The Apache Web server has the largest market share of any Web server, according to the latest figures from Netcraft. That popularity also makes it a very attractive target for attackers. Many system administrators feel that firewalls and SSL alone will keep them safe from these attacks. According to Ryan Barnett, those measures won't provide the protection you need: a firewall has to let Web traffic through to the server, and SSL encrypts an attacker's requests just as faithfully as a legitimate user's.
Ryan Barnett is heavily involved in the server security business. He is currently chief security officer with EDS, and leads the Operations Security and Incident Response teams for the federal government in Washington, DC. He is also an instructor at the SANS Institute, as well as the team lead for the Center for Internet Security Apache Benchmark Project and a member of the Web Application Security Consortium.
In short, Ryan knows his stuff when it comes to Apache security. And now he has shared a great deal of that information in his book, Preventing Web Attacks with Apache, published by Addison Wesley Professional.
The book begins by taking a look at the different factors that impact the security of the server, including a section on technical misconceptions regarding Web security. Many people have a false sense of security brought about by misunderstandings of their Web environment. Ryan does an excellent job of explaining the problems with these "misunderstandings".
Next, Ryan discusses building the foundation of the Web server: the underlying operating system (OS). While not focusing on the OS itself, Ryan looks at how it interacts with the server and what is needed to achieve greater security. Included are a few examples of the mechanics of a server attack, providing keen insight into what is happening behind the scenes.
Once the OS issues are taken care of, Ryan gets down to the nitty gritty of downloading and installing the Apache server software. Speaking from experience, I can say that this is not an easy task. There are many decisions to be made in the process, but Ryan is an excellent guide. From there, Ryan goes into much detail regarding the important, and often overlooked, process of configuring the httpd.conf file. He begins by running the Nikto open source vulnerability scanner against the freshly installed server. This Web server scanner performs comprehensive tests for multiple items, including over 3,200 potentially dangerous files/CGIs, versions on over 625 servers, and version-specific problems on over 230 servers. In all, the chapter covers 42 pages of detailed, important information.
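As an added illustration (this is not a configuration from the book or its appendix), the httpd.conf fragment below pairs several default settings that a Nikto scan of a fresh install reports with their hardened replacements. It uses the Order/Deny access-control syntax of Apache 1.3 and 2.0, which was current when the book was written; the directory paths are placeholders.

```apache
# Added example, not from the book: weak defaults are shown as comments,
# followed by the hardened directive that replaces each one.

# Banner leakage. Nikto reads the exact version string from the Server
# header and uses it to select version-specific checks.
# ServerTokens Full
# ServerSignature On
ServerTokens Prod
ServerSignature Off

# Nikto flags an enabled TRACE method (cross-site tracing).
# Directive available in Apache 1.3.34 / 2.0.55 and later.
TraceEnable Off

# Default-deny the whole filesystem, then open only the document root.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Placeholder document root.
<Directory "/var/www/html">
    # Options Indexes FollowSymLinks
    # Directory listings show up directly in scan output; disable them.
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# The default manual alias, if present, is one of the paths Nikto probes.
# Alias /manual "/usr/share/httpd/manual"

# Sample scripts shipped in cgi-bin (printenv, test-cgi) are also on
# Nikto's dangerous-file list; delete them rather than just hiding them.
```

After restarting Apache, `curl -I http://host/` should show a Server header reading only "Apache", and a re-run of `nikto -h host` should no longer report the TRACE method or directory indexing. Re-scanning after each configuration change, as the book does, is the check that matters; the directive names alone prove nothing until the scanner agrees.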
From there, Ryan takes a look at the essential security modules for Apache. This covers SSL, the mod_rewrite module, and several other security-related modules.
The remainder of the book covers prevention and countermeasures in explicit detail. In addition, the appendix contains an Apache module listing and a sample httpd.conf file.
Overall, this is an important book to use in securing your server against Web attacks. The attacks covered include denial of service (DoS), buffer overflows, brute force attacks, and client parameter manipulation. Ryan's coverage of the Center for Internet Security Apache Benchmark is an excellent guide for configuring the Apache server.
If you're involved — at any level — with the administration of an Apache server, you need to get a copy of this book. Ryan's background, coupled with detailed explanations, makes this a must-have book.