Book review: Hardening Apache by Tony Mobily
Short URL: http://fsmsh.com/1276
- 2006-02-12
- Published on web | Easy
A recent Netcraft survey found that approximately 67% of websites (two-thirds of the entire internet!) are served with Apache. With such a large number of administrators using Apache on their servers it stands to reason that a large number of crackers will focus their attentions on cracking it. That’s where “Hardening Apache”, a book by Free Software Magazine’s own excellent and keen-eyed Editor In Chief, Tony Mobily, comes in (it was just a little plug). The book lists ways to make your server more secure, and how to keep good server administration habits that will keep your server protected.
The contents
This book is very in-depth and technical, and it shows that Tony has researched this subject very well. Everything an administrator would need to get their Apache server nailed down is discussed, with specifics on what to do and why to do it. This isn’t just a reference to the Apache documentation; it’s an all-out reference manual in its own right. Topics such as GnuPG, compiling Apache, editing the Apache configuration, installing modules, and security modules are discussed. This book lets you jump right in, extensively detailing the information administrators will need.
Ken Coar himself wrote the foreword and sums up why this book is so needed:
Despite the foregoing and the popularity of the Apache web server, there is a surprising dearth of authoritative and complete documents providing instructions for making an Apache installation as secure as possible… Enter “Hardening Apache”—Ken Coar (Apache Software Foundation)
Tony Mobily pulls together the critical parts of Apache security information and puts them all in one compact book. This is a must for all Apache administrators, and will probably be for some time to come.
This 270-page book is separated into seven chapters. In the first chapter, installation and configuration are discussed. The second chapter outlines some common attacks against Apache and how to prevent them. The third chapter describes both local and remote logging and various scripts that can make your server logging easier. The entire fourth chapter deals with cross-site scripting attacks (a.k.a. XSS) and methods of preventing them. Chapters five and six deal with Apache security modules and running Apache in a jail, respectively. Finally, in the seventh chapter, several bash automation scripts you can use to track your server are introduced.
On top of all that there are also three appendices that outline Apache resources and explain how Apache interacts with the “web” in general. There’s also a list of all the “checkpoints” from the chapters so you can make sure you’re up to speed on your security. That’s quite a lot packed into one book!
Who’s this book for?
This book is ideal for all *nix system administrators. Even if you think you know all there is to know about Apache security, you need this book! This book would be a perfect addition to any administrator’s bookshelf; the time-saving Bash scripts alone make this book a worthwhile addition (or gift) for administrators or part-time hobbyists (you know who you are).
Relevance to free software
This book describes the hows and whys of Apache, and since Apache itself is free software, this book inherits that. For those that want to use the Apache free software server, this is for you! A proprietary module is described, although the great majority of the modules described are considered under the realm of free software.
Pros
Tony Mobily pulls together the critical parts of Apache security information and puts them all in one compact book. This will be a must for all Apache administrators, and will probably be for some time to come. Just for the sake of making absolutely sure your server is secure, you’ll want this book!
Cons
It’s very in-depth and technical, and probably won’t be helpful to those not familiar with the Apache server software. New administrators should probably read an introduction to Apache and then start on this book. This book is also directed mainly toward *nix-based systems, so Windows and Mac users may find the examples and suggestions won’t work on their operating system.
| Title | Hardening Apache |
| Author | Tony Mobily |
| Publisher | Apress |
| ISBN | 1590593782 |
| Year | 2004 |
| Pages | 270 |
| CD included | No |
| FS Oriented | 10 |
| Overall score | 9 |
Copyright information
This article is made available under the "Attribution-NonCommercial-NoDerivs" Creative Commons License 3.0 available from http://creativecommons.org/licenses/by-nc-nd/3.0/.
Biography
Robin Monks: Robin Monks is a volunteer contributor to Mozilla, Drupal, GMKing and Free Software Magazine and has been helping free software development for over three years. He currently works as an independent contractor for CivicSpace LLC.





