Professional Apache Security
The book walks through the most common tasks of an Apache administrator. It covers, for example, proper installation and maintenance, common practices in security and remote attacks. Some basic notions of system administration are also given, for those areas which affect the web server behaviour.
Topics of specific interest for security freaks include system hardening, intrusion detection mechanisms, monitoring and logging, server chroot()ing, session tracking, cryptography and SSL.
Throughout the book there are descriptions of common attacks like Cross-Site Scripting (XSS), CGI vulnerabilities, Denial of Service (DoS), Distributed DoS (DDoS), Reflection DDoS (RDDoS), cookie spoofing and session hijacking. Script kids be warned: there's no easily exploitable information on how to attack a web server inside the book.
What's to like
The book is well written, and an enjoyable read. It uses a very precise and yet friendly language to guide its readers through the covered subjects. Using this straightforward approach, it explains some thorny topics starting from basic notions and assuming no previous knowledge.
The explanations of essential topics like the HTTP protocol and server architecture, forms and CGI mechanisms, system configuration, etc. are nicely integrated with more tangled and scarcely documented issues. It is worth mentioning:
- the chapter on "jailing" the web server (which explains in detail how to correctly prepare a complete yet secure chroot'ed "sandbox" for Apache);
- the chapter on prevention of XSS attacks (explaining these types of attacks, and how to write CGI scripts to avoid them);
- the appendix dealing with usage and configuration of mod_rewrite.
Everything is supplemented with hands-on examples, information and tricks valuable to the intermediate reader; the clear explanations of basic topics will provide complete instructions for the beginners.
Further pros of the book include updated information (issues related to Netscape 7, IE 6, Mozilla 1.0, Apache series 1.3 and 2.0), coverage of lesser-known topics (e.g. P3P) and a wealth of references to the relevant sources of information like RFCs, W3C specifications and CERT Advisories.
What's to consider
The downside of writing for both beginners and intermediate readers in just 360 pages is that the depth of the information provided is necessarily limited. The book is clearly targeted at less experienced system administrators, who will be able to quickly grasp the most important concepts revolving around Apache security and secure administration. Intermediate users are likely to find some paragraphs quite trivial; however, they will be rewarded by the many pearls of wisdom offered in the more detailed sections. Expert system administrators might be disappointed by the lack of more in-depth and hard-core technical explanations.
The summary
The best aspect of the book is that it assembles basic notions, rarely available information and hints derived from the authors' experience to produce a neat, clearly written and comprehensive guide to Apache security. This will enable beginning web admins to understand the key points in managing and securing a web server, while providing experienced ones with a quick reference to the most important security practices.
Table of Contents
Introduction
Chapter 1: Installation
Chapter 2: Secure administration
Chapter 3: HTTP Security and Cross-Site Scripting Attacks
Chapter 4: Authentication and authorization
Chapter 5: System security
Chapter 6: Apache in jail
Chapter 7: Denial of service attacks
Chapter 8: Cookies
Chapter 9: CGI security
Chapter 10: Logging
Chapter 11: Session tracking
Chapter 12: Apache and cryptography
Chapter 13: SSL and Apache
Appendix A: Security resources
Appendix B: Apache with mod_rewrite
Appendix C: Sample SSL Accelerator implementations
You can purchase Professional Apache Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
And having a published authority to refer to can help in justifying the time to a boss or a client. If they already trust you, they'll believe that the web server needs to be secured. But I find that the bulleted list of actions to take and the benefits of those actions goes a long way towards maintaining real world credibility.
The net will not be what we demand, but what we make it. Build it well.
Unlike a lot of people on Slashdot, I'm a hobbyist/amateur sysadmin (or is that term even appropriate?), and this book is probably just what I need.
I've been using/programming computers all my life, but have never taken a single Comp Sci or MSI course; I end up going to books and HowTos very frequently. I run several servers at home, including an apache webserver, a samba server, etc... For a guy like me who's not 3l337, these kinds of things are a godsend.
I've spent 11 years in higher education... NO WAY I'm going back for another degree; keep those understandable, non-arcane books coming.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
How about simply stripping apache down; i.e. just run those two or three modules you really need. On, for example, a static-images-only server you could get away with just a logging module and the mmap module quite nicely. (Though realistically alias/rewrite is usually needed (or lots of symlinks) when your friendly marketing staff barges in with yet-another-campaign which breaks all historic links.)
It's modular - go play with it - and have lots of fun. (And yes - you can actually run apache completely and validly with just 2 lines of config.)
Dw.
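The "run only the modules you really need" advice above can be turned into a repeatable check. This is an added example, not code from the review, the book or the commenter: it parses the active LoadModule lines of a constructed httpd.conf fragment and reports any module that is not on an admin-chosen allowlist (the allowlist and the sample config are assumptions made for the demonstration).

```shell
#!/bin/sh
# Audit the modules an Apache config loads against an allowlist of the modules
# the server actually needs. Sample config and allowlist are constructed here.

# Constructed httpd.conf fragment for a static-images-only server.
SAMPLE_CONF='ServerRoot "/usr/local/apache2"
Listen 80
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
#LoadModule include_module modules/mod_include.so
DocumentRoot "/var/www/images"'

# Modules this static server is allowed to load (assumption: chosen by the admin).
ALLOWED="log_config_module mime_module alias_module"

# loaded_modules CONF: print the module names from active LoadModule lines,
# skipping commented-out lines and tolerating leading whitespace.
loaded_modules() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p'
}

# unneeded_modules CONF ALLOWED: print loaded modules that are not on the allowlist.
unneeded_modules() {
    for m in $(loaded_modules "$1"); do
        case " $2 " in
            *" $m "*) ;;               # on the allowlist: keep it
            *) printf '%s\n' "$m" ;;   # loaded but not needed: candidate for removal
        esac
    done
}

echo "Modules loaded but not on the allowlist:"
unneeded_modules "$SAMPLE_CONF" "$ALLOWED"
```

Run against a real config with `loaded_modules "$(cat /path/to/httpd.conf)"`; every module the audit flags is attack surface the server carries without needing it.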
"Apache Security" is probably easy to get the latest information on. Probably for free, and without having to cut down trees.
For example, assuming you have the latest patched apache, the left-over security issues that are CGI/web app/scripting related fall under the web applications category of security.
In this case, have a look at some of the guidelines over at The Open Web Application Security Project (OWASP).
Way better than paying too much for a book that wastes paper, and will likely be out of date in no time.
--noodles
Um, you may want to consider that the tool is yer brain and yer hands.
Somewhat more seriously, go check out the BugTraq mailing list at securityfocus.com. You will find there just about everything you so obnoxiously demand. Also, get on the main and developer mailing lists for whatever software you use, Apache httpd, mod_perl, whatever. Third, read, read, READ!!!! Read ALL the fine manuals, how-tos, etc, etc. Read the Source, Luke.
This book (at least from the review, haven't seen it myself) will clue you in as to what CATEGORIES of exploits exist, and how to prevent them from being used against you. If you "need a detailed list of exploits" after that, if you really truly NEED a set of cookie-cutter recipes, then please do your employer a favor, and quit now.
It is possible to make lists of every KNOWN exploit. It is nearly pointless to do this, though, since for every known exploit, there are inevitably going to be unknown exploits and unknown variations. However, learning about the KINDS of exploits and preventing them is much more efficient, intelligent, and effective.
If you don't want to be moderated as flamebait, then back up your statements with arguments, examples, perhaps statistics or other data, more detailed opinions, etc, etc. That is slightly better, but you still aren't really saying anything. Basically you say "there are more secure alternatives", but that can easily be said of any product, mostly because it is not verifiable. An example (which you refuse to give until it's hammered out of you; you refer to freshmeat.net instead) would do wonders at this point. Finally, something that might be a real argument. Apache offers lots of functionality, and not everyone needs it. That is indeed a scenario that can lead to security risks.
But there's more to it than that; much of Apache's unneeded functionality can be disabled, for example, and there are really useful things in Apache's possibilities. But I am not (nor pretend to be) a webserver guru, so I am not going into a detailed discussion about that.
I think you're wrong. Computer Science is highly theoretical (hence "Science") and you should expect a great deal of algebra, matrices, etc. You sound like my friend who started majoring in Engineering and complained that he wasn't learning how to fix circuits! That's a technician's job, not an engineer's. If you want to learn programming, program. If you want to learn the theory behind computing, major in Computer Science. If people don't want to learn the theory, why do they take curricula which are highly theoretical?
And, why on earth would you switch to pure Math if you weren't learning anything practical in Computer Science??? Was that a joke?
Zed's dead baby. Zed's dead.