How to Check Your Webhost’s Security

It only took a week before Traveling Forever was seeing hack attempts. They were thankfully only automated script kiddie attacks, but they were still annoying. For any webmaster, system security is an integral part of being able to sleep at night. But just setting up mod_security on Apache and leaving your machine to the elements isn’t nearly enough.

You’ve got to Pen-Test your own machine. Depending on your webhost, they might not like a simulation attack, so be sure to ask first, and let them know what’s going on. Remember, nothing you do now is any worse than what already happens in the wild.

That being said, let's get started and download the tools for our test attack on our own web server. For this guide we'll be using my favorite Pen-Test Linux LiveCD, BackTrack.

Once you've downloaded BackTrack, burn it to a CD, then restart your computer with the CD in the drive. You should automatically start booting into Linux. The default username and password are: "root" and "toor".

There are three parts to your basic Pen-Test. Here we'll go over the following three tests:

Nikto

Nikto is an automated web vulnerability scanner. Using Nikto is painless and quite easy. This is one of the best tests available for web software vulnerabilities. Run Nikto from the command line, and it'll report every vulnerability it finds on your server that's in its database. The report isn't nearly as robust as Nessus', though.

Nessus

Nessus is an automated scanner. It'll scan to see what services are running on your server and check their versions against an extremely large database of vulnerabilities. This is one of the most powerful scanners in the world, and it's open source and free. Its report system is robust and powerful, with a complete list of vulnerabilities and possible misconfigurations, broken down by port.

THC-Hydra

THC-Hydra is an automated password cracker. You should always test your web server against a dictionary attack. This is the easiest way to do so, and to make sure no script kiddie is going to 0wn your web server with a lame dictionary attack.
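The dictionary attacks Hydra simulates, like the real ones in the wild, leave a trail of failed logins in the server's access log. As an added example (not from the original post, and not part of Hydra or BackTrack), here is a small Python check over constructed Apache combined-format log lines that flags any source IP producing a burst of 401/403 responses; the path, addresses, window and threshold are all made-up assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; the regex captures only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not real traffic): one host hammering a
# password-protected /admin/ path, plus one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2009:14:02:01 +0000] "GET /admin/ HTTP/1.1" 401 481
203.0.113.7 - - [10/Mar/2009:14:02:02 +0000] "GET /admin/ HTTP/1.1" 401 481
203.0.113.7 - - [10/Mar/2009:14:02:02 +0000] "GET /admin/ HTTP/1.1" 401 481
203.0.113.7 - - [10/Mar/2009:14:02:03 +0000] "GET /admin/ HTTP/1.1" 401 481
203.0.113.7 - - [10/Mar/2009:14:02:03 +0000] "GET /admin/ HTTP/1.1" 401 481
203.0.113.7 - - [10/Mar/2009:14:02:04 +0000] "GET /admin/ HTTP/1.1" 401 481
198.51.100.4 - - [10/Mar/2009:14:02:05 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2009:14:03:40 +0000] "GET /admin/ HTTP/1.1" 401 481
"""

def find_bruteforce(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: count} for IPs with at least `threshold` auth failures
    (401/403 responses) inside any sliding window of `window` length."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") not in ("401", "403"):
            continue
        failures[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until all timestamps fit inside it
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} auth failures within 60s")
```

Run it against your own server's access log right after a Hydra test and the source address you attacked from should be the one flagged; if it isn't, your logging is the first thing to fix.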

Between these three tests you'll be off to a good start in making sure your web host has a basic level of security. Of course, every server has its flaws, and there is no such thing as unbreakable. But by running the most basic attacks against yourself first, you make sure you're protected from the most common ones.

You can get BackTrack here.
