
Bullet-proof Apache: Nikto Security Scanner

apache

If you’ve ever been responsible for maintaining an Apache web server, you know how important security is.

Nikto (http://www.cirt.net/nikto2) is an open-source Perl script that scans a web server for known problems: dangerous or default files and CGIs, outdated server software, and common misconfigurations. It is not Apache-specific; its checks cover well over 200 web server products. It is signature-based, so it finds what is in its database, not unknown vulnerabilities. To run a scan, download the tool and extract the archive to the desired location (you need a Perl interpreter). To initiate a scan from the Nikto directory, type:

./nikto.pl -host [ip address]

The -host value can be a hostname instead of an IP, and the port defaults to 80 (use -port, plus -ssl for HTTPS).

Note: scan the server the way an attacker reaches it. Run Nikto from outside your network against the public IP or hostname, not an internal address, so that your firewall and NAT rules are part of the test. If the site is a name-based virtual host, pass the site name with -vhost as well, because a scan by bare IP may only exercise Apache's default site. Only scan servers you are authorized to test.

Here is what my results look like:

- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:          10.0.0.1
+ Target Hostname:    (blurred for security)
+ Target Port:        80
+ Start Time:         2009-01-26 16:44:36
---------------------------------------------------------------------------
+ Server: Apache
+ OSVDB-3092: GET /manual/ : Web server manual found.
+ OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 3 item(s) reported on remote host
+ End Time:        2009-01-26 16:45:25 (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Test Options: -host 10.0.0.1
---------------------------------------------------------------------------

I would then look up each finding, fix it, and rescan until no issues are detected. See the OSVDB-ID? These IDs refer to entries in the Open Source Vulnerability Database (http://osvdb.org). Each entry contains a description, classification, and solution. (OSVDB has since shut down; archived copies exist, and Nikto's own test database still carries the OSVDB number next to each check.)

Two things are worth noticing in the report above. First, all three findings are information disclosure rather than exploitable bugs: the bundled Apache documentation is published under /manual/, directory indexing is enabled for /manual/images/, and the default /icons/README is present. Each tells a visitor what software you run and how it is set up, which is the reconnaissance an attacker does first, so they are still worth removing. Second, the Server header reads just "Apache" with no version; that is what ServerTokens Prod produces, and it is worth keeping, because Nikto's version-specific checks key on that banner. Treat Nikto's findings as leads to confirm, not verdicts: it matches on paths and response codes, so a server that answers 200 for every URL will produce pages of false positives, and a clean report only means that none of the signatures matched.
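A small POSIX shell wrapper, added here as an example and not code from the original post or from the Nikto project, for running the scan as described above and turning the plain-text report into something you can act on: it builds the nikto.pl command line (-host, -port, -vhost, -ssl and -output are standard Nikto 2 options), pulls the OSVDB IDs and their descriptions out of the report, and exits non-zero while any findings remain, so it can sit in a cron job or a deployment check. The sample report inside write_sample_report is constructed from the output shown above; the target 203.0.113.10, the hostname www.example.com and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Nikto project.
# Wraps a Nikto run and turns its plain-text report into a list of finding IDs
# that a cron job or deployment step can gate on. Assumes nikto.pl is in the
# current directory (as in the post); the target and file names are made up.

# Build the command line. Scan the public address on the real port, pass the
# site name as -vhost so name-based virtual hosts are exercised, and keep a
# copy of the report with -output. Printed rather than run so it can be
# reviewed (or tested) without a live scan.
nikto_cmd() {
    host="$1"; port="${2:-80}"; vhost="${3:-$host}"
    out="${4:-nikto-$host-$port.txt}"
    cmd="./nikto.pl -host $host -port $port -vhost $vhost"
    if [ "$port" = 443 ]; then cmd="$cmd -ssl"; fi
    printf '%s\n' "$cmd -output $out"
}

# Run the scan built by nikto_cmd. Word splitting is intended: the arguments
# are host names, ports and a file name, none of which contain spaces.
run_scan() {
    set -- $(nikto_cmd "$@")
    "$@"
}

# Every OSVDB ID mentioned in a report, one per line, de-duplicated.
nikto_findings() {
    grep -o 'OSVDB-[0-9]*' "$1" | sort -u
}

# One line per finding, "ID|METHOD path|description", for triage.
# Finding lines look like "+ OSVDB-3092: GET /manual/ : Web server manual found."
nikto_triage() {
    sed -n 's/^+ \(OSVDB-[0-9][0-9]*\): \([A-Z][A-Z]*\) \([^ ]*\) : \(.*\)$/\1|\2 \3|\4/p' "$1"
}

# The count Nikto itself prints ("3 item(s) reported on remote host"),
# useful as a cross-check against the number of IDs extracted.
nikto_reported_count() {
    sed -n 's/.*: \([0-9][0-9]*\) item(s) reported on remote host.*/\1/p' "$1"
}

# Gate: succeed only when the report contains no findings.
nikto_gate() {
    n=$(nikto_findings "$1" | wc -l | tr -d ' ')
    echo "$n finding(s) in $1"
    [ "$n" -eq 0 ]
}

# Constructed sample report, copied from the scan shown in the post, so the
# parsing functions can be exercised offline.
write_sample_report() {
    cat > "$1" <<'EOF'
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:          10.0.0.1
+ Target Hostname:    www.example.com
+ Target Port:        80
+ Server: Apache
+ OSVDB-3092: GET /manual/ : Web server manual found.
+ OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 3 item(s) reported on remote host
+ 1 host(s) tested
EOF
}

# Demo on the sample report; no network access needed.
report=$(mktemp)
write_sample_report "$report"
echo "Would run: $(nikto_cmd 203.0.113.10 443 www.example.com)"
nikto_triage "$report"
nikto_gate "$report" || echo "rescan after fixing the items above"
rm -f "$report"
```

For a real run, replace the demo with `run_scan 203.0.113.10 443 www.example.com` and gate on the file it writes. Fixing the three findings in the sample is a matter of Apache configuration rather than patching: remove the Alias that publishes /manual (or uninstall the documentation package), set `Options -Indexes` in the Directory blocks that still allow listings, and delete /icons/README or drop the /icons alias if nothing uses it; then rescan and the gate should pass.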

To aid in your research, I have created an OSVDB Firefox search plugin (http://mycroft.mozdev.org/search-engines.html?name=osvdb). Install the plugin and then search for 3092, 3268, 3233, and so on.

Hopefully this makes securing your web server quick and painless.
