Apache Security: The Complete Guide to Securing Your Apache Web Server. Ivan Ristić. Last update: Wed Apr 27 BST (build ). Formats: PDF, EPUB, Kindle, Online.

This all-purpose guide for locking down Apache arms readers with all the information they need to

Ivan Ristić is a security researcher, engineer, and author, known especially for his contributions to the
| Language | English, Spanish, Hindi |
| Genre | Fiction & Literature |
| Distribution | Free* [*Registration needed] |
However, the trend is clear.

Notes: The list begins with a number of strong TLS 1.2 suites for the current browsers, most of which do not support TLS 1.2. Opera before version 15 is one such browser. Firefox as shipped on Red Hat systems is another. And possibly IE6, but I have not tested for it. Same comment as above for Firefox on Red Hat systems.
RC4-SHA to the configuration. It is impossible to guarantee consistent results across such a large user base. It supports a wide range of desktop browsers, including older versions. However, do note that the support for mobile devices is not very good at the moment. Configuring OpenSSL can be tricky.

Covers the basics well, but some of his recommendations are unusual.

Security modules. He presents a tool and sample output, but doesn't discuss the implications of the warnings issued by the tool.
WASC web security threat classification. The Web Application Security Consortium enumerates and classifies threats to a webserver. This useful chapter presents an exhaustive list of threat types, together with countermeasures available to an Apache admin.
Protecting a buggy application. Training for security professionals includes practical sessions with web applications known to be buggy. You can be either attacking or defending the application, and it's a controlled simulation of the real-life job.
This chapter describes attacking and defending a buggy application, and illustrates both what's right and wrong with this book. The information he gains as an attacker from innocuous-looking bugs is a real eye-opener.
But his remedies are nasty hacks and almost as scary as the bugs!
Open proxy honeypot. Barnett describes deploying a web honeypot, to gather real-time information on the threats he's dealing with. This presents a very practical approach to knowing your enemy, and being in a position to react promptly when a threat arises.
Putting it all together. Takes a scenario from his regular job, and applies techniques from the book "for real".

Ristic writes very well, though I find his style dryer and less engaging than Barnett's.
As a manual, Ristic is the more thorough of the two by a clear margin, both in range of core server administration topics and depth of technical detail.

Authentication and Authorization

Ristic, like Barnett, puts security ahead of performance.
He does discuss performance issues, but it is not his strongest point. But scanning incoming or outgoing bodies with it gets very, very expensive as the size grows. Neither author is clear on this important distinction.
Chapters

A brief look at the principles of security: what needs to be accomplished. The remainder of the book describes how to accomplish it.

Installation and configuration.
Setting up PHP for security.
Cryptography, starting with an exposition of the theory, and moving on to applying it in Apache.
Denial of Service attacks, and how to mitigate them.
Configuring a server for multiple users, as in a hosting company.
Apache's access control mechanisms. This chapter is now in part outdated, so it will have to be taken in conjunction with Apache's own manual.
Logging, starting with details of Apache's standard logging, then moving on to techniques for logging more information to detect threats, and managing large volumes of data.