Title: Preventing Web Attacks with Apache
Authors: Ryan C. Barnett
Publisher: Addison-Wesley Professional
Published: February 6, 2006
Edition: 1st Edition
According to Netcraft's latest Website Server Survey (February 2006), over 68% of internet websites are hosted on Apache servers. This presents a large group of potential targets for malicious attacks.
'Preventing Web Attacks with Apache' attempts to provide a comprehensive treatment of the thorny area of web server security, with the sole emphasis being on Apache. Initial doubts about the viability of a 500-page treatise on securing an Apache server were dispelled by the in-depth and thorough approach of the author.
The book kicks off by exposing common misconceptions about web server security. For example, the fact that web servers need to have ports 80 (HTTP) and 443 (SSL) open in order to function properly means that the effectiveness of security measures such as firewalls, DMZs and intrusion detection systems is somewhat diminished, since attacks arriving over those ports look like ordinary web traffic.
The proper configuration of the underlying operating system is then highlighted as the first line of defence. Issues such as the timely application of vendor patches, disabling of non-essential services, user management and proper application of file permissions are addressed.
At this stage it is necessary to note that the author has tailored the book specifically to the 2.0 fork of Apache rather than the 1.3 fork, in spite of the fact that the 1.3 legacy version holds the majority of market share. His reason is that the 2.0 fork contains a number of new security features, amongst other improvements, which make it easier to secure. Users of version 1.3 will therefore need to take this into account when reading the book. Obviously, the general principles of "OS hardening" and the other features which both forks still share will ensure that the book remains a useful read for version 1.3 administrators.
The exhaustive approach is continued with a chapter dedicated to downloading and compiling the source code, while another 40-page chapter provides secure settings for httpd.conf, the primary configuration file for Apache. An interesting comparative exercise was performed using Nikto, the popular open-source vulnerability scanner. The scanner was run initially against a newly installed Apache server with the default configuration, and then again after httpd.conf had been "hardened", with revealing results.
Apache has been designed so that its functionality can be extended by the installation of additional modules. Chapter 5 deals with the installation and configuration of security-related modules that can be added to Apache in order to improve its security.
The installation and running of the CIS Apache Benchmark Scoring Tool rounds off the first part of the book, which concentrates on securing Apache and the underlying operating system. The second part of the book majors on the protection of web applications that run on top of Apache.
A vast array of possible web threats, such as SQL injection attacks, cross-site scripting and path traversal attacks, is detailed with corresponding countermeasures. These concepts are then applied to a suitably named demonstration web application called Buggy Bank. The use of web honeypots is also covered, with a whole chapter on an open web proxy honeypot project conducted by the author.
Finally, a practical scenario is enacted in which appropriate Apache countermeasures are applied in response to a vulnerability alert email. Step-by-step details are provided, making use of the skills acquired in the previous chapters.
This book will serve as a very useful tool to anyone charged with securing web servers, especially those running Apache. Concepts are clearly presented and then demonstrated using practical illustrations and examples.