Archive for the ‘Tools’ Category
Last year Zone-H reported a record number of 1.5 million website defacements. 1 million of those websites were running Apache.
When it comes to configuring a web server, some people tend to turn everything on by default. Developers are happy because the functionality that they wanted is available without any extra configuration, and there is a reduction in support calls due to functionality not working out-of-the-box. This has proven to be a major source of problems for security in general. A web server should start off with total restriction and then access rights should be applied appropriately.
You can check whether your web server is correctly configured by using Nikto, a great open source vulnerability scanner that is able to check for quite a large number of web server vulnerabilities. From their site:
“Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.”
I’m going to run a default scan by just supplying the IP of the target:
```
$ cd nikto-2.1.4
$ ./nikto.pl -h 127.0.0.1
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost.localdomain
+ Target Port:        80
+ Start Time:         2011-12-12 13:06:59
---------------------------------------------------------------------------
+ Server: Apache
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 6448 items checked: 0 error(s) and 0 item(s) reported on remote host
+ End Time:           2011-12-12 13:08:07 (68 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
By looking at the last section of the Nikto report, I can see that there are no issues that need to be addressed.
Nicholas Tang wrote a nice little perl script that shows a basic memcached top display for a list of servers. You can specify thresholds, for instance, and it’ll change color to red if you exceed the thresholds. You can also choose the refresh/sleep time, and whether to show immediate (per second) stats, or lifetime stats.
To install it you only need to download the script and make it executable:
```
$ curl http://memcache-top.googlecode.com/files/memcache-top-v0.6 > ~/bin/memcache-top
$ chmod +x ~/bin/memcache-top
$ memcache-top --sleep 3 --instances 10.50.11.3,10.50.11.4,10.50.11.5
```
Here’s some sample output:
```
memcache-top v0.6       (default port: 11211, color: on, refresh: 3 seconds)

INSTANCE                USAGE   HIT %   CONN    TIME    EVICT/s GETS/s  READ/s  WRITE/s
10.50.11.3:11211        88.9%   69.7%   1661    0.9ms   0.3     47      13.9K   9.8K
10.50.11.4:11211        88.8%   69.9%   2121    0.7ms   1.3     168     17.6K   68.9K
10.50.11.5:11211        88.9%   69.4%   1527    0.7ms   1.7     48      14.4K   13.6K

AVERAGE:                84.7%   72.9%   1704    1.0ms   1.3     69      13.5K   30.3K

TOTAL:          19.9GB/ 23.4GB          20.0K   11.7ms  15.3    826     162.6K  363.6K
(ctrl-c to quit.)
```
Yesterday an interesting HTTP DoS tool was released. The tool performs a Denial of Service attack on Apache (and some other, see below) servers by exhausting the available connections. While there are a lot of DoS tools available today, this one is particularly interesting because it holds connections open while sending incomplete HTTP requests to the server.
When you profile a web page with Page Speed, it evaluates the page’s conformance to a number of different rules. These rules are general front-end best practices you can apply at any stage of web development. Google provides documentation of each of the rules, so whether or not you run the Page Speed tool, you can refer to these pages at any time.
The best practices are grouped into five categories that cover different aspects of page load optimization:
- Optimizing caching: Keeping your application’s data and logic off the network altogether
- Minimizing round-trip times: Reducing the number of serial request-response cycles
- Minimizing request size: Reducing upload size
- Minimizing payload size: Reducing the size of responses, downloads, and cached pages
- Optimizing browser rendering: Improving the browser’s layout of a page
TypeFriendly is a documentation generation script written in PHP5. It was designed to be easy to use and lets you get the first results immediately, a couple of minutes after you start the work. The script contains everything you need to write clear, multilingual documentation for your project, so that you do not have to code everything on your own.
The most important features of TypeFriendly:
- Modular documentation structure – it is generated from text files and the structure and navigation are generated from the file names.
- Simple syntax – the text is written in intuitive and clean Markdown syntax.
- Multilingual support and tools – TypeFriendly allows you to create your manuals in many language versions. It also contains a tool that shows whether the derived languages are up-to-date.
- Configurable output formats – currently, TypeFriendly is able to generate the documentation in XHTML (many pages) and XHTML (single page). There is also a third format – metadata – still under development. It will allow importing the docs into a database in order to make an on-line version with, for example, user comments.
- Various add-ons such as syntax highlighting, references, class description fields.
- Navigation generators.
- It is portable – works under Linux, FreeBSD and Windows. All you need is the PHP interpreter available.
TypeFriendly is distributed under the terms of GNU General Public License 3, which means that you can use, modify and share it for free.
Meet TYPOlight, a powerful Web content management system that specializes in accessibility (back end and front end) and uses XHTML and CSS to generate W3C/WAI compliant pages.
A growing number of countries around the world have introduced legislation which either directly addresses the need for websites to be accessible to people with disabilities, or which addresses the more general requirement for people with disabilities not to be discriminated against. TYPOlight does not treat accessibility as just an additional feature and is thoroughly accessible.
- Different page types
- Multiple websites in one tree
- Manual or timed publication
- Hidden pages
- Password protect pages
- Clipboard feature
- Edit multiple records
- Built-in rich text editor (TinyMCE)
- Different content elements and modules
- Multilingual spellchecker
- Insert tags (similar to server side includes)
- Manual or timed publication
- Multiple file uploads
- Image thumbnails and file preview
- Edit uploaded files with the source editor
- File operation permissions
- Copy, move, rename files or folders
- Delete folders recursively
- Automatic input validation
- Store uploaded files on the server
- Send form data via e-mail
- Send uploaded files as e-mail attachment
- Automatic page indexing
- Search indexing on protected pages
- Phrase search, wildcard search, AND/OR search
- Search result caching and pagination
Full feature list
- Intuitive user interface
- Accessible XHTML strict output
- Meets W3C/WAI requirements
- Web 2.0 support (mootools-based)
- Live update service
- Accessible administration area
- Multiple back end languages and themes
- Generates search engine friendly URLs
- Multi-language support
- Powerful permission system
- Versioning and undo management
- Advanced search and sorting options
- Front end output 100% template based
- Automatic e-mail encryption (spam protection)
- Supports SMTP in addition to PHP’s mail function
- Supports multiple websites in one tree
- Supports GZip compression
- Print articles as PDF
- Open Source (LGPL)
- Web-based administration
- Platform independent
- Over 150 third party extensions
- Multilingual documentation
phpWatch is a general purpose service monitor that is able to send notifications of outages via e-mail or text-message (SMS). The purpose of this system is to allow administrators to easily check the status of many different services running on any number of servers and also allow developers to interface with the query and notification APIs.
The basic installation is very simple: chmod config.php to 777 and simply navigate to the install directory in your browser. Fill in the database information and the setup will create the required tables and set up the configuration file as needed. (Once the installer has written config.php, restore restrictive permissions on it; a world-writable configuration file should not stay that way in production.) The only required task beyond the automated install is to add cron.php as a cron job (Unix/Linux) or scheduled task (Windows).
phpWatch uses pre-existing SMS gateways provided by the cell-carriers themselves. For example, to send a message to a Verizon subscriber with the phone number 123-456-7890, an e-mail can be sent to firstname.lastname@example.org and it will then be forwarded to the individual’s phone.
As commercial book publishing crashes, personal book publishing is booming. Blurb is an online application which can be used to design and print your books in professional looking formats. Blurb makes it easier for you to write, share, promote and sell your own books.
Blurb BookSmart software is the most straightforward and easy to use software available. Multiple demos and tutorials are available, showcasing the potential that each Blurb book offers. Some of the books you buy on Amazon are manufactured with this same technology. You just can’t tell the difference!
From their site:
Holding a finished book with your name on the cover is a truly amazing feeling; it’s one of those experiences everyone should have. As software people, designers and publishing professionals at the top of our game, we realized something both incredible and obvious: there’s no good reason why it should take tons of time, technical skills, big bucks or friends in high places to publish a book. Or a zillion books, for that matter.
- Design your book with free software
- Print your book by ordering online (you can order as few as a single copy)
- Books created are of bookstore quality
- Free to register and design books
- Use the site to promote your books
- Print your books with or without the Blurb Logo
Time to write some books :)
Here’s the thing: you’re developing a server-deployed application, it could be a web application but it doesn’t have to be, and you’re probably deploying to more than one server. Even if you just have one server to deploy to, it still gets tiresome in the long run to build your project, fire up your favorite SFTP utility, upload your build, log in to the server with SSH, possibly stop the server, deploy the build, and finally start the server again.
What we’d like to do, is to build, upload and deploy our application with a single command line. Fabric is a tool that, at its core, logs into a number of hosts with SSH, and executes a set of commands, and possibly uploads or downloads files.
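As an added example (not code from the original post or from the Fabric project), here is a Fabric 1.x fabfile that turns the build, upload, stop, deploy, start cycle described above into a single `fab deploy` command and verifies the uploaded artifact's SHA-256 on each host before unpacking it. The host names, build command, paths and service name are assumptions for illustration.

```python
# Assumed Fabric 1.x API (put/run/sudo/settings); hosts, paths and service
# name below are placeholders, not values from the original post.
import hashlib
import os
import subprocess

HOSTS = ["app1.example.invalid", "app2.example.invalid"]  # assumed hosts
BUILD_CMD = ["make", "dist"]                               # assumed build step
ARTIFACT = "dist/myapp.tar.gz"                             # assumed build output
REMOTE_DIR = "/srv/myapp"                                  # assumed install dir
SERVICE = "myapp"                                          # assumed init service

def sha256_of(path):
    """Digest of the local artifact; re-checked on the remote after upload."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def deploy_plan(artifact, digest, remote_dir, service):
    """Remote command sequence as (kind, command) pairs, where kind is
    'run' or 'sudo'. Kept free of Fabric calls so it can be unit-tested
    without SSH access or Fabric installed."""
    name = os.path.basename(artifact)
    remote_file = "%s/%s" % (remote_dir, name)
    return [
        # Refuse to deploy a corrupted or tampered upload.
        ("run",  "echo '%s  %s' | sha256sum -c -" % (digest, remote_file)),
        ("sudo", "service %s stop" % service),
        ("run",  "tar -xzf %s -C %s" % (remote_file, remote_dir)),
        ("sudo", "service %s start" % service),
    ]

def build():
    """Run the local build and return the artifact's digest."""
    subprocess.check_call(BUILD_CMD)
    return sha256_of(ARTIFACT)

def deploy():
    """Fabric task: `fab deploy` builds once, then pushes to every host."""
    from fabric.api import put, run, settings, sudo  # imported here so the
    digest = build()                                 # plan helper stays
    plan = deploy_plan(ARTIFACT, digest, REMOTE_DIR, SERVICE)  # importable
    for host in HOSTS:                               # without Fabric
        with settings(host_string=host):
            put(ARTIFACT, REMOTE_DIR)
            for kind, cmd in plan:
                (sudo if kind == "sudo" else run)(cmd)
```

Because the checksum step uses `sha256sum -c`, a mismatch makes Fabric abort before the service is stopped, so a bad upload never takes a host down.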