Slashdot Mirror


Professional Apache Security

Gianluca writes "Web sites get defaced every day -- that's routine practice for aspiring crackers who want to gain popularity by proving their bravery. Too often their attacks are aimed at unprepared, defenceless servers which were improperly secured by clumsy administrators. Just reading a book won't save you from the next cracker attack. However, having a solid knowledge of the basics of web security and a list of effective checkpoints for configuring your server, will definitely help you to prevent at least the most trivial mistakes." Gianluca reviews Wrox Press' Professional Apache Security here to see how well it can provide that kind of knowledge -- read on below.

Professional Apache Security
  • author: Tony Mobily et al.
  • pages: 360
  • publisher: Wrox Press
  • rating: 8.0
  • reviewer: Gianluca Insolvibile
  • ISBN: 1861007760
  • summary: A comprehensive overview of security-related issues of interest for web admins, security analysts and web developers

The book walks through the most common tasks of an Apache administrator. It covers, for example, proper installation and maintenance, common security practices and remote attacks. Some basic notions of system administration are also given for those areas that affect the web server's behaviour.

Topics of specific interest for security freaks include system hardening, intrusion detection mechanisms, monitoring and logging, server chroot()ing, session tracking, cryptography and SSL.

Throughout the book there are descriptions of common attacks like Cross-Site Scripting (XSS), CGI vulnerabilities, Denial of Service (DoS), Distributed DoS (DDoS), Reflection DDoS (RDDoS), cookie spoofing and session hijacking. Script kids be warned: there's no easily exploitable information on how to attack a web server inside the book.

What's to like
The book is well written and an enjoyable read. It uses precise yet friendly language to guide its readers through the covered subjects. Using this straightforward approach, it explains some thorny topics starting from basic notions and assuming no previous knowledge.

The explanations of essential topics like the HTTP protocol and server architecture, forms and CGI mechanisms, system configuration, etc. are nicely integrated with more tangled and scarcely documented issues. Worth mentioning are:

  • the chapter on "jailing" the web server (which explains in detail how to correctly prepare a complete yet secure chroot'ed "sandbox" for Apache);
  • the chapter on prevention of XSS attacks (explaining these types of attacks, and how to write CGI scripts to avoid them);
  • the appendix dealing with usage and configuration of mod_rewrite.

Everything is supplemented with hands-on examples, information and tricks valuable to the intermediate reader; the clear explanations of basic topics will provide complete instructions for beginners.

Further pros of the book include up-to-date information (issues related to Netscape 7, IE 6, Mozilla 1.0, Apache series 1.3 and 2.0), coverage of lesser-known topics (e.g. P3P) and a wealth of references to the relevant sources of information like RFCs, W3C specifications and CERT Advisories.

What's to consider
The downside of writing for both beginners and intermediate readers in just 360 pages is that the depth of the information provided is necessarily limited. The book is clearly targeted at less experienced system administrators, who will be able to quickly grasp the most important concepts revolving around Apache security and secure administration. Intermediate users are likely to find some paragraphs quite trivial; however, they will be rewarded by the many pearls of wisdom offered in the more detailed sections. Expert system administrators might be disappointed by the lack of more in-depth and hard-core technical explanations.

The summary
The best aspect of the book is that it assembles basic notions, rarely available information and hints derived from the authors' experience to produce a neat, clearly written and comprehensive guide to Apache security. This will enable beginning web admins to understand the key points in managing and securing a web server, while providing experienced ones with a quick reference to the most important security practices.

Table of Contents
Introduction
Chapter 1: Installation
Chapter 2: Secure administration
Chapter 3: HTTP Security and Cross-Site Scripting Attacks
Chapter 4: Authentication and authorization
Chapter 5: System security
Chapter 6: Apache in jail
Chapter 7: Denial of service attacks
Chapter 8: Cookies
Chapter 9: CGI security
Chapter 10: Logging
Chapter 11: Session tracking
Chapter 12: Apache and cryptography
Chapter 13: SSL and Apache
Appendix A: Security resources
Appendix B: Apache with mod_rewrite
Appendix C: Sample SSL Accelerator implementations

You can purchase Professional Apache Security from bn.com.


  1. Whuh? by MarsBar · · Score: 3, Interesting

    If it's that easy to make stuff insecure without realising it, then the httpd.conf file needs more obvious comments.

    If it's not actually that easy and it's down to the stupidity of the admin, then a book is unlikely to help: just read the various HOWTOs and follow them step by step, you can't really go wrong.

    Of course there will be ways around security models but you'll defeat the average script kiddy just by following word-for-word instructions and installing the latest patches.

    1. Re:Whuh? by dirkx · · Score: 4, Interesting
      If it's that easy to make stuff insecure without realising it, then the httpd.conf file needs more obvious comments.

      Hey - toss me a bone here :-) this is open source, tell me/us what annotations should be added to httpd.conf.. and we'll make apache a better product.

      Action >> Reaction ;-)

      Dw.

  2. XSS by RedWolves2 · · Score: 1, Interesting

    I guess I need to learn more about Cross-site Scripting. I have heard of it before and am not real sure of what it is and how it works. I think this book would be good just for that topic alone.

    Anyone have any links on this topic?

  3. Professional? argh!! by Eponymous+Coward · · Score: 4, Interesting

    This is a pet peeve of mine. What is professional about it? Why not just name the book Apache Security? What does the word "Professional" add?

  4. Not good enough. by gpinzone · · Score: 3, Interesting

    Just reading a book won't save you from the next cracker attack. However, having a solid knowledge of the basics of web security and a list of effective checkpoints for configuring your server, will definitely help you to prevent at least the most trivial mistakes.

    That's not good enough. I want a detailed list of exploits and how to configure my web server not to be vulnerable. I want to know what patches fix what. I want to know what vulnerabilities exist. Since we're not talking about Apache and not IIS, I'll assume this information isn't being kept a secret to prevent script kiddies from using an exploit on my box. So, where the heck can I get a definitive answer? Is there some kind of tool I can run (for free) that checks my system for vulnerabilities?

  5. Clumsy Admins by SirLantos · · Score: 4, Interesting

    Too often their attacks are aimed at unprepared, defenceless servers which were improperly secured by clumsy administrators.

    Now if we can just get those admins that are clumsy, to admit to it and force them to read the book.

    But seriously, I am glad that books like this are being printed, it makes it that much harder for crackers to play immature -and sometimes harmful- pranks and give the rest of us bad names.

    Just my humble opinion,
    SirLantos

    --
    The flying hamster of DOOM rains coconuts on your pitiful city.
  6. Re:Defacing by REBloomfield · · Score: 3, Interesting

    It's not the server that's always vulnerable. If you get into the system, you can get into the web site. There was an exploit with Cobalt servers which allowed an attacker to upload packages, one of which, in one case, happened to be a custom shell, which was used to bypass restrictions and deface a site.

  7. Secure Web Sites... by xchino · · Score: 5, Interesting

    Don't want your web site defaced? Stick it on a CD and serve it from there. I know this isn't always feasible, but 99% of the time it is. Of course, this won't protect you from a rooting, as they can simply change the web directory to serve the defaced html. This is still a bit easier to remedy than having your customers' files wiped out and having to notify them to re-upload their webpage, as "hacked by chinese" doesn't seem to sell products/services well.

    As far as securing Apache itself, don't load modules you don't need, and keep it patched. That's about all you'll need to do to shun a majority of exploits. There's plenty of other security hardening modes and methods for Apache out there, Google them up and you'll probably get more than you would out of this book.

    --
    Everyone is entitled to their own opinion. It's just that yours is stupid.
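As an added example, not code from the review, the book or the commenter above: a POSIX shell check for the "don't load modules you don't need" advice, auditing the LoadModule directives of an httpd.conf against an allowlist. The allowlist and the sample configuration fragment are constructed assumptions for illustration, not a recommended module set.

```shell
#!/bin/sh
# Audit the active LoadModule directives in an httpd.conf against an
# allowlist of modules this site actually needs, and report the rest so
# they can be commented out before the server is exposed.
# The allowlist is an assumption for this example, not a recommendation.
ALLOWED_MODULES="core_module log_config_module mime_module dir_module authz_core_module ssl_module"

# Print the module name (second field) of every active LoadModule line.
# Commented-out LoadModule lines are skipped, as httpd itself skips them.
list_loaded_modules() {
    awk '$1 == "LoadModule" { print $2 }' "$1"
}

# Print each loaded module that is not in ALLOWED_MODULES, one per line.
# Exit status: 0 if the config is clean, 1 if unneeded modules were found.
audit_modules() {
    found=0
    for mod in $(list_loaded_modules "$1"); do
        case " $ALLOWED_MODULES " in
            *" $mod "*) ;;                      # needed: keep quiet
            *) echo "unneeded: $mod"; found=1 ;; # not on the allowlist
        esac
    done
    return $found
}

# Constructed sample httpd.conf fragment so the script runs stand-alone.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module        modules/mod_mime.so
#LoadModule cgi_module        modules/mod_cgi.so
LoadModule userdir_module     modules/mod_userdir.so
LoadModule status_module      modules/mod_status.so
LoadModule ssl_module         modules/mod_ssl.so
EOF

# Reports userdir_module and status_module; cgi_module is already disabled.
audit_modules "$SAMPLE_CONF" || echo "config needs cleanup before deployment"
rm -f "$SAMPLE_CONF"
```

Run it against the real file with `audit_modules /path/to/httpd.conf`; a non-zero exit status makes it usable as a pre-deployment gate.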
  8. flexibility is useful too by grey1 · · Score: 2, Interesting

    But many people want some of the bells and whistles. They also have changing needs. That's where an application like Apache can make sense, though as always you should spend time choosing something that meets your needs.

    Which takes time. But if it's important you should be taking time, I'd suggest.

    I think Apache is a decent example of an application that's mature enough to provide useful flexibility, useful performance, and still be manageable. Finally, it's unlikely to disappear, which will be important for anything other than very short term projects or those where you just install and forget.

    --
    "we demand rigidly defined areas of doubt and uncertainty!"
  9. Re:never be ashamed of RTFM by stratjakt · · Score: 4, Interesting

    I spent 3 years chasing a CS degree, when I realized it was an absolute waste of my time. Everything I know about computers I learned on my own, by doing.

    The straw that broke my back was the OpenGL course I took, where we spent the whole semester revisiting high school algebra, matrices and projections and normal vectors and whatnot. Not one line of friggen code written, not one technique learned (I wanted to learn a bit about bsp trees, Gouraud shading, environment mapping, you know.. the cool stuff). We didn't even learn the differences between gl.h, glu.h, glut.h.. It was a huge crock of crap.

    So I just switched to a pure math degree.

    Comp sci, and IT in particular, is something you learn by doing.

    --
    I don't need no instructions to know how to rock!!!!
  10. Re:never be ashamed of RTFM by doingstuff · · Score: 2, Interesting

    The question you should be asking yourself is, 'Am I obtaining education for a job or higher learning?'. Computing science is science - the quest for knowledge. Tech. College and a ton of certifications in every app and/or framework you use is the way to go if you have/want a non-research job.

    Things come easier when you understand the underlying technologies/science, although it's not necessary to know them. Books like this one, targeting beginners to intermediates, will help ease the learning curve and that's always welcome. Besides, how many IT folks are really going to cruise the source? If they're from a Microsoft background... nil (there's no source in Bill's world).

    Why know matrices and vectors if all you're going to use is someone's rendering engine? Why know sorting algorithms and trees if all you're going to do is drag and drop in Access? Why understand TCP if all you're going to do is turn on/off properties on tabs of Win2k? .... Because whenever things go seriously wrong, the deeper low-level knowledge saves the day.

    BTW: I gots two tech diplomas, a plethora of certs, and 2 1/2 years on my CS degree. Overkill for the day-to-day MS monkey stuff, but that's okay, I'm NOT a monkey.

  11. Re:Stripping down by mhesseltine · · Score: 2, Interesting
    So you're suggesting planning for needing the Apache features in the future? If that's not ridiculous, I don't know what is?

    Not planning for the future?

    Why wouldn't you take a free (speech/beer) server like Apache and deploy it?

    • There's a huge user base to ask questions of if you need help.
    • The source is there so if you have the skills, you can fix things.
    • It didn't cost you anything to acquire.

    So again, what's your beef with Apache? And, what do you suggest instead?

    --
    Overrated / Underrated : Moderation :: Anonymous Coward : Posting