Real World Linux Security, 2nd Edition
Who's behind this book?
The author of this book, Bob Toxen, is one of the 162 recognized developers of Berkeley UNIX. He has more than 28 years of UNIX and 8 years of Linux experience. Trivia from his resume includes that he was one of the four developers who did the initial port of UNIX to Silicon Graphics hardware, that he was an architect of the client/server system used by NASA's Kennedy Space Center, and that he wrote "The Problem Solver" column for the popular UNIX Review magazine. Currently he is president of Fly-By-Day Consulting, Inc., which offers Linux security consulting services.
The cover
The Real World Linux Security cover features Cerberus, the three-headed dog that guarded the entrance to Hades, the underworld of Greek mythology where the dead ended up. Cerberus was there to stop the demons of Hades from escaping into our world and, vice versa, to stop the living from entering Hades. Mr. Toxen draws a metaphor connecting the three-headed demon dog to the system administrator. How come? "This is not unlike the security aspects of system administrator's job and it certainly seems to require three heads to keep ahead of the problem," he notes.
Inside the book
From the introductory credits, you can see that this book will be an interesting read. The author has a great deal of expertise in the Linux/UNIX area, which lends credibility to the book's title, "Real World Linux Security." Another big plus is that the book has about 800 pages of valuable information, divided into these four interest areas:
- Securing your system
- Preparing for an intrusion
- Detecting an intrusion
- Recovering from an intrusion
- Weak and default passwords
- Open Network ports
- Old software versions
- Insecure and badly configured programs
- Insufficient resources and misplaced priorities
- Stale and unnecessary accounts
- Procrastination
If you are interested in various aspects and details on securing your system, you'll enjoy the first 400 pages of the book as it deals with:
- quick fixes for common problems (shutting down unnecessary services, using quality passwords, limiting access)
- common subsystem hacking (playing with sendmail, POP and IMAP servers, Samba, etc.)
- usual hacker attacks (rootkits, packet spoofing, man-in-the-middle and other common attacks)
- advanced security issues (Apache and web server security techniques, buffer overflows)
After securing your system, what should you do as the next step? Well -- secure it even more, of course. The second part of the book continues with hardening the system, which is a must when preparing for the possibility of an intrusion. A possible intrusion must always be on your mind, as no one is safe when connected to the Internet. Vulnerability scanners deployed by crackers don't see the difference between your home computer, a test e-commerce server and a big consultancy's server -- if you have a vulnerable service running, you'll probably get burned. This part introduces you to protecting user sessions with SSH, Virtual Private Networks, PGP/GPG cryptography, firewalls and DMZs, and preparing your hardware for security readiness. I should especially note the excellent coverage of iptables, with helpful rule sets both printed in the book and placed on the CD.
This publication also bears in mind the possibility of your system being compromised. It notes that probably 10-20 percent of the people reading this book will suffer a system break-in. By proactively monitoring your system and keeping up to date with security web sites, you can reduce the risk of someone hacking your system to a minimum. As a quality security book should, Real World Linux Security also deals with the system administrator's darkest moment -- a successful compromise. The author explains the steps of regaining control of your system, finding and repairing the damage, tracking the attacker, and sending him/her/them to prison.
As a notable addition, the author doesn't confine himself to Linux security alone. As a true expert in his field, he walks into some areas that are connected less with Linux than with security in general. One example is a 20-page chapter dealing with security policies. In this set of suggestions for decision makers, he guides us through the possible policies - from accounts and e-mail to network topology, problem reporting and even policies about policies.
Another good part that comes from Mr. Toxen's experience is the section called "Case Studies." The stories in this section describe actual cases that stand comparison with classics of hacking history like "Masters of Deception: The Gang That Ruled Cyberspace" by Slatalla and Quittner and "Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage." They range from old-school cat-and-mouse games with Berkeley sysadmins in the late seventies and virtual-machine trojans to recent issues such as easy DNS information changes and Microsoft's Visual Studio .Net shipping with the Nimda worm.
The CD-ROM
The accompanying CD-ROM contains the author's own software for instantly locking out attackers and alerting system administrators. There are also exclusive iptables and ipchains firewall rules, as well as a collection of tools for monitoring network health, detecting and reporting suspicious activities, securing backups, simplifying recovery etc.
The CD has two main folders: "book" and "net." The "book" folder contains up to 100 files, mostly written by the author especially for this book. These include the Cracker Trap software, sample iptables and ipchains scripts, and various useful programs for different security-related tasks. The other folder contains about 40 MB of security software that the author references in the book. The tools in this section include crack, firestarter, sniffit, John the Ripper, LIDS, netfilter, ntop, samhain, snort and more. As you can see, Mr. Toxen has really worked hard to make this CD a worthy addition to the book.
The verdict
After reading some of the comments on the first edition of this book and briefly looking over the chapters of this second edition, I knew it would be a great read. After reading it, I must say that "Real World Linux Security" is even better -- terrific, even. In its 800 pages, this book proves to be pure gold when it comes to all aspects of Linux security. Well written and filled with a lot of interesting tips and facts about securing a Linux environment, the book can be used both for building your knowledge and as a reference in your future security-related work.
Releasing a second edition of this book has proven to be a good choice, and I am really looking forward to a possible third edition.
An interview with the author is available here.
You can purchase Real World Linux Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Which is the problem, really. Why is this security stuff put on the user/administrator to do? This is OS-level work. The people who really need this book are the Alans and Linii of the world. It's their fault that Linux requires a 600 page book to make it usable, make them fix it.
*cough*debian*cough*
And his book is definitely on my "must buy ASAP" list!
:-)
For more info, refer to this interview on Linux Online and also to this article in UNIX Review.
I mean, the guy was already hacking UNIX systems when Bill Joy was his system administrator!!
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Could you please suggest a speed reading course that would allow me to read an 800 page book as fast as the /. book reviewers do?
"Make-Believe Windows Security"
While the review indicates LIDS is included on the CD, it does not mention whether it is well covered in the text. I believe a Linux security book could really benefit from including a good discussion of LIDS. I find the available LIDS documents a bit lacking, specifically in relation to applying LIDS to a real system, with real users, running real services.
Anybody know how LIDS is dealt with in this book?
SlashDot must have some deal worked out with BN* since they are recommending you buy reviewed books there when they can be bought much cheaper ($34.99 at Amazon) elsewhere on the web.
* Full disclosure: yes, I have a 'deal' worked out with Amazon in the form of their affiliate program, but it seems the typical shopper should care more about how much they are spending rather than where they are spending it.
Work for Change & GET PAID!
If it was windows security it would be 8,000
Real World is not in a geek's vocabulary; do they really think Linux people will buy this?
Note to self: get smarter troll to guard door.
If you're new to Linux security then this book may do you some good, but for those of us who have been around the block this book offers nothing new. It's still good reference, but if you already own one of the hundreds of Linux security books, this one offers no new info, just updated info.
I was going to put that on my list of things to watch out for.
They intend for you to find the person trying to break into your network...and beat them with the 800 page book...
Why call it "Real World Linux Security"? The book sounds more like a book on *NIX security to me. Is this because Linux is pop, or what? Sheesh. The writer was even a developer of Berkeley Unix. :-/
I demand the Cone of Silence!
If you run a server and have no idea how to secure it, this book will get you to plug all the obvious holes in short order.
After that it's just a question of how much time and effort you want to expend being safe from the more determined attacks. The strength of this book is that it is organized so you can get the most from your early simpler efforts, but still goes into as much depth as you need if you want to get really serious.
Recommended.
The accompanying CD-ROM contains the author's own software for instantly locking out attackers and alerting system administrators. There are also exclusive iptables and ipchains firewall rules, as well as a collection of tools for monitoring network health, detecting and reporting suspicious activities, securing backups, simplifying recovery etc.
When you say exclusive, I hear closed license. Is that the case? If I get the book, and look at the iptables and ipchains configs provided am I actually allowed to use it on my own firewall box? Am I allowed to recommend them to my friends? My employer?
The review says the author's own software is also included. What sort of license is it provided under? Is there a EULA with proscriptive provisions? Will I only find out about the license/EULA after I have bought the book and loaded the CD?
Non Sequitur \Non seq"ui*tur\ [L., it does not follow]
n 1: a reply that has no relevance to what preceded it
LOL, I haven't had that good a laugh in a while.
since, according to this very informed article, Linux is the most insecure OS. Not a troll:)
It's called real world linux use, but it will never be released, because I can't find any examples.
I can't believe B&N would sell this for $47... I guess they are relying on laziness. A few mouse clicks will generally yield better results.
Wasn't it just a few years ago when I was complaining that there was not enough focus on security? Now there are so many books it is almost annoying. Even casual admins or enthusiasts have that "Hackers Exposed" book.
At 800 pages, they MUST be re-inventing the wheel to some degree. A lot of those bullets in the contents seem like general things you should know about host-based security in general. Books like that usually annoy me - sifting through all that to get to the fresh information is tedious. I have an American attention span, damnit!
This book is a very level look at linux/unix security in general for the new admin, and even for the god-like admin there's something for you. The CD contains various utilities which the book explains the usage of. So you know how to set up a linux box and webserver, eh? Secure it! Great read... so far.
sgi has strong fast hardware; I wish I could say the same about IRIX.
Who's behind this book?
The author of this book, Bob Toxen, is one of the 162 recognized developers of Berkeley UNIX. He has more then 28 years of UNIX and 8 years of Linux experience. Trivia from his resume includes that he was one of the four developers who did the initial port of UNIX to Silicon Graphics hardware, that he was an architect of the client/server system used by NASA's Kennedy Space Center and that he wrote the "The Problem Solver" column for popular UNIX Review magazine. Currently he is a president of Fly-By-Day Consulting, Inc. offering Linux security-consulting services.
Yes, yes -- but is he qualified?
why run from Vincenzo?
Imagine how many pages a Windows security book would take.
RAID 1 reading: get a bunch of reviewers and make them read different chapters from different copies
RAID 0 reading: split the book in several parts and get a bunch of reviewers and make them read different chapters
Promise reading: get one reader to read the odd line numbers and another the even ones
bookpool
If you want to cheat Theo out of his hard earned money you can even ftp it (but that would be cheating).
Take that, Linux Goonies...
I had the 1st edition of RWLS and got the second (you can never have too many security books) but found that the 2nd suffered the same problems as the first. There is a lot of space wasted on stuff that's old and doesn't affect any linux machine from the last few years, because the author keeps going on about his heyday years of bsd - things that aren't relevant today.
There is a lot of stuff on the cd, but it seems like he's just plopped in stuff that he wrote for clients, without making it obvious where it is appropriate on my machine. I think he would do much better to avoid trying to be an authority on everything and point to texts where they are covered in better detail. Rather than writing half-assed iptables stuff, he should point to the Ziegler "linux firewalls" book, which is the true authority, where it has enough time to get the real coverage needed.
What I noticed about the new editions of both books is that HLE took out stuff that's no longer relevant and/or put it online instead, while RWLS just added (often repetitive) stuff. You get a much better bang for your buck with hacking linux.
Also, hacking linux is donating any money they make from sales to the EFF. See their site for more info.
http://online.securityfocus.com/archive/98/301300/2002-11-24/2002-11-30/0
I was watching this thread a while back that started out as "Are Bad developer libraries the problem with M$ software" and evolved into "Security Education in the Workplace".
Last night, I was wearing my defcon shirt while doing some Christmas shopping, and the kid behind the counter at Bookman's commented on it. Well, he turned out to be a THIRD year C.S. student from ASU... he bitched how ASU and his last professor stressed (crammed down his throat, he said) security, so now he doesn't care about writing with security in mind. No, he said he would never write code with security in mind.
He said he'd write the code but never personally use it.
I really lost all respect for him, and at first I was pissed, but then again, that can't be such a Bad thing.
I'm competing against the likes of him, and he just lowered the bar.
As the threads mentioned above point out, it's really about programmers and the entire IT infrastructure being educated about security. At least, our CTO and CIOs should be aware about security, and have the knowledge to know that the kid from ASU would be a liability to a company and their clients.
That's the second half of the problem. The second half is just lazy developers who just copy structures blindly or move strings blindly without any checks.
Ben, you've become an UberGeek! Take me as your padawan!!!
You can publish absurdly great books on computer security, but as long as the bean counters won't spend enough money training everyone from end users to sys admins about security, big companies and our private data will be at risk.
I wish I could say I had a solution to this problem (and no, converting the world to Linux won't help), but I don't.
Other Linux security book authors, on the other hand, clearly are in it for more than just books. Brian Hatch of Hacking Linux Exposed writes a free hacking newsletter every week (archives) as well as Security Focus stuff. Michael Bauer of Building Secure Servers with Linux writes articles for O'Reilly and is the security editor for Linux Journal.
Especially in the area of Linux, I expect to have experts. I've read RWLS 1, and was very disappointed in the amount of fear mongering vs useful security info.
Copyright is probably not as far-reaching as you believe - there are two reasons why his scripts might not even be protected by copyright, which is the basis of any special licence agreement.
In fact there are two reasons why it is probably not protected by copyright:
- Too simple: In most countries, copyright requires a certain amount of "creativity". A simple firewall script as it is shown in hundreds of tutorials may not fulfil this requirement.
- You won't copy it: Copyright protects not an idea (as patents do) but a concrete piece of code. If you catch the "idea" from his example code and do your own script (you should do this anyway), there's no problem with copyrights or licences.
It seems like the only obstacles to complete Linux security are the current slew of buggy user-land software that grant such. I use mostly LinuxFromScratch on a 164UX Alpha computer and install software the ol'-fashioned way by only downloading, building, and installing archived sources. I believe debian's Apt and RedHat's RPM are much too monologous within their simple user-land methodologies. To properly manage the software and security installed on any given workstation, it will require something much more sophisticated than Palladium. Now would be a good time to discuss Unix software as a whole in an attempt to build a more reliant and secure user interface, as well as the secondary goal of preventing Microsoft and the United States (government) from using contracts and intellectual property to defer freedom and/or security on their whim. A kernel-based real-time, on-demand, file auditing routine would make this possible. By any chance, would it be possible to filter binary code into a parsable markup language to filter for any exploits, or do we still have a long way to go and need to consider MONO? But I still digress; the user-land tools and their common-practice installation without fine-grained permissions is what kills many secure systems. All someone needs to do to exploit a system is telnet or ssh with a valid account name and password and the intruder has all the options of the system at their disposal. We have User, Group, Other, what else? I am thinking of a hundred security measures possible with dynamic symbolic linking of userland applications based on user and group permissions, but it looks much too difficult to implement because anything that breaks today's userland software is what determines the life of an operating system. Exception to Microsoft: they can change whatever they want and all the application programmers just release a patch because that's who they chose their "big daddy" to be: Microsoft.
But I'm sure you already Gnu that.
In vanilla 2.2 and 2.4 kernels, you don't have any additional kernel level controls (not counting filesystem controls, such as ext2/ext3's extended attributes, (chattr +i filename to make filename unchangeable, even by root, for example)) but you are effectively correct. However there are user-level tools you can use, such as libsafe and stackguard that can prevent many common attacks such as generic buffer overflows.
However there are various patches to the kernel that can provide much more finely tuned control of software. LIDS, GRSecurity, SELinux, and more can allow you to say exactly what a process can or can not do. By creating good rules for the software you need, you can effectively make root no more special than any other user. Only Apache can bind port 80, and no other port. Only ntpd can change the system time - not even root using 'date'. When you create an explicit list of what can do what (easiest by locking everything down and then adding permissions back in where needed) you will have a machine where a piece of software that is compromised only means it can function as it was built to - it has no new functionality it can abuse.
Now kernel patching is intimidating for many, which keeps them from trying these advanced security measures. However a new infrastructure is under development which can make this much simpler to use. LSM, the Linux Security Module, has been accepted into the linux 2.5 kernel, and it allows you to load or unload advanced linux kernel security systems at run time without the need for kernel recompilation. (This requires that an LSM version of the patch exists, which is the case with LIDS, GRSecurity, SELinux and friends.)
As these are more visible, they will become more mainstream. Debian has an SELinux installer, for example, which can let you boot a very secure version without compiling anything on your own.
Advanced linux security is here today if you want it.
I have the first edition and the license boils down to: purchasers of the book may use it on up to 10 machines that the purchaser admins. There is an email address if you are interested in using it on other machines or without purchasing a book.
By the way it's a really good read and I'd recommend it.
- chuck
The licence says people who buy the book can use his software without any problems...
I guess it depends on what they mean by exclusive. A search on dictionary.com yields several definitions for the word exclusive.
exclusive adj.
1. Excluding or tending to exclude
Yeah, pretty much sums up a firewall ruleset. Unless your FW ruleset is designed to allow everything, they do tend to exclude.
But my favorite definition is:
8. Catering to a wealthy clientele; expensive
Perhaps they are catering to the wealthy people who can afford to purchase the book and read the license agreement on the CDROM?
"The Real World Linux Security cover features Cerberus, the three headed dog that safeguarded the entrance to Hades. Hades is an underground place from Greek mythology where deceased people ended up."
Please correct me if I'm wrong but I believe that Cerberus is the Latin spelling and Kerberos (the security framework we all know and love... or not) is the Greek spelling.
It's very appropriate that a beast that guards something is an icon for security, and at the same time ironic that what it's guarding (one's network) is "where deceased people ended up". I know /.'ers have particular attitudes about their users, but give me a break!
Ha ha, some punk kid who got moderator privileges couldn't handle the truth in your statement and modded you down.
'Real World' original agitator (well from the SF series). You think he hacks linux between avoiding cars as a bike messenger?
Thank you for the info!
+1, knows how to use a dictionary
To begin with, I got a lot of useful information out of this book. Bob Toxen knows his stuff, and he does a reasonable, if not superb, job of explaining it.
However...
Had it been on any other subject, I probably would have put it away and gone looking for a better book not long after buying it. The only reason it was as useful as it was to me was that at the time, it was the only Linux-specific security book I could find. While there is good information, it is incredibly badly organized. The various tips seem to be haphazardly scattered around the book rather than carefully organized into any coherent scheme; and what's worse, it's redundant. Badly redundant. As I recall, many passages and some paragraphs are repeated word-for-word at different places in the book. Security issues are sometimes covered twice over in different parts of the book, artificially inflating the content. Toxen also comes across as someone who thinks of himself as a real bad-ass cowboy of the UNIX world, which contrasts poorly with the professional, occasionally wry tone of the classic O'Reilly UNIX books to which this book must naturally be compared.
Basically, the first edition was a good collection of tips and tricks, although no more so than your typical top-tier UNIX security website offers. What it badly needed was the hand of a competent editor to clean up the writing and the organization. Hopefully this second edition received such a treatment.
--
CPAN rules. - Guido van Rossum
They're just his preferred scripts, etc. The 1st Edition had most of it under GPL or BSD licenses; the remainder were under a "free for personal use" licence as long as the original author is acknowledged. Most of the configs and scripts were printed verbatim in the text also.
C|N>K
Have you bought any books from this place? The prices look great!
-- I speak only for myself.
If you're trying to fault him for an allegiance to BSD instead of Linux, consider that his BSD work was 15 years before Linux even existed!
Doh!
I went to U.C. Berkeley with the author and have a very similar history to his (look for me in the book ;-). We both specialize in Linux these days, not BSD.
And yes, the book is about Linux.
What, you think that maybe if you open it, it would be all about BSD security despite the title??? Why comment about what you don't know and haven't bothered to check? Bizarre.
Professional Wild-Eyed Visionary
maybe because your mouth is busy full o' cock gobblin'.
Thanks for putting up the link to the article
I wrote with Bob for Unix Review; browsing it really brings back nostalgic memories.
Damn, that's funny, I wish I had some mod points.
Some day I will have mod points, so add me to your friends.
Thus, I give advice on how to recover a compromised system quickly. Other books say "re-install from scratch" or "recover from backup". If one has production data on it, these suggestions (from other Linux security books) would cause loss of that data. My techniques will save the data.
One Linux security book says not to remotely manage Linux firewalls because of the risk of locking oneself out or briefly opening up insecure access. I explain how to remotely manage Linux firewalls without the risk of locking oneself out or having even a nanosecond of insecurity. My techniques have worked well for my managing clients' firewalls around the world for three years.
I start with quick fixes for common problems that everyone can benefit from, especially those new to Linux security. Then I get into increased security in different areas, such as desktop systems, mail servers, web servers, etc.
Bob Toxen, Author, Real World Linux Security, 2nd Ed.
Security Consulting,
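The post above mentions managing a remote firewall without locking yourself out but not how. The script below is an added illustration of the usual fail-safe pattern, not the book's or Mr. Toxen's own code: snapshot the running ruleset, arm a watchdog that restores the snapshot unless the admin confirms from a fresh session, then load the new rules. It assumes iptables-save/iptables-restore and a root shell on the firewall; the command names, state directory and timeout are variables so the logic can be exercised with stand-in commands.

```shell
#!/bin/sh
# Added example (not from the book): load a new iptables ruleset over SSH with
# an automatic rollback, so a rule that cuts off the management session is
# undone without anyone touching the console.
#
# Assumptions (not from the page): iptables-save / iptables-restore exist and
# the script runs as root. NEWRULES is a file in iptables-save format.

IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}
STATE_DIR=${STATE_DIR:-/var/run/fw-apply}

# apply_with_rollback NEWRULES
#   1. snapshot the running ruleset to $STATE_DIR/backup.rules
#   2. start a background watchdog that restores the snapshot after
#      ROLLBACK_SECS unless $STATE_DIR/confirmed has appeared
#   3. load the new ruleset
# Returns 1 (after restoring the snapshot) if the new file fails to load.
apply_with_rollback() {
    newrules=$1
    mkdir -p "$STATE_DIR" || return 1
    rm -f "$STATE_DIR/confirmed" "$STATE_DIR/rolled_back"
    "$IPTABLES_SAVE" > "$STATE_DIR/backup.rules" || return 1
    (
        sleep "$ROLLBACK_SECS"
        if [ ! -e "$STATE_DIR/confirmed" ]; then
            # nobody confirmed in time: assume we are locked out, undo
            "$IPTABLES_RESTORE" < "$STATE_DIR/backup.rules"
            echo "restored previous ruleset" > "$STATE_DIR/rolled_back"
        fi
    ) &
    echo $! > "$STATE_DIR/watchdog.pid"
    if ! "$IPTABLES_RESTORE" < "$newrules"; then
        # the new file did not load at all; put the snapshot back now and
        # cancel the watchdog, since the old rules are already in place
        "$IPTABLES_RESTORE" < "$STATE_DIR/backup.rules"
        confirm_rules
        return 1
    fi
    return 0
}

# confirm_rules: run from a NEW ssh session once the rules are loaded.
# Getting a fresh session in proves the rules did not lock you out, so the
# watchdog is told to stand down and the new ruleset stays.
confirm_rules() {
    touch "$STATE_DIR/confirmed"
    if [ -f "$STATE_DIR/watchdog.pid" ]; then
        kill "$(cat "$STATE_DIR/watchdog.pid")" 2>/dev/null || true
        rm -f "$STATE_DIR/watchdog.pid"
    fi
    return 0
}
```

Typical use: `apply_with_rollback /etc/fw/new.rules` from the existing session, then `confirm_rules` from a second login; if the second login never succeeds, the old rules come back by themselves after the timeout.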
The book's author answered a direct question here...someone please mod this up to at least a 2 or 3 so that it stands out from the background (currently it's just a 1).
However, Aberdeen's analysis is flawed because it failed to weight each according to its severity (whether it offers a remote root or remote non-root vulnerability, what percentage of the installed base is vulnerable, etc.)
The reality is that many Windows vulnerabilities are the equivalent of a Linux "remote root" vulnerability and affect either every Windows system running IE or every Windows system that runs IIS. Most Linux vulnerabilities are not remotely exploitable and most of those that are affect only a small percentage of systems.
Using a valid analysis, a Linux system deployed for the same purpose as a Windows system (e.g., as a desktop system, web server, file server, mail server, or whatever) is far less likely to be violated, in my opinion.
Bob Toxen, Author, Real World Linux Security, 2nd Ed.
Security Consulting,
Regarding "ages old" stories in RWLS 2/e, my discussion of Microsoft's Korean version of .Net having shipped with Nimda was based on a June 2002 report. I then explain nine lessons that can be learned to avoid repeating Microsoft's mistake. For those who actually have read the book, this case study begins on page 387.
Bob Toxen, Author, Real World Linux Security, 2nd Ed.
Security Consulting,
Almost every issue discussed in the book can affect the newest Linux versions. Most of the problems of BSD that I discuss are in the category of "Those who fail to learn from history are doomed to repeat it".
Most of my original code on the CD was written for the book. While some of it, such as my substantially enhanced versions of Logcheck and Arpwatch, was written for clients, these are of general interest and I have sent my enhancements back to the authors for inclusion in their next versions if they desire. The use of each of my programs is discussed in detail in the book. Logcheck and Arpwatch each get about 5 pages under the obscure titles of "Using Logcheck to Check Log Files You Never Check" and "Using Arpwatch..."
RWLS 2/e covers many aspects of IP Tables that Ziegler's book does not. This includes how to safely debug a firewall remotely (Ziegler says not to bother), a detailed comparison of Tables to Chains for those considering switching, and tips and techniques for working with IP Tables or Chains.
RWLS's CD contains a complete IP Tables-based firewall rules script that does not need configuration, not even specifying one's external IP address because it figures it out automatically. Ziegler does not provide a CD.
Bob Toxen, Author, Real World Linux Security, 2nd Ed.
Security Consulting,
I just thought I would mention that this book will likely be on Oreilly Safari since the Rev. 1 is already there. I'm a big fan of Safari since I: rarely read a tech book cover to cover, I have a shelf of outdated tech books and I like their search features. [disclaimer] I have no affiliation with Oreilly Safari other than I subscribe to the service [/disclaimer]
What I meant was that different subjects mentioned in the post (like sendmail, Apache, SSH etc.) are quite the same in other *NIXes, like BSDs.
Even the "ideas" behind the firewall rulesets could be ported to other firewalls.
So even if some parts are particularly Linux, I got the impression based on the post that the 800 pages include information that could be useful to all *NIX admins. So I thought calling it UNIX security would broaden the reader community. :)
They are not _that_ different after all. :)
Good Book, But... I Think Some Of Us Are Still Waiting For The Hackers Bible "part2" Some call it the new hackers testament... That And A New Version Of Project Blue Book Unedited -Right?...