October 27th, 2002 12:15 AM
This header is easily reduced or disabled in Apache, just look at the ServerTokens command in the config file.
Every website you go to sends HTTP headers to and from the browser. One of these headers is a server header and looks like this:
Server: Apache/1.3.26 (Trustix Secure Linux/Linux) mod_perl/1.26
October 27th, 2002 01:36 AM
may i also but in to make sure the scanner dosnt perform DoS testing (ping of death, syn floods) as that would be the last thing u wanted to do
i reccomend to go with the old computer running a bsd/linux running ipchains and keep your packages upated
October 27th, 2002 07:37 PM
Useing the suegestions I downloaded a few vulnerability scanners, One called Stealth HTTP vulnerability scanner version 2 build 47 and a fer CGI vulnerability scanners.
I could not run Nessus to scan my computer from localhost, it gave me an error. If i remember corectly, I tryed a few scanners.
Stealth did find two possible bugs, one was my robots.txt file which contains instructions to search engines as to what directories may be spidered and which ones may not. I clicked a button for more information and it searched google for me and found a few articles. Aparently because robots.txt is known by atackers and is also can be read by anyone, this can expose information about secret files and directorys. To fix this problem I might delete robots.txt and use the new robot meta tags to instruct the search engines to weather ti can follow or not follow:
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
And the other possible bug found was test.shtml. But when i looked it up with google it apeared that only certian web server could have an exploit with text.shtml, such as iis.
I will try some experimenting to see if my test.shtml can be exploited.
Then the CGI scanner found a exploit. So all together i only had maybe 3 exploits combineing the HTML and CGI exploits.
Previous versions of my software allowed an atacker to get a directory listing if they typed in a URL then a file name that exists, then %00
that issue has been fixed since.
other then nessus are they any other scanners you recomend?
In snatches, they learn something of the wisdom
which is of good, and more of the mere knowledge which is of evil. But must I know what must not come, for I shale become those of knowledgedome. Peace~