Web Server Security and Database Server Security

Posted by Newbiepost On March - Monday - 2011

Various high-profile hacking attacks have proven that web security remains the most critical issue to any business that conducts its operations online. Web servers are one of the most targeted public faces of an organization, because of the sensitive data they usually host. Securing a web server is as important as securing the website or web application itself and the network around it. If you have a secure web application and an insecure web server, or vice versa, it still puts your business at a huge risk. Your company’s security is as strong as its weakest point.


Update Nice.rsc Mikrotik v.4.13

Posted by Newbiepost On March - Monday - 2011

Network administrators who use Mikrotik v4.13 may have difficulty with the nice.rsc automatic update, because I did too. After I upgraded Mikrotik from version 3 to version 4, nice.rsc could not update automatically; this is probably because a few commands were missing from or added to the new version of Mikrotik. After looking at forums on the internet I finally found an article; unfortunately I forgot its link address, so I cannot specify the address here, but its conclusion was that in the firewall - mangle settings nothing changed, except that the existing system scheduler command that downloads nice.rsc automatically needs an addition.


Top 5 Network Security Tools

Posted by newbiepost On 5:03 AM 0 comments

Please send updates and suggestions (or better tool logos) to Fyodor. If your tool is featured or you think your site visitors might enjoy this list, you are welcome to use our link banners. Here is the list, starting with the most popular:

1. Nessus : Premier UNIX vulnerability assessment tool
Nessus was a popular free and open source vulnerability scanner until they closed the source code in 2005 and removed the free "registered feed" version in 2008. A limited “Home Feed” is still available, though it is only licensed for home network use. Some people avoid paying by violating the “Home Feed” license, or by avoiding feeds entirely and using just the plugins included with each release. But for most users, the cost has increased from free to $1200/year. Despite this, Nessus is still the best UNIX vulnerability scanner available and among the best to run on Windows. Nessus is constantly updated, with more than 20,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.

2. Wireshark : Sniffing the glue that holds the Internet together
Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).

3. Snort : Everyone's favorite open source IDS
This lightweight network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Also check out the free Basic Analysis and Security Engine (BASE), a web interface for analyzing Snort alerts.
Open source Snort works fine for many individuals, small businesses, and departments. Parent company SourceFire offers a complementary product line with more enterprise-level features and real-time rule updates. They offer a free (with registration) 5-day-delayed rules feed, and you can also find many great free rules at Bleeding Edge Snort.

4. Netcat : The network Swiss army knife
This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections. The original Netcat was released by Hobbit in 1995, but it hasn't been maintained despite its immense popularity. It can sometimes even be hard to find nc110.tgz. The flexibility and usefulness of this tool have prompted people to write numerous other Netcat implementations - often with modern features not found in the original. One of the most interesting is Socat, which extends Netcat to support many other socket types, SSL encryption, SOCKS proxies, and more. It even made this list on its own merits. There is also Chris Gibson's Ncat, which offers even more features while remaining portable and compact. Other takes on Netcat include OpenBSD's nc, Cryptcat, Netcat6, PNetcat, SBD, and so-called GNU Netcat.

5. Metasploit Framework : Hack the Planet
Metasploit took the security world by storm when it was released in 2004. No other new tool even broke into the top 15 of this list, yet Metasploit comes in at #5, ahead of many well-loved tools that have been developed for more than a decade. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. Similar professional exploitation tools, such as Core Impact and Canvas already existed for wealthy users on all sides of the ethical spectrum. Metasploit simply brought this capability to the masses.


Although securing a web server can be a daunting operation and requires specialist expertise, it is not an impossible task. Long hours of research and an overdose of coffee and take-away food can save you from long nights at the office, headaches and data breaches in the future. Regardless of what web server software and operating system you are running, an out-of-the-box configuration is usually insecure. Therefore one must take some necessary steps in order to increase web server security. Below is a list of tasks one should follow when securing a web server.

1. Remove unnecessary services
Default operating system installations and configurations are not secure. In a typical default installation, many network services which won’t be used in a web server configuration are installed, such as remote registry services, the print server service, RAS, etc. The more services running on an operating system, the more ports will be left open, thus leaving more open doors for malicious users to abuse. Switch off all unnecessary services and disable them, so that the next time the server is rebooted they are not started automatically. Switching off unnecessary services will also give an extra boost to your server’s performance by freeing some hardware resources.

2. Remote access
Although it is not always practical nowadays, when possible server administrators should log in to web servers locally. If remote access is needed, one must make sure that the remote connection is secured properly, by using tunneling and encryption protocols. Using security tokens and other single sign-on equipment and software is a very good security practice. Remote access should also be restricted to a specific number of IPs and to specific accounts only. It is also very important not to use public computers or public networks, such as internet cafés or public wireless networks, to access corporate servers remotely.

3. Separate development / testing / production environment
Since it is easier and faster for a developer to develop a newer version of a web application on a production server, it is quite common that development and testing of web applications are done directly on the production server itself. It is a common occurrence on the internet to find newer versions of a specific website, or some content which should not be available to the public, in directories such as /test/, /new/ or other similar sub-directories. Because such web applications are in their early development stages, they tend to have a number of vulnerabilities, lack input validation and do not handle exceptions appropriately. Such applications could easily be discovered and exploited by a malicious user using freely available tools on the internet.
To further ease the development and testing of web applications, developers tend to develop specific internal applications that give them privileged access to the web application, databases and other web server resources, which a normal anonymous user would not have. Such applications usually do not have any kind of restriction, since they are just test applications that should be accessed by the developers only. Unfortunately, if development and testing are done on a production server, such applications can easily be discovered by a malicious user, which could help him compromise and gain access to the production server.
Ideally, development and testing of web applications should always be done on servers isolated from the internet, and should never use or connect to real-life data and databases.

4. Web application content and server-side scripting
The web application or website files and scripts should always be on a separate partition or drive from that of the operating system, logs and any other system files. Through experience we’ve learnt that hackers who gained access to the web root directory were able to exploit other vulnerabilities, go a step further and escalate their privileges to gain access to the data on the whole disk, including the operating system and other system files. From there onwards, the malicious user is able to execute any operating system command, resulting in complete control of the web server.

5. Permissions and privileges
File and network service permissions play a vital role in web server security. If a web server engine is compromised via network service software, the malicious user can use the account under which the network service is running to carry out tasks, such as executing specific files. Therefore it is very important to always assign the least privileges needed for a specific network service, such as the web server software, to run. It is also very important to assign the minimum privileges to the anonymous user that are needed to access the website, the web application files and also the backend data and databases.

6. Install all security patches on time
Although having fully patched software does not necessarily mean your server is fully secure, it is still very important to update your operating system and any other software running on it with the latest security patches. Up until this day, hacking incidents still occur because hackers took advantage of and exploited unpatched servers and software.

7. Monitor and audit the server
All the logs present on a web server should ideally be stored in a segregated area. All network service logs, website access logs, database server logs (e.g. Microsoft SQL Server, MySQL, Oracle) and operating system logs should be monitored and checked frequently. One should always be on the lookout for strange log entries. Log files tend to give all the information about an attempted attack, and even about a successful attack, but most of the time these are ignored. If one notices strange activity in the logs, this should immediately be escalated so the issue can be investigated to see what is happening.

8. User accounts
Unused default user accounts created during an operating system install should be disabled. There is also a long list of software that creates user accounts on the operating system when installed. Such accounts should also be checked properly and their permissions changed as required. The built-in administrator account should be renamed and is not to be used; the same goes for the root user on a Linux / Unix installation. Every administrator accessing the web server should have his own user account, with the correct privileges needed. It is also a good security practice not to share user accounts with each other.

9. Remove all unused modules and application extensions
A default Apache installation has a number of pre-defined modules enabled which, in a typical web server scenario, are not used unless they are specifically needed. Turn off such modules to prevent targeted attacks against them.
The same applies to Microsoft’s web server, Internet Information Services (IIS). By default, IIS is configured to serve a large number of application types, e.g. ASP, ASP.NET and more. The list of application extensions should only contain the extensions the website or web application will be using. Every application extension should also be restricted to specific HTTP verbs only, where possible.

10. Use security tools provided with web server software
Microsoft released a number of tools to help administrators secure IIS web server installations, such as URLScan. There is also a module called mod_security for Apache. Although configuring such tools is a tedious process and can be time consuming, especially with custom web applications, they do add an extra bit of security and peace of mind.

11. Stay informed
Nowadays, information and tips on the software and operating system being used can be found freely on the internet. It is very important to stay informed and learn about new attacks and tools, by reading security related magazines and subscribing to newsletters, forums or any other type of community.

12. Use Scanners
Scanners are handy tools that help you automate and ease the process of securing a web server and web applications. Acunetix Web Vulnerability Scanner is also shipped with a port scanner, which when enabled will port scan the web server hosting the web application being scanned. Similar to a network security scanner, Acunetix WVS will launch a number of advanced security checks against the open ports and network services running on your web server.


Firefox 4 sets unofficial download record

Posted by newbiepost On 5:41 AM 0 comments

Mozilla set an unofficial record for software downloads on the second day of Firefox 4's launch, the company said Friday. In the 24 hours from early Wednesday to early Thursday, users downloaded 8.75 million copies of the new browser, an uptick from the 7.1 million logged by Firefox 4 on its first day. Last week's one-day tally broke the record established by Firefox 3.0 in mid-2008 when that browser was downloaded more than 8 million times within 24 hours. Then, Mozilla ran a "Download Day" campaign that resulted in a certified Guinness World Record. Mozilla launched the final version of Firefox 4 around 6:30 a.m. PT Tuesday after more than a year of development.
Although Firefox 4's downloads bested Firefox 3's record, the achievement won't be official. In 2008, a Guinness representative monitored Mozilla's download servers to audit the number; no on-site official was present at Mozilla last week, a company spokeswoman said.
Firefox also thrashed Microsoft's Internet Explorer 9 (IE9) on the download count. Last week's 8.75 million for Firefox 4 was almost four times the 2.4 million Microsoft touted the week before as the 24-hour count for IE9 when it launched March 14.
That didn't surprise one analyst, who cited pent-up demand for Firefox because of several months' worth of delays, and the difference between Firefox and IE9 users.
"The Firefox user base is primarily power user, with a much smaller percentage of corporate users compared with IE9," said Al Hilwa, an analyst with IDC. "Most large IE9 corporate users [work in] lock-downed environments, and so upgrading is under IT control and, thus, slower."
The advantage also goes to Firefox 4 because it runs on Windows XP, the 10-year-old operating system that IE9 has left behind. "Supporting XP will ultimately lead to improving share for Firefox 4 as HTML5 proliferates and users with XP machines want to participate in that," Hilwa said.
According to Web metrics company Net Applications, XP currently accounts for more than 61% of all copies of Windows in use.
Unlike IE9, Firefox 4 also runs on Mac OS X and Linux.
Because of those advantages, Hilwa has high hopes for Firefox. "All indications are that Firefox 4 will end up being a blockbuster release for [Mozilla], helping them gain their mojo back at least for some time to come."
As of 3:30 p.m. ET Sunday, Mozilla's real-time scoreboard claimed that over 35 million copies of Firefox 4 had been downloaded since Tuesday.


Update Nice.rsc Mikrotik v.4.13 (This Work)

Posted by newbiepost On 8:37 PM 0 comments

Network administrators who use Mikrotik v4.13 may have difficulty with the nice.rsc automatic update, because I did too. After I upgraded Mikrotik from version 3 to version 4, nice.rsc could not update automatically; this is probably because a few commands were missing from or added to the new version of Mikrotik. After looking at forums on the internet I finally found an article; unfortunately I forgot its link address, so I cannot specify the address here, but its conclusion was that in the firewall - mangle settings nothing changed, except that the existing system scheduler command that downloads nice.rsc automatically needs an addition, namely:
Code:
mode=http

Copy and paste the following commands into the system scheduler of your Mikrotik:

# delete the old copy of nice.rsc if one is still on the router
:if ([:len [/file find name=nice.rsc]] > 0) do={/file remove nice.rsc};
# download the new nice.rsc over HTTP (mode=http is the addition needed on v4)
/tool fetch address=ixp.mikrotik.co.id src-path=/download/nice.rsc mode=http;
# import the downloaded address list into the router
/import nice.rsc;
:log info "===== update nice done!. ====="

From the cases I have experienced, most agencies have multiple servers for their data processing needs; they just do not have a number of public IPs matching the servers they operate. This happens because the provider usually gives only one public IP to its customers, unless the customer is able to pay more for several public IPs.
Of course this is a constraint when we want to reach a server from outside the server's own network, so I will try to explain a network topology that works around this problem.
First, look at the image below:

Pictured above is the network topology of one of the institutions that has the problem I mentioned above. We can see that a Mikrotik router is used to organize and divide the network at this institution.
Now look at the image below:

The above picture shows the network from the upstream (parent) link down to the clients; the weakness of such a system is of course that only the router has a public IP. For more details, see the image below:

So the picture above shows that only one public IP is shared: in the Mikrotik firewall, every private IP is NATed to that single public IP with the command ip nat masquerade.
NAT masquerade lets the clients be identified by my public IP alone when they go out to public IPs, but only the router can be reached from outside, while a client that is used as a server cannot be accessed from outside.

Note the following images:

And a solution to this problem is as follows:

The picture above shows that port forwarding is applied on the router: even though we have only one public IP, we can use port forwarding to the client so that the server can be accessed from outside.
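As an added example (not the post's own configuration, whose screenshots are not included), the masquerade rule described above together with the port forward that exposes one internal server on the single public IP, plus filter rules so that nothing else on the LAN becomes reachable. The interface names, the LAN range and the server address are assumptions.

```routeros
# Added example, not the post's own configuration. Assumed layout: the one
# public IP is on ether1 (ISP side), the LAN 192.168.1.0/24 is on ether2,
# and the internal web server is 192.168.1.10.

/ip firewall nat
# srcnat masquerade: every LAN client leaves through the single public IP
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="share the one public IP"
# dstnat port forward: connections arriving on the public IP, TCP port 80,
# are redirected to the internal server; this is what makes a server with
# only a private IP reachable from outside
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=80 \
    comment="forward HTTP to the internal server"

/ip firewall filter
# let replies and already-accepted connections pass
add chain=forward connection-state=established,related action=accept
# from the ISP side, allow only the forwarded service to the server
add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=192.168.1.10 dst-port=80 action=accept
# drop every other new connection coming in from the ISP side, so the
# port forward exposes exactly one port and nothing else on the LAN
add chain=forward in-interface=ether1 connection-state=new action=drop
```

Each additional service on an internal server needs its own dstnat rule and matching forward accept rule; the final drop stays last so the LAN is never exposed by accident.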