BKAPASEC.RVW 20061119

"Apache Security", Ivan Ristic, 2005, 0-596-00724-8, U$34.95/C$48.95
%A   Ivan Ristic www.apachesecurity.net
%C   103 Morris Street, Suite A, Sebastopol, CA 95472
%D   2005
%G   0-596-00724-8
%I   O'Reilly & Associates, Inc.
%O   U$34.95/C$48.95 707-829-0515 fax: 707-829-0104 nuts@ora.com
%O   http://www.amazon.com/exec/obidos/ASIN/0596007248/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0596007248/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596007248/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   396 p.
%T   "Apache Security"

In the preface, the author states (along with remarks about the value of books with which I heartily concur) that this work is intended to provide system administrators, (Web application) programmers, system architects, and Web security professionals "all the information one needs to secure an Apache-based system." It's a tall order. In addition to the details of Apache, "[s]ecurity concepts relevant for discussion are introduced and described whenever necessary." (The specifics of Apache are given for the 1.x and 2.0.x branches of the project. Operating system examples use Linux.)

Chapter one sets out a brief but useful background to security, albeit with some minor idiosyncrasies in vocabulary. (Threats are not listed among the basic terms, and what is otherwise known as risk assessment is described under the phrase "threat modelling." Risk is not completely ignored: a short section is entitled "Calculating Risk.") Installation and configuration, in chapter two, outlines a number of measures to make the Web server more secure, and lists helpful information such as those modules which are not strictly necessary and may become a point of attack. (The reasons for the extensive discussion of the concept of "jail" or "chroot" may not be immediately obvious to those not using Linux, but the details of the deliberation should make the issues clearer.)
General instructions for the installation of PHP, the popular language for scripting Web activities, are covered in chapter three, along with configuration options and modifications for more secure operation. There are also cross-references to other chapters for instructions on protection against specific attacks. Chapter four looks at SSL (Secure Sockets Layer), starting with a basic but handy background in cryptography, moving on to installation and configuration of OpenSSL, and finishing off with a section on certificates and the parts of a public key infrastructure necessary for running your own certificate authority.

Denial of service (DoS) attacks are reviewed in chapter five, which examines the possibilities for network attacks. (No protection is suggested, since these attacks are not strictly related to Apache.) There is an interesting mention of the ways you can create problems for yourself, along with a list of problems specific to Apache itself (controls are suggested for these latter two topics). Chapter six notes the problems with sharing servers among multiple users. Noting that there is no single answer for these issues, various options are analyzed. The details of most of the alternatives are left to the reader to explore, a reasonable position given the complexity of the problem.

Fundamental concepts of access control are described in chapter seven, along with standard Apache authentication tools and single sign-on (SSO) choices. Types of logs, custom options, strategies for storing and monitoring audit information, and external log and review tools are all part of chapter eight. The avoidance of network attacks in chapter five is somewhat inconsistent in view of the fact that chapter nine surveys the infrastructure, including system and network hardening.
Chapter ten lists various general difficulties and attacks that are generically part of Web applications, but does not address safeguards for most of them (although it does reference many Web resources dealing with specific topics and exploits). Instructions and resources for performing a penetration test or security review of your own systems are contained in chapter eleven. Chapter twelve discusses some factors in intrusion detection, has a bit of confusing editorial comment, but mostly describes the author's mod_security application firewall.

Ristic basically fulfills his promise. The minor faults with the book do not detract from the fact that any Apache administrator or developer will benefit, in terms of increased security, from the information provided in this book.

copyright Robert M. Slade, 2006