Apache Security

Name: Apache Security
Price: 3.06 USD
Availability: InStock
ISBN: 9780596007249

ISBN-10: 0596007248

ISBN-13: 9780596007249

Edition: 2005

Authors: Ivan Ristic

List price: $34.95

30 day, 100% satisfaction guarantee!

Marketplace

3 new & used from $3.06

what's this?

Rush Rewards U
Members Receive:

You have reached 400 XP and carrot coins. That is the daily max!

With more than 67% of web servers running Apache, it is by far the most widely used web server platform in the world. Apache has evolved into a powerful system that easily rivals other HTTP servers in terms of functionality, efficiency, and speed. Despite these impressive capabilities, though, Apache is only a beneficial tool if it's a secure one. To be sure, administrators installing and configuring Apache still need a sure-fire way to secure it--whether it's running a huge e-commerce operation, corporate intranet, or just a small hobby site. Our new guide, "Apache Security, gives administrators and webmasters just what they crave--a comprehensive security source for Apache.…

Book details

List price: $34.95
Copyright year: 2005
Publisher: O'Reilly Media, Incorporated
Publication date: 3/7/2005
Binding: Paperback
Pages: 432
Size: 7.25" wide x 9.50" long x 1.00" tall
Weight: 1.540
Language: English



Preface



Apache Security Principles


Security Definitions


Essential Security Principles


Common Security Vocabulary


Security Process Steps


Threat Modeling


System-Hardening Matrix


Calculating Risk


Web Application Architecture Blueprints


User View


Network View


Apache View



Installation and Configuration


Installation


Source or Binary


Static Binary or Dynamic Modules


Folder Locations


Installation Instructions


Configuration and Hardening


Setting Up the Server User Account


Setting Apache Binary File Permissions


Configuring Secure Defaults


Enabling CGI Scripts


Logging


Setting Server Configuration Limits


Preventing Information Leaks


Changing Web Server Identity


Changing the Server Header Field


Removing Default Content


Putting Apache in Jail


Tools of the chroot Trade


Using chroot to Put Apache in Jail


Using the chroot(2) Patch


Using mod_security or mod_chroot



PHP


Installation


Using PHP as a Module


Using PHP as a CGI


Choosing Modules


Configuration


Disabling Undesirable Options


Disabling Functions and Classes


Restricting Filesystem Access


Setting Logging Options


Setting Limits


Controlling File Uploads


Increasing Session Security


Setting Safe Mode Options


Advanced PHP Hardening


PHP 5 SAPI Input Hooks


Hardened-PHP



SSL and TLS


Cryptography


Symmetric Encryption


Asymmetric Encryption


One-Way Encryption


Public-Key Infrastructure


How It All Falls into Place


SSL


SSL Communication Summary


Is SSL Secure?


Open


SSL


Apache and SSL


Installing mod_ssl


Generating Keys


Generating a Certificate Signing Request


Signing Your Own Certificate


Getting a Certificate Signed by a CA


Configuring SSL


Setting Up a Certificate Authority


Preparing the CA Certificate for Distribution


Issuing Server Certificates


Issuing Client Certificates


Revoking Certificates


Using Client Certificates


Performance Considerations


Open


SSL Benchmark Script


Hardware Acceleration



Denial of Service Attacks


Network Attacks


Malformed Traffic


Brute-Force Attacks


SYN Flood Attacks


Source Address Spoofing


Distributed Denial of Service Attacks


Reflection DoS Attacks


Self-Inflicted Attacks


Badly Configured Apache


Poorly Designed Web Applications


Real-Life Client Problems


Traffic Spikes


Content Compression


Bandwidth Attacks


Cyber-Activism


The Slashdot Effect


Attacks on Apache


Apache Vulnerabilities


Brute-Force Attacks


Programming Model Attacks


Local Attacks


PAM Limits


Process Accounting


Kernel AuditingTraffic-Shaping Modules


DoS Defense Strategy



Sharing Servers


Sharing Problems


File Permission Problems


Dynamic-Content Problems


Sharing Resources


Same Domain Name Problems


Information Leaks on Execution Boundaries


Distributing Configuration Data


Securing Dynamic Requests


Enabling Script Execution


Setting CGI Script Limits


Using su


EXEC


Fast


CGI


Running PHP as a Module


Working with Large Numbers of Users


Web Shells


Dangerous Binaries



Access Control


Overview


Authentication Methods


Basic Authentication


Digest Authentication


Form-Based Authentication


Access Control in Apache


Basic Authentication Using Plaintext Files


Basic Authentication Using DBM Files


Digest Authentication


Certificate-Based Access Control


Network Access Control


Proxy Access Control


Final Access Control Notes


Single Sign-on


Web Single Sign-on


Simple Apache-Only Single Sign-on



Logging and Monitoring


Apache Logging Facilities


Request Logging


Error Logging


Special Logging Modules


Audit Log


Performance Measurement


File Upload Interception


Application Logs


Logging as Much as Possible


Log Manipulation


Piped Logging


Log Rotation


Issues with Log Distribution


Remote Logging


Manual Centralization


Syslog Logging


Database Logging


Distributed Logging with the Spread Toolkit


Logging Strategies


Log Analysis


Monitoring


File Integrity


Event Monitoring


Web Server Status



Infrastructure


Application Isolation Strategies


Isolating Applications from Servers


Isolating Application Modules


Utilizing Virtual Servers


Host Security


Restricting and Securing User Access


Deploying Minimal Services


Gathering Information and Monitoring Events


Securing Network Access


Advanced Hardening


Keeping Up to Date


Network Security


Firewall Usage


Centralized Logging


Network Monitoring


External Monitoring


Using a Reverse Proxy


Apache Reverse Proxy


Reverse Proxy by Network Design


Reverse Proxy by Redirecting Network Traffic


Network Design


Reverse Proxy Patterns


Advanced Architectures



Web Application Security


Session Management Attacks


Cookies


Session Management Concepts


Keeping in Touch with Clients


Session Tokens


Session Attacks


Good Practices


Attacks on Clients


Typical Client Attack Targets


Phishing


Application Logic Flaws


Cookies and Hidden Fields


POST Method


Referrer Check Flaws


Process State Management


Client-Side Validation


Information Disclosure


HTML Source Code


Directory Listings


Verbose Error Messages


Debug Messages


File Disclosure


Path Traversal


Application Download Flaws


Source Code Disclosure


Predictable File Locations


Injection Flaws


SQL Injection


Cross-Site Scripting


Command Execution


Code Execution


Preventing Injection Attacks


Buffer Overflows


Evasion Techniques


Simple Evasion Techniques


Path Obfuscation


URL Encoding


Unicode Encoding


Null-Byte Attacks


SQL Evasion


Web Application Security Resources


General Resources


Web Application Security Resources



Web Security Assessment


Black-Box Testing


Information Gathering


Web Server Analysis


Web Application Analysis


Attacks Against Access Control


Vulnerability Probing


White-Box Testing


Architecture Review


Configuration Review


Functional Review


Gray-Box Testing



Web Intrusion Detection


Evolution of Web Intrusion DetectionIs Intrusion Detection the Right Approach?


Log-Based Web Intrusion Detection


Real-Time Web Intrusion Detection


Web Intrusion Detection Features


Using mod_securityIntroduction


More Configuration Advice


Deployment Guidelines


Detecting Common Attacks


Advanced Topics


Appendix: Tools


Index