Slashdot Mirror
Professional Apache Security
The book walks through the most common tasks of an Apache administrator. It covers, for example, proper installation and maintenance, common practices in security and remote attacks. Some basic notions of system administration are also given, for those areas which affect the web server behaviour.
Topics of specific interest for security freaks include system hardening, intrusion detection mechanisms, monitoring and logging, server chroot()ing, session tracking, cryptography and SSL.
Throughout the book there are descriptions of common attacks like Cross-Site Scripting (XSS), CGI vulnerabilities, Denial of Service (DoS), Distributed DoS (DDoS), Reflection DDoS (RDDoS), cookie spoofing and session hijacking. Script kids be warned: there's no easily exploitable information on how to attack a web server inside the book.
What's to like
The book is well written, and an enjoyable read. It uses a very precise and yet friendly language to guide its readers through the covered subjects. Using this straightforward approach, it explains some thorny topics starting from basic notions and assuming no previous knowledge.
The explanation of essential topics like the HTTP protocol and server architecture, forms and CGI mechanisms, system configuration, etc. are nicely integrated with more tangled and scarcely documented issues. It is worth mentioning:
- the chapter on "jailing" the web server (which explains in detail how to correctly prepare a complete yet secure chroot'ed "sandbox" for Apache);
- the chapter on prevention of XSS attacks (explaining these types of attacks, and how to write CGI scripts to avoid them);
- the appendix dealing with usage and configuration of mod_rewrite.
Everything is supplemented with hands-on examples, information and tricks valuable to the intermediate reader; the clear explanations of basic topics will provide complete instructions for the beginners.
Further pro's of the book include updated information (issues related to Netscape 7, IE 6, Mozilla 1.0, Apache series 1.3 and 2.0), coverage of less known topics (e.g.: P3P) and a wealth of references to the relevant sources of information like RFCs, W3C specifications and CERT Advisories.
What's to consider
The downside of writing for both beginners and intermediate readers in just 360 pages is that the depth of the information provided is necessarily limited. The book is clearly targeted to less experienced system administrators, who will be able to quickly grasp the most important concepts revolving around Apache security and secure administration. Intermediate users are likely to find some paragraphs quite trivial, however they will be rewarded by the many pearls of wisdom offered in the more detailed sections. Expert system administrators might be disappointed by the lack of more in-depth and hard-core technical explanations.
The summary
The best aspect of the book is that it assembles basic notions, rarely available information and hints derived from the authors' experience to produce a neat, clearly written and comprehensive guide to Apache security. This will enable beginning web admins to understand the key points in managing and securing a web server, while providing experienced ones with a quick reference to the most important security practices.
Table of Contents
Introduction
Chapter 1: Installation
Chapter 2: Secure administration
Chapter 3: HTTP Security and Cross-Site Scripting Attacks
Chapter 4: Authentication and authorization
Chapter 5: System security
Chapter 6: Apache in jail
Chapter 7: Denial of service attacks
Chapter 8: Cookies
Chapter 9: CGI security
Chapter 10: Logging
Chapter 11: Session tracking
Chapter 12: Apache and cryptography
Chapter 13: SSL and Apache
Appendix A: Security resources
Appendix B: Apache with mod_rewrite
Appendix C: Sample SSL Accelerator implementations
You can purchase Professional Apache Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
If it's that easy to make stuff insecure without realising it, then the httpd.conf file needs more obvious comments.
If it's not actually that easy and it's down to the stupidity of the admin, then a book is unlikely to help: just read the various HOWTOs and follow them step by step, you can't really go wrong.
Of course there will be ways around security models but you'll defeat the average script kiddy just by following word-for-word instructions and installing the latest patches.
And having a published authority to refer to can help in justifying the time to a boss or a client. If they already trust you, they'll believe that the web server needs to be secured. But I find that the bulleted list of actions to take and the benefits of those actions goes a long way towards maintaining real world credibility.
The net will not be what we demand, but what we make it. Build it well.
This is a pet peeve of mine. What is professional about it? Why not just name the book Apache Security? What does the word "Professional" add?
Just reading a book won't save you from the next cracker attack. However, having a solid knowledge of the basics of web security and a list of effective checkpoints for configuring your server, will definitely help you to prevent at least the most trivial mistakes.
That's not good enough. I want a detailed list of exploits and how to configure my web server not to be vulnerable. I want to know what patches fix what. I want to know what vulnerabilities exist. Since we're not talking about Apache and not IIS, I'll assume this information isn't being kept a secret to prevent script kiddies from using an exploit on my box. So, where the heck can I get a definitive answer? Is there some kind of tool I can run (for free) that checks my system for vulnerabilities?
Too often their attacks are aimed at unprepared, defenceless servers which were improperly secured by clumsy administrators.
Now if we can just get those admins that are clumsy, to admit to it and force them to read the book.
But seriously, I am glad that books like this are being printed, it makes it that much harder for crackers to play immature -and sometimes harmful- pranks and give the rest of us bad names.
Just my humble opinion,
SirLantos
The flying hamster of DOOM rains coconuts on your pitiful city.
Unlike a lot of people on Slashdot, I'm a hobbyist/amateur sysadmin (or is that term even appropriate?), and this book is probably just what I need.
I've been using/programming computers all my life, but have never taken a single Comp Sci or MSI course; I end up going to books and HowTo's very frequently. I run several servers at home, including an apache webserver, a samba server, etc... For a guy like me who's not 3l337, these kinds of things are a godsend.
I've spent 11years in higher education... NO WAY I'm going back for another degree; keep those understandable, non-arcane books coming.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
The webapp side of the security equation is often sadly neglected by people focusing on the network and host levels of the system. (Which, don't get me wrong, are very important in their own rights.) It's nice to see a book that addresses "programmer-level" holes as well as "administrator-level" holes.
A very good site for (free) information on this area is http://www.owasp.org/. OWASP seems to mainly focus on webapp level security, which is ok given the wealth of informative resources out there for the host and network layer. (OWASP = Open Web Application Security Project)
News for Geeks in Austin, TX
>Maybe a matter of symantecs... whatever.
Nope, them's the virus people.
it's not the server that's always vulnerable. If you get into the system, you can get into the web site. There was an exploit with Cobalt servers which allowed an attacker to upload packages, one of which, in one case, happened to be a custom shell, which was used to bypass restrictions and deface a site.
Here's a good place to start:
m l
http://www.cgisecurity.com/articles/xss-faq.sht
If you're running a web server, use my painfully-earned experience and never trust a single source to tell you you're secure. (This includes you. Get someone else to double-check your servers for you. Otherwise, you will never know what you missed until it's too late.)
kneht
"Are you on some kind of medication?"
"No"
"Well, you should be."
--Bean
Don't want your web site defaced? Stick it on a CD and serve it from there. I know this isn't always feasible, but 99% of the time it is. Of course, this won't protect you from a rooting, as they can simply change the web directory to serve the defaced html. This is still a bit easier to remedy than having your customers files wiped out and having to notify them to re upload their webpage, as "hacked by chinese" doesn't seem to sell products/services well.
As far as securing Apache itself, don't load modules you don't need, and keep it patched. That's about all you'll need to do to shun a majority of exploits. There's plenty of other security hardening modes and methods for Apache out there, Google them up and you'll probably get more than out of this book.
Everyone is entitled to their own opinion. It's just that yours is stupid.
How about simply stripping apache down; i.e. just run those two or three modules you really need. On for example a static images only server you could get away with just a logging module and the mmap module quite nicely. (Though realistically alias/rewrite is usually needed (or lots of symlinks) when your friendly marketing staff barges in with yet-another-campain which breaks all historic links.
Its modular - go play with it - and have lots of fun. (And yes - you can actually run apache completely and validly with just 2 lines of config.
Dw.
But many people want some of the bells and whistles. They also having changing needs. That's where an application like Apache can make sense, though as always you should spend time choosing something that meets your needs.
Which takes time. But if it's important you should be taking time, I'd suggest.
I think Apache is a decent example of an application that's mature enough to provide useful flexibility, useful performance, and still be managable. Finally, it's unlikely to disappear which will be important for anything other than very short term projects or those where you just install and forget.
"we demand rigidly defined areas of doubt and uncertainty!"
"Apache Security" is probably easy to get the latest information on. Probably for free, and without having to cut down trees.
For example, assuming you have the latest patched apache, the left-over security issues that are CGI/web app/scripting related fall under the web applications category of security.
In this case, have a look at some of the guidlines over at The Open Web Application Security Project (OWASP) .
Way better than paying too much for a book that wastes paper, and will likely be out of date in no time.
--noodles
>> So, what's next on the crackers' list of challenges to prove their bravery
Posting something like 'linux is gay' as AC on slashdot.
I don't need no instructions to know how to rock!!!!
About $8.00 to the cover price :)
Outside of a dog, a book is man's best friend. Inside a dog it's too dark to read. - Groucho Marx
Um, you may want to consider that the tool is yer brain and yer hands.
Somewhat more seriously, go check out the BugTraq mailing list at securityfocus.com. You will find there just about everything you so obnoxiously demand. Also, get on the main and developer mailing lists for whatever software you use, Apache httpd, mod_perl, whatever. Third, read, read, READ!!!! Read ALL the fine manuals, how-tos, etc, etc. Read the Source, Luke.
This book (at least from the review, haven't seen it myself) will clue you in as to what CATEGORIES of exploits exist, and how to prevent them from being used against you. If you "need a detailed list of exploits" after that, if you really truly NEED a set of cookie-cutter recipes, then please do your employer a favor, and quit now.
It is possible to make lists of every KNOWN exploit. It is nearly pointless to do this, though, since for every known exploit, there are inevitably going to be unknown exploits and unknown variations. However, learning about the KINDS of exploits and preventing them is much more efficient, intelligent, and effective.
Just close port 80 for all traffic. It works everytime (except when the firewall blows up).
Computers and air conditioners are both the same.
I spent 3 years chasing a CS degree, when I realized it was an absolute waste of my time. Everything I know about computers I learned on my own, by doing.
The straw that broke my back was the OpenGL course I took, where we spent the whole semester revisiting high school algebra, matrices and projections and normal vectors and whatnot. Not one line of friggen code written, not one technique learned (I wanted to learn a bit about bsp trees, gourad shading, environment mapping, you know.. the cool stuff). We didnt even learn the differences between gl.h, glu.h, glut.h.. It was a huge crock of crap.
So I just switched to a pure math degree.
Comp sci, and IT in particular, is something you learn by doing.
I don't need no instructions to know how to rock!!!!
Actually... hackers are people who use clever techniques to improve code (or modify it for whichever purpose. The meaning of the word is usually a good one till society today dirtied it and made it "malicious people who break into servers") and programs in general. Now crackers are not the people who remove copyright protection...although the "cracking" of the program can be referred to as hacking code or whichever variation of the expression... Cracking is breaking into servers without prior consent from the owner or administrator. So the problem is not with semantics it's with what you (or should I say what most people) think a cracker and what a hacker or such things. A good knowledge of these things is never a bad thing.
Be doubly nice and add a link, please.
http://www.cgisecurity.com/articles/xss-faq.shtml
Corporate Gadfly
Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
Yeah, as opposed to what, "Amateurish Apache Security"? From the same series as "Half-assed Programming in 10 minutes a day"?
-Andrei
About US$20, I'd wager.
!#@%*)anks for hanging up the phone, dear.
I think you're wrong. Computer Science is highly theoretical (hence "Science") and you should expect a great deal of algebra, matrices, etc. You sound like my friend who started majoring in Engineering and complained that he wasn't learning how to fix circuits! That's a technician's job, not an engineer's. If you want to learn programming, program. If you want to learn the theory behind computing, major in Computer Science. If people don't want to learn the theory, why do they take curricula which is highly theoretical?
And, why on earth would you switch to pure Math if you weren't learning anything practical in Computer Science??? Was that a joke?
Zed's dead baby. Zed's dead.
Unlike a lot of people on Slashdot, I'm a hobbyist/amateur sysadmin (or is that term even appropriate?), and this book is probably just what I need.
No, I'm sorry - this book is only for professionals. "Professional Apache Security" - see? Move along...
I want to drag this out as long as possible. Bring me my protractor.
Because, when the time comes that you need a feature that Apache provides, you just setup the module and restart Apache. Otherwise, you have to change your server setup from (insert odd other web server here) to Apache and go through all the setup steps anyway.
Overrated / Underrated : Moderation
http://cr.yp.to/publicfile.html
The question you should be asking yourself is, 'Am I obtaining education for a job or higher learning?'. Computing science is science - the quest for knowledge. Tech. College and a ton of certifications in every app and/or framework you use is the way to go if you have/want a non-research job.
.... Because whenever things go seriously wrong the deeper low-level knowledges saves the day.
Things come easier when you understand the underlying technologies/science, although not necessary to know. Books, like this one, targeting beginners to intermediates will help ease the learning curve and that's always welcome. Besides, how many IT folks are really going to cruise the source. If they're from a Microsoft background... nil (there's no source in Bill's world).
Why know matrices and vectors if all you're going to use is someones rendering engine? Why know sorting algorthims and trees if all you're going to do is drag and drop in access? Why understand tcp if all you're going to do is turn-on/off properties on tabs of win2k?
BTW: I gots two tech diplomas, plethora of certs, and 2 1/2 years on my CS degree. Overkill for the day to day MS monkey stuff but that's okay I'm NOT a monkey.
Just reading a book won't save you from the next cracker attack.
Wait a sec... Then why are you showing us this book??
Not planning for the future?
Why wouldn't you take a free (speech/beer) server like Apache and deploy it?
So again, what's your beef with Apache? And, what do you suggest insted?
Overrated / Underrated : Moderation