text.skipToContent text.skipToNavigation
  1. Home
  2. Computer Science & IT
  3. Preventing Web Attacks with Apache

Preventing Web Attacks with Apache, 1st edition

  • Ryan C. Barnett

Published by Addison-Wesley Professional (January 27th 2006) - Copyright © 2006

1st edition

Preventing Web Attacks with Apache

ISBN-13: 9780132800358

Includes: Instant Access

This product is not available in your country

What's included

  • Instant Access

    You'll get instant access to the digital content.

Overview

“Ryan Barnett has raised the bar in terms of running Apache securely. If you run Apache, stop right now and leaf through this book; you need this information.”

–Stephen Northcutt, The SANS Institute

 

The only end-to-end guide to securing Apache Web servers and Web applications

 

Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won’t protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you’ll need to do that: step-by-step guidance, hands-on examples, and tested configuration files.

 

Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.

 

Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured “in the wild.”

 

For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security.

 

With this book, you will learn to

  • Address the OS-related flaws most likely to compromise Web server security
  • Perform security-related tasks needed to safely download, configure, and install Apache
  • Lock down your Apache httpd.conf file and install essential Apache security modules
  • Test security with the CIS Apache Benchmark Scoring Tool
  • Use the WASC Web Security Threat Classification to identify and mitigate application threats
  • Test Apache mitigation settings against the Buggy Bank Web application
  • Analyze an Open Web Proxy Honeypot to gather crucial intelligence about attackers
  • Master advanced techniques for detecting and preventing intrusions

Table of contents

About the Author     xix

Foreword     xxi

Acknowledgments     xxv

Introduction     xxvii

Chapter 1     Web Insecurity Contributing Factors     1

A Typical Morning     1

Why Web Security Is Important     3

Web Insecurity Contributing Factors     4

Managerial/Procedural Issues     4

Management and the Bottom Line     4

Selling Loaded Guns     5

The Two-Minute Drill     5

Development Environment Versus Production Environment     6

Firefighting Approach to Web Security (Reacting to Fires)     7

Technical Misconceptions Regarding Web Security     7

“We have our web server in a Demilitarized Zone (DMZ).”     8

“We have a firewall.”     9

“We have a Network-Based Intrusion Detection System.”     9

“We have a Host-Based Intrusion Detection System.”     11

“We are using Secure Socket Layer (SSL).”     11

Summary     11

Chapter 2     CIS Apache Benchmark     13

CIS Apache Benchmark for UNIX: OS-Level Issues     13

Minimize/Patch Non-HTTP Services     13

Example Service Attack: 7350wu–FTP Exploit     19

Vulnerable Services’ Impact on Apache’s Security     22

Apply Vendor OS Patches     23

Tune the IP Stack     24

Denial of Service Attacks     25

Create the Web Groups and User Account     28

Lock Down the Web Server User Account     31

Implementing Disk Quotas     32

Accessing OS-Level Commands     35

Update the Ownership and Permissions of System Commands     39

Traditional Chroot     40

Chroot Setup Warning     41

Mod_Security Chroot     41

Chroot Setup     41

Summary     50

For teachers

All the material you need to teach your courses.

Discover teaching material