Slashdot Mirror


Linux Security Cookbook

Charles McColm writes "As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows. The truth is, I've never really paid much attention to Linux security, even on the Linux router I had running for a year. I always knew I should be concerned about security, but I never found a good starting point until I decided to review O'Reilly's Linux Security Cookbook (LSC)." Read on below for Charles' review.

Linux Security Cookbook
Author: Daniel J. Barrett, Richard E. Silverman & Robert G. Byrnes
Pages: 311
Publisher: O'Reilly
Rating: 9/10
Reviewer: Charles McColm
ISBN: 0596003919
Summary: LSC covers a wide range of security issues from installing an intrusion detection system to detecting network intrusions.

As the title suggests, LSC is a series of different Linux security "recipes." I found the cookbook-style of presentation both good and bad. Some recipes were a breeze to follow (such as the gpg recipes). Other recipes I felt could have been ordered a little better. The ipchains/iptables recipes in Chapter 2 are terrific, but I had to wait until the 19th recipe in the chapter to find out how to make the ipchains/iptables recipes stick. Though it makes sense to have saving a firewall configuration near the end of the chapter, I would have put the information after the first few recipes.

The only chapter that I glossed over was Chapter 4, "Authentication Techniques and Infrastructures." Chapter 4 covers Linux-PAM, OpenSSL and Kerberos. The chapter begins with a recipe for creating a PAM-aware application. I started to type in the C code but stopped a few lines from the end; it just didn't make sense for me to have this knowledge at this time. The introduction at the beginning of Chapter 4 is very good, but on the whole it is one of those chapters I've slotted for future reference. OpenSSH is discussed at the beginning of Chapter 4 but covered in more detail (an entire chapter) in Chapter 6.

The chapters I found most useful were those on intrusion detection systems (Chapter 1) and GPG (Chapters 7 & 8). Actually, I found almost all of LSC useful except the previously noted Chapter 4. Some of the programs covered in the recipes are ones I've never heard of before, John the Ripper for example. Other recipes cover programs I know I should check out (like Snort) but have never taken the time to.

LSC is for the most part very easy to follow. The authors have been very careful to mention when software (snort for example) might or might not be included and how to find and install it. I got tripped up a little in the first chapter (which covers tripwire), because I tried downloading and compiling the tripwire source found at the tripwire web site. I obtained the source from a couple of recommended sites. In one instance tripwire failed to compile correctly, in another it compiled but kept segfaulting when I tried to initialize the database. It wasn't until after I emailed O'Reilly that I saw mention further in Chapter 1 that tripwire is included with Red Hat Linux. One of the authors, Daniel J. Barrett, also emailed me to tell me that it was on the third CD - doh! The upside of this little tale is that I got to know aide (another intrusion detection system) a little better after I installed it on my Debian-based notebook.

I happen to think that computer books are overpriced. I have bought a number of $50-$90 computer books that ended up being doorstops after about a month and useless after a couple of years. Because of this experience I am a bit more stingy when shelling out for a computer book. Though I hate reading online documentation (I wear glasses and cannot stare at text on the screen for a long time), I have forced myself to read a lot more online documentation over the past year. This is one instance where I would be willing to shell out the $61.95 Canadian for a book. The Linux Security Cookbook covers a wide range of potential security problems and it presents its solutions such that each takes only a few minutes to implement.

I've saved what is actually covered in LSC for the end of this review. My intention in this review has been mainly to present my experience with LSC, so that other members who are also still desktop users, or who have never really been concerned with Linux security issues, can take away the fact that despite a few sticking points I found this book to be a great source of information on different Linux security issues. For those concerned with the meat of the book, here's how it breaks down:

1. System Snapshots with Tripwire
2. Firewalls with iptables and ipchains
3. Network Access Control (xinetd, inetd, preventing DoS attacks)
4. Authentication Techniques and Infrastructures (PAM, SSL, Kerberos)
5. Authorization Controls (su and sudo)
6. Protecting Outgoing Network Connections (OpenSSH)
7. Protecting Files (permissions, GPG)
8. Protecting Email (all popular mail user agents, SSL and SSH)
9. Testing and Monitoring (John the Ripper, Cracklib, Snort, tcpdump, syslog)

You really need to have a good look at the table of contents to get an idea of all this book covers. I have written about it from a desktop-user standpoint, but there are so many recipes that I couldn't cover everything. There are many great code snippets that more advanced users would find useful.

If you don't have an intrusion detection system, need to grant some of your users limited root privileges, have been using the default firewall rules (or don't have a clue about iptables/ipchains), haven't checked your system for root kits or insecure protocols, then the Linux Security Cookbook should be at the top of your reading list.



  1. But where is the recipe for by Anonymous Coward · · Score: -1, Troll

    Microwave BBQ ribs? That's what every Linux geek needs in a cookbook, a fast way to make ribs.

  2. Early post! by Anonymous Coward · · Score: -1, Troll

    the syphilitic donkeyfucker approves.

  3. Interestingly enough by Anonymous Coward · · Score: 0, Troll

    As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows. The truth is, I've never really paid much attention to Linux security,

    If you swapped "Linux" and "Microsoft Windows" in this paragraph, everyone would laugh at the "0wn3d n00b" and his clueless attempts at (in)security (LOLOLOL!!)

    As it is, I bet I'm the only one who points this out. I also bet I get modded troll. LUNIX FANBOYS 4-EVAH!

  4. Linux is NOT secure. by Anonymous Coward · · Score: -1, Troll

    This is probably going to get -1, but IT'S TRUE and I guarantee you that if I replaced Linux with Windows I would have got +5, funny! I know because I got burnt. The reason why is reiserfs, and the limitation that it can't support permission attributes, which means anyone can run programs with root privileges. That's why Red Hat seven uses Extended filesystem third edition (ext3). To prove my statement, type the following into a compiler, and run it. 99% of Linux computers will experience a buffer overflow, causing the registers on the processor to underflow and cause the processor to completely fuck up. You then have to wait about 30 minutes for the processor to lose its memory before it boots properly again.

    /* lincrash.c, by anonymous coword, this WILL screw your system, so don't compile it. */
    #include
    main()
    {
    printf("Linux is now crashing");
    for(;;){
    fork();
    }

  5. Re Trolls are NOT good by xyloplax · · Score: -1, Troll

    I know this is a bogus troll and it just maxes out the number of allowed processes.

    but try "code" next time and match your braces
    #include <stdio.h>
    #include <unistd.h>   /* declares fork() */
    int main()
    {
        printf("Linux is now crashing");
        for(;;){
            fork();
        }
    }

    --
    -- "You can lead a yak to water, but you can't teach an old dog to make a silk purse out of a pig in a poke" - Opus

  6. Linux is NOT secure. (with formatting) by Anonymous Coward · · Score: -1, Troll

    This is probably going to get -1, but IT'S TRUE and I guarantee you that if I replaced Linux with Windows I would have got +5, funny! I know because I got burnt. The reason why is reiserfs, and the limitation that it can't support permission attributes, which means anyone can run programs with root privileges. That's why Red Hat seven uses Extended filesystem third edition (ext3). To prove my statement, type the following into a compiler, and run it. 99% of Linux computers will experience a buffer overflow, causing the registers on the processor to underflow and cause the processor to completely fuck up. You then have to wait about 30 minutes for the processor to lose its memory before it boots properly again.

    /* lincrash.c, by anonymous coword, this WILL screw your system, so don't compile it. */

    #include
    main()
    {
    printf("Linux is now crashing");
    for(;;){
    fork();
    }

  7. Security my ass by Anonymous Coward · · Score: -1, Troll

    $ cat /dev/random > /dev/mem

    will crash Linux in less than a second

  8. HERE WE GO AGAIN! - GOATSEX REDIRECT. DO NOT CLICK by Anonymous Coward · · Score: -1, Troll

    The parent link is a redirect to goatse.cx. You don't want to go there.

    The "Hacking Linux Exposed" authors' mailing list signup is actually here. It's worth taking a look at.