Hardening Apache

Description:

This is a book which should definitely be included in any serious Apache administrator's bookshelf. The book walks intuitively through the setup process, from download and verification, to configuration and modifications, to running in production mode. — Blane Warrene, Expert Columnist, SitePoint.

This book can save you pain, humiliation, and hair loss. — Mitchell Pirtle, International PHP Magazine

A must-read for any system administrator installing or currently using Apache, Hardening Apache shows you exactly what to do to make Apache more secure. Throughout this book, renowned author Tony Mobily introduces you to many of the security problems you'll inevitably stumble across when using Apache, and most important, you'll learn how to protect yourself and your server. Mobily provides in-depth instruction on the safe installation and configuration of Apache and gives detailed guidance on tightening the security of your existing Apache installation. This comprehensive book covers a wide variety of the most important issues, including common attacks, logging, downloading, administration, cross-site scripting attacks, and web-related RFC details. The book also delves into many of the more advanced system administration techniques including "jailing" Apache and securing third-party modules.

Product Details:

Author: Tony Mobily
Paperback: 296 pages
Publisher: Apress
Publication Date: May 17, 2004
Language: English
ISBN: 1590593782
Package Length: 9.2 inches
Package Width: 7.0 inches
Package Height: 0.8 inches
Package Weight: 1.25 pounds
Average Customer Rating: based on 8 reviews
Customer Reviews:
1 of 1 found the following review helpful:
Assumes *nix?! May 07, 2007
To be honest I have only made it perhaps 1/3 of the way into this book. I found it to be interesting, but what had not been clear or even mentioned in the book description was that the book seems to assume you are running Apache on Linux. For the rest of us, that is a huge bummer. I'm sure I will plow on, but the enthusiasm is somewhat gone. I wish authors or publishers would mention that sort of thing in the writeups.
0 of 1 found the following review helpful:
super, Mar 08, 2007
Thanks a lot, we are very happy to have this book in our library!
To the point! Jul 03, 2006
Hardening Apache by Tony Mobily is a book for server administrators who want to learn how to secure the Apache web server. On 260 pages, in a loosely howto-like fashion, the author covers all aspects of keeping intruders out of your web server.
In contrast to other books which appear to but usually fail in covering all aspects of Unix/Linux security, this volume explicitly takes on one program only: the Apache web server. After discussing installation and configuration as well as covering common attacks on the server, Mobily introduces logging and its security issues, and he presents some very interesting ideas for solutions. XSS is given its own chapter as are the Apache security modules: half a dozen server modules are described.
Apache goes to jail in chapter 6. Here the author describes setting up a chroot environment for the server and details how to get both Perl & PHP to work. The last chapter presents a number of useful shell scripts that can help a systems administrator to keep a watchful eye on her servers.
Together with the Apache documentation this book is an essential eye-opener for anybody who puts up an Apache web server to face a public network. I will be applying some of what I learnt from the book to our servers very quickly indeed! Even though it was published in 2004, Hardening Apache goes on my list of recommended books.
8 of 10 found the following review helpful:
Your return will exceed the price in a very short time, Feb 01, 2005
Computer security is hard, very hard. Any reasonable attempt to make a system secure has to involve more than a choice between {none, some security features, unusable}. There are so many different things that we want to do with our software and there are probably just as many ways in which it can be attacked. In order to be able to fend off attacks, it is necessary to know what kind of attacks can occur. Finally, many security procedures must be automated, which requires generic defense strategies that are capable of recognizing an attack when it differs slightly from one that has already been planned for.
This book about the Apache server does all of that, starting with which version to use and how to install it with security enabled at the appropriate level. After these topics are covered in chapter one, Mobily moves on to descriptions of the most common attacks in chapter two and logging the interesting events in chapter three. If you are versed in security, most of the material in chapter two will be familiar, but it is hard to overstate the importance of chapter three. Being able to read an account of what has happened on a system is the only way to prove that your security measures are working and the only way to learn when you are successfully attacked. Mobily also shows you the critical steps in testing to determine if your log system is actually working properly.
Chapter four is devoted to explanations of cross-site scripting attacks (XSS). This is an attack where a web page is designed to accept input, but that input may be used to drive erroneous results. A simple, yet excellent demonstration of how this can be done is presented. While it is not sophisticated, it demonstrates how careful you must be when accepting even the most basic of inputs from a web page.
Chapters five and six deal specifically with security in the Apache server. Five explains the security modules available in Apache and six describes how you can lock down Apache by "putting it in jail." These specifics, of which there are many, should be required reading for anyone who has any hand in managing an Apache server. The last chapter shows you how to automate the security functions, clearly necessary if you are ever to get any sleep.
There is a great deal of source code used to describe how the features are implemented. Demo code is in Perl, but XML, HTML and database access commands are used when appropriate.
All around this country, companies and organizations are quietly paying out large sums of money to settle issues when their computer security was lax. Sometimes that payment is through the legal system, but the vast majority does not appear on the books. Reduced efficiency of the server, dropped and misplaced orders and greater effort by the staff are just some of the consequences of security problems. This book should be mandatory reading for all people who manage an Apache server; at $29.99 a copy, it will probably pay for itself in less than 24 hours.
13 of 13 found the following review helpful:
An excellent book filling a huge gap, Sep 06, 2004
Understanding how to configure Apache from a security standpoint properly is not easy since the related information is sparse and fragmented. This could be the reason why many web administrators are pretty clueless when it comes to Apache security and why so many web servers are vulnerable.
In this sense I think this book fills a huge gap, providing web administrators with a concise and yet complete guide aimed at taking them from the very beginning of the installation process through to the final steps of server configuration.
Information throughout the book is very well focused and is presented with a clean and friendly writing style. The book provides a clear and detailed walkthrough of the process of securing an Apache installation, covering both versions 1.3.x and 2.x and thus providing long lasting information. The book has lots of references and pointers to resources on the web, and - more importantly - instructions on how to read them.
Sure enough, the book requires some familiarity with Unix and Apache - this is not the kind of book you would buy to learn the very basics of *nix and web site administration.
I totally agree with what I've read before: every serious system administrator should have this book.