Hardening Linux
r3lody writes "Hardening Linux, by James Turnbull, stands out as an important text that clearly lays out how to make your Linux boxes as secure as possible. Mr. Turnbull has done a noteworthy job in delineating many potential vulnerabilities, and how to mitigate them. Each chapter covers a particular area in depth, with carefully worded and easy-to-follow examples. In the cases where you need to install some other piece of software to provide extra security, Turnbull gives you the step-by-step details, removing the chance of misinterpretation. As you finish each chapter, you will want to apply your newfound knowledge to the machines at your disposal." Read on for r3lody's review.
Hardening Linux
author: James Turnbull
pages: 584
publisher: Apress
rating: 9/10
reviewer: Ray Lodato (rlodato AT yahoo DOT com)
ISBN: 1590594444
summary: In-depth explanations with step-by-step techniques for securing Linux and common applications.
Naturally, the strongest building will collapse if built on a weak foundation, so Turnbull starts by considering what you need to harden a stand-alone Linux host. He discusses what applications to install and how to secure the boot loader (both LILO and GRUB are covered). The init sequences and scripts are covered next, as well as the login screen. Information on securing users and groups using PAM (Pluggable Authentication Modules) comes next, followed by package management and kernel patching. Finally, Turnbull finishes up with how to keep informed on security issues in the future. All of that is contained in chapter 1, and there are ten more to go! Each chapter ends with a list of resources in the form of mailing lists, web sites, books, etc., so you can fill in any blanks Turnbull may have left in.
Current security postures dictate that every network-connected device needs to be secured from the inside out. Turnbull apparently believes the same thing, and covers the Netfilter firewall framework built into the Linux kernel. Once again providing the careful step-by-step procedures, he demonstrates how to use iptables to manipulate Netfilter chains for maximum protection. There are a number of kernel parameters to Netfilter that can be modified using the sysctl command. James describes the more important ones (such as conf/all/accept_redirects, icmp_echo_ignore_broadcasts, and all under the /proc/sys/net/ipv4 pseudo-directory), and how to keep the changes in place across reboots. He also discusses how to log firewall rules, and keep the code updated using Patch-O-Matic.
As each subsequent chapter unfolds, Turnbull carefully explains how to tighten remote administration, files and file systems, mail, ftp, and DNS/BIND. He gives additional information on how to log important information securely and efficiently monitor the data collected. In addition, tools for testing the security of your hosts are described very clearly, from the inside out and the outside in, along with explanations of how to detect penetrations and recover from them.
Writing about securing a computer system can be done on a few different levels, from the general suggestions which apply to just about any program, to the specific which apply to just one. Turnbull picked commonly used programs and provides step-by-step procedures for locking them down. For example, if you are hardening a mail server, you will find descriptions of Sendmail and Postfix, but not of Qmail or Courier. While this might limit the appeal of the book to just those using the more common programs, it allows a depth that would be otherwise unavailable.
The only quibble I have is that his book does not go far enough. While the chosen applications are covered in great depth, some applications are missing. There is no coverage for a web server, such as Apache, or a database server, such as MySQL. I can only hope that a future edition of the book includes chapters on these and other categories of programs.
Hardening Linux by James Turnbull belongs on the shelf of anyone who installs and maintains Linux servers. The information is easy to follow, and will help you configure your systems very securely. The additional insights into why the configurations are important are extremely valuable in their own right.
You can purchase Hardening Linux from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
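The review mentions the Netfilter-related kernel parameters under /proc/sys/net/ipv4 (conf/all/accept_redirects, icmp_echo_ignore_broadcasts) and the need to keep such changes in place across reboots. The following script is an added example, not taken from the book or from the review: it audits a hardening baseline against the live /proc/sys tree, reports drift, and prints the lines that would pin the values in /etc/sysctl.conf. The baseline is an assumed one (the two parameters the review names plus a few commonly paired ones, all real Linux sysctls), not the book's list, and the demo tree it builds under mktemp is constructed so the audit runs offline without touching a real kernel.

```shell
#!/bin/sh
# Audit IPv4/Netfilter sysctl hardening values against a baseline and show
# how to persist them. ROOT is prepended to /proc/sys so the functions can
# be exercised on a constructed tree as well as on a live system ("/").

# Assumed baseline (name value), not the book's list: the two parameters the
# review mentions plus commonly paired anti-spoofing/anti-redirect settings.
BASELINE='net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.log_martians 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.tcp_syncookies 1'

# sysctl_path NAME: dotted sysctl name -> path below /proc/sys
sysctl_path() {
    printf '%s' "$1" | tr '.' '/'
}

# current_value ROOT NAME: live value, or "missing" if the kernel lacks the key
current_value() {
    f="$1/proc/sys/$(sysctl_path "$2")"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# audit ROOT: one line per baseline entry: "name wanted actual STATE"
# STATE is ok, DRIFT (weaker than baseline) or MISSING (key not present).
audit() {
    root="$1"
    printf '%s\n' "$BASELINE" | while read -r name wanted; do
        actual=$(current_value "$root" "$name")
        if [ "$actual" = "$wanted" ]; then state=ok
        elif [ "$actual" = missing ]; then state=MISSING
        else state=DRIFT; fi
        printf '%s %s %s %s\n' "$name" "$wanted" "$actual" "$state"
    done
}

# drift_count ROOT: number of baseline entries that are not ok
drift_count() {
    audit "$1" | grep -vc ' ok$' || true
}

# persist_lines: sysctl.conf syntax that keeps the baseline across reboots
persist_lines() {
    printf '%s\n' "$BASELINE" | while read -r name wanted; do
        printf '%s = %s\n' "$name" "$wanted"
    done
}

# make_demo_root: constructed /proc/sys tree (not a real kernel) with two
# deliberately weak settings so the audit has something to report.
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/net/ipv4/conf/all"
    echo 1 > "$d/proc/sys/net/ipv4/conf/all/accept_redirects"   # weak
    echo 0 > "$d/proc/sys/net/ipv4/conf/all/send_redirects"
    echo 0 > "$d/proc/sys/net/ipv4/conf/all/accept_source_route"
    echo 1 > "$d/proc/sys/net/ipv4/conf/all/rp_filter"
    echo 0 > "$d/proc/sys/net/ipv4/conf/all/log_martians"       # weak
    echo 1 > "$d/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 1 > "$d/proc/sys/net/ipv4/tcp_syncookies"
    printf '%s\n' "$d"
}

# Usage: ./sysctl_audit.sh --demo   (constructed tree)
#        run audit "/" as root to check the live kernel instead.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_root)
    audit "$root"
    echo "drifting entries: $(drift_count "$root")"
    echo "--- lines for /etc/sysctl.conf ---"
    persist_lines
    rm -rf "$root"
fi
```

On a live host the same functions run against ROOT="/" (reading /proc/sys needs no privilege; writing does). Distinguishing MISSING from DRIFT matters because a parameter absent from the kernel is not a misconfiguration, and a persistence file that names it will make the sysctl command complain at boot.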
I reviewed a similar book with the same title for Linux Journal a few months ago. If you're into security, you might find it interesting.
"A diplomat is a man who always remembers a woman's birthday but never remembers her age." -Robert Frost
Or you can buy it for 23.50 USD at bookpool:
http://www.bookpool.com/sm/1590594444
or for 29.69 at Amazon:
http://www.amazon.com/gp/product/1590594444/002-0
or you could spend 40.49 at BN:
http://search.barnesandnoble.com/booksearch/isbnI
But of course BN is linked in this review.
It looks like the publisher already has a book out called "Hardening Apache".
Dave K. Mt. Laurel, NJ USA
How about prices which include shipping and are less than Amazon's cover price?
(there are online bookstores other than Amazon and B&N)
It's not just about limiting the number of default services. The OpenBSD project has performed years of strenuous code audits. Those have identified, and thus resulted in the fixing of, many bugs.
Then there's the whole emphasis on security in the first place. Code doesn't make its way into OpenBSD without being heavily scrutinized.
OpenBSD is secure not only because they don't enable potentially dangerous services right off the bat, but also because their development process puts such a heavy emphasis on only including highly secure code.
Cyric Zndovzny at your service.
(let alone know where to get it [nsa.gov]?)
Getting SELinux is easy. Some distributions (notably Fedora and CentOS) have it installed and enabled by default, and I suspect that anyone who has done any amount of research into "hardening" their system has heard of SELinux.
A good Windows admin can "secure" his system as well as a good Linux "admin". The difference is how much work and effort are required.
I like Ubuntu. By default, Ubuntu installs with no open ports. So, securing Ubuntu against worm attacks takes no effort on a default installation.
But securing Windows against worm attacks requires constantly reading the vulnerability disclosures. Or adding an additional layer that requires a different skill set.
It's only when you get beyond the default installation that admin skills become important. The current problem is that there are so many older versions of Windows out there that were sold with a very open default installation and are still vulnerable.
Chapter 6 (Using Tools for Security Testing) goes into NMAP and Nessus in depth, then mentions a few additional tools at the end. dsniff, Ethereal, Ettercap, LIDS, Netcat, SARA, Snort, tcpdump, and Titan each have a one-paragraph writeup, with links to the websites for the tools.
> Otherwise it will continue to stand to reason that sendmail has just as much place in a secure system today as Qmail.
Compare the security history since both qmail and postfix were released (let's choose January 2003) against sendmail.
CERT Vulnerability note search.
Sendmail: 6 vulnerabilities, including 4 buffer overflow vulnerabilities, at least one of which risks a remote root exploit; one was IBM-specific and just silly IBM. Many prior ones ignored.
Postfix: one DoS in 2003.
Qmail: no hits.
Patching complex systems doesn't meaningfully reduce the number, or scope, of security holes in most cases, you need (re)engineering to do that, or at least rewriting problem areas from scratch. Software doesn't always age gracefully, as any programmer will tell you.
Given the much more extensive feature set of Postfix compared to Qmail (hey, Qmail may be quite secure, but it doesn't do very much), I choose Postfix. Sure, Sendmail is improving, but they would have to release a whole new architecture to attract the security-conscious system admins.
Indeed they have just announced a new sendmail with a security architecture that borrows heavily from the Postfix school of thought.
Don't get me wrong, I'm just dismantling our last two sendmail servers, and they have done an okay job, but they required a lot more love and attention than Postfix would have to keep them going. Qmail is even easier if you only want what qmail does; otherwise it is patchomatic time, and I don't trust the qmail patches to be as secure as Dan's code.
"...for when keeping your box in a safe, cut off from the outside world, isn't an option..." Exactly. The most secure box in the world, irregardless of OS or Distro, is the one that hasn't yet, isn't currently, and never will be connected to the internet. But, unfortunately, that isn't always a practical solution. I'll look out for this one.
"We are Samurai, the Keyboard...Cowboys"