My ongoing experiences with Ubuntu, and later Mythbuntu, as a media center with MythTV. I'm also using the system for a virtual machine server, a mediawiki server and a general all around home infrastructure base.

Sunday, September 14, 2008

Testing web server with nikto

I wanted to give my web server a quick test for any major security problems. nikto was recommended to me as a good way to do that. I downloaded and installed (unpacked really) it:

# cd /tmp
# wget
# tar xvfz nikto-current.tar.gz
# mv nikto /usr/local/nikto-2.03

And then I ran it against my webserver. Seems like a number of software packages are out of date, but are the freshest in the Ubuntu repositories. All together, nothing I'm concerned about.

# /usr/local/nikto-2.03/ -h web-server
- Nikto v2.03/2.04
+ Target IP:
+ Target Hostname: web-server
+ Target Port: 80
+ Start Time: 2008-09-15 16:58:59
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
- Root page / redirects to: /wiki/
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ PHP/5.2.4-2ubuntu5.3 appears to be outdated (current is at least 5.2.6RC4)
+ mod_ssl/2.2.8 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ mod_ssl/2.2.8 OpenSSL/0.9.8g - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit).
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 6 item(s) reported on remote host
+ End Time: 2008-09-15 17:00:48 (109 seconds)
+ 1 host(s) tested

Test Options: -h web-server
Post a Comment