"Ryan Barnett has raised the bar in terms of running Apache securely. If you run Apache, stop right now and leaf through this book; you need this information."
-Stephen Northcutt, The SANS Institute
The only end-to-end guide to securing Apache Web servers and Web applications
Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won't protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you'll need to do that: step-by-step guidance, hands-on examples, and tested configuration files.
Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.
Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured "in the wild."
For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security.
With this book, you will learn to
Address the OS-related flaws most likely to compromise Web server security
Perform security-related tasks needed to safely download, configure, and install Apache
Lock down your Apache httpd.conf file and install essential Apache security modules
Test security with the CIS Apache Benchmark Scoring Tool
Use the WASC Web Security Threat Classification to identify and mitigate application threats
Test Apache mitigation settings against the Buggy Bank Web application
Analyze an Open Web Proxy Honeypot to gather crucial intelligence about attackers
Master advanced techniques for detecting and preventing intrusions
Contents

About the Author
Foreword
Acknowledgments
Introduction

Chapter 1  Web Insecurity Contributing Factors
  A Typical Morning
  Why Web Security Is Important
  Web Insecurity Contributing Factors
  Managerial/Procedural Issues
  Management and the Bottom Line
  Selling Loaded Guns
  The Two-Minute Drill
  Development Environment Versus Production Environment
  Firefighting Approach to Web Security (Reacting to Fires)
  Technical Misconceptions Regarding Web Security
  "We have our web server in a Demilitarized Zone (DMZ)."
  "We have a firewall."
  "We have a Network-Based Intrusion Detection System."
  "We have a Host-Based Intrusion Detection System."
  "We are using Secure Socket Layer (SSL)."
  Summary

Chapter 2  CIS Apache Benchmark
  CIS Apache Benchmark for UNIX: OS-Level Issues
  Minimize/Patch Non-HTTP Services
  Example Service Attack: 7350wu-FTP Exploit
  Vulnerable Services' Impact on Apache's Security
  Apply Vendor OS Patches
  Tune the IP Stack
  Denial of Service Attacks
  Create the Web Groups and User Account
  Lock Down the Web Server User Account
  Implementing Disk Quotas
  Accessing OS-Level Commands
  Update the Ownership and Permissions of System Commands
  Traditional Chroot
  Chroot Setup Warning
  Mod_Security Chroot
  Chroot Setup
  Summary

Chapter 3  Downloading and Installing Apache
  Apache 1.3 Versus 2.0
  Using Pre-Compiled Binary Versus Source Code
  Downloading the Apache Source Code
  Why Verify with MD5 and PGP?
  Uncompress and Open: Gunzip and Untar
  Patches-Get 'em While They're Hot!
  Monitoring for Vulnerabilities and Patches
  What Modules Should I Use?
  Summary

Chapter 4  Configuring the httpd.conf File
  CIS Apache Benchmark Settings
  The httpd.conf File
  Disable Un-Needed Modules
  Directives
  Server-Oriented Directives
  Multi-Processing Modules (MPMs)
  Listen
  ServerName
  ServerRoot
  DocumentRoot
  HostnameLookups
  User-Oriented Directives
  User
  Group
  ServerAdmin
  Denial of Service (DoS) Protective Directives
  Testing with Apache HTTP Server Benchmarking Tool (ab) in Default Configuration
  TimeOut
  KeepAlive
  KeepAliveTimeout
  MaxKeepAliveRequests
  StartServers
  MinSpareServers and MaxSpareServers
  ListenBacklog
  MaxClients and ServerLimit
  Testing with Apache HTTP Server Benchmarking Tool (ab) with Updated Configuration
  Forward Reference
  Software Obfuscation Directives
  ServerTokens
  ServerSignature
  ErrorDocument
  Directory Functionality Directives
  All
  ExecCGI
  FollowSymLinks and SymLinksIfOwnerMatch
  Includes and IncludesNoExec
  Indexes
  AllowOverride
  MultiViews
  Access Control Directives
  Authentication Setup
  Authorization
  Order
  Order deny,allow
  Order allow,deny
  Access Control: Where Clients Come From
  Hostname or Domain
  IP Address and IP Range
  Client Request ENV
  Protecting the Root Directory
  Limiting HTTP Request Methods
  Logging General Directives
  LogLevel
  ErrorLog
  LogFormat
  CustomLog
  Removing Default/Sample Files
  Apache Source Code Files
  Default HTML Files
  Sample CGIs
  Webserv User Files
  Updating Ownership and Permissions
  Server Configuration Files
  DocumentRoot Files
  CGI-Bin
  Logs
  Bin
  Updating the Apachectl Script
  Nikto Scan After Updates
  Summary

Chapter 5  Essential Security Modules for Apache
  Secure Socket Layer (SSL)
  Why Should I Use SSL?
  How Does SSL Work?
  Software Requirements
  Installing SSL
  Creating an SSL Certificate
  Testing the Initial Configuration
  Configuring mod_ssl
  SSL Summary
  Mod_Rewrite
  Enabling Mod_Rewrite
  Mod_Rewrite Summary
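The Chapter 4 outline above enumerates the httpd.conf directives the book hardens (server identity, DoS limits, ServerTokens/ServerSignature, the Options family, root-directory protection, request-method limits and logging). The fragment below is an added illustration of what that lock-down looks like in one place; it is not the book's own configuration or the CIS Benchmark text. It targets Apache 2.0 with the prefork MPM, since the Order/Allow/Deny syntax shown is what 1.3/2.0 use (2.4 replaces it with Require). The paths, hostnames, the e-mail address and the error-page locations are assumptions for illustration; the webserv account name follows the outline's "Webserv User Files" entry. Apache does not allow trailing comments on a directive line, so every comment sits on its own line.

```apache
# Added example: hardened httpd.conf fragment for Apache 2.0 (prefork).
# Not from the book or the CIS Benchmark; paths and names are assumed.

# --- Server and user identity --------------------------------------
# Worker processes run as a dedicated unprivileged account, never root
# and not the shared "nobody" account.
Listen 80
ServerName  www.example.com
ServerAdmin webmaster@example.com
User  webserv
Group webserv
# Reverse DNS on every hit slows the server and leaks nothing useful.
HostnameLookups Off

# --- Denial-of-service protective directives -----------------------
# Defaults: TimeOut 300, KeepAliveTimeout 15. Shorter values free
# children held by slow or stalled clients.
TimeOut 60
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100
ListenBacklog 511
<IfModule prefork.c>
    StartServers     8
    MinSpareServers  5
    MaxSpareServers  10
    ServerLimit      256
    MaxClients       150
</IfModule>
# Bound request size so one client cannot exhaust memory.
LimitRequestBody      1048576
LimitRequestFields    50
LimitRequestFieldSize 4094
LimitRequestLine      4094

# --- Software obfuscation ------------------------------------------
# Weak default: "ServerTokens Full" and "ServerSignature On" advertise
# the exact Apache, OS and module versions in headers and error pages.
ServerTokens    Prod
ServerSignature Off
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

# --- Protect the root directory, then open only what is needed ------
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory "/usr/local/apache/htdocs">
    # Weak default is "Options Indexes FollowSymLinks": directory
    # listings plus symlink traversal out of DocumentRoot.
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    # Only the methods the site uses. A GET restriction also covers HEAD.
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# TRACE is not covered by <LimitExcept>; disable it explicitly
# (TraceEnable needs 2.0.55 or later; older builds use a mod_rewrite rule).
TraceEnable Off

# CGI only from the dedicated ScriptAlias directory, never from DocumentRoot.
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
<Directory "/usr/local/apache/cgi-bin">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# --- Logging -------------------------------------------------------
LogLevel warn
ErrorLog  /usr/local/apache/logs/error_log
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /usr/local/apache/logs/access_log combined
```

Check the result before restarting with `apachectl configtest`, then confirm the banner change from outside with `curl -I http://www.example.com/` (the Server header should read only "Apache") and that `curl -X TRACE -I http://www.example.com/` returns 403 or 405. Setting ServerTokens to Prod hides version strings from casual scanners but does not patch anything; it complements, and never replaces, the patch-monitoring practice the Chapter 3 outline covers.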