Ask Slashdot: Do-It-Yourself Security Auditing Tools?

An anonymous reader writes "I'm a 'prosumer' website builder, have a few sites that are mainly hobbies, but I would like to know that they're at least fairly robust. I'm thinking of the equivalent of a 'dental clinic' — where someone interested in the white hat security field might be willing to take on an audit for the experience and to build a resume. Or, tools such as websites that let you put in a password and see how long it takes to crack it. Or sites where you can put in a URL and it gets poked and prodded by a number of different cracker tools and a 'score' is given. Ideally with suggestions on how to improve. Does anything like that exist? I'm not talking FBI/CIA level security, but just common-sense basics. I've tried to use techniques that improve security, but I don't know how well they work. And I've realized that in the ever growing, fast changing field of computers I'm not going to ever get the knowledge I need to do this myself. I know there are software suites that allow you to sniff and test things on your own, but I'm afraid it's overwhelmingly foreign to me and I just feel like I can't reliably do this myself. Any ideas?"

Anyone Compile A List?

[JacobLeclerc]

I believe this questions really requires a list of possible attack vectors. Is a list like that even possible, or is it infinite.

Re:Anyone Compile A List?

[Art+Challenor]

I believe this questions really requires a list of possible attack vectors. Is a list like that even possible, or is it infinite.

The known vectors are finite.

Re:Anyone Compile A List?

[smooth+wombat]

The known vectors are finite.

Yes, the number equals 1: human.

Fix that attack vector and you won't have anything to worry about.

Re:Anyone Compile A List?

[davester666]

And the unknown vectors are infinite.

Re:Anyone Compile A List?

[Art+Challenor]

Nah, a vector has magnitude and direction. I would say for at least human/2 the best you could hope for would approximate a drunken curve.

Good news is human/2 is finite unti human == infinte.

Re:Anyone Compile A List?

[sortius_nod]

Not true at all.

While humans are the biggest attack surface, they are far from the only one.

My suggestions are Backtrack Linux & a copy of The Art of Deception by Kevin Mitnick.

Backtrack has some great security auditing tools, however you will still need to understand exploits to test for them. The Art of Deception gives real world examples of social engineering & suggestions on how to plug those gaping holes called humans.

You could try PWNPI

[randomErr]

This is a nifty suite of programs made for a lot of what you want that runs on a Raspberry Pi. If you don;t want to get a Pi you can look at the list of software and download then into your favorite Linux distro. Most (if not all) of these are open source.

http://pwnpi.sourceforge.net/

4chan

Post your site on /b for maximum security pokes

Whats the point?

[Splab]

What's the point of "basic" security check?

But a quick search for metasploit should get you going, perhaps add a Nessus scan and go watch some Def Con presentations on SQL injection and penetration testing http://www.youtube.com/user/ChRiStIaAn008 is a good place to start.

Re:Whats the point?

[rmdashrf]

Add to that mod_security if you're using Apache and should be fairly ok for basic sites.

Re:Whats the point?

[corychristison]

Also note mod_security is also available for Nginx and IIS.

OpenVAS

Nessus is the big cheese with the big price but OpenVAS is the way to go. Do have a machine with plenty of power.

Hosting company

[schneidafunk]

If you have a decent hosting company, they'll do this for you. Mine will send out alerts if a popular CMS install has a known hole in it, and require people to upgrade the software.

C'mon

You have no idea what you're doing, you have no idea what you WANT to do, and you have no idea what you need to do in order to get the knowledge to do whatever that is.

Please, re-think your idea.

Web vulnerability scanner list

There are plenty of web (vulnerability scanners) that you could use, some requiring no experience and point and click, otherwise will require prior knowledge.

http://sectools.org/tag/web-scanners/

Security auditing is mostly about documentation

Hate to tell you, but security auditing is mostly about documentation. Checking that the right documents are in place and have been updated, verifying office procedures, physical security, etc. Technical tests are mostly about checking for the status and presence of files or configurations, not about probing networks or white hat hacking. There is a vaild business opportunity in pen testing, which is just one component of auditing, and is not even needed for every type of audit.

Re:Security auditing is mostly about documentation

[jeffmeden]

Hate to tell you, but security auditing is mostly about documentation. Checking that the right documents are in place and have been updated, verifying office procedures, physical security, etc. Technical tests are mostly about checking for the status and presence of files or configurations, not about probing networks or white hat hacking. There is a vaild business opportunity in pen testing, which is just one component of auditing, and is not even needed for every type of audit.

This. While it would seem logical to put a round of known vulnerabilities into a scanner (like a Virus Scanner works) in the real world this is extremely tricky. Vulnerabilities that come about from combinations of different packages and different configurations interacting are very hard to systematically detect, and even if you do detect them they are just one piece in the huge puzzle that is information security.

Case in point, I often get audit reports from "creditable" security professionals that there are a set of vulnerabilities in XYZ product, specific to "somesoft operating system 9.0", when in fact the product in question uses no such operating system (or even one similar to it) so the "audit" was obviously just a set of false-positives from a scanner tool. Scanner tools are just that, a TOOL, they are not even close to a true security solution that would produce a meaningful audit; that can only come (at least in this day and age) from a combination of tools and a *lot* of expertise.

Use standard software and keep it up to date

[quinto2000]

From the way you describe your goal, you are building mostly one-off websites. For small companies and the like? You'll be best off just using popular open source products like Drupal, WordPress, or ModX and keeping up to date with security updates. Many of these will automatically notify you of security updates and you can apply them right away. Don't try to host the websites on your own server either. Get a hosting product from a company that will keep the underlying OS, Apache, and PHP up to date and secure. This will reduce your exposure quite a bit. You still need to make sure to choose good passwords. Nessus or OpenVAS are also an option.

Read ArsTechnica

Two articles on arstechnica recently covered booters (paid services to attack your sites using a large set of vectors), and password cracking for script kiddies.
Here they are :
http://arstechnica.com/security/2013/03/details-on-the-denial-of-service-attack-that-targeted-ars-technica/
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

That should give you a first hint...

OWASP

Posting as AC because for some annoying reason Slashdot won't let me log ion right now...

https://www.owasp.org/index.php/Web_Application_Penetration_Testing

You probably already took the test

Whether you wanted to or not, just by having a site, you've already asked the whole Internet to check it out. One way to find out if you've done things right, is to look for evidence that you've done things wrong. And there's a little tip I learned...

Grep your logs for your table names.

If you have an injection hole, for example, then automated spiders have already found it and exploited it, and (so far) they don't obfuscate or even escape/character-encode their requests, so you'll plainly see their injected queries in your logs.

Preferably, look for site-unique table names, so that you'll know they could have only gotten the name by successfully querying the schema. You're going to see lots of scary-looking things in your logs, but some of those are just unsuccessful attempts. A unique table name (hint: use tables names with the word "user" or "password" in them) will be a dead giveaway they succeeded.

Don't ask me how I know what that looks like. Hey, it wasn't my fault. Mostly. Ok, partly but mostly not. Look, it's complicated, and involves an inherited legacy, OKAY?! Everybody just back off. ;-)

Anyway, when you see that, then it means you screwed up, so you'll learn something and know you need to fix something. If you don't see it .. sadly, you won't really know much more than you did before.

You need to sit down and read a bit

[whitroth]

And I gather you (the OP) is getting worried; the problem is that you're not paranoid enough.

Do you, for example, validate your code using the HTML validator from w3c?

You also need to learn to run tools. I mean, online website tools are nice... as long as you're *SURE* that they've not been hacked, nor are they actually crackers trying to lure you in.

Determining what tools to use is another issue: are you writing for Windows or *Nix? There's a lot more free tools on the latter, but you will have to learn more. For example, there are older, free versions of nessus.

Get yourself a good book, maybe from the publisher O'Reilly, on security.

                  mark "not even getting a kickback from O'Reilly for the plug"

Re:Post your password here

[ciderbrew]

No.You'd be able open my luggage if I gave you that.

Go check out sectools.org

[xanthos]

Sectools.org has a comprehensive list of tools with explanations of what each one does. Look at the web tools and the vulnerability scanners and you will find something you feel comfortable using. Most of the other tools mentioned so far can be found there. Also, the Open Web Applicaiton Security project (owasp.org) has some good information on secure app development.

good luck.

Be different

[holophrastic]

If yours isn't a mass-market, mass-profit, hugely-popular site, you don't need to secure it. You just need to be different enough that the standard chinese attack vectors looking for standard run-of-the-mill popular web-site building packages don't find any.

Trust me, no one's going to your tiny site and trying to find the holes -- no matter how big they are.

We secure bank vaults with big heavy locks. Your house with a tiny mediocre lock. Your car door with a tinnier very crappy lock. Your car trunk with a down-right shitty lock.

Just be different. It'll get you through the 99% that you care about.

Re:Be different

That's silly... small unsecured servers are targeted because they are easy prey and can relay spam. Just because you don't have valuable customer data to exploit does not take you off the target list.

Re:Be different

The bots don't care how popular your site is. All they want an exploitable vulnerability on a host with reasonable bandwidth. You'll be scanned within minutes of going online. And exploited minutes later if you have a common vulnerability.

Re:Be different

[holophrastic]

No one's going to find this small unsecured server, and figure out how to hack some mystery unknown customer software. It's just not worth the trouble.

Re:Be different

[holophrastic]

I think you missed my entire statement. Which is odd, because it was in both the title and the body.

Different != Common. Make a note.

Re:Be different

[holophrastic]

First of all, go back to grade six english and learn subject-verb agreement. "fewer defenses" or "less defence". Never "less defenses". The plural "defenses" is a declaration of quanta, not amount.

Second, and something I've said to others: Different != typical. Different means that a hacker would need to find you specifically, look at you specifically, and craft a hack specifically. It's very easy for them to do, and is not something that they will do.

Re:Be different

[holophrastic]

Correct on all three. But you've missed two:

Different != worth exploiting compared to the myriad others

Secure != non-exploitable, ethan hunt can break into anything

Secure != free, cost-effective, profitable, nor worth doing most of the time.

I gave you that last one free of charge. Most people forget that secure has a cost, often greater than repairing the hack, or even just tolerating the hack. Ooh, someone changed my home page. Watch me change it back. For most businesses, that's not a problem worth avoiding. It's a $10/year problem, and you're suggesting a $100/year prevention.

You're putting security above actual profit and features and development and business and customers and time and recreation and family and friends and fun. That's a very big opportunity cost and monetary cost for a web-site that isn't mission-critical.

Re:Be different

[holophrastic]

Hey, it's worked for me. It's worked for me for two decades now. It works for my clients too -- also for two decades. We're all happy. We're all making money. We're all not worried. And over the course of the last twenty years, my servers have been what we'll all call non-responsive to client requests due to hackers for a total of six hours spread out over 15 separate occasions. That basically works out to once a year it takes thirty minutes to block the attack.

Thirty minutes of down-time, once per year, due to outside hacking (usually china attacking, by the way), may or may not be acceptable in your head. But to all of my clients, it's not worth spending more than $10 to avoid. So unless you can improve security in five minutes, no one cares. What's more, thirty minutes of down-time per year is well within the SLA of anything. Think about it. 99.999% uptime still works out to over 8 hours of down-time per year. How many nine's are you expecting?

Even mission-critical sites are down more than that. Even google's down more than that. The only things that aren't are real safety-related infrastructure, and most of those are also down more than that. Even electricity in government buildings is down more than that.

You're trying to 100% solve a problem on principle that simply isn't a problem for anyone in practice.

Like I said, it's worked for me for more than two decades now. Live your own life.

And, oh yeah, put your name alongside your arguments, are you aren't worth spit.

Re:Be different

[holophrastic]

I'm not a proponent of security by obscurity. I'm a proponent of not ignoring something that works. So as a result, obscurity is a useful tool, alongside other tools, when it comes to security.

So I start like so.

First, Ethan Hunt can break into anything. So no matter what I do, I won't be secure.

Second, there's an amount of security that costs more for me to implement than the money I'd lose from the attacks. So that's my upper bound.

Third, there's an amount of attack that costs me a significant amount of money -- clients leaving and data lost and all that. So that's my lower bound.

Somewhere in between the upper bound and the lower bound is a balanced target for my security efforts that keeps things profitable for me and for my clients.

Anything that brings me to that balanced target is the perfect solution. Doesn't matter what techniques those are. It's the result that matters.

I start with obscurity, because it's often the easiest to implement in my world -- I build on in-house proprietary platforms that I've built myself over the years.

Then I check the results. Sometimes, often in my world, the obscurity has already brought me to my balanced security target. Meaning that any more effort would be a waste of money for everyone. So I stop there.

I've been doing this for twenty years. I have about six hours of security-related down-time across those twenty years. That's wonderful. No one's got a significantly better record than that (outside of some life-safety infrastructure, and certainly not all of them).

So that's how I sleep at night. I look at the time and money that I spent, and I look at my very successful results.

My question to you is thusly: how do you sleep at night, as someone who secures something that just happens to never be attacked? Isn't that like locking the door on the only house for 100 miles? If no one's attacking you, why would you wear plate armour walking down the street?

It's exactly like wearing a helmet to school. Yeah it would protect you were to bang your head into the wall. But if you don't tend to bang your head into walls, it's kind of pointless.

Re:Be different

[holophrastic]

And you might want to put your name next to your argument. Otherwise, you aren't exactly showing much confidence in your statement.

Re:Be different

[holophrastic]

Hmm, trolling. I used my name; you didn't. My post was modded up, yours was modded down to zero -- as was the post to which you replied. Hmm, trolling.

Re:Be different

[holophrastic]

Actually, I was thinking the same thing, but the car door can be broken into without accessing the locking mechanism at all -- like when you call for help having locked your keys in your car. They don't pick the lock, they simply pry the door or window.

But yeah, it all comes down to making one link in the chain stronger than the others -- does you no good. The same is true on the web-sites. Unless you're going to secure each and every possible attack vector -- and keep on top of that as new ones appear -- then that type of security isn't going to be successful.

It's worth noting that biological immune systems work by being different across a species. It's also worth noting that the vast majority of animals create safetly by hiding. And the majority of those hide by obscuring themselves in a large group of comrades.

Obscurity doesn't work against targetted attacks. It does work against wide-spread attacks. And we all know that they only way to be secure against targeted attacks is to either be better at security than your attacker (which is incredibly expensive in every way, think military power) or to not be worth attacking (which is why we have laws, by the way.).

And come on. If you're going to discuss something with someone, put your name to your argument.

Re:Be different

[holophrastic]

Read harder. I said "different". You said "standard". Different is the opposite of standard. And that was my entire point, advice, recommendation, and successful strategy for the last twenty years of my business.

Re:Be different

[achbed]

China and Russia thank you for your small unsecured server that is now a full-blown botnet C&C server. Hope your customer doesn't mind their unknown software going slow.

Re:Be different

[achbed]

If that unimportant unsecured box has any value to you at all, I would suggest a test. If it's running a variant of UNIX, get and install iptables and csf/lfd. Let it run for a day (or a week- even better). See how many logins and hack attempts it registers. If the answer is none, then you win. Otherwise, you are under attack and didnt know better.

I run what would be considered an unimportant out of the way box myself. In fact, I've gotten scans and login attempts from all over the planet. This is for boxes that are in a hosting farm and for my home machine (no DynDNS or anything there).

If you have a device on the open internet, it's getting probed. Guaranteed. And if it's probed, and can be owned, it is. In fact, most professional and/or state-sponsored groups have toolsets that are set to scan/hack/add to botnet in one step, and they're let loose on multiple subnets to gather as big an army as possible (and I use the word Army intentionally).

Re:Be different

[holophrastic]

Umm, wrong-o. I've been in business for twenty years. Over the course of two decades, my servers have been down due to security-related attacks for six hours spread out over the two decades. You'll find that to be a very successful result across the industry. I profit, my clients profit.

It's worked and is working for me.

How's your business doing?

Re:Be different

[holophrastic]

All the time my friend. Thousands each and every day. I can't even begin to count the number of dumb ones to /phpmyadmin.

But being different means that there's simply nothing there to attack. All standard things just don't show up. So I get probed, and not attacked.

Sure, it costs me loads of bandwidth, and my logs are a disgusting mess. And sometimes the number of connections alone causes a problem -- which is a part of those six hours -- so I get to block one ip, or change a port, mid-attack. That happens once or twice a year, and it takes a few minutes to notice and block. We call that down-time, and it's totally acceptable to all of my clients.

Always remember, we're not trying to be invulnerable. We're trying to spend less money on security than we would lose from the attack.

Re:Be different

[Zaelath]

If it was a good attack, you didn't even know you were pwned.

I've seen good attacks... and the only reason they were noticed at all is because they had layered security and some small file changes weren't covered up and someone with time on their hands reading the reports. The client reponse was to ask to stop reading the reports because it was more expensive to repond to the attack which caused other people a loss than to ignore it.

So any time I see a jackass suggesting security isn't something you need to worry about too much, and is "hosting" other people's data, I tend to smirk to myself and be glad they're not hosting mine.

Re:Be different

[holophrastic]

But, that's exactly the point. If I don't notice it, then it didn't hurt me. Why would I spend one penny or one minute trying to respond to something that has zero impact on me?

Re:Be different

[Zaelath]

Because by that logic, you're ok with me drugging you in your sleep, sitting around in your livingroom watching the TV and watching your kids sleep, then leaving before you wake up.

And to extend the analogy to the "damage to others", I send your kids a video after your death of their toothbrushes being used to polish your anus.

Yes it's a stupid analogy, but yours is a stupid argument.

Re:Be different

[holophrastic]

I won't let you cross the line between the safety and security of my life, and that of my business.

My life is my own, for my own pleasure and desires.

My business isn't for anything but profit. You improve my life by safe-guarding my sleep and my couch. You cost me profits when you add security efforts to my business. The sole purpose of my business is for me to profit. Taking that away isn't improving the business, it isn't even limiting the business; it's completely eliminating the purpose of the business in the first place.

If you drug me in my sleep, you remove my ability to escape from a fire, protect my property or my family.

If you infest my web server, and use it for your own purposes, without affecting my business, then you simply have me paying for your benefit. I don't want to do so, but it's business -- stopping you costs money. If that's unused capacity, then stopping you costs more than leaving you be.

Re:Be different

[Miamicanes]

Three big things you can do to de-target-ify yourself:

* use SQL prepared statements, never concatenate strings

* never touch the user's real password... key-stretch it client-side using PBKDF2, and only send the salt & hash to your server. People use the same password everywhere, and attackers know it. If you don't KNOW the passwords of your own users, your site is a lot less interesting to attackers.

* block outbound traffic on port 25.

ok, I lied... here are a few more...

* Don't allow connections to your sql server from anywhere besides localhost... then use ssh to connect to it remotely

* never, ever, EVER think you can omit logins & rely on secret URLs. Http-Referrer is a nasty bitch, and she'll bite you eventually... probably via your phone's browser, which doesn't allow you to disable it, and sends https referrers, too.

* (the hard one) make sure your site isn't vulnerable to XSS, so others can't use it as their own attack vector.

Re:Be different

[holophrastic]

Yeah, realism, reality, experience, ROI, cost-benefit, risk-reward, and statistics are a straw-man argument. Good one.

You work your way. I'll work mine. I'm happy with mine. If you're happy with yours, so much the better. A few observations though.

a) you don't put your name alongside your argument. So neither is worth spit.

b) The original poster asked for advice. I gave mine. I've not asked for your advice. I don't want it. And yet, you've decided not only to advise me, but to do so with vulgarities. So, once again, yours are not worth spit.

Enjoy fencing in -- or I guess you'd build a ten-foot stone wall -- a six acre field to keep out trespassers who only want to camp on your land. Have fun with that.

Kali Linux

[Jane+Q.+Public]

This suite of tools used to go under the name of "BackTrack", most recently BackTrack 5. It has now been named Kali Linux.

This is a full-blown Linux distro with all the security tools you are ever likely to need. Metasploit? It's there. Nessus? It's there. The actual list of tools is huge.

Kali won't teach you everything about using the tools (though there are good instructions available online). But it does offer all you could want in one package.

Re:Kali Linux

[geminidomino]

I didn't know BT was renamed. I thought it had just petered out. Thanks for that.

I thought it was more of a forensic distro, though.

Re:Kali Linux

[Jane+Q.+Public]

Some of the tools can be used for forensics. But it has a large number of penetration testing tools for doing security audits. The largest and best collection I know about. Of free and open source tools, anyway.

Re:Kali Linux

[muridae]

If you want to do it yourself, yes, this is the way to go about it. The OP is an idiot to think that any site on the internet that 'asks permission before hacking your site, just give us the URL or code'' is not going to turn around an sell that information afterwards. Either hire professionals, or DIY.

I keep a copy of BT 5 (i hadn't seen the move to Kali Linux) in a virtual machine. Not the fastest scanner out there, but a small networked box in my house gets the same copy of code installed on it as my webserver has (i know what they run because I asked nicely). Then, I beat the hell out of it and my own code. If my code gives out first, that gets fixed (php scanners, sqli scanners, etc). If my code stands up, then I start scanning the server code. Metasploit, NMAP, anything else that might show where a hole is located. If it turns out to be the server code, I make damn sure it's not my configuration of my local server before contacting the hosting company and asking them. So far, all of them have been my config files and not theirs.

Re:Kali Linux

[andy.ruddock]

http://www.kali.org/official-documentation/

It's a link on the top of the home page. I bet you couldn't find your arse with both hands and a mirror.

Re:none

[6ULDV8]

It is tough, but not impossible. SAINT, Nessus, OpenVAS, Nikto and others will generate a report with CVE info that points to articles providing some guidance.

OWASP

Try the OWASP website: https://www.owasp.org/index.php/Main_Page. They have a lot of free tools for doing security testing of websites.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Consider an easy to use commercial webapp scanner

[pjtpj]

Check out https://purecloud.ncircle.com/solutions/en/WebApp/. It is not free, but it covers common web applications, and it is very easy to use. Disclaimer: I work for nCircle

Re:Post your password here

hunter2

Sorry, no

[gweihir]

The only things tools can tell you is whether another person running the same tool could get in. For anything else they are pretty worthless. Also, the FBI/CIA does not have a clue about IT security. If you must name a TLA, make it at least the NSA.

Use SDHC memory in a card reader-writer, set lock

[Jameson+Burt]

No matter what an intruder tries, if you put your operating system on read-only media, intrusion becomes limited.
Of course, installation and changes become more difficult because you must reboot with your media set to read-write, then reboot again to read-only. SDHC memory works well for this, since it has a read-write switch like the old floppy drives. Put the memory in a
      USB "card reader" for SD
(microSD doesn't appear to have a read-write switch).
You can insert the SDHC in something that looks like a flash drive, then insert the whole in a USB slot.

Or, you can use something like the Adonics eSATA/USB Digidrive
http://www.addonics.com/products/aepddesu.php
to connect to your computer's eSATA port (if you have such a port on the back of your computer),
which is probably more efficient (fewer waits) than a USB 3.0 connection.

In Linux, you might choose to put most of your operating system on SDHC switched to read-only,
then put a variable area on a regular disk drive for logs, although you can put logs into a memory area that disappears on reboot.
Or you might put your webpages on a separate SDHC,
so your webpages get no intrusion changes.
You could then unmount your webpage SDHC, switch to read-write, make changes, unmount, switch to read-only.

In Debian Linux, the foundation for most Linuxes (eg, Ubuntu), you can look at the "Securing Debian Manual",
http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.pdf
Debian has a highly tailored Aide (like tripwire) that uses checksums to detect any file changes.
In Debian, "dar" Disk Archiver (like tar) makes backups on external disk drives, but dar probably requires some tailoring (I use dar).
For a firewall, you could use Debian's easily used Guarddog.
In some sense, Debian is the administrator's operating system -- for the serious.

Re:Happy Tuesday from The Golden Girls!

[Marxist+Hacker+42]

Completely OT, but I've got Karma to burn

The last line of the first verse should read "You're a pal and a confidant". None of the Golden Girls went into space, though I'm sure they thought about sending Sophia there.

Don't forget to test your FTP (or SFTP) access...

[xxxJonBoyxxx]

You can use this free scanner to test your FTP or SFTP access.
http://www.filetransferconsulting.com/low-and-slow-ftp-scanner/

Set this utility up with about four garbage usernames, then your actual admin credentials in the username list, and put four junk passwords before your admin password in the password list. Then run the utility with one-second intervals. If your FTP server (or SFTP service) is set up well, your IP (and possibly your username) should be locked out before the utility gets to your legit credentials on its 25th try. (In other words, if the utility can sign on as you, your FTP or SFTP service could use some additional security.)

Some other things to think about

[bobstreo]

You may want to see if any of your local colleges have computer security tracks. You may be able to do an Internship, or someone may
be available to just do it for experience. YMMV

While you are doing these scans, please note, you may clog up your pipes to the Internet. If you are using hosted services
DO NOT RUN SCANS WITHOUT NOTIFIYING THE HOSTING SERVICE.

There are many sites with CVE information, Secunia is ok, search for applications you care about.
http://secunia.com/community/advisories/historic/

Be careful scanning log files, at least sanitize them before you read them.

You should probably know what ports should be open on which systems.

A spreadsheet of systems/applications/versions of SW OS... would be a good start.

Look for ports that are open, or Listening that shouldn't be...

CloudFlare + Nessus Home Version + Hardened SSH

[Midnight_Falcon]

I'd recommend you proxy your web site through CloudFlare -- www.cloudflare.com -- by having them handle your DNS. You can read more about them at their web site -- I'm not affiliated with them in any way. They offer a free proxy service that acts as a web application firewall and will do a good job at blocking hack attempts.

From there, you should restrict your webserver's firewall to only allow traffic from CloudFlare's known IPs, so people cannot directly hit your webserver.

If Linux, install fail2ban on the SSH daemon + require SSH-key based access (no passwords!)

Finally, get a copy of the home version of Nessus from Tenable and use that to scan your server. It's interface is relatively easy to use, and if you hit your webserver IPs every couple months with this, in addition to using CloudFlare and hardening your SSH daemon, you should be in good shape and not have to worry about silly hacks.

Re:CloudFlare + Nessus Home Version + Hardened SSH

[Legion303]

I wouldn't recommend CloudFlare. Their engineers are fucking morons, and their service doesn't actually block attacks.

Re:CloudFlare + Nessus Home Version + Hardened SSH

[Sigg3.net]

+ revoke old / unused keys.
+ encrypt the computers that have keys (truecrypt, luks) in case of theft.

Acunetix

[exodus2287]

I'd venture acunetix from http://www.acunetix.com/ it does a decent job

Learn the problems, then tools help

[Tool+Man]

If you don't understand the application-layer issues which might be present in your programs, then you won't necessarily understand what the tools (whichever) are trying to tell you. Read and learn, grasshopper. You can get a ton of info from OWASP (http://owasp.org) for free, including some issue-specific "cheat sheet" pages. Next, buy the Web Application Hacker's Handbook. Really, do it now, or at least after you've read the OWASP stuff. It's in dead-tree and e-book versions, now second edition.

Tool-wise, go to portswigger.net, and download the freebie version of Burp Suite. It doesn't have the scanner portion, but you can proxy all your traffic through it, and see what happens when you twiddle all the things that might be twiddled. Buy the pro version (few hundred bucks/year) when you're ready for the other features. By then, you'll know why you want them. The author is Dafydd Stuttard, one of the WAHH book authors. Great support, helpful and responsive.

Oh, and the suggestions for Nessus, OpenVAS and Backtrack/Kali aren't bad, they're good tools. Mostly for the infrastructure-level things such as the operating system and known services which are exposed, though this does include your web server. They mostly won't tell you much about your one-off apps though.

Be safe: Set up a little security lab

[SirGarlon]

If you are going to get into active testing, then I think professional ethics demand you take precautions to avoid harming other users or their systems, even (or especially) by mistake.

If you have two computers, then set up a little testing lab for yourself. Take both machines off the Net but put them on the same LAN (preferably a wired LAN but wireless will do). Set up one box as the target with a Web server and the site of your design. Use the other to run your attacks, Kali Linux or whatever.

The reason to do all this on a LAN is quite simply to avoid accidentally scanning/attacking some unintended host, and to avoid violating any laws or terms of service that prevent you running attacks. If you test a target on the real Internet, you may accidentally hit something else by mistake, especially if you're a beginner. Whereas on your own LAN you can be as wild and experimental as you want and no one will complain.

It may sound like a lot of work to set up an isolated network, but explaining to an ISP or a judge that you really had perfectly innocent intentions is also a lot of work.

More popular DIY titles:

[Rob_Bryerton]

"Do-it-yourself Cryptography"
"Home Heart Surgery"
"Roll Yer Own O.S."
"Kernel and Driver Programming for Dummies"

Security...

[Stax]

A lot of this conversation has been about remote security scans, but once you find a vulnerability, how do you remediate it? How do you maintain your security posture, and continue auditing your hosts on a regular bases? To what standard?

The National Institute of Standards & Technology provides a lot of help to those attempting to implement security standards.

First is the Security Content Automation Protocol (SCAP) - scap.nist.gov. This defines how you manage, measure and evaluate vulnerabilities.

Second would be SCAP content. You'll note on the NIST SCAP page the word "community" appears 5 times in the first paragraph. That's not on accident. SCAP content is generally community generated, and there are lots of great lists of people working on SCAP content for a variety of operating systems.

Red Hat maintains the gov-sec mailing list and fedora, for example has loads of content available for Red Hat Enterprise Linux based systems.

Our friends at NIST also publish what is called the US Gov't Configuration Baseline (USGCB for short). USGCB content is available in SCAP format for Windows & RHEL. These standards are certainly a good starting point.

If your standards come in the form of a STIG - that content is available as well from the Aqueduct project.

[Disclaimer - I work for Red Hat, I support the US Gov't, and I think making security easier is probably an important thing to do]

Re:Use SDHC memory in a card reader-writer, set lo

[Carnildo]

The SDHC read-write tab? It's more like a vague suggestion than a lock. I've yet to find a card reader that will actually refuse to write to a "write-protected" card.

Re:learn the truth... apk

[ediron2]

tl;dr: OMGMYEYES!!!

Srsly, I'm a security geek and I'm laughing at the copypasta quantity you just put in there. For a guy who admits he doesn't know security. For a guy who admits he'll never likely know it.

Automation

[SampleFish]

I would bump Kali Linux as the true DIY solution.
-OR-
You could just leave it up to someone else and have someone to blame. These guys would make a good scapegoat:

http://sitecheck.sucuri.net/scanner/

I have actually used their scanner to find a backdoor in a common PHP script that shall remain nameless. They did report exactly where the vulnerable file was. After I deleted the file they told me the site was secure. Simple.

Not really DIY and I wouldn't trust anyone 100% but if you pay for a service you have done due diligence to CYA and you can just bill your customer.

Re:Try NSA Security Guides...

[alreaud]

Check this out also as a guide to security. All 20 need not be implemented, just the ones pertinent to your organization.

CSIS: 20 Critical Security Controls Version 4.1
http://www.sans.org/critical-security-controls/?utm_campaign=resources&utm_source=featured&utm_medium=web&utm_content=critical_controls

Re:Be careful!

[Ash-Fox]

Such as?

Re:Use SDHC memory in a card reader-writer, set lo

[Jameson+Burt]

The operating system often seems to write to a lock-switched memory card, and "ls" indicates it has.
But removing the card reveals data has not been written.
I'll keep an eye out for actually writing when actually lock-switched.

Re:Use SDHC memory in a card reader-writer, set lo

[Jameson+Burt]

I have now actually checked this.
I switched an SDHC to read-only, wrote a file to it on Linux, took the SDHC to another computer, and the file was indeed written.
So, the SDHC lock is no guarantee against writing, and is apparently useless.
I stand corrected, and thank Carnildo for ending my misadventure.

I prefer using read-only hardware to "chattr -i" immutability plus a Linux kernel enforcing this,
since the software approach is cumbersome and changes files' ctime attribute.
What is available?
The following in the alternate model AEPDDESUWP will not write to any memory it can read,
and outputs to either eSATA or USB computer ports,
http://www.addonics.com/products/aepddesu.php
I still need to put my operating system on flash memory before I insert it into such a read-only device.