Slashdot Mirror

← Back to Stories (view on slashdot.org)

Professional Apache Security

Posted by timothy on from the patchy dept.

Gianluca writes "Web sites get defaced every day -- that's routine practice for aspiring crackers who want to gain popularity by proving their bravery. Too often their attacks are aimed at unprepared, defenceless servers which were improperly secured by clumsy administrators. Just reading a book won't save you from the next cracker attack. However, having a solid knowledge of the basics of web security and a list of effective checkpoints for configuring your server, will definitely help you to prevent at least the most trivial mistakes." Gianluca reviews here Wrox Press' Professional Apache Security to see how well it can provide that kind of knowledge -- read on below. Professional Apache Security author Tony Mobily et al. pages 360 publisher Wrox Press rating 8.0 reviewer Gianluca Insolvibile ISBN 1861007760 summary A comprehensive overview of security related issues of interest for web admins, security analysts and web developers

The book walks through the most common tasks of an Apache administrator. It covers, for example, proper installation and maintenance, common practices in security and remote attacks. Some basic notions of system administration are also given, for those areas which affect the web server behaviour.

Topics of specific interest for security freaks include system hardening, intrusion detection mechanisms, monitoring and logging, server chroot()ing, session tracking, cryptography and SSL.

Throughout the book there are descriptions of common attacks like Cross-Site Scripting (XSS), CGI vulnerabilities, Denial of Service (DoS), Distributed DoS (DDoS), Reflection DDoS (RDDoS), cookie spoofing and session hijacking. Script kids be warned: there's no easily exploitable information on how to attack a web server inside the book.

What's to like
The book is well written, and an enjoyable read. It uses a very precise and yet friendly language to guide its readers through the covered subjects. Using this straightforward approach, it explains some thorny topics starting from basic notions and assuming no previous knowledge.

The explanation of essential topics like the HTTP protocol and server architecture, forms and CGI mechanisms, system configuration, etc. are nicely integrated with more tangled and scarcely documented issues. It is worth mentioning:

  • the chapter on "jailing" the web server (which explains in detail how to correctly prepare a complete yet secure chroot'ed "sandbox" for Apache);
  • the chapter on prevention of XSS attacks (explaining these types of attacks, and how to write CGI scripts to avoid them);
  • the appendix dealing with usage and configuration of mod_rewrite.

Everything is supplemented with hands-on examples, information and tricks valuable to the intermediate reader; the clear explanations of basic topics will provide complete instructions for the beginners.

Further pro's of the book include updated information (issues related to Netscape 7, IE 6, Mozilla 1.0, Apache series 1.3 and 2.0), coverage of less known topics (e.g.: P3P) and a wealth of references to the relevant sources of information like RFCs, W3C specifications and CERT Advisories.

What's to consider
The downside of writing for both beginners and intermediate readers in just 360 pages is that the depth of the information provided is necessarily limited. The book is clearly targeted to less experienced system administrators, who will be able to quickly grasp the most important concepts revolving around Apache security and secure administration. Intermediate users are likely to find some paragraphs quite trivial, however they will be rewarded by the many pearls of wisdom offered in the more detailed sections. Expert system administrators might be disappointed by the lack of more in-depth and hard-core technical explanations.

The summary
The best aspect of the book is that it assembles basic notions, rarely available information and hints derived from the authors' experience to produce a neat, clearly written and comprehensive guide to Apache security. This will enable beginning web admins to understand the key points in managing and securing a web server, while providing experienced ones with a quick reference to the most important security practices.

Table of Contents
Introduction
Chapter 1: Installation
Chapter 2: Secure administration
Chapter 3: HTTP Security and Cross-Site Scripting Attacks
Chapter 4: Authentication and authorization
Chapter 5: System security
Chapter 6: Apache in jail
Chapter 7: Denial of service attacks
Chapter 8: Cookies
Chapter 9: CGI security
Chapter 10: Logging
Chapter 11: Session tracking
Chapter 12: Apache and cryptography
Chapter 13: SSL and Apache
Appendix A: Security resources
Appendix B: Apache with mod_rewrite
Appendix C: Sample SSL Accelerator implementations

You can purchase Professional Apache Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

4 of 115 comments (clear)

  1. Meta-mod == gift to trolls by MondoMor · · Score: -1, Offtopic

    I've seen several posts recently where people complain about having "infinite" Meta-Mod points. Almost like it's a burden.

    It most certainly is not. It is a gift to patient, karma-whoring trolls. Read the Meta-Mod FAQ.

    Say you encounter a typical "OMG BILL GATES IS TEH SATAN!" post by, say, circletimessquare. It's been duly modded up as "Insightful" by some unknown editor or slashbot. Why not Meta-Mod that as "unfair"? Sure, you won't have any significant effect on either the poster's karma or the person who modded them up, but you will "help ... remove bad moderators from the M1 eligibility pool."

    Similarly, suppose you encounter a post by a troll seething with racism and hatred. It's been duly modded down as "Troll" or "Flamebait". This too is "unfair"! That post increased the noise, and as such was very valuable. It belongs in +2 territory with something by Perens, surely! Whoever modded that down should be removed from the moderation eligibility pool, post haste!

    (Note that you don't have to support the racist shite in the post. The poster probably doesn't either; he's just doing it for the reaction.)

    This is the same thing that happens to positive-karma troll accounts when they upmod a troll. They're found out in Meta-Mod, and lose their ability to moderate.

    It's time the trolls use the same weapons as the slashbots! If you moderate, use "-1 Overrated" since those don't get Meta-Modded. And Meta-Mod whenever you get the chance! I mark almost everything as "unfair", though I occasionally see a very obvious troll being upmodded, which I mark as "fair" or leave alone.

    Either that, or just have fun. Whichever.

    Edit I've recently realized that my alter ego and I make up a fifth of $$$$$exyGal's foes. I am beaming with pride. Almost as much pride as nabbing 5,000,001st post, or having my sordid past with michael crapflooded by SexualAssPussy.

    D'oh!

  2. Re:When crackers attack!! by Anonymous Coward · · Score: -1, Offtopic

    Hey, I've known about Troll Tuesday for a while, but this "Dumbass Wednesday" you seem to be participating in is a new one for me.

  3. YOU FAIL IT!!!! by Anonymous Coward · · Score: -1, Offtopic

    You were brave, young man, but, YOU FAILED IT!!! Go lick your wounds now, and come back tomorrow because today you were a COMPLETE FAILURE!!!!

  4. Comment removed by account_deleted · · Score: -1, Offtopic

    Comment removed based on user account deletion