Amazon.com Customer Reviews
Great book, useful for all Apache users - Review written on November 04, 2005
Rating: 5 out of 5
6 customers found this review helpful, 1 did not.
I thoroughly enjoyed Ivan's "Apache Security", even when I was a reviewer for an unfinished book. I remember how I was eagerly waiting to receive more new chapters from the publisher.
The book contains a nice combination of generic web stuff and Apache stuff. It starts with the discussion of security principles, such as defense-in-depth and minimum access privilege. Although not new, they are useful for those just entering the field, such as beginner Apache admins.
The chapter on Apache's installation and configuration sounds boring and many might be tempted to skip it. But it does contain a gem: a guide on setting Apache in a chroot jail!
PHP, a main web application platform for Apache at the time of this writing, is covered as well. I found some tips on PHP hardening that I didn't know previously. While the last PHP application I deployed was configured to be 'hackable' (it was a honeypot deployment, after all!), I found the tips to be practical.
One entertaining chapter is on denial-of-service attacks. There are many ways to overwhelm a network server, and Apache is no exception. It's a must-read for those running highly-available sites, where downtime costs a lot.
An important chapter covers Apache access control, from basic auth to single sign-on. Of course, of particular interest to me was a chapter on logging and monitoring, as it is one of my favorite subjects. Ivan did a great job covering not only logging facilities available within the server, but also log centralization, log analysis for security, integrity monitoring and other stuff. Distributed logging with Spread kit is indeed 'cool', just as Ivan mentions.
A brief chapter covers the security of the underlying 'infrastructure', such as the OS that Apache runs on. I liked the overview since it is not 'generic', but covers material relevant to running Apache web server.
Chapters 10-12 are at the center of the book, providing the core of the new material. Those cover web application attacks, web security assessment and web intrusion detection. The latter is based on Ivan's famous mod_security Apache module. While web attacks are covered in many places, I think the overview in the book is clear, focused and useful even for those who do web security for a living. As far as the mod_security chapter is concerned, I would read it with most care since it covers a lot of advanced usage tips, not available elsewhere.
The book is well written, easy to follow and displays a clear writing style. I would strongly recommend it to everybody who is involved in running Apache web servers, web applications or has web security as part of his job responsibility. Obviously, everybody who thinks that this subject is fun should also read it :-) Also, check out www.apachesecurity.net for some free chapters, ToC, tools covered in the book, as well as a couple of presentations given by Ivan. The book focuses on the defensive side, but mentions various attacks against web infrastructure as well.
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II" and the upcoming "Hacker's Challenge III". In his spare time, he maintains his security portal info-secure.org and his blog at O'Reilly. His next book will be about security log analysis.
more dangerous attacks - Review written on April 14, 2005
Rating: 4 out of 5
9 customers found this review helpful, 3 did not.
Ideally, this book should not exist. Because no one would try to intrude onto your Apache server. Besides, you don't mind a stranger being able to do that anyway, eh? After all, surely there is nothing important on your server's disk and in the computer on which it runs?
If you agree with the above, then stop reading.
Otherwise, reflect on a symptom of our times. As intrusion attacks become more sophisticated and your Apache perhaps has to guard valuable data, then its security has been promoted to an entire book. Basically, all of its material has been discussed elsewhere, but often scattered across the literature.
Here, Ristic gives an extended discussion of many aspects. Some of this involves educating you about related topics. Especially a PKI and how to integrate Apache with it. The book skims over any serious crypto complications, but explains how to use such a system.
Ristic also devotes a chapter to Denial of Service attacks. These can be low tech brute force affairs. Or perhaps a cracker might mobilise a massive botnet to launch a DDoS, which is the more dangerous form. There are ways to militate against these. But since the book is about Apache, it does not devote enough space to the use of an Intrusion Detection System or Intrusion Prevention System, in conjunction with upstream routers. Apache by itself is not enough to defend against the worst DoS attacks.
The book also mentions phishing. It claims the problem is hard and that there are no quick remedies. It's a reasonable assessment of the commonly understood state of the publicly known antiphishing methods. Though this does not preclude the deployment of better methods that are not yet publicly known. [I am the co-inventor of 15 US Patents Pending on antiphishing, which our company plans on implementing.]
Comprehensive, task-oriented web security cookbook - Review written on April 11, 2005
Rating: 5 out of 5
5 customers found this review helpful, 3 did not.
This comprehensive, systematic, task-oriented book covers all the alternative approaches to securing servers -- from secure to paranoid -- complete with examples to demonstrate vulnerabilities such as session management, (Javascript) cross-site scripting, and SQL injection. Subjects such as hardening PHP, shared-server vulnerabilities, and logging/monitoring each get a whole chapter. This up-to-date, well-written (concise yet encyclopedic) book will be indispensable to system designers, administrators and programmers.