Apache Security
Product Description
With more than 67 per cent of web servers running Apache, it is by far the most widely used web server platform in the world. Apache has evolved into a powerful system that easily rivals other HTTP servers in terms of functionality, efficiency, and speed. Despite these impressive capabilities, though, Apache is only a beneficial tool if it's a secure one. To be sure, administrators installing and configuring Apache still need a sure-fire way to secure it, whether it's running a huge e-commerce operation, a corporate intranet, or just a small hobby site. Our new guide, Apache Security, gives administrators and webmasters just what they crave: a comprehensive security source for Apache. Successfully combining Apache administration and web security topics, Apache Security speaks to nearly everyone in the field. What's more, it offers a concise introduction to the theory of securing Apache, as well as a broad perspective on server security in general. But this book isn't just about theory. The real strength of Apache Security lies in its wealth of interesting and practical advice, with many real-life examples and solutions. Administrators and programmers will learn how to:
- install and configure Apache
- prevent denial of service (DoS) and other attacks
- securely share servers
- control logging and monitoring
- secure custom-written web applications
- conduct a web security assessment
- use mod_security and other security-related modules
And that's just the tip of the iceberg, as mainstream Apache users will also gain valuable information on PHP and SSL/TLS. Clearly, Apache Security is packed and to the point, with plenty of details for locking down this extremely popular and versatile web server.
Product Details
- Amazon Sales Rank: #172268 in Books
- Published on: 2005-02-25
- Original language: English
- Number of items: 1
- Binding: Paperback
- 432 pages
Editorial Reviews
From the Publisher
This all-purpose guide for locking down Apache arms readers with all the information they need to securely deploy applications. Administrators and programmers alike will benefit from a concise introduction to the theory of securing Apache, plus a wealth of practical advice and real-life examples. Topics covered include installation, server sharing, logging and monitoring, web applications, PHP and SSL/TLS, and more.
About the Author
Ivan Ristic is a Web security specialist and the author of mod_security, an open source intrusion detection and prevention engine for web applications. He is currently working on Apache Security for O'Reilly.
Excerpted from Apache Security by Ivan Ristic. Copyright © 2005. Reprinted by permission. All rights reserved.
CHAPTER 2 Installation and Configuration
Installation is the first step in making Apache functional. Before you begin, you should have a clear idea of the installation’s purpose. This idea, together with your paranoia level, will determine the steps you will take to complete the process. The system-hardening matrix (described in Chapter 1) presents one formal way of determining the steps. Though every additional step you make now makes the installation more secure, it also increases the time you will spend maintaining security. Think about it realistically for a moment. If you cannot put in that extra time later, then why bother putting the extra time in now? Don’t worry about it too much, however. These things tend to sort themselves out over time: you will probably be eager to make everything perfect in the first couple of Apache installations you do; then, you will likely back off and find a balance among your security needs, the effort required to meet those needs, and available resources.
As a rule of thumb, if you are building a high-profile web server, public or not, always go for a highly secure installation.
Though the purpose of this chapter is to be a comprehensive guide to Apache installation and configuration, you are encouraged to read others’ approaches to Apache hardening as well. Every approach has its unique points, reflecting the personality of its authors. Besides, the opinions presented here are heavily influenced by the work of others. The Apache reference documentation is a resource you will go back to often. In addition to it, ensure you read the Apache Benchmark, which is a well-documented reference installation procedure that allows security to be quantified. It includes a semi-automated scoring tool to be used for assessment.
• Apache Benchmark (cisecurity.org/bench_apache.html)
• "Securing Apache: Step-by-Step" by Artur Maj (securityfocus.com/printable/infocus/1694)
• "Securing Apache 2: Step-by-Step" by Artur Maj (securityfocus.com/printable/infocus/1786)
Installation
The installation instructions given in this chapter are designed to apply to both active branches (1.x and 2.x) of the Apache web server running on Linux systems. If you are running some other flavor of Unix, I trust you will understand what the minimal differences between Linux and your system are. The configuration advice given in this chapter works well for non-Unix platforms (e.g., Windows) but the differences in the installation steps are more noticeable:
• Windows does not offer the chroot functionality (see the section "Putting Apache in Jail") or an equivalent.
• You are unlikely to install Apache on Windows from source code. Instead, download the binaries from the main Apache web site.
• Disk paths are different though the meaning is the same.
Source or Binary
One of the first decisions you will make is whether to compile the server from the source or use a binary package. This is a good example of the dilemma I mentioned at the beginning of this chapter. There is no one correct decision for everyone or one correct decision for you alone. Consider some pros and cons of the different approaches:
• By compiling from source, you are in the position to control everything. You can choose the compile-time options and the modules, and you can make changes to the source code. This process will consume a lot of your time, especially if you measure the time over the lifetime of the installation (it is the only correct way to measure time) and if you intend to use modules with frequent releases (e.g., PHP).
• Installation and upgrades are a breeze when binary distributions are used, now that many vendors have tools to update operating systems automatically. You exchange some control over the installation in return for not having to do everything yourself. However, this choice means you will have to wait for security patches or for the latest version of your favorite module. In fact, the latest version of Apache or your favorite module may never come, since most vendors choose to use one version in a distribution and only issue patches to that version to fix potential problems. This is a standard practice, which vendors use to produce stable distributions.
• The Apache version you intend to use will affect your decision. For example, nothing much happens in the 1.x branch, but frequent releases (with significant improvements) occur in the 2.x branch. Some operating system vendors have moved on to the 2.x branch, yet others remain faithful to the proven and trusted 1.x branch.
The Apache web server is a victim of its own success. The web server from the 1.x branch works so well that many of its users have no need to upgrade. In the long term this situation only slows down progress because developers spend their time maintaining the 1.x branch instead of adding new features to the 2.x branch. Whenever you can, use Apache 2!
This book shows the approach of compiling from the source code since that approach gives us the most power and the flexibility to change things according to our taste.
Customer Reviews
The place to start if you're deploying Apache web servers
This book has good explanations, meaningful illustrations, and gives you a recipe on how to install and deploy your Apache web server in a secure manner. You don't have to have in-depth knowledge beforehand; the author is very good at explaining as he moves on in the chapters. As a bonus you get a brief review of handy test tools (although many of these will be well-known if you've been interested in security for a while). My #1 Apache book.