The Apache Web server has long held the largest market share of any Web server, according to the oft-quoted Netcraft Web server survey. The downside of that popularity is that it makes Apache an attractive target for attackers. Many system administrators feel that by using firewalls and SSL they will be safe from these attacks.
These measures alone, however, do not provide adequate protection. A new book by Ryan Barnett outlines ways Apache can be used to prevent Web attacks.
Ryan Barnett is heavily involved in the server security business. He is currently chief security officer with EDS, and leads the Operations Security and Incident Response teams for the federal government in Washington, D.C. He is also an instructor at the SANS Institute, the team lead for the Center for Internet Security Apache Benchmark Project, and a member of the Web Application Security Consortium.
In short, Barnett knows his stuff when it comes to Apache security. And, now, he is sharing his knowledge with the general populace in a book titled, Preventing Web Attacks with Apache, published by Addison Wesley Professional.
The book begins by taking a look at the different factors that impact the security of the server, including a section on technical misconceptions about Web security. Many people have a false sense of security brought about by misunderstandings of their Web environment. Barnett explains the problems with these "misunderstandings."
Next, Barnett discusses the foundation of the Web server, the underlying operating system (OS). Although he does not focus on the OS itself, Barnett takes a look at how it interacts with the server and what is needed to accomplish greater security. He includes a few examples of the mechanics of a server attack, and provides keen insight into what is happening behind the scenes.
Once the OS issues are resolved, Barnett gets down to the nitty-gritty of downloading and installing the Apache server software. As anyone with experience knows, this is not an easy task. Many decisions must be made in the process, but Barnett is an excellent guide. From there, he goes into great detail regarding the important, and often overlooked, process of configuring the httpd.conf file. To begin, he uses the Nikto open source vulnerability scanner. This Web server scanner performs comprehensive tests for multiple items, including more than 3,200 potentially dangerous files/CGIs, outdated versions of more than 625 servers, and version-specific problems on more than 230 servers. In all, the 42-page chapter is filled with important information.
From there, Barnett takes a look at the essential security modules for Apache. This covers SSL, the mod_rewrite module, and several other security-related modules.
The remainder of the book covers prevention and countermeasures in explicit detail. The appendix contains an Apache module listing and a sample httpd.conf file, which can be used as an example.
Overall, this is an important book to use when securing your server against Web attacks. The exploits covered include denial of service (DoS) attacks, buffer overflows, brute force attacks, and client parameter manipulation. Barnett's coverage of the Center for Internet Security Apache Benchmarks is an excellent guide for configuring the Apache server.
If you're involved at any level with the administration of an Apache server, we recommend getting a copy of this book. Barnett's background, coupled with detailed explanations, makes it a must-have.
This article was originally published on PHP Builder.