- Paperback: 624 pages
- Publisher: Addison-Wesley Professional; 1 edition (February 6, 2006)
- Language: English
- ISBN-10: 0321321286
- ISBN-13: 978-0321321282
- Product Dimensions: 6.9 x 1.4 x 9.1 inches
- Shipping Weight: 2.7 pounds (View shipping rates and policies)
- Average Customer Review: 7 customer reviews
- Amazon Best Sellers Rank: #2,223,574 in Books (See Top 100 in Books)
Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
To get the free app, enter your mobile phone number.
Preventing Web Attacks with Apache 1st Edition
Use the Amazon App to scan ISBNs and compare prices.
Fulfillment by Amazon (FBA) is a service we offer sellers that lets them store their products in Amazon's fulfillment centers, and we directly pack, ship, and provide customer service for these products. Something we hope you'll especially enjoy: FBA items qualify for FREE Shipping and Amazon Prime.
If you're a seller, Fulfillment by Amazon can help you increase your sales. We invite you to learn more about Fulfillment by Amazon .
See the Best Books of 2017
Looking for something great to read? Browse our editors' picks for the best books of the year in fiction, nonfiction, mysteries, children's books, and much more.
Frequently bought together
Customers who bought this item also bought
From the Back Cover
“Ryan Barnett has raised the bar in terms of running Apache securely. If you run Apache, stop right now and leaf through this book; you need this information.”
–Stephen Northcutt, The SANS Institute
The only end-to-end guide to securing Apache Web servers and Web applications
Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won’t protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you’ll need to do that: step-by-step guidance, hands-on examples, and tested configuration files.
Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.
Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured “in the wild.”
For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security.
With this book, you will learn to
- Address the OS-related flaws most likely to compromise Web server security
- Perform security-related tasks needed to safely download, configure, and install Apache
- Lock down your Apache httpd.conf file and install essential Apache security modules
- Test security with the CIS Apache Benchmark Scoring Tool
- Use the WASC Web Security Threat Classification to identify and mitigate application threats
- Test Apache mitigation settings against the Buggy Bank Web application
- Analyze an Open Web Proxy Honeypot to gather crucial intelligence about attackers
- Master advanced techniques for detecting and preventing intrusions
About the Author
Ryan C. Barnett is a chief security officer for EDS. He currently leads both Operations Security and Incident Response Teams for a government bureau in Washington, DC. In addition to his nine-to-five job, Ryan is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security, Top 20 Vulnerabilities team member, and local mentor for the SANS Track 4, “Hacker Techniques, Exploits, and Incident Handling,” course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX), and Security Essentials (GSEC). In addition to the SANS Institute, he is also the team lead for the Center for Internet Security Apache Benchmark Project and a member of the Web Application Security Consortium.
Author interviews, book reviews, editors picks, and more. Read it now
Top customer reviews
There was a problem filtering reviews right now. Please try again later.
Author Ryan Barnett takes a wider look at the world of Web application security than Ivan Ristic. As a result I find their two books very complementary. You'll find coverage of topics in PWAWA that do not appear in AS. For example, Ryan explains how to use the Center for Internet Security Apache Benchmark Scoring Tool to evaluate your httpd.conf file. He uses the Apache Benchmark (ab) application (packaged with Apache) to measure Web server performance characteristics. He uses these tools in before-and-after situations to show how his recommended changes improve the defaults.
I thought PWAWA's coverage of the fundamentals of Web security was not as good as that of AS. That's ok, though, because PWAWA addresses areas not as well covered by AS. For example, PWAWA spends a lot of quality ink on mod_security filters. This is ironic, given that AS author Ivan Ristic coded mod_security! What's impressive about PWAWA's mod_security explanations are the many sample filters. These are developed after discussions of various attack techniques and serve as countermeasures one can implement until a patch is ready.
PWAWA is a mix of defense and offense, with a whole chapter showing how to attack and defend the WebMaven/Buggy Bank learning Web application. Attacks are nice, but showing development of defenses is excellent. PWAWA features some clever ideas too, like snort2modsec.pl and an Open Web Proxy Honeypot. I was not as keen on the inclusion of the Web Application Security Consortium's Web Security "Threat" Classification document. Please search my blog for a thorough discussion of why that guide should be an "attack, vulnerabilities, and exposures" document.
I found few technical nits. It's not correct that a NIDS protects its sniffing interface by "removing [the] IP stack" (p 299). Inline IDS isn't just for honeypots, either. I could have used inline packet rewriting to defend a Web hosting company that had lost control of its IIS customer sites. The customers were compromised and were unwittingly attaching malicious frames in their Web pages, thanks to an intruder.
I was also concerned by the author's statement that upon seeing a Snort Web attack alert, he connects to the Web server via SSH and begins reviewing logs (p 419). Proper network security monitoring wouldn't necessarily require immediate log review, and if log review is needed it should be done via a central log host. Connecting to a potential victim immediately after suspected compromise is a great way to alert the intruder and potentially alter evidence.
Overall, I liked PWAWA. The book is a mix of Apache security and Web application assessment, so if you are more interested in purely securing Apache you might prefer AS. If you want to learn about Web application hacking in general, your best bets are probably Hacking Exposed: Web Applications, 2nd Ed, and Professional Pen Testing for Web Applications. I will read and review those two books shortly.
'Preventing Web Attacks with Apache' attempts to provide a comprehensive treatment of the thorny area of web server security with the sole emphasis being on Apache. Initial doubts about the viability of a 500 page treatise on securing an Apache server were dispelled by the in-depth and thorough approach of the author.
The book kicks off by exposing common misconceptions about web server security. For example, the fact that web servers need to have ports 80 (http) and 443 (SSL) open in order to function properly means that the effectiveness of security measures such as firewalls, DMZs and intrusion detection systems is somewhat diminished.
The proper configuration of the underlying operating system is then highlighted as the first line of defence. Issues such as the timely application of vendor patches, disabling of non-essential services, user management and proper application of file permissions are addressed.
At this stage it is necessary to note that the author has tailored the book specifically to cater for the 2.0 version fork of Apache as opposed to the 1.3 version. This is in spite of the fact that the 1.3 legacy version holds the majority of market share. His reason is that the version 2.0 fork contains a number of new security features, amongst other improvements, which make it easier to secure. Therefore users of the 1.3 version will need to take this into account when reading the book. Obviously, the general principles of "OS-hardening" and other common features, which both forks still share, will ensure that the book is still a useful read for version 1.3 administrators.
The exhaustive approach is continued with a chapter dedicated to downloading and compiling the source code, while another 40-page chapter provides secure settings for httpd.conf, the primary configuration file for Apache. An interesting comparative exercise was performed using Nikto, the popular open-source vulnerability scanner. The scanner was run initially against a newly installed Apache server with the default configuration, and then again after httpd.conf had been "hardened" with revealing results.
Apache has been designed so that its functionality can be extended by the installation of additional modules. Chapter 5 deals with the installation and configuration of security-related modules that can be added to Apache in order to improve its security.
The installation and running of the CIS Apache Benchmark Scoring Tool rounds up the first part of the book, which concentrates on securing Apache and the underlying operating system. The second part of the book majors on the protection of web applications that run on top of Apache.
A vast array of possible web threats such as SQL injection attacks, cross-site scripting and path traversal attacks are detailed with corresponding countermeasures. These concepts are then applied to a suitably named demonstration web application called Buggy Bank. The use of web honeypots is also covered with a whole chapter on an open web proxy honeypot project conducted by the author.
Finally, a practical scenario is enacted to allow the application of appropriate Apache countermeasures to a vulnerability alert email. Step by step details are provided making use of skills acquired in the previous chapters.
This book will serve as a very useful tool to anyone charged with securing web servers, especially those running Apache. Concepts are clearly presented and then demonstrated using practical illustrations and examples.