Apache Security

Notes and Updates

This page contains a set of notes, errata, and updates I find complementary to the material already in the book. This is where I will add extended coverage of the additional topics. If you have a topic you'd like me to cover let me know.

Chapter 2: Installation and Configuration

Errata: In the section "Setting Apache Binary File Permissions" (page 27) I recommended the following commands to make sure only the root user has write access:

# find /usr/local/apache -type d | xargs chmod 755
# find /usr/local/apache -type f | xargs chmod 644

While they will succeed in removing write access from group and others, they will also strip the execute bit from every file, including the binaries in bin/, making it impossible to start Apache. That will teach me to never use absolute file permission changes again! A much better approach is to remove only the permission we don't want, leaving the other bits intact. Like this:

# chmod -R go-w /usr/local/apache
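As an added illustration of the errata above (not code from the book), the following shell functions apply the corrected, subtractive permission change to an install prefix and then verify both properties we care about: nothing under the prefix is group- or other-writable, and the files in bin/ are still executable. The prefix path is an assumed parameter defaulting to /usr/local/apache.

```shell
#!/bin/sh
# Added example, not from the book. Harden an Apache install tree by
# subtracting only the group/other write bits, then verify the outcome.

# ASSUMPTION: the install prefix is passed as $1 (default /usr/local/apache).
harden_apache_perms() {
    prefix=${1:-/usr/local/apache}
    # "go-w" removes write for group and others and touches nothing else,
    # so the execute bits on bin/httpd and friends survive (unlike chmod 644).
    chmod -R go-w "$prefix"
}

# Returns 0 when no file or directory under the prefix is group- or
# other-writable and every regular file in bin/ is executable.
# Offending paths are printed so an admin can see what is wrong.
verify_apache_perms() {
    prefix=${1:-/usr/local/apache}
    rc=0
    # Portable find: match anything with the group OR other write bit set.
    writable=$(find "$prefix" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$writable" ]; then
        printf 'group/other-writable:\n%s\n' "$writable"
        rc=1
    fi
    for f in "$prefix"/bin/*; do
        [ -f "$f" ] || continue
        if [ ! -x "$f" ]; then
            printf 'not executable: %s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Usage (as root, on the real tree):
#   harden_apache_perms /usr/local/apache && verify_apache_perms /usr/local/apache
```

Run verify_apache_perms on its own first if you want to see what the tree looks like before hardening; it only reads, never changes, permissions.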

Update: Genco Yilmaz wrote to me saying he needs /dev/urandom to make a jail on Gentoo work. This special device is needed on some systems and not needed on others. To add it:

# mknod -m 644 /chroot/apache/dev/urandom c 1 9

There will always be small differences between the procedures on different systems, because these systems are different and continue to change. It is vital to learn to use strace/truss (page 47) to figure out exactly what is going wrong. Use the following command to trace the system calls of a chrooted Apache (the -X switch tells Apache to run as a single process rather than forking child processes):

# strace -f chroot /chroot/apache /usr/local/apache/bin/httpd -X

Note: Genco Yilmaz is doing a lot of interesting work related to Apache jails:

  • He wrote a Gentoo Apache chroot ebuild.
  • PHP needs /bin/sh to execute external binaries (and to send email).
  • Perl needs /etc/protocols inside jail to send email.


Errata: On page 47 I wrote that PHP can send email through SMTP directly. This is only partially true: it can, but only on Windows systems, which makes the feature useless for a Unix jail. To make PHP send email from a jail, use the other solution I recommended: mini_sendmail. [Genco Yilmaz]

Chapter 8: Logging and Monitoring

Note: Just after I sent the book manuscript to the publisher, Andy Armstrong published mod_log_rotate. This module handles log rotation directly within the web server process, making it more efficient than the alternatives.


Note: ApacheTop, written by Chris Elsworth, is a useful tool for monitoring the requests served by your web server in real time.
