Thread: Apache and PHP security check tool

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    Apache and PHP security check tool

    A while ago, I posted links to securing apache and php.

    SecurityFocus HOME Infocus: Securing Apache: Step-by-Step

    SecurityFocus HOME Infocus: Securing PHP: Step-by-Step

    Now there is a tool to scan for security config errors.

    TrustSight Security Hardening Tool v 1.0 Beta
    by Syhunt Inf. Ltd.
    < http://www.syhunt.com/section.php?id=sec_hardening >
    Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
    Score: Not scored yet


    TrustSight Security Hardening Tool parses the web server's configuration files to detect security configuration errors. Examines the web server's security configuration with close to 50 security checks. Supports Apache and PHP configuration files. Produces simple, easy to read reports.
    It's just in beta... but still worth a look/test.

    Enjoy! BTW: Check out some of the other new tools... some pretty interesting stuff.

    http://www.securityfocus.com/tools
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Has anyone had a chance to test this yet?

    Your thoughts/opinions? I haven't yet had a chance to test it myself...

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I'll try to test it tomorrow.

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I just ran it against my intranet server. It's not on the internet, but I use it to learn and to keep frequent reading material, links and the such. Here is the output from it.

    TrustSight Security Hardening Report
    TrustSight Security Hardening Tool report for httpd.conf ("S:\httpd\conf\httpd.conf")
    Date: 03/07/2004 3:31:49 PM

    TrustSight Security Hardening Tool - Session Details
    Paranoid Mode: Yes


    3 recommendation(s)

    ServerTokens directive
    Line: 31
    It is recommended to modify the ServerTokens directive to ServerTokens ProductOnly. After this change, Apache doesn't disclose information about its version.


    ServerSignature directive
    Line: 920
    It is recommended to modify the ServerSignature directive to ServerSignature Off


    mod_security.c module

    mod_security.c module not found. We recommend to enable the mod_security module - The mod_security module can help protect against Cross Site Scripting (XSS) and SQL injection. Detailed information can be found at: http://www.modsecurity.org


    v1.0.0 BETA. New versions will be announced on the Syhunt homepage at: www.syhunt.com
    I had to run it on my xpbox, with a drive temporarily mapped to my linux box.

    I could have simply copied the file over but it was faster and easier this way.

    Guess I have a bit of "hardening" to do... but it's not on the web... so I have some more time to figure out exactly what all this is. I'm not too experienced with webservers. I've never really needed them except for little things that I do.

    Anywho, that's the kind of reports it gives. Mind you, this is a default config that was installed with RH9. Oh, and I'm not using mysql or php.
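As an added illustration (not Syhunt's code and not from the thread), here is a small Python checker that reproduces the three findings in the report above on a constructed httpd.conf fragment; the sample config and the matching rules are assumptions made for this example.

```python
import re

# Constructed httpd.conf fragment for this example (not the poster's file).
# The commented-out hardened line shows that comments must be ignored.
SAMPLE_HTTPD_CONF = """\
# ServerTokens ProductOnly   (commented out, so it must not count)
ServerTokens OS
LoadModule rewrite_module modules/mod_rewrite.so
ServerSignature On
"""

# Matches mod_security loaded either by module name or by file name.
MOD_SECURITY = re.compile(r"mod_security|security2?_module", re.I)


def parse_directives(text):
    """Yield (line_no, lowercase_name, value) for active directive lines."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#<":   # skip comments and <Section> tags
            continue
        parts = line.split(None, 1)
        yield no, parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def check_httpd_conf(text):
    """Return (directive, line_no, advice) findings for the three checks
    in the report above. Apache honours the last occurrence of a directive,
    so only the last one is judged."""
    last, mod_security_loaded = {}, False
    for no, name, value in parse_directives(text):
        if name == "loadmodule" and MOD_SECURITY.search(value):
            mod_security_loaded = True
        elif name in ("servertokens", "serversignature"):
            last[name] = (no, value)
    findings = []
    # An absent ServerTokens means the Apache default, Full (most verbose).
    no, val = last.get("servertokens", (None, "Full"))
    if val.lower() not in ("prod", "productonly"):
        findings.append(("ServerTokens", no, f"is '{val}'; use ServerTokens ProductOnly"))
    # An absent ServerSignature means the Apache default, Off, which is fine.
    no, val = last.get("serversignature", (None, "Off"))
    if val.lower() != "off":
        findings.append(("ServerSignature", no, f"is '{val}'; use ServerSignature Off"))
    if not mod_security_loaded:
        findings.append(("mod_security", None, "module not loaded; see http://www.modsecurity.org"))
    return findings


if __name__ == "__main__":
    for directive, line_no, advice in check_httpd_conf(SAMPLE_HTTPD_CONF):
        print(f"{directive} (line {line_no}): {advice}")
```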

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    Very cool tool. I'll definitely be passing it on to the person who maintains our helpdesk (it's apache w/ php.. I may even run it later on today if work stays this quiet).

    I ran it against my laptop. I'll also run it on my desktop tonight and try and post the results so that you can compare them. Anyways this laptop has EagleX installed on it. I haven't reconfigured anything, I've just gone with the default configuration, since it only listens on the loopback. Feel free to browse the results and enjoy!

    Report - httpd.conf
    Report - php.ini

    Peace,
    HT

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    HT

    I have a newly configured machine with eaglex on it too. I left it at the default config too.

    You'd think that a "security tool" would have tried to beef up security on their install?

    The apache, mysql and etc. should all be locked down at install, since they are only being used for one thing. You don't need to be very flexible with that. The only thing they need to be flexible with is the updating and the snort config files.

    I'm still learning snort, so it is very sensitive. I have to fine tune it. It reports that every website I visit is portscanning me! lol Well, thats for another day...

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I've been having the same problem. I get constant alerts, every time I load a website.. it's a port scan apparently. Although I've been having quite a few problems with EagleX and snort in Windows (this is my first time running it in Win). Oink doesn't run properly, it crashes out and gives errors. I even modified the perl script so it would get the correct file and now it can't decompress it. I also get dB failures all the time and MySQL won't start by default like the installer says it's supposed to. However I'm playing with it on my laptop which I only use at work, so I'll see what happens when I sink more time into it.


    Peace,
    HT

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Yeah, I had that problem with the updates too. Just change the location of oink from /syg***/oink/etc to c:\rest of path. I don't have that box booted at the moment.

    But, that's how I fixed it. It updates just fine. Though, you may want to change the file it downloads to the current one, rather than stable one? Works ok for me.

    I still get all those port scans though. I'll have to figure that out. I don't have a book for snort yet... and I hate reading big docs on websites. Gives me a headache.
