Preventing Web Attacks With Apache
by Ryan Barnett
ISBN 0-321-32128-6. $49.99, 582 pages, index, three appendices
Reviewed by Bob Bruen May 17, 2006
If the software developers are not going to provide us with secure software, then we have to protect our web sites with as secure a web server as we can get.
We know that all software has problems because, well, because it is software. The key measurements are how many, how often and how serious. In terms of fixing problems, we worry about discovery, turn around time and pray that nothing else fails after the patch is applied. In all cases the quality matters. Apache is the web server of choice, not perfect, but as good as it gets. It is a quality product, relatively easy to get running and is reliable. Just running it helps.
Of course, this is not enough. With some extra effort, Apache can also be used to increase security for your web site. This more than just making your installation more secure, but actually using Apache and other Apache-related tools. In 2005 Ivan Ristic's book Apache Security was published giving us an excellent guide to securing Apache itself. It cannot be helped that products like Apache tend to get more complicated over time. New functions are added, more tools are put together to assist and better methods are developed. What was once a small tool becomes a major career path. My suggestion is you should read Apache, the Definitive Guide by the Lauries, Ristic's book, and then this one. Barnett does a great job introducing Apache, but quickly ramps up to real mission of the book. If you are already conversant in Apache and its security, then you will not be bogged down in the introductory material.
There is an extensive list and discussion on "Essential Security Modules for Apache" (chapter 5). The only caveat is the the section on Mod_Doevasive from Jonathan Zdziarski at www.nuclearelephant.com suffered from the problem of "things change after you write it down." The download file now appears to be called mod_evasive. The three versions, one for Apache 1.3, one for 2.0 and one for for SunOne (NSAPI) are in one tar file. It is one of the cool tools in this chapter, with a mission to react to HTTP Denial of Service Attacks and Brute Force Attacks. Mod_evasive looks for three main activities, 1) Requesting the same page more than a few times per second, 2) Making more than 50 concurrent requests on the same child process per second ad 3) Making any requests while temporarily blacklisted.
Barnett also covers the now standard mod_security, which should be used as a matter of standard operating procedure, mod_rewrite and mod_log_forensic all of which extend the security value of Apache. Mod_rewrite likely came with your Apache installation, but mod_log_forensic will need to be installed as does mod_evasive. Mod_log_forensic generates more useful log entries than Apache does, for example when a child process seg faults.
The rest of the book is chock full of very helpful material. If you run a web server, you need to read this book and use the expertise provided. If you are not running Apache, switch, then apply the lessons provided by Barnett. This is a highly recommended book.