Apache Security - Ivan Ristic [123]
* * *
mod_watch
mod_status was designed to allow for web server monitoring. If you need more granularity, you will have to turn to mod_watch, a third-party module available from http://www.snert.com/mod_watch/. This module can provide information for an unlimited number of contexts, where each context can be one of the following:
Virtual host
File owner
Remote IP address
Directory
Location
Web server
For each context, mod_watch provides the following values:
Bytes in
Bytes out
Number of requests
Number of documents
Number of active connections
Average transfer rate in the last five minutes
Since this module comes with utility scripts to integrate it with MRTG (a monitoring and graphing tool described at http://people.ee.ethz.ch/~oetiker/webtools/mrtg/), it can be of great value if MRTG has been deployed.
Chapter 9. Infrastructure
In this chapter, we take a step back from a single Apache server to discuss the infrastructure and the architecture of the system as a whole. Topics include:
Application isolation strategies
Host security
Network security
Use of a reverse proxy, including use of web application firewalls
Network design
We want to make each element of the infrastructure as secure as it can be and design it to work securely as if the others did not exist. We must do the following:
Do everything to keep attackers out.
Design the system to minimize the damage of a break-in.
Detect compromises as they occur.
Some sections of this chapter (the ones on host security and network security) discuss issues that not only relate to Apache but also apply to running any service. I will mention them briefly so you know you need to take care of them. If you wish to explore these other issues, I recommend the following books:
Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, and Alan Schwartz (O'Reilly)
Internet Site Security by Erik Schetina, Ken Green, and Jacob Carlson (Addison-Wesley)
Linux Server Security by Michael D. Bauer (O'Reilly)
Network Security Hacks by Andrew Lockhart (O'Reilly)
Network Security Hacks is particularly useful because it is concise and allows you to find an answer quickly. If you need to do something, you look up the hack in the table of contents, and a couple of pages later you have the problem solved.
Application Isolation Strategies
Choosing a correct application isolation strategy can have a significant effect on a project's security. Ideally, a strategy will be selected early in the project's life, as a joint decision of the administration and the development team. Delaying the decision may result in the inability to deploy certain configurations.
Isolating Applications from Servers
Your goal should be to keep each application separated from the operating system it resides on. It is simple to do when deploying the application and will help in the future. The following rules of thumb apply:
Store the web application in a single folder on disk. An application that occupies a single folder is easy to back up, move to another server, or install onto a freshly installed server. When disaster strikes, you will need to act quickly, and you do not want anything slowing you down.
If the application requires a complex installation (for example, third-party Apache modules or specific PHP configuration), treat Apache and its modules as part of the application. This will make the application easy to move from one server to another.
Keep the application-specific configuration data close to the application, referencing such data