Paperback Hardening Apache Book

ISBN: 1590593782

ISBN13: 9781590593783

Hardening Apache

Apache is the most popular Web Server in the world. Because of its success, Microsoft doesn't even try to compete with Apache. Version 2 was released earlier this year, and is expected to have a life span of many years.

Hardening Apache will focus on every aspect of Apache security: configuration, jailing, secure logging, and Denial of Service Attacks. This will be the most thorough and updated book on the market. Most of the other...

Recommended

Format: Paperback

Condition: New

$23.35
Save $6.64!
List Price $29.99
50 Available
Ships within 2-3 days

Customer Reviews

5 ratings

super

Thanks a lot, we are very happy to have this book in our library!

Your return will exceed the price in a very short time

Computer security is hard, very hard. Any reasonable attempt to make a system secure has to involve more than a choice between {none, some security features, unusable}. There are so many different things that we want to do with our software and there are probably just as many ways in which it can be attacked. In order to be able to fend off attacks, it is necessary to know what kind of attacks can occur. Finally, many security procedures must be automated, which requires generic defense strategies that are capable of recognizing an attack when it differs slightly from one that has already been planned for. This book about the Apache server does all of that, starting with which version to use and how to install it with security enabled at the appropriate level. After these topics are covered in chapter one, Mobily moves on to descriptions of the most common attacks in chapter two and logging the interesting events in chapter three. If you are versed in security, most of the material in chapter two will be familiar, but it is hard to overstate the importance of chapter three. Being able to read an account of what has happened on a system is the only way to prove that your security measures are working and the only way to learn when you are successfully attacked. Mobily also shows you the critical steps in testing to determine if your log system is actually working properly. Chapter four is devoted to explanations of cross-site scripting attacks (XSS). This is an attack where a web page is designed to accept input, but that input may be used to drive erroneous results. A simple, yet excellent demonstration of how this can be done is presented. While it is not sophisticated, it demonstrates how careful you must be when accepting even the most basic of inputs from a web page. Chapters five and six deal specifically with security in the Apache server. 
Five explains the security modules available in Apache and six describes how you can lock down Apache by "putting it in jail." These specifics, of which there are many, should be required reading for anyone who has any hand in managing an Apache server. The last chapter shows you how to automate the security functions, clearly necessary if you are ever to get any sleep. There is a great deal of source code used to describe how the features are implemented. Demo code is in Perl, but XML, HTML and database access commands are used when appropriate. All around this country, companies and organizations are quietly paying out large sums of money to settle issues when their computer security was lax. Sometimes that payment is through the legal system, but the vast majority does not appear on the books. Reduced efficiency of the server, dropped and misplaced orders and greater effort by the staff are just some of the consequences of security problems. This book should be mandatory reading for all people who manage an Apache server; at $29.99 a copy, it will probably pay for itself in less than 24 hours.

An excellent book filling a huge gap

Understanding how to configure Apache from a security standpoint properly is not easy since the related information is sparse and fragmented. This could be the reason why many web administrators are pretty clueless when it comes to Apache security and why so many web servers are vulnerable. In this sense I think this book fills a huge gap, providing web administrators with a concise and yet complete guide aimed at taking them from the very beginning of the installation process through to the final steps of server configuration. Information throughout the book is very well focused and is presented with a clean and friendly writing style. The book provides a clear and detailed walkthrough of the process of securing an Apache installation, covering both versions 1.3.x and 2.x and thus providing long lasting information. The book has lots of references and pointers to resources on the web, and - more importantly - instructions on how to read them. Sure enough, the book requires some familiarity with Unix and Apache - this is not the kind of book you would buy to learn the very basics of *nix and web site administration. I totally agree with what I've read before: every serious system administrator should have this book.

Relevant even for application developers

I am not a server admin, but a web applications developer, so my opinion on this book has a very specific bias. I really enjoyed it, especially because similar material available on-line is usually scattered across a multitude of different sources. Most content is interesting even for application developers, and I especially liked the chapters covering different security-related modules. The chapter on automation, being totally based around Bash scripts, was almost useless to me (but then again, I am biased). The book is 100% Unix-centric; it's somewhat of a shame, especially since Apache 2 on Windows is a viable option, but it's a choice I can understand.

Accumulation of Apache security knowledge in one book

Apache is still by far the most common web server on the Internet. However, when the purpose of your computer is to allow access to your webpages by anyone on the Internet, security needs to be a primary concern. If you are serious about hardening your Apache server, you will want to have this book. Author Tony Mobily examines Apache security in detail all the way from making sure the initial installation package has not been hacked at the primary web server site through configuration and installation of security modules. The book has seven chapters that cover configuration, common attacks, logging, scripting attacks, security modules, using a jail, and automating security with scripts. While the book does cover Apache on the various operating systems, the focus is on a Linux install, which is appropriate since that is the most common place to install Apache. This is not a book that I would suggest for someone who is totally new to Apache or Linux, but if you have a passing familiarity with them then you will find this to be the missing information from other Apache books. No matter which Apache book you get to learn Apache, your library will be incomplete if it doesn't include "Hardening Apache".