# How can I check if a web site is secure

## queen

I am trying to check if http://www.channelnewsasia.com/ is a secure site. 

I tried to use nmap and wireshark. 

Using nmap to scan all ports 0-65535 (TCP and UDP) takes quite a long time.

So I tried ports 0-150 on TCP and UDP.

```
nmap -O -v -p U:0-150,T:0-150 -P0 www.channelnewsasia.com

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-07 15:33 IDT
Initiating Parallel DNS resolution of 1 host. at 15:33
Completed Parallel DNS resolution of 1 host. at 15:33, 0.02s elapsed
Initiating SYN Stealth Scan at 15:33
Scanning channelnewsasia.com (202.172.227.124) [151 ports]
Discovered open port 80/tcp on 202.172.227.124
Completed SYN Stealth Scan at 15:34, 27.43s elapsed (151 total ports)
Warning:  OS detection for 202.172.227.124 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against channelnewsasia.com (202.172.227.124)
Retrying OS detection (try #2) against channelnewsasia.com (202.172.227.124)
Initiating gen1 OS Detection against 202.172.227.124 at 35.650s
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming port 80 is open, 33761 is closed, and neither are firewalled
For OSScan assuming port 80 is open, 44112 is closed, and neither are firewalled
For OSScan assuming port 80 is open, 40751 is closed, and neither are firewalled
Host channelnewsasia.com (202.172.227.124) appears to be up ... good.
Interesting ports on channelnewsasia.com (202.172.227.124):
Not shown: 150 filtered ports
PORT   STATE SERVICE
80/tcp open  http
Device type: firewall|general purpose
Running (JUST GUESSING) : WatchGuard embedded (91%), Linux 2.4.X|2.6.X (90%)
Aggressive OS guesses: WatchGuard Firebox X700 (91%), Linux 2.4.18 - 2.4.27 (90%), Linux 2.6.10 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=9999999 (Good luck!)
IPID Sequence Generation: All zeros
```

TCP Sequence Prediction: Difficulty=9999999 means that hijacking is very difficult. Ping also is not allowed, which makes it more secure. 

I know there is a possibility with wireshark to capture data from a live network, but I don't know how to do that. If someone knows, please let me know. 

Also, what other tools can I use to validate proper web server configuration and check if the web site is secure? HTTP Test Tool?

----------

## pdr

Keep in mind that there are two "types" of security you are talking about here:

1. The server is secure from a socket-level point of view.

2. The web site is secure.

nmap and such are testing item 1. If this is your server then securing it just involves making sure it is not "serving" anything you don't want it to (i.e. that any software - including, say, iptables in the kernel - is only listening to a port because you NEED that service). Use "ps ax", netstat, "iptables -t nat -L" and "iptables -L" to see what is running and listening (and in the case of iptables, possibly translating). It does not matter if a port is open if no process is listening to it (discounting if there is a bug in the tcp stack of the kernel - don't know if I've ever seen one that was actually exploitable). So, for example, port 23 can be open all day long and there is no vulnerability - unless, of course, you have sshd running and listening to that port.

What you want this for is by knowing what services you are actually running you can check the GLSAs to keep up on any vulnerabilities they might have.

Item 2 is where a LOT of sites get hacked. From the item 1 perspective you would be noting that apache(2) is listening to port 80, and you would be checking the GLSAs for apache vulnerabilities. However this is how a very small number of hacks (any in recent years?) occur; where you get bitten is that you have a vulnerable apache config or - most probable - some php pages that were written insecurely and allow malicious users to access/modify data. Of course just having mod_php, or mod_perl, etc. means you have to check GLSAs for vulnerabilities in the modules, but again most reports I see are from poorly written sites.

Another example: sshd might be secured properly, but the server has accounts that can be hacked (just check your /var/log/messages for bots that are trying to log in with well-known accounts to see what I mean).

Security is a bottom-up thing. Start with nothing listening, no accounts except root. Add user accounts as actually necessary, keeping track after you emerge packages that they didn't add an account - and if they did, that either the account is not allowed to log in (i.e. is only used for filesystem accessibility, such as the apache user) or that if for some reason it DOES need to log in, that it has a "good" password. Be very careful of the auto-service kinda stuff (haven't used it in so long I don't even remember what its name is! - the daemon that listens to ports and, when a connection is made, fires up the appropriate service for it); I never use this on any of my servers.

When first bringing up a service that listens to ports, make sure you lock it down before testing it. For example, before bringing up apache for testing, set iptables first so that packets can only get to port 80 if they are from localhost or the local intranet. And you should have the apache first set up to do almost nothing (or consider running it in a chroot jail) and, if possible, CHECK that your iptables are correct and only "good people" can access it (i.e. try hitting it from non-allowed ip addresses)! Now you can test the apache config to see that it is only performing operations you want it to.

Web site security: this is actually a piece of cake, and probably 90% of web sites get it wrong. Just assume that someone is going to post your url on Warez-R-Us and code accordingly. Validate every single piece of information that can come from the user. It does not matter if the data, say, was "supposed" to come from a hidden input value that your previous page filled in - a cracker can send any data he wants. He can send unicode characters that might get interpreted differently than you want them to be, he can insert characters that allow him to do SQL injection - anything. This is called software engineering, and is nothing more than validating preconditions. Also perform consistency checks in the software. If a user is supposed to be logged in as an administrator by the time they get to a particular page, don't just check that they are logged in - make sure they are an administrator too. If a user value is going to be inserted into a SQL integer column, ensure that the value matches the regular expression for your field's data type (e.g. if it is a dec(9,0) field, actually validate it is a "[1-9][0-9]{0,8}" string).

The point here is that you have to design your security. While testing if something is secure can be fun and lets you use up empty hours where you had nothing else to do, the problem is that you have to test every single method a cracker might use to access your server - and that is evolving all the time - and there is an exponential growth problem when you are running multiple services.
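Added example (not pdr's code, and Python with sqlite rather than the PHP the post has in mind): the precondition checks pdr describes, using the post's dec(9,0) regex, the logged-in-AND-administrator consistency check, and a bound SQL parameter. The records table, the session dicts and the delete_record handler are constructed for the demonstration; it also shows why fullmatch and an explicit [0-9] matter for the "unicode characters interpreted differently" point.

```python
import re
import sqlite3
from typing import Optional

# The regex from the post for a dec(9,0) column: 1 to 9 digits, no leading
# zero. Note that it also rejects "0"; use r"0|[1-9][0-9]{0,8}" if zero is a
# legal value for the field.
DEC9_RE = re.compile(r"[1-9][0-9]{0,8}")


def validate_dec9(raw: object) -> Optional[int]:
    r"""Return the integer if raw is a well-formed dec(9,0) string, else None.

    fullmatch, not match/search: match() accepts "123 OR 1=1" because the
    pattern matches a prefix, and a trailing "$" still tolerates "123\n".
    [0-9], not \d: in Python 3 \d also matches non-ASCII decimal digits
    (e.g. Arabic-Indic U+0661), and int() converts them, so the database
    would receive a number the regex never looked at.
    """
    if not isinstance(raw, str) or DEC9_RE.fullmatch(raw) is None:
        return None
    return int(raw)


def naive_accepts(raw: str) -> bool:
    """The tempting shortcut, kept only to show what it lets through."""
    return re.fullmatch(r"\d{1,9}", raw) is not None


def is_admin(session: dict) -> bool:
    """Consistency check from the post: logged in AND an administrator."""
    return bool(session.get("logged_in")) and session.get("role") == "admin"


def delete_record(conn: sqlite3.Connection, session: dict, form: dict) -> int:
    """Hypothetical handler for an admin-only page. Returns an HTTP-style
    status; every precondition is re-checked here, whatever the previous
    page's hidden field was 'supposed' to send."""
    if not is_admin(session):
        return 403
    record_id = validate_dec9(form.get("id", ""))
    if record_id is None:
        return 400
    # Bound parameter: the validated int is never concatenated into SQL.
    cur = conn.execute("DELETE FROM records WHERE id = ?", (record_id,))
    conn.commit()
    return 200 if cur.rowcount == 1 else 404


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, note TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?)", [(7, "a"), (42, "b")])
    conn.commit()
    return conn


def count_records(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM records").fetchone()[0]
```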

----------

## queen

Thanks a lot for the explanation, but I can't do anything like that, because I don't have access to their computer. I was only asked "can you tell if this site is secure"? 

Which tools can I, as an external user, try in order to check if that web site is secure? 

I used nmap and wireshark to check if ports are open. 

Scripts?  

And I'd like to be legal as much as possible considering the situation. Meaning to check if there are vulnerabilities, without exploiting them.

----------

## Hu

 *queen wrote:*   

> Thanks a lot for the explanation, but I can't do anything like that, because I don't have access to their computer. I was only asked "can you tell if this site is secure"? 
> 
> Which tools can I, as an external user, try in order to check if that web site is secure? 
> 
> I used nmap and wireshark to check if ports are open. 
> ...


Whoever asked you that should clarify what they want.  pdr gave a good explanation of the types of security, and it would be helpful to know which type of security you are being asked to check.  Based on the little information you have provided, I do not see any of the "type 1" vulnerabilities that pdr mentioned.  Since you only scanned a small portion of the server's port range, this is an inconclusive result.  Unfortunately, type 1 is the easy part.

You can do a preliminary check of "type 2" by checking what versions of software they are running and comparing that to a list of known vulnerable versions.  Some servers will advertise their version when you make a request.  However, it is easy to make the server lie, so this should only be used to flag that it might be unsafe, not that it is safe.  A thorough check for vulnerabilities amounts to mounting a good attack on the system and considering it a "good" result when you fail to break in.

Obviously, this could be considered illegal, especially if you are doing it without the consent of the site's owners.  If the owner is the one asking you to check this, get it drawn up as a proper contract for a penetration test, with real signatures on paper from the involved parties.  I have read of people doing penetration tests, only to be subsequently prosecuted for "unauthorized access" because they did not get authorization from the right people, such as only having sign-off from the local IT contact when it needed to be run by Legal and the Chief Information Officer.

----------

## madisonicus

 *Hu wrote:*   

> Obviously, this could be considered illegal, especially if you are doing it without the consent of the site's owners.  If the owner is the one asking you to check this, get it drawn up as a proper contract for a penetration test, with real signatures on paper from the involved parties.  I have read of people doing penetration tests, only to be subsequently prosecuted for "unauthorized access" because they did not get authorization from the right people, such as only having sign-off from the local IT contact when it needed to be run by Legal and the Chief Information Officer.

This is really, really important.  Penetration testing of someone else's server is almost certainly a violation of your ISP's terms of use, not to mention quite possibly illegal.  Even "just looking" without the express permission of everyone involved is illegal in many countries.  Just like casing a bank or someone's house, it's planning to commit a crime and not OK.

You must make sure that you have ironclad legal documents authorizing you to do something like this beforehand; otherwise you expose yourself to prosecution.

Also, it doesn't look like you took any anonymizing steps, so your amateur pentesting is very easily traceable directly back to you.

-m

----------

## queen

 *Quote:*   

> Whoever asked you that should clarify what they want.  pdr gave a good explanation of the types of security, and it would be helpful to know which type of security you are being asked to check.  Based on the little information you have provided, I do not see any of the "type 1" vulnerabilities that pdr mentioned.  Since you only scanned a small portion of the server's port range, this is an inconclusive result.  Unfortunately, type 1 is the easy part.


I can scan all the ports; it will take ~2 hours.  I don't know even if this is legal. ;-(

 *Quote:*   

> You can do a preliminary check of "type 2" by checking what versions of software they are running and comparing that to a list of known vulnerable versions.  Some servers will advertise their version when you make a request.  However, it is easy to make the server lie, so this should only be used to flag that it might be unsafe, not that it is safe.  


I suspect that this is what the person meant, but I will ask. I don't want to get into trouble with prosecution. 

 *Quote:*   

> If the owner is the one asking you to check this, get it drawn up as a proper contract for a penetration test, with real signatures on paper from the involved parties


It is not the owner who asked me.

----------

## madisonicus

 *queen wrote:*   

> It is not the owner who asked me.

Then they're asking you to do something illegal everywhere that I can think of.

----------

## queen

 *madisonicus wrote:*   

>  *queen wrote:*
> > It is not the owner who asked me.
>
> Then they're asking you to do something illegal everywhere that I can think of.


I emailed the person and asked a few complicated questions. I'll wait for the reply. I didn't admit I ran nmap at all, although from checking the web this is legal, even in Asia (the web site is from Singapore). Playing on the safe side.  :Wink: 

----------

## Varsuuk

 *pdr wrote:*   

> ...
> 
> 2. The web site is secure.
> 
> ...(or consider running it in a chroot jail) 
> ...


pdr, hey there - I was actually surfing to see if I could figure out why/how I was messing up port forwarding on my gentoo-based router (and.../blush security) web server - I am trying to set up something to allow the grandparents to see their only grandson (I'm an only child and 42...heh - they waited a long time). Since they can only drive up every 6 months or so (Fla->NY), I thought it would be a good idea.

( https://forums.gentoo.org/viewtopic-p-4131718.html#4131718  )

Anyhow - on to my comment about THIS thread  :Wink:  :  I am 'running' a SIMPLE web site (plain apache default screen atm) with 2 forums planned (phpbb atm, one may change to vbulletin) - the first is 'up', just not 'connected' to the www page. It's for my D&D group to use and to stay in touch with old guild friends etc. The other will be a family post/gallery site.

Any SHORT (new father - 3-month-old - and I'm a Software Engineer (C++) with more hours in the office than I'd like) treatises on basic web securing for this web site and forums (I'll start watching GLSAs of course)?   I noticed the comment about chroot (I've never done that other than the gentoo install, but I'm comfortable with google  :Wink:  ) and was looking for that sort of 'everyone who is careful does X' sort of thing.

Atm, it is in an /opt2/www/ subdir owned by apache and I have some subdirs off that holding screenshots/baby pics etc. that I post from time to time elsewhere (thereby exposing the web addy for all to see).

In case it matters, I use an ISP with a dyn addy that hasn't changed for me in nearly 2 years - but to be on the safe side I run scripts to update a friend's nameservers who helps me with ddns.

Thanks for your time and direction (if anyone knows where to look or what to google that I haven't tried for the port forwarding issue, pls also holler),

Vars

https://forums.gentoo.org/viewtopic-p-4131718.html#4131718

----------

## queen

 *madisonicus wrote:*   

>  *queen wrote:*
> > It is not the owner who asked me.
>
> Then they're asking you to do something illegal everywhere that I can think of.


I got an answer. The person wanted for a hacker job. Naturally I refused.

----------

## pdr

Varsuuk -

I have seen either here or on gentoo-wiki.com a howto on running apache in a chroot jail.

If you are serving just static pages (markup, images - not php, etc.) and OPS (Other People's Software) then it's just a case of 1) lock down your server itself, 2) lock down apache, 3) check readme, install notes, etc. for phpbb et al for any security-related config items, and 4) check for GLSA notices.

The great thing I love about Gentoo is that it starts out secure - with the base install you don't even have sshd running and you only have two login accounts - root, and the "normal" user the guide recommends to add. So if you install gentoo and then, piece by piece add/start services, you have the opportunity to make sure each new piece is locked down before it goes online. To me this is tremendously better than, say, slapping on Ubuntu and then hunting furiously through ps et al to find out what is already running and securing it.

There are lots of guides out there on securing a web server. I don't run apache in a chroot jail as I don't feel it is required - the apache user is configured to have pretty limited access so I wouldn't gain much. The first thing I do when I install apache is, before starting it up:

1. Edit /etc/conf.d/apache2. By default it only enables the default vhost and is set to only keep the PATH env variable; for a home server (not using virtual hosts) this is probably fine.

2. Edit /etc/apache2/httpd.conf. In particular I comment out all of the LoadModule lines unless I know I need it for a base install.

Handy note here: don't just put an octothorpe (#) in front of the LoadModule line - personalize it like:

```
#PDR LoadModule auth_module                 modules/mod_access.so
```

This makes it simpler later on to see which were commented out in the original install, and which you added; if you have a problem, it is probably something you did   :Embarassed: 

The apache docs on www.apache.org have pretty good descriptions of what each module does.

Note that I also comment out (although, by rights, I should delete - but this way merging differences is easier in dispatch-conf) entries in httpd.conf that have to do with the default apache web page - the access to /var/www/localhost/xxx for icons, etc. This is in relation to step 5.

3. httpd.conf will automatically include /etc/apache2/modules.d/*.conf, so go look and make sure that they are OK and locked down. While you could rename a file if you never want it included (e.g. rename /etc/apache2/modules.d/40_mod_ssl.conf to, say, 40_mod_ssl.ignore) note that any apache updates will probably add it back in - and since there isn't an old one with the same name, might add it without even asking you (in dispatch-conf or whatever you update /etc with). I feel it is better to check the contents and wrap stuff in a <IfDefine xxx> kind of tag instead.

4. httpd.conf will also automatically include /etc/apache2/vhosts.d/*.conf. By default you only get 00_default_vhost.conf, and for a home server you will probably only use a single host, so you can leave this file here and edit it.

5. I then "rm -fr /var/www/localhost". I do not use this as my document root, and I don't need the files as examples. Since this is the default document root, I don't want it to exist in case I update apache and it somehow gets by me that it re-installs a config that serves from this directory. If you want it as an example, I would suggest renaming the directory.

6. Then I figure out where I want to serve files from. In my case I use /var/www but that is because at home I don't support file uploads; if I did then I would probably put it in its own partition (on my server /var is on its own partition - so /var/www is on the same partition as, say, /var/log). Why? You don't want a malicious (or even stupid) user to fill up a partition that will muck with the rest of the server - such as filling up /var so that the system logger has no more room to add messages.

Note that LVM2 is wonderful for setting up such a beast - you can grow the "partition" (logical volume) as necessary.

To be able to test apache, I put a little Hello World kind of static html page in my document root. If you are going to allow index.html to be served when someone requests a directory (usually a good idea) then that should be this file's name, since you can also test that functionality at the same time.

7. Now I edit /etc/apache2/vhosts.d/00_default_vhost.conf since I know where my document root is. I change the DocumentRoot to my root (/var/www), change the <Directory> tag so it references this directory, comment out everything that was in there by default, and limit access. What I end up with is (without the comments):

```
<Directory "/var/www">
    Options None
    Order allow,deny
    # my workstation
    Allow from 192.168.1.4
</Directory>
```

8. At home my intranet is behind a firewall, so instead of adding iptable rules on the server I just disable wireless access on the router (actually if I am not actively accessing it I keep wireless access off on the firewall) and make sure that nothing outside (internet) can initiate connections that I don't want with the server. At this point that means anything at all. Note that I prefer having an external firewall instead of using the server itself for this. Also note that if your intranet includes a wireless access point you should assume that the intranet is untrusted - yes, even if you are using wpa.

I personally find it easier to just assume my intranet is untrusted in general and protect each machine from the others as well as from the internet.

9. Now I fire up apache with "/etc/init.d/apache2 start".

It should have started OK - if not, check your error log and fix it. Then from my workstation I check the page via the browser. For me the url would just be http://central/index.html (my server has dnsmasq running so I can use "names" for my machines). Should see the Hello World page; if not, check the logs and fix it.

I also test from my laptop (hooked up to ethernet since I disabled wireless in the firewall) to make sure it CANNOT access the web page. This is to make sure I installed and correctly set up for mod_access.

If you want to serve up directory listings then also try http://central/ to make sure the Hello World page comes up - if not, fix it.

If you want you can try something like http://central/etc/passwd or some such to access outside the DocumentRoot (pick a file that apache has read authority to).

That is a base system. I don't actually have my home server set up to serve everything out of /var/www like that, so my next step would be to delete the index.html file and my 00_default_vhost.conf actually looks like:

```
<Directory "/var/www">
    Options None
    # need mod_access for this
    Order allow,deny
    Deny from all
</Directory>

...

# this is still inside the <VirtualHost> tag
Include /etc/apache2/apps.d/*.conf
```

This is because I created a /etc/apache2/apps.d directory, set the authorities as necessary, and now I can have configs for each individual web app that emerge won't accidentally muck up. I also have SSL enabled, and in the <VirtualHost> for port 443 I have:

```
Include /etc/apache2/apps.d/*.secure
```

For example, I have squirrelmail installed on the server, and in /etc/apache2/apps.d/squirrelmail.secure I have the config to enable it.

And I put apps in their own subdirectories under /var/www - for example, I put squirrelmail in /var/www/apps/squirrelmail (I put 3rd party apps in /var/www/apps and my own web sites in other subdirs under /var/www).

The next step for me would be emerging mod_php, checking for any no-no in 70_mod_php5.conf (I change the AddType for .phps so that it is also application/x-httpd-php - I don't want to display my php code), enabling it (in /etc/conf.d/apache2), restarting apache, and testing it with an index.php file (can just rename the index.html file).

If you are going to need database support then next would be installing and configuring/securing it.

Before putting any 3rd party apps on I would recommend a backup at this point (I love rsnapshot myself) - it will give you a base reference you can restore from if necessary. If any of the apps has a lot of user-defined config that would be a pain to redo, then after configuring them you might want to make a "reference" backup there too.
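Added example, not pdr's tooling: a small audit script for steps 2 and 7 above. It separates LoadModule lines the install shipped commented out from ones the admin tagged (the "#PDR LoadModule" convention), and flags two things httpd.conf will not forgive: a '#' after a directive is passed to that directive as extra arguments rather than ignored, and "Order allow, deny" with a space is two arguments where Order takes one. The httpd.conf fragment is constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample, not anyone's real httpd.conf: two modules left active,
# one disabled by the install, one disabled and tagged by the admin, and the
# two vhost directives from the post with comments tacked onto their lines.
SAMPLE_CONF = """\
# module lines as shipped by the install
LoadModule dir_module                  modules/mod_dir.so
#LoadModule proxy_module               modules/mod_proxy.so
#PDR LoadModule auth_module            modules/mod_access.so
LoadModule php5_module                 modules/libphp5.so
<Directory "/var/www">
    Options None
    Order allow, deny    # need mod_access for this
    Allow from 192.168.1.4 # my workstation
</Directory>
"""

# tag is None for an active line, "" for "#LoadModule", "PDR" for "#PDR LoadModule".
LOADMODULE_RE = re.compile(
    r"^\s*(?:#(?P<tag>[A-Za-z0-9_]*?)\s*)?LoadModule\s+(?P<name>\S+)\s+\S+\s*$"
)
ORDER_VALUES = ("allow,deny", "deny,allow", "mutual-failure")

@dataclass
class Report:
    active: List[str] = field(default_factory=list)
    disabled_by_install: List[str] = field(default_factory=list)
    disabled_by_admin: Dict[str, List[str]] = field(default_factory=dict)
    problems: List[Tuple[int, str]] = field(default_factory=list)

def audit_conf(text: str) -> Report:
    r = Report()
    for n, line in enumerate(text.splitlines(), 1):
        m = LOADMODULE_RE.match(line)
        if m:
            tag, name = m.group("tag"), m.group("name")
            if tag is None:
                r.active.append(name)
            elif tag == "":
                r.disabled_by_install.append(name)
            else:
                r.disabled_by_admin.setdefault(tag, []).append(name)
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # httpd.conf only has whole-line comments; a '#' after a directive
        # is handed to that directive as extra arguments, not ignored.
        if "#" in stripped:
            r.problems.append((n, "inline '#' is not a comment; move it to its own line"))
        m = re.match(r"Order\s+(.*)", stripped, re.I)
        if m and m.group(1).split("#")[0].strip().lower() not in ORDER_VALUES:
            r.problems.append((n, "Order takes one argument, e.g. allow,deny (no space)"))
    return r

def print_report(r: Report) -> None:
    print("active modules:", ", ".join(r.active))
    print("disabled by install:", ", ".join(r.disabled_by_install))
    for tag, mods in r.disabled_by_admin.items():
        print(f"disabled by {tag}:", ", ".join(mods))
    for n, msg in r.problems:
        print(f"line {n}: {msg}")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print_report(audit_conf(text))
```

Run it with the path to your httpd.conf (or a vhosts.d/modules.d file) as the first argument; with no argument it audits the constructed sample.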

----------

