I tested several options of Hiawatha.
Especially the preventive options were interesting.
I’ll list some nice features and how they work here:
PreventXSS = yes #Prevents XSS.
PreventSQLi = yes #Prevents SQLi, see for yourself with the test link at the end of this post.
PreventCSRF = yes #Prevents CSRF.
ConnectionsPerIP = 60 #60 Connections per IP allowed, if going above, you get banned for the length of the BanOnMaxPerIP time period.
BanOnFlooding = 20/1:15 # 20 Connections per 1 Second, going above will result in 15 seconds ban from the server.
BanOnGarbage = 3600 # If doing obvious bullshit like this w00tw00t bot requests, you'll taste the banhammer.
BanOnInvalidURL = 30 # If doing weird invalid URL in terms of some RFC stuff, like not requesting a space with %20 to the server.
BanOnMaxPerIP = 30 # Ban time in seconds.
BanOnMaxReqSize = 3600 # If MaxRequestSize limit is exceeded, get banned.
BanOnSQLi = 3600 # Ban time on SQL injection tries.
BanOnWrongPassword = 1:120 # Entered password wrong 1 time/s, get banned for 120s.
KickOnBan = yes # Forcefully kicks connections of the bad guy instead of showing any error.
RebanDuringBan = yes # If the bad guy keeps doing bad stuff, refresh the ban time.
So as you see, there is quite much to tune in Hiawatha when it comes to preventing bad occurrences.
In fact, the Hiawatha server takes sql injections so serious, it even bans me for posting a sql injection test link in a post, so I had to masquerade it a bit.
Replace the x appearances in the URL with this symbol -> ‚
https://solsocog.de/wp-login.php?action=lostpasswordx or 1x=x1
(warning, you’ll get banned from the Webserver for one hour when clicking the link)
From my Hiawatha article series