BKAPASEC.RVW 20061119
"Apache Security", Ivan Ristic, 2005, 0-596-00724-8, U$34.95/C$48.95
%A Ivan Ristic www.apachesecurity.net
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 2005
%G 0-596-00724-8
%I O'Reilly & Associates, Inc.
%O U$34.95/C$48.95 707-829-0515 fax: 707-829-0104 nuts@ora.com
%O http://www.amazon.com/exec/obidos/ASIN/0596007248/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/0596007248/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0596007248/robsladesin03-20
%O Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 396 p.
%T "Apache Security"
In the preface, the author states (along with remarks about the value
of books with which I heartily concur) that this work is intended to
provide system administrators, (Web application) programmers, system
architects, and Web security professionals "all the information one
needs to secure an Apache-based system." It's a tall order. In
addition to the details of Apache, "[s]ecurity concepts relevant for
discussion are introduced and described whenever necessary." (The
specifics of Apache are given for the 1.x and 2.0.x branches of the
project. Operating system examples use Linux.)
Chapter one sets out a brief but useful background to security, albeit
with some minor idiosyncrasies in vocabulary. (Threats are not listed
among the basic terms, and what is otherwise known as risk assessment is
described under the phrase "threat modelling." Risk is not completely
ignored: a short section is entitled "Calculating Risk.")
Installation and configuration, in chapter two, outlines a number of
measures to make the Web server more secure, and lists helpful
information such as those modules which are not strictly necessary and
may become a point of attack. (The reasons for the extensive
discussion of the concept of "jail" or "chroot" may not be immediately
obvious to those not using Linux, but the details of the deliberation
should make the issues clearer.) General instructions for the
installation of PHP, the popular language for scripting Web
activities, are covered in chapter three, along with configuration
options and modifications for more secure operation. There are also
cross-references to other chapters for instructions on protection
against specific attacks. Chapter four looks at SSL (Secure Sockets
Layer), starting with a basic but handy background in cryptography,
installation and configuration of OpenSSL, and finishing off with a
section on certificates and the necessary parts of a public key
infrastructure for running your own certificate authority. Denial of
service (DoS) attacks are reviewed in chapter five, which examines the
possibilities for network attacks. (No protection is suggested, since
these attacks are not strictly related to Apache.) There is an
interesting mention of the ways you can create problems for yourself,
with a list of problems specific to Apache itself (there are controls
suggested for these latter two topics).
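The chapter four material on OpenSSL and running your own certificate authority, as an added worked example that is not taken from the book: a POSIX shell script that creates a private CA, signs a server certificate for Apache, and checks the result the way a client would. The names (Example CA, www.example.com), the key sizes and validity periods are assumptions for illustration; the final hostname check uses the `-verify_hostname` option, which needs OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the book): run a small private CA with OpenSSL and
# issue a server certificate suitable for Apache's mod_ssl. All names, key
# sizes and lifetimes below are assumptions chosen for illustration.
set -eu

# Build the CA and a signed server certificate in a fresh directory; print the
# directory path so callers can inspect or reuse the files.
make_ca() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    # 1. CA private key and self-signed root certificate. In real use the
    #    CA key stays offline; only ca.crt is distributed to clients.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "/CN=Example CA" -keyout ca.key -out ca.crt 2>/dev/null
    # 2. Server key and certificate signing request. The CSR carries the
    #    public key only, so server.key never leaves the web server.
    openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=www.example.com" -keyout server.key -out server.csr 2>/dev/null
    # 3. Sign the CSR with the CA. Modern clients match the hostname against
    #    subjectAltName, not CN, so the SAN extension is added at signing time.
    printf 'subjectAltName=DNS:www.example.com\nextendedKeyUsage=serverAuth\n' \
      > san.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 365 -sha256 -extfile san.ext -out server.crt 2>/dev/null
    # 4. Confirm the chain validates against the CA before deploying it.
    openssl verify -CAfile ca.crt server.crt >/dev/null
  )
  echo "$dir"
}

# Return 0 if the certificate in $1 chains to the CA and is valid for host $2,
# non-zero otherwise (the same decision a browser makes on connect).
verify_for_host() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
    "$1/server.crt" >/dev/null 2>&1
}

# Corresponding Apache (mod_ssl) directives for the issued files:
#   SSLEngine on
#   SSLCertificateFile    /etc/apache2/ssl/server.crt
#   SSLCertificateKeyFile /etc/apache2/ssl/server.key
# Restrict server.key to the Apache user (chmod 600) and keep ca.key off the host.

if [ "${1:-}" = "run" ]; then
  d=$(make_ca)
  verify_for_host "$d" www.example.com && echo "www.example.com: valid"
  verify_for_host "$d" other.example.com || echo "other.example.com: rejected"
fi
```

The second check is the one that matters operationally: a certificate that chains correctly but names the wrong host is still rejected, which is why the SAN is set when the CA signs the request rather than left to the CN.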
Chapter six notes the problems with sharing servers among multiple
users. Since there is no single answer for these issues,
various options are analyzed. The details on most of the alternatives
are left to the reader to explore, a reasonable position given the
complexity of the problem. Fundamental concepts of access control are
described in chapter seven, along with standard Apache authentication
tools and single sign-on (SSO) choices. Types of logs, custom
options, strategies for storing and monitoring audit information, and
external log and review tools are all part of chapter eight. The
avoidance of network attacks in chapter five is somewhat inconsistent
in view of the fact that chapter nine surveys the infrastructure,
including system and network hardening. Chapter ten lists various
general difficulties and attacks that are generically part of Web
applications, but does not address safeguards for most of them
(although it does reference many Web resources dealing with specific
topics and exploits). Instructions and resources for performing a
penetration test or security review on yourself are contained in
chapter eleven. Chapter twelve discusses some factors in intrusion
detection, has a bit of confusing editorial comment, but mostly
describes the author's mod_security application firewall.
Ristic basically fulfills his promise. The minor faults with the book
do not detract from the fact that any Apache administrator or
developer will benefit, in terms of increased security, from the
information provided in this book.
copyright Robert M. Slade, 2006 BKAPASEC.RVW 20061119