Professional Apache Security
The book walks through the most common tasks of an Apache administrator. It covers, for example, proper installation and maintenance, common security practices and remote attacks. Some basic notions of system administration are also given for those areas that affect the web server's behaviour.
Topics of specific interest for security freaks include system hardening, intrusion detection mechanisms, monitoring and logging, server chroot()ing, session tracking, cryptography and SSL.
Throughout the book there are descriptions of common attacks like Cross-Site Scripting (XSS), CGI vulnerabilities, Denial of Service (DoS), Distributed DoS (DDoS), Reflection DDoS (RDDoS), cookie spoofing and session hijacking. Script kids be warned: there's no easily exploitable information on how to attack a web server inside the book.
What's to like
The book is well written, and an enjoyable read. It uses a very precise and yet friendly language to guide its readers through the covered subjects. Using this straightforward approach, it explains some thorny topics starting from basic notions and assuming no previous knowledge.
The explanations of essential topics like the HTTP protocol and server architecture, forms and CGI mechanisms, system configuration, etc. are nicely integrated with more tangled and scarcely documented issues. Worth mentioning are:
- the chapter on "jailing" the web server (which explains in detail how to correctly prepare a complete yet secure chroot'ed "sandbox" for Apache);
- the chapter on prevention of XSS attacks (explaining these types of attacks, and how to write CGI scripts to avoid them);
- the appendix dealing with usage and configuration of mod_rewrite.
Everything is supplemented with hands-on examples, information and tricks valuable to the intermediate reader; the clear explanations of basic topics will provide complete instructions for beginners.
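To illustrate the kind of CGI output-escaping the XSS chapter covers, here is an added example (written for this review, not code from the book): a minimal CGI handler shown in its XSS-prone form beside its hardened form. The query string is a constructed sample standing in for the request's QUERY_STRING, and the function names are assumptions.

```python
import html
import os
from urllib.parse import parse_qs

# Constructed sample query string standing in for the CGI QUERY_STRING variable;
# it carries a script tag the way a reflected-XSS probe would.
SAMPLE_QUERY = "name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def first_param(query_string: str, key: str) -> str:
    """Return the first value of `key` from a URL-encoded query string, or ''."""
    return parse_qs(query_string).get(key, [""])[0]


def greeting_unsafe(query_string: str) -> str:
    """'Before' form: the untrusted parameter is interpolated straight into
    the HTML body, so any markup the client sends is rendered as markup."""
    name = first_param(query_string, "name")
    return f"<p>Hello, {name}!</p>"


def greeting_safe(query_string: str) -> str:
    """'After' form: every untrusted value is HTML-escaped at the point where
    it is written into the document, so it can only ever render as text."""
    name = first_param(query_string, "name")
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def echo_form_safe(query_string: str) -> str:
    """Attribute context: quote=True is what turns '"' into &quot;, which
    stops a value from closing the attribute and adding its own."""
    name = first_param(query_string, "name")
    return (
        '<form method="get">'
        f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'
        "</form>"
    )


def cgi_response(body: str) -> str:
    """Assemble a minimal CGI response; pinning the charset removes one
    class of encoding-based filter bypasses."""
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + body


if __name__ == "__main__":
    # Under a real CGI invocation the web server supplies QUERY_STRING;
    # offline, fall back to the constructed sample.
    qs = os.environ.get("QUERY_STRING", SAMPLE_QUERY)
    print(cgi_response(greeting_safe(qs) + echo_form_safe(qs)))
```

Run stand-alone it prints the escaped page for the sample query; under Apache's CGI handler it reads the real query string instead. The point to take from it is that escaping is applied per output context (body text versus attribute value) at the moment of writing, not once on input.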
Further pros of the book include up-to-date information (issues related to Netscape 7, IE 6, Mozilla 1.0, Apache series 1.3 and 2.0), coverage of less-known topics (e.g. P3P) and a wealth of references to the relevant sources of information, like RFCs, W3C specifications and CERT Advisories.
What's to consider
The downside of writing for both beginners and intermediate readers in just 360 pages is that the depth of the information provided is necessarily limited. The book is clearly targeted at less experienced system administrators, who will be able to quickly grasp the most important concepts revolving around Apache security and secure administration. Intermediate users are likely to find some paragraphs quite trivial; however, they will be rewarded by the many pearls of wisdom offered in the more detailed sections. Expert system administrators might be disappointed by the lack of more in-depth, hard-core technical explanations.
The summary
The best aspect of the book is that it assembles basic notions, rarely available information and hints derived from the authors' experience to produce a neat, clearly written and comprehensive guide to Apache security. This will enable beginning web admins to understand the key points in managing and securing a web server, while providing experienced ones with a quick reference to the most important security practices.
Table of Contents
Introduction
Chapter 1: Installation
Chapter 2: Secure administration
Chapter 3: HTTP Security and Cross-Site Scripting Attacks
Chapter 4: Authentication and authorization
Chapter 5: System security
Chapter 6: Apache in jail
Chapter 7: Denial of service attacks
Chapter 8: Cookies
Chapter 9: CGI security
Chapter 10: Logging
Chapter 11: Session tracking
Chapter 12: Apache and cryptography
Chapter 13: SSL and Apache
Appendix A: Security resources
Appendix B: Apache with mod_rewrite
Appendix C: Sample SSL Accelerator implementations
You can purchase Professional Apache Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Because I'm a pretty cool guy, that's why.
mmmmmmm oh yeah baby
la la la this is pointless, and i hate when others do it, but oh well
ya!
-cornjchob
It's all about the Pentiums, baby
Uhh, uh-huh, yeah Uhh, uh-huh, yeah
It's all about the Pentiums, baby
It's all about the Pentiums, baby
What y'all wanna do?
Wanna be hackers? Code crackers? Slackers
Wastin' time with all the chatroom yakkers?
9 to 5, chillin' at Hewlett Packard?
Workin' at a desk with a dumb little placard?
Yeah, payin' the bills with my mad programming skills
Defraggin' my hard drive for thrills
I got me a hundred gigabytes of RAM
I never feed trolls and I don't read spam
Installed a T1 line in my house
Always at my PC, double-clickin' on my mizouse
Upgrade my system at least twice a day
I'm strictly plug-and-play, I ain't afraid of Y2K
I'm down with Bill Gates, I call him Money for short
I phone him up at home and I make him do my tech support
It's all about the Pentiums, what?
You gotta be the dumbest newbie I've ever seen
You've got white-out all over your screen
You think your Commodore 64 is really neato
What kinda chip you got in there, a Dorito?
You're using a 286? Don't make me laugh
Your Windows boots up in what, a day and a half?
You could back up your whole hard drive on a floppy diskette
You're the biggest joke on the internet
Your database is a disaster
You're waxin' your modem tryin' to make it go faster
Hey fella, I bet you're still livin' in your parents' cellar
Downloadin' pictures of Sarah Michelle Gellar
And postin "Me too!" like some brain-dead AOL-er
I should do the world a favor and cap you like Old Yeller
You're just about as useless as jpegs to Helen Keller
It's all about the Pentiums!
It's all about the Pentiums!
Now, what y'all wanna do?
Wanna be hackers? Code crackers? Slackers
Wastin' time with all the chatroom yakkers?
9 to 5, chillin at Hewlett Packard?
Uh, uh, loggin' in now
Wanna run wit my crew, hah?
Rule cyberspace and crunch numbers like I do?
They call me the king of the spreadsheets
Got em all printed out on my bedsheets
My new computer's got the clocks, it rocks
But it was obsolete before I opened the box
You say you've had your desktop for over a week?
Throw that junk away, man, it's an antique!
Your laptop is a month old? Well, that's great
If you could use a nice, heavy paperweight
My digital media is write-protected
Every file inspected, no viruses detected
I beta tested every operating system
Gave props to some, and others? I dissed 'em
While your computer's crashin', mine's multitaskin'
It does all my work without me even askin'
Got a flat-screen monitor, 40" wide
I believe that yours says "Etch-A-Sketch" on the side
In a 32-bit world, you're a 2-bit user
You've got your own newsgroup, alt.total-loser
Your mother board melts when you try to send a fax
Where'd you get your CPU, in a box of Cracker Jacks?
Play me online? Well, you know that I'll beat you
If I ever meet you I'll control-alt-delete you
It's all about the Pentiums!
It's all about the Pentiums!
What y'all wanna do?
Wanna be hackers? Code crackers? Slackers
Wastin' time with all the chatroom yakkers?
9 to 5, chillin' at Hewlett Packard?
1) $ sudo killall httpd ... okay, fine:
2) ???
3) Profit
"I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
Where were you folks raised? Where I'm from, we're neither a) that strict with our kids nor b) that lax with our criminals.
What a perverse terminology combination.