Maximum Apache Security - Timothy Anonymous

Maximum Apache Security

Book | Softcover
696 pages
2002
Sams Publishing (publisher)
978-0-672-32380-5 (ISBN)
45,90 incl. VAT
  • Title is unfortunately out of print;
    no new edition
A complete guide to securing the world's most popular Web server, written by the original Maximum Security author.
Many of the high-profile attacks on prominent Web sites of the last couple of years are a direct result of poor Web site or Web application security.

With more than 65 percent of Web sites using the Apache Web server and the Apache-based open source Web development environment, and with the risk of sabotage greater than ever, Apache administrators and developers need to know how to build and maintain secure Web servers and Web applications.

Yet most of the currently available Apache books lack detailed information on important Web administration topics like security. Maximum Apache Security details the complex security weaknesses and risks of Apache, and provides hands-on solutions for keeping a Web site secure and buttressed against intruders. It includes up-to-date coverage of both Apache 2.0 and Apache 1.3.

Anonymous is a self-described Unix and Perl fanatic who lives in southern California. He currently runs an Internet security consulting company, and is at work building one of the world's largest computer security archives. He also moonlights doing contract programming for several Fortune 500 firms. Anonymous is also the author of the acclaimed Maximum Security and Maximum Linux Security books.

(NOTE: Each chapter concludes with a Summary.)

Introduction.


Why Did I Write This Book? What This Book Will Tell You. System Requirements. This Book's Organization. About Examples in This Book.

I. GETTING STARTED.

1. How Apache Handles Security.


Generic HTTP Security Considerations. Apache Security Facilities. Apache Extensibility. Things Apache Can't Defend Against.

II. CREATING A SECURE APACHE HOST SERVER.

2. The Risks: Cracking Apache.


Inherent Risks of Running a Web Server. Sobering Statistics to Consider. How Security Disasters Develop.

3. Establishing Minimum Server Security.


Physical Security Concepts. Server Location and Physical Access. Network Topology. BIOS and Console Passwords. Media and Boot Security. Anti-Theft Devices.

4. Environmental Hazards: Apache and Your Operating System.


Apache and Your Underlying Operating System. Environmental Risks Common to Unix. Environmental Risks Common to Windows. Other Environmental Risks.

5. Apache, Databases, and Security.


Apache Database Support. Apache and Proprietary Databases. Apache and MySQL. PostgreSQL. Apache and Commercial SQL Packages. General Database Security Measures.

III. HACKING APACHE'S CONFIGURATION.

6. Apache Versions and Security.


Brief History of Apache Versions. Security Issues Common to Apache Releases. Patch Maintenance and Other Measures.

7. Version 2.0 IPv6 Support.


What Is IPv6? IPv6 and Security. Why Does Apache Support IPv6? Apache and IPv6 Addressing. IPv6 Address Issues in Development. Listen, NameVirtualHost, and VirtualHost. IPv6 Implementations.

8. Overlording Apache Server: General Administration.


Permissions and Apache Server. URL Mapping and Security. Resource Usage. Apache Server Tools.

9. Spotting Crackers: Apache Logging Facilities.


What Is Logging, Exactly? How Apache Handles Logging. httpd Logs. Some Security Caveats About Logs. Piped Logs. The SetEnvIf Directive and Conditional Logging. Other Interesting Apache-Related Logging Tools. Other Interesting Logging Tools Not Specific to Apache.

IV. RUNTIME APACHE SECURITY.

10. Apache Network Access Control.


What Is Network Access Control? How Apache Handles Network Access Control: Introducing mod_access. Using Network Access Control in Apache (httpd.conf). Virtual Hosts and Network Access Control.

11. Apache and Authentication: Who Goes There?


What Is Authentication? How Apache Handles Basic Authentication: Introducing mod_auth. Htpasswd. Weaknesses in Basic HTTP Authentication. DBM File-Based Authentication: Introducing mod_auth_dbm. HTTP and Cryptographic Authentication. SSL-Based Authentication. Other Tools for Extending Apache's Authentication. Holes in Apache Authentication: Historical Perspective.

12. Hacking Secure Code: Apache at Server Side.


Apache Language Support. What Is Server-Side Programming? General CGI Security Issues. Spawning Shells. Buffer Overruns. Paths, Directories, and Files. PHP. Interesting Security Programming and Testing Tools. Other Online Resources.

13. Hacking Secure Code: Apache at Client Side.


What Is Client-Side Programming? General Client-Side Security Issues. JavaScript. VBScript.

V. ADVANCED APACHE.

14. Apache Under the Hood: Open Source and Security.


Security Contexts in Apache's Source Tree. Files That Deal with Passwords. Files That Deal with General Security. Key Apache C Source Files and What They Do. Include File Cross-Reference.

15. Apache/SSL.


What Is SSL? How Secure Is SSL? mod_ssl. What is Apache-SSL? Installing Apache-SSL. Certificate Authorities. Commercial SSL Packages.

16. Apache and Firewalls.


What Is a Firewall? Apache as a Proxy Server. Other Network Access Control Tools. tcpd: TCP Wrappers. IP Filtering in Windows. Proxy Tools That Work with Apache. Commercial Firewalls.

17. Apache and Ciphers.


What Is a Cipher? MD5. SSL. Other Ciphers.

18. Hacking Homegrown Apache Modules.


Your Process Model. mod_fortress: An Example. mod_auth_ip: Another Example. mod_random. mod_python. Module Development Considerations.

VI. APPENDIXES.

Appendix A. Apache Security-Related Modules and Directives.


. . . AccessFileName. AllowOverride. Anonymous. Anonymous_Authoritative. Anonymous_LogEmail. Anonymous_MustGiveEmail. Anonymous_NoUserID. Anonymous_VerifyEmail. AuthAuthoritative. AuthDBMAuthoritative. AuthDBMUserFile. AuthDBUserFile. AuthGroupFile. AuthLDAPAuthoritative. AuthName. AuthType. AuthUserFile. CookieExpires. CookieLog. CookieTracking. CustomLog. IdentityCheck. LimitRequestBody. LimitRequestFields. LimitRequestFieldsize. LimitRequestLine. LimitXMLRequestBody. LockFile. LogFormat. mod_access. mod_auth. mod_auth_anon. mod_auth_db. mod_auth_dbm. mod_auth_digest. mod_auth_ldap. mod_cgi. mod_cgid. mod_env. mod_include. mod_log_config. mod_suexec. mod_unique_id. mod_user_track. PassEnv. PidFile. ProxyBlock. ProxyDomain. ProxyReceiveBufferSize. ProxyRemote. ProxyRequests. ProxyVia. ServerAdmin. ServerAlias. ServerName. ServerPath. ServerRoot. ServerSignature. User. UserDir.

Appendix B. Apache Security Advisories and Bugs.


Apache Security Issues. Bug Report Structure. The Critical Listings.

Appendix C. Apache Security Resources.
Appendix D. Apache API Quick Reference.


Anatomy of an Apache Transaction. Configuration. Handlers. Resource Allocation. Apache API Constants.

Appendix E. Glossary.
Index.

Publication date (per publisher) 12.6.2002
Place of publication Indianapolis
Language English
Dimensions 232 x 187 mm
Weight 1161 g
Subject areas Computer Science > Networks > Security / Firewall
Computer Science > Theory / Studies > Cryptology
Mathematics / Computer Science > Computer Science > Web / Internet
ISBN-10 0-672-32380-X / 067232380X
ISBN-13 978-0-672-32380-5 / 9780672323805
Condition New