Apache Security

Larger Cover

Apache Security

By Ivan Ristic

Publisher: O'Reilly Media

Released: February 2005

Pages: 432

With more than 67% of web servers running Apache, it is by far the most widely used web server platform in the world. Apache has evolved into a powerful system that easily rivals other HTTP servers in terms of functionality, efficiency, and speed. Despite these impressive capabilities, though, Apache is only a beneficial tool if it's a secure one.

To be sure, administrators installing and configuring Apache still need a sure-fire way to secure it--whether it's running a huge e-commerce operation, corporate intranet, or just a small hobby site.

Our new guide, Apache Security, gives administrators and webmasters just what they crave--a comprehensive security source for Apache. Successfully combining Apache administration and web security topics, Apache Security speaks to nearly everyone in the field. What's more, it offers a concise introduction to the theory of securing Apache, as well as a broad perspective on server security in general.

But this book isn't just about theory. The real strength of Apache Security lies in its wealth of interesting and practical advice, with many real-life examples and solutions. Administrators and programmers will learn how to:

install and configure Apache
prevent denial of service (DoS) and other attacks
securely share servers
control logging and monitoring
secure custom-written web applications
conduct a web security assessment
use mod_security and other security-related modules

And that's just the tip of the iceberg, as mainstream Apache users will also gain valuable information on PHP and SSL/ TLS. Clearly, Apache Security is packed and to the point, with plenty of details for locking down this extremely popular and versatile web server.

Chapter 1 Apache Security Principles
1. Security Definitions
2. Web Application Architecture Blueprints
Chapter 2 Installation and Configuration
1. Installation
2. Configuration and Hardening
3. Changing Web Server Identity
4. Putting Apache in Jail
Chapter 3 PHP
1. Installation
2. Configuration
3. Advanced PHP Hardening
Chapter 4 SSL and TLS
1. Cryptography
2. SSL
3. OpenSSL
4. Apache and SSL
5. Setting Up a Certificate Authority
6. Performance Considerations
Chapter 5 Denial of Service Attacks
1. Network Attacks
2. Self-Inflicted Attacks
3. Traffic Spikes
4. Attacks on Apache
5. Local Attacks
6. Traffic-Shaping Modules
7. DoS Defense Strategy
Chapter 6 Sharing Servers
1. Sharing Problems
2. Distributing Configuration Data
3. Securing Dynamic Requests
4. Working with Large Numbers of Users
Chapter 7 Access Control
1. Overview
2. Authentication Methods
3. Access Control in Apache
4. Single Sign-on
Chapter 8 Logging and Monitoring
1. Apache Logging Facilities
2. Log Manipulation
3. Remote Logging
4. Logging Strategies
5. Log Analysis
6. Monitoring
Chapter 9 Infrastructure
1. Application Isolation Strategies
2. Host Security
3. Network Security
4. Using a Reverse Proxy
5. Network Design
Chapter 10 Web Application Security
1. Session Management Attacks
2. Attacks on Clients
3. Application Logic Flaws
4. Information Disclosure
5. File Disclosure
6. Injection Flaws
7. Buffer Overflows
8. Evasion Techniques
9. Web Application Security Resources
Chapter 11 Web Security Assessment
1. Black-Box Testing
2. White-Box Testing
3. Gray-Box Testing
Chapter 12 Web Intrusion Detection
1. Evolution of Web Intrusion Detection
2. Using mod_security

Appendix A Tools
1. Learning Environments
2. Information-Gathering Tools
3. Network-Level Tools
4. Web Security Scanners
5. Web Application Security Tools
6. HTTP Programming Libraries
Colophon

Description

Table of Contents

Product Details

About the Author

Recommended for You

Recently Viewed

Learning GNU Emacs

By Debra Cameron, Bill Rosenblatt

October 1991

Office 2008 for Macintosh: The Missing Manual

By Jim Elferdink

March 2008

Ebook: $27.99

Print & Ebook: $38.49

Print: $34.99

QuickBooks 2009: The Missing Manual

By Bonnie Biafore

October 2008

Ebook: $23.99

Print: $29.99

Customer Reviews

REVIEW SNAPSHOT®

by PowerReviews

O'Reilly Media Apache Security

4.0

(based on 1 review)

REVIEWS

Reviewed by 1 customer

Displaying review 1

10/2/2009

(2 of 2 customers found this review helpful)

4.0

Good book, but needs a new revision

By Entropologist

from Des Moines, IA

About Me Security Consultant, Sys Admin

Pros

Accurate
Easy to understand
Well-written

Cons

Not comprehensive enough

Best Uses

Intermediate

Comments about O'Reilly Media Apache Security:

Like most O'Reilly books, it's well thought out and fairly complete. Unsurprisingly, it focuses on the standard LAMP stack, giving advice on building and deploying Apache and hooking in PHP and SSL. Ruby seem to be missing, and Perl is just discussed within a chroot environment. It discusses performance tuning a bit, in the guise of protection against DOS, and then moves onto issues in a shared hosting environment.

Much of what is in this book is more general than just Apache, so it's best to consider this as a general security book for people running both Linux and Apache, and ideally using PHP and MySQL. It would be less useful to people running Apache on Windows and for people using less common languages. However, it is very good for the basics:

* Installing Apache
* Hardening Apache
* Setting up chroot
* Hardening PHP
* Configuring logging and access
* Understanding web attacks

Where it seems to lack a bit is:

* It presumes that the reader will install Apache from source, whereas most these days will install from a package. More advice on hardening Apache in the SuSE, Red Hat and Ubuntu/Debian environments would be useful.
* There is no mention of AppArmor or SELinux (which, to be fair, were pretty new when this book came out). A second edition will have to have these, as they are a key way to protect Apache against itself.
* A few pages on how to use Suhosin to protect PHP applications would be good.
* A section on protecting Ruby and one on Perl would be good. While it is certainly true that no book can cover everything, these three languages are the most common in the LAMP world and should probably be addressed, at least in passing.
* While we're at it, a section on hardening MySQL wouldn't be out place, as the book is more of a LAMP book than an Apache book anyway.

I recommend this book for the beginner to moderate admin, be they a web admin or in the security space. However, experienced people may not find much new in here. I would, however, love to see a second edition released.

Displaying review 1

Save a Tree - Go Digital what is this?

Print: $34.95

Chapter 1 Apache Security Principles

Security Definitions

Web Application Architecture Blueprints

Chapter 2 Installation and Configuration

Installation

Configuration and Hardening

Changing Web Server Identity

Putting Apache in Jail

Chapter 3 PHP

Installation

Configuration

Advanced PHP Hardening

Chapter 4 SSL and TLS

Cryptography

SSL

OpenSSL

Apache and SSL

Setting Up a Certificate Authority

Performance Considerations

Chapter 5 Denial of Service Attacks

Network Attacks

Self-Inflicted Attacks

Traffic Spikes

Attacks on Apache

Local Attacks

Traffic-Shaping Modules

DoS Defense Strategy

Chapter 6 Sharing Servers

Sharing Problems

Distributing Configuration Data

Securing Dynamic Requests

Working with Large Numbers of Users

Chapter 7 Access Control

Overview

Authentication Methods

Access Control in Apache

Single Sign-on

Chapter 8 Logging and Monitoring

Apache Logging Facilities

Log Manipulation

Remote Logging

Logging Strategies

Log Analysis

Monitoring

Chapter 9 Infrastructure

Application Isolation Strategies

Host Security

Network Security

Using a Reverse Proxy

Network Design

Chapter 10 Web Application Security

Session Management Attacks

Attacks on Clients

Application Logic Flaws

Information Disclosure

File Disclosure

Injection Flaws

Buffer Overflows

Evasion Techniques

Web Application Security Resources

Chapter 11 Web Security Assessment

Black-Box Testing

White-Box Testing

Gray-Box Testing

Chapter 12 Web Intrusion Detection

Evolution of Web Intrusion Detection

Using mod_security

Appendix A Tools

Learning Environments

Information-Gathering Tools

Network-Level Tools

Web Security Scanners

Web Application Security Tools

HTTP Programming Libraries

Colophon

Ivan Ristic

About O'Reilly

Community

More O'Reilly Sites

Partner Sites