These guys. They have a free option that seems reasonably thorough. Brought my site down anyways. https://scanmyserver.com/
Eventually I plan to have a few different scans going, but for now I just want to get past this one. It picked up some interesting things too. Like a PHP easter egg that had the potential to be exploited (along with instructions on how to turn it off) and my robots.txt file exposing some rather sensitive files I had lying about.

On Tue, Jan 14, 2014 at 8:00 AM, Richard K Miller <[email protected]> wrote:

> On a side note, can I ask what security scanning service you're using?
>
> Richard
>
>
> On Jan 14, 2014, at 4:16 AM, "S. Dale Morrey" <[email protected]> wrote:
>
> > I'm building an online service. I expect that this may have to scale to
> > tens of thousands of users. For the sake of having a drop-dead simple
> > deployment, I decided to build the website front end on top of Drupal (the
> > service itself is linked to from the site, but is actually delivered by
> > node.js and thus wasn't part of this particular test).
> >
> > I have had all kinds of fun in the past with PHP/MySQL and even Drupal
> > vulnerabilities, so I decided to sign the site up for regular security
> > scanning. The scanner just fired up for the first time and when it was
> > complete my site had essentially become non-responsive. (Strangely the
> > security scanner marked the site as having passed though.)
> >
> > Logging in via SSH showed quite literally hundreds and hundreds of
> > <defunct> apache processes. I'm guessing that they were stress testing the
> > site and obviously the site fell down.
> >
> > What bothers me is that there were hundreds of apache processes just
> > sitting there dead. Since the box is only a single core with the ability
> > to use up to 2 in a burst type situation (Amazon EC2 t1.micro to be
> > exact), I don't really see the advantage of spinning up a whole new
> > process just to deal with a new connection. Seems like death by a thousand
> > paper cuts to me.
> >
> > I'm aware that node spins a new thread but not a new process. I would
> > think that apache would have a mode to do that as well. Is there any
> > advantage to 1 process per connection? Is there possibly a better
> > configuration I could try that would allow it to handle the load better?
> >
> > I'm aware that if the website is going to be under regular heavy load that
> > there are some really important steps I can take such as serving static
> > content from a CDN, putting the site behind an autoscaling load balancer,
> > etc. Those are in the works, but before I do all of that I want to make
> > sure I have the best apache config I can considering the hardware
> > limitations. This way we only scale once we've made the most effective use
> > of hardware.
> >
> > FYI the server is running Ubuntu 12.04 with all the latest updates
> > applied. Apache config is stock; I'm even serving content right out of
> > /var/www. Same with PHP. The DB server is on its own separate instance
> > and is MySQL 5.6 managed by Amazon Simple RDS.
> >
> > Thanks in advance!

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
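The question buried in the quoted post (why does a stock Apache fork itself to death on a t1.micro when a scanner opens a few hundred connections, and what config would survive it) comes down to MaxClients being sized for the box's memory rather than left at the Ubuntu default. The script below is an added example, not the poster's setup and not anything from the scanner or the list: a POSIX shell script that counts defunct apache2 workers from `ps` output, measures the average resident size of the live workers, derives a MaxClients that fits in RAM, and prints a prefork stanza using Apache 2.2 directive names. The memory figures (about 615 MB total, 150 MB held back for the OS), the stock MaxClients of 150, and the `ps` sample are assumptions or constructed data, marked as such in the comments.

```shell
#!/bin/sh
# Added example for the thread above, not the poster's own configuration.
# Sizes Apache 2.2's prefork MPM (the MPM mod_php forces you into) to the RAM
# actually on the box, so a scanner's connection flood queues at MaxClients
# instead of forking the host into swap. Paths and numbers assume an Ubuntu
# 12.04 box the size of a t1.micro (hypothetical).

# Count apache2 workers in the zombie state: ps STAT column starts with 'Z'.
# $1 is text in the shape of `ps -o pid,stat,rss,comm -C apache2` output.
count_defunct() {
    printf '%s\n' "$1" | awk '$2 ~ /^Z/ && $4 ~ /apache2/ { n++ } END { print n + 0 }'
}

# Average resident size (KB) of the live (non-zombie) apache2 workers.
# Zombies report RSS 0, so they are excluded rather than dragging the mean down.
avg_rss_kb() {
    printf '%s\n' "$1" | awk '$2 !~ /^Z/ && $4 ~ /apache2/ { s += $3; n++ }
                               END { print (n ? int(s / n) : 0) }'
}

# MaxClients = (RAM - headroom for the OS and everything else) / worker RSS.
# All three arguments in KB; result is a whole number of workers.
suggest_max_clients() {
    echo $(( ($1 - $2) / $3 ))
}

# Emit a prefork stanza with Apache 2.2 directive names (MaxClients, not the
# 2.4 MaxRequestWorkers), ready to paste over the stock block in
# /etc/apache2/apache2.conf. ServerLimit is set too: MaxClients cannot exceed it.
prefork_stanza() {
    cat <<EOF
<IfModule mpm_prefork_module>
    StartServers          2
    MinSpareServers       2
    MaxSpareServers       4
    ServerLimit           $1
    MaxClients            $1
    MaxRequestsPerChild   500
</IfModule>
EOF
}

# Constructed sample: three live workers and two defunct ones.
SAMPLE_PS='1234 Ss 18200 apache2
1235 S  23100 apache2
1236 S  24300 apache2
1237 Z      0 apache2 <defunct>
1238 Z      0 apache2 <defunct>'

# Stock Ubuntu 12.04 apache2.conf ships MaxClients 150; at roughly 25 MB per
# mod_php worker that is about 3.7 GB of RAM on a box with about 615 MB.
MEM_TOTAL_KB=629000   # t1.micro order of magnitude (assumption)
RESERVE_KB=150000     # kernel, sshd, cron, page cache headroom (assumption)

# Pass --live on the real box to read ps and /proc/meminfo instead of the sample.
if [ "$1" = "--live" ]; then
    SAMPLE_PS=$(ps -o pid,stat,rss,comm -C apache2 | tail -n +2)
    MEM_TOTAL_KB=$(awk '/MemTotal/ { print $2 }' /proc/meminfo)
fi

echo "defunct apache2 workers: $(count_defunct "$SAMPLE_PS")"
RSS=$(avg_rss_kb "$SAMPLE_PS")
echo "average live worker RSS: ${RSS} KB"
MC=$(suggest_max_clients "$MEM_TOTAL_KB" "$RESERVE_KB" "$RSS")
echo "suggested MaxClients: ${MC} (stock Ubuntu value is 150)"
prefork_stanza "$MC"
```

Two caveats worth keeping in mind when reading the numbers. The `<defunct>` entries themselves hold no memory; they are children that have exited and not yet been reaped by the parent, so the damage was done by the live workers that ran before them, which is why the sizing uses live RSS only. And the one-process-many-threads model the post asks about does exist in Apache (the worker and event MPMs), but Ubuntu's mod_php is not built thread-safe and its package conflicts with those MPMs, so switching means moving PHP out to php5-fpm behind mod_fastcgi; a correctly sized prefork is the cheaper first step and already stops a scan from taking the box down.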
