Hacking Linux Exposed, Second Edition
HLE on the other hand was much more like a good textbook -- it taught you how to think about security, to see how each problem was caused and how to combat them. As the years went by, my copy of HLE was still as useful as it was the day I got it. For this reason, I was skeptical what they could put into a second edition -- the first seemed to stand the passage of time just fine.
Nonetheless, I bought it, and was surprised to find that the second edition is even stronger than the first, yet they have made it still work on its own -- you don't need to buy the first edition to have a complete understanding of Linux security. You should probably read their reviews page which has links to reviews of the original, as well as the Slashdot review from last time which have detailed breakdowns of what you'll find. I'll concentrate on the changes in this review.
The new edition deprecates or cuts a lot of old material that is no longer applicable -- the emphasis is on OpenSSH configuration vulnerabilities, rather than RLogin/RSH/etc, for example, which is fine since no Linux system comes with Rlogin installed by default any more. The second edition is 100 actual pages longer, but due to the condensing of old material, it's effectively 200 pages longer at least. They took out some of the material that isn't needed in the paper copy and put it online too, which was a great idea.
So, from my perspective, here are the noticeable differences:
- More tools are covered in detail -- Exim gets equal play with Sendmail and friends, DJBDNS gets covered as much as BIND. (For configuration, that is. Nothing can match BIND for vulnerabilities.)
- There's a whole new Denial and Distributed Denial of Service chapter, that covers the gamut - much more than just your simple TCP-connect floods.
- There are three new chapters about post-system-compromise tricks the crackers will play on you, showing you exactly what kind of things you'll need to clean up if they get in. This stuff was absolutely amazing, and the authors could probably write a whole book on this if they wanted to.
- More distribution-specific information.
- Step-by-step instructions on how to patch and rebuild your kernel using the existing kernel configuration parameters, detailed enough that any newbie could do it. They have specific variants for Red Hat and Debian as well.
- The best discussion of network-based attacks (ARP spoofing, Man-in-the-middle, session hijacking, etc) in any book, anywhere. You could easily use the stuff in this chapter to take over Windows machines too.
- More custom tools and code than before.
- Just passing references to things like the Morris worm, the Ping of death, ipfwadm, and other hacks and tools that are so old and irrelevant today that they shouldn't be discussed in depth any more. They get their nod, but the authors spend quality time with things of current relevance only, rather than wasting the space just to make the book look thick.
- Even more integration with the website.
That last one needs a bit of explanation. Brian Hatch, the lead author of HLE, has a weekly security newsletter called Linux Security: Tips, Tricks, and Hackery. (You can read the article archives or subscribe.) These often have very detailed implementation instructions, such as installing DJBDNS and migrating away from BIND, or using /proc to investigate cracker activities, and occasionally have contests too.
The nice thing is that Hatch has built up a body of free online instructions, and thus rather than copying and pasting them into HLE, he can point to the online articles from within the book. This saves lots of paper, and keeps you focused on the goal of the book -- to learn attack methodologies and how to stop them.
One thing that these guys prove in their book is that "code is speech." Rather than having wordy passages such as "The user then needs to run the command 'nc client-ip-address 80' on server 'freddie' from the /etc/ directory, where client-ip-address is the actual IP address of the target, and type ..." they show it all through a command-line view, embedding this extra location and user information in the prompts and formatting (bold/italics/etc) like this:
jdoe@freddie:/etc$ nc client_ip 80
GET /some/web/page
<head><title>This is some web page</title>
...
They always show you what's actually going on behind the scenes -- an actual SMTP or POP conversation for example -- so you know how things really work, rather than living in a black box where Nessus says "vulnerable" and you don't know how to determine it on your own.
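The behind-the-scenes view the review praises, as an added example that is neither the book's code nor part of this page: a Python script that speaks HTTP by hand over a plain TCP socket, the way the nc session above does, against a constructed local web server started in the same process so it runs offline. The server, the page body and the hypothetical helper names (`start_server`, `raw_get`, `demo`) are assumptions made for this example. The point is the one the review makes: you see the literal request bytes go out and the literal status line, headers and body come back, rather than a tool's one-word verdict.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _PageHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the web server the nc example talks to."""

    def do_GET(self):
        body = b"<head><title>This is some web page</title></head>\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the demo quiet; the raw exchange is what we want to look at.
        pass


def start_server():
    """Bind a throwaway HTTP server on a free loopback port and serve it in
    a background thread. Returns the server so the caller can stop it."""
    srv = HTTPServer(("127.0.0.1", 0), _PageHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_get(host, port, path="/some/web/page"):
    """Do what 'nc host 80' plus a typed GET line does: open a TCP socket,
    send an HTTP/1.0 request by hand, read until the server closes, and
    split the reply into (status_line, headers_dict, body)."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:          # HTTP/1.0: server closes after the reply
                break
            chunks.append(data)
    reply = b"".join(chunks)

    # The head ends at the first blank line; everything after it is the body.
    head, _, body = reply.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def demo():
    """Run the whole exchange against the constructed local server."""
    srv = start_server()
    try:
        return raw_get("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()


if __name__ == "__main__":
    status, headers, body = demo()
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print()
    print(body.decode("utf-8", errors="replace"))
```

Running the script prints the status line, every header the server sent (including the Server and Date lines the handler adds on its own), and the page body, which is exactly what scrolls past in an interactive nc session; reading the reply until the peer closes is what makes the HTTP/1.0 request line the right choice here.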
Here's a very quick table of contents:
- Part I: Linux Security Overview
- Chapter 1 -- Linux Security Overview
- Chapter 2 -- Proactive Security Measures
- Chapter 3 -- Mapping Your Machine and Network
- Part II: Breaking In from the Outside
- Chapter 4 -- Social Engineering, Trojans, and Other Cracker Trickery
- Chapter 5 -- Physical Attacks
- Chapter 6 -- Attacking over the Network
- Chapter 7 -- Advanced Network Attacks
- Part III: Local User Attacks
- Chapter 8 -- Elevating User Privileges
- Chapter 9 -- Linux Authentication
- Part IV: Server Issues
- Chapter 10 -- Mail Security
- Chapter 11 -- File Transfer Protocol Security
- Chapter 12 -- Web Servers and Dynamic Content
- Chapter 13 -- Access Control and Firewalls
- Chapter 14 -- Denial of Service Attacks
- Part V: After a Break-In
- Chapter 15 -- Covert Access
- Chapter 16 -- Back Doors
- Chapter 17 -- Advanced System Abuse
- Part VI: Appendixes
- Appendix A -- Discovering and Recovering from an Attack
- Appendix B -- Keeping Your Programs Current
- Appendix C -- Turning Off Unneeded Software
- Appendix D -- Case Studies
The other nice thing is the authors have put all their source code, tools, and example cracks online for free download, released under the GPL. You may notice that you need to type a password to get in, but if you have half a hacking cell in your body, you'll find that the authors think a password requirement is as stupid as we do.
If I could change one thing about this book, it would be the risk ratings. These are the dumbest things I've seen. These are little boxes at the beginning of each 'Attack' that list three values: "Popularity", "Simplicity" and "Impact." It then averages these and comes up with a risk rating. Since all the Hacking Exposed books have them, I can only assume it was a requirement of the publisher -- I don't know if Hatch and Lee care for them one bit, but I can tell you I find them useless. (Of course, I give this book a 10 in spite of this fact.)
These numbers are presented as quantitative, but they can't possibly be. I can argue for many different values in each category, so what does the rating actually tell us? For example, take open X11 servers. Impact could be 10 because you could type a root password that's intercepted, or it could be 7 because it only gives you user-level access. Popularity could be 3 if you say most people don't set it up this way, or you could say it's 9 because many crackers look for open servers. I'd rather they just used impact, gave it a scale of 1-10 and were done with it. The popularity and simplicity factors override the impact in too many cases to make the final value anything but specious.
Aside from that drawback, which is easily ignored, the book is absolutely solid.
When I was about to buy my copy, I noticed that the authors are donating all online proceeds to the Electronic Frontier Foundation, so you should order through their website, regardless what the Slashdot link may be. ;-)
In my opinion, there's no Linux user who should be without this book. It's 720 pages of answers you need to keep yourself secure from the blackhats, or 720 pages of ways to become a blackhat yourself, depending on your ethical alignment. Either way, you won't be able to put it down, except to type as you follow along.
If David did not convince you otherwise, you can purchase Hacking Linux Exposed, Second Edition from bn.com.
I was planning on doing a review of Hacking Linux 2nd edition, but obviously was too late. The one above is accurate, but not helpful if you didn't read the first ed. Here's my more descriptive review of the book's contents:
Hacking Linux comes in six parts, each of which is worth the price of the book in whole. Part one: security overview covers all the basics like file permissions, setuserid problems, buffer overflows/format string attacks, tools to use before you go online, and mapping tools like nmap. Part two comes in from more of the hacker angle with social engineering and trojans, attacks from the console, and then concludes with two excellent chapters about network attacks and TCP/IP vulnerabilities.
All the stuff to this point assumes the hacker is on the outside. Part three takes over and shows you what the hacker will do once they've gotten on, such as attacking other local users including root, and cracking passwords. It becomes obvious that you need to protect things from insiders as much as from the outsider, because the outsider will usually get in as a normal user first, and if you can prevent him or her from getting root access, the damage cannot be nearly as severe. A lot of books don't cover this angle at all, and it's done superbly here.
Part four covers common problems in internet services. First they discuss mail servers. Sendmail, Qmail, Postfix, and Exim each get covered in detail - it's nice to see more than just Sendmail discussed in a security book. Of course, it'd be even nicer to see something other than Sendmail installed on a Linux machine by default. Next they cover problems with FTP software and problems with the FTP protocol. I'd never seen "beneath the hood" and realized how weird FTP really was, and why it's not supported by firewalls very well, and the authors show you the inner workings of it so anyone can understand the problems. They continue with Apache and CGI/mod_perl/PHP/etc problems, both from a coding standpoint and how to secure against outsiders and your own web developers. Next it's on to Firewalls (iptables and TCP wrappers) and lastly (distributed) denial of service attacks. The countermeasures for the DoS problems are excellent, and a must for anyone with a server.
Part five covers everything a hacker can do once they've broken in. They describe trojan programs, trojan kernel modules, and configuration changes that can be used to keep root access, or hide the hacker activity, or let them get back in should the computer be partially fixed. This was not only complete, but scary in how many different things they showed. It works both as a blueprint for what you need to defend against, how to clean up after a hacker has gotten in, and also how you could back door a machine if you get in. I'll leave the ethics up to you.
Lastly we have part six, which is the appendices. While most times I ignore appendices, these are really an integral part of the book, and are referenced throughout the book all over. (This is very good, because it keeps the book from having too many repeated countermeasures.) They discuss post-breakin cleanup, updating your software and kernel, and turning off daemons (both local and network ones) and a new case study. The book is good about covering Linux from a distribution-agnostic standpoint (it doesn't assume you use RedHat, unlike everything else out there) but in these appendices they cover the differences you may encounter. They show you how to use dpkg/apt-get as much as RPM as much as .tgz packages, discuss both inetd and xinetd, and even svscan/supervise. They are extremely complete.
Hacking Linux Exposed 2nd Edition is required reading for anyone with a Linux machine, period.
This is a good series for a person with an average level of experience to get some form of understanding of what sort of exploits are out there. Many of these computer security type books go a little too much for the hype (watch out for the 31337 haX0rz!) and not enough stepping you simply through why and how an exploit works. Someone new to Linux admining will pick up more about Linux security reading this book than they will many others. It contains a good list of the most popular exploits. Of course your box won't be entirely secure if you read this book (security is a process) and to a seasoned sysadmin much of this will be old hat. It will however mean that your system is probably less hackable than some other administrators' who have a similar level of experience but haven't read this book.
This series' Windows 2000 offering is very good as well - not a lot of hype but tends to get down to the brass tacks of how to start to secure an out of the box installation.
The only problem with these books is how quickly they do become dated. You won't get an amazing amount of use out of them in 5 years' time except for as some sort of historical perspective. Not a lot of depth into the methodology of locating exploits - just more a list of exploits and how to understand their use.
For a quick bulleted list:
The only exceptions to this rule are the front and back cover, on which we were either overruled, or gave up the good fight.
The HLE authors have a Windows vs Linux Security Challenge where they want to have a Linux security team and a Windows security team install and secure a Linux and Windows machine at the same time, documenting what they do and how long their machines are vulnerable. I'd love to see this. It'd be a great way to see exactly how bad Windows machines are for both generic installation (imagine counting the number of reboots for one vs the other as you update service pack after service pack, a reboot after installing IIS, another when you change your password ;-) and security (locking down the machine so that IIS doesn't have a billion holes from the default installation).
I'd pay good money to see this.
I would recommend "Securing and Optimizing Redhat Linux," which goes into great detail, down to recompiling packages for greater security, exactly what permissions to set on specific files, etc. Its only drawbacks are: it's specific to Redhat, and only covers versions up to 6.2. Still, there's some good general advice that is applicable to other distributions.
For the last quarter I think we got $150 from Amazon and about $10 from B&N which we'll be sending to EFF. Not much, but it's a good way to funnel money their way. I particularly like the irony of having Amazon, creators of some pretty questionable patents, paying EFF.
An even better way to support the EFF is for you to find the cheapest copy of HLEv2 you can get at a local book store (save on shipping) and then donate the difference to EFF directly. Or don't get HLEv2 and send the whole shebang to EFF.
Become an EFF member or donate at www.eff.org.
No, I'm not affiliated with them, other than being a paying member, but I endorse them. And some day I may need them to defend me, given that HLEv2 can be considered a tool that could be illegal under the DMCA.
In actuality, there are about 200 new pages, since we cut out a lot of older stuff, condensed things that are not as relevant that still deserve a good nod, and put the original three case studies online instead.
Chapter 10 grew to be three chapters all told. Chapter 11 needed to be split because it was too big for both Mail and FTP in one chapter. We covered many new attack methods and tools. Everything grew substantially, in spite of trimming out the old and tightening up what we had.
And we fixed a bunch of errors and added completely new ones.
Everything in HLEv1 is still valid. If you own the first, I'd suggest you compare the contents of the two books to decide if you want it or not. Or browse it at the store. Unfortunately, the sample chapter is again chapter 1, which is one of the least modified chapters, so it doesn't give you the best indication of what's new.
This is my best stab at a response. I am so much not a marketing guy, I'm a geek.