Apache Security (Paperback)

Ivan Ristic

  • 出版商: O'Reilly
  • 出版日期: 2005-04-05
  • 售價: $1,360
  • 貴賓價: 9.5$1,292
  • 語言: 英文
  • 頁數: 432
  • 裝訂: Paperback
  • ISBN: 0596007248
  • ISBN-13: 9780596007249
  • 相關分類: 資訊安全
  • 海外代購書籍(需單獨結帳)
    無現貨庫存(No stock available)




With more than 67% of web servers running Apache, it is by far the most widely used web server platform in the world. Apache has evolved into a powerful system that easily rivals other HTTP servers in terms of functionality, efficiency, and speed. Despite these impressive capabilities, though, Apache is only a beneficial tool if it's a secure one.

To be sure, administrators installing and configuring Apache still need a sure-fire way to secure it--whether it's running a huge e-commerce operation, corporate intranet, or just a small hobby site.

Our new guide, Apache Security, gives administrators and webmasters just what they crave--a comprehensive security source for Apache. Successfully combining Apache administration and web security topics, Apache Security speaks to nearly everyone in the field. What's more, it offers a concise introduction to the theory of securing Apache, as well as a broad perspective on server security in general.

But this book isn't just about theory. The real strength of Apache Security lies in its wealth of interesting and practical advice, with many real-life examples and solutions. Administrators and programmers will learn how to:

  • install and configure Apache
  • prevent denial of service (DoS) and other attacks
  • securely share servers
  • control logging and monitoring
  • secure custom-written web applications
  • conduct a web security assessment
  • use mod_security and other security-related modules

And that's just the tip of the iceberg, as mainstream Apache users will also gain valuable information on PHP and SSL/ TLS. Clearly, Apache Security is packed and to the point, with plenty of details for locking down this extremely popular and versatile web server.



Table of Contents:


1. Apache Security Principles

     Security Definitions

               Essential Security Principles

               Common Security Vocabulary

               Security Process Steps

               Threat Modeling

               System-Hardening Matrix

               Calculating Risk

     Web Application Architecture Blueprints

               User View

               Network View

               Apache View

2. Installation and Configuration


               Source or Binary

               Static Binary or Dynamic Modules

               Folder Locations

               Installation Instructions

     Configuration and Hardening

               Setting Up the Server User Account

               Setting Apache Binary File Permissions

               Configuring Secure Defaults

               Enabling CGI Scripts


               Setting Server Configuration Limits

               Preventing Information Leaks

     Changing Web Server Identity

               Changing the Server Header Field

               Removing Default Content

     Putting Apache in Jail

               Tools of the chroot Trade

               Using chroot to Put Apache in Jail

               Using the chroot(2) Patch

               Using mod_security or mod_chroot

3. PHP


               Using PHP as a Module

               Using PHP as a CGI

               Choosing Modules


               Disabling Undesirable Options

               Disabling Functions and Classes

               Restricting Filesystem Access

               Setting Logging Options

               Setting Limits

               Controlling File Uploads

               Increasing Session Security

               Setting Safe Mode Options

     Advanced PHP Hardening

               PHP 5 SAPI Input Hooks


4. SSL and TLS


               Symmetric Encryption

               Asymmetric Encryption

               One-Way Encryption

               Public-Key Infrastructure

               How It All Falls into Place


               SSL Communication Summary

               Is SSL Secure?


     Apache and SSL

               Installing mod_ssl

               Generating Keys

               Generating a Certificate Signing Request

               Signing Your Own Certificate

               Getting a Certificate Signed by a CA

               Configuring SSL

     Setting Up a Certificate Authority

               Preparing the CA Certificate for Distribution

               Issuing Server Certificates

               Issuing Client Certificates

               Revoking Certificates

               Using Client Certificates

     Performance Considerations

               OpenSSL Benchmark Script

               Hardware Acceleration

5. Denial of Service Attacks

     Network Attacks

               Malformed Traffic

               Brute-Force Attacks

               SYN Flood Attacks

               Source Address Spoofing

               Distributed Denial of Service Attacks

               Reflection DoS Attacks

     Self-Inflicted Attacks

               Badly Configured Apache

               Poorly Designed Web Applications

               Real-Life Client Problems

     Traffic Spikes

               Content Compression

               Bandwidth Attacks


               The Slashdot Effect

     Attacks on Apache

               Apache Vulnerabilities

               Brute-Force Attacks

               Programming Model Attacks

     Local Attacks

               PAM Limits

               Process Accounting

               Kernel Auditing

     Traffic-Shaping Modules

     DoS Defense Strategy

6. Sharing Servers

     Sharing Problems

               File Permission Problems

               Dynamic-Content Problems

               Sharing Resources

               Same Domain Name Problems

               Information Leaks on Execution Boundaries

     Distributing Configuration Data

     Securing Dynamic Requests

               Enabling Script Execution

               Setting CGI Script Limits

               Using suEXEC


               Running PHP as a Module

     Working with Large Numbers of Users

               Web Shells

               Dangerous Binaries

7. Access  Control


     Authentication Methods

               Basic Authentication

               Digest Authentication

               Form-Based Authentication

     Access Control in Apache

               Basic Authentication Using Plaintext Files

               Basic Authentication Using DBM Files

               Digest Authentication

               Certificate-Based Access Control

               Network Access Control

               Proxy Access Control

               Final Access Control Notes

     Single Sign-on

               Web Single Sign-on

               Simple Apache-Only Single Sign-on

8. Logging and Monitoring

     Apache Logging Facilities

               Request Logging

               Error Logging

               Special Logging Modules

               Audit Log

               Performance Measurement

               File Upload Interception

               Application Logs

               Logging as Much as Possible

     Log Manipulation

               Piped Logging

               Log Rotation

               Issues with Log Distribution

     Remote Logging

               Manual Centralization

               Syslog Logging

               Database Logging

               Distributed Logging with the Spread Toolkit

     Logging Strategies

     Log Analysis


               File Integrity

               Event Monitoring

               Web Server Status

9. Infrastructure

     Application Isolation Strategies

               Isolating Applications from Servers

               Isolating Application Modules

               Utilizing Virtual Servers

     Host Security

               Restricting and Securing User Access

               Deploying Minimal Services

               Gathering Information and Monitoring Events

               Securing Network Access

               Advanced Hardening

               Keeping Up to Date

     Network Security

               Firewall Usage

               Centralized Logging

               Network Monitoring

               External Monitoring

     Using a Reverse Proxy

               Apache Reverse Proxy

               Reverse Proxy by Network Design

               Reverse Proxy by Redirecting Network Traffic

     Network Design

               Reverse Proxy Patterns

               Advanced Architectures

10. Web Application Security

     Session Management Attacks


               Session Management Concepts

               Keeping in Touch with Clients

               Session Tokens

               Session Attacks

               Good Practices

     Attacks on Clients

               Typical Client Attack Targets


     Application Logic Flaws

               Cookies and Hidden Fields

               POST Method

               Referrer Check Flaws

               Process State Management

               Client-Side Validation

     Information Disclosure

               HTML Source Code

               Directory Listings

               Verbose Error Messages

               Debug Messages

     File Disclosure

               Path Traversal

               Application Download Flaws

               Source Code Disclosure

               Predictable File Locations

     Injection Flaws

               SQL Injection

               Cross-Site Scripting

               Command Execution

               Code Execution

               Preventing Injection Attacks

     Buffer Overflows

     Evasion Techniques

               Simple Evasion Techniques

               Path Obfuscation

               URL Encoding

               Unicode Encoding

               Null-Byte Attacks

               SQL Evasion

     Web Application Security Resources

               General Resources

               Web Application Security Resources

11. Web Security Assessment

     Black-Box Testing

               Information Gathering

               Web Server Analysis

               Web Application Analysis

               Attacks Against Access Control

               Vulnerability Probing

     White-Box Testing

               Architecture Review

               Configuration Review

               Functional Review

     Gray-Box Testing

12. Web Intrusion Detection

     Evolution of Web Intrusion Detection

               Is Intrusion Detection the Right Approach?

               Log-Based Web Intrusion Detection

               Real-Time Web Intrusion Detection

               Web Intrusion Detection Features

     Using mod_security


               More Configuration Advice

               Deployment Guidelines

               Detecting Common Attacks

               Advanced Topics

Appendix: Tools