With more than 67% of web servers running Apache, it is by far the most widely used web server platform in the world. Apache has evolved into a powerful system that easily rivals other HTTP servers in terms of functionality, efficiency, and speed. Despite these impressive capabilities, though, Apache is only a beneficial tool if it's a secure one. To be sure, administrators installing and configuring Apache still need a sure-fire way to secure it--whether it's running a huge e-commerce operation, corporate intranet, or just a small hobby site. Our new guide, Apache Security, gives administrators and webmasters just what they crave--a comprehensive security source for Apache. Successfully combining Apache administration and web security topics, Apache Security speaks to nearly everyone in the field. What's more, it offers a concise introduction to the theory of securing Apache, as well as a broad perspective on server security in general. But this book isn't just about theory. The real strength of Apache Security lies in its wealth of interesting and practical advice, with many real-life examples and solutions. Administrators and programmers will learn how to: * install and configure Apache * prevent denial of service (DoS) and other attacks * securely share servers * control logging and monitoring * secure custom-written web applications * conduct a web security assessment * use mod_security and other security-related modules And that's just the tip of the iceberg, as mainstream Apache users will also gain valuable information on PHP and SSL/ TLS. Clearly, Apache Security is packed and to the point, with plenty of details for locking down this extremely popular and versatile web server.

Table of Contents:
Preface 1. Apache Security Principles Security Definitions Essential Security Principles Common Security Vocabulary Security Process Steps Threat Modeling System-Hardening Matrix Calculating Risk Web Application Architecture Blueprints User View Network View Apache View 2. Installation and Configuration Installation Source or Binary Static Binary or Dynamic Modules Folder Locations Installation Instructions Configuration and Hardening Setting Up the Server User Account Setting Apache Binary File Permissions Configuring Secure Defaults Enabling CGI Scripts Logging Setting Server Configuration Limits Preventing Information Leaks Changing Web Server Identity Changing the Server Header Field Removing Default Content Putting Apache in Jail Tools of the chroot Trade Using chroot to Put Apache in Jail Using the chroot(2) Patch Using mod_security or mod_chroot 3. PHP Installation Using PHP as a Module Using PHP as a CGI Choosing Modules Configuration Disabling Undesirable Options Disabling Functions and Classes Restricting Filesystem Access Setting Logging Options Setting Limits Controlling File Uploads Increasing Session Security Setting Safe Mode Options Advanced PHP Hardening PHP 5 SAPI Input Hooks Hardened-PHP 4. SSL and TLS Cryptography Symmetric Encryption Asymmetric Encryption One-Way Encryption Public-Key Infrastructure How It All Falls into Place SSL SSL Communication Summary Is SSL Secure? OpenSSL Apache and SSL Installing mod_ssl Generating Keys Generating a Certificate Signing Request Signing Your Own Certificate Getting a Certificate Signed by a CA Configuring SSL Setting Up a Certificate Authority Preparing the CA Certificate for Distribution Issuing Server Certificates Issuing Client Certificates Revoking Certificates Using Client Certificates Performance Considerations OpenSSL Benchmark Script Hardware Acceleration 5. Denial of Service Attacks Network Attacks Malformed Traffic Brute-Force Attacks SYN Flood Attacks Source Address Spoofing Distributed Denial of Service Attacks Reflection DoS Attacks Self-Inflicted Attacks Badly Configured Apache Poorly Designed Web Applications Real-Life Client Problems Traffic Spikes Content Compression Bandwidth Attacks Cyber-Activism The Slashdot Effect Attacks on Apache Apache Vulnerabilities Brute-Force Attacks Programming Model Attacks Local Attacks PAM Limits Process Accounting Kernel Auditing Traffic-Shaping Modules DoS Defense Strategy 6. Sharing Servers Sharing Problems File Permission Problems Dynamic-Content Problems Sharing Resources Same Domain Name Problems Information Leaks on Execution Boundaries Distributing Configuration Data Securing Dynamic Requests Enabling Script Execution Setting CGI Script Limits Using suEXEC FastCGI Running PHP as a Module Working with Large Numbers of Users Web Shells Dangerous Binaries 7. Access Control Overview Authentication Methods Basic Authentication Digest Authentication Form-Based Authentication Access Control in Apache Basic Authentication Using Plaintext Files Basic Authentication Using DBM Files Digest Authentication Certificate-Based Access Control Network Access Control Proxy Access Control Final Access Control Notes Single Sign-on Web Single Sign-on Simple Apache-Only Single Sign-on 8. Logging and Monitoring Apache Logging Facilities Request Logging Error Logging Special Logging Modules Audit Log Performance Measurement File Upload Interception Application Logs Logging as Much as Possible Log Manipulation Piped Logging Log Rotation Issues with Log Distribution Remote Logging Manual Centralization Syslog Logging Database Logging Distributed Logging with the Spread Toolkit Logging Strategies Log Analysis Monitoring File Integrity Event Monitoring Web Server Status 9. Infrastructure Application Isolation Strategies Isolating Applications from Servers Isolating Application Modules Utilizing Virtual Servers Host Security Restricting and Securing User Access Deploying Minimal Services Gathering Information and Monitoring Events Securing Network Access Advanced Hardening Keeping Up to Date Network Security Firewall Usage Centralized Logging Network Monitoring External Monitoring Using a Reverse Proxy Apache Reverse Proxy Reverse Proxy by Network Design Reverse Proxy by Redirecting Network Traffic Network Design Reverse Proxy Patterns Advanced Architectures 10. Web Application Security Session Management Attacks Cookies Session Management Concepts Keeping in Touch with Clients Session Tokens Session Attacks Good Practices ttacks on Clients Typical Client Attack Targets Phishing Application Logic Flaws Cookies and Hidden Fields POST Method Referrer Check Flaws Process State Management Client-Side Validation Information Disclosure HTML Source Code Directory Listings Verbose Error Messages Debug Messages File Disclosure Path Traversal Application Download Flaws Source Code Disclosure Predictable File Locations Injection Flaws SQL Injection Cross-Site Scripting Command Execution Code Execution Preventing Injection Attacks Buffer Overflows Evasion Techniques Simple Evasion Techniques Path Obfuscation URL Encoding Unicode Encoding Null-Byte Attacks SQL Evasion Web Application Security Resources General Resources Web Application Security Resources 11. Web Security Assessment Black-Box Testing Information Gathering Web Server Analysis Web Application Analysis Attacks Against Access Control Vulnerability Probing White-Box Testing Architecture Review Configuration Review Functional Review Gray-Box Testing 12. Web Intrusion Detection Evolution of Web Intrusion Detection Is Intrusion Detection the Right Approach? Log-Based Web Intrusion Detection Real-Time Web Intrusion Detection Web Intrusion Detection Features Using mod_security Introduction More Configuration Advice Deployment Guidelines Detecting Common Attacks Advanced Topics Appendix: Tools Index