Slashdot Mirror


Hardening Linux

r3lody writes "Hardening Linux, by James Turnbull, stands out as an important text that clearly lays out how to make your Linux boxes as secure as possible. Mr. Turnbull has done a noteworthy job in delineating many potential vulnerabilities, and how to mitigate them. Each chapter covers a particular area in depth, with carefully worded and easy-to-follow examples. In the cases where you need to install some other piece of software to provide extra security, Turnbull gives you the step-by-step details, removing the chance of misinterpretation. As you finish each chapter, you will want to apply your newfound knowledge to the machines at your disposal." Read on for r3lody's review.

Title: Hardening Linux
Author: James Turnbull
Pages: 584
Publisher: Apress
Rating: 9/10
Reviewer: Ray Lodato (rlodato AT yahoo DOT com)
ISBN: 1590594444
Summary: In-depth explanations with step-by-step techniques for securing Linux and common applications.

Naturally, the strongest building will collapse if built on a weak foundation, so Turnbull starts by considering what you need to harden a stand-alone Linux host. He discusses what applications to install and how to secure the boot loader (both LILO and GRUB are covered). The init sequences and scripts are covered next, as well as the login screen. Information on securing users and groups using PAM (Pluggable Authentication Modules) comes next, followed by package management and kernel patching. Finally, Turnbull finishes up with how to keep informed on security issues in the future. All of that is contained in chapter 1, and there are ten more to go! Each chapter ends with a list of resources in the form of mailing lists, web sites, books, etc., so you can fill in any blanks Turnbull may have left in.

Current security postures dictate that every network-connected device needs to be secured from the inside out. Turnbull apparently believes the same thing, and covers the Netfilter firewall framework built into the Linux kernel. Once again providing the careful step-by-step procedures, he demonstrates how to use iptables to manipulate Netfilter chains for maximum protection. There are a number of kernel parameters to Netfilter that can be modified using the sysctl command. James describes the more important ones (such as conf/all/accept_redirects and icmp_echo_ignore_broadcasts, all under the /proc/sys/net/ipv4 pseudo-directory), and how to keep the changes in place across reboots. He also discusses how to log firewall rules, and keep the code updated using Patch-O-Matic.

As each subsequent chapter unfolds, Turnbull carefully explains how to tighten remote administration, files and file systems, mail, ftp, and DNS/BIND. He gives additional information on how to log important information securely and efficiently monitor the data collected. In addition, tools for testing the security of your hosts are described very clearly, from the inside out and the outside in, along with explanations of how to detect penetrations and recover from them.

Writing about securing a computer system can be done on a few different levels, from general suggestions that apply to just about any program to specifics that apply to just one. Turnbull picked commonly used programs and provides step-by-step procedures for locking them down. For example, if you are hardening a mail server, you will find descriptions of Sendmail and Postfix, but not of Qmail or Courier. While this might limit the appeal of the book to just those using the more common programs, it allows a depth that would be otherwise unavailable.

The only quibble I have is that his book does not go far enough. While the chosen applications are covered in great depth, some applications are missing. There is no coverage for a web server, such as Apache, or a database server, such as MySQL. I can only hope that a future edition of the book includes chapters on these and other categories of programs.

Hardening Linux by James Turnbull belongs on the shelf of anyone who installs and maintains Linux servers. The information is easy to follow, and will help you configure your systems very securely. The additional insights into why the configurations are important are extremely valuable in their own right.
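
An added example, not taken from the book or the review: a small shell audit for the two /proc/sys/net/ipv4 parameters the review names, checking which value a sysctl.conf-style file would actually leave in place after a reboot. The expected values (0 and 1), the function names and the sample file are assumptions made for this example.

```shell
# Map a /proc/sys path to the dotted key used by sysctl and sysctl.conf.
proc_to_key() { printf '%s\n' "${1#/proc/sys/}" | tr '/' '.'; }

# Print KEY's effective value in FILE: comments skipped, last assignment wins.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; seen = 1 }
        }
        END { print (seen ? val : "unset") }
    ' "$1"
}

# Compare FILE with the assumed hardened values; return the number of findings.
audit_sysctl() {
    findings=0
    for want in \
        "/proc/sys/net/ipv4/conf/all/accept_redirects=0" \
        "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts=1"
    do
        key=$(proc_to_key "${want%%=*}")
        expected=${want#*=}
        actual=$(effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $key = $actual"
        else
            echo "FAIL  $key = $actual (want $expected)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: a later line silently undoes the hardened setting.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
; appended later by another package or administrator
net.ipv4.conf.all.accept_redirects=1
#net.ipv4.conf.all.accept_redirects = 0
EOF
audit_sysctl "$SAMPLE" || echo "findings: $?"
```

On a live host, the same keys can be compared against the running kernel by reading the corresponding files under /proc/sys.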


3 of 137 comments

  1. OUTGOING by Anonymous Coward · · Score: -1, Flamebait

    HELLO WORLD

  2. Why harden? by Luke · · Score: 0, Flamebait

    When you can use an OS that starts out secure?

  3. Avoid PHP. by CyricZ · · Score: 0, Flamebait

    One of the best things to do, like it or not, is avoid PHP. It has been shown to be less than suitable when it comes to security. Indeed, the SpreadFirefox incidents you mention were due to faulty PHP-based systems.

    While it doesn't involve the security of Linux (or any other open-source OS) in any way, the security issues that plague PHP do end up making the entire community look bad. Thus I think the open source community as a whole should put more pressure on the PHP developers to introduce technology that will prevent ill-written scripts from executing.

    One doesn't want to have to hold the hands of experienced developers, but at the same time we can't let the unnecessary and misdirected damage to our reputations continue because of poorly written PHP scripts.

    The Linux and *BSD projects have gone out of their way to make sure that their system is secure, even in the face of inexperienced users. It's time for the PHP team to do the same.

    --
    Cyric Zndovzny at your service.