What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems: I simulate an organized, professional attack against your organization, after which a detailed report summarizing the weaknesses and exploited vectors is delivered. This helps you gain control over your infrastructure's security and maximize your protection.

Wednesday, February 16, 2011

Yes, An old Friend scanned the site...

I was with one of my friends the other day. He had just set up a financial website, and he was telling me that they would be doing serious business with several financial institutions all over Africa.

So the discussion turned to security, and he boldly said, "An old friend from India did a penetration test on it by scanning it; now it's safe and secure." So he had not actually done this for his own comfort but to pass compliance tests from some banks and the CBK. I don't like pointing fingers, but I think the CBK should also regulate how such assessments and audits are done. The CBK should update its mandate on such matters.

So the box, the LAMP stack that many organizations use, has several vulnerabilities; or rather, a non-hardened LAMP does. Hackers will always look for such default installs and, if they find one, will probe for more information and use that intel to exploit further, especially if they see a gain, financially or infrastructure-wise. So let's look at a few tips on how to harden a LAMP server. These tips are just 10% of what you should do to protect a LAMP; but if they have not been done, you have 0% security on your web server.


No one needs to know which version of Apache or PHP you are running when browsing your site, except hackers. So inside httpd.conf, change ServerSignature from On to Off. Below it there is ServerTokens; change it from OS to Prod. Also in the php.ini file, expose_php is on by default; turn it off, and change safe_mode from Off to On. There are also some dangerous functions that should be switched off through the disable_functions= directive.

After that restart Apache.


You will need to install a WAF to protect against online login brute force, web directory brute force, and other forms of attack. PHPIDS is another solution that should be installed. PHPIDS is capable of detecting attack pattern strings, e.g. file inclusion attacks (remote or local), SQLi, XSS, etc.


Sometimes developers like to leave files like phpinfo on the server. These files expose paths to web folders, the server kernel and internal IPs. I was doing a pentest last year where I found one. Prior to that, I had no idea that the web servers had connectivity to internal business networks. The internal security personnel had no idea either, so during the test I found one on a server, and it had internal connectivity. That's when I realized the admins had deployed internal IPs on the web servers for easier access. So remove these phpinfo files. Other folders like /phpmyadmin, /mysql, /admin, etc. also need to be blocked from the public.


Directory listing is an immature mistake developers and webmasters make. Most Apache servers will have it turned on. Inside httpd.conf, edit Options Indexes FollowSymLinks to Options -Indexes FollowSymLinks.
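To check that the httpd.conf and php.ini changes above actually took effect, here is a small audit script. It is an added example, not part of the original post; the config fragments and the disable_functions list in it are constructed samples.

```python
"""Audit httpd.conf / php.ini text for the hardening settings in this post."""

# Constructed sample fragments: a default install and a hardened one.
WEAK_HTTPD = "ServerTokens OS\nServerSignature On\n<Directory /var/www>\n  Options Indexes FollowSymLinks\n</Directory>\n"
HARD_HTTPD = "ServerTokens Prod\nServerSignature Off\n<Directory /var/www>\n  Options -Indexes FollowSymLinks\n</Directory>\n"
WEAK_INI = "expose_php = On\nsafe_mode = Off\ndisable_functions =\n"
HARD_INI = "expose_php = Off\nsafe_mode = On\ndisable_functions = exec,system,shell_exec,passthru\n"

def _parse(text, comment, sep):
    """Map each directive name (lowercased) to its last value, skipping
    comments and container lines such as <Directory> or [Section].
    Last occurrence wins; this ignores Apache's per-Directory scoping."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split(comment, 1)[0].strip()
        if not line or line[0] in "<[":
            continue
        name, _, value = line.partition(sep)
        seen[name.strip().lower()] = value.strip()
    return seen

def audit_httpd(text):
    """Return findings for the Apache directives the post says to change."""
    d = _parse(text, "#", " ")
    findings = []
    if d.get("servertokens", "full").lower() != "prod":   # Apache default is Full
        findings.append("ServerTokens should be Prod")
    if d.get("serversignature", "off").lower() != "off":
        findings.append("ServerSignature should be Off")
    # Only explicit Options lines are checked; 'All' also enables Indexes.
    opts = d.get("options", "").lower().split()
    if any(t in ("indexes", "+indexes", "all") for t in opts):
        findings.append("Options enables directory listing (Indexes)")
    return findings

def audit_php_ini(text):
    """Return findings for the php.ini directives the post says to change."""
    d = _parse(text, ";", "=")
    findings = []
    if d.get("expose_php", "on").lower() not in ("off", "0", ""):   # PHP default is On
        findings.append("expose_php should be Off")
    if d.get("safe_mode", "off").lower() not in ("on", "1"):
        findings.append("safe_mode should be On")
    if not d.get("disable_functions"):
        findings.append("disable_functions is empty")
    return findings

if __name__ == "__main__":
    for label, h, p in (("default", WEAK_HTTPD, WEAK_INI), ("hardened", HARD_HTTPD, HARD_INI)):
        print(label, audit_httpd(h) + audit_php_ini(p))
```

Feed it the real files (for example `audit_httpd(open("/etc/httpd/conf/httpd.conf").read())`) after the restart to confirm nothing was silently overridden by a later directive.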

The other security fixes are usually carried out by the security personnel in your organization. These include code analysis, checklists, OWASP Top 10 risk tests, penetration testing, vulnerability assessments, etc.

Any questions, comments, please post below.



1 comment:

Idd Salim (Cdr) said...

Serious stuff, boss. Good stuff.