How can I test the security of my server?
Solution 1
Based on your tags, here's some basic advice:
OS (Linux)
- Apply updates/security patches including Kernel
- Checksum tool to detect file/permission changes like aide, fcheck, tripwire etc.
- Only enable network services you're actually using (check with netstat -tulpen)
- Sane user definition: who has root access?
- SSH: disable direct root logins
- Hard- or software firewall
PHP
- Use hardened PHP (Suhosin)
- Google the web for security best practices in PHP
MySQL
- Either let it run with Unix sockets or via TCP but only on localhost/your LAN
- Define a root password
- Define restricted users for every different application
That's just the pure basics written down in 2 minutes. There's much more.
Solution 2
Download Backtrack and run FastTrack's AutoPwn against your server. It's a completely automated approach, but it's a great low effort way of finding the low-hanging fruit.
If you have web components, SkipFish is another great automated testing tool.
Solution 3
There are many tests you can perform and many tools available to test with. For starters you might like to run Nikto.
Although you may believe users can't upload files, a security hole in the applications or services may well prove otherwise, as many have learned the hard way. Always work on the assumption that your system is broken and vulnerable and look for ways to fix it, before someone else finds the holes for you.
Solution 4
If you have access to the system, you can find out what ports may be open using netstat. It can list all listening ports. Firewalls and other security measures may mitigate the risk.
Match this list to a remote scan. Investigate any ports the remote scan shows that aren't listed by netstat. There should be none that are not accounted for by DNAT rules on a firewall.
Disable any services you don't need. It used to be common to find a variety of unnecessary services running. Many were trivial such as chargen, time, daytime, and others. Some were significant such as Telnet, FTP, HTTP.
For services only needed internally, configure them to listen on 127.0.0.1 and/or ::1 (IPv6) if possible.
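The reconciliation described in this answer (and the netstat -tulpen check from Solution 1) can be scripted. The following is an added example, not code from any of the answers: it parses a constructed sample of netstat -tulpen output, compares the non-loopback listeners against a constructed sample of an external scan, and reports anything the outside world sees that the host itself does not account for. The sample output, port numbers and program names are made up for the example; on a real host you would feed in the actual netstat and scanner output.

```shell
#!/bin/sh
# Added example: reconcile local listening sockets against a remote port scan.
# Both inputs are constructed sample data, not captured from a real server.

# Constructed sample of `netstat -tulpen` run on the server itself.
LOCAL_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12345      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      112        12346      901/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          12347      950/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      0          12348      950/apache2
udp        0      0 0.0.0.0:123             0.0.0.0:*                           0          12349      600/ntpd'

# Constructed sample of an external scan result, one "port/proto open" line per finding.
REMOTE_SCAN='22/tcp open
80/tcp open
443/tcp open
123/udp open'

# Ports the host reports as listening on a non-loopback address, printed as "port/proto".
# Loopback-only listeners (127.0.0.1 / ::1) are not reachable from outside and are skipped.
local_exposed_ports() {
    printf '%s\n' "$LOCAL_NETSTAT" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "::1") print port "/" proto
        }' | sort -u
}

# Ports the remote scan found open, printed as "port/proto".
remote_open_ports() {
    printf '%s\n' "$REMOTE_SCAN" | awk '$2 == "open" { print $1 }' | sort -u
}

# Remote minus local: open from outside but not explained by a local listener.
# Anything printed here must be explained by a DNAT rule on a firewall, or investigated.
unaccounted_ports() {
    { local_exposed_ports | sed 's/^/L /'; remote_open_ports | sed 's/^/R /'; } |
        awk '$1 == "L" { seen[$2] = 1 } $1 == "R" && !($2 in seen) { print $2 }'
}

# Succeeds (exit 0) when every listener on the given port is bound to a loopback address,
# i.e. the service follows the "internal services listen on 127.0.0.1 / ::1" advice.
loopback_only() {
    printf '%s\n' "$LOCAL_NETSTAT" | awk -v p="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":"); port = a[n]
            if (port != p) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "::1") bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Usage: list what needs investigating, then check the database is not exposed.
unaccounted_ports | sed 's/^/investigate: /'
if loopback_only 3306; then echo "mysql: loopback only"; else echo "mysql: EXPOSED"; fi
```

With the sample data the script flags 443/tcp: the scanner sees it open, but no local process listens there, so it is either a firewall DNAT to another host or something that needs explaining. Port 3306 passes the loopback check, while port 80 (bound to 0.0.0.0 and ::) would not, which is the expected result for a public web server.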
Solution 5
BackTrack FastTrack's AutoPwn is good for really old servers with very old packages installed. If you have a modern, updated Linux/Windows it won't find anything. (I like BackTrack, but that is a serious tool that requires extensive knowledge of security and pen testing.)
I would recommend installing and scanning your server with Nessus; it's pretty powerful (even though the free version does not have the latest vulnerability signatures) and can not only scan for open ports and remotely vulnerable software but also log in to the server with root credentials and perform a local audit.
It's just a tool; it is not enough to make your server "secure", but together with, for example, weeheavy's tips you can get closer.
I would also add monitoring. Install OSSEC or its analog (tripwire, etc.); you want to be notified in real time via email/SMS/etc. if anything weird is happening on the server.
aneuryzm
Updated on September 17, 2022
Comments
- aneuryzm, over 1 year:
How can I test the security of my server?
Please, I know it is too general a question. But I was wondering if there is a tester software or web service checking all ports of your server, or possibly security holes?
I usually check unix permissions and that's it, but is there something I can do?
ps. Users cannot upload files with my web applications, so I don't have that issue.
- aneuryzm, over 13 years: So there is not a reasonably secure test you can suggest, but I should search more info on google.
- aneuryzm, over 13 years: Is there a free tool for this? Just to be reasonably sure your server is safe
- Sirex, over 13 years: that was a clickable link, you know.
- Phil Swiss, over 13 years: try Nessus (nessus.org), the free version does a good job.
- Tom O'Connor, over 13 years: "Klaatu barada nikto"
- John Gardeniers, over 13 years: @Tom, I'm pretty sure I'm not the only one who has absolutely no idea what you're trying to say, or why.
- Tom O'Connor, over 13 years: Really? Never seen "The Day The Earth Stood Still"?
- Scott Pack, over 13 years: A couple of years ago the Nessus licensing changed. Now both feeds get the same sigs at the same time, but the Home Feed is more limited in how you use it, as well as missing out on some of the features.
- Vitaly Nikolaev, over 13 years: Thx. Good to know!
- Diego Vieira, about 9 years: Backtrack is no longer available, use kali.org instead