Apache’s market share dropped below 50%

Netcraft once again released a web server survey. And for the first time in several years Apache’s market share for active sites dropped below 50%.

Yet again bad news for Apache. While it is still the leader, its market share for active sites dropped below 50% according to Netcraft. To underline the development with Netcraft’s words:

While that’s still a considerable lead, Apache had a 33.4% advantage at this time last July, meaning Microsoft has cut its deficit in half in the past 12 months.

I already asked about the reasons behind this on-going development – and got many insightful answers.
And these answers indicate that this is an ongoing development which will not change for the near future. It has nothing to do with the GoDaddy move or the Google web server analysis change btw., but it has a lot to do with integrated tools, languages and services, market strategies and user friendliness.

Usually I would not have any problem if there are competing products and if one product gains market share at the expense of another. However, the only web server really gaining market share is IIS, and Microsoft has yet to prove that there will not be another “browser war” with closed source extensions only Microsoft’s products can handle. The web is one of the few places which Microsoft failed to pollute with proprietary stuff. It would be a pity if that changed.

Anyway, I still wonder if the Apache guys are actually reacting to this development in any way – or if they just remain calm and hope that this development will cease sometime somehow. I really hope that they come up with a good counter-strategy. It couldn’t hurt anyway…

Application-wise network filtering on Linux? [2. Update]

Recently I was asked if Linux supports application-wise network filters. Despite the debatable sense behind such a function I was interested in the technical possibilities and current implementations. It turned out that there is currently no active project.

Background

Application-wise network filtering is a controversial topic: in Windows such frameworks are quite common (ZoneAlarm, Norton Internet Security) and are the nightmare of every Help Desk. Additionally they are designed to interact with the user who most often has no idea – and they tend to spread fear among the users to show how “effective” they are while there is nothing to fear.

For Linux it was often mentioned that application-wise network filters are not needed since Linux cannot be infected as easily as Windows. However, I could imagine other tasks: think for example of computers you offer to your children or to customers, locked down with programs like KDE’s Kiosk. In such cases you would also like to make sure that no one can simply copy an executable and try to launch it to access the Internet somehow. And there the possibility of application-wise network filtering would come in handy.

User friendly solutions

So I searched a bit for existing implementations. It turned out there are three projects which once tried to implement this task together with a handy GUI: Systrace, Tuxguardian and Program Guard.

While the scope and the technical details of all attempts vary, they all share that an additional kernel module is needed to get them running. Together with the module you also get a user space program which lets you control which application is allowed to access the Internet and which is not. So they all fulfil the mentioned needs.
However, all these projects seem to be more or less dead – none of the mentioned programs had any update in the last 12 months, meaning that they are very likely abandoned. It is unlikely that you can compile the over a year old modules on today’s kernels, making these programs useless.

Theoretical solutions

But at least in theory there is also another way: I was told that application-wise network filtering can also be achieved with SELinux. It does require a certain amount of own work (creating new policies and so on), but it is possible. Also there is work ongoing to make it easier to lock down a system in this regard.
So while it is supposed to be possible, it cannot be compared in terms of user friendliness to the already mentioned solutions in any way.

AppArmor, another well known security solution for Linux, can only confine programs it was configured for beforehand. Therefore any new application can do whatever it wants. But yet again there are at least some thoughts that it would be nice to allow only “trusted” applications to access the Internet.

The last program I found was LIDS – like SELinux it is an implementation of mandatory access control and therefore should be able to lock down a computer appropriately.
But while there is a LIDS patch available for kernel 2.6.21, the documentation is outdated and I wasn’t able to figure out if LIDS can really be used for the mentioned filtering.

Conclusion

So the bottom line is that there is currently no easy way to implement application-wise network filtering, afaik. It can be discussed how useful it is anyway, but from the technical point of view this is sad.

Update:
Many users responded to the question raised here. The most notable comments are:

  • Kai mentioned that iptables can filter by commands, but also pointed out that this feature was dropped.
  • SMP also suggested iptables, this time pointing to the possibility of filtering by UID as a workaround.
  • Chad Sellers posted a link to Tresys which offer a solution based on SELinux.
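To make the UID-based iptables workaround from the comments concrete, here is an added example (not from the original post or any of the mentioned projects): the application is run under a dedicated UID, and the `owner` match rejects all outbound traffic from that UID except an allow list. The function names (`filter_app`, `rule_count`) and the sample UID 1500 are this example’s own; it only prints the rules so they can be reviewed before applying them as root.

```shell
#!/bin/sh
# Generate iptables rules that implement per-UID outbound filtering.
# Caveat the comments already hint at: the owner match identifies the
# *user* that opened the socket, not the binary, so the application must
# be started under its own UID (e.g. via su/sudo) for this to act as an
# application filter. Rules are printed, not applied; pipe into sh as root.

# filter_app UID "PROTO:PORT ..."  -> iptables commands for the OUTPUT chain
filter_app() {
    uid="$1"; allow="$2"
    # Keep loopback open so the application can still reach local services.
    echo "iptables -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
    # One ACCEPT per allowed protocol/port pair.
    for rule in $allow; do
        proto="${rule%%:*}"; port="${rule##*:}"
        echo "iptables -A OUTPUT -p $proto --dport $port -m owner --uid-owner $uid -j ACCEPT"
    done
    # Everything else from this UID is logged (visible in syslog/dmesg) and rejected.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j LOG --log-prefix \"uid$uid-drop: \""
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# Number of rules produced for a given policy; handy as a sanity check.
rule_count() { filter_app "$1" "$2" | wc -l | tr -d ' '; }

# Sample policy (constructed): UID 1500 may only speak HTTP and HTTPS.
filter_app 1500 "tcp:80 tcp:443"
```

Because the match is by UID, two applications sharing the same user cannot be told apart, which is exactly why the commenters call this a workaround rather than true application-wise filtering.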

Thanks for all these helpful and interesting comments, I really appreciate that.

2. Update:
Two other ways of filtering were proposed:

  • A possible solution could be a system monitoring the PIDs and UIDs dynamically to create iptables filter rules related to the appropriate PID.
  • Marian suggested NuFW, a Netfilter/Iptables based filter extension which requires a user to authenticate and therefore is capable of filtering based on different users and protocols. NuFW is more designed for corporate environments but nevertheless is an interesting solution.

Special thanks for insightful and helpful comments to blackhole, SM and SMP!