Slashdot Mirror


Linux and Unix Security Portable Reference

celloguy writes: "HackNotes Linux and Unix Security Portable Reference is a great security reference for IT professionals. It presents information in a clear, concise, easy-to-digest manner and sticks to facts and practical approaches to security." Read on for the rest of celloguy's review. (And maybe some grumpy readers can elaborate more on this book's flaws, since celloguy didn't find many.)

Title: HackNotes Linux and Unix Security Portable Reference
Author: Nitesh Dhanjani
Pages: 224
Publisher: McGraw-Hill Osborne Media
Rating: 9
Reviewer: Michael Reynolds
ISBN: 0072227869
Summary: HackNotes(tm) Linux and Unix Security Portable Reference is a great security reference for IT professionals.

The intended audience for this book is primarily IT professionals who have some experience in systems administration and security. The book is organized into logical sections: Part 1 deals with hacking techniques and defenses, Part 2 deals with host hardening, and Part 3 contains special topics. Each part is divided into chapters that follow a logical progression.

Part 1 starts with footprinting, which includes basic information gathering about potential targets. The chapters then proceed further into the stages of an attack (port scanning, obtaining a shell, privilege escalation) and finish by discussing some of the techniques hackers use to cover their tracks. The services covered in this section include FTP, Telnet, SSH, SMTP, HTTP, HTTPS, R-services, NFS, Samba, POP, IMAP, MySQL, X, and VNC. An interesting point here is that these services are listed in ascending order with respect to their port numbers.

Part 2, Host Hardening, examines some vulnerabilities common to most systems and includes remedies. Choosing good passwords is discussed, as well as how to set password policies. Though the author warns of the dangers of weak passwords, I would have liked to see a more thorough explanation of how to choose passwords. The section goes on to explain how to disable unnecessary services and harden remote services. At the end of this section are chapters on good practices related to user and system privileges, as well as logging.

Part 3 contains some interesting material, including a whole chapter on the Nessus Attack Scripting Language (NASL), wireless hacking, and hacking with the Sharp Zaurus PDA. The section on wireless networks contains some fairly standard material (WEP is insecure, using AirSnort, etc.) but nevertheless serves as a good reminder to use caution when deploying wireless networks. The final chapter, Hacking with the Sharp Zaurus PDA, is especially interesting and details all sorts of fun things you can do with this handheld device, including scanning for wireless networks, connecting to remote machines via SSH, and using VNC to control remote machines.

The Good

This book does an excellent job of presenting information in a clear and easy-to-understand manner. It avoids theories and concepts and delivers just the facts that a systems administrator needs to evaluate and protect a Unix or Linux system. It also makes use of helpful icons throughout the book which draw attention to key points. For example, hacking techniques have a sword icon next to them while defense techniques are listed with a shield. This visual feedback makes it easy to focus on specific techniques and helps organize the material in a more usable manner. The content of the book is especially good, and the author does a thorough job of covering the basic hacking techniques as well as methods of defense against these techniques.

Another great feature of this book is the inclusion of a reference center in the middle of the book. This section, marked by easy-to-find blue pages, contains a wealth of relevant reference information, such as common commands, common ports, IP addressing, online resources, useful netcat commands, an ASCII table, HTTP codes, and important files.

Suggestions

It's hard to find much wrong with this book. However, I felt that a few things were glossed over. For example, the section on passwords was extremely brief and gave no suggestions for choosing good passwords or for how long to set password expirations. In addition to the discussion on TCP Wrappers, I would have also liked to see some mention of using iptables for creating a software firewall.

Summary

HackNotes(tm) Linux and Unix Security Portable Reference is an excellent security reference for IT professionals and systems administrators. The clear, concise presentation of the book makes it easy to digest and use as a practical resource. It is well-organized and thorough and covers a wide range of situations. If you maintain one or more Unix or Linux machines, this book belongs on your shelf.

You can purchase HackNotes Linux and Unix Security Portable Reference from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

69 comments

  1. Flaws with the book by SeanTobin · · Score: 3, Funny

    On behalf of all grumpy readers, I would like to elaborate more on this book's flaws.

    First, let's start with the title. "HackNotes Linux and Unix Security Portable Reference." The title is far too long. A much nicer title would have been an unpronounceable vowelless abbreviation such as HNLUSPR. Also the title is ambiguous - Is HackNotes the author/publisher or is it a description of what the book is about? And if you ask your local B&N service rep for books by HackNotes, is it one word or two?

    Now, more on to the book. It is far from portable. Sure, you can move it around, but don't try sticking it in your pocket. Perhaps they should have included a handle on the spine.

    The book is also missing GNU/'s all over the place. I mean, what is Linux? I've always been severely beaten with a UNIX manual by a guy with a huge beard every time I said Linux without a GNU/ in front of it. And yes, you *MUST* pronounce the /.

    The advice the book gives is fairly standard. Close all ports, don't use Windows, etc... Not too special for a "pocket" guide. A far more useful guide would have included all ports to forward for games. I can't count the times I've had to research what ports a game uses in order to get it to work through my NAT.

    Now, more about the book itself. It's made of paper! I attempted to test its easy-to-digestness but gave up around chapter 3. I seriously doubt that this is production quality digestableness. However, the copy I received may have been a pre-release so that might not apply to the final book.

    The book itself is strewn with DMCA violations as well. In the foreword, the editors openly admit to using the shift key while writing it -- a known security circumvention device. Also, the author's signature on the back jacket appears to be made with a Sharpie marker. Don't be surprised if the FBI raids your local bookstore. (Disclaimer: all uppercase letters in this post were made with the CAPS LOCK key. All extended characters such as * and () were made with their ASCII code equivalents.)

    All in all, this book doesn't live up to the hype. It will most likely be placed on the same shelf with all the other security guides. However, whether it will end up on the Unix or GNU/Linux shelf still remains a mystery.

    --
    Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
  2. Portable? by Anonymous Coward · · Score: 0

    I guess the full sized one is too fucking heavy...

  3. save $9 on this book by Anonymous Coward · · Score: 2, Funny

    Ref: Amazon has this book for $9 less than bn.
    Spend $4 more to get free shipping.

    1. Re:save $9 on this book by inteller · · Score: 1

      is there an e-book format somewhere? save a tree and welcome to the 21st century.

    2. Re:save $9 on this book by RonBurk · · Score: 1

      • $20.99 + shipping www.amazon.com
      • $29.99 + shipping www.bn.com
      • $18.89 + shipping www.walmart.com
      • $17.69 + shipping www.overstock.com
      Conclusion: price depends on your individual shipping and sales tax charges, but Amazon is likely not the best price unless you are buying something else to get free shipping.
    3. Re:save $9 on this book by Anonymous Coward · · Score: 0

      Way to sneak in your Amazon Associate ID

      :P

    4. Re:save $9 on this book by Anonymous Coward · · Score: 0

      It's not sneaking in...it clearly says Ref: indicating a referral link

    5. Re:save $9 on this book by Anonymous Coward · · Score: 0
  4. Grumpy by Luigi30 · · Score: 0

    Roar, I'm grumpy. This book makes me grumpy, cause it has no flaws! Grr.

    --
    503 Sig Unavailable

    The Signature could not be accessed. Please try again later or contact the administrator
  5. Easy by nurb432 · · Score: 2, Funny

    It's because people like you DON'T use it.. :)

    --
    ---- Booth was a patriot ----
  6. Re:Security? by pair-a-noyd · · Score: 1

    What makes it more secure than Windows?

    <flame>The simple fact that it is NOT windows makes it more secure than windows.</flame>

  7. For a topic such as this by phaetonic · · Score: 1

    Why wouldn't a PDF/eBook be available that allows me to quickly search for a command or page number? I don't think the cost factor is to blame, is it?

    1. Re:For a topic such as this by I8TheWorm · · Score: 1

      I can't find the article I read last week, but I did find this at least. I remember a publisher in the article saying for a book that sells 40,000 copies, they generally sell about 400 ebook versions. So to them, it's not cost effective. That really sucks though.. I have a huge library of (actually purchased) eBooks that I reference all the time.

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
  8. What? by Anonymous Coward · · Score: 0

    You tell us "the good", so does that mean that there is no "the bad" or even "the ugly" ?

    If there is no "the bad", does this imply the book is twice "the good"?

    Please help me, as simple algebra is failing me. I need to sit down and think about this...

  9. Re:Security? by Schreckgestalt · · Score: 1, Interesting

    Linux being secure is quite a common misconception. Windows is not that much more insecure than Linux (or GNU/Linux, if you want). The only thing is that the technically-gifted amongst us tend to choose Windows as their target, and that for several reasons:

    * They want to tell the world that Linux is more secure.
    * They want to target 'the world', because the world is actually using Windows rather than Linux.
    * The default Windows-user is not aware of what security risks are involved with having a PC 'on the net'.

    So why should they target Linux boxen?

  10. Passwords by ellem · · Score: 1

    However, I felt that a few things were glossed over. For example, the section on passwords was extremely brief and gave no suggestions for choosing good passwords or for how long to set password expirations


    Translation:

    Despite years of reading that everyone needs alpha numeric and special characters, phrases not words, at least 8 characters, mandatory changes every 30 minutes, etc... I still feel someone should tell me all that USELESS shit again.

    Make people's passwords hard to remember and they will write them on their monitors.

    --
    This .sig is fake but accurate.
    1. Re:Passwords by spyder913 · · Score: 1

      "Make people's passwords hard to remember and they will write them on their monitors."

      But teach them to how to remember more complex passwords and they can eat for life!

      (i.e. complex passwords like "slash^#$dot" which aren't hard to remember)

    2. Re:Passwords by kfg · · Score: 4, Funny

      My monitor came with my password already written on it. Is that convenient or what?

      KFG

    3. Re:Passwords by Anonymous Coward · · Score: 0

      And I thought I was the only one!

      "Iiyama" is also less susceptible to dictionary attack than many.

      Note - I've now changed it to something totally random now I'm on DSL.

      --
      m.

    4. Re:Passwords by cmacb · · Score: 1

      One problem with giving TOO much advice on password selection is that some people that read such advice have absolutely no common sense. A government agency I was associated with a while back took away password setting rights from its users and ASSIGNED everyone passwords of the form CVC99CVC (V=vowel, C=consonant, 9=digit). I figured out which of the MCSEs had come up with this nonsense and (pretending not to know) explained to him how easy such passwords were to crack. The policy got changed real quick and nobody got fired. There are of course programs that will force users to come up with good passwords and I think such systems ought to be in place by default for both Windows and Unix systems.

      Other than that, any specific advice on what a good password should look like may simply serve as a formula for some dunce to apply to all his users to create passwords worse than just using their pet's name.

    5. Re:Passwords by ellem · · Score: 1

      Or as an old Novell admin... I can't tell you the number of Novell 3.XX & 4.XX systems there are out there with novell as the password! freakin' CNE courses!

      --
      This .sig is fake but accurate.
  11. Other Hacknotes + Sample Chapter by sbot5000 · · Score: 2, Informative

    Sample Chapter: ch03-enumeration (pdf)
    (3) Other Hacknotes titles
    Disclosure: I am not a paid endorser for hacknotes products.

  12. I hacked your title - U is a vowel by 192939495969798999 · · Score: 1

    Well, U is a vowel, so I just hacked your title. However, your points are well taken.

    --
    stuff |
  13. ..clear, concise, easy-to-digest manner ... by burgburgburg · · Score: 3, Funny

    As an MCSE, I have to ask: Are there pictures? Are there ducks in the pictures? Will we be tested on how many ducks there are in the pictures? How many chances do we have to guess the correct number of ducks in the pictures? Can I go nap now?

    1. Re:..clear, concise, easy-to-digest manner ... by tuffy · · Score: 1

      As an MCSE, I have to ask: Are there pictures? Are there ducks in the pictures?

      You're thinking of a different technical reference book.

      --

      Ita erat quando hic adveni.

    2. Re:..clear, concise, easy-to-digest manner ... by rifter · · Score: 1

      You're thinking of a different technical reference book.

      That's the super secret MCSE networking class textbook!

  14. Grumpy old man! by Anonymous Coward · · Score: 0

    Yes, Most linux boxes ARE insecure! Don't believe me? Press alt+print screen+b at the same time!

    1. Re:Grumpy old man! by Anonymous Coward · · Score: 0

      pardon me for being a clueless newbie, but nothing happens on my RH8 server, my RH9 Linux box, or on the RH9 laptop when I do that.

      Maybe you are using hardware that is not in the HCL.

      Or is this some obscure Windows NT thing that I missed by being a Linux user since RH 5.2??

    2. Re:Grumpy old man! by dzelenka · · Score: 1

      For god-knows-what reason I fired up a generic Debian box by my desk and typed alt-printscreen-b and guess what? Nothing happened except for a "b". What the hell are you talking about? Somebody mod this guy into oblivion!

      --
      Bah!
    3. Re:Grumpy old man! by Anonymous Coward · · Score: 0

      Enable "Magic SysRq" in your kernel and try again :)

    4. Re:Grumpy old man! by ajakk · · Score: 1

      Not to feed the troll, but the command he mentions does reboot the machine without syncing the disks if you have enabled the SysRq key. Of course this doesn't make the system insecure in any way, but gotta give the troll props for getting people to do something which could have hosed their boxes because they wouldn't even look up what it does on google first. You can read more about it here

    5. Re:Grumpy old man! by Anonymous Coward · · Score: 0

      Actually I looked it up first, but my first hit talked about doing it on a MAC... Hence the HCL comment.

      With Ext3 the disks don't get hosed when the power goes out.
      YMMV

    6. Re:Grumpy old man! by bumper314 · · Score: 2, Informative

      Well that's a mean little joke. For all you who are still curious, it will reboot your system on the spot, without syncing.
      http://www.djcj.org/LAU/guide/sysreq.html

      This reminds me of the fun I used to have in TFC or Counter Strike when someone named "Player" would always ask "I pressed Windows key, how do I get my sound to work again?". I would tell them, "alt+F4 should do the trick". "Player has left the game" would flash across my screen much to my satisfaction. Sure I feel bad about that now =), but it did get them their sound back.

    7. Re:Grumpy old man! by farrellj · · Score: 1

      Even more fun, some lamer came on this IRC channel at one point, and asked for some 0day warez, someone pointed him at the best cache at ftp://127.0.0.1...this should have been the end of it, but the "kid" (I am assuming) came back a little later and said it was a lame site since he already had all the warez there!

      --
      CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
    8. Re:Grumpy old man! by Anonymous Coward · · Score: 0

      LOL!

  15. Re:The Linux cover by Anonymous Coward · · Score: 0

    I didn't realize it was halloween already... time flies

  16. which portable is it talking about? by Anonymous Coward · · Score: 0

    portable adj.

    1. Carried or moved with ease: a portable typewriter; a portable generator.
    2. Capable of being transferred from one employer to another. Used of an employee benefit.
    3. Computer Science. Relating to or being software that can run on two or more kinds of computers or with two or more kinds of operating systems.
    4. Obsolete. Bearable; endurable

  17. Sys Admin Robots by Anonymous Coward · · Score: 1, Funny

    It avoids theories and concepts and delivers just the facts that a systems administrator needs to evaluate and protect a Unix or Linux system.

    Great! We can now admin Unix and Linux as mindlessly as MCSE's do MS Windows.

    Theories? We don't need no stinkin' theories!

    1. Re:Sys Admin Robots by 0racle · · Score: 1

      Not to insult anyone, but this is true, I saw that as a flaw

      --
      "I use a Mac because I'm just better than you are."
  18. Anything *new* in this book? by Anonymous Coward · · Score: 3, Informative

    Why is it that everyone wants to write a security book nowadays without any regard to whether the book actually adds anything to the realm of infosec? Do the authors prize the idea of being viewed as subject matter experts so they will get invited to speak at cons, thereby further inflating their reputations/egos?

    The whole review spoke of shit I have in half a dozen other books already. If I pick up a security book and it has crypto basics or passwd basics in it I'm tempted to just toss it right then and there, especially since most of these tomes are >$40.

    Very few security books find their way to my shelf nowadays since most are redundant. Awesome exceptions include:
    Incident Response (McGraw Hill)
    Practical Unix & Internet Security (OReilly...like you didn't know)
    Network Intrusion Detection (New Rider)
    Building Internet FWs (OReilly)

    There are others of course but these all share the characteristic of actually *adding knowledge to the field*.

    1. Re:Anything *new* in this book? by oren_ishii · · Score: 1

      Great set of books. However, have you even _read_ this one? I have read most of the above in addition to the HackNotes series. This HackNotes book gives me the same info in 200 pages that other books give me in 450 pages or more. So, before you go out and list other books that you like, try reading the one being reviewed first.

  19. Re:Security? by eblum · · Score: 1

    Basically it is because of its design philosophies.

    You can check this old slashdot news.
    http://slashdot.org/article.pl?sid=03/10/06/2142257&mode=nested&tid=106&tid=126&tid=172&tid=185&tid=190&tid=201

    or the original link: http://www.theregister.co.uk/content/56/33226.html

    It is about viruses, but virus problems are a big X when talking about security.

    Ernesto.

  20. More? by supabeast! · · Score: 1

    "Though the author warns of the dangers of weak passwords, I would have liked to see a more thorough explanation of how to choose passwords."

    Am I the only person sick of security books having yet another diatribe about password quality? How about a two page summary of recommended settings and the appropriate configuration files/menus? Security theory is nice, but dammit, if I had time to worry about the theories, I'd just read "Practical UNIX and Internet Security" and "Secrets and Lies," before writing a custom script to lock all of my systems down right after I finish with those kickstart/jumpstart scripts.

    Just give me a chapter-by-chapter list of exactly what should be locked down, how to do it, and a VERY CONCISE explanation of why?

    1. Re:More? by Anonymous Coward · · Score: 0

      Security theory is nice

      It sure is. Otherwise you won't understand what you're doing or why, and you're likely to do something idiotic for someone who comes after you to clean up. According to the review, though, the book "avoids theories and concepts and delivers just the facts," so you should be safe from any of the superfluous workload and responsibility of understanding.

      Just want to push some buttons without having to think too hard? That's all right. I don't think you really need root then.

  21. Good Explanation by Fuzzy_The_Quantum_Du · · Score: 1

    There was an article in The Register last week that was mentioned here that does a really good job of answering your question.

    Cheers,
    Fuzzy The Quantum Duck

    =0)

  22. Hacking Exposed Linux much much much better. by Destimony · · Score: 2, Informative

    My big question is why this book is out there at all? It's published by McGraw-Hill, who is the same company that published Hacking Exposed Linux, 2nd Edition. HEL (or HLE, or whatever) is very comprehensive. It covers all the topics in this book, but with enough space that you can actually learn from it and apply it today. This book is a half-hearted attempt at a security book. It reads more like someone started to write a book, realized they'd bitten off more than they could chew, and tried to get out as fast as possible.

    I strongly suggest that you don't waste your money. Go with Hacking Linux Exposed. Same publisher, better book.

  23. All prevention no response... by nuckfuts · · Score: 1

    is tantamount to wishful thinking.

    Looking back at the number and severity of vulnerabilities exposed in the past 18 months or so (across many platforms) I am becoming increasingly pessimistic about the effectiveness of preventative measures. The rate at which I need to be patching/updating software to plug the holes has become simply unmanageable. Meanwhile, crackers have access to increasingly effective tools like the new Nmap with version detection.

    I'm beginning to question whether the amount of time I spend on prevention would be better spent simply preparing for rapid recovery/response in the event of getting hit. I'm leaning toward reliance on packet filtering at the network edge (ingress AND egress) while treating the internal machines' hard drives as disposable devices. How about some information on tools for imaging entire system drives? Rapid recovery methods? Forensics? What works well? What doesn't?

    I want more than just a user's guide. I want a repair manual for when things don't go as planned.

    1. Re:All prevention no response... by Anonymous Coward · · Score: 0

      Well that's your choice, I guess. Personally, I don't want to deal with recovery unless a natural disaster hits. I try to focus my efforts on avoiding getting compromised. It's not that difficult to set up a hardened server these days. We have nicely designed software like qmail, djbdns, vsftpd, etc. that was all designed with security in mind from the get-go (incidentally you'll notice that the software I listed has very small codebases, and that's no coincidence...) There are also nice kernel patches (frex: grsecurity.net), that make the would-be hacker's life very difficult. Unless your machines have nothing important on them, it's a shame if you don't use such a kernel patch (with properly configured least-privilege ACL's). A firewall is a good thing, but if you're depending on that for security, I think you're bound to keep getting hacked. There's a saying that goes something like "hackers love networks with hard crunchy outside and soft chewy inside", and that's how a lot of networks are set up even today... The firewall is good, but it should only be one of the layers of defense... just something to prevent IP spoofing and to make sure the packets that hit your apps are well-formed. I wouldn't rely on it too much more than that. Well you can use it to fuck with the scanners a bit too, like in this setup.

  24. Re:Security? by H0ek · · Score: 1

    So why should they target Linux boxen?

    Well, I can think of a few reasons a Linux system is more desirable.

    1. GNU/Linux tends to be a challenge that script-kiddies who describe systems as 'boxen' find too difficult and end up targeting pre-scripted Windows vulnerabilities.
    2. Due mostly to the already-described difficulty, those who target GNU/Linux are usually also able to provide a fix (and are usually responsible enough to do so).
    3. There's a certain level of prestige among those that are willing to find and fix vulnerabilities within GNU/Linux. At least, prestige among people who matter in the industry.
    Of course, these are personal opinions. I'm sure those who find satisfaction downloading and compiling the latest Microsoft RPC exploit have plenty of respect as a 3733t h4x0r among their community.

    --
    H0ek
    Think you're smart? Prove you've got brains!
  25. Re:Security? by josephgrossberg · · Score: 1

    other reasons not mentioned by H0ek:

    * it's more of a challenge (ergo more prestige)
    * most web servers run Apache
    * they want to be different for its own sake

  26. Re:Security? by im+a+fucking+coward · · Score: 1

    Oh man, do you ever have flamebait written on your chest. I'll be kinder.

    * They want to tell the world that Linux is more secure.
    It's clear you think this can't be true. Okay, here's a test I performed: Load one RH 9 server with Apache, and throw it raw on the net (no firewalls, that would be cheating!). Load one 2000 boxen with IIS, dump on the net. How long did it take the Linux server to get hacked? Didn't happen within one month. Ended test. Windows? Three hours before the box was compromised. To be fair I'm not sure how they did it, it was so fsck'ed up I couldn't login, admin password reset, etc.

    I could be wrong, maybe some hacker wannabe just got lucky. Still, it's pretty strong proof to me that MS is a long way from being just a 'little less insecure' than Linux. Don't take my word for it, try it yourself.

    BTW, if linux is anywhere near as insecure as Windows, why don't they base routers and switches on your OS? They certainly do on Linux.

  27. Print + Security Reference? by Lord+Ender · · Score: 1

    I'm sorry, but in this field, nothing is ever printed because it is out of date so quickly. The thought of carrying around a paper reference book when doing security work is, well, futile.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  28. Bullshit by oren_ishii · · Score: 1

    Hacking Exposed Linux is good but if you want to spend reading 10 fucking pages telling you how to do a simple portscan, then that's fine. I have the entire hacknotes series of books that I picked up at a security conference, and yeah I like them. They are to the point and don't waste your time dicking around with stupid page fillers. I own both the books, and they are from the same publisher, so what? I hate it when people don't even fucking read the books and want to talk like they have.

  29. Great new features by Anonymous Coward · · Score: 0

    The review states "Each part is divided into chapters that follow a logical progression."

    Is this something to brag about, shouldn't I already have assumed this? Or is it some new format of book writing?

  30. Re:Security? by spacecowboy16739 · · Score: 1

    GNU/Linux or BSD/Unix certainly IS secure... If you have a 30-character password. "Enter any 11-digit prime number to continue: __"

    --
    "It's worth remembering that the catalyst for all this was a magazine article about phreaking." -- "Approaching Zero"
  31. Re:Security? by Anonymous Coward · · Score: 0

    Windows is not that much more insecure than Linux

    On what do you base this claim? Most published security research emphatically suggests otherwise.

    Further on, you seem to be suggesting that being "on the net" is the real problem. I see. So when not connected to the net, a Windows system is about as secure as a Linux system? Okay, I can believe that.

  32. I bet you haven't even read this one by oren_ishii · · Score: 1

    Good job finding flaws with a book you probably haven't even read yet. Moron.

    1. Re:I bet you haven't even read this one by Anonymous Coward · · Score: 0

      You are one of those people that don't know what to do when someone says "knock, knock" right?

  33. You cheated at the Security test by solprovider · · Score: 1

    Um, you cheated.

    MSWindows2000 was released on February 17, 2000.
    RedHat 9.0 was released on March 31, 2003 (All release dates for RedHat are from this link.)

    So Redhat had over 3 years to fix holes in the distribution, while crackers had 3 more years to find holes in MSWindows2000. If you want to play fair,
    - use Windows2003 released April 24, 2003 and RedHat9.0 (24 days between the releases), or
    - use RedHat 6.2 (released March 8, 2000) (19 days difference from MSWindows2000) or maybe RedHat 7.0 (released August 28, 2000).

    If you want to compare RedHat9.0 and MSWindows2000 today, you should fully patch both of them.

    I believe RedHat will still win any of the fair tests, but if you use unpatched RH6.2, it will get cracked. It will just take longer because there are tons of script kiddies just sending easy URL cracks at every web server hoping it is running MSWindows.

    --
    I spend my life entertaining my brain.
    1. Re:You cheated at the Security test by im+a+fucking+coward · · Score: 1

      So Redhat had over 3 years to fix holes in the distribution, while crackers had 3 more years to find holes in MSWindows2000. If you want to play fair,

      Excellent point, I hadn't even considered that. Man, what slop on my part.

      Well, I'll rerun the test on 2003 server with most recent IIS version. I didn't have the license, but will go ahead and splurge.

      Thanks for keeping me honest!

  34. /dev/random -> base64 by Pan+T.+Hose · · Score: 1

    This is how I usually choose passwords: I get 12 to 24 bytes from /dev/random (depending on how much entropy and how large a keyspace I really need) and just use its base64 representation as a password. It's quite hard to guess and after a few years I have little problem in remembering the short (96 bits of entropy) ones. The secret is that I don't have to remember them for long, as I change it weekly anyway. This is what I always tell my lusers to use. Once they get used to it, they stop complaining. It's easier to remember if you make a sentence with words starting from those letters and it can be actually fun (e.g. you can write a poem, a song, etc.).

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  35. Re:/dev/random - base64 by Anonymous Coward · · Score: 0

    Are you serious? Can you really remember such passwords? Don't they look like "PGY6xzGyP1xFvOJy"? Am I right?
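The two password schemes argued over in this thread, cmacb's assigned CVC99CVC format and Pan T. Hose's /dev/random -> base64 method, compared by the work factor each gives an attacker. This is an added example, not code from the thread or from the book; it assumes 21 consonants and 5 vowels (y counted as a consonant, case-insensitive) for the pattern and uses os.urandom() in place of reading /dev/random directly.

```python
import base64
import math
import os

# Character-class sizes for the fixed-format policy cmacb describes:
# C = consonant, V = vowel, 9 = digit. Assumption: 26 letters, 5 vowels,
# hence 21 consonants, and no case variation.
CLASS_SIZES = {"C": 21, "V": 5, "9": 10}


def pattern_keyspace(pattern):
    """Number of distinct passwords a fixed-format policy permits.

    Each position is drawn independently from its class, so the keyspace is
    the product of the class sizes. An unknown class letter raises KeyError.
    """
    total = 1
    for cls in pattern:
        total *= CLASS_SIZES[cls]
    return total


def pattern_entropy_bits(pattern):
    """log2 of the keyspace: the attacker's work factor in bits."""
    return math.log2(pattern_keyspace(pattern))


def random_base64_password(nbytes):
    """The /dev/random -> base64 method from the thread.

    nbytes of CSPRNG output are base64-encoded and the '=' padding dropped.
    os.urandom() stands in for opening /dev/random so the code also runs
    where that device does not exist.
    """
    raw = os.urandom(nbytes)
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def random_password_entropy_bits(nbytes):
    """Each random byte carries 8 bits; base64 only changes the encoding."""
    return 8 * nbytes


def base64_length(nbytes):
    """Characters in the unpadded base64 form: 4 per 3 bytes, rounded up."""
    return math.ceil(nbytes * 4 / 3)


def compare_policies(pattern, nbytes):
    """Side-by-side work factor of the two schemes, in bits."""
    return {
        "pattern": pattern,
        "pattern_bits": pattern_entropy_bits(pattern),
        "random_bytes": nbytes,
        "random_bits": random_password_entropy_bits(nbytes),
        "random_length": base64_length(nbytes),
    }


if __name__ == "__main__":
    # 12 bytes gives the 96-bit, 16-character passwords quoted in the thread;
    # 24 bytes is the upper end Pan T. Hose mentions.
    for n in (12, 24):
        print(compare_policies("CVC99CVC", n))
    print("sample:", random_base64_password(12))
```

The CVC99CVC format works out to under 29 bits against 96 bits for the 12-byte base64 string, which is why the MCSE's policy was so easy to crack.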

  36. Yes by Pan+T.+Hose · · Score: 1

    Are you serious? Can you really remember such passwords? Don't they look like "PGY6xzGyP1xFvOJy"? Am I right?

    Yes, yes, yes and yes.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."