Release date: 15 March 2005
Language: English (436 pages)
Formats: PDF, EPUB, Online
Apache Security
The complete guide to securing your Apache web server

This all-purpose guide for locking down Apache arms readers with all the information they need to securely deploy applications. Administrators and programmers alike will benefit from a concise introduction to the theory of securing Apache, plus a wealth of practical advice and real-life examples. Topics covered include installation, server sharing, logging and monitoring, web applications, PHP and SSL/TLS, and more.

“The single best Apache security book in print”

Richard Bejtlich, author of The Tao of Network Security Monitoring: Beyond Intrusion Detection and of Extrusion Detection: Security Monitoring for Internal Intrusions

“Everyone running Apache needs this book”

Rich Bowen, author of Apache Administrator's Handbook and coauthor of Apache Cookbook

Table of Contents
Preface to Digital Reprint

1. Apache Security Principles
       Security Definitions
       Architecture Blueprints
2. Installation and Configuration
       Configuration and Hardening
       Changing Web Server Identity
       Putting Apache in Jail
3. PHP
       Advanced PHP Hardening
4. SSL and TLS
       Apache and SSL
       Setting Up a Certificate Authority
       Performance Considerations
5. Denial of Service Attacks
       Network Attacks
       Self-Inflicted Attacks
       Traffic Spikes
       Attacks on Apache
       Local Attacks
       Traffic-Shaping Modules
       DoS Defense Strategy
6. Sharing Servers
       Sharing Problems
       Distributing Configuration Data
       Securing Dynamic Requests
       Mass Hosting
7. Access Control
       Authentication Methods
       Access Control in Apache
       Single Sign-on
8. Logging and Monitoring
       Apache Logging Facilities
       Log Manipulation
       Remote Logging
       Logging Strategies
       Log Analysis
9. Infrastructure
       Application Isolation Strategies
       Host Security
       Network Security
       Using a Reverse Proxy
       Network Design
10. Web Application Security
       Session Management Attacks
       Attacks on Clients
       Application Logic Flaws
       Information Disclosure
       File Disclosure
       Injection Flaws
       Buffer Overflows
       Evasion Techniques
       Web Application Security Resources
11. Web Security Assessment
       Black-Box Testing
       White-Box Testing
       Gray-Box Testing
12. Web Intrusion Detection
       Evolution of Web Intrusion Detection
       Using mod_security
Appendix A: Tools
       Learning Environments
       Information-Gathering Tools
       Network-Level Tools
       Web Security Scanners
       Web Application Security Tools
       HTTP Programming Libraries

Note: This book was originally released in 2005. Although the book remains relevant at a high level, much of the lower-level advice is probably obsolete by now.

About Ivan Ristić

Ivan Ristić is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and the development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools, and guides published on the SSL Labs web site.

He is the author of three books—Apache Security, ModSecurity Handbook, and Bulletproof SSL and TLS—which he publishes via Feisty Duck, his own platform for continuous writing and publishing. You'll often find him speaking at computer security conferences such as Black Hat, RSA, OWASP AppSec, and others. His latest project, Hardenize, is a security posture analysis service that makes security fun again.