Hardening Apache

  Author:    Tony Mobily
  ISBN:    1590593782
  Sales Rank:    214701
  Published:    2004-05-17
  Publisher:    Apress
  # Pages:    296
  Binding:    Paperback
  Avg. Rating:    5.0 based on 8 reviews
  Used Offers:    11 from $10.47
  Amazon Price:    $26.99
  (Data above last updated:  2008-09-06 04:33:44 EST)
  
  
  

Hardening Apache explains how to configure Apache safely, and secure an existing installation. It covers the most important issues--like downloading, logging, and administration, as well as the most important security-oriented web sites. This book even discusses advanced system administration techniques, such as jailing Apache and securing third-party modules, and web-related RFC details.

If you are already familiar with computer security, this book will help you gain specific knowledge about Apache. Already acquainted with the problems and issues discussed, you will sharpen your understanding about how normal configuration problems apply to Apache and HTTP.

Even if your knowledge about computer security is insubstantial, you will still gain broad insight on secure system administration. You will be able to apply this knowledge base towards other daemons--and will see how important it is to configure daemons securely.

Reader Reviews 1 - 8 of 8 (sorted by newest first)

Each review below is headed by: Review Date, Rating (5 High), Review Helpful to Customer
05-07-07 4 (NA)
Assumes *nix?!
To be honest I have only made it perhaps 1/3 of the way into this book. I found it to be interesting, but what had not been clear or even mentioned in the book description was that the book seems to assume you are running Apache on Linux. For the rest of us, that is a huge bummer. I'm sure I will plow on, but the enthusiasm is somewhat gone, I wish authors or publishers would mention that sort of thing in the writeups.
(Review Data Last Updated: 2008-09-05 04:38:30 EST)
03-08-07 5 (NA)
super
Thanks a lot, we are very happy to have this book in our library!
(Review Data Last Updated: 2007-06-26 16:16:06 EST)
07-03-06 4 (NA)
To the point!
Hardening Apache by Tony Mobily is a book for server administrators who want to learn how to secure the Apache web server. On 260 pages, in a loosely howto-like fashion, the author covers all aspects of keeping intruders out of your web server.

In contrast to other books which appear to but usually fail in covering all aspects of Unix/Linux security, this volume explicitly takes on one program only: the Apache web server. After discussing installation and configuration as well as covering common attacks on the server, Mobily introduces logging and its security issues, and he presents some very interesting ideas for solutions. XSS is given its own chapter as are the Apache security modules: half a dozen server modules are described.

Apache goes to jail in chapter 6. Here the author describes setting up a chroot environment for the server and details how to get both Perl & PHP to work. The last chapter presents a number of useful shell scripts that can help a systems administrator to keep a watchful eye on her servers.

Together with the Apache documentation this book is an essential eye-opener for anybody who puts up an Apache web server to face a public network. I will be applying some of what I learnt from the book to our servers very quickly indeed! Even though it was published in 2004, Hardening Apache goes on my list of recommended books.
(Review Data Last Updated: 2007-06-26 16:16:06 EST)
02-01-05 5 7\10
Your return will exceed the price in a very short time
Computer security is hard, very hard. Any reasonable attempt to make a system secure has to involve more than a choice between {none, some security features, unusable}. There are so many different things that we want to do with our software and there are probably just as many ways in which it can be attacked. In order to be able to fend off attacks, it is necessary to know what kind of attacks can occur. Finally, many security procedures must be automated, which requires generic defense strategies that are capable of recognizing an attack when it differs slightly from one that has already been planned for.
This book about the Apache server does all of that, starting with which version to use and how to install it with security enabled at the appropriate level. After these topics are covered in chapter one, Mobily moves on to descriptions of the most common attacks in chapter two and logging the interesting events in chapter three. If you are versed in security, most of the material in chapter two will be familiar, but it is hard to overstate the importance of chapter three. Being able to read an account of what has happened on a system is the only way to prove that your security measures are working and the only way to learn when you are successfully attacked. Mobily also shows you the critical steps in testing to determine if your log system is actually working properly.
Chapter four is devoted to explanations of cross-site scripting attacks (XSS). This is an attack where a web page is designed to accept input, but that input may be used to drive erroneous results. A simple, yet excellent demonstration of how this can be done is presented. While it is not sophisticated, it demonstrates how careful you must be when accepting even the most basic of inputs from a web page.
Chapters five and six deal specifically with security in the Apache server. Five explains the security modules available in Apache and six describes how you can lock down Apache by "putting it in jail." These specifics, of which there are many, should be required reading for anyone who has any hand in managing an Apache server. The last chapter shows you how to automate the security functions, clearly necessary if you are ever to get any sleep.
There is a great deal of source code used to describe how the features are implemented. Demo code is in Perl, but XML, HTML and database access commands are used when appropriate.
All around this country, companies and organizations are quietly paying out large sums of money to settle issues when their computer security was lax. Sometimes that payment is through the legal system, but the vast majority does not appear on the books. Reduced efficiency of the server, dropped and misplaced orders and greater effort by the staff are just some of the consequences of security problems. This book should be mandatory reading for all people who manage an Apache server, at $29.99 a copy it will probably pay for itself in less than 24 hours.
(Review Data Last Updated: 2007-06-26 16:16:06 EST)
09-06-04 5 11\12
An excellent book filling a huge gap
Understanding how to configure Apache from a security standpoint properly is not easy since the related information is sparse and fragmented. This could be the reason why many web administrators are pretty clueless when it comes to Apache security and why so many web servers are vulnerable.

In this sense I think this book fills a huge gap, providing web administrators with a concise and yet complete guide aimed at taking them from the very beginning of the installation process through to the final steps of server configuration.

Information throughout the book is very well focused and is presented with a clean and friendly writing style. The book provides a clear and detailed walkthrough of the process of securing an Apache installation, covering both versions 1.3.x and 2.x and thus providing long lasting information. The book has lots of references and pointers to resources on the web, and - more importantly - instructions on how to read them.

Sure enough, the book requires some familiarity with Unix and Apache - this is not the kind of book you would buy to learn the very basics of *nix and web site administration.

I totally agree with what I've read before: every serious system administrator should have this book.
(Review Data Last Updated: 2007-06-26 16:16:06 EST)
08-28-04 5 12\14
Relevant even for application developers
I am not a server admin, but a web applications developer, so my opinion on this book has a very specific bias. I really enjoyed it, especially because similar material available on-line is usually scattered across a multitude of different sources. Most content is interesting even for application developers and I especially liked the chapters covering different security related modules.
The chapter on automation, being totally based around Bash scripts, was almost useless to me (but then, again, I am biased). The book is 100% Unix centric, it's somewhat of a shame, especially since Apache 2 on Windows is a viable option, but it's a choice I can understand.
(Review Data Last Updated: 2007-06-26 16:16:06 EST)
06-29-04 5 12\17
Accumulation of Apache security knowledge in one book
Apache is still by far the most common web server on the Internet. However, when the purpose of your computer is to allow access to your webpages by anyone on the Internet, security needs to be a primary concern. If you are serious about hardening your Apache server you will want to have this book.

Author Tony Mobily examines Apache security in detail all the way from making sure the initial installation package has not been hacked at the primary web server site through configuration and installation of security modules. The book has seven chapters that cover configuration, common attacks, logging, scripting attacks, security modules, using a jail, and automating security with scripts.

While the book does cover Apache on the various operating systems the focus is on a Linux install, which is appropriate since that is the most common place to install Apache. This is not a book that I would suggest for someone who is totally new to Apache or Linux, but if you have a passing familiarity with them then you will find this to be the missing information from other Apache books. No matter which Apache book you get to learn Apache, your library will be incomplete if it doesn't include "Hardening Apache".

(Review Data Last Updated: 2007-04-12 12:37:50 EST)
05-16-04 4 33\35
Valid for several years
It's quite rare that I get to review a book by a fellow Sandgroper (ie. person from Western Australia). The last time was for "Man Kzin Wars X" by Larry Niven and Hal Colepatch, with Colepatch being from WA.

So what is there to say about this book? Well, Mobily has brought under one cover various methods to strengthen Apache against incursions. There are several excellent books on computer security, but as a rule, they tend to survey the entire field. So if they mention Apache, space considerations if nothing else preclude extensive coverage. Here Mobily has made that a non issue.

Why Apache? It is probably the most common web server in use, edging out all proprietary rivals. Linux boxes run it by default. But it has also been ported to every other major operating system. So certainly Mobily has chosen a vital application to support.

How useful is this book? If you are a systems administrator and have been managing Apache for several years, you probably already know, or should know, the bulk of this book. But a lot of your Apache security experience may have been garnered in bits and pieces over this period, using information from disparate sources. Suppose instead you are installing it for the first time. The actual installation should be trivial. It is the multiple security issues that you have to get right.

Which is this book's virtue. It centralises the issues into an easily accessible form. Plus it is not dependent on the latest version of Apache. Barring a fundamental rewrite, which is unlikely because it is stable and well tested, Mobily's suggestions should stay fresh for several years.

(Review Data Last Updated: 2006-07-07 08:24:17 EST)
  

Because the data used to generate this site come from outside sources, VeryWellSaid.com cannot guarantee the completeness or accuracy of the data.