Check whether your web server is correctly configured

Note: This article was originally published at Planet PHP on 21 April 9300.

Last year Zone-H reported a record number of 1.5 million website defacements. 1 million of those websites were running Apache.

When it comes to configuring a web server, some people tend to turn everything on by default. Developers are happy because the functionality that they wanted is available without any extra configuration, and there is a reduction in support calls due to functionality not working out-of-the-box. This has proven to be a major source of problems for security in general. A web server should start off with total restriction and then access rights should be applied appropriately. This is known as the Principle of Least Privilege. If a production web server is bound for the Internet, various web server system settings need to be disabled or changed.
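The "everything on" configuration described above can be checked mechanically. The following is an added example, not code from the original article: it audits a handful of Apache directives that an Internet-facing server should have restricted (ServerTokens, ServerSignature, TraceEnable, risky Options, AllowOverride) and shows a permissive configuration next to a hardened one. Both sample configurations, the directory path and the set of directives checked are assumptions made for this example; the function name audit_apache_config is hypothetical.

```python
"""Audit an Apache httpd configuration for "everything on" settings.

Added example, not from the original article. It flags a few directives
that should be restricted on a production server and reports where in
the configuration each weak setting was found.
"""
import re

# Directive -> (expected value, why it matters). A missing directive falls
# back to Apache's default, which for these three is the weak setting.
EXPECTED = {
    "servertokens": ("prod", "banner reveals OS and module versions (default Full)"),
    "serversignature": ("off", "error pages reveal the server version"),
    "traceenable": ("off", "HTTP TRACE is enabled by default"),
}
# Options that expose listings, server-side includes or CGI execution.
RISKY_OPTIONS = {"indexes", "includes", "execcgi"}

# Constructed sample: the "turn everything on" starting point.
PERMISSIVE_CONF = """\
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
</Directory>
"""

# Constructed sample: the same server after applying least privilege.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""


def audit_apache_config(text):
    """Return a list of findings; an empty list means no issues were found."""
    findings = []
    seen = {}
    context = "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Track the enclosing <Directory>/<Location>/<VirtualHost> block so
        # that a finding says where it applies.
        opened = re.match(r"<(Directory|Location|VirtualHost)\s+(.+?)>", line, re.I)
        if opened:
            context = f"<{opened.group(1)} {opened.group(2)}>"
            continue
        if re.match(r"</(Directory|Location|VirtualHost)>", line, re.I):
            context = "(global)"
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name in EXPECTED:
            seen[name] = args[0].lower() if args else ""
        elif name == "options":
            for opt in args:
                if opt.startswith("-"):
                    continue  # explicitly disabled, e.g. -Indexes
                if opt.lstrip("+").lower() in RISKY_OPTIONS:
                    findings.append(f"{context}: Options {opt} enabled")
        elif name == "allowoverride" and args and args[0].lower() == "all":
            findings.append(f"{context}: AllowOverride All lets .htaccess relax any restriction")
    for name, (want, reason) in EXPECTED.items():
        got = seen.get(name)
        if got != want:
            state = f"set to {got!r}" if got is not None else "not set"
            findings.append(f"(global): {name} {state}, expected {want!r}: {reason}")
    return findings


if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}: {len(audit_apache_config(conf))} finding(s)")
        for finding in audit_apache_config(conf):
            print("  -", finding)
```

The audit treats an absent directive as a finding rather than as "fine", because Apache's defaults for these directives are the permissive ones; that is the same logic as the article's advice to start from total restriction and grant access explicitly.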

You can check whether your web server is correctly configured by using Nikto, a great open source vulnerability scanner that is able to scan for quite a large number of web server vulnerabilities. From their site:

"Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated."

I'm going to run a default scan by just supplying the IP of the target:

$ cd nikto-2.1.4
$ ./nikto.pl -h <target IP>
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:
+ Target Hostname:    localhost.localdomain
+ Target Port:        80
+ Start Time:         2011-12-12 13:06:59
---------------------------------------------------------------------------
+ Server: Apache
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 6448 items checked: 0 error(s) and 0 item(s) reported on remote host
+ End Time:           2011-12-12 13:08:07 (68 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

By looking at the last section of the Nikto report, I can see that there are no issues that need to be addressed.
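Reading the item count by eye works for one host; for a scan that runs before every deployment it is worth parsing the report. The following is an added example, not code from the original article or from the Nikto project: it reads the summary line ("N items checked: X error(s) and Y item(s) reported on remote host"), collects the finding lines, and decides whether the scan is clean. The two reports embedded below are constructed for this example (the second one with a few typical findings); the IP address, hostname and the function names parse_nikto_report and scan_is_clean are assumptions.

```python
"""Parse a Nikto text report and decide whether it is clean.

Added example, not from the original article or from Nikto itself. A
deployment check can fail when the report lists any finding, instead of
relying on someone reading the last section of the output.
"""
import re

SUMMARY_RE = re.compile(
    r"^\+ (?P<checked>\d+) items? checked: (?P<errors>\d+) error\(s\) and "
    r"(?P<reported>\d+) item\(s\) reported on remote host"
)
HOSTS_RE = re.compile(r"^\+ \d+ host\(s\) tested")
# "+ " lines that are scan metadata rather than findings.
INFO_PREFIXES = ("Target IP:", "Target Hostname:", "Target Port:",
                 "Start Time:", "End Time:", "No CGI Directories found")

# Constructed sample in the shape of the clean scan shown in the article.
CLEAN_REPORT = """\
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.0.2.10
+ Target Hostname:    localhost.localdomain
+ Target Port:        80
+ Start Time:         2011-12-12 13:06:59
---------------------------------------------------------------------------
+ Server: Apache
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 6448 items checked: 0 error(s) and 0 item(s) reported on remote host
+ End Time:           2011-12-12 13:08:07 (68 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
"""

# Constructed sample of a server that still has default settings enabled.
FINDINGS_REPORT = """\
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.0.2.10
+ Target Hostname:    www.example.com
+ Target Port:        80
+ Start Time:         2011-12-12 14:00:00
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Server leaks inodes via ETags, header found with file /
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /icons/README: Apache default file found.
+ 6448 items checked: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2011-12-12 14:01:10 (70 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
"""


def parse_nikto_report(text):
    """Return {'server', 'checked', 'errors', 'reported', 'findings'}."""
    report = {"server": None, "checked": 0, "errors": 0, "reported": 0, "findings": []}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith("+ "):
            continue  # banners and separator lines
        body = line[2:]
        summary = SUMMARY_RE.match(line)
        if summary:
            for key in ("checked", "errors", "reported"):
                report[key] = int(summary.group(key))
            continue
        if HOSTS_RE.match(line):
            continue
        if body.startswith("Server:"):
            report["server"] = body[len("Server:"):].strip()
            continue
        if body.startswith(INFO_PREFIXES):
            continue
        # Anything else Nikto prefixes with "+ " is a reported item.
        report["findings"].append(body)
    return report


def scan_is_clean(report):
    """True only when Nikto reported nothing and no finding lines were seen.

    The item count is required to be positive so that an empty or truncated
    report (no summary line at all) is not mistaken for a clean one.
    """
    return report["checked"] > 0 and report["reported"] == 0 and not report["findings"]


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_REPORT), ("findings", FINDINGS_REPORT)):
        parsed = parse_nikto_report(text)
        print(f"== {label}: server={parsed['server']!r}, "
              f"checked={parsed['checked']}, clean={scan_is_clean(parsed)}")
        for finding in parsed["findings"]:
            print("  -", finding)
```

Both the summary count and the collected finding lines are checked, and a report without a summary line fails closed; a scan that was interrupted before printing its totals should not pass a deployment gate.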

Filed under: Deployment, Linux, Open-source, Security, Tools