We are running the Apache web server on Fedora 8 and need to check for vulnerabilities. What should we check?
2 Answers
What you're doing is generally ill-advised, however you can take some steps to make it safer. I'm assuming you're using a distribution that old because you have some unsupported application that "requires" that platform. If you don't have to use that old distro then, as @HTTP500 suggests, dump it for a newer distro.
@HTTP500 recommends a web application vulnerability scanner, but I'd be more apt to recommend a general vulnerability scanner like Tenable Nessus or OpenVAS.
Otherwise, secure the machine as you would normally. Start by doing the basics: Remove any unnecessary software from the installation. Disable any unnecessary services. Tighten up the firewall rules to allow only inbound and outbound traffic that you expect. Change any default passwords and remove any accounts that aren't needed. Update everything to the last supported version.
After you've done all that, start researching every piece of software that untrusted users will be interacting with for vulnerabilities. I like CVE Details, personally, but there are a number of vulnerability databases out there.
If you find a significant vulnerability in any of the software stack you should either dump the software or backport a fixed version onto your distro. The difficulty of backporting will depend on how much other software (shared libraries, etc.) depends on the software being fixed. In some cases you may be able to set up another machine running the old distribution with compilers and build an RPM for a new program fairly easily. In other cases you're going to find yourself backporting a huge amount of software.
If the vulnerabilities you find can be mitigated by an application layer firewall / filter application (a "web application firewall", etc) you might consider deploying such a thing in front of the vulnerable server. I always caution that this doesn't actually mitigate the vulnerabilities, it just makes them more difficult to exploit. You have to be extra-vigilant that there aren't ways around the filtering functionality that would allow attackers to directly attack the vulnerable server.

Hi Evan, you said that right; we will paste the config details of the server in sample mode for you to have a look, and let us know. We really thank you for your quick reply to our question. :) – neolix Feb 21 '12 at 14:33
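A worked example of the "research every piece of software for vulnerabilities, then decide whether to backport" step in the answer above: once a vulnerability database tells you the version a fix first shipped in, you still have to compare that against what is actually installed, and RPM version ordering is not plain string or float comparison (1.10 is newer than 1.9, 1.0~rc1 is older than 1.0, and an epoch outranks everything). This is added illustrative code, not from the original post and not Fedora or rpm tooling: it reimplements the segment ordering of librpm's rpmvercmp in Python (tilde handled, caret not) and runs an inventory in the format printed by `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` against a list of minimum fixed versions. The inventory lines, the "fixed in" versions and the EXAMPLE-ADV-n advisory names are constructed placeholders for the demonstration, not real Fedora 8 package versions or real advisories.

```python
"""Compare an RPM inventory against minimum fixed versions (added example)."""
import string
from typing import Dict, List, Tuple

# Characters that take part in the comparison; everything else is a separator.
_SIGNIFICANT = set(string.ascii_letters + string.digits + "~")
_DIGITS = set(string.digits)
_ALPHA = set(string.ascii_letters)


def _take_run(s: str, i: int, charset: set) -> int:
    """Index just past the run of charset characters starting at position i."""
    while i < len(s) and s[i] in charset:
        i += 1
    return i


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings the way librpm's rpmvercmp does.

    Returns -1 if a < b, 0 if equal, 1 if a > b. Strings are walked as
    alternating numeric and alphabetic segments: separators are ignored,
    numeric segments compare as integers (leading zeros dropped), a numeric
    segment beats an alphabetic one, and a tilde sorts before anything, so
    1.0~rc1 < 1.0. The caret operator of newer rpm releases is not handled.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in _SIGNIFICANT:   # skip '.', '-', '_'
            i += 1
        while j < len(b) and b[j] not in _SIGNIFICANT:
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1      # b is a pre-release of the same version
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i] in _DIGITS
        charset = _DIGITS if isnum else _ALPHA
        ia, ib = _take_run(a, i, charset), _take_run(b, j, charset)
        if ib == j:
            return 1 if isnum else -1    # segment types differ: numeric wins
        sa, sb = a[i:ia], b[j:ib]
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):       # more digits means a bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ia, ib
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1      # whichever has characters left wins


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'; rpm prints '(none)' for an unset epoch."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e != "(none)":
            epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_qa(text: str) -> Dict[str, str]:
    """Parse 'NAME EPOCH:VERSION-RELEASE' lines into {name: evr}."""
    inventory = {}
    for line in text.splitlines():
        if line.strip():
            name, evr = line.split(None, 1)
            inventory[name] = evr.strip()
    return inventory


def find_outdated(inventory: Dict[str, str],
                  fixed_in: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (name, installed, required, advisory) for each installed package
    whose EVR is older than the first EVR that carries the fix."""
    findings = []
    for name, required, advisory in fixed_in:
        installed = inventory.get(name)
        if installed is not None and evrcmp(installed, required) < 0:
            findings.append((name, installed, required, advisory))
    return findings


# Constructed sample inventory; not a real Fedora 8 package list.
SAMPLE_RPM_QA = """\
httpd 0:2.2.6-3.fc8
mod_ssl 1:2.2.6-3.fc8
openssl 0:0.9.8b-17.fc8
php 0:5.2.4-3.fc8
"""

# (package, first EVR containing the fix, advisory id); all values constructed.
FIXED_IN = [
    ("httpd", "0:2.2.8-1", "EXAMPLE-ADV-1"),
    ("openssl", "0:0.9.8g-1", "EXAMPLE-ADV-2"),
    ("php", "0:5.2.4-3.fc8", "EXAMPLE-ADV-3"),     # already at the fixed EVR
    ("mod_ssl", "0:2.2.8-1", "EXAMPLE-ADV-4"),     # installed epoch 1 outranks
]

if __name__ == "__main__":
    for name, have, need, adv in find_outdated(parse_rpm_qa(SAMPLE_RPM_QA), FIXED_IN):
        print(f"{adv}: {name} {have} is older than fixed version {need}")
```

On the real box, feed the output of `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` to parse_rpm_qa and fill FIXED_IN from the advisories you find; every package it reports is a candidate for backporting or removal. The epoch check matters in practice: a vendor that bumped the epoch on a backported package will report a version number that looks older than upstream's fixed release while actually containing the fix, which is exactly what the mod_ssl line in the constructed sample shows.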
First of all you should update the distribution you are running. Fedora 8 went end-of-life over 3 years ago and does not provide security updates anymore.
Once you have updated your system to a recent/supported version you can run a web application scanner like Nikto against it to determine your exposure. Remediate based on its recommendations. There are more sophisticated web application scanners like QualysGuard or Acunetix but Nikto is a good place to start.
Hope this helps.

Hi, we agree with you and we are planning to move to FC16 and Apache 2.x; we are looking at using open source tools and scanners. – neolix Feb 21 '12 at 14:15