[CaLViN]

Apache Security Review




Apache is the most popular web server being used
worlwide today. There's so much information about
installing the basics but nothing about the meat and
potatoes of the most important issues like security.




Publisher: O'Reilly
Author: Ivan Ristic
ISBN: 0-595-00724-8
Cost US: $34.95
Cost CAN: $48.95
Pages: Nearly 400
Author's Website: Apache Security - The Complete Guide to Securing Your Apache Web Server


I recently heard about a new book out that is just about Apache Security written by Ivan Ristic. I haven't ever really found many books on this topic and wondered why since its such a widely popular web server. Ivan Ristic is well known for being the single man behind an invaluable tool for web servers called mod_security.


So many security related books are very expensive and thousands of pages long, which is great if you have lots of time but no system admin does. Apache Security is both thorough and quick to get through while walking you through the most imporant issues you'll encounter or never thought about until now.

First off go buy the book, don't bother to read this
review. It's really that good. I use it on a daily
basis and keep a copy at the office and at home. I
advise anyone that owns a server or works with Apache
to get this book, you won't be disappointed. It's not
for somoene that's completely a newbie to web servers,
I recommend it more for someone with a bit of
experience or advanced user of Linux. Since this isn't
a book on dummy installations but about security so
you need a basic understanding of file permissions and
so on.



The book is well written and easy to follow. I really
like how its organized. There are sections on
everything from PHP, SSL, Denial of Service Attacks,
Monitoring, Logging, Sessions, different types of
attacks and defences and much more.

It explains issues you face on a daily basis and the
pro's and cons of different methods and solutions to
work with the problem . So if you don't know what code
execution means then it explains it first hand and why
you need to be aware of it. Then it goes into detail
about how attackers can take advantage of certain
configurations to their benefit and what you should
consider as a solution.


This isn't a book that has thousands of lines of code
you need to try and understand but easy to follow
written explinations of issues and ways to resolve it,
usually with a link to a tool to solve the problem as
well so you can read up on it. Ivan uses real
examples of SQL injections of before and after queries
that attackers are trying to use on web servers right
now and what it means to you. The things like that
matter to a system admin.


My favourite section is actually that of mod_security
on page 336. It covers configuring it, things to watch
out for and common attacks, logging and reacting to
events. But I also enjoyed the section of Load
Balancing and different methods to keep systems online
such as round robin DNS and of course different ways
to help secure Apache and PHP. I personally find PHP a
big pain these days, there's a lot that needs to be
done to ensure its secure and sometimes that's not
enough especially in a shared hosting environment.

For those who are wondering what else can be done to
secure their web server I highly recommend Apache
Security. It's a must have book to add to your daily
coffee and fight against an ever growing number of
script kiddies, scam artists, social engineering and
hackers.



I'd also like to say Thank You to Ivan Ristic for
putting up with my emails but for helping so many
other admins out there with this gem and for giving
the community mod_security, I love it and fine it an
essential part of my Apache server.


Thanks to S. Leggett