Ristić Ivan - Apache Security [2005, PDF, ENG]

Post by Солнышко » 05 Feb 2018, 22:04

Apache Security
Year of publication: 2005
Author: Ristić Ivan
Genre or subject: Hacking and security
Publisher: Feisty Duck Digital
Language: English
Format: PDF/EPUB/MOBI
Quality: Publisher's layout or text (eBook)
Interactive table of contents: Yes
Number of pages: 436
Description: The complete guide to securing your Apache web server
This all-purpose guide for locking down Apache arms readers with all the information they need to securely deploy applications. Administrators and programmers alike will benefit from a concise introduction to the theory of securing Apache, plus a wealth of practical advice and real-life examples. Topics covered include installation, server sharing, logging and monitoring, web applications, PHP and SSL/TLS, and more.
“The single best Apache security book in print”
Richard Bejtlich, author of The Tao of Network Security Monitoring: Beyond Intrusion Detection and Extrusion Detection: Security Monitoring for Internal Intrusions
“Everyone running Apache needs this book”
Rich Bowen, author of Apache Administrator's Handbook and coauthor of Apache Cookbook
Preface to Digital Reprint xi
Preface xiii
Audience xiii
Scope xiv
Contents of This Book xv
Online Companion xvii
Conventions Used in This Book xvii
Programming Conventions xviii
Typesetting Conventions xviii
Using Code Examples xviii
Acknowledgments xix
1. Apache Security Principles 1
1.1. Security Definitions 1
1.1.1. Essential Security Principles 2
1.1.2. Common Security Vocabulary 4
1.1.3. Security Process Steps 4
1.1.4. Threat Modeling 5
1.1.5. System-Hardening Matrix 7
1.1.6. Calculating Risk 10
1.2. Web Application Architecture Blueprints 10
1.2.1. User View 11
1.2.2. Network View 12
1.2.3. Apache View 13
2. Installation and Configuration 15
2.1. Installation 16
2.1.1. Source or Binary 16
2.1.2. Static Binary or Dynamic Modules 19
2.1.3. Folder Locations 20
2.1.4. Installation Instructions 21
2.2. Configuration and Hardening 26
2.2.1. Setting Up the Server User Account 27
2.2.2. Setting Apache Binary File Permissions 27
2.2.3. Configuring Secure Defaults 28
2.2.4. Enabling CGI Scripts 31
2.2.5. Logging 32
2.2.6. Setting Server Configuration Limits 33
2.2.7. Preventing Information Leaks 35
2.3. Changing Web Server Identity 37
2.3.1. Changing the Server Header Field 38
2.3.2. Removing Default Content 40
2.4. Putting Apache in Jail 41
2.4.1. Tools of the chroot Trade 43
2.4.2. Using chroot to Put Apache in Jail 46
2.4.3. Using the chroot(2) Patch 50
2.4.4. Using mod_security or mod_chroot 51
3. PHP 55
3.1. Installation 55
3.1.1. Using PHP as a Module 55
3.1.2. Using PHP as a CGI 57
3.1.3. Choosing Modules 58
3.2. Configuration 59
3.2.1. Disabling Undesirable Options 59
3.2.2. Disabling Functions and Classes 62
3.2.3. Restricting Filesystem Access 62
3.2.4. Setting Logging Options 63
3.2.5. Setting Limits 64
3.2.6. Controlling File Uploads 65
3.2.7. Increasing Session Security 66
3.2.8. Setting Safe Mode Options 67
3.3. Advanced PHP Hardening 69
3.3.1. PHP 5 SAPI Input Hooks 70
3.3.2. Hardened-PHP 70
4. SSL and TLS 73
4.1. Cryptography 74
4.1.1. Symmetric Encryption 75
4.1.2. Asymmetric Encryption 77
4.1.3. One-Way Encryption 78
4.1.4. Public-Key Infrastructure 79
4.1.5. How It All Falls into Place 82
4.2. SSL 83
4.2.1. SSL Communication Summary 84
4.2.2. Is SSL Secure? 84
4.3. OpenSSL 87
4.4. Apache and SSL 90
4.4.1. Installing mod_ssl 90
4.4.2. Generating Keys 91
4.4.3. Generating a Certificate Signing Request 92
4.4.4. Signing Your Own Certificate 93
4.4.5. Getting a Certificate Signed by a CA 94
4.4.6. Configuring SSL 95
4.5. Setting Up a Certificate Authority 97
4.5.1. Preparing the CA Certificate for Distribution 100
4.5.2. Issuing Server Certificates 101
4.5.3. Issuing Client Certificates 102
4.5.4. Revoking Certificates 103
4.5.5. Using Client Certificates 103
4.6. Performance Considerations 104
4.6.1. OpenSSL Benchmark Script 104
4.6.2. Hardware Acceleration 106
5. Denial of Service Attacks 107
5.1. Network Attacks 109
5.1.1. Malformed Traffic 109
5.1.2. Brute-Force Attacks 109
5.1.3. SYN Flood Attacks 110
5.1.4. Source Address Spoofing 112
5.1.5. Distributed Denial of Service Attacks 112
5.1.6. Reflection DoS Attacks 113
5.2. Self-Inflicted Attacks 114
5.2.1. Badly Configured Apache 114
5.2.2. Poorly Designed Web Applications 116
5.2.3. Real-Life Client Problems 118
5.3. Traffic Spikes 119
5.3.1. Content Compression 119
5.3.2. Bandwidth Attacks 119
5.3.3. Cyber-Activism 120
5.3.4. The Slashdot Effect 120
5.4. Attacks on Apache 121
5.4.1. Apache Vulnerabilities 121
5.4.2. Brute-Force Attacks 122
5.4.3. Programming Model Attacks 123
5.5. Local Attacks 124
5.5.1. Process Limits 125
5.5.2. Process Accounting 126
5.5.3. Kernel Auditing 126
5.6. Traffic-Shaping Modules 127
5.7. DoS Defense Strategy 128
6. Sharing Servers 129
6.1. Sharing Problems 129
6.1.1. File Permission Problems 130
6.1.2. Dynamic-Content Problems 132
6.1.3. Sharing Resources 137
6.1.4. Same Domain Name Problems 137
6.1.5. Information Leaks on Execution Boundaries 139
6.2. Distributing Configuration Data 142
6.3. Securing Dynamic Requests 144
6.3.1. Enabling Script Execution 144
6.3.2. Setting CGI Script Limits 146
6.3.3. Using suEXEC 146
6.3.4. FastCGI 153
6.3.5. Running PHP as a Module 155
6.4. Working with Large Numbers of Users 155
6.4.1. Web Shells 156
6.4.2. Dangerous Binaries 156
7. Access Control 159
7.1. Overview 159
7.2. Authentication Methods 161
7.2.1. Basic Authentication 161
7.2.2. Digest Authentication 163
7.2.3. Form-Based Authentication 164
7.3. Access Control in Apache 166
7.3.1. Basic Authentication Using Plaintext Files 166
7.3.2. Basic Authentication Using DBM Files 168
7.3.3. Digest Authentication 169
7.3.4. Certificate-Based Access Control 169
7.3.5. Network Access Control 170
7.3.6. Proxy Access Control 172
7.3.7. Final Access Control Notes 174
7.4. Single Sign-on 178
7.4.1. Web Single Sign-on 179
7.4.2. Simple Apache-Only Single Sign-on 180
8. Logging and Monitoring 183
8.1. Apache Logging Facilities 183
8.1.1. Request Logging 184
8.1.2. Error Logging 188
8.1.3. Special Logging Modules 190
8.1.4. Audit Log 192
8.1.5. Performance Measurement 194
8.1.6. File Upload Interception 195
8.1.7. Application Logs 195
8.1.8. Logging as Much as Possible 196
8.2. Log Manipulation 200
8.2.1. Piped Logging 200
8.2.2. Log Rotation 202
8.2.3. Issues with Log Distribution 204
8.3. Remote Logging 205
8.3.1. Manual Centralization 205
8.3.2. Syslog Logging 206
8.3.3. Database Logging 208
8.3.4. Distributed Logging with the Spread Toolkit 209
8.4. Logging Strategies 211
8.5. Log Analysis 212
8.6. Monitoring 214
8.6.1. File Integrity 214
8.6.2. Event Monitoring 214
8.6.3. Web Server Status 220
9. Infrastructure 231
9.1. Application Isolation Strategies 232
9.1.1. Isolating Applications from Servers 232
9.1.2. Isolating Application Modules 232
9.1.3. Utilizing Virtual Servers 233
9.2. Host Security 234
9.2.1. Restricting and Securing User Access 234
9.2.2. Deploying Minimal Services 235
9.2.3. Gathering Information and Monitoring Events 236
9.2.4. Securing Network Access 237
9.2.5. Advanced Hardening 239
9.2.6. Keeping Up to Date 240
9.3. Network Security 240
9.3.1. Firewall Usage 241
9.3.2. Centralized Logging 241
9.3.3. Network Monitoring 242
9.3.4. External Monitoring 243
9.4. Using a Reverse Proxy 244
9.4.1. Apache Reverse Proxy 245
9.4.2. Reverse Proxy by Network Design 248
9.4.3. Reverse Proxy by Redirecting Network Traffic 248
9.5. Network Design 249
9.5.1. Reverse Proxy Patterns 250
9.5.2. Advanced Architectures 254
10. Web Application Security 265
10.1. Session Management Attacks 267
10.1.1. Cookies 267
10.1.2. Session Management Concepts 269
10.1.3. Keeping in Touch with Clients 269
10.1.4. Session Tokens 270
10.1.5. Session Attacks 270
10.1.6. Good Practices 272
10.2. Attacks on Clients 273
10.2.1. Typical Client Attack Targets 273
10.2.2. Phishing 273
10.3. Application Logic Flaws 275
10.3.1. Cookies and Hidden Fields 275
10.3.2. POST Method 276
10.3.3. Referrer Check Flaws 277
10.3.4. Process State Management 277
10.3.5. Client-Side Validation 278
10.4. Information Disclosure 278
10.4.1. HTML Source Code 278
10.4.2. Directory Listings 279
10.4.3. Verbose Error Messages 281
10.4.4. Debug Messages 282
10.5. File Disclosure 283
10.5.1. Path Traversal 283
10.5.2. Application Download Flaws 283
10.5.3. Source Code Disclosure 284
10.5.4. Predictable File Locations 285
10.6. Injection Flaws 287
10.6.1. SQL Injection 288
10.6.2. Cross-Site Scripting 293
10.6.3. Command Execution 297
10.6.4. Code Execution 298
10.6.5. Preventing Injection Attacks 299
10.7. Buffer Overflows 300
10.8. Evasion Techniques 301
10.8.1. Simple Evasion Techniques 301
10.8.2. Path Obfuscation 302
10.8.3. URL Encoding 303
10.8.4. Unicode Encoding 304
10.8.5. Null-Byte Attacks 305
10.8.6. SQL Evasion 307
10.9. Web Application Security Resources 307
10.9.1. General Resources 307
10.9.2. Web Application Security Resources 308
11. Web Security Assessment 309
11.1. Black-Box Testing 310
11.1.1. Information Gathering 311
11.1.2. Web Server Analysis 322
11.1.3. Web Application Analysis 330
11.1.4. Attacks Against Access Control 332
11.1.5. Vulnerability Probing 333
11.2. White-Box Testing 334
11.2.1. Architecture Review 335
11.2.2. Configuration Review 336
11.2.3. Functional Review 340
11.3. Gray-Box Testing 343
12. Web Intrusion Detection 345
12.1. Evolution of Web Intrusion Detection 345
12.1.1. Is Intrusion Detection the Right Approach? 347
12.1.2. Log-Based Web Intrusion Detection 347
12.1.3. Real-Time Web Intrusion Detection 348
12.1.4. Web Intrusion Detection Features 348
12.2. Using mod_security 352
12.2.1. Introduction 353
12.2.2. More Configuration Advice 363
12.2.3. Deployment Guidelines 366
12.2.4. Detecting Common Attacks 369
12.2.5. Advanced Topics 374
A. Tools 381
A.1. Learning Environments 381
A.1.1. WebMaven 382
A.1.2. WebGoat 383
A.2. Information-Gathering Tools 385
A.2.1. Online Tools at TechnicalInfo 385
A.2.2. Netcraft 385
A.2.3. Sam Spade 386
A.2.4. SiteDigger 387
A.2.5. SSLDigger 388
A.2.6. Httprint 389
A.3. Network-Level Tools 390
A.3.1. Netcat 390
A.3.2. Stunnel 391
A.3.3. Curl 392
A.3.4. Network-Sniffing Tools 393
A.3.5. SSLDump 393
A.4. Web Security Scanners 394
A.4.1. Nikto 394
A.4.2. Nessus 395
A.5. Web Application Security Tools 396
A.5.1. Paros 396
A.5.2. Commercial Web Security Tools 397
A.6. HTTP Programming Libraries 398
Index 401
Additional information: First published in March 2005. Digital reprint published in April 2010.
