Problem: Apache HTTP Server on a web hosting system will undoubtedly run multiple virtual hosts. Each of those virtual hosts logs its activity to a separate location, making it impossible to effectively monitor every log and every virtual host for errors or security issues.
Solution: Use mod_status to monitor Apache’s activities. This Apache module gives the system administrator a real-time view of all of the web server’s activity. It is part of the default Apache 2 package on many Linux systems, and you can enable it by doing the following:
1. Make sure you have the mod_info module loaded:
a2enmod info
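Once the status handler is enabled, the machine-readable report at the configured status location (conventionally /server-status?auto) is what a monitoring job would poll rather than the HTML page. The script below is an added example, not code from the original post: it parses a constructed sample of that ?auto output and raises an alert when the share of busy worker slots crosses a threshold. The 80% threshold and the sample numbers are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a monitoring check for mod_status.
# mod_status serves a plain-text report at <status-location>?auto; this script
# parses that format and alerts when most worker slots are busy.

# Constructed sample of what "curl -s http://localhost/server-status?auto" returns.
# 40 workers sending replies (W), 5 in keep-alive (K), 5 waiting for a connection (_).
SAMPLE_STATUS='Total Accesses: 48213
Total kBytes: 901240
Uptime: 86400
ReqPerSec: .558
BytesPerSec: 10681
BusyWorkers: 45
IdleWorkers: 5
Scoreboard: WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWKKKKK_____'

# busy_percent: read ?auto output on stdin and print the integer percentage of
# worker slots that are busy, i.e. BusyWorkers / (BusyWorkers + IdleWorkers).
busy_percent() {
    awk -F': ' '
        $1 == "BusyWorkers" { busy = $2 }
        $1 == "IdleWorkers" { idle = $2 }
        END {
            total = busy + idle
            if (total == 0) { print 0; exit }   # no workers reported at all
            printf "%d\n", (busy * 100) / total
        }'
}

# check_status THRESHOLD: return 0 when the busy share is below THRESHOLD percent,
# 1 when it is at or above it (usable from cron or a Nagios-style probe).
check_status() {
    threshold="$1"
    pct=$(busy_percent)
    if [ "$pct" -ge "$threshold" ]; then
        echo "ALERT: ${pct}% of Apache workers busy (threshold ${threshold}%)" >&2
        return 1
    fi
    echo "OK: ${pct}% of Apache workers busy"
}

# Stand-alone run against the constructed sample; a live check would pipe in
# the output of curl instead. The sample is 90% busy, so this trips the alert.
printf '%s\n' "$SAMPLE_STATUS" | check_status 80 || echo "would notify the on-call admin"
```

A sustained run of busy workers is as likely to mean a slow back end or a flood of requests against one virtual host as genuine popularity, so the check is a prompt to look at the per-request view, not a verdict. Because that view (with ExtendedStatus on) includes client addresses and request URIs, the Location block that enables the handler should be limited to the hosts that run the monitoring.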
Nginx (pronounced “Engine X”) is a lightweight web server that offers speed and flexibility without all of the extra features that larger web servers like Apache offer. Although it is a free and open source application, CentOS does not offer the latest version in its default YUM repository. To install it, you need to add the EPEL (Extra Packages for Enterprise Linux) repository, which is part of the Fedora Project.
1. Install the EPEL repository:
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5Server/x86_64/epel-release-5-3.noarch.rpm
2. Install Nginx:
# yum install nginx
3. You will be asked to install the GPG key for EPEL. Answer yes.
4. Start Nginx:
# /etc/init.d/nginx start
5. Check the installation by going to your web server’s default site, using either your IP address or your domain name.

Microsoft provides a tool for Windows Server 2008, the Microsoft Baseline Security Analyzer (MBSA), that tests for security misconfigurations. It comes with a graphical interface and a command line interface for both local and remote scans. It looks for vulnerabilities, performs assessment checks, and checks SQL Server 2005.
In addition to Windows Server 2008, MBSA runs on Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 systems. It scans for misconfigurations on Internet Information Server (IIS), SQL Server, Internet Explorer, and MS Office.
MBSA is available for download from the Microsoft website. It is free to download and use on Windows systems. It comes with a readme.html document containing information on system requirements, scan options, and tool support options.
Source: Microsoft

It is very difficult to test a server’s real-world performance under stress. While you could hire a company or an individual to bombard your server, the cost involved may not be worth the results. The open source application curl-loader simulates the load and application behavior of thousands of HTTP/HTTPS and FTP/FTPS clients.
Imagine having your website visited by thousands of visitors at once. Will your website hold up to the stress? Curl-loader allows you to test it and find out. Some of the features include:
Curl-loader is free and open source software released under the GNU GPL, available for download from sourceforge.net.
Source: curl-loader

Over the past year, we have discussed several web servers. For your convenience, here is a quick list of each one we have already mentioned, as well as a couple we did not, including links to their project sites.
Apache - This is the most widely used and the one we have spent the most time covering. It is free and open source and runs on nearly every platform available. It is released under the Apache license.
Microsoft IIS - As Microsoft’s proprietary web server, it only comes with and works on Windows. If for some reason you have to run this but do not have Windows, you will have to consider virtualization.
Sun Java System Web Server - This is Sun’s proprietary web server technology that is primarily intended for Sun appliances. Nevertheless, it is cross-platform, and Sun recently opened some of its code under a BSD license.
Nginx - This is a lightweight web server that runs on both Unix and Windows machines. It has become the fourth most popular HTTP server and is available under a BSD-style license.
Lighttpd - This lightweight HTTP server is designed to take on heavy loads while keeping memory and CPU usage low. It powers YouTube, Wikipedia, and many other high-traffic sites. It is free and open source under a BSD-style license.
Question: How do I restart Apache HTTP Server on a Mac OS X server?
Answer: On Linux and other Unix-based servers, you can start and stop Apache from the command line. If you are familiar with Red Hat-based systems, then you are used to logging in and then using “su” to become root. Mac OS X relies on “sudo”, like many Debian-based systems (such as Ubuntu).
The command for Apache in Mac OS X is “apachectl” (Apache control). To restart Apache, type the following:
$ sudo apachectl restart
To stop Apache, enter:
$ sudo apachectl -k stop
And to start Apache again, type:
$ sudo apachectl -k start
After entering a command with “sudo” you will be prompted for your password. Enter it and continue. You will still need to prefix each command run as root with “sudo”, but it will not ask for the password again until a period of time has passed without any sudo command in that session.
Source: nixCraft
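A habit worth building into the restart step above is to have apachectl validate the configuration first, so that a typo in httpd.conf does not take a running server down. The wrapper below is an added example, not code from the original post or from nixCraft. It assumes apachectl is on the PATH (or is named via the APACHECTL variable) and uses the graceful restart so that requests already in flight are allowed to finish.

```shell
#!/bin/sh
# Added example (not from the original post): restart Apache only after the
# configuration passes apachectl's syntax check.
# APACHECTL defaults to whatever apachectl is on the PATH; override it to point
# at another installation (for example a MacPorts or Homebrew build).
APACHECTL="${APACHECTL:-apachectl}"

# safe_restart: run "configtest" first; only on success issue "-k graceful",
# which lets in-flight requests complete instead of dropping them as a plain
# restart would. Returns non-zero and leaves the running server untouched
# when the configuration is broken.
safe_restart() {
    if ! "$APACHECTL" configtest; then
        echo "configuration check failed; not restarting" >&2
        return 1
    fi
    "$APACHECTL" -k graceful
}

# Stand-alone use: "sudo sh safe_restart.sh restart" (the name is assumed).
case "${1:-}" in
    restart) safe_restart ;;
esac
```

As with the plain commands in the post, the wrapper has to run under sudo, since binding to port 80 and signalling the parent httpd process both require root.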

Yesterday, we took a look at a web application security testing tool, and there are many other tools like it available both for a fee and for free. But there are not many tools available that actually test the web server itself and even fewer that are designed to test a Windows server.
Wikto, which apparently borrowed its name from Nikto (a Unix-based assessment tool), is a free and open source Windows-based web scanner that searches a Windows server environment for potential security issues. Unlike web application scanners that focus on the scripting code, Wikto looks at the web server setup and searches for security problems.
Wikto relies on the .NET environment, and you will need to have .NET installed in order to use it. Full documentation is available on the project’s website. You can download it for free from their website as well.

Any security-minded system administrator has heard of cross-site scripting (XSS). It might even keep you up at night, but there are steps you can take to identify vulnerabilities in your websites and deal with them. One method of finding vulnerabilities is fuzz testing (feeding random or malformed commands and code into web applications to see how they react).
Powerfuzzer is a free web fuzzer that allows administrators to create custom tests for their web applications to identify vulnerabilities. In essence, it is a web application vulnerability scanner. Currently, Powerfuzzer tests for the following security vulnerabilities:
You can download Powerfuzzer from the project’s website. It is free and open source software, released under the GNU General Public License.

Apache HTTP Server gives you the flexibility to decide where you want to store the web-accessible files for your websites. Most operating systems have their own unique directory structure for their default web server installations, but even those can be changed. The Apache default document root is /usr/local/apache/htdocs.
To change the document root, use the following directive in your httpd.conf or virtual host configuration file:
DocumentRoot directory-path
Replace “directory-path” with the path you want to use. For example:
DocumentRoot /var/www/public_html
Make sure you do not have a trailing slash. With this setup, a file such as index.html, found at /var/www/public_html/index.html, will appear on the web at http://www.yourdomain.com/index.html. Whatever directory you choose must be readable, but not writable, by outside users.
Source: Apache.org
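The two requirements in that last paragraph, no trailing slash and a directory that can be read but not written, can be checked before the directive goes into httpd.conf. The function below is an added example, not code from the original post or from the Apache documentation. It rejects a trailing slash or a relative path and then inspects the directory's mode bits: others must be able to read and search it, so an unprivileged httpd can serve from it, and it must not be world-writable, since otherwise any local user could drop files that the server would then publish. Reading the "others" bits assumes the common setup where httpd runs as a user that is neither the owner of the directory nor in its group.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a DocumentRoot
# value before it is written into httpd.conf.

# check_docroot PATH: return 0 when PATH is acceptable; otherwise print the
# reason and return 1.
check_docroot() {
    dir="$1"
    case "$dir" in
        */) echo "reject: trailing slash in '$dir'"; return 1 ;;   # also rejects "/" itself
        /*) ;;                                                      # absolute path, as Apache expects
        *)  echo "reject: '$dir' is not an absolute path"; return 1 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "reject: '$dir' is not a directory"; return 1
    fi
    # -perm -0002 matches when the others-write bit is set (world-writable).
    # find is used instead of "[ -w ]" so the result reflects the mode bits
    # rather than the privileges of whoever runs this script.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
        echo "reject: '$dir' is world-writable"; return 1
    fi
    # -perm -0005: others can read (list) and execute (traverse) the directory,
    # which an httpd running as an unprivileged user needs in order to serve it.
    if [ -z "$(find "$dir" -maxdepth 0 -perm -0005)" ]; then
        echo "reject: '$dir' is not readable and searchable by others"; return 1
    fi
    echo "ok: DocumentRoot $dir"
}

# Stand-alone use: "sh check_docroot.sh /var/www/public_html" (the name is assumed).
if [ $# -gt 0 ]; then
    check_docroot "$1"
fi
```

The check looks only at the top-level directory; files underneath it still need the same care, and a web application that legitimately needs a writable upload area should get a separate directory outside the DocumentRoot rather than loosened permissions on the whole tree.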

Continuing with our series this week on non-Linux operating system servers, today we will learn about FreeBSD. Its proponents (and those of BSD systems in general) call it the most secure and reliable operating system for Internet-connected servers. Several versions of Apache are available through its ports collection. Here is a quick guide to getting the one you want installed.
1. Make sure your ports collection is up to date:
# portsnap fetch update
2. Using ports, install Apache (2.2 in this example):
# cd /usr/ports/www/apache22/
# make install clean
It will take a minute to go through the installation, and it will prompt you for configuration options along the way. You will also need to configure Apache’s httpd.conf file as you would on a Linux server. If you would like a more in-depth guide to the specifics of that configuration, see the nixCraft article on the subject.

Question: How do I setup remote management of an IIS 7 server on Windows Server 2008?
Answer: By default, remote management is turned off. Therefore, you must turn it on before you can use any of its features. Although IIS is available for Vista and other versions of Microsoft Windows, remote management only works on Windows Server. You can set up remote management with a few easy steps:
1. Install the service called Web Management Service (WMSVC).
2. Turn on remote connections.
3. Set any other configurations you desire, such as ports, IP address and domain settings.
4. Start the WMSVC service. You can also set it to start up automatically at boot.
A full detailed description of each step is available on the Learn IIS website.
Tomorrow, we will learn about using the remote management software.

Question: How do I install FTP on IIS 7.5 in Windows?
Answer: IIS (Internet Information Services) is a set of Microsoft’s Internet-based services. As a web server, it is second only to Apache HTTP Server, serving 29% of all websites. In addition to HTTP services, it also includes FTP. On Windows Server 2008, installing FTP is pretty painless. Just follow these easy steps:
1. Click Start on the taskbar and select Administrative Tools -> Server Manager.
2. In the Server Manager window, click Roles to expand it and then select Web Server (IIS).
3. Now in the Web Server (IIS) pane, go to Role Services and click Add Role Services.
4. Now expand FTP Server in the Select Role Services page.
5. Choose FTP Service and click Next.
6. Finally, click Install and Close.
It is that simple. Now, you should have an FTP service running and ready to start receiving clients. In a future post, we will learn how to configure an FTP server.
Source: Learn IIS