Apache Security

Table of Contents

Preface

1. Apache Security Principles

     Security Definitions
            Essential Security Principles
            Common Security Vocabulary
            Security Process Steps
            Threat Modeling
            System-Hardening Matrix
            Calculating Risk
     Web Application Architecture Blueprints
            User View
            Network View
            Apache View

2. Installation and Configuration (PDF)

     Installation
            Source or Binary
            Static Binary or Dynamic Modules
            Folder Locations
            Installation Instructions
     Configuration and Hardening
            Setting Up the Server User Account
            Setting Apache Binary File Permissions
            Configuring Secure Defaults
            Enabling CGI Scripts
            Logging
            Setting Server Configuration Limits
            Preventing Information Leaks
     Changing Web Server Identity
            Changing the Server Header Field
            Removing Default Content
     Putting Apache in Jail
            Tools of the chroot Trade
            Using chroot to Put Apache in Jail
            Using the chroot(2) Patch
            Using mod_security or mod_chroot

3. PHP (PDF)

     Installation
            Using PHP as a Module
            Using PHP as a CGI
            Choosing Modules
     Configuration
            Disabling Undesirable Options
            Disabling Functions and Classes
            Restricting Filesystem Access
            Setting Logging Options
            Setting Limits
            Controlling File Uploads
            Increasing Session Security
            Setting Safe Mode Options
     Advanced PHP Hardening
            PHP 5 SAPI Input Hooks
            Hardened-PHP

4. SSL and TLS

     Cryptography
            Symmetric Encryption
            Asymmetric Encryption
            One-Way Encryption
            Public-Key Infrastructure
            How It All Falls into Place
     SSL
            SSL Communication Summary
            Is SSL Secure?
     OpenSSL
     Apache and SSL
            Installing mod_ssl
            Generating Keys
            Generating a Certificate Signing Request
            Signing Your Own Certificate
            Getting a Certificate Signed by a CA
            Configuring SSL
     Setting Up a Certificate Authority
            Preparing the CA Certificate for Distribution
            Issuing Server Certificates
            Issuing Client Certificates
            Revoking Certificates
            Using Client Certificates
     Performance Considerations
            OpenSSL Benchmark Script
            Hardware Acceleration

5. Denial of Service Attacks

     Network Attacks
            Malformed Traffic
            Brute-Force Attacks
            SYN Flood Attacks
            Source Address Spoofing
            Distributed Denial of Service Attacks
            Reflection DoS Attacks
     Self-Inflicted Attacks
            Badly Configured Apache
            Poorly Designed Web Applications
            Real-Life Client Problems
     Traffic Spikes
            Content Compression
            Bandwidth Attacks
            Cyber-Activism
            The Slashdot Effect
     Attacks on Apache
            Apache Vulnerabilities
            Brute-Force Attacks
            Programming Model Attacks
     Local Attacks
            PAM Limits
            Process Accounting
            Kernel Auditing
     Traffic-Shaping Modules
     DoS Defense Strategy

6. Sharing Servers

     Sharing Problems
            File Permission Problems
            Dynamic-Content Problems
            Sharing Resources
            Same Domain Name Problems
            Information Leaks on Execution Boundaries
     Distributing Configuration Data
     Securing Dynamic Requests
            Enabling Script Execution
            Setting CGI Script Limits
            Using suEXEC
            FastCGI
            Running PHP as a Module
     Working with Large Numbers of Users
            Web Shells
            Dangerous Binaries

7. Access Control

     Overview
     Authentication Methods
            Basic Authentication
            Digest Authentication
            Form-Based Authentication
     Access Control in Apache
            Basic Authentication Using Plaintext Files
            Basic Authentication Using DBM Files
            Digest Authentication
            Certificate-Based Access Control
            Network Access Control
            Proxy Access Control
            Final Access Control Notes
     Single Sign-on
            Web Single Sign-on
            Simple Apache-Only Single Sign-on

8. Logging and Monitoring

     Apache Logging Facilities
            Request Logging
            Error Logging
            Special Logging Modules
            Audit Log
            Performance Measurement
            File Upload Interception
            Application Logs
            Logging as Much as Possible
     Log Manipulation
            Piped Logging
            Log Rotation
            Issues with Log Distribution
     Remote Logging
            Manual Centralization
            Syslog Logging
            Database Logging
            Distributed Logging with the Spread Toolkit
     Logging Strategies
     Log Analysis
     Monitoring
            File Integrity
            Event Monitoring
            Web Server Status

9. Infrastructure

     Application Isolation Strategies
            Isolating Applications from Servers
            Isolating Application Modules
            Utilizing Virtual Servers
     Host Security
            Restricting and Securing User Access
            Deploying Minimal Services
            Gathering Information and Monitoring Events
            Securing Network Access
            Advanced Hardening
            Keeping Up to Date
     Network Security
            Firewall Usage
            Centralized Logging
            Network Monitoring
            External Monitoring
     Using a Reverse Proxy
            Apache Reverse Proxy
            Reverse Proxy by Network Design
            Reverse Proxy by Redirecting Network Traffic
     Network Design
            Reverse Proxy Patterns
            Advanced Architectures

10. Web Application Security

     Session Management Attacks
            Cookies
            Session Management Concepts
            Keeping in Touch with Clients
            Session Tokens
            Session Attacks
            Good Practices
     Attacks on Clients
            Typical Client Attack Targets
            Phishing
     Application Logic Flaws
            Cookies and Hidden Fields
            POST Method
            Referrer Check Flaws
            Process State Management
            Client-Side Validation
     Information Disclosure
            HTML Source Code
            Directory Listings
            Verbose Error Messages
            Debug Messages
     File Disclosure
            Path Traversal
            Application Download Flaws
            Source Code Disclosure
            Predictable File Locations
     Injection Flaws
            SQL Injection
            Cross-Site Scripting
            Command Execution
            Code Execution
            Preventing Injection Attacks
     Buffer Overflows
     Evasion Techniques
            Simple Evasion Techniques
            Path Obfuscation
            URL Encoding
            Unicode Encoding
            Null-Byte Attacks
            SQL Evasion
     Web Application Security Resources
            General Resources
            Web Application Security Resources

11. Web Security Assessment

     Black-Box Testing
            Information Gathering
            Web Server Analysis
            Web Application Analysis
            Attacks Against Access Control
            Vulnerability Probing
     White-Box Testing
            Architecture Review
            Configuration Review
            Functional Review
     Gray-Box Testing

12. Web Intrusion Detection

     Evolution of Web Intrusion Detection
            Is Intrusion Detection the Right Approach?
            Log-Based Web Intrusion Detection
            Real-Time Web Intrusion Detection
            Web Intrusion Detection Features
     Using mod_security
            Introduction
            More Configuration Advice
            Deployment Guidelines
            Detecting Common Attacks
            Advanced Topics

Appendix: Tools

     Learning Environments
            WebMaven
            WebGoat
     Information-Gathering Tools
            Online Tools at TechnicalInfo
            Netcraft
            Sam Spade
            SiteDigger
            SSLDigger
            Httprint
     Network-Level Tools
            Netcat
            Stunnel
            Curl
            Network-Sniffing Tools
            SSLDump
     Web Security Scanners
            Nikto
            Nessus
     Web Application Security Tools
            Paros
            Commercial Web Security Tools
     HTTP Programming Libraries

Index
