
Apache was originally the NCSA httpd. However, that server languished, and people had patches lying around to extend httpd to do what they needed or to fix bugs. Eventually a group of people got together and collated all the patches into one server, which was "a patchy server", hence "Apache".

Apache is one of the critical components of LAMP (Linux/Apache/MySQL/PHP).


Security in Apache

Apache recently featured in a list of security problems (http://isc.sans.org/top20.html). Apache is no more inherently insecure than any other web-based application; however, it can be installed and configured to be insecure. Points to note when installing, configuring and maintaining Apache include:

CGI scripts

CGI scripts are probably the biggest problem. Upload and CGI directories need to be distinct (so people can't upload "improved" CGI scripts) and the set of CGI scripts should be kept as small as possible.

Apache2 makes it easier to run different scripts as different users, rather than as the user that Apache itself is running as.

Chroot prisons

Chroot prisons limit the damage that can be done should an application be compromised. See chroot(2) for details. Apache2 has better support for this.

See also: HowToSecureProgramsHOWTO?, HowToSecurityQuickstartHOWTO?, HowToSecurityHOWTO? and http://httpd.apache.org/docs/misc/security_tips.html

Installation

If you're going to compile and install apache from source, use http://www.apachetoolbox.com/

Firewalling Apache

You probably should firewall the Apache user from connecting out to the InterNet unless you know that it actually has to. Doing this defeats many of the exploit attempts made against your website, because even if an attacker triggers a bug, the web server process cannot then connect back out. The same idea can be applied to other services.

# Both rules use --insert, so the LOG rule (inserted second) ends up above the REJECT rule:
# outbound TCP connection attempts (SYN) from www-data are logged, then rejected.
iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump REJECT
iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump LOG
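The two rules above block everything; in practice the web server usually does need to reach a few backends (a database, for instance). The following script is an added example, not from this wiki page, that generates the iptables commands for a dedicated chain with an explicit allow-list of host:port destinations ahead of the log-and-reject catch-all. It assumes iptables with the owner and limit matches; the chain name and the user/destination arguments are placeholders.

```shell
#!/bin/sh
# Added example: emit iptables commands that stop outbound TCP connections from the
# Apache user, except to an explicit allow-list. Only new connections (SYN) are checked,
# so replies to incoming HTTP requests are unaffected; DNS (UDP) is also unaffected.
# Usage: apache_egress_rules www-data 10.0.0.5:3306 10.0.0.6:5432  (constructed values)
apache_egress_rules() {
    user="$1"; shift
    chain="APACHE_OUT"   # dedicated chain, so the policy can be flushed and rebuilt as a unit
    echo "iptables --new-chain $chain 2>/dev/null || iptables --flush $chain"
    # Allow-listed destinations are matched first and RETURN to OUTPUT (connection permitted).
    for dest in "$@"; do
        host="${dest%:*}"; port="${dest##*:}"
        echo "iptables --append $chain --protocol tcp --destination $host --dport $port --jump RETURN"
    done
    # Everything else: log (rate-limited so a noisy compromise cannot fill the disk), then reject.
    echo "iptables --append $chain --protocol tcp --syn --match limit --limit 10/minute --jump LOG --log-prefix \"apache-egress: \""
    echo "iptables --append $chain --protocol tcp --syn --jump REJECT"
    # Hook the chain into OUTPUT for new connections owned by the web server user only.
    # The delete makes re-running the script idempotent (it fails harmlessly the first time).
    echo "iptables --delete OUTPUT --match owner --uid-owner $user --protocol tcp --syn --jump $chain 2>/dev/null"
    echo "iptables --insert OUTPUT --match owner --uid-owner $user --protocol tcp --syn --jump $chain"
}
```

Review the emitted commands, then pipe them to `sh` as root; the LOG prefix lets you grep the kernel log for unexpected outbound attempts from the web server.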