http://www.Linux-Sec.net
Web Server
Minimum Web Server Hardening Recommendations
Apply the kernel patches
Apply your distro patches
Harden your server as needed
Apply the latest httpd server patches
Subscribe to the security mailing list of your http daemon
Install web popup junk busters
Remove MS-centric junk ( Nimda, CodeRed, .. )
Watch/review your webserver logs
All development should be done on a test/development web server ( http://TEST.YourDomain.com )
All cgi-bin scripts should be local to your server
Web pages should be created by a program (NOT manually edited)
After approval, your web pages should be "bundled" ( *.tgz ) and transferred over and installed
Your real webserver ( http://www.YourDomain.com ) should be md5-sum'd randomly/regularly to detect unauthorized changes
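The last recommendation, md5-summing the live docroot to detect unauthorized changes, as an added example that is not part of the Linux-Sec.net page: a baseline is taken from the approved bundle, and a later check reports added, modified and removed files. DOCROOT and baseline paths are assumptions; the demo at the bottom runs on a constructed sample site.

```sh
#!/bin/sh
# Added example (not from Linux-Sec.net). Keep the baseline file off the web
# server or on read-only media: a baseline an intruder can rewrite detects nothing.

# Build a baseline: one "md5  ./path" line per file, sorted by path so that
# two baselines of identical trees are byte-for-byte equal.
docroot_baseline() {
    ( cd "$1" && find . -type f -exec md5sum {} + | LC_ALL=C sort -k 2 )
}

# Compare the docroot ($1) against a stored baseline ($2).
# Prints ADDED / MODIFIED / REMOVED lines and returns 1 if anything differs,
# 0 if the tree is untouched, so a cron job only mails when something changed.
docroot_verify() {
    current_sums=$(mktemp)
    docroot_baseline "$1" > "$current_sums"
    # md5sum output is 32 hex chars, two spaces, then the path, so the path
    # starts at column 35; taking it with substr() keeps paths with spaces intact.
    report=$(awk -v base_file="$2" '
        FILENAME == base_file { base[substr($0, 35)] = $1; next }
        {
            p = substr($0, 35)
            if (!(p in base)) print "ADDED    " p
            else { if (base[p] != $1) print "MODIFIED " p; delete base[p] }
        }
        END { for (p in base) print "REMOVED  " p }' "$2" "$current_sums" | LC_ALL=C sort)
    rm -f "$current_sums"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Demo on a constructed sample docroot (no real web server needed).
demo=$(mktemp -d)
mkdir -p "$demo/site/cgi-bin"
printf 'hello\n' > "$demo/site/index.html"
printf '#!/bin/sh\n' > "$demo/site/cgi-bin/form.cgi"
docroot_baseline "$demo/site" > "$demo/site.md5"      # taken right after install
printf 'defaced\n' > "$demo/site/index.html"         # an unauthorized edit
docroot_verify "$demo/site" "$demo/site.md5" || echo "integrity check FAILED"
rm -rf "$demo"
```

For a real server, run `docroot_baseline /var/www/html > baseline.md5` after each approved bundle is installed and `docroot_verify /var/www/html baseline.md5` from cron at irregular times.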
RFCs Related to http
isi.edu
RFC-Info
Web Servers
Apache.org
Apache.org
Mailing List
Umich.edu
httpd for PalmPilot ( inactive )
SourceForge.net
httpdPalm
httpdPalm.SourceForge.net
Microsoft http server
Netscape http server
NCSA
Zope
CGISecurity.com
chroot apache2
Secure http
RFC xxx
Secure HTTP
WebServer Attacks/Exploits/Vulnerability
ApacheWeek.com
CodeRed
Cert.org
CodeRed
cgi-bin Scripts
Checking for exploits in your cgi-bin scripts
websniff -v -p 25
Web Browser Testing
ScanIT.be
bcheck
ScanIT.be
Browser Vulnerability Statistics
Heise.de
browsercheck
Privacy.net
Qualys.com
sztolnia.pl
Trivial IE Crash
CodeProject.com
CookieSpy
vdberg.org
HTMLBar
Web Server Testing
WebTrends.net
WebServer Testing - loading, links, etc
FoundStone.com
SiteDigger, UDPFlood, Blast, FSMax
openssl s_client -connect mail.google.com:443
FoundStone.com
FreeTools
ServerSniff.net
sslcheck
AppSecInc.com
AppDetective
Improving.org
CGI-Security
SourceForge.net
CGIChk
WireTrip.net
Whisker - Check Websites
PFY.nl
SafeCGI and suexec patches
CGIWrap
InternetTrash.com
md-webscan - 180 cgi vulnerabilities
Perl.com
Latro
Ed.net
wel.txt perl script
Hoobie.net
Brutus
habets.pp.se
synscan
Kavado.com
ScanDo
Monkey.org
Arirang - webserver security scanner
MozDev.org
LiveHttpHeaders
nStalker.com
n-Stealth
PacketFactory.net
ISIC
ProofSecure.com
PureLoad.com
thc.org
Hydra
SoftRequest.com
WebSite Test Tools
SpiDynamic.com
WebInspect
ThoughtCrime.org
SSLSniff
SanctumInc.com
AppScan
owasp.org
webscarab
owasp.org
WebGoat
SandSprite.com
Sleuth
SecGuru.com
FakeConnect, OpenSTA, Siege, http_load, grinder
SpiDynamics.com
WebInspect
WebPerf.org
WebPerf.SourceForge.net
SandSprite.com
WebSleuth
zone-H.org
WebSleuth
Webmitm - SSLmitm
SourceForge.net
OWasp
MavenSecurity.com
achilles
NetCraft.com
Proxy
AtStake.com
WebProxy
OWasp.org
WebScarab
SecurityFocus.com
Mieliekoek.pl Checks for SQL injections
SourceForge.net
KSES - checks for SQL/XSS injections
ImmunitySec.com
SPIKE - SQL injections and brute force attacks
AstralClinic.com
which web server is in use
W3.org
WWW-Security-FAQ
UWaterloo.ca
CGI Security Tutorial
UIUC.edu
Writing secure CGI scripts
Cert.org
Removing Bad Chars
WebServer Load Testing
apache/ab -n 100000 server.edu/page
SunSite.dk
WebAppTesting
SourceForge.net
Deludge
SourceForge.net
Hammerhead
SourceForge.net
SSLClient Stress Tool
Freshmeat.net
PTester - HTTP Benchmarking tool
JoeDog.org
Siege -- HTTP regression testing & Benchmarking
Web PopUPs Busters
Privacy.net
lots of stuff
JunkBuster.com
CSUChico.edu
Adblock
SourceForge.net
AdZapper
SourceForge.net
httpf
Senet.com.au
Squirm
WebWasher.com
Uni-Paderborn.de
NoShit WebFilter
Muffin.doit.org
Muffin
HTTP WebLog Analysis
analog
Remove Microsoft-centric Junk from Your Logs
Remove CodeRed, Nimda, etc from your Apache Logs
Insecure.org
ipchains
Oops.org
ipchains ( korean )
LinuxFromScratch.org
SetEnvIf - don't Log
WesternLug.org
SetEnvIf - don't Log
Apache.or.jp
SetEnvIf - don't Log ( japanese )
Gotokun.jp
SetEnvIf - don't Log ( japanese )
Ikari24.com
SetEnvIf - don't Log ( japanese )
No-IP.com
SetEnvIf - don't Log ( japanese )
ISP-Planet.com
Redirect to 127.0.0.1
BankHacker.com
Redirect to error.html ( spanish )
atrid.fr
Redirect ( french )
Treachery.net
ScriptAliasMatch to default.ida
Neohapsis.com
default.ida handler back to attacker
Copyright © 2000
Linux-Consulting
All Rights Reserved.
Updated: Fri Nov 17 00:37:22 2006 PDT