Posted to users@httpd.apache.org by Pete Eakle <pe...@gmail.com> on 2005/03/26 22:21:09 UTC

[users@httpd] recommendations for checking website security holes?

My company will be announcing a new website soon, and being somewhat
new to this game I am concerned about possible site break-ins.  I
worry that, despite our best efforts, we may still have a
vulnerability somewhere that we will find out about the hard way.  I
was wondering if people could suggest which vulnerabilities are most
likely to be exploited, or possibly suggest an article, service or
tool, etc. that I could use to test out our site for vulnerabilities?

Thanks a lot.

    -Pete

PS: the site will be Apache based and use Tomcat for the dynamic parts.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] recommendations for checking website security holes?

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
Aman Raheja wrote:
> 2.0.53 is indeed the latest version, with fixes for known vulnerabilities.
> The security depends on what you are using. So you might want to check,
> per enabled module, what security threats you might face. For
> example, if you have CGI enabled, it depends a lot on the programmers to
> ensure security, since the programs might be prone to buffer overflows.
> You might want to check for cross-site scripting and other known web
> security issues. I would start by searching Google for keywords like web
> security, apache security, and the like to find more info.
> Apache docs also have security info:
> http://httpd.apache.org/docs-2.0/misc/security_tips.html
> HTH
> - Aman Raheja

You might want to check (as a baseline) for some things like:

- Apache/PHP updated to the latest version
- (optional) PHP running with safe_mode on
- PHP running with register_globals off
- (optional) SELinux enabled and enforcing
- /tmp, /var/tmp, /dev/shm and other temp dirs mounted noexec
- A firewall permitting only NEW and ESTABLISHED packets, and having
syncookies enabled.
- Sometimes it is nice to "hide" the versions of your programs. This won't make
your box unhackable, but it will bore some script kiddies, as they don't
know what they are messing with.
- Try to use chrooted and suexec'd services... but that is kind of complex
sometimes.
and so on.
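The checklist above, turned into an audit script. This is an added example, not code from the thread or from the Apache project. It assumes a Linux host where mount options, SYN cookie state and SELinux mode are read from /proc/mounts, /proc/sys/net/ipv4/tcp_syncookies and /sys/fs/selinux/enforce (/selinux/enforce on 2005-era kernels), and that the httpd configuration is at /etc/httpd/conf/httpd.conf unless HTTPD_CONF says otherwise. The "hide versions" item is checked as the ServerTokens and ServerSignature directives; the firewall, PHP and chroot/suexec items are not covered. The fixture files written by write_fixtures are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Baseline hardening audit for an Apache host on Linux (added example).
# Every check takes the path of the file it inspects, so it can be run
# against the live system or against constructed fixtures.
# Each check returns 0 for pass, 1 for fail.

# check_noexec MOUNTS_FILE MOUNTPOINT
# Pass if MOUNTPOINT appears in MOUNTS_FILE (format of /proc/mounts:
# "device mountpoint fstype options dump pass") with "noexec" among its options.
check_noexec() {
    awk -v mp="$2" '
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "noexec") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_syncookies SYSCTL_FILE
# Pass if the file (normally /proc/sys/net/ipv4/tcp_syncookies) contains "1".
check_syncookies() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# check_selinux_enforcing ENFORCE_FILE
# Pass if the file (normally /sys/fs/selinux/enforce) contains "1".
check_selinux_enforcing() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Location of the SELinux enforce flag: new path first, 2005-era path second.
selinux_enforce_file() {
    if [ -r /sys/fs/selinux/enforce ]; then echo /sys/fs/selinux/enforce
    else echo /selinux/enforce; fi
}

# check_banner HTTPD_CONF
# Pass if the version banner is minimised: "ServerTokens Prod" and
# "ServerSignature Off". Lines starting with "#" are comments; as in httpd,
# the last occurrence of a directive wins.
check_banner() {
    tokens=$(awk 'tolower($1) == "servertokens"    { v = $2 } END { print tolower(v) }' "$1")
    sig=$(awk 'tolower($1) == "serversignature" { v = $2 } END { print tolower(v) }' "$1")
    [ "$tokens" = "prod" ] && [ "$sig" = "off" ]
}

# report LABEL CMD ARGS...: run one check, print PASS/FAIL, record failure.
report() {
    label="$1"; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; FAILED=1; fi
}

# audit_host: run the checklist against the running system.
audit_host() {
    FAILED=0
    for mp in /tmp /var/tmp /dev/shm; do
        report "$mp mounted noexec" check_noexec /proc/mounts "$mp"
    done
    report "tcp_syncookies enabled" check_syncookies /proc/sys/net/ipv4/tcp_syncookies
    report "SELinux enforcing"      check_selinux_enforcing "$(selinux_enforce_file)"
    report "httpd banner minimised" check_banner "${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}"
    return $FAILED
}

# write_fixtures DIR: constructed sample files (not from a real host) giving
# one passing and one failing case per check.
write_fixtures() {
    cat > "$1/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var/tmp ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF
    echo 1 > "$1/syncookies_on"
    echo 0 > "$1/syncookies_off"
    cat > "$1/httpd_weak.conf" <<'EOF'
# Default-style banner: advertises "Apache/2.0.53 (Fedora)" in headers and error pages
ServerTokens OS
ServerSignature On
EOF
    cat > "$1/httpd_hardened.conf" <<'EOF'
# Minimal banner: "Server: Apache" only, no footer on generated pages
ServerTokens Prod
ServerSignature Off
EOF
}

case "${1:-}" in
    host) audit_host ;;
    demo) d=$(mktemp -d); write_fixtures "$d"; FAILED=0
          report "/tmp noexec (fixture)"     check_noexec "$d/mounts" /tmp
          report "/var/tmp noexec (fixture)" check_noexec "$d/mounts" /var/tmp
          report "syncookies (fixture)"      check_syncookies "$d/syncookies_off"
          report "banner, weak conf"         check_banner "$d/httpd_weak.conf"
          report "banner, hardened conf"     check_banner "$d/httpd_hardened.conf"
          rm -rf "$d" ;;
    *)    echo "usage: $0 host|demo" >&2 ;;
esac
```

Run `sh audit.sh host` as root on the server; `sh audit.sh demo` exercises the same checks on the constructed fixtures. Note that ServerTokens Prod only trims the banner; the build is still fingerprintable from its behaviour, which is why the list above calls version hiding a nuisance for script kiddies rather than a real protection.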


Re: [users@httpd] recommendations for checking website security holes?

Posted by Aman Raheja <ar...@techquotes.com>.
2.0.53 is indeed the latest version, with fixes for known vulnerabilities.
The security depends on what you are using. So you might want to check,
per enabled module, what security threats you might face. For
example, if you have CGI enabled, it depends a lot on the programmers to
ensure security, since the programs might be prone to buffer overflows.
You might want to check for cross-site scripting and other known web
security issues. I would start by searching Google for keywords like web
security, apache security, and the like to find more info.
Apache docs also have security info:
http://httpd.apache.org/docs-2.0/misc/security_tips.html
HTH
- Aman Raheja

Pete Eakle wrote:

>Sorry, I forgot to mention this.  We will be running on Fedora Linux,
>Core 2, and Apache 2.0.53.  I believe we installed the latest Apache,
>so I don't know if the 'updates in place' issue will apply to us yet.
>
>    -Pete

-- 

Regards
Aman Raheja
http://www.techquotes.com
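The cross-site scripting risk in CGI programs mentioned above, shown as a shell CGI script in its vulnerable and hardened forms. This is an added example, not code from the thread or from the Apache project. It assumes a CGI-style parameter "name" arriving in QUERY_STRING; percent-decoding is left out, and the attacker input is constructed and already decoded.

```shell
#!/bin/sh
# Reflected XSS in a CGI script: unescaped vs escaped output (added example).

# html_escape STRING: encode the five characters that let attacker-supplied
# text break out of an HTML text node or a quoted attribute value.
# "&" is handled first so the entities introduced later are not re-escaped.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g'  \
                           -e 's/</\&lt;/g'   \
                           -e 's/>/\&gt;/g'   \
                           -e 's/"/\&quot;/g' \
                           -e "s/'/\&#39;/g"
}

# query_param NAME QUERY: value of NAME from an "a=1&b=2"-style query string.
# "+" becomes a space; %XX decoding is omitted to keep the example short.
query_param() {
    printf '%s' "$2" | tr '&' '\n' \
        | awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' \
        | tr '+' ' '
}

# render_vulnerable NAME: what a naive CGI does, echoing the parameter into HTML.
render_vulnerable() {
    printf '<p>Hello, %s!</p>\n' "$1"
}

# render_safe NAME: the same page with output encoding applied.
render_safe() {
    printf '<p>Hello, %s!</p>\n' "$(html_escape "$1")"
}

# Constructed attacker input: what a link such as
# /cgi-bin/hello.sh?name=%3Cscript%3E... carries once decoded.
ATTACK='<script>alert(document.cookie)</script>'

case "${1:-}" in
    demo) printf 'Content-Type: text/html\n\n'
          echo "<!-- vulnerable -->"; render_vulnerable "$ATTACK"
          echo "<!-- safe -->";       render_safe "$ATTACK"
          echo "<!-- from a query string -->"
          render_safe "$(query_param name 'id=7&name=Bob+Smith')" ;;
    *)    echo "usage: $0 demo" >&2 ;;
esac
```

The escaping here is correct only for HTML text and quoted attribute values; a parameter that ends up inside a script block, an event handler or a URL needs the encoding of that context instead, and a buffer-overflow review of any compiled CGI binaries is a separate exercise.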





Re: [users@httpd] recommendations for checking website security holes?

Posted by Pete Eakle <pe...@gmail.com>.
Sorry, I forgot to mention this.  We will be running on Fedora Linux,
Core 2, and Apache 2.0.53.  I believe we installed the latest Apache,
so I don't know if the 'updates in place' issue will apply to us yet.

    -Pete

On Sat, 26 Mar 2005 14:35:22 -0800, Steven Pierce
<pa...@speakeasy.net> wrote:
> 
> Good Evening,
> 
> One of the items that you should list is the O/S.  If you are using Windows then you would
> have issues that you might not have with Linux.  I would assume that you are using
> a form of Unix (Linux, BSD, Sun, etc.).  Also, what version of Apache are you using,
> and do you have all the updates in place?
> 
> Sorry if this seems basic, but it would give the security guys a little more to
> go on.



Re: [users@httpd] recommendations for checking website security holes?

Posted by Steven Pierce <pa...@speakeasy.net>.
Good Evening,

One of the items that you should list is the O/S.  If you are using Windows then you would
have issues that you might not have with Linux.  I would assume that you are using
a form of Unix (Linux, BSD, Sun, etc.).  Also, what version of Apache are you using,
and do you have all the updates in place?

Sorry if this seems basic, but it would give the security guys a little more to 
go on.



*********** REPLY SEPARATOR  ***********

On 3/26/2005 at 1:21 PM Pete Eakle wrote:

>My company will be announcing a new website soon, and being somewhat
>new to this game I am concerned about possible site break-ins.  I
>worry that, despite our best efforts, we may still have a
>vulnerability somewhere that we will find out about the hard way.  I
>was wondering if people could suggest which vulnerabilities are most
>likely to be exploited, or possibly suggest an article, service or
>tool, etc. that I could use to test out our site for vulnerabilities?
>
>Thanks a lot.
>
>    -Pete
>
>PS: the site will be Apache based and use Tomcat for the dynamic parts.




RE: [users@httpd] recommendations for checking website security holes?

Posted by "Hwee Khoon, Neo" <hw...@pacific.net.sg>.
Hi,

You may want to try Nessus (http://www.nessus.org/). It's free.

-----Original Message-----
From: Pete Eakle [mailto:pete.eakle@gmail.com]
Sent: Sunday, March 27, 2005 5:21 AM
To: users@httpd.apache.org
Subject: [users@httpd] recommendations for checking website security
holes?


My company will be announcing a new website soon, and being somewhat
new to this game I am concerned about possible site break-ins.  I
worry that, despite our best efforts, we may still have a
vulnerability somewhere that we will find out about the hard way.  I
was wondering if people could suggest which vulnerabilities are most
likely to be exploited, or possibly suggest an article, service or
tool, etc. that I could use to test out our site for vulnerabilities?

Thanks a lot.

    -Pete

PS: the site will be Apache based and use Tomcat for the dynamic parts.
