Professional Apache Security 115
| Professional Apache Security | |
| author | Tony Mobily et al. |
| pages | 360 |
| publisher | Wrox Press |
| rating | 8.0 |
| reviewer | Gianluca Insolvibile |
| ISBN | 1861007760 |
| summary | A comprehensive overview of security related issues of interest for web admins, security analysts and web developers |
The book walks through the most common tasks of an Apache administrator. It covers, for example, proper installation and maintenance, common practices in security and remote attacks. Some basic notions of system administration are also given, for those areas which affect the web server behaviour.
Topics of specific interest for security freaks include system hardening, intrusion detection mechanisms, monitoring and logging, server chroot()ing, session tracking, cryptography and SSL.
Throughout the book there are descriptions of common attacks like Cross-Site Scripting (XSS), CGI vulnerabilities, Denial of Service (DoS), Distributed DoS (DDoS), Reflection DDoS (RDDoS), cookie spoofing and session hijacking. Script kids be warned: there's no easily exploitable information on how to attack a web server inside the book.
What's to like
The book is well written, and an enjoyable read. It uses a very precise and yet friendly language to guide its readers through the covered subjects. Using this straightforward approach, it explains some thorny topics starting from basic notions and assuming no previous knowledge.
The explanation of essential topics like the HTTP protocol and server architecture, forms and CGI mechanisms, system configuration, etc. are nicely integrated with more tangled and scarcely documented issues. It is worth mentioning:
- the chapter on "jailing" the web server (which explains in detail how to correctly prepare a complete yet secure chroot'ed "sandbox" for Apache);
- the chapter on prevention of XSS attacks (explaining these types of attacks, and how to write CGI scripts to avoid them);
- the appendix dealing with usage and configuration of mod_rewrite.
Everything is supplemented with hands-on examples, information and tricks valuable to the intermediate reader; the clear explanations of basic topics will provide complete instructions for the beginners.
Further pro's of the book include updated information (issues related to Netscape 7, IE 6, Mozilla 1.0, Apache series 1.3 and 2.0), coverage of less known topics (e.g.: P3P) and a wealth of references to the relevant sources of information like RFCs, W3C specifications and CERT Advisories.
What's to consider
The downside of writing for both beginners and intermediate readers in just 360 pages is that the depth of the information provided is necessarily limited. The book is clearly targeted to less experienced system administrators, who will be able to quickly grasp the most important concepts revolving around Apache security and secure administration. Intermediate users are likely to find some paragraphs quite trivial, however they will be rewarded by the many pearls of wisdom offered in the more detailed sections. Expert system administrators might be disappointed by the lack of more in-depth and hard-core technical explanations.
The summary
The best aspect of the book is that it assembles basic notions, rarely available information and hints derived from the authors' experience to produce a neat, clearly written and comprehensive guide to Apache security. This will enable beginning web admins to understand the key points in managing and securing a web server, while providing experienced ones with a quick reference to the most important security practices.
Table of Contents
Introduction
Chapter 1: Installation
Chapter 2: Secure administration
Chapter 3: HTTP Security and Cross-Site Scripting Attacks
Chapter 4: Authentication and authorization
Chapter 5: System security
Chapter 6: Apache in jail
Chapter 7: Denial of service attacks
Chapter 8: Cookies
Chapter 9: CGI security
Chapter 10: Logging
Chapter 11: Session tracking
Chapter 12: Apache and cryptography
Chapter 13: SSL and Apache
Appendix A: Security resources
Appendix B: Apache with mod_rewrite
Appendix C: Sample SSL Accelerator implementations
You can purchase Professional Apache Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Re:Defacing (Score:4, Interesting)
Correction (Score:1)
It will help prevent defacing, if the webserver and/or the modules are used to do it.
Whuh? (Score:3, Interesting)
If it's that easy to make stuff insecure without realising it, then the httpd.conf file needs more obvious comments.
If it's not actually that easy and it's down to the stupidity of the admin, then a book is unlikely to help: just read the various HOWTOs and follow them step by step, you can't really go wrong.
Of course there will be ways around security models but you'll defeat the average script kiddy just by following word-for-word instructions and installing the latest patches.
Re:Whuh? (Score:5, Interesting)
Hey - toss me a bone here :-) this is open source, tell me/us [apache.org] what annotations should be added to httpd.conf.. and we'll make apache a beter product.
Action >> Reaction ;-)
Dw.
Re:Whuh? (Score:1)
As far as I know I've never managed to do it - no-one's hacked any of the sites I've built. But there may be a first time :)
Re:Whuh? (Score:2)
XSS (Score:2, Interesting)
Anyone have any links on this topic?
Re:XSS (Score:5, Informative)
http://www.cgisecurity.com/articles/xss-faq.sht
Re:XSS (Score:2, Informative)
http://www.cgisecurity.com/articles/xss-faq.shtml [cgisecurity.com]
other apache/XSS books (Score:1)
Justifying your time and budget (Score:4, Insightful)
And having a published authority to refer to can help in justifying the time to a boss or a client. If they already trust you, they'll believe that the web server needs to be secured. But I find that the bulleted list of actions to take and the benefits of those actions goes a long way towards maintaining real world credibility.
When crackers attack!! (Score:1, Funny)
The saltines can be particularly nasty. Don't even get me started on the TownHouse.
*shudders*
I always thought that "crackers" were people who remove the copy protection from programs.
Maybe a matter of symantecs... whatever.
Re:When crackers attack!! (Score:4, Funny)
Nope, them's the virus people.
Re:When crackers attack!! (Score:2, Informative)
Re:When crackers attack!! (Score:2)
an over-generalization would be (for example) saying that arabs are people who commit terrorist acts, which wouldn't be an over-generalization if there weren't non-arabs who were also terrorists. as it is the hacker thing is merely a generalization.
Re:When crackers attack!! (Score:1)
Re:When crackers attack!! (Score:1)
Noticing a hint of irony in the other sections of your post, there is a distinct possibility that this comment was meant to be ironic as well, but I'm gonna ignore that possibility and be informative instead.
Anywho, according to the New Hacker's Dictionary (http://www.jargon.8hz.com/jargon_toc.html):
" cracker
One who breaks security on a system. Coined ca. 1985 by hackers in defense against journalistic misuse of hacker (q.v., sense 8). An earlier attempt to establish `worm' in this sense around 1981--82 on Usenet was largely a failure.
Use of both these neologisms reflects a strong revulsion against the theft and vandalism perpetrated by cracking rings. While it is expected that any real hacker will have done some playful cracking and knows many of the basic techniques, anyone past larval stage is expected to have outgrown the desire to do so except for immediate, benign, practical reasons (for example, if it's necessary to get around some security in order to get some work done).
Thus, there is far less overlap between hackerdom and crackerdom than the mundane reader misled by sensationalistic journalism might expect. Crackers tend to gather in small, tight-knit, very secretive groups that have little overlap with the huge, open poly-culture this lexicon describes; though crackers often like to describe themselves as hackers, most true hackers consider them a separate and lower form of life.
Ethical considerations aside, hackers figure that anyone who can't imagine a more interesting way to play with their computers than breaking into someone else's has to be pretty losing. Some other reasons crackers are looked down on are discussed in the entries on cracking and phreaking."
Professional? argh!! (Score:4, Interesting)
Re:Professional? argh!!-Sloppy Joe. (Score:1, Funny)
Re:Professional? argh!! (Score:2, Funny)
About $8.00 to the cover price :)
Re:Professional? argh!! (Score:1)
Oh wait.
Re:Professional? argh!! (Score:3, Funny)
Re:Professional? argh!! (Score:5, Funny)
About US$20, I'd wager.
Not good enough. (Score:4, Interesting)
That's not good enough. I want a detailed list of exploits and how to configure my web server not to be vulnerable. I want to know what patches fix what. I want to know what vulnerabilities exist. Since we're not talking about Apache and not IIS, I'll assume this information isn't being kept a secret to prevent script kiddies from using an exploit on my box. So, where the heck can I get a definitive answer? Is there some kind of tool I can run (for free) that checks my system for vulnerabilities?
Re:Not good enough. (Score:5, Informative)
Try FreeScan [qualys.com] from Qualys. Nice web based tool.
Re:Not good enough. (Score:2)
Not sure how much you'll pick up for just your webserver, but it's a good starting point to pick up from.
Malk
**Sigh** was Re:Not good enough. (Score:4, Insightful)
Somewhat more seriously, go check out the BugTraq mailing list at securityfocus.com. You will find there just about everything you so obnoxiously demand. Also, get on the main and developer mailing lists for whatever software you use, Apache httpd, mod_perl, whatever. Third, read, read, READ!!!! Read ALL the fine manuals, how-tos, etc, etc. Read the Source, Luke.
This book (at least from the review, haven't seen it myself) will clue you in as to what CATEGORIES of exploits exist, and how to prevent them from being used against you. If you "need a detailed list of exploits" after that, if you really truly NEED a set of cookie-cutter recipes, then please do your employer a favor, and quit now.
It is possible to make lists of every KNOWN exploit. It is nearly pointless to do this, though, since for every known exploit, there are inevitably going to be unknown exploits and unknown variations. However, learning about the KINDS of exploits and preventing them is much more efficient, intelligent, and effective.
Re:**Sigh** was Re:Not good enough. (Score:1)
And, the thing is, the best reason to use the web for up to date exploit information instead of a book (if you must know of all the exploits as this person wants to) is that by the time a book actually hits a shelf at a bookstore on "current" exploits, it is already extremely out of date.
I agree, understanding how your server software works will help you understand what can potentially be exploited on it! It is infinitely more useful to understand how Apache works than to *only* get a list of currently known exploits. Both should be intelligently employed together.
I think also important is, following strict policies of enabling functionality only when it is necessary *and* securable. If new features are not currently securable, they are potentially dangerous and probably not worth the risk they pose to data on an otherwise secure system in exchange for their benefits.
Re:**Sigh** was Re:Not good enough. (Score:2)
Re:**Sigh** was Re:Not good enough. (Score:2)
If you want *easy*, I can't help you. Humans write code, and humans are prone to error. If you want the most secure server possible, you will need to learn buckets about system administration. A starting point is to use an OS that is built for security: OpenBSD comes to mind, and maybe something like SELinux, I don't know enough about it to say. Then, run only the minimum of services you need, and make sure that the software providing those services is the most secure possible. Check out Bastille, the Linux hardening system. As others have pointed out, there are simpler, easier, more secure web servers available than Apache. Apache is stable, reliable, reasonably (though not the best) performant, and HIGHLY configurable. It is the kitchen sink of web servers -- everything gets thrown into it, and it does a darn good job of it all. But having lots of options means there is a good chance that some of those options will allow you to leave your system unsecured in some way.
Use intrusion detection systems, keep your system up to date at all times (and THIS is where the BugTraq mailing list is optimally useful, as a notification method for newly discovered problems), go to insane lengths and go bald, blind, and crazy trying to keep up with it all. Because, while a black hat only has to come up with ONE new exploit, YOU have to stay on top of ALL of them.
So, easy is nice, and I'll very likely check out the suggestions others have posted. But security isn't easy on the whole, you're either uber-paranoid or too complacent. You just have to figure out where your level of complacency lies. In all truth and honesty, on my own server I make sure that I'm fully patched, and aren't using anything too obviously open for intrusion, and that's about it. But then, I don't have any massively important data on my server anyway, and as a result, I don't NEED to be uber-paranoid. So, I know where my level of complacency is and I'm not unhappy about it. At the same time, I realize that I'm not on the cutting edge of security, and I also realize that easy isn't really an option to obtain true security. What you seek will give you something that you shouldn't have, and that's a false sense of security. You need to be aware, deep down in your heart, that as long as there are people out there who care enough to spend enough time at it, nothing -- say it with me, now -- NOTHING is truly secure.
And, oh yeah, people who become well-versed with everything that comes out on BugTraq to the point where they start contributing are called security experts, and are typically very well paid for that expertise. If you want to have security to that level, that's what you have to do. And by that time you are too paranoid to ever feel secure again...
Re:Not good enough. (Score:2)
So you aren't willing to pay anything to secure your site? I guess you'll get what you pay for.
Re:Not good enough. (Score:2)
Re:Not good enough. (Score:2)
Re:Not good enough. (Score:1)
I totally understand what you mean.
I must say that the point of the book is to give solid knowledge in order to understand *why* such exploits exist, and how to prevent them. A raw list will help you for the current version of Apache, where a deeper understanding will help you prevent and help you prevent any kind of vulnerability...
Clumsy Admins (Score:4, Interesting)
Now if we can just get those admins that are clumsy, to admit to it and force them to read the book.
But seriously, I am glad that books like this are being printed, it makes it that much harder for crackers to play immature -and sometimes harmful- pranks and give the rest of us bad names.
Just my humble opinion,
SirLantos
I might read this (Score:5, Insightful)
I've been using/programming computers all my life, but have never taken a single Comp Sci or MSI course; I end up going to books and HowTo's very frequently. I run several servers at home, including an apache webserver, a samba server, etc... For a guy like me who's not 3l337, these kinds of things are a godsend.
I've spent 11years in higher education... NO WAY I'm going back for another degree; keep those understandable, non-arcane books coming.
never be ashamed of RTFM (Score:1)
Now personally I prefer the Apache docs, FAQs and mod_perl mailing list to cover anything I don't understand in it, and go to source code when in doubt, so I don't think I'll be tempted to buy this book...
Re:never be ashamed of RTFM (Score:4, Interesting)
The straw that broke my back was the OpenGL course I took, where we spent the whole semester revisiting high school algebra, matrices and projections and normal vectors and whatnot. Not one line of friggen code written, not one technique learned (I wanted to learn a bit about bsp trees, gourad shading, environment mapping, you know.. the cool stuff). We didnt even learn the differences between gl.h, glu.h, glut.h.. It was a huge crock of crap.
So I just switched to a pure math degree.
Comp sci, and IT in particular, is something you learn by doing.
Re:never be ashamed of RTFM (Score:3, Insightful)
I think you're wrong. Computer Science is highly theoretical (hence "Science") and you should expect a great deal of algebra, matrices, etc. You sound like my friend who started majoring in Engineering and complained that he wasn't learning how to fix circuits! That's a technician's job, not an engineer's. If you want to learn programming, program. If you want to learn the theory behind computing, major in Computer Science. If people don't want to learn the theory, why do they take curricula which is highly theoretical?
And, why on earth would you switch to pure Math if you weren't learning anything practical in Computer Science??? Was that a joke?
Re:never be ashamed of RTFM (Score:1)
Re:never be ashamed of RTFM (Score:1)
The CS program was full of
I love and appreciate mathematics, and how it relates to CS. But spending two weeks discussing dot products in a 3rd year CS course? It was a joke.
Re:never be ashamed of RTFM (Score:2, Interesting)
Things come easier when you understand the underlying technologies/science, although not necessary to know. Books, like this one, targeting beginners to intermediates will help ease the learning curve and that's always welcome. Besides, how many IT folks are really going to cruise the source. If they're from a Microsoft background... nil (there's no source in Bill's world).
Why know matrices and vectors if all you're going to use is someones rendering engine? Why know sorting algorthims and trees if all you're going to do is drag and drop in access? Why understand tcp if all you're going to do is turn-on/off properties on tabs of win2k?
BTW: I gots two tech diplomas, plethora of certs, and 2 1/2 years on my CS degree. Overkill for the day to day MS monkey stuff but that's okay I'm NOT a monkey.
no amateurs allowed (Score:4, Funny)
Unlike a lot of people on Slashdot, I'm a hobbyist/amateur sysadmin (or is that term even appropriate?), and this book is probably just what I need.
No, I'm sorry - this book is only for professionals. "Professional Apache Security" - see? Move along...
webapp side of the equation (Score:5, Informative)
A very good site for (free) information on this area is http://www.owasp.org/ [owasp.org]. OWASP seems to mainly focus on webapp level security, which is ok given the wealth of informative resources out there for the host and network layer. (OWASP = Open Web Application Security Project)
It's a start (Score:5, Informative)
If you're running a web server, use my painfully-earned experience and never trust a single source to tell you you're secure. (This includes you. Get someone else to double-check your servers for you. Otherwise, you will never know what you missed until it's too late.)
kneht
Re:It's a start (Score:1)
Usually when I see a server get pooched, it's the admin that did it.
Ie, they mean to type "DELETE FROM customers WHERE last_name = 'malda'", but forget the where clause.
Or wiping the current directory with rm -rf
It happens to the best of em.
Re:It's a start (Score:2)
Re:It's a start (Score:1)
>There's never gonna be a single source for all
>things security--even for a single item such as
>Apache. Those looking for a good start can go
>with this book, or google for how-to's, but
>another place is www.securityspace.com
>[securityspace.com].
I coulnd't agree more. For this reason, tis book is *full* of references to web sites, CERT pages, RFCs, etc.
As I wrote in the introduction, this book is a start, a way of finding your way through the great deal of documentation available for Apache (and concerning security).
Merc.
Secure Web Sites... (Score:5, Interesting)
As far as securing Apache itself, don't load modules you don't need, and keep it patched. That's about all you'll need to do to shun a majority of exploits. There's plenty of other security hardening modes and methods for Apache out there, Google them up and you'll probably get more than out of this book.
Re:Secure Web Sites... (Score:2)
Of course, under some OSs you can make it so filesystem mounts can't be changed without a reboot. It all comes down to how much convenience you need for yourself, and perhaps your end-users. (I know many companies that are not in a position to audit all customer CGI scripts for security holes, DOS holes, etc).
Re:Secure Web Sites... (Score:2)
Hmm....
Re:Secure Web Sites... (Score:1)
It seems you misunderstand the nature of dynamic content. Dynamic content comes from SSI languages and database backends. The content is derived from static code, such as a PHP script. The PHP script doesn't change, only the values it displays.
Or run a secure web server (Score:3, Informative)
Re:Or run a secure web server (Score:2)
Re:Or run a secure web server (Score:2)
Re:Secure Web Sites... (Score:1)
Most intrusions AFAIK are done by replacing common commands with a new one.
If the commands are read-only they can't do that.
I imagine the commands could be bypassed by altering your path, but that's another level of complexity that would need to be done.
Oscar
Alternatives to reading this book: (Score:4, Insightful)
For example, assuming you have the latest patched apache, the left-over security issues that are CGI/web app/scripting related fall under the web applications category of security.
In this case, have a look at some of the guidlines over at The Open Web Application Security Project (OWASP) [owasp.org] .
Way better than paying too much for a book that wastes paper, and will likely be out of date in no time.
--noodles
Re:Alternatives to reading this book: (Score:1)
the beautiful thing about books, especially if they have an underlying message, is that they will not be dated......
if this book is what it promises to be, it could teach young sysadmins where-to and how-to check for web abnormalities, and web server security risks.
just my 2cents.
Hah! (Score:1)
So, what's next on the crackers' list of challenges to prove their bravery - stuffing kittens into sacks and throwing them off bridges?
Re:Hah! (Score:3, Funny)
Posting something like 'linux is gay' as AC on slashdot.
Need HTTPD Security? (Score:3, Funny)
Computers and air conditioners are both the same.
Apache installation the source of defacing/etc? (Score:1)
web server security documentation (Score:1, Informative)
www.cgisecurity.com/lib [cgisecurity.com]
For static sites, use something else. (Score:2)
Poll: Apache + suEXEC + blog package? (Score:1)
But.. I want to install a blog package on my own (as in my own box in a colo) server.
I'm strongly considering Moveable Type. I like its features.
Apache + suEXEC + Moveable Type, properly configured.. thumbs up or thumbs down? Would you stay away from CGI-based packages on principle, or is suEXEC really that good? I would restrict suEXEC to the one vhost running the blog package.
And if not Moveable Type, then what blog package securely [1] runs with Apache under some mod_* setup?
[1] "securely" meaning "reasonable amount of security that would frustrate all casual attempts"
why... (Score:2, Funny)
Wait a sec... Then why are you showing us this book??
CHROOT (Score:1)
NOT A FLAMEBAIT (Score:1, Flamebait)
Examples? (Score:2)
Freshmeat (Score:2)
Re:NOT A FLAMEBAIT (Score:5, Insightful)
How about simply stripping apache down; i.e. just run those two or three modules you really need. On for example a static images only server you could get away with just a logging module and the mmap module quite nicely. (Though realistically alias/rewrite is usually needed (or lots of symlinks) when your friendly marketing staff barges in with yet-another-campain which breaks all historic links.
Its modular - go play with it - and have lots of fun. (And yes - you can actually run apache completely and validly with just 2 lines of config.
Dw.
Stripping down (Score:2)
Re:Stripping down (Score:3, Informative)
Because, when the time comes that you need a feature that Apache provides, you just setup the module and restart Apache. Otherwise, you have to change your server setup from (insert odd other web server here) to Apache and go through all the setup steps anyway.
Re:Stripping down (Score:2)
Re:Stripping down (Score:3, Interesting)
Not planning for the future?
Why wouldn't you take a free (speech/beer) server like Apache and deploy it?
So again, what's your beef with Apache? And, what do you suggest insted?
Re:Stripping down (Score:2)
Re:NOT A FLAMEBAIT (Score:1)
>run those two or three modules you really need.
Sometimes you just can't do that. Your customers or your boss will ask you to have fancy options, and without some kind of knowledge on Apache Security, you will be more likely to make mistakes...
flexibility is useful too (Score:2, Interesting)
Which takes time. But if it's important you should be taking time, I'd suggest.
I think Apache is a decent example of an application that's mature enough to provide useful flexibility, useful performance, and still be managable. Finally, it's unlikely to disappear which will be important for anything other than very short term projects or those where you just install and forget.
flexibility (Score:2)
Re:NOT A FLAMEBAIT (Score:1, Insightful)
If you don't want to be moderated as flamebait, then back up your statements with arguments, examples, perhaps statistics or other data, more detailed opinions, etc, etc. That is slightly better, but you still aren't really saying anything. Basically you say "there are more secure alternatives", but that can easily be said of any product, mostly because is not verifiable. An example (which you refuse to give until it's hammered out of you; you refer to freshmeat.net instead) would do wonders at this point. Finally, something that might be a real argument. Apache offers lots of functionality, and not everyone needs it. That is indeed a scenario that can lead to security risks.
But there's more to it than that, much of Apache's unneeded functionality can be disabled for example, and there are really useful things in Apache's possibilities. But I am not (nor pretend to be) a webserver guru, so I am not going into a detailed discussion about that.
Re:Apache security. (Score:2)