Slashdot Mirror


Practical Unix & Internet Security

Charles McColm writes "At just under 1,000 pages the 3rd edition of Practical Unix & Internet Security might look intimidating on the shelf, but a quick glance through the pages reveals that it is both practical and entertaining. With Slammer and Blaster making their way into the news it seemed like a good time to brush up on security. Already considered a classic reference, the 3rd edition of the book provides extensive updated information about topics like PAM (Pluggable Authentication Modules), LDAP, forensics, intrusion detection, wireless devices, and cryptography." Read on for the rest of McColm's impressions of the book.

Practical Unix & Internet Security

  • author: Simson Garfinkel, Gene Spafford & Alan Schwartz

  • pages: 954

  • publisher: O'Reilly & Associates

  • rating: 8/10

  • reviewer: Charles McColm

  • ISBN: 0596003234

  • summary: The 3rd edition of Practical Unix & Internet Security adds much-needed updated information to an already classic security text. It's very comprehensive but a little dry in parts.

Practical Unix & Internet Security is divided up into six sections:

The first section covers the basics of computer security, tracing the history of Unix and security, as well as providing details of what should be in a good security policy.

The second section covers the building blocks of security, authentication, users and groups, filesystems, cryptography, physical security for servers, and personnel security.

Network and Internet security are focused on in the third section, with emphasis on modems and dialup security, TCP/IP networks, securing TCP and UDP services, Sun RPC, NIS, Kerberos, LDAP, NFS, and SAMBA, and finishing up with a chapter dedicated to secure programming techniques.

Day-to-day operations are the focus of the fourth section. Keeping up to date, making backups, defending accounts, using integrity checking tools, and auditing, logging, and forensics are all expanded upon in detail over five chapters.

The fifth section rounds off the main part of the book by describing how to handle security incidents. Special focus is given to discovering a break-in, protecting against programmed threats, Denial of Service Attacks (& DDoS), legal options, and a chapter on who you can trust.

The Appendixes make up the sixth and final section. Not a spot is wasted in the appendixes, which begin with a Unix security checklist, and then outline Unix processes, provide extensive links to both paper and electronic resources, and conclude with a sub-section on security organizations.

Among the topics I found most interesting were: Access Control Lists (ACL), Pluggable Authentication Modules (PAM), the section about 128-bit keys and dictionary-based passwords, connection laundering, honeypots, the false syslog example, and the example detailing a call to Microsoft's anti-piracy help line. The real-life examples scattered throughout Practical Unix & Internet Security keep the security sections from seeming overwhelming. This is one of the few books in which I've found every chapter of the appendix useful, so don't overlook them as simple reference pages.

Normally one-liners are reserved for movie discussions but for those who've already delved into Practical Unix & Internet Security here are a few of my favorite one-liners:

  • "...we do believe that making files readable and writable by everyone leads to many evil deeds." - talking about the octal mode 666.

  • "Humidity is your computer's friend." - just before static discharge kills your entire system.

  • "Beware of Key Employees." - warning against making one person so key that their departure could cause your company irreparable harm.

  • "You mean, you don't really have a copy? [of Windows 98]" - the last part of a conversation with Microsoft's Anti-Piracy line. The company which called Microsoft was tracing some intruders who had uploaded a copy of Windows 98 to the company's web site and were using the site to peddle warez. Microsoft was just about to launch Windows 98. The example shows just how clueless some help desks can be.

There are a few spelling mistakes and grammatical flaws but not enough to take away from the bulk of the information and no glaring omissions. UUCP coverage was dumped because UUCP simply is not practical anymore now that more advanced alternatives like sendmail exist. I started glazing over material by the middle of the NIS chapter, but it probably had more to do with the fact that I was thinking about the other 400 or so pages I had to read before I finished the main section of the book rather than the topic itself.

One of the great things about Practical Unix & Internet Security is that it is appropriate for a wide audience. There is relevant material for system administrators, security, company decision makers, even the guy sitting at the accounting terminal. Despite its massive size Practical Unix & Internet Security is entertaining enough to be read cover to cover. (It's good for the arm muscles too.) Though it is easy to read, beginners should probably reread their system manual before plunging headlong into this book. All in all Practical Unix & Internet Security continues to be one of those must-have books for any Linux user.

You can purchase Practical Unix & Internet Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

123 comments

  1. Practical UNIX... by Anonymous Coward · · Score: 5, Funny

    The companion book seems, uh, interesting too. :)

    1. Re:Practical UNIX... by mav[LAG] · · Score: 3, Funny

      I prefer the older, more direct edition.

      --
      --- Hot Shot City is particularly good.
  2. the thing i always want to know by Transient0 · · Score: 4, Interesting

    when talking about computer books is:

    What does this book offer that I can't easily find by asking google or google groups?

    1. Re:the thing i always want to know by Dr+Caleb · · Score: 5, Insightful
      What does this book offer that I can't easily find by asking google or google groups?

      No power requirements and need to connect to the Internet. Very handy feature.

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
    2. Re:the thing i always want to know by hether · · Score: 2, Informative

      Most of the time the answer is not a lot, but it is sometimes a lot easier/quicker to find the information you need in a book and you can bring it with you, say on a plane, to use when you don't have an internet connection. But hey, if you want to use Google for everything go right ahead.

      --

      Most people would die sooner than think; in fact, they do.
    3. Re:the thing i always want to know by SuperguyA1 · · Score: 1

      Sometimes people like to read, ph33r, offline.

      --
      "as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another mans flamebait)
    4. Re:the thing i always want to know by Transient0 · · Score: 2, Interesting

      which is the reason I specified "computer books." Of course, I could use the internet for word definitions as well, but I'm not always at the computer when I need them, so I own a dictionary.

      Perhaps I should have been more specific and said "networking books." When the topic is Internet Security, chances are pretty good you have a network connection available to you at the time when you are asking the questions.

    5. Re:the thing i always want to know by Anonymous Coward · · Score: 0

      portability regardless of connectivity.

      most laptop batteries won't last as long as a full session on the shitter either

    6. Re:the thing i always want to know by fireboy1919 · · Score: 2, Funny

      Well, you can't use google or google groups to prop up your missing desk leg, and it won't help you reach that highest shelf to get your old physics book.

      It's also not nearly as impressive for that geek-babe you've had your eye on to catch you searching google as to catch you reading this.

      --
      Mod me down and I will become more powerful than you can possibly imagine!
    7. Re:the thing i always want to know by Kenterlogic · · Score: 3, Insightful

      While you make a good point about the power of google (see Thomas Friedman opinion on June 29). There is always fallibility in the system to uncover results that are legitimate-- though always seemingly relevant. A book, and a longwinded one at that, is only good for putting everything in one place in this situation.

      That having been said, Linux security is pretty well documented and easy to search on google. If only Windows had a bit of security, then M$ could have a book of its own as well. Sadly, Windows and security contradict one another.

      --
      The New Root Council, kickin' ass sinc
    8. Re:the thing i always want to know by budcub · · Score: 1

      Google can't help you if you don't know what to ask it.

    9. Re:the thing i always want to know by Torp · · Score: 1

      Well, a book may help when you're trying to make your computer reach google groups :)

      --
      I apologize for the lack of a signature.
    10. Re:the thing i always want to know by Creepy+Crawler · · Score: 1

      And then I can assume that things determined too dangerous for "Consumers" will be banned from google.

      One centralised Corporation makes it REAL easy to control the flow of knowledge.

      For now, it's some urban exploration and scientology. Wonder what it'll be tomorrow?

      --
    11. Re:the thing i always want to know by xanadu-xtroot.com · · Score: 3, Funny

      Sometimes people like to read, ph33r, offline.

      What's this "offline" thing you mention? I've never heard of it.

      What's their website?

      --
      I'm not a prophet or a stone-age man,
      I'm just a mortal with potential of a super man.
    12. Re:the thing i always want to know by l4X · · Score: 1

      quality of information on one support outside your screen over overwhelming quantity in split up places ?

    13. Re:the thing i always want to know by kfg · · Score: 4, Funny

      What does this book offer that I can't easily find by asking google or google groups?

      A book.

      KFG

    14. Re:the thing i always want to know by KillerHamster · · Score: 2, Funny
    15. Re:the thing i always want to know by Anonymous Coward · · Score: 0

      Grandparent has "funny" written all over him. Parent has "nutsack".

      Thanks.

  3. Get for just $27! by Anonymous Coward · · Score: 5, Interesting
    1. Re:Get for just $27! by Anonymous Coward · · Score: 0

      except that when you click the link it says that is not found...

    2. Re:Get for just $27! by BladeRider · · Score: 3, Informative

      Barnes & Noble have the second edition available on CD as part of the CD Networking Bookshelf package for $14. Includes the DNS and Bind book, 3rd Ed. in hardcopy.

      --
      j.
  4. viruses by K_Bomb · · Score: 1, Insightful

    one thing unix doesn't really have to worry about is viruses..

    except when the virus has a brain and the users choose weak passwords

    1. Re:viruses by Medievalist · · Score: 4, Insightful
      one thing unix doesn't really have to worry about is viruses..
      I'm not so sure.

      Since people frequently use tools like NIS, rdist, rsync/ssh, and LDAP to create single authentication domains that span multiple physical boxen, somebody could use one of the usual social engineering tricks to get root on a single box and then load a boot-sector infector into the .profile in root's home dir. Then, every time root logs in on any particular physical box, that box gets the boot-sector virus loaded.

      Best that *nix sysadmins remain on guard, regardless.
    2. Re:viruses by jdludlow · · Score: 5, Funny
      boot-sector infector

      Sounds like a nerd garage band.

    3. Re:viruses by Eric+Ass+Raymond · · Score: 3, Funny

      Here I am, sitting at work listening to Husker Du, and I just realize that I wasted my youth - I never started a nerd garage band.

    4. Re:viruses by rutledjw · · Score: 1
      somebody could use one of the usual social engineering tricks to...

      Not with the fascist-nazi SAs I have in my group. Root should really never be handed out. "sudo" may not be perfect, but it's a far better alternative. The only reason we give root out is for very specific servers and for limited amounts of time.

      The other thing is that your trusted server had better not be loading .profile from remote boxes anyway, certainly not for root. Even our everyday users have scripts they have to run to set up specific environment variables that need to change. If they don't change _WE_ put them in .profile.

      Examples of what would change is CATALINA_BASE if you have multiple tomcat instances running, or maybe JAVA_HOME if they're testing the latest JDK. But I want them EXPLICITLY running a script to set those variables. It helps them avoid confusion and reduces noise on my end.

      Other than that, we try to keep the environment pretty "pure".

      Remember "social engineering" only works on people with social skills! We read BOFH articles in the same way as "HOW-TO" documents! ;)

      --

      Computer Science is Applied Philosophy
    5. Re:viruses by jonadab · · Score: 1

      > Remember "social engineering" only works on people with social
      > skills! We read BOFH articles in the same way as "HOW-TO" documents!

      User: I'm having a little trouble starting up Notepad...
      BOFH: That's because we're standardising everyone on two text
      editors, to maintain consistency across the network. We
      upgraded the Windows systems from Notepad to EDLIN last
      night during overnight processing.
      User: But I don't know how to use EDLIN!
      BOFH: Whose fault is that?
      User: You said two text editors. What's the other one?
      BOFH: The Unix systems all have sed. You wouldn't believe
      the whining we got from the vim nerds and Emacs geeks,
      but they'll get over it.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  5. sec by XshadowstarX · · Score: 1

    I think a few new books on Windows security will be coming out soon to take advantage of the latest worms. But it's the nature of the open-source community to continually test each other that ultimately leads to security excellence.

    --
    -ad105
  6. At least you have your health! by Anonymous Coward · · Score: 3, Funny

    How does one glance quickly through a 1000-page book without straining something important? ;-D

  7. But can we patch... by linuxislandsucks · · Score: 0, Troll

    But can we patch OpenServer(UnixWare) with it?

    Had to ask since SCO can not seem to patch OpenServer

    --
    Don't Tread on OpenSource
    1. Re:But can we patch... by packethead · · Score: 1

      OpenServer is SCO5

      UnixWare is UnixWare.

      ah, both suck anyway.

      --
      .sig
  8. UUCP by Medievalist · · Score: 5, Informative
    UUCP coverage was dumped because UUCP simply is not practical anymore now that more advanced alternatives like sendmail exist.
    Um, I think you meant "UUCP is not necessary anymore now that PPP, NNTP and SMTP are widely supported".

    Sendmail (a program) is not an alternative to UUCP (a protocol). Even if you are talking about the UUCP software and not the protocol, the alternative is pppd, not sendmail.

    Sendmail still supports UUCP, but most distros do not enable that support, and hardly anyone uses UUCP anymore.
    1. Re:UUCP by Anonymous Coward · · Score: 0

      I agree, for the most part, that UUCP is a dead protocol. I have seen it used in environments that want to close off port 25 (and all ports for that matter). That is, have an external UUCP server queue the organization's mail, then have it delivered via UUCP to the end users. The users see no difference, and you no longer have to keep port 25 open. Basically, UUCP over TCP/IP. This was a while back. Wonder if you could make UUCP over TCP/IP work over an SSL tunnel ... Shouldn't be hard.

    2. Re:UUCP by Medievalist · · Score: 1

      If you really enjoy pointless configuration tasks, you can run UUCP over anything that can simulate a serial line.

      But the main selling point of UUCP was to be able to handle scheduled intermittent connections.

      This was useful before the Internet got its mojo on, when Email was delivered in batches in a fido-style bucket brigade. "This Email is for California, dial up Chicago at midnight and have them pass it on".

      Usenet also started on UUCP (yes, Usenet existed before the Internet) but migrated to NNTP over IP just as Email has migrated to SMTP over IP.

      Today, you'd use pppd, a daemon that implements the Point-to-Point protocol. PPP has compression and authentication features that UUCP lacks, but does everything else that UUCP does.

    3. Re:UUCP by philfr · · Score: 2, Interesting

      Actually, UUCP over TCP is probably the only sensible way to operate a full-featured mail server on a dynamic IP address or on an intermittent connection. Even people with dialup connections can have at home a full MTA serving multiple domains connected through UUCP to their (nice) provider. Other solutions (ETRN on SMTP, maildrop on POP3) are broken somewhere. UUCP is a generic store-and-forward protocol, supporting binary file transfer and custom commands, not only mail or news. UUCP mail transport can be easily customized, to add compression (third world countries have used that over slow dialup links), encryption, and of course it works over SSH (using the port forwarding features), SSL (with Stunnel). Even if it was designed for serial lines, its later protocol variants were optimized for TCP (full-duplex, no need for error correction...) Only people who don't know UUCP say that UUCP is obsolete. Alas, most ISPs don't know UUCP.

    4. Re:UUCP by Medievalist · · Score: 1

      I didn't say it was obsolete, I said it was unnecessary.

      Sendmail and fetchmail's queueing functions implement store-and-forward quite nicely... and in any case, I have been helping to run a full MTA (sendmail) for three domains on a dynamic IP *without* the co-operation of the (completely evil and un-nice) provider for three years now, so I have to say you're mistaken about the need for UUCP.

      Dynamic DNS is a simple solution that works fine for me and hundreds of other people with DHCP-assigned IP addresses.

      I can accomplish anything UUCP can accomplish without using UUCP. Thus, while not obsolete, it is unnecessary.

    5. Re:UUCP by philfr · · Score: 1
      The store and forward feature of UUCP is quite different to SMTP's. If your final destination host can be off-line for, say, two weeks (vacation maybe ?), and you don't want mail to be bounced back, you have to tweak the retry configuration of the relaying MTA.

      UUCP will instead consider this mail delivered once it is in an intermediate spool. I have a cable ISP that forbids me to run an SMTP server (on port 25 anyway) and changes my IP address regularly.

      Dynamic DNS allows my remote UUCP host to contact me anytime on a non-standard port of my choice, but could not allow me to run a standard SMTP server, nor to be off-line for more than a few days.

    6. Re:UUCP by Ian+Lance+Taylor · · Score: 1

      Certainly UUCP is not necessary. But for laptop users it is more convenient than something like fetchmail. It operates as a push protocol--when new mail comes in, it is immediately sent to the laptop if the laptop is on-line, otherwise it is queued until the laptop comes on-line. I've been using it this way for years.

    7. Re:UUCP by Anonymous Coward · · Score: 0

      Actually, it's both a protocol and a program (or suite of programs). The old versions of the book discuss securing the programs. This is not a network security book, but an OS security book. The emphasis is on securing programs, not protocols.

    8. Re:UUCP by Medievalist · · Score: 1

      Very true. I'm not trying to start a technical definition war here, I just pointed out a bug in the original article and things rolled downhill...

      Capitalization is usually used to define which thing you're writing about: UUCP is a protocol, and uucp is a suite of programs.

      I think some implementations used the name uucpd for the daemon and uucp for the uid it ran under, but older versions ran as root and were named uucp. (Don't trust this last comment, though, it's based on my foggy recollections of using UUCP for mail delivery two decades ago.)

    9. Re:UUCP by Medievalist · · Score: 1

      That's pretty clever! But I use IMAPS, personally, because I don't like push protocols and I want to leave my mail spools on my SMTP node... where my valuable communication is on a RAID5 device that gets backed up, and is less likely to be stolen than a laptop.

    10. Re:UUCP by Medievalist · · Score: 1

      You're still requiring a co-operative node outside the restrictions of your ISP. Using UUCP to communicate between that node and your cable node is just one way to do it.

      I'm not trying to say you shouldn't use UUCP, use whatever you want. I'm saying UUCP is no longer an indispensable part of a *nix system, because it does not perform any tasks that can't be accomplished in other ways.

      Using almost any standard linux distribution, you could probably come up with a dozen ways to do what you need - having an external friendly node makes the whole problem fairly trivial. Solving the same problem without any external assistance, now that'd be a tricky thing.

  9. Simson Garfinkel... by ravind · · Score: 5, Funny

    ...I love their music :D

    1. Re:Simson Garfinkel... by Anonymous Coward · · Score: 0

      I used to think Simon and Garfunkel were the cartoons not the singers....DOH!

  10. Whats new? by Anonymous Coward · · Score: 0

    Glaring omission from the article,

    Besides UUCP, what else has changed from part 2 to part 3 of this series?

  11. this vs. Robert Slade in comp.risks by ansak · · Score: 4, Interesting

    For more book reviews, especially on computer security, watch for Robert Slade's regular contributions to comp.risks. It doesn't look as though Robert has reviewed this one yet so I'll look forward to reading and comparing. His praise for a former edition seems uncharacteristically positive -- compare reviews of Secrets of a Super Hacker or Computer Security Basics -- so I'll be surprised if he doesn't praise this one, too...

    cheers...ank

    --
    Still hoping for Gentle Treatment...
  12. is there a digital copy with the book? by phaetonic · · Score: 4, Interesting

    my newest requirement is to have the book in PDF format so I can simply search for keywords, saving time, and hassle. having the PDF on a few different computers and storing the book away after skimming through it works better than having thousands and thousands of pages take up my precious 500 sq ft. apartment

    1. Re:is there a digital copy with the book? by TCM · · Score: 1

      Yes, ed2k link please!

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    2. Re:is there a digital copy with the book? by prostoalex · · Score: 3, Informative

      Not PDF, but online in html.

    3. Re:is there a digital copy with the book? by LinuxHam · · Score: 3, Informative

      Being a good IBMer, here are a couple. :) But seriously, many people tend to miss IBM's publishing arm, and never even realize that all of their books are published as freely downloadable PDF's. Granted, there's an IBM slant to most of it, but there are some really good, get-to-the-good-stuff, hands-on tasty morsels in there. In fact, this book on AIX is currently $117 at Amazon. Take the PDF to OfficeMax and get a book bound with comb binding (so it opens flat) for 1/3rd the price, and you can put the CD you burned the PDF onto inside the back cover :)

      If you [have|want] to manage large quantities of Linux servers, pay closer attention to the Linux on zSeries materials since it's customary to run hundreds of virtual Linux servers at a time, and they still need to be managed. Same goes for HPC clusters. Since these books are written by different people, it's neat to hear the tack they've each taken to managing large-scale communities. One book even touches on configuring a Linux virtual server on a zbox with LEAF to serve as a software firewall for the remaining machines.

      You laugh!

      --
      Intelligent Life on Earth
  13. Re:1000 pages by BoomerSooner · · Score: 3, Informative

    This book is excellent. It's the best I've read on the subject and it has surprisingly good content where you're not bored out of your mind.

    Real World Linux Security

  14. and also importantly... by spamchang · · Score: 4, Insightful

    what about social engineering? or do they trust management and sysadmins to be socially mobile, compatible, and perceptive? i think humans are one of the weaker links in the security chain.

    1. Re:and also importantly... by pauly_thumbs · · Score: 0

      Social engineering? working on computers assures that I never have any human contact ever again and any chance of social engineering fails miserably! I have to try a new approach yelling into the phone "WHAT'S YOUR PASSWORD!!!!!111!!" is not working as well as it would seem --- *SIGH* alas I am not a suave slashdotter like all of the social engineers out there using up mod points and tackling "Issues"

    2. Re:and also importantly... by alansz · · Score: 1

      Actually, we did spend some time on that.

      - Alan (one of the co-authors)

  15. Hey... by blueforce · · Score: 5, Funny

    One of the great things about Practical Unix & Internet Security is that it is appropriate for a wide audience

    I resemble that remark.

    --
    If you do what you always did, you get what you always got.
    1. Re:Hey... by delorean · · Score: 1
      you forgot something:
      I resemble that remark you insensitive clod!

      --
      "You may all go to hell and I will go to Texas"
      Sen. Davy Crocket to US Congress, Nov. 1, 1835
    2. Re:Hey... by HolyCrapSCOsux · · Score: 1

      I tried reading O'Reilly's Unix Power Tools, I then decided to read the man page for every command in /bin. I then wiped my Linux install with a badly formatted shred command. Now I am going to try LFS. Is it appropriate for me? Hmmmm.

      --
      0xB315AA8D852DCD3F3DCA578FD2E0BF88
  16. HP-sUX still needs UUCP by Anonymous Coward · · Score: 2, Interesting

    Because the uucp uid still owns all the serial port hardware. You need UUCP so that your modems will work, even though they are not running the UUCP protocol.

    One MORE reason why HP-UX is the most GODAWFUL WORST *NIX on the FUCKING PLANET!

    1. Re:HP-sUX still needs UUCP by rifter · · Score: 2, Insightful

      Because the uucp uid still owns all the serial port hardware. You need UUCP so that your modems will work, even though they are not running the UUCP protocol.

      This is irrational. Presumably you could create any user/group you wanted and give it access to this hardware, so long as the users that the programs that need access to this hardware run as are also part of that group/that user. But why mess with perfection? If it works, there is no reason to change it. There is nothing magic about the name uucp. It just happens to be the name chosen by convention.

    2. Re:HP-sUX still needs UUCP by Anonymous Coward · · Score: 0
      This is irrational.
      I presume, sir, that you refer to HP-UX, in which case I agree.

      If you change the username associated with the hardware on an HP system you should say goodbye to any hope you might have of using HP's software maintenance and system administration systems.

      That, of course, means that you won't be able to easily load the "depot" patches that HP issues six months after a security hole is discovered and spread all over the Internet.
    3. Re:HP-sUX still needs UUCP by Anonymous Coward · · Score: 0

      Hit me with your clue stick!
      Hit me slow, hit me quick!

      (with apologies to Ian Dury and the Blockheads)

      I'd be interested to know why you dislike HP-UX so much. Having maintained a 600 workstation site with roughly equal numbers of Sun, HP and SGI machines, IRIX accounted for at least of the OS related issues we experienced with HP-UX and Solaris accounting for equall(y low) numbers of issues.

      You seem to have confused UUCP software with the uucp uid.

    4. Re:HP-sUX still needs UUCP by Anonymous Coward · · Score: 0
      I'd be interested to know why you dislike HP-UX so much.
      Can't speak for the previous poster, BUT:

      Because it's so antique. I mean, for chrissakes, vi pops out of insert mode if you backspace past a leading tab on a line! I think Bill Joy fixed that bug decades ago, didn't he? The HP-distributed sed, awk, grep and korn shell are all neolithic and extremely pathetic when compared to modern implementations like those of the FSF.

      And because it's so non-standard... the bdf command as one trivial example. sd for another, although I admit sd has its uses in a very large shop.

      And because it is so poorly thought out - the directory hierarchy has program binaries that are scattered everywhere, log files likewise, and the HP software does *not* follow the rules that HP themselves say apply to locations of software (specifically, what belongs in /opt, /contrib, /etc, and /usr/local)!

      And because the patches come out so incredibly slow - I think the sendmail fixes that came out last month were fixed by Allman & company nearly six months ago (it might be worse than that, actually, but anyway the patches are slow and it's extremely noticeable with their sendmail and ftp implementations).

      Because it costs too much. Why charge so much for a hardware-bound implementation of a 30-year old OS? You're already getting raped for the hardware costs, but at least there the raw performance is good.

      I have not had the (dis?)pleasure of working with IRIX, I've only adminned AIX, linux, Ultrix, and Solaris/SunOS (as well as MVS, OS/400, VMS and Novell). Please don't tell me Silly Graphics is even worse than HP, I might have an embolism.
    5. Re:HP-sUX still needs UUCP by Anonymous Coward · · Score: 0

      No, uucp uid is part of HP UUCP package and anyway fucking stupid buggy SAM chowns ports without warning when you do unrelated stuff.

    6. Re:HP-sUX still needs UUCP by jonadab · · Score: 1

      > One MORE reason why HP-UX is the most GODAWFUL WORST *NIX

      Are you certain you don't have it confused with XENIX?

      --
      Cut that out, or I will ship you to Norilsk in a box.
  17. This sounds like something I want on my shelf... by John+Seminal · · Score: 2, Insightful

    I know that many computer users do not ever look at computer security, they just plug it in and go. At the best, some of my friends will block ports, but that is about it. They do not check logs, or anything. And how many people out there have a second PC attached by serial cable to log intrusion data? I think if more people secured their systems, then everyones security would increase because there would be less places to launch attacks from. What we need is someone at the major distros to write a program which, when executed, will secure a system. Something which is point and click "easy".

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  18. This book is overkill for slammer/blaster by SpaFF · · Score: 2, Insightful

    With Slammer and Blaster making their way into the news it seemed like a good time to brush up on security.

    You don't need a 1000 page book on security to patch your systems against worms; you need a 1 page book on common sense.

    --
    -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
    1. Re:This book is overkill for slammer/blaster by Anonymous Coward · · Score: 1, Funny

      > (Score:2, Flamebait)

      Moderators on crack, film at 11.

  19. Re:Now there's an oxymoren if I ever saw one by Anonymous Coward · · Score: 0

    A funny Savatte post... now there's an oxymoron.

  20. Re:Mode 666? by Anonymous Coward · · Score: 0
    777
    And executable
  21. Re:Mode 666? by Anonymous Coward · · Score: 0

    that would be read/write/executable you unfunny newbie.

  22. A suggestion to maintain the 'net experience by Anonymous Coward · · Score: 0

    Get a yellow sticky note that says RTFM, Newb! and move it to whatever page you're reading, obscuring the info you need. It may help to maintain your comfort level with the online *nix help experience. :)

  23. Sample Chapters by Anonymous Coward · · Score: 5, Informative

    Sample chapters of the book can be found here and here. I read this first one (the one on TCP/IP) and found that it was an excellent introduction to it. The other is on "secure programming techniques." Gotta read that.

  24. Here's my book by LittleLebowskiUrbanA · · Score: 1

    Using this during my install of an OpenBSD firewall taught me quite a bit.

  25. Re:$5.50 CHEAPER and FREE SHIPPING by Eric+Ass+Raymond · · Score: 1
    Excellent point.

    This silly "let's pretend Amazon with its cheaper prices does not exist" farce really should stop already.

  26. When will Cliff Notes be available? by djeaux · · Score: 0
    The sysadmins are known in our organization as the "illiterati". What we are not sure about is whether it's can't read or won't read, but we know for sure they don't read...

    I thought about audio books, but the sysadmins don't listen, either. <SIGH^2>

    To the topic: All the manuals in the world, no matter how thorough & thoughtfully written, are of no use if the people who need to read them are busier worrying about their golf game. And the doubly sad thing, is that these guys "know it all" & therefore don't think they need any "practical" manuals.

    --
    "Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
    1. Re:When will Cliff Notes be available? by kfuq · · Score: 1

      vcd/svcd/dvd ?

      --
      iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
  27. Practical Unix Security? by _Sharp'r_ · · Score: 0, Offtopic

    Sounds practical, alright.

    Now if I could only find a good off-shore haven...

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  28. Re:Funny true story... by Anonymous Coward · · Score: 0

    That story was neither funny nor true.

    It was, however, gay and offtopic.

    Please be more careful in the future.

  29. Re:Mode 666? by Anonymous Coward · · Score: 5, Informative

    ummmm...back to unix school for you...

    777 is rwxrwxrwx : Read, Write & Executable for all

    666 is rw-rw-rw- : Read, Write for all

    remember octal? r=4; w=2; x=1

    r + w = 4 + 2 = 6

    rho

  30. Passwords are a bad idea by Anonymous Coward · · Score: 0

    Passwords are security through obscurity. Passwords are good only when they are sufficiently random -- and humans can't create or memorize true random passwords. Passwords can also be stolen by watching somebody's fingers.

    True security can't depend on humans entering passwords. We need physical keys that can do challenge-response. After all, it's physical keys that get you in the building and in the server room.

    1. Re:Passwords are a bad idea by duffbeer703 · · Score: 1

      Keys are also security by obscurity.

      The only secure system is an open system that allows the public to find out what is going on. The open source bazaar will take care of the rest.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
  31. Good Companion Reading... by Anonymous Coward · · Score: 0

    While this book does an excellent job in detailing how to implement a solid security environment, it falls short of providing how to test the security of an environment.

    There is an open source project methodology that would be a great additional read for the purpose of testing the security of your environment. Go check out the Open Source Security Testing Methodology Manual (OSSTMM). They just released the 2.1 version of it as described here.

  32. Re:This sounds like something I want on my shelf.. by John+Seminal · · Score: 1
    To me, security is a sound backup and restoration plan, and not keeping all of my personal info in a file called "my banking stuff.doc"

    You must not have met my parents, or many people who are not that computer literate. To many, many people a computer is just a tool they use to make life easier. It should not be a full time job to administer.

    The problem is with all the hackers, port sniffers, crackers, and the like. I want to see some harsh penalties which send people to jail just for looking.

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  33. 1000 page? by pixelgeek · · Score: 1

    Why can't book publishers provide these tomes in multiple volumes so you don't have to break your wrists trying to read through the book?

    My RSI is bad enough as it is.

    A book like this borders on being unreadable because of its size. And it's especially irritating to have to man-handle the book if you just want to look at the material in a single section or chapter.

    1. Re:1000 page? by Anonymous Coward · · Score: 0

      Hmmm... I never seem to have that problem. I think it might be because I'm not an asshole.

      It also helps that I get to buy the book all at once, rather than in several pieces that would probably each cost about the same as the whole book does now.

  34. Re:1000 pages by Nermal · · Score: 1

    I second that, mostly. I've been thinking about doing a review of it here, actually.

    Basically, my only gripe about it is the case studies, which were one of the reasons that I bought it. They're all what he and his buddies did during the 70s to academic systems that they already had physical access to. Duh. Oh, that and him using a 'case study' to bitch about MCI.

    He's also the first person I've ever read advocating the use of active blocking software, though he makes a good case for his (pretty kludgey) own system.

    Anyway, yeah. It's a pretty good book. Worth reading through for any tips one might have missed, but probably not a replacement for something more thorough like the ORA guide (not that I'm assuming you suggested that).

  35. Re:Sheesh. by rifter · · Score: 1

    What the world needs is a book on WINDOWS security. Not YABOUS.

    This is the answer to your Windows security problem.

  36. good book for beginners by stonebeat.org · · Score: 1

    After reading the sample chapter @ oreilly, it seems like a good book for beginners. If you have been involved in sysadmin/sys security, this book might be too basic for you. Just my thoughts.
    www.xml-dev.com

    1. Re:good book for beginners by LinuxHam · · Score: 3, Interesting

      Yes, an older edition of this book did help me back when I was a beginner. But, it's also one of the books that taught me that by the time something is in print, it's already out of date.

      I learned all the great stuff about TCP Wrappers and how it was revolutionizing inetd. When I went to my Slackware box to try to implement, it was already done! Same for shadow passwords. It's funny in that, even being a 7 year user and an RHCE, it still seems like commercial UNIX was in the dark ages until the early 90's just based on those two features alone. Not to say MS was any better (my god no), but to require applications to have root privs to bind to a low port and have world-readable password hashes just seems like something from a million years ago. Different times, those were.

      I *still* have to instruct local UNIX pros on the virtues of ssh over telnet. If the X forwarding over ssh doesn't sell them on it, password collectors like ettercap will, every time ;)

      --
      Intelligent Life on Earth
    2. Re:good book for beginners by swordgeek · · Score: 1

      Well thank you for judging the depth of the book based on one sample chapter.

      Seriously, the chapter given (11), was more of a prelude and background to chapter 12, which is securing TCP and UDP services. Don't be too misled.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  37. Re:Funny true story... by Anonymous Coward · · Score: 0

    I'll send you the eaten pages.

  38. Celebrity Endorsement by beowulf_26 · · Score: 1

    FYI, Fyodor of nmap fame endorsed this book in his earlier (and quite thorough) slashdot interview.

    If it's good enough for him, it's good enough for me. That spurred me to read it, and I've found it to be quite an interesting read. It also has a good history section, detailing the "family-tree" of all the unices.

    --

    --I hate big sigs.
  39. Second opinion(s) by Music+of+the+Spheres · · Score: 1

    I have this book. It's very good. What I would be interested in are any comments from any old hands at UNIX security who also have it and noticed anything wrong with or omitted from it. For myself, a UNIX developer with average network experience, I'd like to learn what flaws there are that I can't see.

    1. Re:Second opinion(s) by alansz · · Score: 1

      I'm a co-author of this book, and I can tell you two things that were omitted. We don't spend a lot of time on web application security, because the other ORA book, Web Security, Privacy, and Commerce focuses exclusively on that. And we don't do much about 802.11 wireless security beyond noting that WEP isn't enough, because again, there's a whole book on this and the field is changing very quickly.

      Of course, I still think it's a great book, but that's to be expected. :)

  40. Re:Mode 666? by ehiris · · Score: 1

    Octal is one way to learn it but considering you know how to count in binary, I find the binary way more effective.

    _u___g__o
    rwx rwx rwx = 111 111 111

    rw- rw- rw- = 110 110 110

    110 in binary is 6 in decimal.

  41. Sounds silly... by cnelzie · · Score: 1

    While I have thought of setting up such a configuration for regular user authentication, I had always just 'felt' that I shouldn't do that with the root accounts on the various machines under my control.

    I never have known why I felt that way, just that it is something that didn't seem right to me. So, when I do get that all slapped together on the network I am running, I will make certain to work it in such a way as to keep root out of the chain.

    I already use a different root password on every server on the network, even though I synchronize the passwd files for the user passwords to remain the same across the systems.

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  42. Almost considered buying this book by WebMasterJoe · · Score: 0, Offtopic

    I almost considered buying this book, but then I remembered that season 3 of The Simpsons just came out today. Guess I won't be reading for a while... :) And the DVD set comes with a bottle opener. Guess I'm going to be drinking tonight... :)

    --
    I really hate signatures, but go to my website.
  43. Or get it for just $21.47 used... by Saeger · · Score: 1
    ...from Amazon, thanks to AddAll.com's price comparison.

    Froogle isn't anywhere near as good as addall.com for books, or pricegrabber.com & pricewatch.com for tech.

    --
    Power to the Peaceful
  44. Re:This sounds like something I want on my shelf.. by stratjakt · · Score: 1

    Unless your parents are exceptionally stupid, and I mean helmet and drool cup stupid, I'm sure they can comprehend the principles of "make two copies of important stuff in case your computer breaks".

    --
    I don't need no instructions to know how to rock!!!!
  45. Or save some bucks by ordering from Bookpool by hrath · · Score: 1

    Price at BN: $43.96, price at http://www.bookpool.com : $33.50 and possible free shipping if you order more than $40.

    Disclaimer: I'm not affiliated with Bookpool and receive no kickbacks. I've been a happy customer with BP and just don't like to pay too much for books.

    regards,

    Heiko

  46. Re:$5.50 CHEAPER and FREE SHIPPING by Anonymous Coward · · Score: 0

    Dammit, I told you yesterday about this. Yes, Amazon has cheaper stuff. STOP POSTING REFERRAL LINKS WITHOUT SAYING THEY'RE REFERRAL LINKS. Otherwise I think you're trying to con me, and I won't use the link.

    Do you really make any money doing this? Every book review that comes along you post a damn referral link. How high are those penny stacks by now? Is it worth it?

  47. Re:Mode 666? by HR · · Score: 1

    here is the quote:

    "we do believe that making files readable and writable by everyone leads to many evil deeds." - talking about the octal mode 666

    that IS 666, NOT 777. a lot of damage can be done merely by writing to config files.
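
The octal and binary readings of modes 666 and 777 worked out in the "Mode 666?" comments, together with a check for the world-writable files the quoted passage warns about, as an added example that is not part of any post in this thread. The function names and the temporary files are constructed for illustration.

```shell
#!/bin/sh
# Decode an octal mode into its rwx string: mode_to_rwx 666 -> rw-rw-rw-
mode_to_rwx() {
    case "$1" in
        ''|*[!0-7]*) echo "invalid octal mode: $1" >&2; return 1 ;;
    esac
    bits=$(( 0$1 & 0777 ))          # leading 0 makes the shell parse it as octal
    out=""
    for s in 6 3 0; do              # user, group, other: three bits each
        trip=$(( (bits >> s) & 7 ))
        [ $((trip & 4)) -ne 0 ] && out="${out}r" || out="${out}-"   # r = 4
        [ $((trip & 2)) -ne 0 ] && out="${out}w" || out="${out}-"   # w = 2
        [ $((trip & 1)) -ne 0 ] && out="${out}x" || out="${out}-"   # x = 1
    done
    echo "$out"
}

# List regular files under DIR whose "other" write bit (octal 0002) is set,
# i.e. anything a 666 or 777 mode leaves writable by every local user.
find_world_writable() {
    find "$1" -type f -perm -0002 -print | sort
}

# Constructed demo tree: one config file with the mode the thread discusses.
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/app.conf" "$d/notes.txt" "$d/run.sh"
    chmod 666 "$d/app.conf"
    chmod 644 "$d/notes.txt"
    chmod 755 "$d/run.sh"
    for m in 666 777 644; do
        printf '%s = %s\n' "$m" "$(mode_to_rwx "$m")"
    done
    echo "world-writable files:"
    find_world_writable "$d"
    rm -rf "$d"
}
demo
```

Pointing `find_world_writable` at a configuration directory such as `/etc` gives the list of files to tighten with `chmod o-w`.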

  48. Re:Mode 666? by 1nsane0ne · · Score: 1

    Doh! Good call, that's what I get for thinking. Thanks for correcting me. /me runs off to slap head against wall

  49. Re:$5.50 CHEAPER and FREE SHIPPING by Anonymous Coward · · Score: 0

    see the earlier posting... just for you...