Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hardening Apache

Posted by timothy on from the crunchy dept.

Gianluca writes "If security is not a concern, installing the Apache web server is a simple task even for an inexperienced system administrator. The problem is that security should always be a concern, and in case of Apache the information about making it secure can be sparse and fragmented. This is probably the reason why many web administrators are pretty clueless when it comes to Apache security. Needless to say, this creates a worrisome situation (to say the least): many web servers are vulnerable and exposed to thousands of potential attackers." Read on for Gianluca's review of Hardening Apache, a book intended to consolidate and clarify that information. Hardening Apache author Tony Mobily pages 270 publisher Apress rating 9 reviewer Gianluca Insolvibile ISBN 1590593782 summary A thorough guide through the intricacies and gotchas involved in securing an Apache installation

Hardening Apache fills a huge gap in this sense, providing web administrators with a complete and yet concise book aimed to guide them from the very beginning of the installation process to the final steps of the server configuration. The author, Tony Mobily, is also the mind behind Professional Apache Security, a book published by Wrox Press which I reviewed on Slashdot about 17 months ago. Since Wrox's unfortunate closure, some of the material from that book has been moved into Hardening Apache. More specifically:

  • The excellent chapter on "jailing" Apache is exactly the same;
  • The chapter on XSS attacks has been slightly improved;
  • The chapter on logging, which was nothing remarkable, has been greatly improved. It now includes a complete architecture to log on a remote host using encryption and a TCP/IP connection.

The first chapter of the book deals with deploying a clean and safe base installation, which will then be the grounds for adding extra functionality. Unfortunately, this task is often underestimated. What I liked in this chapter is the step-by-step guide to correctly downloading the source distribution and verifying its integrity (by checking its digital signature), as well as the clean approach to the creation of a lean, easily readable configuration file, which grants a painless maintenance. A highlight of this section is the use of Nikto to analyse and explain common weaknesses and to show how to fix them.

Chapter 2 presents some vulnerabilities and explains how to exploit them. The chapter doesn't have any "pearls of wisdom" (but it's nevertheless important to show that Apache can be vulnerable), and presents some important reference sites every web administrator should be aware of.

Chapter 3 definitely deserves a special mention: after introducing the "common" ways of logging and syslogd's architecture, the author describes a rational approach to realizing a complete logging solution which entails remote log servers, encryption of logs, and the use of a MySQL database to better organize them.

Chapter 4 is the only one which deals with the "programming" side of web security. It is not a comprehensive guide on how to write safe programs for the web, as it focuses on cross-site scripting attacks; it shows how to secure a simple and vulnerable message board written in PHP.

The following chapter talks about security modules: it presents an interesting overview of the most useful modules related to security, which will help administrators understand the importance of third-party modules and explains how to install and use some of them. I also liked Chapter 6, which deals with the installation of Apache in a secure, chrooted environment: the chapter does a great job in guiding the reader through the non-trivial steps required to get Apache, Perl and PHP working correctly in such a restricted environment.

The last chapter presents a number of powerful and well-written scripts which anybody can use to automate security and keep an eye on their web server (monitoring log growth, Apache's responsiveness, and so on).

What's to like Information throughout the book is very well focused and presented with a clean and friendly writing style. The book provides a clear and detailed walkthrough of the process of securing an Apache installation, covering both versions 1.3.x and 2.x and thus providing long lasting information. The book has lots of references and pointers to resources on the web, and - what's more important - instructions on how to read them. I also liked the "checkpoints" at the end of each chapter.

What's to consider Apart from chapter 4 on cross-site scripting attacks, the book does not cover secure web programming at all. It doesn't cover OS hardening either, which is out of scope but part of the game anyway. Going through the book requires some familiarity with Unix and Apache; otherwise you will have to resort to other books for the very basic steps.

All in all, I found this sort of "new edition" of the book by Apress to be greatly enhanced, more homogeneous and better focused than the previous book: I had been happy with Wrox's version, but I am enthusiastic about this one. This is a book which should definitely be included in any serious Apache administrator's bookshelf.

You can purchase Hardening Apache from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

25 of 241 comments (clear)

  1. One of the unfortunate things about Apache... by Sheetrock · · Score: 4, Insightful
    Its configuration is unusually complex for a webserver. I wouldn't be surprised if many of its so-called "security holes" actually came about because of misconfiguration by an administrator who was confused by the layout of the documentation or config files.

    In a way, Internet Information Services provides a more secure environment because an administrator gets a wealth of help and a decent initial configuration. In the end it's all about knowing your product, but it helps if the product helps you.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




    1. Re:One of the unfortunate things about Apache... by tcopeland · · Score: 5, Informative

      > In the end it's all about knowing your product,

      In "Apache: The Definitive Guide", Ben and Peter Laurie suggest a way to learn how to build an Apache config file - start with a blank file, and start Apache. Oops, it won't start. OK, so what's it missing? Check the log files. It needs a User directive - OK, add that. Try to start. Hm, it started, but where do I put my HTML? Ah, add a DocumentRoot. And so forth.

      This really doesn't take as long as it sounds - and after about 10 minutes of adding directives and restarting Apache, you'll have a lean configuration file that has just what you need in it - and you'll know how you got there, where the error logs are, and so on.

      --
      The Army reading list
    2. Re:One of the unfortunate things about Apache... by ThogScully · · Score: 4, Interesting

      When I've used Apache2, it's configuration setup seems a lot more organized and structured. It's still text files, but they make more sense and they are modularized better.

      Granted, that's just the in the distribution, not the server version... but at least it shows it's getting better at that. Now if only more people used Apache2, things would just fix themselves ;-)
      -N

      --
      I've nothing to say here...
    3. Re:One of the unfortunate things about Apache... by AKAImBatman · · Score: 4, Informative

      Its configuration is unusually complex for a webserver.

      Really? I never found it all that hard. Most of the complex stuff is inserted in the default file, but is not insecure in of itself. You just have to think about everything you do after that.

      I wouldn't be surprised if many of its so-called "security holes" actually came about because of misconfiguration by an administrator who was confused by the layout of the documentation or config files.

      In my experience, most Apache security issues are related to giving access to files that shouldn't be on the web. Doing things like symlinking directories is very powerful, but it's also very dangerous. Also keep in mind that if an attacker can upload a script, he already has access to your system. These sorts of problems (as well as undiscovered buffer overflow issues) can be mitigated by the use of Jails. When you jail Apache, you ensure that any attacker that does gain access, will only have access to Apache files.

      A typical Apache security problem would be something like an FTP server that has an anonymous account with access to a web-sharable directory. An attacker uploads a PHP script to the web-share, and it's game over for your machine/network.

      --
      Javascript + Nintendo DSi = DSiCade
    4. Re:One of the unfortunate things about Apache... by Foofoobar · · Score: 5, Informative

      Sorry but IIS has more critical exploits in any given month than Apache has all YEAR! Why do you think Apache owns 70% of the web? Microsoft made a push in 2001 but could only get as high as 35%... at which point it tanked back to it's previous high of about 22%

      --
      This is my sig. There are many like it but this one is mine.
    5. Re:One of the unfortunate things about Apache... by Blue+Lang · · Score: 4, Insightful

      you'll also have a gimpy, crapped-up config file that other admins have to wade through after you get fired.

      the best thing about the pre-built apache config files is the degree to which they are self-documenting. you can learn everything you need to know about apache just by reading through the comments. the second-best thing about them is that they're the same on all of your servers. the third best thing about them is that you don't have to read through a bunch of documentation to find out-of-date and non-working examples of config stanzas, because they're already there, commented out and waiting for some s/ action.

      --
      i browse at -1 because they're funnier than you are.
    6. Re:One of the unfortunate things about Apache... by tcopeland · · Score: 4, Insightful

      > a gimpy, crapped-up config file

      Hm. I find smaller configuration files to have both a lower gimp quotient and a reduced crapification level.

      > they are self-documenting.

      True, although there's a ton of stuff in there most folks won't use - content negotiation and such-like.

      > they're the same on all of your servers

      Hm. Most of my servers have different config files - different vhost names, different modules, etc. Perhaps if they were all fronting one application that might be different...

      --
      The Army reading list
    7. Re:One of the unfortunate things about Apache... by tonymercmobily · · Score: 5, Interesting

      I coulnd't agree more with you.

      The point is that if you write your config file by hand, then you HAVE TO know each directive (well, sort of).
      That's part of the reason why I wrote the first chapter that way...

      Merc.
      (The book's author)

    8. Re:One of the unfortunate things about Apache... by Skjellifetti · · Score: 5, Insightful

      In "Apache: The Definitive Guide", Ben and Peter Laurie suggest a way to learn how to build an Apache config file - start with a blank file, and start Apache. Oops, it won't start. OK, so what's it missing? Check the log files. It needs a User directive - OK, add that. Try to start. Hm, it started, but where do I put my HTML? Ah, add a DocumentRoot. And so forth.

      No, its not add that. Its copy that and the associated comment from the original stock config file apache provides. Now your lean config file is documented, looks just like apache's and won't confuse your successor. I generally do this with any new daemon I install that requires a config file. Note that from a security standpoint this may not be good enough if the daemon's secure options are turned off by default since you may not see any warnings in the logs.

      --
      FreeSpeech.org
    9. Re:One of the unfortunate things about Apache... by jc42 · · Score: 4, Insightful

      Of course, you could reinterpret "start with a blank file" to mean "Add a '#' to the start of every line in the sample httpd.conf file". That would give you a "blank" file, but with all the documentation and examples very easily available.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  2. secure by Anonymous Coward · · Score: 4, Funny

    If security is not a concern, installing the Apache web server is a simple task even for an inexperienced system administrator Yet I still preffer IIS, according to research, it's more easy to install, and up to 70% more secure; according to research that is.

  3. Don't forget by Anonymous Coward · · Score: 4, Informative

    To Harden PHP while you're at it.

  4. Umm. by Anonymous Coward · · Score: 5, Interesting


    OpenBSD's Apache has a diff of 3 or 4 thousand lines over "stock" Apache. Why not just use that?

    1. Re:Umm. by Triumph+The+Insult+C · · Score: 5, Interesting

      here is a link about just that

      and it's not that they haven't tried feeding the patches back, either. the ASF is being utterly retarded about accepting them. more and more

      --
      vodka, straight up, thank you!
  5. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  6. Devil's Advocate by Anonymous Coward · · Score: 5, Informative

    You could also take the time to read about Hardening IIS. Come get me Mods =)

    1. Re:Devil's Advocate by Zeebs · · Score: 5, Funny

      We can also read The Bible if we believe in miracles.

      --

      Happy Noodle Boy says "F###ing doughnut! Mock me? You fried cyclops!!"
  7. Is that anything like... by gregarican · · Score: 4, Funny

    a cigar store wooden Indian? Sorry, I hadda say it...

  8. Re:Stupid is a Stupid does by cbreaker · · Score: 4, Funny

    How many of you so called admins do this:

    %su
    %httpd start

    when we all know it should be

    %su
    #httpd start

    --
    - It's not the Macs I hate. It's Digg users. -
  9. Don't advertise version number by captaineo · · Score: 5, Insightful

    I wish web servers wouldn't advertise their version number be default (e.g. in directory listings or HTTP headers). It's like giving an attacker an exact list of the exploits that will work on your server.

  10. Great. Another Book of The Arcane. by Thalia · · Score: 4, Insightful

    There is a fundamental flaw with security hardening being in a separate book, sold by advertising and word of mouth, read separately and in a different medium than installation documentation, updated asynchronously, and expected to work. Would you accept a word processor with a separate book on "Master's Secrets on Keeping Your Word Processor From Crashing"?

    With any luck, many hardening techniques will migrate towards the Apache installation process, or at least the Apache documentation.

  11. Re:Interesting by bigbadunix · · Score: 4, Insightful



    Don't let not knowing about security hold you back from hosting your own site. Experiment, learn, have fun. Put an apache box up on a DMZ, put stupid content on it, see what happens. Look at your logs, see what's going on, learn from any mistakes you make along the way.

    If you're in this industry, and are afraid to be the "fall guy" who has do deal with the inevitable attacks, or the "fall guy" in general, you'd better fasten your seat belt...you're in for a bumpy ride.

    He who makes no mistakes makes nothing at all

    --

    The older I get, the less I like everyone else.
  12. just put an IIS server in front of it by seringen · · Score: 5, Funny

    you're apache install will stay safe because they'll be too distracted

  13. Re:Problems by djh101010 · · Score: 4, Informative

    Ohh, and you do know that on unix you can remove a binary of a program that's running, put a new one in, and do a quick kill/start?

    Actually, for most of the configuration changes (short of an actual version upgrade or SSL cert change), you can do an 'apachectl graceful' and it applies your changes to the _new_ sessions, while letting the existing sessions close in the natural flow of the users' use of your site. Nice for minor tweaks on the fly during the day, with zero downtime.

  14. Re:Well by The+Angry+Mick · · Score: 4, Funny

    So that's where all those "child" processes come from . . .

    --

    I'm not tense. I'm just terribly, terribly, alert.