Join Amazon Prime and ship Two-Day for free and Overnight for $3.99. Already a member? Sign in.

 

or
Sign in to turn on 1-Click ordering.
 
   
More Buying Choices
46 used & new from $8.85

Have one to sell? Sell yours here
 
   
Preventing Web Attacks with Apache
 
See larger image
 
Tell the Publisher!
I’d like to read this book on Kindle

Don’t have a Kindle? Get yours here.
 
  

Preventing Web Attacks with Apache (Paperback)

by Ryan C. Barnett (Author)
4.6 out of 5 stars See all reviews (7 customer reviews)

List Price: $54.99
Price: $34.21 & this item ships for FREE with Super Saver Shipping. Details
You Save: $20.78 (38%)
In Stock.
Ships from and sold by Amazon.com. Gift-wrap available.

Only 5 left in stock--order soon (more on the way).

Want it delivered Tuesday, July 7? Choose One-Day Shipping at checkout. Details
26 new from $8.92 20 used from $8.85

Frequently Bought Together

Preventing Web Attacks with Apache + Apache Security + Apache Cookbook: Solutions and Examples for Apache Administrators
Price For All Three: $80.37

Customers Who Bought This Item Also Bought

Hardening Apache

Hardening Apache

by Tony Mobily
4.6 out of 5 stars (8)  $26.99
Apache Cookbook: Solutions and Examples for Apache Administrators

Apache Cookbook: Solutions and Examples for Apache Administrators

by Rich Bowen
4.2 out of 5 stars (12)  $23.09
Pro Apache, Third Edition (Expert's Voice)

Pro Apache, Third Edition (Expert's Voice)

by Peter Wainwright
4.6 out of 5 stars (7)  $31.49
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning

by Gordon Fyodor Lyon
4.9 out of 5 stars (14)  $32.97
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

by Dafydd Stuttard
4.9 out of 5 stars (14)  $31.50
Explore similar items

Editorial Reviews

Product Description
"Ryan Barnett has raised the bar in terms of running Apache securely. If you run Apache, stop right now and leaf through this book; you need this information." --Stephen Northcutt, The SANS Institute The only end-to-end guide to securing Apache Web servers and Web applications Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won't protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you'll need to do that: step-by-step guidance, hands-on examples, and tested configuration files. Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured "in the wild." For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security. With this book, you will learn to *Address the OS-related flaws most likely to compromise Web server security *Perform security-related tasks needed to safely download, configure, and install Apache *Lock down your Apache httpd.conf file and install essential Apache security modules *Test security with the CIS Apache Benchmark Scoring Tool *Use the WASC Web Security Threat Classification to identify and mitigate application threats *Test Apache mitigation settings against the Buggy Bank Web application *Analyze an Open Web Proxy Honeypot to gather crucial intelligence about attackers *Master advanced techniques for detecting and preventing intrusions

From the Back Cover

“Ryan Barnett has raised the bar in terms of running Apache securely. If you run Apache, stop right now and leaf through this book; you need this information.”

–Stephen Northcutt, The SANS Institute

 

The only end-to-end guide to securing Apache Web servers and Web applications

 

Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won’t protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you’ll need to do that: step-by-step guidance, hands-on examples, and tested configuration files.

 

Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.

 

Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured “in the wild.”

 

For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security.

 

With this book, you will learn to

  • Address the OS-related flaws most likely to compromise Web server security
  • Perform security-related tasks needed to safely download, configure, and install Apache
  • Lock down your Apache httpd.conf file and install essential Apache security modules
  • Test security with the CIS Apache Benchmark Scoring Tool
  • Use the WASC Web Security Threat Classification to identify and mitigate application threats
  • Test Apache mitigation settings against the Buggy Bank Web application
  • Analyze an Open Web Proxy Honeypot to gather crucial intelligence about attackers
  • Master advanced techniques for detecting and preventing intrusions


See all Editorial Reviews

Product Details

  • Paperback: 624 pages
  • Publisher: Addison-Wesley Professional (February 6, 2006)
  • Language: English
  • ISBN-10: 0321321286
  • ISBN-13: 978-0321321282
  • Product Dimensions: 9.1 x 6.6 x 1.4 inches
  • Shipping Weight: 1.9 pounds (View shipping rates and policies)
  • Average Customer Review: 4.6 out of 5 stars See all reviews (7 customer reviews)
  • Amazon.com Sales Rank: #499,996 in Books (See Bestsellers in Books)

    Popular in this category: (What's this?)

    #24 in  Books > Computers & Internet > Web Development > Web Servers > Apache

What Do Customers Ultimately Buy After Viewing This Item?

Preventing Web Attacks with Apache
56% buy the item featured on this page:
Preventing Web Attacks with Apache 4.6 out of 5 stars (7)
$34.21
Apache Security
26% buy
Apache Security 4.8 out of 5 stars (14)
$23.07
Apache Cookbook: Solutions and Examples for Apache Administrators
10% buy
Apache Cookbook: Solutions and Examples for Apache Administrators 4.2 out of 5 stars (12)
$23.09
Pro Apache, Third Edition (Expert's Voice)
5% buy
Pro Apache, Third Edition (Expert's Voice) 4.6 out of 5 stars (7)
$31.49

Tags Customers Associate with This Product

 (What's this?)
Click on a tag to find related items, discussions, and people.
Check the boxes next to the tags you consider relevant or enter your own tags in the field below.

Your tags: Add your first tag
 
Help others find this product — tag it for Amazon search
No one has tagged this product for Amazon search yet. Why not be the first to suggest a search for which it should appear?

Sell a Digital Version of This Book in the Kindle Store

If you are a publisher or author and hold the digital rights to a book, you can sell a digital version of it in our Kindle Store. Learn more

 

Customer Reviews

7 Reviews
5 star:
 (4)
4 star:
 (3)
3 star:    (0)
2 star:    (0)
1 star:    (0)
 
 
 
 
 
Average Customer Review
4.6 out of 5 stars (7 customer reviews)
 
 
 
 
Share your thoughts with other customers:
Most Helpful Customer Reviews

 
7 of 7 people found the following review helpful:
5.0 out of 5 stars If you run Apache, read this book, March 12, 2006
By Stephen Northcutt (Kauai, HI USA) - See all my reviews
(REAL NAME)   
I should start with a disclaimer, I know Ryan Barnett and have followed his work through the years. That said, my responsibility as a reviewer is to help you as the reader decide whether to purchase this book, take the time to leaf through the book with the sample pages or Amazon, or to skip this book. I take that responsibility seriously.

If you have nothing to do with Web servers, you can safely skip this book. If you have operations, security or audit responsibilities for an organization that runs Apache and you do not read this book at least twice you are negligent. Please allow me to explain why I say that.

The book introduces the Center for Internet Security benchmark early on. This group, www.cisecurity.org, does two things very well, they determine to appropriate security configuration for a number of operating systems, devices, and programs and they produce tools to check the configuration. Wouldn't it make sense to know if your web server is configured properly, on average there are about 1,000 web defacements per day.

There are security books that about things and that is OK, but the best security books tell you how to do things. Ryan takes you through the download, installation and configuration of Apache. The "secret sauce" in the book starts in Chapter 5, where you are introduced to what is possible with the security modules for Apache. If you are an auditor, grab your highlighter, mark the tools and configurations and go pay the web admins a visit! Chapter 8 gives you a scenario to bring everything together. For the average reader, this is about as far as you are going to go.

Beyond Chapter 8, you are in advanced material, where Ryan is sharing the results of years of his research. This is for the security person looking for a bit of an edge to help protect their organization, or to do additional research. This is not a book for everyone, but it is a book for everyone running Apache!
Comment Comment | Permalink | Was this review helpful to you? Yes No (Report this)



 
5 of 5 people found the following review helpful:
5.0 out of 5 stars bolt down your Apache!, March 5, 2006
By W Boudville (Terra, Sol 3) - See all my reviews
(TOP 50 REVIEWER)    (REAL NAME)      
Apache is the most common web server out there. It has been heavily built up in functionality by volunteer programmers. Naturally, there are numerous books detailing all that you can do with it. Very versatile. Unfortunately, that is one of the problems! As many commercial websites use Apache, there is a huge incentive for crackers to subvert it in various fashions. Perhaps to get at the back end SQL database. In which might be stored useful information like people's names and credit card data.

Barnett offers inoculation. You can read this book as the sysadmin's manual to installing and running Apache. Where the overriding priority is to bolt down any known weaknesses from the get go.

There is a comprehensive list of attacks. Some might not necessarily be directed against Apache per se, but against any web server. But there are others that might scan for particular versions of Apache or the operating system, if these have bugs that can be exploited. The text suggests possibly providing disinformation. In an earlier, more innocent time, a web server might write its name and version at the bottom of a page that it publishes, for example. Now, you are shown how Apache can suppress this. Better yet, you can tell Apache to pretend to be another web server. A defensive fib that makes the cracker's job a little harder.

Buffer overflows, cross site scripting and SQL injection are possibly the most dangerous attacks explained. For each attack, examples are usually given. Followed by Apache countermeasures. Tangentially, you also get to cast scrutiny at your database and at the entire way your multitier server system is arranged.

The book is a sad but necessary commentary on the times we live in.
Comment Comment | Permalink | Was this review helpful to you? Yes No (Report this)



 
4 of 4 people found the following review helpful:
4.0 out of 5 stars A strong mix of Apache security and Web application assessment, September 27, 2006
I recently received copies of Apache Security (AS) by Ivan Ristic and Preventing Web Attacks with Apache (PWAWA) by Ryan Barnett. I read AS first, then PWAWA. Both are excellent books, but I expect potential readers want to know which is best for them. The following is a radical simplification, and I could honestly recommend readers buy either (or both) books. If you are more concerned with a methodical, comprehensive approach to securing Apache, choose AS. If you want more information on offensive aspects of Web security, choose PWAWA.

Author Ryan Barnett takes a wider look at the world of Web application security than Ivan Ristic. As a result I find their two books very complementary. You'll find coverage of topics in PWAWA that do not appear in AS. For example, Ryan explains how to use the Center for Internet Security Apache Benchmark Scoring Tool to evaluate your httpd.conf file. He uses the Apache Benchmark (ab) application (packaged with Apache) to measure Web server performance characteristics. He uses these tools in before-and-after situations to show how his recommended changes improve the defaults.

I thought PWAWA's coverage of the fundamentals of Web security was not as good as that of AS. That's ok, though, because PWAWA addresses areas not as well covered by AS. For example, PWAWA spends a lot of quality ink on mod_security filters. This is ironic, given that AS author Ivan Ristic coded mod_security! What's impressive about PWAWA's mod_security explanations are the many sample filters. These are developed after discussions of various attack techniques and serve as countermeasures one can implement until a patch is ready.

PWAWA is a mix of defense and offense, with a whole chapter showing how to attack and defend the WebMaven/Buggy Bank learning Web application. Attacks are nice, but showing development of defenses is excellent. PWAWA features some clever ideas too, like snort2modsec.pl and an Open Web Proxy Honeypot. I was not as keen on the inclusion of the Web Application Security Consortium's Web Security "Threat" Classification document. Please search my blog for a thorough discussion of why that guide should be an "attack, vulnerabilities, and exposures" document.

I found few technical nits. It's not correct that a NIDS protects its sniffing interface by "removing [the] IP stack" (p 299). Inline IDS isn't just for honeypots, either. I could have used inline packet rewriting to defend a Web hosting company that had lost control of its IIS customer sites. The customers were compromised and were unwittingly attaching malicious frames in their Web pages, thanks to an intruder.

I was also concerned by the author's statement that upon seeing a Snort Web attack alert, he connects to the Web server via SSH and begins reviewing logs (p 419). Proper network security monitoring wouldn't necessarily require immediate log review, and if log review is needed it should be done via a central log host. Connecting to a potential victim immediately after suspected compromise is a great way to alert the intruder and potentially alter evidence.

Overall, I liked PWAWA. The book is a mix of Apache security and Web application assessment, so if you are more interested in purely securing Apache you might prefer AS. If you want to learn about Web application hacking in general, your best bets are probably Hacking Exposed: Web Applications, 2nd Ed, and Professional Pen Testing for Web Applications. I will read and review those two books shortly.
Comment Comment | Permalink | Was this review helpful to you? Yes No (Report this)


Share your thoughts with other customers: Create your own review
 
 
 
Most Recent Customer Reviews

5.0 out of 5 stars super
Thanks a lot, we are very happy to have this book in our library!
Published on March 8, 2007 by E. Schnyder

4.0 out of 5 stars pretty good
It's a good book. I'm glad to have it. But I'm only giving it 4 stars, not 5. To me - not as mind blowing as some of the other people have said. Read more
Published on April 26, 2006 by chavruta

4.0 out of 5 stars A comprehensive treatment of the thorny area of web server security
According to Netcraft's latest Website Server Survey (February 2006), over 68% of internet websites are hosted on Apache servers. Read more
Published on April 11, 2006 by Christos Partsenidis

5.0 out of 5 stars Thorough security work on Apache
This book is a well written, in depth, look into the security issues around Apache and applications developed on top of Apache. Read more
Published on March 8, 2006 by Jack D. Herrington

Only search this product's reviews



Customer Discussions

 Beta (What's this?)
New! See all customer communities, and bookmark your communities to keep track of them.
This product's forum (0 discussions)
  Discussion Replies Latest Post
  No discussions yet

Ask questions, Share opinions, Gain insight
Start a new discussion
Topic:
First post:
Prompts for sign-in
  [Cancel]

   


Product Information from the Amapedia Community

Beta (What's this?)



Look for Similar Items by Category


Get Within Reach

Shop for extension cords

Expand your power options with an extension cord. Get the cord type, indoor or outdoor, in the length you need in Lighting & Electrical.

Shop all extension cords

 

Big Savings in Books

Bargain Books
Find great titles at fantastic prices in our Bargain Books Store.
 

Buy Three Books, Get a Fourth Free

4-for-3 Books
Order any four eligible books under $10 and get the lowest-price book free in our 4-for-3 Books Store. See more details.
 

Best Books

Best of the Month
See our editors' picks and more of the best new books on our Best of the Month page.
 

 

Feedback

If you need help or have a question for Customer Service, contact us.
 Would you like to update product info or give feedback on images?
Is there any other feedback you would like to provide?

Your comments can help make our site better for everyone.


Where's My Stuff?

Shipping & Returns

Need Help?

Your Recent History

  (What's this?)
You have no recently viewed items or searches.

After viewing product detail pages or search results, look here to find an easy way to navigate back to pages you are interested in.

Look to the right column to find helpful suggestions for your shopping session.

Continue shopping: Top Sellers
Glenn Beck's Common Sense
Paranoia
Paranoia by Joseph Finder
Glenn Beck's Common Sense
Darkfever
Darkfever by Karen Marie Moning

Conditions of Use | Privacy Notice © 1996-2009, Amazon.com, Inc. or its affiliates