Apache security. Can not clear some issues.

Hi guys,

I have been using Metasploit, a pen-testing framework, to find all the holes in my server. It then links me to the suggested fixes but even though I am sure I have fixed a bunch of them they are still showing. Can you suggest what I may have missed? Here are the issues that I am sure I have fixed:

Apache Server mod_info is Publicly Accessible SOLVED - server-info was redirecting back to the home page; this confused the scanner

The link advises that I comment out the server-info lines as such:

Code:
      #<Location /server-info>
      #  SetHandler server-info
      #</Location>

Which I have done in ../apache22/extras/http-info.conf

Even after restarting this issue is still reported by Metasploit.

WebDAV Extensions are Enabled SOLVED - As above

The link says to disable mod_dav which I have done by commenting out the DAV lines as such:

Code:
#LoadModule dav_module libexec/apache22/mod_dav.so
#LoadModule dav_fs_module libexec/apache22/mod_dav_fs.so
# Distributed authoring and versioning (WebDAV)
#Include etc/apache22/extra/httpd-dav.conf

I also moved ../apache22/extras/http-dav.conf to ../http-dav.conf.bak

But it is still being reported.


TLS/SSL Server Supports Weak Cipher Algorithms SOLVED - Third-party tool confirms SSLv2 is disabled.

The link says to replace the SSLCipherSuite line in /../apache22/extras/http-ssl.conf with this:

Code:
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

But the issue is still reported :(

These are not particularly difficult things to change. What could I possibly be doing wrong? I have even restarted the server to be sure the changes are picked up. I made an info.php page and cannot see either mod_dav or server-info. Should I just ignore these as false positives?
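The redirect noted in the SOLVED lines is why the findings persisted: a scanner that follows a redirect from /server-info sees the home page's 200 and reports the module as reachable. The sketch below is an added example, not part of the original post or of any scanner. It triages both findings from the first, unfollowed response. The function names, the mod_info marker string and the sample responses are assumptions constructed for illustration.

```python
# Added example: triage two scanner findings from the raw, unfollowed HTTP response.
# The responses at the bottom are constructed samples, not captured traffic.

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Assumption: heading text that mod_info prints on its status page.
MOD_INFO_MARKER = "Apache Server Information"
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def _lower(headers):
    """HTTP header names are case-insensitive; normalise them."""
    return {k.lower(): v for k, v in headers.items()}


def triage_server_info(status, headers, body):
    """Classify the response to GET /server-info."""
    if status in REDIRECT_CODES:
        # A scanner that follows this sees the 200 of the target page instead.
        return "false positive: redirected to " + _lower(headers).get("location", "?")
    if status == 200 and MOD_INFO_MARKER in body:
        return "exposed"
    return "not exposed"


def triage_webdav(status, headers):
    """Classify the response to OPTIONS /."""
    h = _lower(headers)
    if status in REDIRECT_CODES:
        return "false positive: redirected to " + h.get("location", "?")
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",")}
    # mod_dav answers OPTIONS with a DAV header and DAV methods in Allow.
    if "dav" in h or allowed & DAV_METHODS:
        return "enabled"
    return "not enabled"


# Constructed samples: (status, headers, body) or (status, headers)
REDIRECTED = (302, {"Location": "/"}, "")
REAL_INFO = (200, {"Content-Type": "text/html"}, "<h1>Apache Server Information</h1>")
HOME_PAGE = (200, {"Content-Type": "text/html"}, "<h1>Welcome</h1>")
DAV_ON = (200, {"DAV": "1,2", "Allow": "OPTIONS,GET,PROPFIND"})
DAV_OFF = (200, {"Allow": "GET,HEAD,POST,OPTIONS"})

if __name__ == "__main__":
    for sample in (REDIRECTED, REAL_INFO, HOME_PAGE):
        print(triage_server_info(*sample))
    for sample in (DAV_ON, DAV_OFF, REDIRECTED[:2]):
        print(triage_webdav(*sample))
```

Feed it the status, headers and body of the first response only, for example from a client run with redirect following switched off.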
 