|
Web Site Security Testing
Hey guys, I was wondering if there are any tools out there to test a web server's security. I want to be able to test it before I put it into production.
Thanks, green one |
Sorry guys... I realize the potential for this question to raise an eyebrow... however there has to be some tools out there to let you test your own server for any possbile security risks either local or external.
I'm not looking to hack someone's site... just test my own. |
Use Netcraft to see if the server is already listed. Comes in handy determining the OS/httpd version and spares you a scan (aprox). If you can find a CVE entry for a vulnerable httpd version, just try break it straight away, else don't be subtle and throw a portscan at it using Nmap/hping2 to find out what's open. Finish with a look with Nessus/Whisker/Arirang/whatever else scan to find possible vulnerable sw. Basically there's too much tools around, I'd say go for what you're comfortable with. Since you've got local access you can use local auditing stuff like CISscan, SARA, TIGER, COPS.
Use the results (maybe use Bastille-linux as well) to tighten up security. Don't forget to check docs like the Apache security primer, SANS top 20 vulnerabilities and the basic references we post in this forum aprox once every month*. Also check out the OSSTM at http://www.isecom.org for framework docs and excellent tool list. Here's some other tool archive links: Huge archive: http://www.cerias.purdue.edu/coast/a...ory_index.html Refs: http://www.cert.org/other_sources/tool_sources.html top 50 tools: http://www.insecure.org/tools.html *If you want us to run this by you again, just ask. But post some system/network/purpose specs before so we can see if we can make it more specific. HTH. |
| All times are GMT -5. The time now is 07:00 AM. |