


A
- AcceptMutex directive, Apache 2
- access control
- attacks against, Attacks Against Access Control
- authentication and network access, combined, Combining authentication with network access control
- authentication methods, Authentication Methods, Form-Based Authentication
- basic, Basic Authentication, Basic Authentication
- Digest, Digest Authentication
- factors (authentication types 1-3), Overview
- flawed, real-life example of, Referrer Check Flaws
- form-based, Form-Based Authentication, Form-Based Authentication
- two-factor authentication, Overview
- basic plaintext authentication, Basic Authentication Using Plaintext Files, Working with groups
- groups, Working with groups
- htpasswd utility, Basic Authentication Using Plaintext Files
- certificate-based authentication, Certificate-Based Access Control
- combining authentication modules, Combining multiple authentication modules
- DBM file authentication, Basic Authentication Using DBM Files
- dbmmanage problems, Basic Authentication Using DBM Files
- htdigest for password database, Digest Authentication
- Digest authentication, Digest Authentication
- mod_auth_digest module required, Digest Authentication
- network, Network Access Control, Using environment variables
- environment variables, Using environment variables
- notes on, Final Access Control Notes, Combining multiple authentication modules
- overview, Overview, Overview
- proxy, Proxy Access Control, Reverse proxies
- central and reverse proxies, Front door
- reverse proxies, Reverse proxies
- request methods, limiting, Limiting request methods, Limiting request methods
- SSO, Single Sign-on, Simple Apache-Only Single Sign-on
- web-only, Web Single Sign-on
- accountability security goal, Security Definitions
- AddHandler directive, Using PHP as a CGI, Restricting mod_security to process dynamic requests only
- AddType directive, Restricting mod_security to process dynamic requests only
- Advanced Encryption Standard (AES), Symmetric Encryption
- AES (Advanced Encryption Standard), Symmetric Encryption
- AgentLog directive (deprecated), Request Logging
- Alan Ralsky DoS retribution, Denial of Service Attacks
- Allow directive, Network Access Control
- AllowEncodedSlashes directive, Changing Web Server Identity
- AllowOverride directive, AllowOverride directive
- access file usage control, Distributing Configuration Data
- antivirus, Clam AntiVirus program, File upload interception and validation
- Apache
- backdoors, Static Binary or Dynamic Modules
- chroot(2) patch, Using the chroot(2) Patch
- chroot (jail) (see chroot)
- clients, limiting, Setting Server Configuration Limits
- configuration and hardening, Configuration and Hardening, Preventing Information Leaks
- AllowOverride directive, AllowOverride directive
- binary file permissions, Setting Apache Binary File Permissions
- CGI scripts, enabling, Enabling CGI Scripts
- email address, turning off, Preventing Information Leaks
- information leaks, preventing, Preventing Information Leaks, Preventing Information Leaks
- logging, Logging
- Options directive, Options directive, Options directive
- root sole write access, Setting Apache Binary File Permissions
- secure defaults, Configuring Secure Defaults, AllowOverride directive
- server configuration limits, Setting Server Configuration Limits, Setting Server Configuration Limits
- server identity, changing, Changing Web Server Identity, Removing Default Content
- server user accounts, Setting Up the Server User Account
- connection timeout, Setting Server Configuration Limits
- -DBIG_SECURITY_HOLE compile option, Per-request change of Apache identity
- documentation, Installation and Configuration
- installation, Installation, Selecting modules to install
- binary or source, Source or Binary, Downloading patches
- documentation, Installation and Configuration
- folder locations, Folder Locations
- modules, default activation list, Selecting modules to install
- module selection, Selecting modules to install, Selecting modules to install
- patch download, Downloading patches
- procedures for, Installation Instructions, Selecting modules to install
- source code download, Downloading the source code
- static binary or dynamic modules, Static Binary or Dynamic Modules
- system-hardening matrix for planning, System-Hardening Matrix
- testing of, Testing the installation
- jail (see chroot)
- mod_parmguard module, Deploying positive security model protection
- module repository, Access Control in Apache
- MPMs, Setting Server Configuration Limits
- options, adding and removing, Options directive
- PHP integration functions, Running PHP as a Module
- Slapper Worm, Putting Apache in Jail
- SSL, Apache and SSL, Preventing configuration mistakes
- broken SSL clients, Supporting broken SSL clients
- certificates, signing, Generating a Certificate Signing Request, Getting a Certificate Signed by a CA
- configuring, Configuring SSL, Preventing configuration mistakes
- directives, Configuring SSL
- keys, generating, Generating Keys
- mod_ssl, installing, Installing mod_ssl
- non-SSL content, Preventing configuration mistakes
- reliable startup, Ensuring reliable SSL startup
- server private key, Securing the server private key
- session issues, Preventing configuration mistakes
- SSO, Simple Apache-Only Single Sign-on
- apache-protect brute-force DoS tool, Brute-Force Attacks
- application logs, Application Logs
- apxs third-party module interface tool, Using PHP as a Module
- architectures (see network architectures)
- Argus network monitoring tool, Network Monitoring
- assessment
- security phase, Security Definitions
- asymmetric (public key) encryption, Asymmetric Encryption, Digital certificates
- (see also public-key cryptography)
- asymmetric (public-key) encryption, How It All Falls into Place, OpenSSL Benchmark Script
- attacks, Detecting Common Attacks
- (see also DoS attacks; injection attacks; intrusion detection; mod_security firewall module; web application security)
- command execution and file disclosure, Command execution and file disclosure
- content management systems problems, Detecting Common Attacks
- database, Database attacks
- database-specific patterns, Database attacks
- detecting common, Detecting Common Attacks, Command execution and file disclosure
- XSS, Cross-site scripting attacks
- attack warning patterns, Cross-site scripting attacks
- attack surface, Common Security Vocabulary
- attack vector, Common Security Vocabulary
- audit log, Audit Log
- AuthAuthoritative directive, Combining multiple authentication modules
- AuthDBMAuthoritative directive, Combining multiple authentication modules
- AuthDigestDomain directive, Digest Authentication
- authentication methods, Authentication Methods, Form-Based Authentication
- Basic, Basic Authentication, Basic Authentication, Basic Authentication Using Plaintext Files, Working with groups
- Digest, Digest Authentication, Digest Authentication
- form-based, Form-Based Authentication, Form-Based Authentication
- availability security goal, Security Definitions
B
- backdoors, Apache, Static Binary or Dynamic Modules
- Basic authentication, Basic Authentication, Basic Authentication
- using DBM files, Basic Authentication Using DBM Files
- using plaintext files, Basic Authentication Using Plaintext Files, Working with groups
- Bejtlich, Richard, defensible networks, Security Definitions
- blacklist brute-force DoS tool, Brute-Force Attacks
- blacklist-webclient brute-force DoS tool, Brute-Force Attacks
- Blowfish encryption, Symmetric Encryption
- buffer overflow security flaws, Buffer Overflows
C
- CA (certificate authority), Certificate authorities
- certificate signed by, Getting a Certificate Signed by a CA
- setting up, Setting Up a Certificate Authority, Using Client Certificates
- CA keys, generating, Setting Up a Certificate Authority
- distribution, preparing for, Preparing the CA Certificate for Distribution
- issuing client certificates, Issuing Client Certificates
- issuing server certificates, Issuing Server Certificates, Issuing Server Certificates
- process, Setting Up a Certificate Authority, Setting Up a Certificate Authority
- revoking certificates, Revoking Certificates
- using client certificates, Using Client Certificates
- certificate authority (see CA)
- certificates, Digital certificates
- chain of, OpenSSL
- client, Issuing Client Certificates
- CSR, generating request for, Generating a Certificate Signing Request
- server, Issuing Server Certificates, Issuing Server Certificates
- signing your own, Signing Your Own Certificate
- certificate-signing request (CSR), Generating a Certificate Signing Request
- CGI
- PHP used as, Using PHP as a CGI
- script limits, setting, Setting CGI Script Limits
- scripts, enabling, Enabling CGI Scripts
- sendmail replacement for jail, Taking care of small jail problems
- chroot (jail), Putting Apache in Jail, Apache 2
- basic user authentication facilities, Putting user, group, and name resolution files in jail
- CGI scripts, Taking care of small jail problems
- chroot(2) patch, Using the chroot(2) Patch
- database problems, Taking care of small jail problems
- finishing touches, Finishing touches for Apache jail preparation
- internal and external, Using the chroot(2) Patch
- jailing processes, Using chroot to Put Apache in Jail, Taking care of small jail problems
- mod_chroot, mod_security, Using mod_security or mod_chroot
- Apache 1, Apache 1
- Apache 2, Apache 2
- Perl working in, Preparing Perl to work in jail
- PHP working in, Preparing PHP to work in jail
- tools, Tools of the chroot Trade, Using strace to see inside processes
- user, group, and name resolution files, Putting user, group, and name resolution files in jail
- CIA security triad, Security Definitions
- cipher, Cryptography
- ciphertext, Cryptography
- Clam Antivirus tool, File upload interception and validation
- cleartext, Cryptography
- CLF (Common Log Format), LogFormat, TransferLog
- client-side validation logic flaw, Client-Side Validation
- clusters, DNS Round Robin (DNSRR) load balancing, Reverse proxy clusters
- fault-tolerant with Wackamole, DNS Round Robin (DNSRR) load balancing
- management node, Management node clusters
- node failure, DNS Round Robin (DNSRR) load balancing
- reverse proxy, Reverse proxy clusters, Reverse proxy clusters
- code execution security flaw, Code Execution
- command execution security flaw, Command Execution
- Common Log Format (see CLF)
- compartmentalization, security principle, Essential Security Principles
- confidentiality, Cryptography
- security goal, Security Definitions
- configuration data, distributing, Distributing Configuration Data, Distributing Configuration Data
- configuration of Apache (see Apache, configuration and hardening)
- configuration review, Configuration Review, Reviewing the files
- applications, Reviewing the application configuration
- file permissions, Reviewing file permissions
- files, Reviewing the files
- file storage area, Preparing a storage area for review files
- initial notes, Preparing a file listing and initial notes
- web server, Reviewing the web server configuration
- connection timeout, Setting Server Configuration Limits
- CookieLog directive (deprecated), Request Logging
- cookies
- logic flaws, Cookies and Hidden Fields
- namespace collisions, Cookie namespace collisions
- session management attacks, Cookies, Cookies
- sessions, implementing with, Keeping in Touch with Clients
- transport mechanism, Cookies
- types of, Cookies
- cross-site scripting (XSS) attacks (see XSS attacks)
- cryptography, Cryptography, How It All Falls into Place
- encryption
- asymmetric (public key), Asymmetric Encryption, One-Way Encryption
- asymmetric (public-key), How It All Falls into Place, OpenSSL Benchmark Script
- one-way, One-Way Encryption, How It All Falls into Place
- symmetric (private key), Symmetric Encryption, Asymmetric Encryption, How It All Falls into Place
- goals, Cryptography
- how it works, How It All Falls into Place
- legal issues, Cryptography
- CSR (certificate-signing request), Generating a Certificate Signing Request
- Curl network-level tool, Curl
- CustomLog directive, Request Logging, CustomLog
- Cygwin Windows command-line tool, Information-Gathering Tools
D
- data
- configuration, Badly Configured Apache
- distributing, Distributing Configuration Data, Distributing Configuration Data
- RRDtool for storing large quantities of, Web Server Status
- session, Increasing Session Security
- database problems with jail, Taking care of small jail problems
- Data Encryption Standard (DES), Symmetric Encryption
- -DBIG_SECURITY_HOLE compile option, Per-request change of Apache identity
- debug messages, vulnerability, Debug Messages
- decryption, Cryptography
- defense in depth security principle, Essential Security Principles
- defensible networks (Bejtlich), Security Definitions
- Deny directive, Network Access Control
- DES (Data Encryption Standard), Symmetric Encryption
- detection security phase, Security Definitions
- Digest authentication, Digest Authentication, Digest Authentication
- Digital Signature Algorithm (DSA) public-key encryption, Asymmetric Encryption
- directives
- AcceptMutex, Apache 2
- AddHandler, Using PHP as a CGI, Restricting mod_security to process dynamic requests only
- AddType, Restricting mod_security to process dynamic requests only
- AgentLog (deprecated), Request Logging
- Allow, Network Access Control
- AllowEncodedSlashes, Changing Web Server Identity
- AllowOverride, AllowOverride directive
- AuthAuthoritative, Combining multiple authentication modules
- AuthDBMAuthoritative, Combining multiple authentication modules
- AuthDigestDomain, Digest Authentication
- CookieLog (deprecated), Request Logging
- CustomLog, Request Logging
- Deny, Network Access Control
- Directory, Limiting request methods
- DirectoryIndex, Using PHP as a Module
- disable_classes, Disabling Functions and Classes
- disable_functions, Disabling Functions and Classes
- doc_root, Restricting Filesystem Access
- enable_dl configuration, Running PHP as a Module
- ErrorLog, Error Logging
- file_uploads, Controlling File Uploads
- FilesMatch, Preventing Information Leaks
- Limit, Limiting request methods
- LimitExcept, Limiting request methods
- LimitXMLRequestBody, Setting Server Configuration Limits
- LogFormat, Request Logging
- MaxClients, Setting Server Configuration Limits
- MaxRequestsPerChild, Setting Server Configuration Limits
- MaxSpareServers, Setting Server Configuration Limits
- MaxSpareThreads, Setting Server Configuration Limits
- MinSpareServers, Setting Server Configuration Limits
- MinSpareThreads, Setting Server Configuration Limits
- mod_auth, Basic Authentication Using DBM Files
- mod_auth_dbm, Basic Authentication Using DBM Files
- open_basedir, Restricting Filesystem Access
- Options, Options directive, Options directive
- Order, Network Access Control
- Proxy, Proxy Access Control
- ProxyMatch, Proxy Access Control
- RefererIgnore (deprecated), Request Logging
- RefererLog (deprecated), Request Logging
- RLimitCPU, Setting CGI Script Limits
- RLimitMEM, Setting CGI Script Limits
- RLimitNPROC, Setting CGI Script Limits
- Satisfy configuration, Combining authentication with network access control
- ScriptAlias, Enabling CGI Scripts
- SecFilterForceByteRange, Byte-range restriction
- SecFilterInheritance, Complex configuration scenarios
- SecFilterScanPOST, Request body monitoring
- SecFilterSelective, Response body monitoring
- SecUploadInMemoryLimit, Memory consumption
- ServerLimit, Setting Server Configuration Limits
- ServerSignature, Preventing Information Leaks
- ServerTokens, Preventing Information Leaks
- SetEnvIf, Using environment variables
- SetHandler, Distributing Configuration Data
- SSLRequireSSL, Certificate-Based Access Control
- SSLVerifyClient require, Certificate-Based Access Control
- SSLVerifyDepth 1, Certificate-Based Access Control
- StartServers, Setting Server Configuration Limits
- ThreadsPerChild, Setting Server Configuration Limits
- TransferLog, Request Logging
- VirtualHost, Using suEXEC for mass virtual hosting
- Directory directive, Limiting request methods
- DirectoryIndex directive, Using PHP as a Module
- directory-indexing vulnerability, Preventing Information Leaks
- directory-listing vulnerability, Directory Listings, WebDAV
- WebDAV, WebDAV
- disable_classes directive, Disabling Functions and Classes
- disable_functions directive, Disabling Functions and Classes
- DMZ architecture example, Network Design
- DNSRR (DNS Round Robin) load balancing, DNS Round Robin (DNSRR) load balancing, DNS Round Robin (DNSRR) load balancing
- DNSSEC (Domain Name System Security Extensions), Man in the middle attacks
- doc_root directive, Restricting Filesystem Access
- domain name
- lookup, Domain name system
- sharing, Same Domain Name Problems
- cookie namespace collisions, Cookie namespace collisions
- fake security realms, Fake security realms
- Domain Name System Security Extensions (DNSSEC), Man in the middle attacks
- DoS (denial of service) attacks
- Alan Ralsky retribution, Denial of Service Attacks
- Apache-specific, Attacks on Apache, Programming Model Attacks
- brute force against, Brute-Force Attacks
- programming model, Programming Model Attacks
- vulnerabilities of, Apache Vulnerabilities
- causes, Denial of Service Attacks
- defense strategy, DoS Defense Strategy
- local, Local Attacks, Kernel Auditing
- kernel auditing, Kernel Auditing
- process accounting, Process Accounting
- process limits, Process Limits
- network attacks, Network Attacks, Reflection DoS Attacks
- brute-force, Brute-Force Attacks
- DDoS, Distributed Denial of Service Attacks
- distributed, Distributed Denial of Service Attacks
- egress filtering, Source Address Spoofing
- Linux SYN cookies defense, SYN Flood Attacks
- malformed traffic, Malformed Traffic
- reflection, Reflection DoS Attacks
- source address spoofing, Source Address Spoofing
- SYN flood, SYN Flood Attacks
- self-inflicted, Self-Inflicted Attacks, Real-Life Client Problems
- Apache badly configured, Badly Configured Apache, Badly Configured Apache
- caching and cacheability, Poorly Designed Web Applications
- client problems, real-life, Real-Life Client Problems
- database connection bottleneck, Poorly Designed Web Applications
- keep-alive functionality, Real-Life Client Problems
- large files, Real-Life Client Problems
- slow clients, Real-Life Client Problems
- web applications poorly designed, Poorly Designed Web Applications
- traffic-shaping modules, Traffic-Shaping Modules
- traffic spikes, Traffic Spikes, The Slashdot Effect
- bandwidth stealing (hotlinking), Bandwidth Attacks
- content compression, Content Compression
- coordinated DoS attacks, Cyber-Activism
- cyber-activism, Cyber-Activism
- Slashdot effect, The Slashdot Effect
- types of, Denial of Service Attacks
- DSA (Digital Signature Algorithm) public-key encryption, Asymmetric Encryption
- dynamic-content problems, Dynamic-Content Problems, Multiple Apache instances
- execution wrappers, Execution wrappers
- FastCGI, FastCGI
- identity change per-request, Per-request change of Apache identity
- mod_perchild module versus Metux MPM, Perchild MPM and Metux MPM
- multiple server instances, Multiple Apache instances
- ptrace, Dynamic-Content Problems
- solutions, Dynamic-Content Problems
E
- Elliptic curve public-key encryption, Asymmetric Encryption
- enable_dl configuration directive, Running PHP as a Module
- encryption, Cryptography
- asymmetric (public key), Asymmetric Encryption, Digital certificates
- asymmetric (public-key), How It All Falls into Place, OpenSSL Benchmark Script
- one-way, One-Way Encryption, How It All Falls into Place
- private key (symmetric), Symmetric Encryption, Asymmetric Encryption, How It All Falls into Place
- env_audit leakage tool, Information Leaks on Execution Boundaries
- ErrorLog directive, Error Logging
- error logging, Error Logging
- levels listing, Error Logging
- turning on for PHP, Setting Logging Options
- error messages, verbose, vulnerability, Verbose Error Messages
- event monitoring, Event Monitoring, Simple Event Correlator
- periodic reporting, Periodic reporting, Periodic reporting
- SEC, Simple Event Correlator, Simple Event Correlator
- rules types, Simple Event Correlator
- Swatch, Swatch
- exploit, defined, Common Security Vocabulary
F
- fail safely security principle, Essential Security Principles
- FastCGI, FastCGI, FastCGI
- FastCGI protocol, FastCGI
- file_uploads directive, Controlling File Uploads
- file descriptor leakage vulnerability, Information Leaks on Execution Boundaries
- files
- access restrictions, PHP, File access restrictions
- configuration review of, Reviewing the files
- large causing DoS, Real-Life Client Problems
- monitoring integrity, File Integrity
- reviewing permissions for, Reviewing file permissions
- security disclosure, File Disclosure, Predictable File Locations
- download script flaws, Application Download Flaws
- path traversal, Path Traversal
- predictable locations, Predictable File Locations, Predictable File Locations
- source code disclosure, Source Code Disclosure
- Tripwire integrity checker, File Integrity
- upload logging, File Upload Interception
- virtual filesystems, permissions, Virtual filesystems for users
- FilesMatch directive, Preventing Information Leaks
- firewalls, Firewall Usage
- basic rules for, Securing Network Access
- configuration mistake, recovering from, Securing Network Access
- deep-inspection, Evolution of Web Intrusion Detection
- deployment guidelines, Deployment Guidelines, Reasonable configuration starting point
- configuration starting point, reasonable, Reasonable configuration starting point
- steps, Deployment Guidelines
- host-based, Securing Network Access, Securing Network Access
- Linux Netfilter, configuring with, Securing Network Access
- hosts, each having, Securing Network Access
- HTTP, appliances for, Intrusion detection and HTTP
- mod_security, Using mod_security, Deploying positive security model protection
- actions, Actions
- anti-evasion features, Anti-evasion features
- basic configuration, Introduction, Logging
- byte-range restriction, Byte-range restriction
- complex configuration scenarios, Complex configuration scenarios
- configuration advice, More Configuration Advice, Event monitoring
- dynamic requests, restriction to, Restricting mod_security to process dynamic requests only
- encoding-validation features, Encoding validation features
- file upload interception and validation, File upload interception and validation
- installation, Installation and basic configuration
- logging, Logging
- positive security model, deploying, Deploying positive security model protection
- request body monitoring, Request body monitoring
- request processing order, Processing order
- response body monitoring, Response body monitoring
- rule engine flexibility, Rules, Rules
- scope, Using mod_security
- WAFs, Evolution of Web Intrusion Detection
- forensic logging, Logging as Much as Possible, Alternative integration method
- alternative integration method, Alternative integration method
- format, recommended, Recommended log format
- HTTP status codes, Using HTTP status codes
- PHP integration, Using HTTP status codes, Integration with PHP
- form-based authentication, Form-Based Authentication, Form-Based Authentication
- form fields, logic flaws, Cookies and Hidden Fields
- functional reviews, Functional Review, Hot spot review
- applications, Basic application review
- infrastructure, Application infrastructure review
- hotspots, Hot spot review
- RATS statistical source code analysis tool, Hot spot review
H
- Hardened-PHP project, Hardened-PHP
- hardening of Apache (see Apache, configuration and hardening)
- hash functions, One-Way Encryption
- MD5, One-Way Encryption
- md5sum hash computing tool, Gathering Information and Monitoring Events
- SHA-1, One-Way Encryption
- SHA-256, One-Way Encryption
- SHA-384, One-Way Encryption
- SHA-512, One-Way Encryption
- HIDS (host-based intrusion detection system), Evolution of Web Intrusion Detection
- host-based intrusion detection system (HIDS), Evolution of Web Intrusion Detection
- host security, Host Security, Keeping Up to Date
- advanced hardening, Advanced Hardening
- kernel patches, Advanced Hardening
- firewalls
- basic rules for, Securing Network Access
- individual, Securing Network Access
- Linux Netfilter, configuring, Securing Network Access
- information and event monitoring, Gathering Information and Monitoring Events
- minimal services, Deploying Minimal Services
- network access, Securing Network Access, Securing Network Access
- updating software, Keeping Up to Date
- user access, Restricting and Securing User Access
- .htaccess configuration files, AllowOverride directive, Distributing Configuration Data
- HTTP
- communication security, SSL and TLS
- fingerprinting, Changing Web Server Identity
- firewalls, Intrusion detection and HTTP
- Keep-Alive, OpenSSL Benchmark Script
- programming libraries, HTTP Programming Libraries
- status codes, logging, Using HTTP status codes
- Httprint information-gathering tool, Httprint
I
- IDEA (International Data Encryption Algorithm), Symmetric Encryption
- identity verification (see public-key infrastructure)
- information disclosure security issues, Information Disclosure, Debug Messages
- directory
- indexes, Preventing Information Leaks
- listings, Directory Listings, Debug Messages
- HTML source code, HTML Source Code
- not volunteering principle, Essential Security Principles
- information-gathering tools, Information-Gathering Tools, Httprint
- Httprint, Httprint
- Netcraft, Netcraft
- Sam Spade, Sam Spade
- SiteDigger, SiteDigger
- SSLDigger, SSLDigger
- TechnicalInfo, Online Tools at TechnicalInfo
- information leaks, preventing, Preventing Information Leaks, Preventing Information Leaks
- infrastructure
- application isolation, Application Isolation Strategies, Utilizing Virtual Servers
- modules, Isolating Application Modules
- from servers, Isolating Applications from Servers
- virtual servers, Utilizing Virtual Servers
- book recommendations, Infrastructure
- host security (see host security)
- network design (see network design)
- network security (see network security)
- injection attacks, Injection Flaws, Preventing Injection Attacks
- SQL, SQL Injection, SQL injection attack resources
- database feature problems, Special database features
- example, A working example, A working example
- query statements, Multiple statements in a query
- resources for, SQL injection attack resources
- UNION construct, Union
- integrity security goal, Security Definitions
- International Data Encryption Algorithm (IDEA), Symmetric Encryption
- intrusion containment, chroot (jail), Putting Apache in Jail, Apache 2
- intrusion detection
- Apache backdoors, Static Binary or Dynamic Modules
- detecting common attacks, Detecting Common Attacks, Command execution and file disclosure
- command execution and file disclosure, Command execution and file disclosure
- content management system problems, Detecting Common Attacks
- database, Database attacks
- database-specific patterns, Database attacks
- XSS, Cross-site scripting attacks
- evolution of, Evolution of Web Intrusion Detection, Response monitoring and information leak prevention
- HIDSs, Evolution of Web Intrusion Detection
- NIDS, Evolution of Web Intrusion Detection
- features, Web Intrusion Detection Features, Response monitoring and information leak prevention
- anti-evasion techniques, Anti-evasion techniques
- input validation enforcement, Enforcing input validation
- negative versus positive models, Negative versus positive security models
- protocol anomaly, Protocol anomaly detection
- response monitoring (information leak detection), Response monitoring and information leak prevention
- rule-based versus anomaly-based, Rule-based versus anomaly-based protection
- state management, State management
- firewall deployment guidelines, Deployment Guidelines, Reasonable configuration starting point
- configuration starting point, reasonable, Reasonable configuration starting point
- steps, Deployment Guidelines
- host-based, Evolution of Web Intrusion Detection
- HTTP traffic and, Intrusion detection and HTTP
- log-based, Log-Based Web Intrusion Detection
- mod_security firewall module (see mod_security firewall module)
- network, Evolution of Web Intrusion Detection
- real-time, Real-Time Web Intrusion Detection
- systems for, Network Monitoring, Evasion Techniques
- Prelude tool, Network Monitoring
- Snort tool, Network Monitoring
- value of, Is Intrusion Detection the Right Approach?
L
- ldd shared library namer tool, Using ldd to discover dependencies
- learning environments, Learning Environments, WebGoat
- WebGoat, WebGoat
- WebMaven, WebMaven
- least privilege security principle, Essential Security Principles
- Limit directive, Limiting request methods
- LimitExcept directive, Limiting request methods
- LimitXMLRequestBody directive, Setting Server Configuration Limits
- LogFormat logging directive, LogFormat, LogFormat
- Apache 2 format strings, LogFormat
- CLF, LogFormat
- common formats, LogFormat
- standard format strings, LogFormat
- logging, Apache Logging Facilities, Log Analysis
- activity report, Logwatch tool, Gathering Information and Monitoring Events
- advice about, Logging Strategies
- analysis, Log Analysis
- logscan tool, Log Analysis
- applications, Application Logs
- audit logging, Audit Log
- file uploads, File Upload Interception
- centralized, Centralized Logging
- CLF, LogFormat, TransferLog
- conditional, CustomLog, Recommended log format
- configuring Apache, Logging
- default through mod_log_config module, Log Manipulation
- distribution issues, Issues with Log Distribution
- errors, Error Logging
- levels listing, Error Logging
- field additions to format, Logging as Much as Possible
- forensic expansion of, Logging as Much as Possible, Alternative integration method
- alternative integration method, Alternative integration method
- HTTP status codes, Using HTTP status codes
- PHP integration, Using HTTP status codes, Integration with PHP
- forensic resources, Log Analysis
- format, recommended, Logging as Much as Possible, Alternative integration method
- manipulation of, Log Manipulation, Issues with Log Distribution
- missing features, Log Manipulation
- offloading from Apache, Piped Logging
- performance measurement, Performance Measurement
- PHP
- error logging, turning on, Setting Logging Options
- options, Setting Logging Options
- piped, Piped Logging
- remote, Remote Logging, Distributed Logging with the Spread Toolkit
- centralization, Manual Centralization
- database, Database Logging
- distributed with Spread Toolkit, Distributed Logging with the Spread Toolkit
- NTsyslog, Syslog Logging
- syslog, Syslog Logging, Syslog Logging
- request type, Request Logging, CustomLog
- CustomLog, CustomLog
- LogFormat, LogFormat, LogFormat
- TransferLog, TransferLog
- rotation, Log Rotation, Real-time rotation
- Cronolog utility, Real-time rotation
- logrotate, Linux utility, Periodic rotation
- periodic, Periodic rotation
- real-time, Real-time rotation
- restart server requirement, Periodic rotation
- rotatelogs, Apache utility, Real-time rotation
- server crash, request causing, Special Logging Modules
- special modules, Special Logging Modules
- strategies for, Logging Strategies
- synchronizing clocks on servers (ntpdate utility), Gathering Information and Monitoring Events
- Logwatch modular Perl script tool, Gathering Information and Monitoring Events
M
- man-in-the-middle (MITM) attacks, Man in the middle attacks
- MaxClients directive, Setting Server Configuration Limits
- maximum clients, limiting, Setting Server Configuration Limits, Badly Configured Apache
- MaxRequestsPerChild directive, Setting Server Configuration Limits
- MaxSpareServers directive, Setting Server Configuration Limits
- MaxSpareThreads directive, Setting Server Configuration Limits
- MD5 (Message Digest Algorithm 5) hash function, One-Way Encryption
- md5sum hash computing tool, Gathering Information and Monitoring Events
- Message Digest algorithm 5 (MD5) hash functions, One-Way Encryption
- message digest functions, One-Way Encryption
- MinSpareServers directive, Setting Server Configuration Limits
- MinSpareThreads directive, Setting Server Configuration Limits
- MITM (man-in-the-middle) attacks, Man in the middle attacks
- mod_access network access control module, Network Access Control
- mod_auth_dbm module, Basic Authentication Using DBM Files
- mod_auth_digest module, Digest Authentication
- required for Digest authentication, Digest Authentication
- mod_auth_ldap module, Access Control in Apache
- mod_auth module, Basic Authentication Using Plaintext Files, Basic Authentication Using DBM Files
- mod_bwshare traffic-shaping module, Traffic-Shaping Modules
- mod_cgi module, Information Leaks on Execution Boundaries
- mod_dosevasive DoS defense module, Traffic-Shaping Modules
- mod_fastcgi module, FastCGI, FastCGI, FastCGI
- mod_forensics module, Special Logging Modules
- mod_headers module, Selecting modules to install, Changing the name using mod_headers with Apache 2
- mod_include module, Selecting modules to install
- mod_info module, Selecting modules to install
- mod_limitipconn traffic-shaping module, Traffic-Shaping Modules
- mod_log_config module, Apache Logging Facilities
- default logging done through, Log Manipulation
- mod_log_sql module, Database Logging
- mod_logio module, LogFormat
- mod_parmguard module, Deploying positive security model protection
- mod_perchild module versus Metux MPM, Perchild MPM and Metux MPM
- mod_php module, Information Leaks on Execution Boundaries
- mod_proxy module, Proxy Access Control
- mod_rewrite module, Selecting modules to install
- map file, Using suEXEC for mass virtual hosting
- mass virtual hosting deployment, Using suEXEC for mass virtual hosting
- symbolic link effect, Distributing Configuration Data
- mod_security firewall module, Using mod_security, Deploying positive security model protection
- (see also WAFs)
- actions, Actions
- per-rule, Actions
- anti-evasion features, Anti-evasion features
- Apache 2 performance measurement, Performance Measurement
- basic configuration, Introduction, Logging
- byte-range restriction, Byte-range restriction
- changing identity server header field, Changing the name using mod_security
- complex configuration scenarios, Complex configuration scenarios
- configuration advice, Introduction, More Configuration Advice, Event monitoring
- activation time, Activation time
- Apache integration, Tight Apache integration
- event monitoring, Event monitoring
- memory consumption, Memory consumption
- per-context configuration, Per-context configuration
- performance impact, Performance impact
- dynamic requests, restriction to, Restricting mod_security to process dynamic requests only
- encoding-validation features, Encoding validation features
- file upload interception and validation, File upload interception and validation
- installation, Installation and basic configuration
- logging, Logging
- positive security model, deploying, Deploying positive security model protection
- preventing sensitive handler use, Distributing Configuration Data
- request body monitoring, Request body monitoring
- request processing order, Processing order
- response body monitoring, Response body monitoring
- rule engine flexibility, Rules, Rules
- extended variables, Rules
- standard variables, Rules
- scope, Using mod_security
- mod_setenvif module, Selecting modules to install, Using environment variables
- mod_ssl module, Changing the name in the source code
- custom format strings for logging, LogFormat
- mod_status module, Selecting modules to install
- server status monitoring, Web Server Status
- unreliability of, Using the scripts
- mod_throttle traffic-shaping module, Traffic-Shaping Modules
- mod_unique_id module, Special Logging Modules
- mod_userdir module, Selecting modules to install
- mod_vhost_alias module, Using suEXEC for mass virtual hosting
- mod_watch third-party monitoring module, mod_watch
- modules
- access set in options directive, Options directive
- Apache
- default activation list, Selecting modules to install
- installation, selecting, Selecting modules to install, Selecting modules to install
- module repository, Access Control in Apache
- compiled-in, listing, Apache 1
- intermodule communication (notes), Integration with PHP
- isolation of, Isolating Application Modules
- logging, special, Special Logging Modules
- mod_access, Network Access Control
- mod_auth, Basic Authentication Using Plaintext Files, Basic Authentication Using DBM Files
- mod_auth_dbm, Basic Authentication Using DBM Files
- mod_auth_digest, Digest Authentication
- mod_auth_ldap, Access Control in Apache
- mod_bwshare, Traffic-Shaping Modules
- mod_cgi, Information Leaks on Execution Boundaries
- mod_dosevasive, Traffic-Shaping Modules
- mod_fastcgi, FastCGI
- mod_forensics, Special Logging Modules
- mod_headers, Selecting modules to install, Changing the name using mod_headers with Apache 2
- mod_include, Selecting modules to install
- mod_info, Selecting modules to install
- mod_limitipconn, Traffic-Shaping Modules
- mod_log_config, Apache Logging Facilities
- mod_log_sql, Database Logging
- mod_logio, LogFormat
- mod_parmguard, Deploying positive security model protection
- mod_perchild, Perchild MPM and Metux MPM
- mod_php, Information Leaks on Execution Boundaries
- mod_proxy, Proxy Access Control
- mod_rewrite, Selecting modules to install
- mod_security, Using mod_security
- mod_setenvif, Selecting modules to install, Using environment variables
- mod_ssl, Changing the name in the source code
- mod_status, Selecting modules to install
- mod_throttle, Traffic-Shaping Modules
- mod_unique_id, Special Logging Modules
- mod_userdir, Selecting modules to install
- mod_vhost_alias, Using suEXEC for mass virtual hosting
- mod_watch third-party monitoring, mod_watch
- MPMs, Setting Server Configuration Limits
- multiple authentication, combining, Combining multiple authentication modules
- PHP
- choosing, Choosing Modules
- installation as, Using PHP as a Module, Using PHP as a Module
- posix, Choosing Modules
- monitoring, Monitoring, mod_watch
- events, Event Monitoring, Simple Event Correlator
- periodic reporting, Periodic reporting, Periodic reporting
- rules for, Event Monitoring
- SEC, Simple Event Correlator, Simple Event Correlator
- Swatch, Swatch
- file integrity, File Integrity
- Tripwire integrity checker, File Integrity
- networks, Network Monitoring
- external, External Monitoring
- intrusion detection, HTTP traffic and, Intrusion detection and HTTP
- Nagios and OpenNMS tools, External Monitoring
- recommended practices, External Monitoring
- real-time, gone bad, Event Monitoring
- web server status, Web Server Status, mod_watch
- graphing, Graphing
- mod_status module, Web Server Status, Using the scripts
- mod_watch third-party module, mod_watch
- RRDtool, Web Server Status, Using the scripts
- scripts for, Using the scripts
- SNMP, Web Server Status
- statistics, fetching and storing, Fetching and storing statistics, Fetching and storing statistics
N
- Nagios network-monitoring tool, External Monitoring
- negative security model, Negative versus positive security models
- Nessus security scanner, Nessus
- Netcat network-level tool, Netcat
- Netcraft information-gathering tool, Netcraft
- netstat port-listing tool, Deploying Minimal Services
- network architectures, Network Design
- (see also web application architectures)
- advanced HTTP, Advanced Architectures
- DNSRR load balancing, DNS Round Robin (DNSRR) load balancing, DNS Round Robin (DNSRR) load balancing
- high availability, High availability
- management node clusters, Management node clusters
- manual load balancing, Manual load balancing
- reverse proxy clusters, Reverse proxy clusters, Reverse proxy clusters
- single server, No load balancing, no high availability
- terms, defining, Advanced Architectures
- DMZ example, Network Design
- reverse proxy, Using a Reverse Proxy, Reverse Proxy Patterns, Performance reverse proxy
- front door, Front door
- integration, Integration reverse proxy
- performance, Performance reverse proxy
- protection, Protection reverse proxy
- network design, Network Design, Reverse proxy clusters
- architectures (see network architectures)
- paths for, Network Design
- reverse proxies (see reverse proxies)
- network intrusion detection system (NIDS), Evolution of Web Intrusion Detection
- network-level tools, Network-Level Tools, SSLDump
- Curl, Curl
- Netcat, Netcat
- network-sniffing, Network-Sniffing Tools
- SSLDump, SSLDump
- Stunnel, Stunnel
- network security, Network Security, External Monitoring
- defensible networks (Bejtlich), Security Definitions
- external monitoring, External Monitoring
- Nagios and OpenNMS tools, External Monitoring
- firewalls, Firewall Usage
- intrusion detection (see intrusion detection)
- isolating risk, Network Design
- logging, centralized, Centralized Logging
- network monitoring, Network Monitoring
- Argus tool, Network Monitoring
- recommended practices, External Monitoring
- network-sniffing tools, Network-Sniffing Tools
- NIDS (network intrusion detection system), Evolution of Web Intrusion Detection
- Nikto security scanner, Nikto
- nonrepudiation, Cryptography
- notes, intermodule communication, Integration with PHP
O
- one-way encryption, One-Way Encryption, How It All Falls into Place
- MD5, One-Way Encryption
- SHA-1, One-Way Encryption
- SHA-256, One-Way Encryption
- SHA-384, One-Way Encryption
- SHA-512, One-Way Encryption
- open_basedir directive, Restricting Filesystem Access
- securing PHP, Running PHP as a Module
- OpenNMS network-monitoring tool, External Monitoring
- OpenSSL, OpenSSL, OpenSSL, Generating a Certificate Signing Request
- benchmark script, OpenSSL Benchmark Script, OpenSSL Benchmark Script
- certificate chain, OpenSSL
- for CA setup, Setting Up a Certificate Authority, Using Client Certificates
- openssl command-line tool, OpenSSL
- operating system fingerprinting, Changing Web Server Identity
- Options directive, Options directive, Options directive
- problems, Distributing Configuration Data
- Order directive, Network Access Control
P
- Paros web application security tool, Paros
- performance increase with reverse proxy, Performance reverse proxy
- performance measurement, Performance Measurement
- Perl, working in jail, Preparing Perl to work in jail
- phishing scams, Phishing
- PHP
- Apache integration functions, Running PHP as a Module
- auto_prepend problem, Distributing Configuration Data
- configuration, Configuration, Other safe mode restrictions
- allow_url_fopen, register_globals and allow_url_fopen
- file_uploads directive, Controlling File Uploads
- filesystem, restricting access, Restricting Filesystem Access
- file uploads, Controlling File Uploads
- functions and classes, disabling, Disabling Functions and Classes
- limits, setting, Setting Limits
- logging options, Setting Logging Options
- modules, dynamically loading, Dynamic module loading
- open_basedir directive, Restricting Filesystem Access
- options, disabling, Disabling Undesirable Options, Display of information about PHP
- register_globals problem, register_globals and allow_url_fopen
- safe mode restrictions, Setting Safe Mode Options, Other safe mode restrictions
- session security, Increasing Session Security, Increasing Session Security
- doc_root directive, Restricting Filesystem Access
- environmental variable restrictions, Environment variable restrictions
- error logging, turning on, Setting Logging Options
- external process restrictions, External process execution restrictions
- file access restrictions, File access restrictions
- forensic logging integration, Using HTTP status codes, Integration with PHP
- Hardened-PHP project, Hardened-PHP
- hardening, advanced, Advanced PHP Hardening, Hardened-PHP
- SAPI Input Hooks, PHP 5 SAPI Input Hooks
- information about, disabling, Display of information about PHP
- installation, Installation, Choosing Modules
- CGI script approach, Using PHP as a CGI
- configuration file location error, Using PHP as a Module
- modules, Using PHP as a Module, Choosing Modules
- interpreter security issues, Using PHP as a CGI
- jail, working in, Preparing PHP to work in jail
- module, making secure, Running PHP as a Module
- posix module, disabling, Choosing Modules
- SAPI input hooks, PHP 5 SAPI Input Hooks
- Security Consortium, PHP
- security resources, PHP
- source download, Installation
- PKI (public-key infrastructure), Public-Key Infrastructure, Web of trust
- plaintext, Cryptography
- port connection for SSL, OpenSSL
- port scanning, Port scanning, Port scanning
- netstat port-listing tool, Deploying Minimal Services
- positive security model, Negative versus positive security models
- posix module, Choosing Modules
- POST method logic flaws, POST Method
- private key (symmetric) encryption, Symmetric Encryption, Asymmetric Encryption, How It All Falls into Place
- process limits, Process Limits
- process state management logic flaws, Process State Management
- protection security phase, Security Definitions
- protocol analyzer SSLDump, SSLDump
- proxies
- access control, Proxy Access Control, Reverse proxies
- reverse proxies do not require, Reverse proxies
- reverse (see reverse proxies)
- Proxy directive, Proxy Access Control
- ProxyMatch directive, Proxy Access Control
- ptrace, process hijacking with, Dynamic-Content Problems
- public key (asymmetric) encryption, Asymmetric Encryption, One-Way Encryption
- (see also public key cryptography)
- public-key (asymmetric) encryption, How It All Falls into Place, OpenSSL Benchmark Script
- certificate authorities, Certificate authorities
- digital certificates, Digital certificates
- DSA, Asymmetric Encryption
- Elliptic curve, Asymmetric Encryption
- infrastructure, Public-Key Infrastructure, Web of trust
- RSA, Asymmetric Encryption
- web of trust, Web of trust
- public-key cryptography, SSL Communication Summary, Nontechnical issues
- (see also public-key encryption)
- public-key infrastructure (PKI), Public-Key Infrastructure, Web of trust
R
- RC4 encryption, Symmetric Encryption
- RefererIgnore directive (deprecated), Request Logging
- RefererLog directive (deprecated), Request Logging
- referrer check logic flaws, Referrer Check Flaws
- response security phase, Security Definitions
- reverse proxies, Using a Reverse Proxy, Reverse Proxy by Redirecting Network Traffic
- access control not required, Reverse proxies
- advantages, Using a Reverse Proxy
- Apache, Apache Reverse Proxy, mod_proxy_html
- central access policies, for, Front door
- designed into network, Reverse Proxy by Network Design
- network traffic redirect, Reverse Proxy by Redirecting Network Traffic
- patterns, usage, Reverse Proxy Patterns, Performance reverse proxy
- front door, Front door
- integration, Integration reverse proxy
- performance, Performance reverse proxy
- protection, Protection reverse proxy
- risk
- calculating, Calculating Risk
- factors, Calculating Risk
- isolating in a network, Network Design
- multiple levels of, Isolating Application Modules
- public service as root, Per-request change of Apache identity
- Rivest, Shamir, and Adleman (RSA) public-key encryption, Asymmetric Encryption
- RLimitCPU directive, Setting CGI Script Limits
- RLimitMEM directive, Setting CGI Script Limits
- RLimitNPROC directive, Setting CGI Script Limits
- RRDtool (data storage), Web Server Status, Using the scripts
- RSA (Rivest, Shamir, and Adleman) public-key encryption, Asymmetric Encryption
- run_test.pl automated test tool, Deployment Guidelines
S
- safe mode, PHP, Setting Safe Mode Options, Other safe mode restrictions
- Sam Spade information-gathering tool, Sam Spade
- SAPI input hooks, PHP 5 SAPI Input Hooks
- Satisfy, Combining authentication with network access control
- ScriptAlias directive, Enabling CGI Scripts
- enabling script execution, ScriptAlias versus script enabling by configuration
- scripting, XSS security flaw, Cross-Site Scripting, XSS attack resources
- attack warning patterns, Cross-site scripting attacks
- consequences, Cross-Site Scripting
- detecting attacks, Cross-site scripting attacks
- resources for, XSS attack resources
- search engines, Search engines
- SEC (Simple Event Correlator), Simple Event Correlator
- SecFilterForceByteRange directive, Byte-range restriction
- SecFilterInheritance directive, Complex configuration scenarios
- SecFilterScanPOST directive, Request body monitoring
- SecFilterSelective directive, Response body monitoring
- secret-key encryption, Symmetric Encryption
- SecUploadInMemoryLimit directive, Memory consumption
- Secure FTP (SFTP), Restricting and Securing User Access
- Secure Hash Algorithm 1 (SHA-1), One-Way Encryption
- Secure Sockets Layer (see SSL)
- security
- Apache backdoors, Static Binary or Dynamic Modules
- authentication, flawed, real-life example of, Referrer Check Flaws
- CIA triad, Security Definitions
- common phases example, Security Definitions
- cryptography (see cryptography)
- defensible networks (Bejtlich), Security Definitions
- file descriptor leakage vulnerability, Information Leaks on Execution Boundaries
- hardening, system-hardening matrix, System-Hardening Matrix
- HTTP communication security, SSL and TLS
- hybrid model, Execution wrappers
- models, negative versus positive, Negative versus positive security models
- PHP
- interpreter issues, Using PHP as a CGI
- module, making secure, Running PHP as a Module
- resources, PHP
- safe mode, Setting Safe Mode Options, Other safe mode restrictions, Running PHP as a Module
- sessions, Increasing Session Security, Increasing Session Security
- principles
- essential, Essential Security Principles
- goals for, Apache Security Principles
- process steps, Security Process Steps
- protection reverse proxies, Protection reverse proxy
- risk
- calculating, Calculating Risk
- factors, Calculating Risk
- isolating in a network, Network Design
- multiple levels of, Isolating Application Modules
- public service as root, Per-request change of Apache identity
- scanners, Web Security Scanners, Nessus
- Nessus, Nessus
- Nikto, Nikto
- shared server resources, Apache View
- symbolic links, Options directive, Options directive
- term definitions, Security Definitions
- threat modeling, Threat Modeling
- methodology, Threat Modeling
- mitigation practices, Threat Modeling
- resources, Threat Modeling
- typical attacks, Threat Modeling
- vocabulary, common, Common Security Vocabulary
- segmentation fault, Special Logging Modules
- server header field, changing, Changing the Server Header Field, Changing the name using mod_headers with Apache 2
- ServerLimit directive, Setting Server Configuration Limits
- servers, Reverse proxies
- changing identity, Changing Web Server Identity, Removing Default Content
- default content, removing, Removing Default Content
- server header field, Changing the Server Header Field, Changing the name using mod_headers with Apache 2
- clusters, DNS Round Robin (DNSRR) load balancing, Reverse proxy clusters
- fault-tolerant with Wackamole, DNS Round Robin (DNSRR) load balancing
- management node, Management node clusters
- node failure, DNS Round Robin (DNSRR) load balancing
- reverse proxy, Reverse proxy clusters, Reverse proxy clusters
- crashing, log request causing, Special Logging Modules
- Digest authentication of, Digest Authentication
- firewalls (see firewalls)
- high availability, High availability
- host security, Host Security, Keeping Up to Date
- advanced hardening, Advanced Hardening
- information and event monitoring, Gathering Information and Monitoring Events
- minimal services, Deploying Minimal Services
- network access, Securing Network Access, Securing Network Access
- SFTP, Restricting and Securing User Access
- updating software, Keeping Up to Date
- user access, Restricting and Securing User Access
- HTTP Keep-Alive, OpenSSL Benchmark Script
- load balancing
- DNSRR, DNS Round Robin (DNSRR) load balancing, DNS Round Robin (DNSRR) load balancing
- manual, Manual load balancing
- netstat port-listing tool, Deploying Minimal Services
- performance reverse proxy, Performance reverse proxy
- proxy, access control, Proxy Access Control, Reverse proxies
- software updating, Keeping Up to Date
- symbolic links, Options directive, Options directive
- synchronizing clocks on (ntpdate utility), Gathering Information and Monitoring Events
- tuning steps (Lim), No load balancing, no high availability
- user accounts, setting up, Setting Up the Server User Account
- server-side includes (SSIs), Server-side includes
- ServerSignature directive, Preventing Information Leaks
- ServerTokens directive, Preventing Information Leaks
- SetEnvIf directive, Using environment variables
- SetHandler directive, Distributing Configuration Data
- SFTP (Secure FTP), Restricting and Securing User Access
- SHA-1 secure hash algorithm, One-Way Encryption
- SHA-256 secure hash algorithm, One-Way Encryption
- SHA-384 secure hash algorithm, One-Way Encryption
- SHA-512 secure hash algorithm, One-Way Encryption
- sharing servers
- configuration data, distributing, Distributing Configuration Data, Distributing Configuration Data
- .htaccess, Distributing Configuration Data
- configuration errors, Distributing Configuration Data
- dynamic requests, securing, Securing Dynamic Requests, Running PHP as a Module
- CGI limits, setting, Assigning handlers, types, or filters
- FastCGI, FastCGI, FastCGI
- handlers, types, and filters, assigning, Assigning handlers, types, or filters
- PHP as module, Running PHP as a Module
- ScriptAlias directive, ScriptAlias versus script enabling by configuration
- script execution, Enabling Script Execution
- SSIs, Server-side includes
- suEXEC (see suEXEC execution wrapper)
- problems, Sharing Problems, Information Leaks on Execution Boundaries
- domain names, sharing, Same Domain Name Problems
- dynamic-content, Dynamic-Content Problems, Multiple Apache instances
- file permissions, File Permission Problems, Virtual filesystems for users
- information leaks, Information Leaks on Execution Boundaries, Information Leaks on Execution Boundaries
- resources, sharing, Sharing Resources
- untrusted parties, Apache View
- users, large number of, Working with Large Numbers of Users
- dangerous binaries, Dangerous Binaries
- web shells, Web Shells
- Simple Event Correlator (SEC), Simple Event Correlator
- Simple Network Management Protocol (SNMP), Web Server Status
- simplicity security principle, Essential Security Principles
- single sign-on (see SSO)
- SiteDigger information-gathering tool, SiteDigger
- Slapper Worm, Putting Apache in Jail
- Slashdot effect, The Slashdot Effect
- SNMP (Simple Network Management Protocol), Web Server Status
- Spread Toolkit (distributed logging), Distributed Logging with the Spread Toolkit
- SQL injection attacks, SQL Injection, SQL injection attack resources
- database feature problems, Special database features
- detecting attacks, Database attacks
- example, A working example, A working example
- query statements, Multiple statements in a query
- resources for, SQL injection attack resources
- UNION construct, Union
- SSIs (server-side includes), Server-side includes
- SSL (Secure Sockets Layer), SSL and TLS, SSL, Hardware Acceleration
- Apache, and, Apache and SSL, Preventing configuration mistakes
- broken SSL clients, Supporting broken SSL clients
- certificates, signing, Generating a Certificate Signing Request, Getting a Certificate Signed by a CA
- configuring, Configuring SSL, Preventing configuration mistakes
- directives, Configuring SSL
- keys, generating, Generating Keys
- mod_ssl, installing, Installing mod_ssl
- non-SSL content, Preventing configuration mistakes
- reliable startup, Ensuring reliable SSL startup
- server private key, Securing the server private key
- session issues, Preventing configuration mistakes
- CA, setting up, Setting Up a Certificate Authority, Using Client Certificates
- distribution, preparing for, Preparing the CA Certificate for Distribution
- issuing client certificates, Issuing Client Certificates
- issuing server certificates, Issuing Server Certificates, Issuing Server Certificates
- keys, generating, Setting Up a Certificate Authority
- process, Setting Up a Certificate Authority, Setting Up a Certificate Authority
- revoking certificates, Revoking Certificates
- using client certificates, Using Client Certificates
- certificate chain, OpenSSL
- communication summary, SSL Communication Summary
- OpenSSL (see OpenSSL)
- performance, Performance Considerations, Hardware Acceleration
- HTTP Keep-Alive, OpenSSL Benchmark Script
- OpenSSL benchmark script, OpenSSL Benchmark Script, OpenSSL Benchmark Script
- port, connection, OpenSSL
- security of, Is SSL Secure?, Nontechnical issues
- MITM attacks, Man in the middle attacks
- nontechnical issues, Nontechnical issues
- testing, Testing SSL
- SSLDigger information-gathering tool, SSLDigger
- SSLDump protocol analyzer, SSLDump
- SSLRequireSSL directive, Certificate-Based Access Control
- SSLVerifyClient require directive, Certificate-Based Access Control
- SSLVerifyDepth 1 directive, Certificate-Based Access Control
- SSO (single sign-on), Single Sign-on, Simple Apache-Only Single Sign-on
- Apache, Simple Apache-Only Single Sign-on
- web-only, Web Single Sign-on
- StartServers directive, Setting Server Configuration Limits
- strace system call tracer, Using strace to see inside processes
- Stunnel network-level tool, Stunnel
- suEXEC execution wrapper, Using suEXEC, Using suEXEC for mass virtual hosting
- CGI script limits, setting, Setting CGI Script Limits
- error messages, Using suEXEC
- hybrid security model, Execution wrappers
- mass virtual hosting, Using suEXEC for mass virtual hosting
- outside virtual hosts, Using suEXEC outside virtual hosts
- suid modules, third-party, Per-request change of Apache identity
- Swatch monitoring program, Swatch
- symbolic links, Options directive, Options directive
- symmetric (private key) encryption, Symmetric Encryption, Asymmetric Encryption
- symmetric (private key) encryption, How It All Falls into Place
- synchronizing clocks on servers (ntpdate utility), Gathering Information and Monitoring Events
- system-hardening matrix, System-Hardening Matrix
T
- TechnicalInfo information-gathering tool, Online Tools at TechnicalInfo
- testing
- Apache installation, Testing the installation
- automated test tool, run_test.pl, Deployment Guidelines
- black-box, Black-Box Testing, Vulnerability Probing
- access control attacks, Attacks Against Access Control
- information gathering, Information Gathering, Port scanning
- vulnerability probing, Vulnerability Probing
- web application analysis, Web Application Analysis, Examining well-known locations
- web server analysis, Web Server Analysis, Assessing the execution environment
- gray-box, Gray-Box Testing
- white-box, White-Box Testing, Hot spot review
- architecture review, Architecture Review
- configuration review, Configuration Review, Reviewing the files
- functional reviews, Functional Review, Hot spot review
- steps for, White-Box Testing
- ThreadsPerChild directive, Setting Server Configuration Limits
- threat modeling, Threat Modeling
- methodology, Threat Modeling
- mitigation practices, Threat Modeling
- resources, Threat Modeling
- typical attacks, Threat Modeling
- tools
- apache-protect brute-force DoS, Brute-Force Attacks
- apxs third-party module interface, Using PHP as a Module
- Argus network monitoring, Network Monitoring
- blacklist brute-force DoS, Brute-Force Attacks
- blacklist-webclient brute-force DoS tool, Brute-Force Attacks
- Clam Antivirus, File upload interception and validation
- Cygwin Windows command-line, Information-Gathering Tools
- env_audit leakage detector, Information Leaks on Execution Boundaries
- HTTP programming libraries, HTTP Programming Libraries
- information-gathering, Information-Gathering Tools, Httprint
- Httprint, Httprint
- Netcraft, Netcraft
- Sam Spade, Sam Spade
- SiteDigger, SiteDigger
- SSLDigger, SSLDigger
- TechnicalInfo, Online Tools at TechnicalInfo
- ldd shared library namer, Using chroot to Put Apache in Jail
- learning environments, Learning Environments, WebGoat
- WebGoat, WebGoat
- WebMaven, WebMaven
- logscan logging analysis, Log Analysis
- Logwatch modular Perl script, Gathering Information and Monitoring Events
- md5sum hash computing, Gathering Information and Monitoring Events
- mod_watch monitoring module, mod_watch
- Nagios network-monitoring, External Monitoring
- netstat (port listing), Deploying Minimal Services
- network-level, Network-Level Tools, SSLDump
- Curl, Curl
- Netcat, Netcat
- network-sniffing, Network-Sniffing Tools
- SSLDump, SSLDump
- Stunnel, Stunnel
- OpenNMS network-monitoring, External Monitoring
- openssl command-line, OpenSSL
- Prelude intrusion detection, Network Monitoring
- RATS statistical source code analysis, Hot spot review
- RRDtool (data storage), Web Server Status, Using the scripts
- run_test.pl automated test, Deployment Guidelines
- SEC, Simple Event Correlator
- Snort intrusion detection, Network Monitoring
- Spread Toolkit (distributed logging), Distributed Logging with the Spread Toolkit
- Swatch monitoring program, Swatch
- Tripwire integrity checker, File Integrity
- web application, Web Application Security Tools, Commercial Web Security Tools
- commercial, Commercial Web Security Tools
- Paros, Paros
- WebScarab, Web Application Security Tools
- web security scanners, Web Security Scanners, Nessus
- Nessus, Nessus
- Nikto, Nikto
- traceroute, Connectivity
- TransferLog directive, Request Logging, TransferLog
- Triple-DES (3DES) encryption, Symmetric Encryption
- Tripwire integrity checker, File Integrity
- two-factor authentication, Overview
W
- WAFs (web application firewalls), Evolution of Web Intrusion Detection
- (see also mod_security firewall module)
- weakest link security principle, Essential Security Principles
- weakness, Common Security Vocabulary
- web application analysis, Web Application Analysis, Examining well-known locations
- page elements, Examining page elements
- page parameters, Enumerating pages with parameters
- spiders, Using a spider to map out the application structure
- well-known directories, Examining well-known locations
- web application architectures, Web Application Architecture Blueprints
- Apache changes, effect on, Apache 2, LogFormat
- security review of, Architecture Review
- views
- Apache, Apache View
- network, Network View
- user, User View
- web application firewalls (see WAFs)
- (see also mod_security firewall module)
- web applications
- integration with reverse proxies, Integration reverse proxy
- isolation strategies, Application Isolation Strategies, Utilizing Virtual Servers
- modules, Isolating Application Modules
- from servers, Isolating Applications from Servers
- virtual servers, Utilizing Virtual Servers
- logic flaws, Application Logic Flaws, Client-Side Validation
- client-side validation, Client-Side Validation
- cookies, Cookies and Hidden Fields
- hidden fields, Cookies and Hidden Fields
- POST method, POST Method
- process state management, Process State Management
- real-life example, Referrer Check Flaws
- referrer check, Referrer Check Flaws
- logs, Application Logs
- WAFs, Evolution of Web Intrusion Detection
- web application security
- application logic flaws (see web applications, logic flaws)
- buffer overflows, Buffer Overflows
- chained vulnerabilities compromise example, Null-Byte Attacks
- client attacks, Attacks on Clients, Phishing
- phishing, Phishing
- typical, Typical Client Attack Targets
- configuration review, Reviewing the application configuration
- evasion techniques, Evasion Techniques, SQL Evasion
- path obfuscation, Path Obfuscation
- simple, Simple Evasion Techniques
- SQL injection, SQL Evasion, SQL Evasion
- Unicode encoding, Unicode Encoding
- URL encoding, URL Encoding
- file disclosure, File Disclosure, Predictable File Locations
- download script flaws, Application Download Flaws
- path traversal, Path Traversal
- predictable locations, Predictable File Locations, Predictable File Locations
- source code, Source Code Disclosure
- information disclosure (see information disclosure security issues)
- injection attacks, Injection Flaws, Preventing Injection Attacks
- code execution, Code Execution
- command execution, Command Execution
- preventing, Preventing Injection Attacks
- scripting, XSS, Cross-Site Scripting, XSS attack resources
- SQL, SQL Injection, SQL injection attack resources
- learning environments, Learning Environments, WebGoat
- WebGoat, WebGoat
- WebMaven, WebMaven
- null-byte attacks, Null-Byte Attacks
- PHP safe mode, Setting Safe Mode Options, Other safe mode restrictions
- resources, Web Application Security Resources
- session management attacks, Session Management Attacks, Good Practices
- concepts, Session Management Concepts
- cookies, Cookies, Cookies
- design flaw example, Brute-force attacks
- good practices, Good Practices
- sessions, attacks on, Session Attacks, Brute-force attacks
- session tokens, Session Tokens, Brute-force attacks
- sessions, Increasing Session Security, Increasing Session Security
- directory for, not shared, Increasing Session Security
- tools, Web Application Security Tools, Commercial Web Security Tools
- commercial, Commercial Web Security Tools
- Paros, Paros
- WebScarab, Web Application Security Tools
- WebDAV (Web Distributed Authoring and Versioning), Limiting request methods, WebDAV
- Web Distributed Authoring and Versioning (see WebDAV)
- WebGoat learning environment, WebGoat
- WebMaven learning environment, WebMaven
- web of trust identity verification, Web of trust
- WebScarab web application security tool, Web Application Security Tools
- web security assessment
- administrator responsibility, Web Security Assessment
- black-box testing (see testing, black-box)
- gray-box testing, Gray-Box Testing
- security scanners, Web Security Scanners, Nessus
- Nessus, Nessus
- Nikto, Nikto
- white-box testing (see testing, white-box)
- web servers
- analysis, Web Server Analysis, Assessing the execution environment
- application enumeration, Enumerating applications
- configuration problems, Probing for common configuration problems
- configuration review, Reviewing the web server configuration
- default location searching, Examining default locations
- exceptional requests response, Examining responses to exceptional requests
- identifying the application server, Identifying the application server
- identifying the server, Identifying the web server
- SSL, Testing SSL
- vulnerabilities, probing known, Probing for known vulnerabilities
- status monitoring, Web Server Status, mod_watch
- graphing, Graphing
- mod_status module, Web Server Status, Using the scripts
- mod_watch third-party module, mod_watch
- RRDtool, Web Server Status, Using the scripts
- scripts for, Using the scripts
- SNMP, Web Server Status
- statistics, fetching and storing, Fetching and storing statistics, Fetching and storing statistics
- web server tree, Folder Locations
- web site for book, Online Companion