Log In
Or create an account ->
Imperial Library
Home
About
News
Upload
Forum
Help
Login/SignUp
Index
Apache Security
Preface
Audience
Scope
Contents of This Book
Online Companion
Conventions Used in This Book
Programming Conventions
Typesetting Conventions
Using Code Examples
We'd Like to Hear from You
Safari Enabled
Acknowledgments
1. Apache Security Principles
1.1. Security Definitions
1.1.1. Essential Security Principles
1.1.2. Common Security Vocabulary
1.1.3. Security Process Steps
1.1.4. Threat Modeling
1.1.5. System-Hardening Matrix
1.1.6. Calculating Risk
1.2. Web Application Architecture Blueprints
1.2.1. User View
1.2.2. Network View
1.2.3. Apache View
2. Installation and Configuration
2.1. Installation
2.1.1. Source or Binary
2.1.1.1. Downloading the source code
2.1.1.2. Downloading patches
2.1.2. Static Binary or Dynamic Modules
2.1.3. Folder Locations
2.1.4. Installation Instructions
2.1.4.1. Testing the installation
2.1.4.2. Selecting modules to install
2.2. Configuration and Hardening
2.2.1. Setting Up the Server User Account
2.2.2. Setting Apache Binary File Permissions
2.2.3. Configuring Secure Defaults
2.2.3.1. Options directive
2.2.3.2. AllowOverride directive
2.2.4. Enabling CGI Scripts
2.2.5. Logging
2.2.6. Setting Server Configuration Limits
2.2.7. Preventing Information Leaks
2.3. Changing Web Server Identity
2.3.1. Changing the Server Header Field
2.3.1.1. Changing the name in the source code
2.3.1.2. Changing the name using mod_security
2.3.1.3. Changing the name using mod_headers with Apache 2
2.3.2. Removing Default Content
2.4. Putting Apache in Jail
2.4.1. Tools of the chroot Trade
2.4.1.1. Sample use of the chroot binary
2.4.1.2. Using ldd to discover dependencies
2.4.1.3. Using strace to see inside processes
2.4.2. Using chroot to Put Apache in Jail
2.4.2.1. Putting user, group, and name resolution files in jail
2.4.2.2. Finishing touches for Apache jail preparation
2.4.2.3. Preparing PHP to work in jail
2.4.2.4. Preparing Perl to work in jail
2.4.2.5. Taking care of small jail problems
2.4.3. Using the chroot(2) Patch
2.4.4. Using mod_security or mod_chroot
2.4.4.1. Apache 1
2.4.4.2. Apache 2
3. PHP
3.1. Installation
3.1.1. Using PHP as a Module
3.1.2. Using PHP as a CGI
3.1.3. Choosing Modules
3.2. Configuration
3.2.1. Disabling Undesirable Options
3.2.1.1. register_globals and allow_url_fopen
3.2.1.2. Dynamic module loading
3.2.1.3. Display of information about PHP
3.2.2. Disabling Functions and Classes
3.2.3. Restricting Filesystem Access
3.2.4. Setting Logging Options
3.2.5. Setting Limits
3.2.6. Controlling File Uploads
3.2.7. Increasing Session Security
3.2.8. Setting Safe Mode Options
3.2.8.1. File access restrictions
3.2.8.2. Environment variable restrictions
3.2.8.3. External process execution restrictions
3.2.8.4. Other safe mode restrictions
3.3. Advanced PHP Hardening
3.3.1. PHP 5 SAPI Input Hooks
3.3.2. Hardened-PHP
4. SSL and TLS
4.1. Cryptography
4.1.1. Symmetric Encryption
4.1.2. Asymmetric Encryption
4.1.3. One-Way Encryption
4.1.4. Public-Key Infrastructure
4.1.4.1. Digital certificates
4.1.4.2. Certificate authorities
4.1.4.3. Web of trust
4.1.5. How It All Falls into Place
4.2. SSL
4.2.1. SSL Communication Summary
4.2.2. Is SSL Secure?
4.2.2.1. Man in the middle attacks
4.2.2.2. Nontechnical issues
4.3. OpenSSL
4.4. Apache and SSL
4.4.1. Installing mod_ssl
4.4.2. Generating Keys
4.4.3. Generating a Certificate Signing Request
4.4.4. Signing Your Own Certificate
4.4.5. Getting a Certificate Signed by a CA
4.4.6. Configuring SSL
4.4.6.1. Supporting broken SSL clients
4.4.6.2. Securing the server private key
4.4.6.3. Ensuring reliable SSL startup
4.4.6.4. Preventing configuration mistakes
4.5. Setting Up a Certificate Authority
4.5.1. Preparing the CA Certificate for Distribution
4.5.2. Issuing Server Certificates
4.5.3. Issuing Client Certificates
4.5.4. Revoking Certificates
4.5.5. Using Client Certificates
4.6. Performance Considerations
4.6.1. OpenSSL Benchmark Script
4.6.2. Hardware Acceleration
5. Denial of Service Attacks
5.1. Network Attacks
5.1.1. Malformed Traffic
5.1.2. Brute-Force Attacks
5.1.3. SYN Flood Attacks
5.1.4. Source Address Spoofing
5.1.5. Distributed Denial of Service Attacks
5.1.6. Reflection DoS Attacks
5.2. Self-Inflicted Attacks
5.2.1. Badly Configured Apache
5.2.2. Poorly Designed Web Applications
5.2.3. Real-Life Client Problems
5.3. Traffic Spikes
5.3.1. Content Compression
5.3.2. Bandwidth Attacks
5.3.3. Cyber-Activism
5.3.4. The Slashdot Effect
5.4. Attacks on Apache
5.4.1. Apache Vulnerabilities
5.4.2. Brute-Force Attacks
5.4.3. Programming Model Attacks
5.5. Local Attacks
5.5.1. PAM Limits
5.5.2. Process Accounting
5.5.3. Kernel Auditing
5.6. Traffic-Shaping Modules
5.7. DoS Defense Strategy
6. Sharing Servers
6.1. Sharing Problems
6.1.1. File Permission Problems
6.1.1.1. Keeping permissions correct
6.1.1.2. Virtual filesystems for users
6.1.2. Dynamic-Content Problems
6.1.2.1. Execution wrappers
6.1.2.2. FastCGI
6.1.2.3. Per-request change of Apache identity
6.1.2.4. Perchild MPM and Metux MPM
6.1.2.5. Multiple Apache instances
6.1.3. Sharing Resources
6.1.4. Same Domain Name Problems
6.1.4.1. Fake security realms
6.1.4.2. Cookie namespace collisions
6.1.5. Information Leaks on Execution Boundaries
6.2. Distributing Configuration Data
6.3. Securing Dynamic Requests
6.3.1. Enabling Script Execution
6.3.1.1. ScriptAlias versus script enabling by configuration
6.3.1.2. Server-side includes
6.3.1.3. Assigning handlers, types, or filters
6.3.2. Setting CGI Script Limits
6.3.3. Using suEXEC
6.3.3.1. Using suEXEC outside virtual hosts
6.3.3.2. Using suEXEC for mass virtual hosting
6.3.4. FastCGI
6.3.5. Running PHP as a Module
6.4. Working with Large Numbers of Users
6.4.1. Web Shells
6.4.2. Dangerous Binaries
7. Access Control
7.1. Overview
7.2. Authentication Methods
7.2.1. Basic Authentication
7.2.2. Digest Authentication
7.2.3. Form-Based Authentication
7.3. Access Control in Apache
7.3.1. Basic Authentication Using Plaintext Files
7.3.1.1. Working with groups
7.3.2. Basic Authentication Using DBM Files
7.3.3. Digest Authentication
7.3.4. Certificate-Based Access Control
7.3.5. Network Access Control
7.3.5.1. Using environment variables
7.3.6. Proxy Access Control
7.3.6.1. Reverse proxies
7.3.7. Final Access Control Notes
7.3.7.1. Limiting request methods
7.3.7.2. Combining authentication with network access control
7.3.7.3. Combining multiple authentication modules
7.4. Single Sign-on
7.4.1. Web Single Sign-on
7.4.2. Simple Apache-Only Single Sign-on
8. Logging and Monitoring
8.1. Apache Logging Facilities
8.1.1. Request Logging
8.1.1.1. LogFormat
8.1.1.2. TransferLog
8.1.1.3. CustomLog
8.1.2. Error Logging
8.1.3. Special Logging Modules
8.1.4. Audit Log
8.1.5. Performance Measurement
8.1.6. File Upload Interception
8.1.7. Application Logs
8.1.8. Logging as Much as Possible
8.1.8.1. Using HTTP status codes
8.1.8.2. Integration with PHP
8.1.8.3. Recommended log format
8.1.8.4. Alternative integration method
8.2. Log Manipulation
8.2.1. Piped Logging
8.2.2. Log Rotation
8.2.2.1. Periodic rotation
8.2.2.2. Real-time rotation
8.2.3. Issues with Log Distribution
8.3. Remote Logging
8.3.1. Manual Centralization
8.3.2. Syslog Logging
8.3.3. Database Logging
8.3.4. Distributed Logging with the Spread Toolkit
8.4. Logging Strategies
8.5. Log Analysis
8.6. Monitoring
8.6.1. File Integrity
8.6.2. Event Monitoring
8.6.2.1. Periodic reporting
8.6.2.2. Swatch
8.6.2.3. Simple Event Correlator
8.6.3. Web Server Status
8.6.3.1. Fetching and storing statistics
8.6.3.2. Graphing
8.6.3.3. Using the scripts
8.6.3.4. mod_watch
9. Infrastructure
9.1. Application Isolation Strategies
9.1.1. Isolating Applications from Servers
9.1.2. Isolating Application Modules
9.1.3. Utilizing Virtual Servers
9.2. Host Security
9.2.1. Restricting and Securing User Access
9.2.2. Deploying Minimal Services
9.2.3. Gathering Information and Monitoring Events
9.2.4. Securing Network Access
9.2.5. Advanced Hardening
9.2.6. Keeping Up to Date
9.3. Network Security
9.3.1. Firewall Usage
9.3.2. Centralized Logging
9.3.3. Network Monitoring
9.3.3.1. Intrusion detection and HTTP
9.3.4. External Monitoring
9.4. Using a Reverse Proxy
9.4.1. Apache Reverse Proxy
9.4.1.1. Setting up the reverse proxy
9.4.1.2. mod_proxy_html
9.4.2. Reverse Proxy by Network Design
9.4.3. Reverse Proxy by Redirecting Network Traffic
9.5. Network Design
9.5.1. Reverse Proxy Patterns
9.5.1.1. Front door
9.5.1.2. Integration reverse proxy
9.5.1.3. Protection reverse proxy
9.5.1.4. Performance reverse proxy
9.5.2. Advanced Architectures
9.5.2.1. No load balancing, no high availability
9.5.2.2. High availability
9.5.2.3. Manual load balancing
9.5.2.4. DNS Round Robin (DNSRR) load balancing
9.5.2.5. Management node clusters
9.5.2.6. Reverse proxy clusters
10. Web Application Security
10.1. Session Management Attacks
10.1.1. Cookies
10.1.2. Session Management Concepts
10.1.3. Keeping in Touch with Clients
10.1.4. Session Tokens
10.1.5. Session Attacks
10.1.5.1. Session hijacking
10.1.5.2. Brute-force attacks
10.1.6. Good Practices
10.2. Attacks on Clients
10.2.1. Typical Client Attack Targets
10.2.2. Phishing
10.3. Application Logic Flaws
10.3.1. Cookies and Hidden Fields
10.3.2. POST Method
10.3.3. Referrer Check Flaws
10.3.4. Process State Management
10.3.5. Client-Side Validation
10.4. Information Disclosure
10.4.1. HTML Source Code
10.4.2. Directory Listings
10.4.2.1. WebDAV
10.4.3. Verbose Error Messages
10.4.4. Debug Messages
10.5. File Disclosure
10.5.1. Path Traversal
10.5.2. Application Download Flaws
10.5.3. Source Code Disclosure
10.5.4. Predictable File Locations
10.6. Injection Flaws
10.6.1. SQL Injection
10.6.1.1. A working example
10.6.1.2. Union
10.6.1.3. Multiple statements in a query
10.6.1.4. Special database features
10.6.1.5. SQL injection attack resources
10.6.2. Cross-Site Scripting
10.6.2.1. XSS attack resources
10.6.3. Command Execution
10.6.4. Code Execution
10.6.5. Preventing Injection Attacks
10.7. Buffer Overflows
10.8. Evasion Techniques
10.8.1. Simple Evasion Techniques
10.8.2. Path Obfuscation
10.8.3. URL Encoding
10.8.4. Unicode Encoding
10.8.5. Null-Byte Attacks
10.8.6. SQL Evasion
10.9. Web Application Security Resources
10.9.1. General Resources
10.9.2. Web Application Security Resources
11. Web Security Assessment
11.1. Black-Box Testing
11.1.1. Information Gathering
11.1.1.1. Organizational information
11.1.1.2. Domain name registration
11.1.1.3. Domain name system
11.1.1.4. Regional Internet Registries
11.1.1.5. Search engines
11.1.1.6. Social engineering
11.1.1.7. Connectivity
11.1.1.8. Port scanning
11.1.2. Web Server Analysis
11.1.2.1. Testing SSL
11.1.2.2. Identifying the web server
11.1.2.3. Identifying the application server
11.1.2.4. Examining default locations
11.1.2.5. Probing for common configuration problems
11.1.2.6. Examining responses to exceptional requests
11.1.2.7. Probing for known vulnerabilities
11.1.2.8. Enumerating applications
11.1.2.9. Assessing the execution environment
11.1.3. Web Application Analysis
11.1.3.1. Using a spider to map out the application structure
11.1.3.2. Examining page elements
11.1.3.3. Enumerating pages with parameters
11.1.3.4. Examining well-known locations
11.1.4. Attacks Against Access Control
11.1.5. Vulnerability Probing
11.2. White-Box Testing
11.2.1. Architecture Review
11.2.2. Configuration Review
11.2.2.1. Preparing a storage area for review files
11.2.2.2. Preparing a file listing and initial notes
11.2.2.3. Reviewing the web server configuration
11.2.2.4. Reviewing the application configuration
11.2.2.5. Reviewing file permissions
11.2.2.6. Reviewing the files
11.2.3. Functional Review
11.2.3.1. Basic application review
11.2.3.2. Application infrastructure review
11.2.3.3. Hot spot review
11.3. Gray-Box Testing
12. Web Intrusion Detection
12.1. Evolution of Web Intrusion Detection
12.1.1. Is Intrusion Detection the Right Approach?
12.1.2. Log-Based Web Intrusion Detection
12.1.3. Real-Time Web Intrusion Detection
12.1.4. Web Intrusion Detection Features
12.1.4.1. Protocol anomaly detection
12.1.4.2. Negative versus positive security models
12.1.4.3. Rule-based versus anomaly-based protection
12.1.4.4. Enforcing input validation
12.1.4.5. State management
12.1.4.6. Anti-evasion techniques
12.1.4.7. Response monitoring and information leak prevention
12.2. Using mod_security
12.2.1. Introduction
12.2.1.1. Installation and basic configuration
12.2.1.2. Processing order
12.2.1.3. Anti-evasion features
12.2.1.4. Encoding validation features
12.2.1.5. Rules
12.2.1.6. Actions
12.2.1.7. Logging
12.2.2. More Configuration Advice
12.2.2.1. Activation time
12.2.2.2. Performance impact
12.2.2.3. Memory consumption
12.2.2.4. Per-context configuration
12.2.2.5. Tight Apache integration
12.2.2.6. Event monitoring
12.2.3. Deployment Guidelines
12.2.3.1. Reasonable configuration starting point
12.2.4. Detecting Common Attacks
12.2.4.1. Database attacks
12.2.4.2. Cross-site scripting attacks
12.2.4.3. Command execution and file disclosure
12.2.5. Advanced Topics
12.2.5.1. Complex configuration scenarios
12.2.5.2. Byte-range restriction
12.2.5.3. File upload interception and validation
12.2.5.4. Restricting mod_security to process dynamic requests only
12.2.5.5. Request body monitoring
12.2.5.6. Response body monitoring
12.2.5.7. Deploying positive security model protection
A. Tools
A.1. Learning Environments
A.1.1. WebMaven
A.1.2. WebGoat
A.2. Information-Gathering Tools
A.2.1. Online Tools at TechnicalInfo
A.2.2. Netcraft
A.2.3. Sam Spade
A.2.4. SiteDigger
A.2.5. SSLDigger
A.2.6. Httprint
A.3. Network-Level Tools
A.3.1. Netcat
A.3.2. Stunnel
A.3.3. Curl
A.3.4. Network-Sniffing Tools
A.3.5. SSLDump
A.4. Web Security Scanners
A.4.1. Nikto
A.4.2. Nessus
A.5. Web Application Security Tools
A.5.1. Paros
A.5.2. Commercial Web Security Tools
A.6. HTTP Programming Libraries
Index
About the Author
Colophon
← Prev
Back
Next →
← Prev
Back
Next →