Is your web server secure?

Well, no one can tell for sure. But if you don’t want to have the most obvious security holes in your configuration, Nikto may be one of your friends. Once you have it installed (check out your Linux distro repository for details), it can be easily started via

nikto -h <your.host>

or sometimes

perl nikto.pl -h <your.host>

There’s one issue with Apache that, to my knowledge, can only be solved partly. TRACE should not be allowed as an HTTP request method. Unfortunately, it can’t be turned off. It is, however, possible to almost disable it. Put the following configuration lines inside your “virtual host” section:

# Answer every TRACE request with 403 Forbidden
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
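
To confirm the rule is active after reloading Apache, send a TRACE request to your own host and look at the answer. The Python script below is an added example, not part of the original post; the file name check_trace.py, the X-Trace-Probe header and the verdict labels are made up for illustration.

```python
import http.client
import sys
import uuid


def classify(status, content_type, body, marker):
    """Interpret the answer to a TRACE probe that carried `marker` in a header."""
    echoed = marker in body
    if status == 200 and (echoed or content_type.lower().startswith("message/http")):
        return "enabled"    # request was reflected back: TRACE is active
    if status == 403:
        return "blocked"    # what the [F] flag of the RewriteRule produces
    if status in (405, 501):
        return "rejected"   # server refuses or does not implement the method
    return "unknown"        # anything else needs a manual look


def probe_trace(host, port=80, use_tls=False, timeout=5):
    """Send one TRACE request and return (verdict, HTTP status)."""
    marker = "trace-probe-" + uuid.uuid4().hex  # constructed, unique per run
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        ctype = resp.getheader("Content-Type", "")
        return classify(resp.status, ctype, body, marker), resp.status
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_trace.py <your.host>")
    verdict, status = probe_trace(sys.argv[1])
    print(f"TRACE on {sys.argv[1]}: {verdict} (HTTP {status})")
    sys.exit(1 if verdict == "enabled" else 0)
```

Run it once for each virtual host name, because the rewrite lines only cover the “virtual host” section they were placed in.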