BN.com Gift Guide

Preventing Web Attacks with Apache

Paperback (Print)
Buy Used
Buy Used from BN.com
$32.35
(Save 41%)
Item is in good condition but packaging may have signs of shelf wear/aging or torn packaging.
Condition: Used – Good details
Used and New from Other Sellers
Used and New from Other Sellers
from $2.26
Usually ships in 1-2 business days
(Save 95%)
Other sellers (Paperback)
  • All (12) from $2.26   
  • New (5) from $32.82   
  • Used (7) from $2.26   

Overview

“Ryan Barnett has raised the bar in terms of running Apache securely. If you run Apache, stop right now and leaf through this book; you need this information.”

–Stephen Northcutt, The SANS Institute

The only end-to-end guide to securing Apache Web servers and Web applications

Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won’t protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you’ll need to do that: step-by-step guidance, hands-on examples, and tested configuration files.

Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.

Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured “in the wild.”

For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security.

With this book, you will learn to

  • Address the OS-related flaws most likely to compromise Web server security
  • Perform security-related tasks needed to safely download, configure, and install Apache
  • Lock down your Apache httpd.conf file and install essential Apache security modules
  • Test security with the CIS Apache Benchmark Scoring Tool
  • Use the WASC Web Security Threat Classification to identify and mitigate application threats
  • Test Apache mitigation settings against the Buggy Bank Web application
  • Analyze an Open Web Proxy Honeypot to gather crucial intelligence about attackers
  • Master advanced techniques for detecting and preventing intrusions
Read More Show Less

Product Details

  • ISBN-13: 9780321321282
  • Publisher: Addison-Wesley
  • Publication date: 2/7/2006
  • Pages: 624
  • Product dimensions: 6.92 (w) x 9.40 (h) x 1.14 (d)

Meet the Author

Ryan C. Barnett is a chief security officer for EDS. He currently leads both Operations Security and Incident Response Teams for a government bureau in Washington, DC. In addition to his nine-to-five job, Ryan is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security, Top 20 Vulnerabilities team member, and local mentor for the SANS Track 4, “Hacker Techniques, Exploits, and Incident Handling,” course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX), and Security Essentials (GSEC). In addition to the SANS Institute, he is also the team lead for the Center for Internet Security Apache Benchmark Project and a member of the Web Application Security Consortium.

Read More Show Less

Read an Excerpt

ForewordForeword

Ryan Barnett recently asked if I'd write the foreword to his book. I was delighted to even be considered because Ryan is an exceptional security professional and the honor could have easily gone to anyone in the industry. Ryan has a background as someone who actively defends government web sites. He's the person who led the effort to create the Apache Benchmark standard for the Center for Internet Security (CIS). He's a co-author of the Web Security Threat Classification for the Web Application Security Consortium (WASC), and has more certifications than I knew existed. Ryan is also a SANS Instructor for Apache Security. There's quite a bit more, but suffice it to say Ryan has to be one of the most-qualified experts to write Preventing Web Attacks with Apache.

A foreword is an opportunity to express why a particular topic is important and describe what role the information plays in a broader context. Even though I've been part of the web application security field for a really long time (back before there was a term to describe what we do), more research was in order. I fired up Firefox and headed on over to Google for some investigation. Netcraft, the WASC, the CIS, the Open Source Vulnerability Database (OSVDB), SecurityFocus, and Wikipedia are incredible resources for collecting security information. While I was taking notes and saving bookmarks, it suddenly occurred to me that during my research, I must have crossed paths with hundreds of Apache web servers without realizing it. What a perfect way to describe the importance of Apache security!

According to Netcraft's Web Server Survey (September 2005), Apacheaccounts for roughly 70 percent of the Internet's web servers. Through our tiny browser window, it's difficult to imagine the global hum of 72 million web servers, the keyboard chatter of over 800 million international netizens, wading through a sea of 8 billion web pages. Apache is a fundamental part of our daily online lives—so much so, it's become a transparent artifact in the architecture of the web. When we shop for books, reserve plane tickets, read the news, check our bank account, bid in an auction, or do anything else with a web browser, the odds are there's an Apache web server involved. How's that for important?

The web has become bigger and more powerful than we ever imagined. 24x7x365, web sites carry out mission-critical business processes, exchanging even the most sensitive forms of information including names, addresses, phone numbers, social security numbers, financial records, medical history, birth dates, business contacts, and more. Web sites may also supply access to source code, intellectual property, customer lists, payroll data, HR data, routers, and servers. If a particular computer system or business process isn't web-enabled today, bet that it will be tomorrow. Anything a cyber-criminal would ever want is available somewhere on a web site. With all the great things we can do on the web, one must temper the benefits with the risk that any information available on or behind a web site is also a target for identify theft, industrial espionage, extortion, and fraud. It should come as no surprise that the attack trends we're witnessing are migrating from the network layer up to the web application layer.

Here's where things get interesting and scary at the same time. Firewalls, anti-virus scanners, and Secure Sockets Layer (SSL) do not help secure a web site. Let me say that again. Firewalls, anti-virus scanners, and SSL do not help secure a web site. When you visit any web site, we don't see any of these things because they functionally don't exist at the web layer. On the web, there's nothing standing between a hacker, your web server, your web applications, and your database. With something as pervasive as Apache, the knowledge of how to prevent web attacks is vital.

A martial arts black belt is a suitable analogy. It might take someone years to acquire the knowledge required to proficiently react to a given security scenario. Both Ryan and myself have experience defending extremely large and public web-enabled systems. We've witnessed the sophisticated and voluminous attacks that inundate our web servers. From Brute-Force or Cross-Site Scripting to Denial of Service or SQL Injection and Worms, the attacks are varied and pervasive. A single day of monitoring web server log files is enough to appreciate how much skill is required to thwart the ever-growing security threats.

Ryan has done a remarkable job combining his years of personal experience with the collective knowledge of a community of experts. Readers will be well served by this material for as long as there are web servers. I'll finish up with a famous quote I feel captures the essence of Preventing Web Attacks with Apache.

"The significant problems we face cannot be solved at the same level of thinking we were at when we created them."

—Albert Einstein (1879-1955)

We must be diligent, we must keep learning, we will prevail.

Jeremiah Grossman
Founder and CTO of WhiteHat Security
Cofounder of the Web Application Security Consortium (WASC)
September, 2005

© Copyright Pearson Education. All rights reserved.

Read More Show Less

Table of Contents

About the Author xix

Foreword xxi

Acknowledgments xxv

Introduction xxvii

Chapter 1 Web Insecurity Contributing Factors 1

A Typical Morning 1

Why Web Security Is Important 3

Web Insecurity Contributing Factors 4

Managerial/Procedural Issues 4

Management and the Bottom Line 4

Selling Loaded Guns 5

The Two-Minute Drill 5

Development Environment Versus Production Environment 6

Firefighting Approach to Web Security (Reacting to Fires) 7

Technical Misconceptions Regarding Web Security 7

“We have our web server in a Demilitarized Zone (DMZ).” 8

“We have a firewall.” 9

“We have a Network-Based Intrusion Detection System.” 9

“We have a Host-Based Intrusion Detection System.” 11

“We are using Secure Socket Layer (SSL).” 11

Summary 11

Chapter 2 CIS Apache Benchmark 13

CIS Apache Benchmark for UNIX: OS-Level Issues 13

Minimize/Patch Non-HTTP Services 13

Example Service Attack: 7350wu–FTP Exploit 19

Vulnerable Services’ Impact on Apache’s Security 22

Apply Vendor OS Patches 23

Tune the IP Stack 24

Denial of Service Attacks 25

Create the Web Groups and User Account 28

Lock Down the Web Server User Account 31

Implementing Disk Quotas 32

Accessing OS-Level Commands 35

Update the Ownership and Permissions of System Commands 39

Traditional Chroot 40

Chroot Setup Warning 41

Mod_Security Chroot 41

Chroot Setup 41

Summary 50

Chapter 3 Downloading and Installing Apache 53

Apache 1.3 Versus 2.0 53

Using Pre-Compiled Binary Versus Source Code 54

Downloading the Apache Source Code 56

Why Verify with MD5 and PGP? 56

Uncompress and Open: Gunzip and Untar 63

Patches–Get ’em While They’re Hot! 64

Monitoring for Vulnerabilities and Patches 66

What Modules Should I Use? 70

Summary 80

Chapter 4 Configuring the httpd.conf File 81

CIS Apache Benchmark Settings 84

The httpd.conf File 85

Disable Un-Needed Modules 86

Directives 86

Server-Oriented Directives 87

Multi-Processing Modules (MPMs) 87

Listen 88

ServerName 88

ServerRoot 89

DocumentRoot 89

HostnameLookups 89

User-Oriented Directives 90

User 90

Group 91

ServerAdmin 91

Denial of Service (DoS) Protective Directives 92

Testing with Apache HTTP Server Benchmarking Tool (ab) in Default Configuration 92

TimeOut 94

KeepAlive 95

KeepAliveTimeout 95

MaxKeepAliveRequests 95

StartServers 96

MinSpareServers and MaxSpareServers 96

ListenBacklog 96

MaxClients and ServerLimit 97

Testing with Apache HTTP Benchmarking Tool (ab) with Updated Configuration 97

Forward Reference 99

Software Obfuscation Directives 99

ServerTokens 99

ServerSignature 101

ErrorDocument 102

Directory Functionality Directives 104

All 104

ExecCGI 104

FollowSymLinks and SymLinksIfOwnerMatch 105

Includes and IncludesNoExec 105

Indexes 106

AllowOverride 106

Multiviews 107

Access Control Directives 107

Authentication Setup 108

Authorization 109

Order 110

Order deny, allow 110

Order allow, deny 110

Access Control: Where Clients Come From 111

Hostname or Domain 111

IP Address and IP Range 112

Client Request ENV 112

Protecting the Root Directory 113

Limiting HTTP Request Methods 114

Logging General Directives 114

LogLevel 114

ErrorLog 115

LogFormat 115

CustomLog 115

Removing Default/Sample Files 116

Apache Source Code Files 116

Default HTML Files 116

Sample CGIs 117

Webserv User Files 118

Updating Ownership and Permissions 118

Server Configuration Files 119

DocumentRoot Files 119

CGI-Bin 119

Logs 120

Bin 120

Updating the Apachectl Script 120

Nikto Scan After Updates 122

Summary 122

Chapter 5 Essential Security Modules for Apache 125

Secure Socket Layer (SSL) 125

Why Should I Use SSL? 126

How Does SSL Work? 128

Software Requirements 132

Installing SSL 133

Creating an SSL Certificate 133

Testing the Initial Configuration 134

Configuring mod_ssl 137

SSL Summary 144

Mod_Rewrite 144

Enabling Mod_Rewrite 145

Mod_Rewrite Summary 147

Mod_Log_Forensic 147

Mod_Dosevasive 149

What Is Mod_Dosevasive? 149

Installing Mod_Dosevasive 149

How Does Mod_Dosevasive Work? 150

Configuration 151

Mod_Dosevasive Summary 155

Mod_Security 155

Installing Mod_Security 156

Mod_Security Overview 156

Features and Capabilities of Mod_Security 157

Anti-Evasion Techniques 158

Special Built-In Checks 159

Filtering Rules 162

Actions 164

Wait, There’s Even More! 168

Summary 169

Chapter 6 Using the Center for Internet Security Apache Benchmark Scoring Tool 171

Downloading, Unpacking, and Running the Scoring Tool 171

Unpacking the Archive 173

Running the Tool 174

Summary 180

Chapter 7 Mitigating the WASC Web Security Threat Classification with Apache 181

Contributors 182

Web Security Threat Classification Description 182

Goals 183

Documentation Uses 183

Overview 183

Background 184

Classes of Attack 184

Threat Format 186

Authentication 186

Brute Force 187

Insufficient Authentication 191

Weak Password Recovery Validation 192

Authorization 195

Credential/Session Prediction 195

Insufficient Authorization 198

Insufficient Session Expiration 199

Session Fixation 201

Client-Side Attacks 205

Content Spoofing 205

Cross-Site Scripting 207

Command Execution 210

Buffer Overflow 210

Format String Attack 215

LDAP Injection 218

OS Commanding 220

SQL Injection 223

SSI Injection 228

XPath Injection 230

Information Disclosure 232

Directory Indexing 232

Information Leakage 236

Path Traversal 239

Predictable Resource Location 242

Logical Attacks 243

Abuse of Functionality 244

Denial of Service 246

Insufficient Anti-Automation 250

Insufficient Process Validation 251

Summary 253

Chapter 8 Protecting a Flawed Web Application: Buggy Bank 255

Installing Buggy Bank 256

Buggy Bank Files 257

Turn Off Security Settings 258

Testing the Installation 258

Functionality 261

Login Accounts 262

Assessment Methodology 262

General Questions 262

Tools Used 263

Configuring Burp Proxy 263

Buggy Bank Vulnerabilities 266

Comments in HTML 266

Enumerating Account Numbers 267

How Much Entropy? 270

Brute Forcing the Account Numbers 270

Enumerating PIN Numbers 273

Account Unlocked 274

Account Locked 274

Brute Forcing the PIN Numbers 276

Command Injection 277

Injecting Netstat 278

SQL Injection 282

SQL Injection Mitigation 285

Cross-Site Scripting (XSS) 287

Mitigations 289

Balance Transfer Logic Flaw 290

Mitigation 292

Summary 293

Chapter 9 Prevention and Countermeasures 295

Why Firewalls Fail to Protect Web Servers/Applications 296

Why Intrusion Detection Systems Fail as Well 299

Deep Packet Inspection Firewalls, Inline IDS, and Web Application Firewalls 304

Deep Packet Inspection Firewall 304

Inline IDS 305

Web Application Firewall (WAF) 307

Web Intrusion Detection Concepts 309

Signature-Based 309

Positive Policy Enforcement (White-Listing) 314

Header-Based Inspection 325

Protocol-Based Inspection 329

Uniform Resource Identifier (URI) Inspection 336

Heuristic-Based Inspection 339

Anomaly-Based Inspection 340

Web IDS Evasion Techniques and Countermeasures 342

HTTP IDS Evasion Options 342

Anti-Evasion Mechanisms 347

Evasion by Abusing Apache Functionality 348

Identifying Probes and Blocking Well-Known Offenders 352

Worm Probes 352

Blocking Well-Known Offenders 354

Nmap Ident Scan 357

Nmap Version Scanning 358

Why Change the Server Banner Information? 359

Masking the Server Banner Information 361

HTTP Fingerprinting 363

Implementation Differences of the HTTP Protocol 364

Banner Grabbing 370

Advanced Web Server Fingerprinting 370

HTTPrint 371

Web Server Fingerprinting Defensive Recommendations 373

Bad Bots, Curious Clients, and Super Scanners 379

Bad Bots and Curious Clients 379

Super Scanners 381

Reacting to DoS, Brute Force, and Web Defacement Attacks 388

DoS Attacks 388

Brute Force Attacks 389

Web Defacements 392

Defacement Countermeasures 397

Alert Notification and Tracking Attackers 399

Setting Up Variables 402

Creating Historical Knowledge 403

Filtering Out Noise and Thresholding Emails 403

Request Snapshot and Attacker Tracking Links 403

Send Alert to Pager 404

Crude Pause Feature 404

Send the HTML 404

Example Email Alerts 404

Log Monitoring and Analysis 412

Real-Time Monitoring with SWATCH 413

Heuristic/Statistical Log Monitoring with SIDS 417

Honeypot Options 424

Sticky Honeypot 424

Fake PHF 425

OS Commanding Trap and Trace 427

Mod_Rewrite (2.1) to the Rescue 428

Summary 429

Chapter 10 Open Web Proxy Honeypot 431

Why Deploy an Open Web Proxy Honeypot? 431

Lack of Knowledge That an Attack Even Occurred 432

Lack of Verbose/Adequate Logging of HTTP Transactions 432

Lack of Interest in Public Disclosure of the Attack 432

What Are Proxy Servers? 433

Open Proxy Background 434

Open Web Proxy Honeypot 435

Linksys Router/Firewall 435

Turn Off Un-Needed Network Services 436

Configure Apache for Proxy 436

Data Control 439

Mod_Dosevasive 439

Mod_Security 439

Utilizing Snort Signatures 441

Brute Force Attacks 441

Data Capture 442

Real-Time Monitoring with Webspy 444

Honeynet Project’s Scan of the Month Challenge #31 444

The Challenge 445

Initial Steps 446

Question: How Do You Think the Attackers Found the Honeyproxy? 447

Question: What Different Types of Attacks Can You Identify? For Each Category, Provide Just One Log Example and Detail as Much Info About the Attack as Possible (Such as CERT/CVE/Anti-Virus ID Numbers). How Many Can You Find? 448

Search Logs for Mod_Security-Message 449

Utilization of the AllowCONNECT Proxying Capabilities 450

Search Logs for Abnormal HTTP Status Codes 451

Abnormal HTTP Request Methods 454

Non-HTTP Compliant Requests 455

Attack Category–SPAMMERS 457

Attack Category–Brute Force Authentication 459

Attack Category–Vulnerability Scans 459

Attack Category–Web-Based Worms 465

Attack Category–Banner/Click-Thru Fraud 468

Attack Category–IRC Connections 469

Question: Do Attackers Target Secure Socket Layer (SSL)-Enabled Web Servers? 470

Did They Target SSL on Our Honeyproxy? 471

Why Would They Want to Use SSL? 472

Why Didn’t They Use SSL Exclusively? 472

Question: Are There Any Indications of Attackers Chaining Through Other Proxy Servers? Describe How You Identified This Activity. List Other Proxy Servers Identified. Can You Confirm That These Are Indeed Proxy Servers? 473

Identifying the Activity 473

Confirming the Proxy Servers 475

Targeting Specific Open Proxies 479

Targeting Specific Destination Servers 480

Question: Identify the Different Brute Force Authentication Attack Methods. Can You Obtain the Clear-Text Username/Password Credentials? Describe Your Methods. 481

HTTP GET Requests 481

HTTP POST Requests 482

HTTP Basic Authentication 483

Obtaining the Cleartext Authorization Credentials 485

Distributed Brute Force Scan Against Yahoo Accounts 486

Forward and Reverse Scanning 487

Question: What Does the Mod_Security Error Message “Invalid Character Detected” Mean? What Were the Attackers Trying to Accomplish? 493

SecFilterCheckURLEncoding–URL-Encoding Validation 493

SecFilterCheckUnicodeEncoding–Unicode-Encoding Validation 494

SecFilterForceByteRange–Byte Range Check 494

SOCKS Proxy Scan 494

Code Red/NIMDA Worm Attacks 495

Question: Several Attackers Tried to Send SPAM by Accessing the Following URL: http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They Tried to Send Email with an HTML Attachment (Files Listed in the /upload Directory). What Does the SPAM Web Page Say? Who Are the SPAM Recipients? 496

SPAM Recipients 497

Question: Provide Some High-Level Statistics. 498

Top Ten Attacker IP Addresses 498

Top Ten Targets 500

Top User-Agents (Any Weird/Fake Agent Strings?) 500

Attacker Correlation from DShield and Other Sources? 501

Bonus Question: Why Do You Think the Attackers Were Targeting Pornography Web sites for Brute Force Attacks? (Besides the Obvious Physical Gratification Scenarios.) 502

Even Though the Proxypot’s IP/Hostname Was Obfuscated from the Logs, Can You Still Determine the Probable Network Block Owner? 504

Summary 506

Chapter 11 Putting It All Together 509

Example Vulnerability Alert 509

Verify the Software Version 510

Patch Availability 510

Vulnerability Details 511

Creating a Mod_Security Vulnerability Filter 514

Testing the Vulnerability Filter 515

First Aid Versus a Hospital 516

Web Security: Beyond the Web Server 517

Domain Hijacking 517

DNS Cache Poisoning 517

Caching Proxy Defacement 519

Banner Ad Defacement 520

News Ticker Manipulations 521

Defacement or No Defacement? 521

Summary 522

Appendix A Web Application Security Consortium Glossary 523

Appendix B Apache Module Listing 533

Appendix C Example httpd.conf File 549

Index 561

Read More Show Less

Preface

Foreword

Ryan Barnett recently asked if I'd write the foreword to his book. I was delighted to even be considered because Ryan is an exceptional security professional and the honor could have easily gone to anyone in the industry. Ryan has a background as someone who actively defends government web sites. He's the person who led the effort to create the Apache Benchmark standard for the Center for Internet Security (CIS). He's a co-author of the Web Security Threat Classification for the Web Application Security Consortium (WASC), and has more certifications than I knew existed. Ryan is also a SANS Instructor for Apache Security. There's quite a bit more, but suffice it to say Ryan has to be one of the most-qualified experts to write Preventing Web Attacks with Apache.

A foreword is an opportunity to express why a particular topic is important and describe what role the information plays in a broader context. Even though I've been part of the web application security field for a really long time (back before there was a term to describe what we do), more research was in order. I fired up Firefox and headed on over to Google for some investigation. Netcraft, the WASC, the CIS, the Open Source Vulnerability Database (OSVDB), SecurityFocus, and Wikipedia are incredible resources for collecting security information. While I was taking notes and saving bookmarks, it suddenly occurred to me that during my research, I must have crossed paths with hundreds of Apache web servers without realizing it. What a perfect way to describe the importance of Apache security!

According to Netcraft's Web Server Survey (September 2005), Apache accounts for roughly 70 percent of the Internet's web servers. Through our tiny browser window, it's difficult to imagine the global hum of 72 million web servers, the keyboard chatter of over 800 million international netizens, wading through a sea of 8 billion web pages. Apache is a fundamental part of our daily online lives—so much so, it's become a transparent artifact in the architecture of the web. When we shop for books, reserve plane tickets, read the news, check our bank account, bid in an auction, or do anything else with a web browser, the odds are there's an Apache web server involved. How's that for important?

The web has become bigger and more powerful than we ever imagined. 24x7x365, web sites carry out mission-critical business processes, exchanging even the most sensitive forms of information including names, addresses, phone numbers, social security numbers, financial records, medical history, birth dates, business contacts, and more. Web sites may also supply access to source code, intellectual property, customer lists, payroll data, HR data, routers, and servers. If a particular computer system or business process isn't web-enabled today, bet that it will be tomorrow. Anything a cyber-criminal would ever want is available somewhere on a web site. With all the great things we can do on the web, one must temper the benefits with the risk that any information available on or behind a web site is also a target for identify theft, industrial espionage, extortion, and fraud. It should come as no surprise that the attack trends we're witnessing are migrating from the network layer up to the web application layer.

Here's where things get interesting and scary at the same time. Firewalls, anti-virus scanners, and Secure Sockets Layer (SSL) do not help secure a web site. Let me say that again. Firewalls, anti-virus scanners, and SSL do not help secure a web site. When you visit any web site, we don't see any of these things because they functionally don't exist at the web layer. On the web, there's nothing standing between a hacker, your web server, your web applications, and your database. With something as pervasive as Apache, the knowledge of how to prevent web attacks is vital.

A martial arts black belt is a suitable analogy. It might take someone years to acquire the knowledge required to proficiently react to a given security scenario. Both Ryan and myself have experience defending extremely large and public web-enabled systems. We've witnessed the sophisticated and voluminous attacks that inundate our web servers. From Brute-Force or Cross-Site Scripting to Denial of Service or SQL Injection and Worms, the attacks are varied and pervasive. A single day of monitoring web server log files is enough to appreciate how much skill is required to thwart the ever-growing security threats.

Ryan has done a remarkable job combining his years of personal experience with the collective knowledge of a community of experts. Readers will be well served by this material for as long as there are web servers. I'll finish up with a famous quote I feel captures the essence of Preventing Web Attacks with Apache.

"The significant problems we face cannot be solved at the same level of thinking we were at when we created them."

—Albert Einstein (1879-1955)

We must be diligent, we must keep learning, we will prevail.

Jeremiah Grossman
Founder and CTO of WhiteHat Security
Cofounder of the Web Application Security Consortium (WASC)
September, 2005

© Copyright Pearson Education. All rights reserved.

Read More Show Less

Customer Reviews

Average Rating 5
( 1 )
Rating Distribution

5 Star

(1)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing 1 Customer Reviews
  • Anonymous

    Posted March 6, 2006

    bolt down your Apache

    Apache is the most common web server out there. It has been heavily built up in functionality by volunteer programmers. Naturally, there are numerous books detailing all that you can do with it. Very versatile. Unfortunately, that is one of the problems! As many commercial websites use Apache, there is a huge incentive for crackers to subvert it in various fashions. Perhaps to get at the back end SQL database. In which might be stored useful information like people's names and credit card data. Barnett offers inoculation. You can read this book as the sysadmin's manual to installing and running Apache. Where the overriding priority is to bolt down any known weaknesses from the get go. There is a comprehensive list of attacks. Some might not necessarily be directed against Apache per se, but against any web server. But there are others that might scan for particular versions of Apache or the operating system, if these have bugs that can be exploited. The text suggests possibly providing disinformation. In an earlier, more innocent time, a web server might write its name and version at the bottom of a page that it publishes, for example. Now, you are shown how Apache can suppress this. Better yet, you can tell Apache to pretend to be another web server. A defensive fib that makes the cracker's job a little harder. Buffer overflows, cross site scripting and SQL injection are possibly the most dangerous attacks explained. For each attack, examples are usually given. Followed by Apache countermeasures. Tangentially, you also get to cast scrutiny at your database and at the entire way your multitier server system is arranged. The book is a sad but necessary commentary on the times we live in.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing 1 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)