Marketplace offers
One offer for €16.39
  • Paperback


Product description
"Ryan Barnett has raised the bar in terms of running Apache securely. If you run Apache, stop right now and leaf through this book; you need this information."

-Stephen Northcutt, The SANS Institute

The only end-to-end guide to securing Apache Web servers and Web applications

Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won't protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you'll need to do that: step-by-step guidance, hands-on examples, and tested configuration files.

Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.

Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured "in the wild."

For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security.

With this book, you will learn to

  • Address the OS-related flaws most likely to compromise Web server security
  • Perform security-related tasks needed to safely download, configure, and install Apache
  • Lock down your Apache httpd.conf file and install essential Apache security modules
  • Test security with the CIS Apache Benchmark Scoring Tool
  • Use the WASC Web Security Threat Classification to identify and mitigate application threats
  • Test Apache mitigation settings against the Buggy Bank Web application
  • Analyze an Open Web Proxy Honeypot to gather crucial intelligence about attackers
  • Master advanced techniques for detecting and preventing intrusions

Table of contents

About the Author xix
Foreword xxi
Acknowledgments xxv
Introduction xxvii

Chapter 1 Web Insecurity Contributing Factors 1
  A Typical Morning 1
  Why Web Security Is Important 3
  Web Insecurity Contributing Factors 4
  Managerial/Procedural Issues 4
  Management and the Bottom Line 4
  Selling Loaded Guns 5
  The Two-Minute Drill 5
  Development Environment Versus Production Environment 6
  Firefighting Approach to Web Security (Reacting to Fires) 7
  Technical Misconceptions Regarding Web Security 7
  "We have our web server in a Demilitarized Zone (DMZ)." 8
  "We have a firewall." 9
  "We have a Network-Based Intrusion Detection System." 9
  "We have a Host-Based Intrusion Detection System." 11
  "We are using Secure Socket Layer (SSL)." 11
  Summary 11

Chapter 2 CIS Apache Benchmark 13
  CIS Apache Benchmark for UNIX: OS-Level Issues 13
  Minimize/Patch Non-HTTP Services 13
  Example Service Attack: 7350wu-FTP Exploit 19
  Vulnerable Services' Impact on Apache's Security 22
  Apply Vendor OS Patches 23
  Tune the IP Stack 24
  Denial of Service Attacks 25
  Create the Web Groups and User Account 28
  Lock Down the Web Server User Account 31
  Implementing Disk Quotas 32
  Accessing OS-Level Commands 35
  Update the Ownership and Permissions of System Commands 39
  Traditional Chroot 40
  Chroot Setup Warning 41
  Mod_Security Chroot 41
  Chroot Setup 41
  Summary 50

Chapter 3 Downloading and Installing Apache 53
  Apache 1.3 Versus 2.0 53
  Using Pre-Compiled Binary Versus Source Code 54
  Downloading the Apache Source Code 56
  Why Verify with MD5 and PGP? 56
  Uncompress and Open: Gunzip and Untar 63
  Patches-Get 'em While They're Hot! 64
  Monitoring for Vulnerabilities and Patches 66
  What Modules Should I Use? 70
  Summary 80

Chapter 4 Configuring the httpd.conf File 81
  CIS Apache Benchmark Settings 84
  The httpd.conf File 85
  Disable Un-Needed Modules 86
  Directives 86
  Server-Oriented Directives 87
  Multi-Processing Modules (MPMs) 87
  Listen 88
  ServerName 88
  ServerRoot 89
  DocumentRoot 89
  HostnameLookups 89
  User-Oriented Directives 90
  User 90
  Group 91
  ServerAdmin 91
  Denial of Service (DoS) Protective Directives 92
  Testing with Apache HTTP Server Benchmarking Tool (ab) in Default Configuration 92
  TimeOut 94
  KeepAlive 95
  KeepAliveTimeout 95
  MaxKeepAliveRequests 95
  StartServers 96
  MinSpareServers and MaxSpareServers 96
  ListenBacklog 96
  MaxClients and ServerLimit 97
  Testing with Apache HTTP Benchmarking Tool (ab) with Updated Configuration 97
  Forward Reference 99
  Software Obfuscation Directives 99
  ServerTokens 99
  ServerSignature 101
  ErrorDocument 102
  Directory Functionality Directives 104
  All 104
  ExecCGI 104
  FollowSymLinks and SymLinksIfOwnerMatch 105
  Includes and IncludesNoExec 105
  Indexes 106
  AllowOverride 106
  Multiviews 107
  Access Control Directives 107
  Authentication Setup 108
  Authorization 109
  Order 110
  Order deny, allow 110
  Order allow, deny 110
  Access Control: Where Clients Come From 111
  Hostname or Domain 111
  IP Address and IP Range 112
  Client Request ENV 112
  Protecting the Root Directory 113
  Limiting HTTP Request Methods 114
  Logging General Directives 114
  LogLevel 114
  ErrorLog 115
  LogFormat 115
  CustomLog 115
  Removing Default/Sample Files 116
  Apache Source Code Files 116
  Default HTML Files 116
  Sample CGIs 117
  Webserv User Files 118
  Updating Ownership and Permissions 118
  Server Configuration Files 119
  DocumentRoot Files 119
  CGI-Bin 119
  Logs 120
  Bin 120
  Updating the Apachectl Script 120
  Nikto Scan After Updates 122
  Summary 122

Chapter 5 Essential Security Modules for Apache 125
  Secure Socket Layer (SSL) 125
  Why Should I Use SSL? 126
  How Does SSL Work? 128
  Software Requirements 132
  Installing SSL 133
  Creating an SSL Certificate 133
  Testing the Initial Configuration 134
  Configuring mod_ssl 137
  SSL Summary 144
  Mod_Rewrite 144
  Enabling Mod_Rewrite 145
  Mod_Rewrite Summary