How can I test the security of my server ?
Please I know it is too general question. But I was wondering if there is a tester software or web service checking all ports of your server, or possibly security holes ?
I usually check unix permissions and that's it, but there is something I can do ?
ps. Users cannot upload files with my web applications, so I don't have that issue.
Based on your tags, here's some basic advice:
OS (Linux)
netstat -tulpen
)PHP
MySQL
That's just the pure basics written down in 2 minutes. Theres much more.
Download Backtrack and run FastTrack's AutoPwn against your server. It's a completely automated approach, but it's a great low effort way of finding the low-hanging fruit.
If you got web components, SkipFish is another great automated testing tool.
There are many tests you can perform and many tools available to test with. For starters you might like to run Nikto.
Although you may believe users can't upload files, a security hole in the applications or services may well prove otherwise, as many have learned the hard way. Always work on the assumption that your system is broken and vulnerable and look for ways to fix it, before someone else finds the holes for you.
If you have access to the system, you can find out what ports may be open using
netstat
. It can list all listening ports. Firewalls and other security measures may mitigate the risk.Match this list to a remote scan. Investigate any ports the remote scan shows that aren't listed by netstat. There should be none that are not accounted for by DNAT rules on a firewall.
Disable any services you don't need. It used to be common to file a variety of unnecessary services running. Many were trivial such as chargen, time, daytime, and other. Some were significant such as Telnet, FTP, HTTP.
For services only needed internally configure them to listen on 127.0.0.1 and/or ::1 (IPv6) if possible.
BackTrack FastTrack's AutoPwn good for really old servers with very old packages installed. If you have modern updated linux/windows it won't find anything. (I like backtrack but that serious tool that require extensive knowledge of security and pen testing)
I would recommend to install and scan your server with Nessus, it pretty powerful (even though free version does not have latest vulnerability signatures) and can not only scan for open ports and remote vulnerable software but also login to server with root credentials and perform local audit.
It just a tool, it is not enough to make your server "secure" but together with, for example, weeheavy's tips you can get closer.
I would also add Monitoring. Install OSSEC or its analog (tripwire, etc), you want to be notified if anything weird happening on the server in real time via email/sms/etc.
There are some services for doing this, generally marketed as PCI-DSS compliance scanning. I mean, that's not the be-all and end-all of security scanning, but PCI-DSS compliance does require a high level of security.
It's probably a sensible starting point. Be warned. It's not cheap.
edit: I've used HackerGuardian in the past, and it's bloody good. Pricing comes in after the first free scan at $249/year
Well, you can start with nmap and check which ports/services are opened.
If you want to learn you can take a look at http://www.hackthissite.org/ and http://www.hellboundhackers.org/ and day by day learn how to protect yourself from others, but keep in mind that will be a long long way.
Software reports can help you, but they will keep you safe just from Script kiddies, a good hacker will find an hole and only another human can find and fix (prevent) the problem.
This software costs money and enough to pay a professional to have the report and the solution at the same time.
So, if your web server is really important ask for help, are money well spent (again the the above sites).
Examine each attack vector.
Physical: This one is pretty straight forward. Is the server in a rack? is it locked? who has the key? How secure is the key? Is the server is a room? Is the room locked? Usb ports are accessible or enabled? etc.
If it is a switch are you using port security? etc.
Network: Less simple, but the most common. Test your ports by scanning all open ports on the server with nmap or wireshark or something. Determine how restricted you want those network services to be depending on how you want them to work and how vulnerable they make you.
For example; a http service, restrict who has access but subnet? by host? by user? Check common vulnerabilities; is indexing turned on, etc.
Human/Social: This is something that isn't easily fixed though IT, normally HR. But here are some things you can do. Password policy; The old school of thought is to change passwords regularly, but this seems to force end users to choose weak passwords. Generating passwords for users tends to make them write them down. You will need to find a policy that best suits you, but you may want to go with educating end users on how to make a strong password, but make the password change once a year or never. Also educate end users on how to manage passwords, and keep them secret.
Is google down again?
The apps listed in the link above mostly provide fingerprint type checks for well defined single mode attacks - this is not a substitute for a proper security evaluation, however running nessus/nikto is a start, and eliminating what may seem unexploitable issues can prevent multiple vectored attacks. (It also clears up the low hanging fruit so you can be a bit more sure that anyone you do engage to test the security properly has to earn their fee).
err, yes - there's a lot more you should be doing. Does that statement mean you've got a permissions security model? Is it valid? What about other access to the server (console, ssh, ftp...). If you don't already have a detailled security policy then there's not much point asking someone to test the system if its secure. The policy should cover such things as deploying software, identifying and implementing vendor patches, backups, rootkit checking.