Tools to Test Your Servers Security

[ProBlazer]

What tools (preferably free) is everyone using to test the security of their web servers.

I'm pretty new to this yet, and I'm hosting a server out of my home for streaming music to where ever I am.  

I'm running Apache, Tomcat, SQL, and PHP5.  What recomendations do you all have?

[Jorge]

I usually start by doing a port scan of the computer and close all port that shouldn't be open.

I then install a firewall Kerio ServerFirewall is great and configure this carfully.

Also i check my error logs and access logs for fishy stuff.

[admin]

Its all setup secured by default.

[DeliriumServers]

there are actually a great deal of these types of testing tools out on the net, however many are ment for linux or are hard to run

the best one that I have used is Nessus (the windows version)

you can find out about it here

http://www.nessus.org/index.php

[majika]

I am what you would call a security type of person who like to test things out and spen time trying new ideaas on penatration testing etc, that aside I would recommend Dameware NT Utilities or better still X-Scan v2.5 or GFI Languard.

A nice couple of article to read about Vulnerability Assessment and IP Scanning (YOUR OWN LOCALHOST OF COURES :) can be found here and a full write up about the tools used and a bit more info on them can also be found here. here

[admin]

IMHO, having a router is step 1... Since it will do DNAT, which has the effect of blocking any incoming connections that were not initiated from the inside.

I used to use Netgear [my last one died on me a year or two ago], but Linksys has moved up since, and the WRT54GS is a thumbs up... It will run a custom Linux based firewall/router firmware. Its also very cheap, and with the mentioned firmware, will have the same features as a router that you can expect to pay thousands for.

My last blog post here... http://www.devside.net/blog/category/web-server/ has some other info, CIS and SANS.

[japreja]

I have heard of an organization that monitors, for free, your site from hacking attempts, A friend of mine used it and they notify the FBI or other agency immediatly upon discovering a hack attempt and they also call you within ten minutes or so.  I dont know the organizations name but I do know it is out there someplace.  I was at his house when he got the call, his site used to be calld kidslinux but I don't think he runs it any more.  It was neet to see it on the news.

Maybee someone here knows what is called.

[Esthet]

http://www.maxpatrol.com/ is a good security scanner. Here http://www.maxpatrol.com/download/mp7demo.zip is the demo lacking some original heuristic mechanisms, potentially unsafe checks for DoS-vulnerabilities, online updates for vulnerabilities database and some scheduler & reports generating features... but still very useful.