Nikto Server Auditing and Resolving Issues.

If you are security conscious and want an easy way to determine which aspects of your server setup are currently exposed to known issues, you may want to try a server security auditor/scanner. There are lots of security scanning/auditing scripts and apps out there, including some websites that will audit your site and provide you with a free report.

Here we will look at the basic usage of Nikto 2, some of the common issues it points out, and how to resolve them. This guide is targeted at users running a LAMP stack (Linux, Apache, MySQL and PHP), though much of it applies to other setups too. Hopefully the information in this article will help get you started.

If you do not have Nikto already, you can download it here.

Usage is relatively simple, just type:

$ perl nikto.pl -h yourdomain.com

Or do a more comprehensive scan, which also probes every CGI directory location Nikto knows about (the host is always given with -h):

$ perl nikto.pl -h yourdomain.com -C all

Here are some common results you will get, and some things to consider when remedying each issue.

+ Cookie PHPSESSID created without the httponly flag

+ Cookie __cfduid created without the httponly flag

The __cfduid cookie is set by CloudFlare's edge, not by your server, so you won't see this if you do not use CloudFlare, and nothing in httpd.conf will change it. It's nothing to be concerned about. The PHPSESSID finding is yours to fix, though: without the HttpOnly flag, any JavaScript running in the page (for example through an XSS bug) can read the session cookie via document.cookie and hijack the session. Setting session.cookie_httponly in PHP makes the browser withhold the cookie from script.
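The following is an added example of that fix, not code from the original article. It assumes Apache 2.2 with mod_php (php5_module) and mod_headers loaded, as on a stock RHEL/CentOS LAMP install, and goes in /etc/httpd/conf/httpd.conf or the site's VirtualHost block; restart httpd afterwards.

```apache
# Added example, not from the original article: make the PHP session cookie
# HttpOnly. Assumes Apache 2.2, mod_php (php5_module) and mod_headers.

# 1. Have PHP itself set the flag on PHPSESSID. php_admin_flag cannot be
#    overridden from .htaccess or ini_set(), so the setting holds site-wide.
<IfModule php5_module>
    php_admin_flag session.cookie_httponly on
    # Add the Secure flag too, but only if the whole site is served over HTTPS;
    # otherwise the browser will never send the cookie back over plain HTTP.
    # php_admin_flag session.cookie_secure on
</IfModule>

# 2. Catch every other Set-Cookie the site emits (application cookies included):
#    append HttpOnly unless the value already contains it. The negative
#    lookahead keeps the edit idempotent, so it is safe to combine with step 1.
<IfModule mod_headers.c>
    Header edit Set-Cookie "(?i)^(?!.*;\s*HttpOnly)(.*)$" "$1; HttpOnly"
    # Apache keeps two response-header tables, and cookies set on non-2xx
    # responses (a login that sets the cookie and 302-redirects, a custom 404)
    # may sit in the "always" table. Neither table is a superset of the other,
    # so the directive is repeated for both.
    Header always edit Set-Cookie "(?i)^(?!.*;\s*HttpOnly)(.*)$" "$1; HttpOnly"
</IfModule>

# Verify after the restart:
#   curl -sI http://yourdomain.com/ | grep -i set-cookie
```

Prefer step 1 where you can: it fixes the cookie at the source, and the mod_headers rewrite is a safety net for cookies your application sets itself.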

+ The anti-clickjacking X-Frame-Options header is not present.

To set the X-Frame-Options response header, add a mod_headers Header directive for it to your /etc/httpd/conf/httpd.conf (or to the relevant VirtualHost block). Don't forget to restart httpd afterwards.
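The article's original snippet does not appear on this page. As an added example (not the article's own code), this is the standard mod_headers directive; it assumes mod_headers is loaded and that httpd.conf lives at /etc/httpd/conf/httpd.conf.

```apache
# Added example, not the article's own snippet. Assumes mod_headers is loaded.
<IfModule mod_headers.c>
    # DENY: no page, not even one on your own site, may put these pages in a
    # frame. Use SAMEORIGIN instead if your own pages legitimately frame each
    # other (e.g. an admin UI built from iframes).
    Header always set X-Frame-Options "DENY"
</IfModule>

# Restart, then verify (the header name is case-insensitive):
#   service httpd restart
#   curl -sI http://yourdomain.com/ | grep -i x-frame-options
```

"always" makes the header go out on error pages and redirects as well as on 200 responses, which matters because a framed error page can be abused for clickjacking just like a normal one.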

After setting this, and running another test, you might find you now get this:

+ Uncommon header ‘x-frame-options’ found, with contents: DENY

This is not a complaint about the value. Nikto reports any response header that is not on its list of well-known headers as "uncommon", and X-Frame-Options is simply not on that list in this release. DENY is the stricter of the two valid settings (SAMEORIGIN allows your own pages to frame each other); either is fine, and this line can be ignored.

+ Uncommon header ‘cf-cache-status’ found, with contents: MISS

This is CloudFlare telling you whether it served the response from its cache (HIT) or had to fetch it from your origin server (MISS). It is informational, not a vulnerability, and Nikto reports it only because the header is not on its known-header list. If you see MISS for static assets you expected CloudFlare to cache, check that your server's clock is correct and that httpd.conf sets sensible Expires/Cache-Control headers, so the assets are not treated as stale; you may need to log in to CloudFlare, purge the cache and visit the site a few times before the cache is warm.

+ Server leaks inodes via ETags, header found with file /n8YeaczG.pl, fields: 0x3c3 0x4bbd982a52140

The ETag Apache generates for a static file includes the file's inode number by default (FileETag INode MTime Size); the first hex field Nikto shows is that inode. It is a minor information leak (it exposes filesystem metadata and lets an observer tell individual servers apart behind a load balancer), and inode-based ETags also defeat caching across multiple servers because each one tags the same file differently. Disable ETags, or at least drop the inode from them, with the FileETag directive in /etc/httpd/conf/httpd.conf.
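The article's original snippet does not appear on this page. As an added example (not the article's own code), assuming Apache 2.2 and the /etc/httpd/conf/httpd.conf layout used above:

```apache
# Added example, not the article's own snippet. Assumes Apache 2.2; FileETag is
# valid in the main config, in <Directory> blocks and in .htaccess.

# Turn ETags off for static files, as the article recommends. Browsers then
# fall back to If-Modified-Since against Last-Modified for cache validation.
FileETag None

# Belt and braces: strip any ETag that a module or backend still adds.
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>

# Alternative if you would rather keep ETags (this is what Apache 2.4 does by
# default): leave out only the inode, so the tag is identical on every server
# that holds the same copy of the file.
# FileETag MTime Size

# Restart, then confirm no ETag comes back for a static file:
#   curl -sI http://yourdomain.com/robots.txt | grep -i etag
```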

+ robots.txt retrieved but it does not contain any ‘disallow’ entries (which is odd).
+ “robots.txt” contains 7 entries which should be manually viewed.

If you have a robots.txt file you may receive one of the two messages above. Neither is a serious finding, but both deserve a moment's thought. robots.txt is not a security control: it is a public file, and every path you Disallow in it is a hint to a human attacker about where the interesting things are. So review the entries, as the second message suggests, and never list admin panels, backup directories or other paths you would rather not advertise; protect those with authentication or access rules instead. Sensitive data should not be sitting in crawlable HTML in the first place. The reason to add some default Disallow entries is SEO rather than security. Search engines use this file to decide which pages to index and cache, and since Google's Panda update, pages with a high markup-to-content ratio drag down your ranking. Blocking pages that are just forms, or otherwise useless to searchers, lets Google and the other engines concentrate on the pages that really count, so the pages that do get indexed have a better content-to-markup ratio and your overall ranking improves.

How to write a robots file.

+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.

You will see this on Apache/Linux with no .NET or other Microsoft technology installed, because it is a generic Nikto check rather than an IIS-specific finding: Nikto sends a request using the non-standard DEBUG method and flags the result when the server answers 200. Apache has no debugging feature behind that verb, so there is nothing to leak, but the 200 does tell you that the server passes arbitrary methods through to the handler (PHP, for one, will run a script for any method it is given). Restricting the site to the methods it actually needs, with LimitExcept, silences the check and removes a little attack surface. If you are running IIS with .NET set up, check the link in the message for advice on disabling debugging.

+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)

Nikto prints this when none of the CGI directories it tries by default (/cgi-bin/, /cgi/ and so on) answered. If you have denied all access to your cgi directories, this is the message you should expect, and it is a good thing. It is still worth doing as it says and re-running with '-C all': that forces Nikto to probe every CGI directory location it knows about, which is noisy for your server and takes considerably longer, but any directory it does turn up should then get a deny-from-all directive.
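The following added example (not from the original article) covers both the DEBUG-verb finding above and closing the CGI directory. It assumes Apache 2.2 on a RHEL/CentOS layout, i.e. /etc/httpd/conf/httpd.conf with the stock "ScriptAlias /cgi-bin/ /var/www/cgi-bin/"; adjust the paths to match your server.

```apache
# Added example, not from the original article. Assumes Apache 2.2 with
# mod_authz_host and the stock /var/www/cgi-bin ScriptAlias.

# 1. Answer only the methods the site actually uses. Anything else (DEBUG,
#    TRACK, PUT, DELETE, ...) gets a 403 instead of being handed to PHP or the
#    default handler, which is what turns Nikto's DEBUG probe into a 200.
#    Add OPTIONS to the list if you rely on CORS preflight requests.
<Location />
    <LimitExcept GET POST HEAD>
        # allow,deny so that Deny wins even if an Allow from all is inherited.
        Order allow,deny
        Deny from all
    </LimitExcept>
</Location>

# <Limit>/<LimitExcept> cannot block TRACE (see the Apache docs for <Limit>);
# disable it with its own directive. It is the classic cross-site-tracing vector.
TraceEnable off

# 2. Close the CGI directory if the site does not use it. The stock httpd.conf
#    already has a <Directory "/var/www/cgi-bin"> block; edit that one rather
#    than adding a second, and keep it even if you drop the ScriptAlias.
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Deny from all
</Directory>

# Apache 2.4: replace each "Order ..." / "Deny from all" pair with
# "Require all denied" (mod_authz_core), or load mod_access_compat.

# Verify after the restart: both should return 403, not 200 or 501.
#   curl -s -o /dev/null -w '%{http_code}\n' -X DEBUG http://yourdomain.com/
#   curl -s -o /dev/null -w '%{http_code}\n' http://yourdomain.com/cgi-bin/
```

Re-run Nikto with -C all after the restart; the DEBUG line should disappear and any CGI directory it still finds is one you have not yet locked down.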

The cgi directories are not the only directories you will likely need to close up. Plesk, for example, leaves a number of directories wide open. See my other post on hardening Plesk for more information on how you can fix some of the remaining issues.

HP Pavilion dv6-3119sa Entertainment Notebook PC (XU644EA) Review

New laptop! YAY. So I decided I wanted a new machine to run Linux on, as it's a bit tiresome running Linux in a VM, and on my MacBook Pro the EFI is often problematic for Linux installs; that said, there are workarounds, but I preferred to avoid that grief and go for the simpler option. So I bought a new laptop for my Linux installs so I could take it out and share what I am working on with friends, anything *nix related.

I had planned to learn a bit about hypervisors in the future and how to effectively run and manage Linux machines on a hypervisor, and this is great for that. Now I can take it out and work with friends in person with it.

So, for the review: I had looked around pretty hard to find a decent laptop that wouldn't break the bank but that also had good hardware and a design that does not compromise, which incidentally is very difficult to find. Most laptops out there, in my humble opinion, are just ugly; for those of us who prefer something with a bit more taste, the HP Pavilion dv6-3119sa is a beautiful machine. If you're a fan of Macs, much like myself, then you will love this machine for running Windows. The typical install of Windows it ships with (Windows 7) works great on the Core i5 processor in it, though like most new machines you will need to decrapify it (URL: http://www.pcdecrapifier.com/) to make it run at its best.

With its streamlined shape and slim profile, along with its black chiclet keys and multi-touch trackpad, this machine is quite reminiscent of the aluminium MacBooks. Of course this is discounting the fact that the case is not a unibody design and it comes with a drive tray instead of a slot-loading optical drive. That said, overall it's a really nice machine, especially for Windows users who desire a better-looking machine that delivers results.

Things of note, however, are that you don't get a recovery DVD, as seems to be customary with so many PC manufacturers these days, and that for running Linux you may encounter a few hiccups.

I find the trackpad to be somewhat annoying in Linux distros, namely because HP decided to emulate the MacBook to the degree that the trackpad has only one click button under its surface, which maps to a right or left click on the basis of which side of the touchpad your finger is pressed on. This is very annoying on the typical Linux desktop environment because Synaptics doesn't seem to offer any Linux drivers or software to support this, or at least not that I have found yet, and so I am left without a right-click option as a result, because Linux considers clicking anywhere a left click, even on the right-hand portion of the trackpad.

Also, in my experience thus far I find the wireless to be sketchy, but this may not be the fault of the machine or Linux. To clarify: Windows 7 runs on Wi-Fi just fine with no problems; setup was quick and painless and I was on the web in no time. In Linux, however, it has been a different story. Linux Mint 10 LXDE and XFCE seem to connect to the wireless router just fine, though Mint 10 KDE and GNOME seem to not want to connect at all, and I have tried playing around with the settings but am yet to find the problem; it could be a configuration issue. Xubuntu is also facing similar problems. Kubuntu and Ubuntu are yet to be tested on this issue.

On the plus side, however, I consider the boot-up of most Linux distros on this machine to be very fast.

In terms of price, I find ordering directly from HP to offer the best price on this laptop and was not able to find it cheaper elsewhere, so I would recommend buying direct. I did do a Froogle search and also checked Amazon and Ebuyer directly, but they could not beat HP's own price.

http://h40059.www4.hp.com/uk/homelaptops/product.php?id=XU644EA&experience=direct

In conclusion, I highly recommend this laptop from my usage of it thus far; it has great design, works well, boots fast and looks great.