Apache Security

Table of Contents

Preface
    Audience
    Scope
    Contents of This Book
    Online Companion
    Conventions Used in This Book
        Programming Conventions
        Typesetting Conventions
    Using Code Examples
    We'd Like to Hear from You
    Safari Enabled
    Acknowledgments

1. Apache Security Principles
    1.1. Security Definitions
        1.1.1. Essential Security Principles
        1.1.2. Common Security Vocabulary
        1.1.3. Security Process Steps
        1.1.4. Threat Modeling
        1.1.5. System-Hardening Matrix
        1.1.6. Calculating Risk
    1.2. Web Application Architecture Blueprints
        1.2.1. User View
        1.2.2. Network View
        1.2.3. Apache View

2. Installation and Configuration
    2.1. Installation
        2.1.1. Source or Binary
        2.1.2. Static Binary or Dynamic Modules
        2.1.3. Folder Locations
        2.1.4. Installation Instructions
    2.2. Configuration and Hardening
        2.2.1. Setting Up the Server User Account
        2.2.2. Setting Apache Binary File Permissions
        2.2.3. Configuring Secure Defaults
        2.2.4. Enabling CGI Scripts
        2.2.5. Logging
        2.2.6. Setting Server Configuration Limits
        2.2.7. Preventing Information Leaks
    2.3. Changing Web Server Identity
        2.3.1. Changing the Server Header Field
        2.3.2. Removing Default Content
    2.4. Putting Apache in Jail
        2.4.1. Tools of the chroot Trade
        2.4.2. Using chroot to Put Apache in Jail
        2.4.3. Using the chroot(2) Patch
        2.4.4. Using mod_security or mod_chroot

3. PHP
    3.1. Installation
        3.1.1. Using PHP as a Module
        3.1.2. Using PHP as a CGI
        3.1.3. Choosing Modules
    3.2. Configuration
        3.2.1. Disabling Undesirable Options
        3.2.2. Disabling Functions and Classes
        3.2.3. Restricting Filesystem Access
        3.2.4. Setting Logging Options
        3.2.5. Setting Limits
        3.2.6. Controlling File Uploads
        3.2.7. Increasing Session Security
        3.2.8. Setting Safe Mode Options
    3.3. Advanced PHP Hardening
        3.3.1. PHP 5 SAPI Input Hooks
        3.3.2. Hardened-PHP

4. SSL and TLS
    4.1. Cryptography
        4.1.1. Symmetric Encryption
        4.1.2. Asymmetric Encryption
        4.1.3. One-Way Encryption
        4.1.4. Public-Key Infrastructure
        4.1.5. How It All Falls into Place
    4.2. SSL
        4.2.1. SSL Communication Summary
        4.2.2. Is SSL Secure?
    4.3. OpenSSL
    4.4. Apache and SSL
        4.4.1. Installing mod_ssl
        4.4.2. Generating Keys
        4.4.3. Generating a Certificate Signing Request
        4.4.4. Signing Your Own Certificate
        4.4.5. Getting a Certificate Signed by a CA
        4.4.6. Configuring SSL
    4.5. Setting Up a Certificate Authority
        4.5.1. Preparing the CA Certificate for Distribution
        4.5.2. Issuing Server Certificates
        4.5.3. Issuing Client Certificates
        4.5.4. Revoking Certificates
        4.5.5. Using Client Certificates
    4.6. Performance Considerations
        4.6.1. OpenSSL Benchmark Script
        4.6.2. Hardware Acceleration

5. Denial of Service Attacks
    5.1. Network Attacks
        5.1.1. Malformed Traffic
        5.1.2. Brute-Force Attacks
        5.1.3. SYN Flood Attacks
        5.1.4. Source Address Spoofing
        5.1.5. Distributed Denial of Service Attacks
        5.1.6. Reflection DoS Attacks
    5.2. Self-Inflicted Attacks
        5.2.1. Badly Configured Apache
        5.2.2. Poorly Designed Web Applications
        5.2.3. Real-Life Client Problems
    5.3. Traffic Spikes
        5.3.1. Content Compression
        5.3.2. Bandwidth Attacks
        5.3.3. Cyber-Activism
        5.3.4. The Slashdot Effect
    5.4. Attacks on Apache
        5.4.1. Apache Vulnerabilities
        5.4.2. Brute-Force Attacks
        5.4.3. Programming Model Attacks
    5.5. Local Attacks
        5.5.1. PAM Limits
        5.5.2. Process Accounting
        5.5.3. Kernel Auditing
    5.6. Traffic-Shaping Modules
    5.7. DoS Defense Strategy

6. Sharing Servers
    6.1. Sharing Problems
        6.1.1. File Permission Problems
        6.1.2. Dynamic-Content Problems
        6.1.3. Sharing Resources
        6.1.4. Same Domain Name Problems
        6.1.5. Information Leaks on Execution Boundaries
    6.2. Distributing Configuration Data
    6.3. Securing Dynamic Requests
        6.3.1. Enabling Script Execution
        6.3.2. Setting CGI Script Limits
        6.3.3. Using suEXEC
        6.3.4. FastCGI
        6.3.5. Running PHP as a Module
    6.4. Working with Large Numbers of Users
        6.4.1. Web Shells
        6.4.2. Dangerous Binaries

7. Access Control
    7.1. Overview
    7.2. Authentication Methods
        7.2.1. Basic Authentication
        7.2.2. Digest Authentication
        7.2.3. Form-Based Authentication
    7.3. Access Control in Apache
        7.3.1. Basic Authentication Using Plaintext Files
        7.3.2. Basic Authentication Using DBM Files
        7.3.3. Digest Authentication
        7.3.4. Certificate-Based Access Control
        7.3.5. Network Access Control
        7.3.6. Proxy Access Control
        7.3.7. Final Access Control Notes
    7.4. Single Sign-on
        7.4.1. Web Single Sign-on
        7.4.2. Simple Apache-Only Single Sign-on

8. Logging and Monitoring
    8.1. Apache Logging Facilities
        8.1.1. Request Logging
        8.1.2. Error Logging
        8.1.3. Special Logging Modules
        8.1.4. Audit Log
        8.1.5. Performance Measurement
        8.1.6. File Upload Interception
        8.1.7. Application Logs
        8.1.8. Logging as Much as Possible
    8.2. Log Manipulation
        8.2.1. Piped Logging
        8.2.2. Log Rotation
        8.2.3. Issues with Log Distribution
    8.3. Remote Logging
        8.3.1. Manual Centralization
        8.3.2. Syslog Logging
        8.3.3. Database Logging
        8.3.4. Distributed Logging with the Spread Toolkit
    8.4. Logging Strategies
    8.5. Log Analysis
    8.6. Monitoring
        8.6.1. File Integrity
        8.6.2. Event Monitoring
        8.6.3. Web Server Status

9. Infrastructure
    9.1. Application Isolation Strategies
        9.1.1. Isolating Applications from Servers
        9.1.2. Isolating Application Modules
        9.1.3. Utilizing Virtual Servers
    9.2. Host Security
        9.2.1. Restricting and Securing User Access
        9.2.2. Deploying Minimal Services
        9.2.3. Gathering Information and Monitoring Events
        9.2.4. Securing Network Access
        9.2.5. Advanced Hardening
        9.2.6. Keeping Up to Date
    9.3. Network Security
        9.3.1. Firewall Usage
        9.3.2. Centralized Logging
        9.3.3. Network Monitoring
        9.3.4. External Monitoring
    9.4. Using a Reverse Proxy
        9.4.1. Apache Reverse Proxy
        9.4.2. Reverse Proxy by Network Design
        9.4.3. Reverse Proxy by Redirecting Network Traffic
    9.5. Network Design
        9.5.1. Reverse Proxy Patterns
        9.5.2. Advanced Architectures

10. Web Application Security
    10.1. Session Management Attacks
        10.1.1. Cookies
        10.1.2. Session Management Concepts
        10.1.3. Keeping in Touch with Clients
        10.1.4. Session Tokens
        10.1.5. Session Attacks
        10.1.6. Good Practices
    10.2. Attacks on Clients
        10.2.1. Typical Client Attack Targets
        10.2.2. Phishing
    10.3. Application Logic Flaws
        10.3.1. Cookies and Hidden Fields
        10.3.2. POST Method
        10.3.3. Referrer Check Flaws
        10.3.4. Process State Management
        10.3.5. Client-Side Validation
    10.4. Information Disclosure
        10.4.1. HTML Source Code
        10.4.2. Directory Listings
        10.4.3. Verbose Error Messages
        10.4.4. Debug Messages
    10.5. File Disclosure
        10.5.1. Path Traversal
        10.5.2. Application Download Flaws
        10.5.3. Source Code Disclosure
        10.5.4. Predictable File Locations
    10.6. Injection Flaws
        10.6.1. SQL Injection
        10.6.2. Cross-Site Scripting
        10.6.3. Command Execution
        10.6.4. Code Execution
        10.6.5. Preventing Injection Attacks
    10.7. Buffer Overflows
    10.8. Evasion Techniques
        10.8.1. Simple Evasion Techniques
        10.8.2. Path Obfuscation
        10.8.3. URL Encoding
        10.8.4. Unicode Encoding
        10.8.5. Null-Byte Attacks
        10.8.6. SQL Evasion
    10.9. Web Application Security Resources
        10.9.1. General Resources
        10.9.2. Web Application Security Resources

11. Web Security Assessment
    11.1. Black-Box Testing
        11.1.1. Information Gathering
        11.1.2. Web Server Analysis
        11.1.3. Web Application Analysis
        11.1.4. Attacks Against Access Control
        11.1.5. Vulnerability Probing
    11.2. White-Box Testing
        11.2.1. Architecture Review
        11.2.2. Configuration Review
        11.2.3. Functional Review
    11.3. Gray-Box Testing

12. Web Intrusion Detection
    12.1. Evolution of Web Intrusion Detection
        12.1.1. Is Intrusion Detection the Right Approach?
        12.1.2. Log-Based Web Intrusion Detection
        12.1.3. Real-Time Web Intrusion Detection
        12.1.4. Web Intrusion Detection Features
    12.2. Using mod_security
        12.2.1. Introduction
        12.2.2. More Configuration Advice
        12.2.3. Deployment Guidelines
        12.2.4. Detecting Common Attacks
        12.2.5. Advanced Topics

A. Tools
    A.1. Learning Environments
        A.1.1. WebMaven
        A.1.2. WebGoat
    A.2. Information-Gathering Tools
        A.2.1. Online Tools at TechnicalInfo
        A.2.2. Netcraft
        A.2.3. Sam Spade
        A.2.4. SiteDigger
        A.2.5. SSLDigger
        A.2.6. Httprint
    A.3. Network-Level Tools
        A.3.1. Netcat
        A.3.2. Stunnel
        A.3.3. Curl
        A.3.4. Network-Sniffing Tools
        A.3.5. SSLDump
    A.4. Web Security Scanners
        A.4.1. Nikto
        A.4.2. Nessus
    A.5. Web Application Security Tools
        A.5.1. Paros
        A.5.2. Commercial Web Security Tools
    A.6. HTTP Programming Libraries

Index

Apache Security
Author: Ivan Ristic
Editors: Allison Randal, Tatiana Apandi
Copyright © 2009 O'Reilly Media, Inc.