/8

# GENERAL SETTINGS
#
ServerId = www-data
ConnectionsTotal = 1000
ConnectionsPerIP = 35
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log

LogFormat = extended
ServerString = SimpleHTTPserver
CGIwrapper = /usr/sbin/cgi-wrapper

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
    Port = 80
#   Interface = 127.0.0.1
    MaxKeepAlive = 50
    TimeForRequest = 12,50
}
#
#Binding {
#    Port = 443
#    Interface = ::1
#    MaxKeepAlive = 30
#    TimeForRequest = 3,20
#    SSLcertFile = hiawatha.pem
#}

# BANNING SETTINGS
# Deny service to clients who misbehave.

BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yes

BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 90/1:300
BanlistMask = deny 127.0.0.1
BanOnInvalidURL = 300

BanOnWrongPassword = 3:300
ChallengeClient = 70,httpheader,300

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
#CGIhandler = /usr/bin/perl:pl
#CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/sbin/php5-fpm:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
#CGIextension = cgi
#
FastCGIserver {
    FastCGIid = PHP5
#    ConnectTo = 127.0.0.1:9000
    ConnectTo = /var/run/php5-fpm.sock
    Extension = php
    SessionTimeout = 600
}

# URL TOOLKIT
# This URL toolkit rule was made for the Banshee PHP framework, which
# can be downloaded from http://www.hiawatha-webserver.org/banshee
#
UrlToolkit {
    ToolkitID = banshee
    Do Call scannerblocker
    Do Call vulnerabilityblocker
    RequestURI isfile Return
    Match ^/(css|files|images|js|slimstat)($|/) Return
    Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
    Match ^/(crawler)($|/) Return
    Match .*\?(.*) Rewrite /index.php?$1
    Match .* Rewrite /index.php
}

UrlToolkit {
    ToolkitID = vulnerabilityblocker
    Header * \(\)\s*\{ DenyAccess   # Shellshock
    MatchCI ^/(crawler|pma|myadmin|phpmyadmin|cgi-bin)($|/) Ban 900 # phpmyadmin & cgi-bin
    MatchCI ^/(xmlrpc.php|phpinfo.php)$ Ban 900 # wordpress, drupal & phpinfo
}

UrlToolkit {
    ToolkitID = scannerblocker
    Header User-Agent ^w3af.sourceforge.net DenyAccess
    Header User-Agent ^dirbuster DenyAccess
    Header User-Agent ^nikto DenyAccess
    Header User-Agent ^sqlmap DenyAccess
    Header User-Agent ^fimap DenyAccess
    Header User-Agent ^nessus DenyAccess
    Header User-Agent ^Nessus DenyAccess
    Header User-Agent ^whatweb DenyAccess
    Header User-Agent ^Openvas DenyAccess
    Header User-Agent ^jbrofuzz DenyAccess
    Header User-Agent ^libwhisker DenyAccess
    Header User-Agent ^webshag DenyAccess
    Header User-Agent ^Morfeus DenyAccess
    Header User-Agent ^Fucking DenyAccess
    Header User-Agent ^Scanner DenyAccess
    Header User-Agent ^Aboundex DenyAccess
    Header User-Agent ^AlphaServer DenyAccess
    Header User-Agent ^Indy DenyAccess
    Header User-Agent ^ZmEu DenyAccess
    Header User-Agent ^social DenyAccess
    Header User-Agent ^Zollard DenyAccess
    Header User-Agent ^CLR DenyAccess
    Header User-Agent ^Camino DenyAccess
    Header User-Agent ^Nmap DenyAccess
    Header * ^WVS DenyAccess
    Header User-Agent ^Python-httplib DenyAccess
    Header User-Agent ^Python-requests DenyAccess
    Header User-Agent ^masscan DenyAccess
    Header User-Agent ^Java DenyAccess
    Header User-Agent ^Nutch DenyAccess
    Header User-Agent ^Who.is DenyAccess
    Header User-Agent ^immoral DenyAccess
    Header User-Agent ^crawler DenyAccess
    Header User-Agent ^NetShelter DenyAccess
    Header User-Agent ^Application DenyAccess
    Header User-Agent ^Validator.nu/LV DenyAccess
    Header * ^ssdp DenyAccess
    Header User-Agent ^Arachni DenyAccess
    Header User-Agent ^Spider-Pig DenyAccess
    Header User-Agent ^tinfoilsecurity DenyAccess
    Header User-Agent ^@ DenyAccess
    Header User-Agent ^shellshock-scan DenyAccess
    Header User-Agent ^Vega DenyAccess
    Header * ^\(\)\s*\{ DenyAccess
    Header * ^uname DenyAccess
    Header * ^whoami DenyAccess
    Header User-Agent ^friendly-scanner DenyAccess
    Header * ^mxmail.netease.com DenyAccess
    Header * ^muieblackcat DenyAccess
    Header User-Agent ^BOT\sfor\sJCE DenyAccess
}

# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
#
Hostname = 23.95.7.27
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
#ErrorHandler = 404:/error.cgi
ReverseProxy ^/.* http://www.example.com:80/

Include /etc/hiawatha/sites-enabled/

# VIRTUAL HOSTS
# Use a VirtualHost section to declare the websites you want to host.
#
#VirtualHost {
#    Hostname = www.my-domain.com
#    WebsiteRoot = /var/www/my-domain/public
#    StartFile = index.php
#    AccessLogfile = /var/www/my-domain/log/access.log
#    ErrorLogfile = /var/www/my-domain/log/error.log
#    TimeForCGI = 5
#    UseFastCGI = PHP5
#    UseToolkit = banshee
#}


# DIRECTORY SETTINGS
# You can specify some settings per directory.
#
#Directory {
#    Path = /home/baduser
#    ExecuteCGI = no
#    UploadSpeed = 10,2
#}