How can I test the security of my server?


Solution 1

Based on your tags, here's some basic advice:

OS (Linux)

  • Apply updates/security patches including Kernel
  • Checksum tool to detect file/permission changes like aide, fcheck, tripwire etc.
  • Only enable network services you're actually using (check with netstat -tulpen)
  • Sane user definition: who has root access?
  • SSH: disable direct root logins
  • Hard- or software firewall

PHP

  • Use hardened PHP (Suhosin)
  • Google the web for security best practices in PHP

MySQL

  • Either let it run with Unix sockets or via TCP, but only on localhost/your LAN
  • Define a root password
  • Define restricted users for every different application

That's just the pure basics written down in 2 minutes. There's much more.
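As an added example (not part of the answer above, and not code from aide, fcheck or tripwire), here is a minimal shell version of what the checksum tools in the OS list record and compare: a baseline of each file's SHA-256, mode and owner, and a check that reports anything changed, added or removed. It assumes GNU/busybox coreutils (`sha256sum`, `stat -c`) and `diff`, and it only handles file names without newlines; a real integrity tool also protects the baseline itself from the host being checked.

```shell
#!/bin/sh
# Added example: a tiny file-integrity baseline in the spirit of aide/tripwire.
# Assumption: GNU or busybox coreutils (sha256sum, stat -c) and diff are installed.

# Record "sha256 mode:owner:group path" for every regular file under $1 into $2.
# Sorting with LC_ALL=C keeps the order stable so diff compares like with like.
integrity_baseline() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' \
            "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a:%U:%G' "$f")" \
            "$f"
    done > "$out"
}

# Re-scan $1 and compare it with the baseline file $2.
# Prints the differing baseline/current lines and returns 1 if anything differs,
# 0 if content, permissions and ownership all match the baseline.
integrity_check() {
    dir=$1; base=$2
    tmp=$(mktemp)
    integrity_baseline "$dir" "$tmp"
    if diff "$base" "$tmp" > /dev/null; then
        rm -f "$tmp"
        return 0
    fi
    # "<" lines come from the baseline, ">" lines from the current scan.
    diff "$base" "$tmp" | grep '^[<>]' | sed 's/^< /baseline: /; s/^> /current:  /'
    rm -f "$tmp"
    return 1
}

# Usage (run as root so every file is readable, keep the baseline off the host):
#   integrity_baseline /etc /var/backups/etc.baseline
#   integrity_check    /etc /var/backups/etc.baseline   # non-zero exit = changes found
```

Run the baseline right after a clean install or after applying updates, and re-run the check from cron; a change in `/etc` or in `/usr/bin` that you did not cause is exactly the "weird thing" the monitoring advice in the other answers wants you to be told about.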

Solution 2

Download Backtrack and run FastTrack's AutoPwn against your server. It's a completely automated approach, but it's a great low effort way of finding the low-hanging fruit.

If you've got web components, SkipFish is another great automated testing tool.

Solution 3

There are many tests you can perform and many tools available to test with. For starters you might like to run Nikto.

Although you may believe users can't upload files, a security hole in the applications or services may well prove otherwise, as many have learned the hard way. Always work on the assumption that your system is broken and vulnerable and look for ways to fix it, before someone else finds the holes for you.

Solution 4

If you have access to the system, you can find out what ports may be open using netstat. It can list all listening ports. Firewalls and other security measures may mitigate the risk.

Match this list to a remote scan. Investigate any ports the remote scan shows that aren't listed by netstat. There should be none that are not accounted for by DNAT rules on a firewall.

Disable any services you don't need. It used to be common to find a variety of unnecessary services running. Many were trivial, such as chargen, time, daytime, and others. Some were significant, such as Telnet, FTP, HTTP.

For services only needed internally, configure them to listen on 127.0.0.1 and/or ::1 (IPv6) if possible.
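The "match netstat against what you expect" step from this answer (and the `netstat -tulpen` bullet in the first one), as an added example that is not part of either answer: a small shell filter that reads `netstat -tulpen` output, drops sockets bound only to loopback, and reports any remaining listener whose proto/port is not on an allowlist you give it. The sample netstat output embedded below is constructed for the example; the column layout (local address in field 4, program name in the last field) is the one `netstat -tulpen` prints on Linux.

```shell
#!/bin/sh
# Added example: compare the host's listening sockets against an allowlist.
# Assumption: input is the output of "netstat -tulpen" on Linux (net-tools).

# Print "proto port address program" for each listening socket reachable
# from outside the host, i.e. not bound to 127.0.0.0/8 or ::1.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next
            proto = $1; sub(/6$/, "", proto)      # tcp6 -> tcp, udp6 -> udp
            print proto, port, addr, $NF
        }'
}

# $1 = space-separated allowlist of proto/port tokens, e.g. "tcp/22 tcp/80 tcp/443".
# Reads netstat -tulpen output on stdin; prints every exposed listener that is
# not on the list and returns 1 if there were any, 0 if only expected ports show.
unexpected_listeners() {
    exposed_listeners | awk -v allow=" $1 " '
        index(allow, " " $1 "/" $2 " ") == 0 {
            print "UNEXPECTED", $1 "/" $2, "on", $3, "(" $4 ")"
            bad = 1
        }
        END { exit bad + 0 }'
}

# Constructed sample of netstat -tulpen output, used to try the filter offline:
# sshd and apache2 are expected, mysqld is loopback-only, inetd still serves
# telnet (tcp/23) and chargen (udp/19), the "unnecessary services" case above.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12345      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      110        12400      901/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          12500      950/apache2
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      0          12600      1001/inetd
udp        0      0 0.0.0.0:19              0.0.0.0:*                           0          12700      1001/inetd
tcp6       0      0 :::22                   :::*                    LISTEN      0          12346      812/sshd'

# Real usage on the server itself:
#   netstat -tulpen | unexpected_listeners "tcp/22 tcp/80 tcp/443" || echo "review the list above"
```

Run it on the host, then run a port scanner against the server from a second machine and compare: anything the remote scan sees that this filter did not print is either a firewall DNAT rule or something you need to explain. On distributions where `netstat` is gone, `ss -tulpen` gives the same information but with a different column order, so the awk field numbers would need adjusting.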

Solution 5

BackTrack FastTrack's AutoPwn is good for really old servers with very old packages installed. If you have modern, updated Linux/Windows it won't find anything. (I like BackTrack, but it is a serious tool that requires extensive knowledge of security and pen testing.)

I would recommend installing and scanning your server with Nessus; it is pretty powerful (even though the free version does not have the latest vulnerability signatures) and can not only scan for open ports and remote vulnerable software but also log in to the server with root credentials and perform a local audit.

It is just a tool, it is not enough to make your server "secure", but together with, for example, weeheavy's tips you can get closer.

I would also add monitoring. Install OSSEC or its analog (tripwire, etc.); you want to be notified if anything weird is happening on the server in real time via email/SMS/etc.


Author: aneuryzm

Updated on September 17, 2022

Comments

  • aneuryzm (over 1 year):

    How can I test the security of my server?

    Please, I know it is too general a question. But I was wondering if there is a tester software or web service checking all ports of your server, or possibly security holes?

    I usually check Unix permissions and that's it, but is there something I can do?

    PS. Users cannot upload files with my web applications, so I don't have that issue.

  • aneuryzm (over 13 years): So there is not a reasonably secure test you can suggest, but I should search for more info on Google.
  • aneuryzm (over 13 years): Is there a free tool for this? Just to be reasonably sure your server is safe.
  • Sirex (over 13 years): that was a clickable link, you know.
  • Phil Swiss (over 13 years): try Nessus (nessus.org), the free version does a good job.
  • Tom O'Connor (over 13 years): "Klaatu barada nikto"
  • John Gardeniers (over 13 years): @Tom, I'm pretty sure I'm not the only one who has absolutely no idea what you're trying to say, or why.
  • Tom O'Connor (over 13 years): Really? Never seen "The Day The Earth Stood Still"?
  • Scott Pack (over 13 years): A couple of years ago the Nessus licensing changed. Now both feeds get the same sigs at the same time, but the Home Feed is more limited in how you use it, as well as missing out on some of the features.
  • Vitaly Nikolaev (over 13 years): Thx. Good to know!
  • Diego Vieira (about 9 years): Backtrack is no longer available, use kali.org instead