Developers: Learn a New Programming Language or App Development with Deitel LiveLessons Videos!
s
menu
menu
Login  |  Register  |  Media Kit  |  Press  |  Contact Us  |   Twitter Become a Deitel Fan on Facebook  
Custom Search
Apache Software Foundation (ASF) Resource Center

Apache Web Server Security
Common Sense Guide to Apache Security
http://bignosebird.com/apache/a11.shtml
Article: "Common Sense Guide to Apache Security," from BigNoseBird.com. Discusses several ways in which you can protect your web site including not running your server as root, backing up, ways to back up, the use of server side includes, passing unchecked CGI input to the UNIC command line, off site execution of your CGI scripts, checking scripts, and additional links to security information.
Securing Apache: Step-By-Step
http://www.securityfocus.com/infocus/1694
Article: "Securing Apache: Step-By-Step," by Artur Maj. Discusses functionality, security assumptions, installing the operating system, preparing the software, Apache's modules, compiling the software, chrooting the server, and configuring Apache.
Security and Apache: An Essential Primer
http://www.linuxplanet.com/linuxplanet/tutorials/1527/1/

Tutorial: “Security and Apache: An Essential Primer,” by Ken Coar. Discusses mandatory vs. discretionary access control, authentication vs. authorization,  areas of access control, the client/server authentication handshake, Apache security processing phases, basic authentication vs. digest Auth, mixing mandatory and discretionary controls, the safety directive, restricting by IP address, restricting by user credentials, labeling, inheritance, specific user names, standard Apache security modules, using your system password file, which database is authoritative, htpasswd utility, htdigest utility, dbmmanage utility, location of your authentication database, and sources for more information.

Securing Your Web Pages with Apache
http://apache-server.com/tutorials/LPauth1.html
Tutorial: “Securing Your Web Pages with Apache,” by Ken Coar. Discusses what Apache security will not help, voluntary vs. involuntary access control, authentication vs. authorization, realms (areas of controlled access), the client/server authentication handshake, Apache security processing phases, Basic authentication vs. digest auth, the satisfy directive, restricting by IP address, restricting by user credentials, labeling, conditionalising by method, inheritance, requiring a specific user name, standard Apache security modules, allowing users to control access to their own documents, using the passwd file; the htpasswd, htdigest, and dbmmanage utilities, location of your authentication database, and FAQs and their answers.
Preventing Image Theft
http://apache-server.com/tutorials/ATimage-theft.html
Tutorial: “Preventing Image Theft,” by Ken Coar. Discusses identifying the files to protect, the referrer header field, using SetEnvIf to tag images, using envariables in access control, and logging snitch-attempt requests.
Using User Authentication
http://www.apacheweek.com/features/userauth
Tutorial: “Using User Authentication,” from ApacheWeek. Discusses creating a user database, using htpasswd, configuring the server, using groups, problems with large numbers of users, ways of sorting user details, limiting methods, restricting by host or user name, how WWW Authentication works, and security and digest authentication.
DBM User Authentication
http://www.apacheweek.com/features/dbmauth
Tutorial: “DBM User Authentication,” from ApacheWeek. Discusses what is DBM, preparing Apache for DBM files, creating a DBM users file, restricting a directory, using groups, and custom management of DBM files.
Apache Security Tips Newsgroup
http://groups.google.com/group/apache-security-tips?lnk=gschg
Apache security tips newsgroup.
Apache-SSL secure web server
http://www.apache-ssl.org/
The Apache-SSL secure web server features 128-bit encryption, client authentication, full source code and a modular extension API. Check out the site for downloads, bug fixes, FAQ, mailing lists, commercial support information and more.
Apache httpd Tools
http://www.apachesecurity.net/tools/
Apache httpd tools is a set of administrative and security tools.
Sample chapter: "Installation and Configuration"
http://www.apachesecurity.net/download/apachesecurity-ch02.pdf
Sample chapter: "Installation and Configuration," from Apache Security: The Complete Guide to Securing Your Apache Web Server , by Ivan Ristic. Walks you through the installation and set-up of the Apache web server on Linux.
Apache Server Security Tips
http://httpd.apache.org/docs/1.3/misc/security_tips.html
Apache server security tips including permissions on ServerRoot directories, server side includes, non-script aliased CGI, script aliased CGI, CGI in general, other sources of dynamic content, protecting system settings, and protecting server files by default.
Book: Apache Security
http://www.amazon.com/gp/explorer/0596007248/2/ref=pd_lpo_ase/102-4277854-4955350?ie=UTF8

Book: Apache Security, March 2005, by Ivan Ristic. Discusses security definitions, Web application architecture blueprints, installation and configuration, changing Web server identity, PHP installation and configuration, symmetric encryption, asymmetric encryption, one-way encryption, public key infrastructure, SSL, Apache and SSL, setting up a certificate authority, performance considerations, network attacks, self-inflicted attacks, traffic spikes, attacks on Apache, local attacks, traffic-shaping modules, DoS defense strategy, sharing servers, sharing problems, distributing configuration data, securing dynamic requests, working with large numbers of users, access control, authentication methods, access control in Apache, single sing-on, logging and monitoring, Apache logging facilities, log manipulation, remote logging, logging strategies, log analysis, infrastructure, application isolation strategies, host security, network security, using a reverse proxy, network design, web application security, session management attacks, attacks on clients, application logic flaws, information disclosure, file disclosure, injection flaws, buffer overflows, evasion techniques, web application security resources, web security assessment, black-box testing, white-box testing, gray-box testing, web intrusion detection, evolution of web intrusion detection, and using mod_security.

Sample Chapter: "Installation and Configuration"
http://www.oreilly.com/catalog/apachesc/chapter/ch02.pdf
Sample chapter: "Installation and Configuration," from Apache Security, March 2005, by Ivan Ristic. Discusses installation, source or binary, downloading the source code, downloading patches, static binary or dynamic modules, folder locations, installation instructions, testing the installation, selecting modules to install, configuration and hardening, setting up the server user account, setting Apache binary file permissions, configuring secure defaults, AllowOverride directive, enabling CGI scripts, logging, setting server configuration limits, preventing information leaks, changing web server identity, changing the server header field, changing the name in the source code, changing the name using mod_security, changing the name using mod_headers with Apache 2, removing default content, putting Apache in jail, tools of the chroot trade, using ldd to discover dependencies, using strace to see inside processes, using chroot to put Apache in jail; putting user, group, and name resolution files in jail, finishing touches for Apache jail preparation, preparing PHP to work in jail, taking care of small jail problems, using the chroot(2) patch, using mod_security or mod_chroot, and Apache 2.
Sample Chapter: "PHP," from Apache Security
http://www.apachesecurity.net/download/apachesecurity-ch03.pdf
Sample chapter: "PHP," from Apache Security, March 2005, by Ivan Ristic. Discusses installation, using PHP as a module, using PHP as a CGI, choosing modules, configuration, disabling undesirable options, dynamic module loading, display of information about PHP, disabling functions and classes, restricting filesystem access, setting logging options, setting limits, controlling file uploads, increasing session security, setting safe mode options, file access restrictions, environment variable restrictions, external process execution restrictions, other safe mode restrictions, advanced PHP hardening, PHP 5 SAPI input hooks, and hardened-PHP.
Security Report: Apache Features Bug Fixes.
http://www.apacheweek.com/issues/02-06-21#security
Security Report for ApacheWeek. Lists several versions of Apache, their features and bug fixes.
Security Report: mod_rewrite Canonicalisation
http://www.apacheweek.com/issues/02-02-01#security
Security report from ApacheWeek. Discusses mod_rewrite canonicalisation.
Security Report: Vulnerabilities Found in PHP
http://www.apacheweek.com/issues/02-03-01#security
Security report from ApacheWeek. Discusses vulnerabilities found in PHP.
Preventing Web Attacks with Apache
http://www.amazon.com/gp/explorer/0321321286/2/ref=pd_lpo_ase/002-8525151-1868062?ie=UTF8
Book: Maximum Apache Security," May 2002. Discusses how Apache handles security, creating a secure Apache host server, cracking Apache, establishing minimum server security, Apache and your operating system, hacking Apache's configuration, Apache versions and security, version 2.0 IPv6 support, general administration, Apache logging facilities, runtime Apache security, network access control, authentication, hacking secure code client and server sides, open source and security, Apache/SSL, firewalls, ciphers, and hacking homegrown Apache modules.
Apache Security Updates
http://www.linuxdevcenter.com/pub/a/linux/2003/04/07/insecurities.html
Article: "Apache Security Updates," by Noel Davis. Discusses Apache 2.0.45, sendmail, Balsa, libsmtp, NetPBM, eye of GNOME, passlogd, progress database, lpr-ppd, Red Hat Linux 9 vsftpd daemon, and Solaris dtsession.
Apache Security Secrets: Revealed
http://www.awe.com/mark/talks/tu04-handout.pdf
"Apache Security Secrets: Revealed," by Mark J. Cox, presented at ApacheCon 2002, Las Vegas. Discusses the Apache slapper worm, commercial vs. open source, keeping your system up to date, security policy, alert phase, analysis phase, Apache and CVE, what you need to find out, what are you running, dependencies, response phase, maintenance phase, vendor versions of Apache, backporting, is open source more secure, understand common issues, denial of service, getting directory listings in the document root, reading files from the system, remote arbitrary code execution, mitigating against remote exploits, chroot jail, local privilege escalation, remote root exploit, cross site scripting, how to stop cross site scripting attacks, mod_rewrite canonicalisation (CVE-2001-1072), attacks and exploits, and worms.

Discounts on SafariBooksOnline.com subscriptions

foot
Update :: December 18, 2017