Slashdot Mirror


Best Linux Security Books?

RyuMaou asks: "I'm about to move a small company from an old, ailing Windows server to some flavor of Linux and I want to make sure they're proprietary information is safe. Here's the problem: I've only run Linux as an application server, behind the firewall, in a Novell environment. Time is short and I have limited resources and want to read at least one really great book on Linux security, then follow that up with some good reinforcement. I know the information is mostly available on the Internet for free, but I like reading actual books, not printouts. So, if you had to pick five books, or fewer, on Linux security, what would you read?"

33 comments

  1. There, Their, They're by Saeed al-Sahaf · · Score: 1, Offtopic
    ...I want to make sure they're proprietary information is safe...

    There - "There is something wrong with the grammar in the story."
    Their - "It's their problem they don't know any better."
    They're - "They're going to go down to the pub after installing Linux."

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:There, Their, They're by BladeMelbourne · · Score: 0, Troll

      I was going to suggest picking up a dictionary with the Linux Security books, but you beat me to it. Nicely done :-)

    2. Re:There, Their, They're by phishtrader · · Score: 1

      So, somebody asks for advice on Linux security books and you jokers give him a spelling and grammar lesson. Good job.

    3. Re:There, Their, They're by RyuMaou · · Score: 1

      Thank you.

      But, to be honest, I'm terribly embarrassed by that mistake. I suppose that's what I get for submitting stories late at night, past my bedtime!

      --
      Oh, the trials and tribulations of a network geek! Read about them at: http://www.ryumaou.com/hoffman/netgeek/
  2. Scary by PhiznTRG · · Score: 4, Insightful
    This type of question always scares me - if this guy was attempting to work on my network, the last thing I would want him to do is move to Linux "just because".
    Why are you moving the server to a platform you are not familiar enough with? Because you have used it in an unrelated application? Is there something wrong with the Windows server (besides being old and the typical Windows bashing?)

    I'm all for trying things out, but is it right to do this with a client's "proprietary" data? What is your backup plan? Will the server store the information as well as act as the firewall? Why Linux and not a flavor of BSD?

    After all of that, while a book may feel nice, you will get much better and more up-to-date information on the 'net.

    1. Re:Scary by RyuMaou · · Score: 1

      Sorry, I missed this story even being posted until today. For some reason, it never showed up in my notifications.

      I'm not moving to Linux "just because". I'm moving to Linux because the boss wants to do it and currently they run Windows NT on a dying server. I've worked with Linux, primarily as an application server as opposed to a file server, for about four years and I've worked with other flavors of Unix as an operator. I was primarily concerned with properly securing the fileserver, being able to monitor security on it and explain it to the poor sucker who will eventually replace me.
      To answer your questions, which weren't actually relevant to the question as far as I'm concerned: we have a separate firewall appliance, I'll be using Syncsort to back up to removable drives, and Linux because I've never touched BSD. And, yes, I know the most up-to-date info is on the web somewhere, but, as I said, I like having an actual book to read.

      Thanks for your input though.
      Jim aka RyuMaou

      --
      Oh, the trials and tribulations of a network geek! Read about them at: http://www.ryumaou.com/hoffman/netgeek/
  3. Use Gentoo by jmazzi · · Score: 0, Offtopic

    Although I don't have a book to recommend, I can offer this advice. Use Gentoo. Its model is pretty secure to start with. You only install what you need, not what the distro thinks you need.

  4. Does it have to be Linux? by nocomment · · Score: 4, Informative

    Linux is ok, but iptables is a mess if you are going to be doing firewalling[1].

    Why not use OpenBSD? I might recommend using Absolute OpenBSD, Secure Architectures with OpenBSD, and Building Firewalls with OpenBSD and PF. Of course the OpenBSD man pages are superb. You also have access to CARP (rather, an implementation that works as expected), plus you get the benefit of not having to update very often (I've only had to patch SSH and FTPD in the last 2 or 3 years).


    [1]Shorewall does make this easier though.

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
    1. Re:Does it have to be Linux? by Gherald · · Score: 1

      What really bothers me about the OpenBSD man pages is that a "/" search doesn't highlight the matches!

      Is there a way to make it behave more like GNU man ?

    2. Re:Does it have to be Linux? by ehvoy · · Score: 4, Insightful

      Minimize services

      1. Install distribution

      2. Comment out all services running via /etc/inetd.conf and run "killall -HUP inetd" (if inetd is running at all).

      3. For services you want running, determine which ones are only needed by the machine actually running the services and research how to get them listening on 127.0.0.1 only. Implement. smtp is usually the one I do this for so I can send emails but don't have to worry about external abuse.

      4. Determine your default runlevel by opening "/etc/inittab" and looking for a line like "id:n:initdefault:". The number is your default runlevel.

      5. Run netstat -tunap to get a list of services listening on the machine. Browse /etc/init.d to get their startup script names.

      6. Open /etc/rcn.d and delete the files representing services you do not want to start up, based on the result of step 5. Or just uninstall them with the distribution's installer software.

      7. Install logcheck or some kind of log auditing software that can email you hourly errors/warnings.

      8. Forward root's email via the /root/.forward file or /etc/aliases.

      Patch if needed. Subscribe to distribution security mailing list, subscribe to bugtraq, check for new patches every week via distribution's upgrade/patching tool, if a patch is not available for a particular vulnerability, think of ways to survive if server is compromised.

      Partially there. Now just need some nice slashdotter to confirm I am on the right track, correct me where I am wrong and offer other options or a book that continues beyond this.
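      An added example for steps 3 and 5 of the list above (not code from the thread): a small POSIX shell function that reads "netstat -tunap" output and reports only the listeners that are bound to something other than loopback, i.e. the ones still exposed to the network. The netstat output embedded below is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit "netstat -tunap" output for listening sockets that
# are NOT bound to 127.0.0.1/::1, so they are reachable from the network.
# Usage: netstat -tunap | exposed_listeners

# exposed_listeners: print "proto port program" for each exposed listener.
# TCP rows carry a State column (keep only LISTEN); UDP rows have no State,
# so in both cases the PID/Program name is simply the last field.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }              # skip the two header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # ESTABLISHED etc. are not listeners
        {
            n = split($4, a, ":"); port = a[n]; host = a[1]
            if (n > 2)                           # IPv6 form like ":::22" or "::1:123"
                host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip "PID/" from "812/sshd"
            print $1, port, prog
        }'
}

# count_exposed: number of exposed listeners found on stdin
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# Constructed sample of "netstat -tunap" output (not from a real machine).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/portmap
tcp        0      0 192.168.1.10:139        0.0.0.0:*               LISTEN      1020/smbd
tcp        0      0 192.168.1.10:22         192.168.1.5:40122       ESTABLISHED 1203/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           640/portmap
udp        0      0 127.0.0.1:123           0.0.0.0:*                           700/ntpd'

# Run the audit on the sample when invoked directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | exposed_listeners
    echo "exposed listeners: $(printf '%s\n' "$SAMPLE" | count_exposed)"
fi
```

      In the sample, sendmail on 127.0.0.1:25 and ntpd on 127.0.0.1:123 are correctly left out, while sshd, portmap (tcp and udp) and smbd are reported as candidates for step 6.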

  5. Real World Linux Security by jimpop · · Score: 5, Informative

    I recommend Bob Toxen's Real World Linux Security, it's a year or two old but still chock-full of goodness.

  6. Get a good overview by Anonymous Coward · · Score: 4, Informative
    Don't focus on security books. Get a thorough overview of UNIX. Security books are only useful once you know where to look for problems. Get your head around the network, user privileges, etc before you worry about specifics.

    I'm a huge advocate of McKusick's Kernel Internals course. It's essential for anyone serious about understanding the core components of the OS. The videos are like a grand, but you can find it free in a lot of libraries, or you might be lucky to catch a copy on half.com.

    1. Re:Get a good overview by Anonymous Coward · · Score: 0

      My set on eBay

  7. Dude, get with the times by Anonymous Coward · · Score: 1, Funny

    The current slashbot cheer is "use Ubuntu!"

    Example usage:

    Your mom: "When are you going to move out of our basement so your dad and I can build a sex dungeon down there?"

    You: "Use Ubuntu!"

    You're on the right track, though. This article had absolutely nothing to do with distribution selection and yet you felt compelled to get out your pom-poms and cheer for the flavor of the month. The only thing you did wrong was select last month's flavor.

    Kudos to you, slashbot. Keep reaching for that rainbow!

    1. Re:Dude, get with the times by WhatAmIDoingHere · · Score: 1

      If he's a slashbot, what does that make you?

      You're a guy who sits around reading /. comments looking for things to make fun of people for. If he's a loser slashbot, what exactly are you?

      --
      Not a Twitter sockpuppet... but I wish I was.
  8. My bookshelf... by HexaByte · · Score: 3, Informative

    Has a 5 year old copy of "Maximum Linux Security" from Sam's Publishing.

    It's really only slightly dated, and I have no idea if an updated version is available, but it's a good start.

    --
    HexaByte - he's a square and a half!
    1. Re:My bookshelf... by 286 · · Score: 2, Interesting

      I would seriously think twice before buying a five year old book on security. Linux security tools have changed. Maximum Linux Security will have you setting up ipchains!

      I would take jimpop's advice and go with Bob Toxen's "Real World Linux Security" if you must have a Linux book. Besides, he is a really nice guy.

      Maximum Linux Security was written by anonymous author(s) who couldn't be bothered to sign their name to their work.

      Your best bet is to grab "Absolute OpenBSD: UNIX for the Practical Paranoid" by Michael W. Lucas.
      You can't beat OpenBSD with a stick... not without physical access to the box at least. ;P

  9. A homogay? by Anonymous Coward · · Score: 0

    Is that the answer you're looking for?

    Are you prejudiced?

    Seriously, though, he's a slashbot for responding with "I don't have anything to say about the actual topic, but use my distro of choice." It's a very botish thing to say.

    I'm a jerk for pointing out what a butthole he is, sure. At least I'm not the kind of high-and-mighty jackass like yourself who comes down from their ivory tower of righteousness to defend such a moron from an obviously superior intellect.

  10. Try looking at Benchmarks by Jim Robinson Jr. · · Score: 5, Informative

    While books are good, you will have to wade through a lot of verbiage to find the gems. Although they won't provide the historical and technical backgrounds, you should seriously consider beginning with industry benchmarks rather than trying to make up your own.

    Try these for starters:

    Center for Internet Security
    http://www.cisecurity.org/

    SANS Step-By-Step Guides
    https://store.sans.org/store_category.php?category=stepxstep&portal=d3e56294b582309b0d88a6990e8621ce

    Both will provide you with a checklist to secure your systems, and although neither will be "all inclusive" they will give you a foundation to build your security program on.

    In large enterprises subject to regulatory oversight and external auditing they use these as a starting point.

    Hope this helps,

    Jim Robinson Jr., CISSP

    1. Re:Try looking at Benchmarks by RyuMaou · · Score: 1

      It was quite helpful, actually. I especially appreciate the link to the SANS literature. I wasn't aware that you could get that without taking their courses, for which I have neither the time nor the funds.

      Thank you!

      --
      Oh, the trials and tribulations of a network geek! Read about them at: http://www.ryumaou.com/hoffman/netgeek/
  11. SELinux by macemoneta · · Score: 4, Informative

    I've found Bill McCarty's SELinux book particularly useful for understanding the implementation of mandatory access controls on Linux.

    --

    Can You Say Linux? I Knew That You Could.

    1. Re:SELinux by PaxTech · · Score: 1

      The O'Reilly SELinux book is good, but it's pretty outdated now. It deals mostly with SELinux as implemented in Fedora Core 2, and the latest FC4 versions are quite different.

      The book's good for a grounding in the theory of SELinux and MAC, but as far as implementation specifics it's a bit expired. Unfortunately, there aren't any other SELinux books that are more up-to-date.

      --
      All movements for social change begin as missions, evolve into businesses, and end up as rackets.
  12. doh.. by Gherald · · Score: 1

    Should have thought a little harder before asking. Put this in one of your environment/shell startup files:

    export MANPAGER=less

    Much better!

  13. Negative suggestion by DrMorris · · Score: 1

    This may not be that good a suggestion, but please don't choose the book (written in German) "Praxisbuch Sicherheit für Linux-Server und -Netze"; it's a piece of crap. OK, that's harsh, but I think it's really not worth the money. It covers half theory and half the practical side, but the "practical" things are mostly [better] explained on some internet resources.

  14. Absolute OpenBSD & iptables... by robw810 · · Score: 1

    Regardless of whether you intend to actually use OpenBSD, I strongly recommend reading Absolute OpenBSD anyway - it's good reading for administering *any* UNIX-like server.

    As the original poster stated, netfilter/iptables isn't the easiest thing to figure out, but it's not so bad once you get there. To help, I recommend reading Robert Zeigler's "Linux Firewalls" (second edition) - you can probably find it on Amazon.com for less than $20 (US).

    Regardless of what you decide, good luck!

    RW

  15. Books? by mnmn · · Score: 1

    Why would you need books anyway?

    The first step towards security is to reduce the services and access to only what you need and what you understand. If you see the service in.inetd, and have no clue what it does, or what needs it, kill it.

    The second step is to read peoples experiences on how they got hacked and what did they do wrong. Skim over cert advisories.

    Lastly, keep the system patched up depending on the OS. Windows should be automatically updated between 10pm and 7am; don't make all machines DDOS your firewall. Linux needs patches depending on the distro, and the BSDs rarely need patching at all (esp. OpenBSD).

    Different people have differing ideas on how to achieve security nirvana. My plan is to simply understand what does what, so I can monitor and keep things simple. And if there is a popular daemon that runs like bind or sendmail, keep it patched, and chrooted if possible.

    Apart from that of course, the usual. Keep tough passwords, tighten the ACLs, block all irrelevant ports, chroot whatever is possible, keep a DMZ etc.

    There's your book.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
  16. Not a replacement for a book... by Mad Merlin · · Score: 2, Informative

    I was surprised to see that nobody had mentioned Nessus and/or Nmap yet. They're excellent at showing you what you're exposing to the outside world. I should however caution you that they're merely a companion on your journey to security, not the path.

  17. Simple rules by cowbutt · · Score: 2, Informative
    1) Stop and uninstall network servers that you will never need (e.g. rpm -e)
    2) Stop and Disable network servers that you do not need right now (e.g. chkconfig --del)
    3) Restrict access to the rest using built in ACLs, tcp_wrappers (i.e. hosts.allow/hosts.deny) and/or iptables/netfilter.
    4) Set strong passwords where applicable.
    5) Keep patched up-to-date.
    6) If your distribution includes SELinux, consider enabling it. Test thoroughly before moving to production status.
    7) Perform regular backups.
    8) Test your backups and your backup hardware.
    9) Monitor log files.

    To do anything more than that requires fairly extreme justification, and will increase costs due to administrative overhead. Doing the above will probably render your site a less attractive target than 90-something percent of sites. If you and a friend are running away from a tiger, you don't need to outrun the tiger - just your friend. :-)

  18. My recommendation by Kevin Burtch · · Score: 1


    Linux System Security - The Administrator's Guide to Open Source Security Tools

    I am very pleased with this book... and just check out the (5 star average) reviews on Amazon above.

    --
    - Preferences: Solaris 10 (servers), Ubuntu (desktops), Solaris 11 (personal servers) -
  19. Re:roffle by PhotoJim · · Score: 1

    Actually, Ethiopian cooking is pretty tasty. Those who have the means to eat tend to eat some pretty good-tasting food. The problem with computer security books, of course, is that they become obsolete before the ink is dry.

  20. Clearly by sheldon · · Score: 0, Troll

    He really doesn't need a book, because Linux is 100% secure right out of the box... which is his reasoning for moving to it.

    Right?

    Oh dear.