In the past I've used a little script from here: http://forum.joomla.org/viewtopic.php?t=92678 to scan my virtual hosts for any exploits that might have been uploaded (e.g. PHP shells).
It's quite a simple but effective script (it just searches for keywords and emails me the offending section of code to investigate), but it isn't maintained and there are probably better tools out there.
My question is: what tools do other people use/recommend?
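The kind of keyword sweep Mark describes, as an added example written for this page (it is not the Joomla-forum script he links, and it sends nothing by mail): it walks a docroot, applies a short list of indicator regexes to PHP source files, and returns file, line number, indicator name and the offending line so a human can judge it. The indicator list, the scanned extensions and the planted sample files are all constructed for the demo.

```python
"""Keyword sweep for dropped PHP shells across virtual-host docroots.

Added example, not the forum script referenced in the thread. Every hit
is a lead for a human to read, not a verdict: legitimate plugins do call
exec() and eval(). The sample docroot below is constructed for the demo.
"""
import os
import re
import tempfile

# Indicators commonly seen in uploaded PHP shells (illustrative list).
PATTERNS = {
    # eval() wrapped around a decoder: the classic obfuscated one-liner
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # request data fed straight into a shell-execution function
    "request_into_shell": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*"
        r"\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # request data fed straight into eval()
    "request_into_eval": re.compile(
        r"\beval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # $_REQUEST['x'](...): attacker-chosen function name called directly
    "request_as_function_name": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    # names of well-known shell families left in the source
    "known_shell_name": re.compile(r"\b(?:c99shell|r57shell|FilesMan|WSO)\b"),
}

# Extensions Apache will typically hand to the PHP interpreter (assumed set).
SCAN_EXTENSIONS = {".php", ".php5", ".phtml", ".inc"}


def scan_file(path):
    """Return a list of (path, lineno, indicator, stripped_line) hits for one file."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for name, rx in PATTERNS.items():
                    if rx.search(line):
                        hits.append((path, lineno, name, line.strip()[:200]))
    except OSError:
        pass  # unreadable file: skip it rather than abort the whole sweep
    return hits


def scan_tree(root):
    """Walk a docroot and scan every file with a PHP-ish extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() in SCAN_EXTENSIONS:
                hits.extend(scan_file(os.path.join(dirpath, fn)))
    return hits


def format_report(hits):
    """Plain-text body suitable for mailing to whoever investigates."""
    if not hits:
        return "No indicators found.\n"
    lines = ["%d indicator hit(s):" % len(hits)]
    for path, lineno, name, text in sorted(hits):
        lines.append("%s:%d [%s] %s" % (path, lineno, name, text))
    return "\n".join(lines) + "\n"


def build_demo_docroot():
    """Throwaway docroot: one clean file and two planted shells (constructed data)."""
    root = tempfile.mkdtemp(prefix="vhost-demo-")
    sample = {
        "index.php": "<?php\necho 'hello';\n",
        "wp-content/uploads/cache.php": "<?php\neval(base64_decode($_POST['c']));\n",
        "images/thumb.php": "<?php\necho passthru($_GET['cmd']); $_REQUEST['x']($_REQUEST['y']);\n",
    }
    for rel, body in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print(format_report(scan_tree(build_demo_docroot())))
```

Run against a real docroot by calling scan_tree() with the vhost path instead of the demo directory; the report is deliberately line-oriented so it can be piped into mail the way the original script did. Note that this only inspects files by extension, so a shell stored as image.jpg and executed via an .htaccess rewrite would be missed.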
Mark Rogers wrote:
It's quite a simple but effective script (just searching for keywords and emailing the offending section of code to me to investigate) but it isn't maintained and there's probably better tools out there.
My question is: what tools do other people use/recommend?
Not sure about the PHP testing, but I tend to start security audits with Nessus (warning: not free for commercial use, or if you want regular automated updates).
It's not going to cope with the specifics of the PHP code you are hosting, but it's a broad scanner that will highlight problems with most services, unpatched vulnerabilities and poor configuration as well. Then if I see something I don't like I tend to go at it with one of the service-specific tools included in the BackTrack security suite.
Be warned, however, that if you run it from a remote host Nessus will fall foul of some tripwires (and in at least one case for me, not at the end I was scanning: it once triggered something at my ISP (Plusnet) that put me in a walled garden because they thought a compromised machine on my network was attacking others :)
Mark Rogers asked: [...]
It's quite a simple but effective script (just searching for keywords and emailing the offending section of code to me to investigate) but it isn't maintained and there's probably better tools out there.
My question is: what tools do other people use/recommend?
Most distributions have some intrusion detection software, so that's a start, then there's external monitoring to try to spot the machine doing anything "strange".
Recently, I've tried Apache's mod_security on some servers, but configuration seems to be a bit of an art, so test the setup somewhere first and monitor it very closely when deployed.
Other than that, following security alerts and running sweeps for specific vulnerable versions when a new alert appears will do a lot to keep intruders out. Other problem-specific tools like that script rarely hurt, but it would be hard to collect enough of them to cover problems in general.
What are others doing?
Also, what are the web applications which cause you the most alerts? This month, for us, it's been Zen Cart and WordPress. I wish users would realise the importance of upgrading WordPress when that "upgrade now" banner appears on the dashboard. If they installed it themselves, upgrading isn't much different. Thanks to various things, it's a pretty big "kick me" sign if you run an old version.
Regards,
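The "run a sweep for specific vulnerable versions when a new alert appears" approach from the post above, as an added example written for this page and not code from anyone in the thread. It finds WordPress installs under a tree of vhost docroots, reads each one's version and flags those below the version an alert names as fixed. It assumes the standard WordPress layout, where wp-includes/version.php contains a line of the form `$wp_version = '3.0.1';`; the docroot tree and version numbers below are constructed for the demo.

```python
"""Sweep virtual-host docroots for WordPress installs older than a given version.

Added example, not code from the thread. Relies on the standard WordPress
layout (wp-includes/version.php with a $wp_version assignment). The demo
tree built by build_demo_root() is constructed data.
"""
import os
import re
import tempfile

WP_VERSION_RX = re.compile(r"^\s*\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", re.M)


def parse_version(text):
    """'3.0.1' -> (3, 0, 1). Stops at the first non-numeric part: '3.1-beta2' -> (3, 1)."""
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_lt(a, b):
    """Compare version tuples, padding with zeros so that (3, 0) == (3, 0, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def find_wordpress_installs(root):
    """Return [(install_dir, version_string)] for every wp-includes/version.php under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "wp-includes" or "version.php" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "version.php"), encoding="utf-8", errors="replace") as fh:
                m = WP_VERSION_RX.search(fh.read())
        except OSError:
            continue  # unreadable: skip this install rather than abort the sweep
        if m:
            found.append((os.path.dirname(dirpath), m.group(1)))
    return found


def sweep(root, minimum):
    """Installs whose version is below `minimum`, i.e. the version an alert says is fixed."""
    floor = parse_version(minimum)
    return [(d, v) for d, v in find_wordpress_installs(root)
            if version_lt(parse_version(v), floor)]


def build_demo_root():
    """Three vhosts: an old WordPress, a current one, and a non-WordPress site (constructed)."""
    root = tempfile.mkdtemp(prefix="vhosts-demo-")
    for host, ver in {"old.example": "2.9.2", "current.example": "3.0.1"}.items():
        inc = os.path.join(root, host, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % ver)
    os.makedirs(os.path.join(root, "static.example"))
    with open(os.path.join(root, "static.example", "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html></html>\n")
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    for install, ver in sweep(demo, "3.0.1"):
        print("%s runs WordPress %s, below 3.0.1" % (install, ver))
```

Point sweep() at the directory that holds all the vhost docroots and pass the fixed version from the advisory; the same walk-and-read-a-version-file pattern extends to other applications once you know where each one records its version.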