Great Apache security book

Discussion in 'The Lounge - Off Topic' started by ffreeloader, Mar 12, 2008.

  1. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I've been studying Apache security lately and ran across a very good book on it written by Ryan Barnett called "Preventing Web Attacks with Apache". I am really impressed with this book that was published in 2006. Barnett covers things that I didn't even know existed in Apache before I started reading this.

    I have the O'Reilly book "Apache Security" and have to say that this book so far outstrips the O'Reilly book that it isn't even funny. To be fair, "Apache Security" doesn't cover much to do with web application security, and the Barnett book covers it in depth.

    Barnett starts off with foundational security by showing what to lock down in your server's OS, including things such as the TCP/IP stack, and then moves on to third-party Apache modules. From there he begins touching on all the different types of attacks used against web applications. For each type of attack and vulnerability that he describes (and he describes many different attacks and vulnerabilities), he gives further-reading information; otherwise this 550+ page book would be more than 1000 pages. He gives as many as 8 or 10 outside references for each section on vulnerability and attack identification.

    Barnett also goes into how and why types of intrusion detection systems can fail and how to minimize their weaknesses. Also included are sections on how to use some of the web server security tools such as Nessus and Nikto and how to defend against them.

    If there is such a thing as a Swiss Army knife of web security books, this book has to be it. If you're new to Apache and want to know how to secure your server, this is a wonderful starting point. You won't learn everything in this book in a day or two. This is a book that will introduce you to subjects and give you references for further study. It seems to me to be designed to give a newcomer a thorough introduction to web application security. So far I've spent a week on it and I'm less than halfway through it. I haven't even gotten to the example he gives of how to lock down an example web site.

    Some of the tools he introduces such as the mod_security module for Apache have a steep learning curve all of their own, but are indispensable in locking down your web site/web application. Just the default application of this one tool changed the returns from the Nikto security scanner of a lab web site I have from approximately 80 instances of undesirable leakage of information to none.

    If you're running Apache this is a must-have book.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  2. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    180
    287
    Since you value it so highly, it must be good. I thought I'd fill out a few details and turn this into a more formal book review:

    Title: Preventing Web Attacks with Apache
    Author: Ryan C Barnett
    Paperback: 624 pages
    Publisher: Addison-Wesley Professional (February 6, 2006)
    Language: English
    ISBN-10: 0321321286
    ISBN-13: 978-0321321282

    Can be found at Amazon (US) or Amazon (UK).
     
    Certifications: A+ and Network+
  3. Mitzs
    Honorary Member

    Mitzs Ducktape Goddess

    3,286
    85
    152
    Thanks for sharing, Freddy. I have logged it in favs in case someone needs it down the road.
     
    Certifications: Microcomputers and network specialist.
    WIP: Adobe DW, PS
  4. fortch

    fortch Kilobyte Poster

    408
    21
    35
    Nice find, Freddy! I've used Apache several times, but only with n00bish knowledge -- enough to get a site up and running. None were ever hacked, nor were they turned into SMTP relays or zombies, but that's probably only because the sites were very small, on a tiny pipe, and hard to find. Worked for its purpose, though. Apache is a nice, fast platform... which is evident by its widespread use. I found a lot of good resources on the net, but having a book would make it a one-stop shop. Cool.

    Now, for the obligatory jab -- what, you mean there's that many vulnerabilities? That's impossible, it runs on Linux, right? That makes everything secure! :p
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE