Several books on the subject of security with Apache are available.
This review compares the most up-to-date of these:
- Apache Security, by Ivan Ristic. ISBN 0596007248
Published March 2005 by O'Reilly.
- Preventing Web Attacks with Apache, by Ryan Barnett. ISBN 0321321286
Published February 2006 by Addison-Wesley.
Both of these have received good reviews elsewhere, and are worth reading
if you're responsible for running a server. In reviewing them,
I should also mention a third book which I haven't read but which
has been well-received elsewhere:
- Hardening Apache, by Tony Mobily. ISBN 1590593782
Published May 2004 by Apress.
Executive Summary
Barnett is insightful on the Big Picture.
He is chief of security at a big software and services company,
and his book is in essence an apprenticeship to that job.
Ristic is more of the classic textbook, and is the more thorough and
comprehensive of the two if you're looking for a reference manual.
If your job is to run servers, keep the Ristic always to hand.
If you're managing people who run servers, get both and read
the Barnett yourself.
Ryan Barnett: Preventing Web Attacks with Apache
Barnett is chief of security at EDS, and project lead for the
Apache security benchmark at the Center for Internet Security.
His book is in essence an apprenticeship, taking in the tools,
techniques and thought processes involved in his job.
For a techie book, this is very, very readable. Barnett's writing
engages the reader, and guides you to think secure.
He is a disciple of Sun Tzu (whom he even mentions by name),
and exhorts you to know the enemy. He makes great
use of anecdotes to bring his points home. If you find it
hard to motivate yourself to read techie books, this one
will make a pleasant change.
On the downside, the technical detail is rather patchy. In parts
it's excellent, but there are also omissions and inaccuracies I find alarming.
There are matters of detail in which I would firmly disagree with
his recommendations, particularly where they have very severe
performance implications (which he doesn't discuss at all).
The areas where Barnett offers more than Ristic focus on "Big Picture"
insights, such as running a "honeypot" to gather intelligence on
the threats active on the Web.
This article about filtering
information leaks gives a feel for both what's good and bad
about this book.
Chapters
- The issues we have to deal with. This is well-presented
and benefits from his writing style.
- Hardening the platform. Mostly good, but not comprehensive.
- Downloading and Installing Apache. Covers the basics,
but fails to explain the crucial role of PGP.
- Configuring httpd.conf. Covers the basics well, but some
of his recommendations are unusual.
- Security modules. mod_ssl, mod_rewrite, mod_log_forensic,
mod_dosevasive, mod_security. A good chapter and excellent on mod_ssl -
and why SSL does not make a secure site. Very enthusiastic on
mod_security.
- The CIS Apache Benchmark tool.
He presents a tool and sample output, but doesn't discuss the
implications of the warnings issued by the tool.
- WASC web security threat classification.
The Web Application Security Consortium enumerates and classifies
threats to a webserver. This useful chapter presents an exhaustive list
of threat types, together with countermeasures available to an Apache admin.
- Protecting a buggy application.
Training for security professionals includes practical sessions with
web applications known to be buggy. You can be either attacking or
defending the application, and it's a controlled simulation of the
real-life job. This chapter describes attacking and defending a
buggy application, and illustrates both what's right and wrong with
this book. The information he gains as an attacker from
innocuous-looking bugs is a real eye-opener. But his remedies
are nasty hacks and almost as scary as the bugs!
- Firewalls, Web Application Firewalls, Intrusion Detection
systems. Barnett explains why firewalls and IDS offer little
protection, and moves on to Web Application Firewalls, including
mod_security hands-on.
- Open proxy honeypot.
Barnett describes deploying a web honeypot, to gather real-time
information on the threats he's dealing with. This presents a
very practical approach to knowing your enemy, and being in a
position to react promptly when a threat arises.
- Putting it all together.
Takes a scenario from his regular job, and applies techniques from the
book "for real". Then moves on to miscellaneous/unrelated topics.
Ivan Ristic: Apache Security
Ristic's principal claim to fame in the area is
mod_security, the
market leader in web application firewalls, and the only
open-source product in its class. In September 2006, Ristic's
company Thinking Stone was acquired by Breach Security, Inc,
with whom Ristic took up a senior position.
Ristic writes very well, though I find his style dryer and less
engaging than Barnett's. As a manual, Ristic is the more thorough
of the two by a clear margin, both in range of core server
administration topics and depth of technical detail. Topics Ristic
covers on which Barnett says little or nothing include:
- PHP security
- Theory of cryptographic security
- Securing a server with many users (the ISP/hosting situation)
- Authentication and Authorization
Ristic, like Barnett, puts security ahead of performance.
He does discuss performance issues, but it is not his strongest point.
My main reservation there is in his coverage of mod_security.
Using mod_security to scan and process HTTP headers and log
suspect events is cheap. But scanning incoming or outgoing
bodies with it gets very, very expensive as the size grows.
Neither author is clear on this important distinction.
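To make that distinction concrete, here is a pair of configuration fragments added for this review (they are not taken from either book). Both assume ModSecurity 2.x directive names; the rule ids, log path and size limits are illustrative values, not recommendations from either author. The first fragment inspects only headers (phase 1), which costs roughly the same however large the request is; the second enables request and response body inspection (phases 2 and 4), where the cost grows with body size, so it caps the amount of body data the engine will buffer and examine.

```apache
# Fragment A: header-only inspection. Cheap, because the engine never
# buffers a request or response body.
SecRuleEngine On
SecRequestBodyAccess Off
SecResponseBodyAccess Off
SecAuditEngine RelevantOnly
# Log path is an assumption for this example.
SecAuditLog /var/log/apache2/modsec_audit.log
# Phase 1 runs after request headers are read, before any body is buffered.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
    "id:100001,phase:1,log,deny,status:405,msg:'Unexpected HTTP method'"

# Fragment B: body inspection. Expensive, so bound it explicitly.
SecRequestBodyAccess On
# Buffer at most 1 MiB of request body; larger requests are rejected
# with 413 rather than buffered in full.
SecRequestBodyLimit 1048576
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecResponseBodyAccess On
# Only buffer text responses, and stop after 512 KiB of them.
SecResponseBodyMimeType text/html text/plain
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
# Phase 2 runs once the request body is available.
SecRule REQUEST_BODY "@rx (?i)<script" \
    "id:100002,phase:2,log,deny,status:403,msg:'Script tag in request body'"
# Phase 4 runs once the response body is available; this is the
# information-leak filtering case, catching a server error page on its way out.
SecRule RESPONSE_BODY "@rx (?i)(?:fatal error|stack trace)" \
    "id:100003,phase:4,log,deny,status:500,msg:'Error detail in response body'"
```

The practical reading of these two fragments: a deployment that keeps body access off pays a small fixed cost per request, while one that turns it on should always set the body limits, because without them every large upload or download is buffered and scanned in full.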
Chapters
- A brief look at the principles of security: what needs
to be accomplished. The remainder of the book describes how to
accomplish it.
- Installation and configuration.
- Setting up PHP for security.
- Cryptography, starting with an exposition of
the theory, and moving on to applying it in Apache.
- Denial of Service attacks, and how to mitigate them.
- Configuring a server for multiple users, as in
a hosting company.
- Apache's access control mechanisms. This chapter
is now in part outdated, so it will have to be taken in conjunction
with Apache's own manual.
- Logging, starting with details of Apache's
standard logging, then moving on to techniques for logging more
information to detect threats, and managing large volumes of data.
In a rather serious error, he advocates contravening the HTTP
standard in the interests of logging.
- Infrastructure - describes hardening the platform
and environment, continuing from Chapter 2.
- Web application security. It presents the range
of threats, with suggestions for dealing with them.
- Web security assessment.
- Web intrusion detection, including an extended
manual for mod_security.
Ristic also has one appendix, in which he briefly introduces a
number of tools that may be of interest. Nicely written, with
just enough description of each tool to motivate you to try it!