Server Hardening Checkup with Nikto

by Stephen Fluin 2010.05.06

Server security is vital to anyone running a web server of any kind. For brevity in this article, I am going to call people who are attempting to break or break into your server "hackers". There are lots of attack vectors hackers can use. Some hackers are attempting to attack a specific server, whereas others are attempting to exploit general vulnerabilities and do what is called "door knocking", where they check large numbers of servers for known vulnerabilities.

One good way to start checking your own server is with a tool called Nikto. Nikto is easily installed on Ubuntu from the repositories, and is run with nikto -h <server>. Running Nikto against your server checks for several thousand known vulnerabilities and misconfigurations. It will also tell you if the versions of any of your critical applications (such as PHP, SSL, Apache) are out of date. For example, running Nikto against this website reveals the following:

- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:          67.207.147.101
+ Target Hostname:    mortalpowers.com
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.2.12 (Ubuntu)
- /robots.txt - contains 3 'disallow' entries which should be manually viewed. (GET)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-0: ETag header found on server, inode: 590191, size: 132, mtime: 0x484f2a92b9380
+ OSVDB-0: GET /index.php/"><script><script>alert(document.cookie)</script>< : eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3092: GET /sitemap.xml : This gives a nice listing of the site content.
+ OSVDB-3092: GET /test.html : This might be interesting...
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 7 item(s) reported on remote host
+ End Time:        (195 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

These results show me 7 items I should look at carefully on my server. The only thing I might want to change is that I have allowed the default Apache installation to share the /icons/ folder and make it a browsable directory. This might be a concern for other sites, but it doesn't really have any security impact on my system.
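Reading a Nikto report by eye works for seven items, but once you scan more than one host it helps to turn the text into something you can sort and count. The following Python parser is an added example, not code from the article or from the Nikto project: it embeds the scan output quoted above as a constructed sample, pulls out the Server banner, the "items checked / reported" totals and each finding line (the "+ OSVDB-…" checks, the "+ OSVDB-0: ETag …" note and the "- /robots.txt" informational line), and assigns each finding a coarse triage bucket keyed on the wording Nikto uses. The line patterns are an assumption based on the 2.03/2.04 output shown here; the bucket names (directory-indexing, default-file, info-disclosure, and so on) are mine. A final consistency check confirms the parser picked up as many items as Nikto said it reported.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the scan output quoted in the article, embedded here so the
# parser runs offline and never touches a live host.
SAMPLE_OUTPUT = """\
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:          67.207.147.101
+ Target Hostname:    mortalpowers.com
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.2.12 (Ubuntu)
- /robots.txt - contains 3 'disallow' entries which should be manually viewed. (GET)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-0: ETag header found on server, inode: 590191, size: 132, mtime: 0x484f2a92b9380
+ OSVDB-0: GET /index.php/"><script><script>alert(document.cookie)</script>< : eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3092: GET /sitemap.xml : This gives a nice listing of the site content.
+ OSVDB-3092: GET /test.html : This might be interesting...
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 7 item(s) reported on remote host
+ End Time:        (195 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
"""

# Line shapes assumed from the 2.03/2.04 output above (an assumption, not a spec).
CHECK_RE = re.compile(r"^\+ (?P<id>OSVDB-\d+): (?P<method>[A-Z]+) (?P<path>/\S*) : (?P<desc>.*)$")
NOTE_RE = re.compile(r"^\+ (?P<id>OSVDB-\d+): (?P<desc>.*)$")          # no request shown
INFO_RE = re.compile(r"^- (?P<path>/\S+) - (?P<desc>.*)$")               # informational '-' line
SERVER_RE = re.compile(r"^\+ Server: (?P<banner>.+)$")
TOTALS_RE = re.compile(r"^\+ (?P<checked>\d+) items checked: (?P<reported>\d+) item\(s\) reported")

# Triage buckets (my naming), matched against Nikto's own message wording; first hit wins.
CATEGORY_KEYWORDS = [
    ("directory indexing", "directory-indexing"),
    ("default file", "default-file"),
    ("etag header", "info-disclosure"),
    ("cross site scripting", "xss"),
    ("robots.txt", "robots"),
    ("sitemap", "interesting-file"),
    ("might be interesting", "interesting-file"),
]


@dataclass
class Finding:
    osvdb: Optional[str]        # Nikto's OSVDB reference, None for informational lines
    method: Optional[str]
    path: Optional[str]
    description: str
    category: str


@dataclass
class ScanReport:
    server_banner: Optional[str] = None
    items_checked: Optional[int] = None
    items_reported: Optional[int] = None
    findings: List[Finding] = field(default_factory=list)


def categorize(path: Optional[str], description: str) -> str:
    """Map one finding to a coarse bucket so similar items can be handled together."""
    text = f"{path or ''} {description}".lower()
    for keyword, category in CATEGORY_KEYWORDS:
        if keyword in text:
            return category
    return "other"


def parse_nikto(text: str) -> ScanReport:
    """Parse Nikto's plain-text report into a ScanReport; unknown lines are skipped."""
    report = ScanReport()
    for line in text.splitlines():
        line = line.rstrip()
        if m := SERVER_RE.match(line):
            report.server_banner = m["banner"]
        elif m := TOTALS_RE.match(line):
            report.items_checked = int(m["checked"])
            report.items_reported = int(m["reported"])
        elif m := CHECK_RE.match(line):
            report.findings.append(Finding(m["id"], m["method"], m["path"], m["desc"],
                                           categorize(m["path"], m["desc"])))
        elif m := NOTE_RE.match(line):
            report.findings.append(Finding(m["id"], None, None, m["desc"], categorize(None, m["desc"])))
        elif m := INFO_RE.match(line):
            report.findings.append(Finding(None, None, m["path"], m["desc"],
                                           categorize(m["path"], m["desc"])))
    return report


def summarize(report: ScanReport) -> Dict[str, int]:
    """Count findings per bucket: how much of each kind of cleanup is queued."""
    return dict(Counter(f.category for f in report.findings))


def banner_exposes_version(banner: str) -> bool:
    """True when the Server header still carries a version ('Apache/2.2.12'); a bare
    product name such as 'Apache' would give Nikto nothing to compare against."""
    return re.search(r"/\d", banner) is not None


def counts_agree(report: ScanReport) -> bool:
    """Sanity check: the parser found every item Nikto said it reported."""
    return report.items_reported == len(report.findings)


if __name__ == "__main__":
    rep = parse_nikto(SAMPLE_OUTPUT)
    exposed = " (version exposed)" if banner_exposes_version(rep.server_banner or "") else ""
    print(f"server: {rep.server_banner}{exposed}")
    print(f"parsed {len(rep.findings)} of {rep.items_reported} reported items (agree={counts_agree(rep)})")
    for f in rep.findings:
        print(f"  [{f.category:18}] {f.osvdb or '-':10} {f.method or '':4} {f.path or ''} : {f.description}")
    print("by category:", summarize(rep))
```

Run it as a script to see the sample broken down, or feed it a saved report with parse_nikto(open("report.txt").read()). The parser deliberately keeps the robots.txt informational line as a finding: Nikto counts it toward its "7 item(s) reported", so dropping it would make counts_agree fail and hide the fact that something was left unreviewed.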
