Book Review of "Apache Security"


By Robert Auger

Author: Ivan Ristic
Pages: 432
Publisher: O'Reilly (March 15, 2005)
ISBN: 0596007248
Price: $34.95

Intro

This book was written by Ivan Ristic, the author of the popular Apache web application firewall module mod_security. Naturally this book does discuss how to use mod_security to harden your system, but I'm happy to report it isn't his main area of focus. One of the first things that I do while reviewing a book is to find all the things that the text doesn't cover that it *really* should have and point them out in my review. Simply put this book has everything, and I do mean everything. Here's the low down on a per chapter basis.

Chapter 1 'Apache Security Principles'

This brief chapter discusses common security terminology and concepts, and touches on Web Application Architecture and how apache handles it. This chapter also includes a useful Apache Hardening Matrix outlining the various security measures that should be turned on depending on your stage of deployment.

Chapter 2 'Installation and Configuration'

By far this is one of the most important chapters of the book, describing the inner workings of apache in great detail. Everything is discussed including the Pro's and Cons of Static Binary Installations verses Dynamically Loaded Apache module installs, Common Apache Backdooring techniques, configuration hardening with Apache Directives, setting Request Length restrictions, Limiting Denial of Services Attacks with Timeout restrictions, restricting information disclosure of Web Server Information, and much more!

As many of you know OpenBSD implements Apache in a chrooted environment by default, but what if you don't run OpenBSD and you want a chrooted installation? One of the best tidbits in this chapter reviews how-to chroot your apache installation with step by step directions on identifying library dependencies for those using custom installations, chrooting PHP and Perl, and some of the challenges faced when using chrooted environments.

Chapter 3 'PHP'

PHP is often a migraine for system administrators. This chapter begins discussing the security and performance differences running PHP as CGI or Apache module. Next it jumps into configuration options within PHP including restriction of Functions and Classes, Setting File system Restrictions, PHP Logging, limiting script execute times/and memory usage, request restrictions, File system Access, and Safemode. If you're paranoid about running PHP this chapter is a must read.

Chapter 4 'SSL and TLS'

This chapter starts off by describing basic cryptography terminology, concepts such as Symmetric and Asymmetric Encryption, and One-way encryption. Next it dives into installing and configuring ssl in Apache, using openssl to generate and sign certificates, and installing and managing your very own Certificate Authority.

Chapter 5 'Denial of Service Attacks'

When you first think of Denial of Service Attacks you may think of an attacker flooding a machine with bogus requests in order to crash it, or slow it down. This chapter discusses the fact that more often than not, traffic spikes (such as the Slashdot effect), brute forcing, and image hot linking can cause server slowdown and/or theft of bandwidth. Image hot linking is a fairly common problem where a person inserts a reference to an image on site B displaying content on site A through the use of an "img src" HTML tag. This chapter provides solutions against this fairly common, casual image theft by using apaches mod_rewrite within a few example recipes.

Chapter 6 'Sharing Servers'

Ivan begins this chapter discussing some of the common permission issues that arise in shared apache hosting environments. He addresses how in most Apache environments web applications execute under the same userid and the risks associated with this behavior. The pros and cons of solutions such as separate apache instances on a per-site is basis, suExec, mod_perchild, Metux MPM, and mod_suid are described in great detail.

Htaccess files are often available to users intending to write their own mod_rewrite rules, implement basic password authentication, or call specific apache directives for custom website environments. Common misconfigurations in apache may allow a user to override server specified directives within their htaccess file which may allow access to sensitive data from other locally shared websites, or from apache itself. This chapter discusses secure directive practices for users needing this functionality with a run down of risks on a per directive basis. If you're in charge of a mass hosting environment, or even host a few websites for friends the information contained within this chapter is golden.

Chapter 7 'Access Control'

This chapter jumps into basic access control theory and later migrates into to site authentication methods such as host based restrictions, Basic and Digest Authentication, Client side Certificates, and Single Sign-on Authentication with Apache.

Chapter 8 'Logging and Monitoring'

One of the most important components of any running service is the ability to track and log what's happening. Chapter 8 covers everything you'll need to know about logging web traffic including log customization walk troughs, configuring Apache to support forensic level logging with mod_forensics, statistical reporting and anomaly detection, as well as some of the special logging features in mod_security.

Chapter 9 'Infrastructure':

Basic theory of network design, and implementation is covered here. A large chunk of this chapter is dedicated towards the use of reverse proxies for load balancing and performance gains, as well as content filtering.

Chapter 10 'Web Application Security'

While this book's main scope is Apache, an entire chapter is dedicated towards Web Application Security. Everything from State Management, Phishing, Application logic flow, Application Error exposure, Buffer Overflows, Source-code disclosure, SQL Injection, Cross Site Scripting, Directory Traversal, and IDS Evasion is discussed.

Chapter 11 'Web Security Assessment'

When you run your own Web Server you're responsible for the security of it and its content. Here Ivan discusses Black Box, White Box, and Gray Box testing approaches to test a web site/server for security vulnerabilities. Data mining concepts and methods including what people often refer to as "Search Engine Hacking" is discussed along with, vulnerability assessment using vulnerabilities scanners and system information gathering tools, common ways to test your server for mis-configurations, and secure review of the system architecture.

Chapter 12 'Web Intrusion Detection'

This chapter heavily focuses on the use of Web Application Firewalls (WAF) to act as a reverse proxy filter between the web server and user. WAF methodologies such as Anomaly detection, rule based signature matching, and State keeping are discussed. This chapter heavily focuses on mod_security and its different configurations. If you've thought about using mod_security or just wondered how Web Application Firewalls work this chapter's for you.

Conclusions

The audience for this book ranges from novice users straight to web developers. If you run Apache in a production environment, your basement, or run IIS and were curious of Apache's available features this book is a must. This book also has it's own website http://www.apachesecurity.net containing a few sample chapters from the book, as well as some of the tools mentioned within it. The book can be found at amazon here

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.


All Comments are Moderated and will be delayed!