Posted to users@httpd.apache.org by Felix Almeida <Fe...@rci.rogers.com> on 2014/05/30 18:31:22 UTC

[users@httpd] Recommendation for Apache security book

Hello,

I was assigned the task of preparing a security policy for Apache HTTP servers in my company and, although I have a few years of experience with it (mostly v2.2), I'd like to have more formal reference material on which I could base the policy.

Please, is there any good (and not so old) book on Apache security out there that you would recommend?

I know there is a lot of information on this subject on the net, but as far as I could see it only covers the basics like not using a privileged ID, locking down the binaries, logs and directories, .htaccess files, not allowing CGI scripts, etc., which I already know. I'm looking for a book that could cover the basics plus more advanced configurations, again mainly for v2.2 and perhaps also for 2.4.

Thank you!!






Re: [users@httpd] Recommendation for Apache security book

Posted by Steven Siebert <sm...@gmail.com>.
Check out the NIST and DISA checklist and STIG docs; they are good places
to start. Their checks are based on industry best practices and Apache
httpd CVEs.

http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip

http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip

Thank the US taxpayers =)

Regards,

Steve


