Comments on Security Testing your Apache Configuration with Nikto
Security Testing your Apache Configuration with Nikto By now you've got the perfect setup for your new Ubuntu 6.06 (Dapper Drake) box. You may have even followed the excellent Intrusion Detection and Prevention with BASE and Snort tutorial. And as an added precaution you installed DenyHosts to block brute-force login attempts via ssh. But now that you've got your new LAMP server on the internet, how can you tell that your new web server is secure? You test it, of course!
Comments
apt-get install nikto
There goes two thirds of your howto.
Apart from that, Nikto appears to be searching mostly for PHP cross-site scripting attacks, only reaffirming my reasons not to use that terrible language.
Anyway, it seems to interpret the 500 status codes returned by my Trac site to most of the URLs as meaning that something executed. So it claims all sorts of attacks on my site that I know don't exist. Still, it did make me aware of the "TRACE" method.
apt-get is all fine and well if you don't want control over where it goes and what version you use. In addition it makes you beholden to the package maintainer to keep you in the most up to date versions. Especially for LibWhisker, which should be updated to take advantage of its performance and bug tweaks.
php is not the issue, it's always the coder that creates insecure code. XSS is even an issue in static pages served by an insecure configuration of Apache. So not only is your statement clearly false, but it is a gross misinterpretation of web server security.
I'm glad you got something out of the tutorial.
"apt-get is all fine and well if you don't want control over where it goes and what version you use. In addition it makes you beholden to the package maintainer to keep you in the most up to date versions."
I think you've made a mistake in your suggestion there. You should not encourage the use of non-packaged methods for installing software considering the audience your article seems to aim for - beginner as a majority, intermediate at most. You are not dealing with Enterprise solutions here, so suggesting that users should download or compile it for themselves makes little sense when the main reason for package management is to keep the system clean. If you're encouraging people to maintain the software themselves, they do not get the critical updates provided by package managers as and when they are available. Compiling and installing themselves is dangerous if you're a beginner.
That's what I want!
My intended audience was those that have followed along with the other tutorials and wanted to see what kind of system it left them with. Providing them instructions that required them to think about such things as file system storage, updating Libraries, etc. gets them thinking in Linux terms, instead of just parroting Linux commands. This is how people learn (at least I do).
Personally I use apt-get when I'm lazy, or just want to play with a new tool to see what it can do and do for me. Doing things the "long way" or the "hard way" promotes critical thinking skills, and keeps you closer to the metal of your system. I want to know the why and the how to, and humbly tried to supply that in my short howto.
And I agree with the previous poster. Public servers should not be run without adequate knowledge of what you're doing. These howtos get you up and running, but that's about all. They don't teach you to keep it running and to keep it safe. Only experience and additional training/reading will get you that.
A simple mod_rewrite rule to disable the TRACE HTTP method:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
# "-" keeps the URL unchanged; [F] answers with 403 Forbidden
RewriteRule .* - [F]
Since Apache 2 you can disable trace by adding this line to your Apache configuration:
TraceEnable off
Don't forget to restart Apache. ;)
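The two comments above give the fix (the rewrite rule answers TRACE with 403, TraceEnable off with 405) but not a way to confirm it took effect. The script below is an added example, not code from the article or from Nikto: it sends a TRACE request carrying a canary header and reports the method as enabled only when the server echoes that header back. Judging by the echoed body rather than by the status code alone is also what avoids the kind of false positive the earlier comment describes, where a 500 from Trac was read as a successful attack. The two handler classes are a constructed stand-in for an echoing and a refusing server so the example runs offline; point trace_enabled() at a real host and port to test an Apache instance.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


# Constructed stand-ins for the two behaviours discussed above. These are
# local Python servers, not Apache: EchoingTrace reflects the request the way
# an unconfigured server does, RefusingTrace behaves like TraceEnable off.
class EchoingTrace(BaseHTTPRequestHandler):
    def do_TRACE(self):
        # Reflect the request line and all request headers, as TRACE does.
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class RefusingTrace(EchoingTrace):
    def do_TRACE(self):
        self.send_response(405)  # same status Apache returns with TraceEnable off
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def trace_enabled(host, port, canary=("X-Trace-Check", "canary-7f3a")):
    """Return True only if the server echoes our canary header in a 200 reply.

    A 403/405, or a 200 without the canary in the body, counts as disabled:
    we do not trust the status code on its own.
    """
    name, value = canary
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={name: value})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
    finally:
        conn.close()
    return resp.status == 200 and f"{name}: {value}" in body


def check_handler(handler):
    """Spin up one of the stand-in servers on a free loopback port and probe it."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trace_enabled("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("echoing server, TRACE enabled :", check_handler(EchoingTrace))
    print("refusing server, TRACE enabled:", check_handler(RefusingTrace))
```

Against a real server, run trace_enabled("www.example.org", 80) before and after adding TraceEnable off (and restarting Apache) and expect True to become False; a server that still answers 200 but drops the canary has probably been put behind a proxy that rewrites the method, which is worth knowing too.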
Keep in mind that although Nikto is an excellent tool it is primarily useful for poor web server configuration and checking for default files and paths that may create vulnerable systems.
It is one tool to use during a vulnerability assessment but should be used in conjunction with other tools to ensure your systems are secure.
Expanding upon what Peter said above, there are also other Apache tools which could be used to take even more preventative measures to ensure security.
Here is a small article that I have written about Nikto
http://brainfry.in/administration/scanning-website-vulnerabilities-nikto-examples/
Very nice article.