How to check your own server and website. (QGR)

If you have been following the previous QGRs and the past few posts, you will have seen how to install LEMP on Ubuntu and carry out some basic hardening of the OS.

We can verify this internally by checking versions on the server, but how do we get the external view and see what an attacker would see? Again, this does not need to be expensive. Let's dive in and look at some great, freely available tools. One rule before we start: only scan hosts you own or have written permission to test.

Below is a list of free resources we are going to use in this guide.

Nmap free network scanner download

https://nmap.org/

Immuniweb free website scanner

https://www.immuniweb.com/websec

Free web security headers report

https://securityheaders.com/

Free WordPress website scanner

https://wpsec.com

OK, now you have all the links, let’s get started.

nmap

nmap is a free network scanner, and we can use it to verify that our firewall exposes only the ports we intend and that the services listening on them are running current versions. Run it from a machine outside the server's own network (a home connection or a separate VPS), otherwise you are not seeing what the internet sees. Let's fire it up and scan our site.

nmap info.2code-monte.co.uk

This performs a basic scan of the 1000 most commonly used TCP ports on our web server (we will cover more advanced scanning in a later post). The results are shown below.

This shows that, as expected, our server has only 3 ports exposed to the internet. Now let's do a version check on those services by adding the "-sV" flag.

nmap -sV info.2code-monte.co.uk

We can now see the versions. A quick Google shows we are on the latest versions, so we can move on. Two caveats here: the banner reports the upstream version number (for example nginx 1.18.0), but Ubuntu backports security fixes into its packages without changing that number, so the real test of patch level is "apt list --upgradable" on the server itself. And a banner is just a string the service chooses to send, so a version that looks current is a hint, not proof.

If you want to scan all ports, add the "-p" flag and a port range as below ("-p-" is nmap's shorthand for 1-65535):

nmap -p 0-65535 info.2code-monte.co.uk
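Comparing the scan to a list of the ports you meant to open is the step that catches mistakes, so here is an added example (not from the original post) that does that. It parses nmap's grepable output, produced by adding "-oG", and checks the open ports against an allowlist. The report embedded below is a constructed sample with a documentation IP and placeholder hostname, and it deliberately contains an exposed MySQL port so you can see the check fire. The allowlist of 22, 80 and 443 is an assumption: the post says three ports are open but does not name them.

```python
"""Check an `nmap -sV -oG` report against the ports we expect to be open.

Produce a real report with:
    nmap -sV -oG scan.gnmap info.2code-monte.co.uk
and run:  python3 check_ports.py scan.gnmap
"""
import re
import sys

# Assumption: SSH, HTTP and HTTPS are the only services meant to be reachable.
EXPECTED_TCP_PORTS = {22, 80, 443}

# Constructed sample of nmap's grepable (-oG) format. Each port entry is
# port/state/proto/owner/service/rpcinfo/version/ and entries are separated by ", ".
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sV -oG - info.example (constructed sample)\n"
    "Host: 203.0.113.10 (info.example)\tStatus: Up\n"
    "Host: 203.0.113.10 (info.example)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.18.0 (Ubuntu)/, "
    "443/open/tcp//ssl|http//nginx 1.18.0 (Ubuntu)/, "
    "3306/open/tcp//mysql//MySQL 8.0.28-0ubuntu0.20.04.3/"
    "\tIgnored State: closed (996)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# The Ports: line is tab-separated: Host ... \tPorts: <entries>\tIgnored State: ...
PORTS_LINE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {port: {state, proto, service, version}} for every port entry in the report."""
    ports = {}
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # not a well-formed port entry
            # The version field is last and the entry ends with "/", so rejoin and strip it.
            version = "/".join(fields[6:]).rstrip("/")
            ports[int(fields[0])] = {
                "state": fields[1],
                "proto": fields[2],
                "service": fields[4],
                "version": version,
            }
    return ports


def check_scan(text, expected=EXPECTED_TCP_PORTS):
    """Compare the open ports in a -oG report with the allowlist."""
    parsed = parse_gnmap(text)
    open_ports = {p for p, info in parsed.items() if info["state"] == "open"}
    return {
        "open": open_ports,
        "unexpected": open_ports - set(expected),   # exposed but not meant to be
        "missing": set(expected) - open_ports,      # meant to be up but not reachable
        "versions": {p: parsed[p]["version"] for p in sorted(open_ports)},
    }


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GNMAP
    result = check_scan(text)
    for port, version in result["versions"].items():
        print(f"{port:>5}/tcp  {version or '(no banner)'}")
    for port in sorted(result["unexpected"]):
        print(f"UNEXPECTED: {port}/tcp is open but not in the allowlist")
    for port in sorted(result["missing"]):
        print(f"MISSING: {port}/tcp was expected to be open (firewall or service down?)")
    # Banner versions are upstream numbers; Ubuntu backports fixes without changing
    # them, so confirm patch level on the box with `apt list --upgradable` as well.
    return 1 if result["unexpected"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits non-zero when something unexpected is listening, which makes it easy to run from cron or a CI job after every firewall change. The "missing" list is just as useful: if 443 drops out of the scan, your firewall rule or nginx has gone away, and you want to know before your visitors do.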

immuniweb scan

Right, let's go to Immuniweb's site and use the free web scanner to scan our site by selecting "Community Edition" and "Website Security Test".

After around 10 minutes you will get a report as shown below.

This report will provide remediation advice if any issues are found, so have a good read through. We will come back to these reports in later posts to show best-practice configuration and other tips.

Security Headers

Security headers are important for website security, not only for your site but also for anyone who visits it: they are instructions to the visitor's browser, telling it, for example, to only ever use HTTPS for your domain or to refuse to render your pages inside someone else's frame. Browse to the Security Headers website and start a scan. As before, after a short while you will receive a report for your site, as shown below.

This site also has some great resources to help you understand what each finding means and how to remediate any issues. As with the other tests, we will come back to these in the next post.
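To make the report's findings concrete, here is an added example (not from the original post or from securityheaders.com) that performs the same kind of check locally: it reads the response headers from a web server and lists the recommended security headers that are missing, flags weak values, and flags headers that leak version information. The response embedded below is a constructed sample of what a default nginx and PHP installation might send; the header names checked are the ones securityheaders.com reports on, and the one-year HSTS minimum is the value required by the HSTS preload list.

```python
"""Audit HTTP response headers the way securityheaders.com does, offline or live.

Offline: audit_headers(parse_raw_headers(SAMPLE_RESPONSE))
Live:    audit_headers(fetch_headers("https://info.2code-monte.co.uk/"))
"""
import re
import urllib.error
import urllib.request

# Headers a hardened site should send (the set securityheaders.com grades on).
REQUIRED = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
]
ONE_YEAR = 31536000  # HSTS max-age in seconds; the preload list requires at least this

# Constructed sample response from an unhardened LEMP box (HSTS present but too short).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0 (Ubuntu)\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Strict-Transport-Security: max-age=300; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_raw_headers(raw):
    """Parse a raw HTTP response into {lowercased header name: value}; the body is ignored."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()  # repeated names: last wins
    return headers


def audit_headers(headers):
    """Return missing headers, weak values, and version-leaking headers."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in REQUIRED if name.lower() not in h]

    weak = {}
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            weak["Strict-Transport-Security"] = f"max-age should be at least {ONE_YEAR}: {hsts}"
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        weak["X-Content-Type-Options"] = f"expected 'nosniff': {xcto}"
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        weak["X-Frame-Options"] = f"expected DENY or SAMEORIGIN: {xfo}"

    leaking = {}
    server = h.get("server", "")
    if re.search(r"\d", server):  # a version number in Server; nginx fix: server_tokens off;
        leaking["Server"] = server
    if "x-powered-by" in h:  # PHP fix: expose_php = Off in php.ini
        leaking["X-Powered-By"] = h["x-powered-by"]

    return {"missing": missing, "weak": weak, "leaking": leaking}


def fetch_headers(url, timeout=10):
    """Live check: HEAD request against a site you own; returns the same dict shape."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {k.lower(): v for k, v in resp.getheaders()}
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses (e.g. 405 for HEAD) still carry headers worth auditing.
        return {k.lower(): v for k, v in err.headers.items()}


if __name__ == "__main__":
    report = audit_headers(parse_raw_headers(SAMPLE_RESPONSE))
    for name in report["missing"]:
        print(f"MISSING  {name}")
    for name, why in report["weak"].items():
        print(f"WEAK     {name}: {why}")
    for name, value in report["leaking"].items():
        print(f"LEAKING  {name}: {value}")
```

On the sample above the audit reports four missing headers, an HSTS max-age that is far too short, and two headers advertising exact nginx and PHP versions, which is roughly what a fresh LEMP install scores before hardening. The leaking headers are the quick win: "server_tokens off;" in nginx and "expose_php = Off" in php.ini remove the version strings without touching the application.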

WordPress Security

If you are using WordPress and making use of themes and plugins, it is vital that you keep everything up to date: the version of WordPress itself, the active theme, and all plugins you have installed. Inactive themes and plugins still sit on the server as reachable code, so remove any you are not actually using rather than just deactivating them.

Luckily there are free tools for this as well, so let's head over to the wpsec website and launch the scan.

Simply pop in your website URL, tick the box and off we go.

If there are any issues it will tell you on this page, and you can sign up for a free account to receive a more in-depth report.