Apache Security - Ivan Ristic [0]
Table of Contents
Preface
Audience
Scope
Contents of This Book
Online Companion
Conventions Used in This Book
Programming Conventions
Typesetting Conventions
Using Code Examples
We'd Like to Hear from You
Safari Enabled
Acknowledgments
1. Apache Security Principles
1.1. Security Definitions
1.1.1. Essential Security Principles
1.1.2. Common Security Vocabulary
1.1.3. Security Process Steps
1.1.4. Threat Modeling
1.1.5. System-Hardening Matrix
1.1.6. Calculating Risk
1.2. Web Application Architecture Blueprints
1.2.1. User View
1.2.2. Network View
1.2.3. Apache View
2. Installation and Configuration
2.1. Installation
2.1.1. Source or Binary
2.1.2. Static Binary or Dynamic Modules
2.1.3. Folder Locations
2.1.4. Installation Instructions
2.2. Configuration and Hardening
2.2.1. Setting Up the Server User Account
2.2.2. Setting Apache Binary File Permissions
2.2.3. Configuring Secure Defaults
2.2.4. Enabling CGI Scripts
2.2.5. Logging
2.2.6. Setting Server Configuration Limits
2.2.7. Preventing Information Leaks
2.3. Changing Web Server Identity
2.3.1. Changing the Server Header Field
2.3.2. Removing Default Content
2.4. Putting Apache in Jail
2.4.1. Tools of the chroot Trade
2.4.2. Using chroot to Put Apache in Jail
2.4.3. Using the chroot(2) Patch
2.4.4. Using mod_security or mod_chroot
3. PHP
3.1. Installation
3.1.1. Using PHP as a Module
3.1.2. Using PHP as a CGI
3.1.3. Choosing Modules
3.2. Configuration
3.2.1. Disabling Undesirable Options
3.2.2. Disabling Functions and Classes
3.2.3. Restricting Filesystem Access
3.2.4. Setting Logging Options
3.2.5. Setting Limits
3.2.6. Controlling File Uploads
3.2.7. Increasing Session Security
3.2.8. Setting Safe Mode Options
3.3. Advanced PHP Hardening
3.3.1. PHP 5 SAPI Input Hooks
3.3.2. Hardened-PHP
4. SSL and TLS
4.1. Cryptography
4.1.1. Symmetric Encryption
4.1.2. Asymmetric Encryption
4.1.3. One-Way Encryption
4.1.4. Public-Key Infrastructure
4.1.5. How It All Falls into Place
4.2. SSL
4.2.1. SSL Communication Summary
4.2.2. Is SSL Secure?
4.3. OpenSSL
4.4. Apache and SSL
4.4.1. Installing mod_ssl
4.4.2. Generating Keys
4.4.3. Generating a Certificate Signing Request
4.4.4. Signing Your Own Certificate
4.4.5. Getting a Certificate Signed by a CA
4.4.6. Configuring SSL
4.5. Setting Up a Certificate Authority
4.5.1. Preparing the CA Certificate for Distribution
4.5.2. Issuing Server Certificates
4.5.3. Issuing Client Certificates
4.5.4. Revoking Certificates
4.5.5. Using Client Certificates
4.6. Performance Considerations
4.6.1. OpenSSL Benchmark Script
4.6.2. Hardware Acceleration
5. Denial of Service Attacks
5.1. Network Attacks
5.1.1. Malformed Traffic
5.1.2. Brute-Force Attacks
5.1.3. SYN Flood Attacks
5.1.4. Source Address Spoofing
5.1.5. Distributed Denial of Service Attacks
5.1.6. Reflection DoS Attacks
5.2. Self-Inflicted Attacks
5.2.1. Badly Configured Apache
5.2.2. Poorly Designed Web Applications
5.2.3. Real-Life Client Problems
5.3. Traffic Spikes
5.3.1. Content Compression
5.3.2. Bandwidth Attacks
5.3.3. Cyber-Activism
5.3.4. The Slashdot Effect
5.4. Attacks on Apache
5.4.1. Apache Vulnerabilities
5.4.2. Brute-Force Attacks
5.4.3. Programming Model Attacks
5.5. Local Attacks
5.5.1. PAM Limits
5.5.2. Process Accounting
5.5.3. Kernel Auditing
5.6. Traffic-Shaping Modules
5.7. DoS Defense Strategy
6. Sharing Servers
6.1. Sharing Problems
6.1.1. File Permission Problems
6.1.2. Dynamic-Content Problems
6.1.3. Sharing Resources
6.1.4. Same Domain Name Problems
6.1.5. Information Leaks on Execution Boundaries
6.2. Distributing Configuration Data
6.3. Securing Dynamic Requests
6.3.1. Enabling Script Execution
6.3.2. Setting CGI Script Limits
6.3.3. Using suEXEC
6.3.4. FastCGI
6.3.5. Running PHP as a Module
6.4. Working with Large Numbers of Users
6.4.1. Web Shells
6.4.2. Dangerous Binaries
7. Access Control
7.1. Overview
7.2. Authentication Methods
7.2.1. Basic