Hardening Linux / Edition 1 by James Turnbull
Pub. Date: 01/31/2005
"Hardening" is the process of protecting a system and its applications against unknown threats. Hardening Linux identifies many of the risks of running Linux hosts and applications and provides practical examples and methods to minimize those risks. The book is written for Linux/UNIX administrators who do not necessarily have in-depth knowledge of security but need to know how to secure their networks.
In this book, you'll learn how to secure:
- The base operating system and firewall with iptables
- Connections to your hosts
- File systems and files
- Email servers
- IMAP and POP servers
- FTP servers
A quick reference of the procedures discussed in each chapter is summarized in Appendix C.
Most Helpful Customer Reviews
Hardening Linux by James Turnbull stands out in my mind as a vitally important text that clearly lays out how to make your Linux boxes as secure as possible. Mr. Turnbull has done a remarkable job in delineating the potential vulnerabilities, and how to mitigate them. Each chapter covers a particular focus area in depth, with carefully worded and easy-to-follow examples. In the cases where you need to install some other piece of software to provide the extra security, he gives you the step-by-step details, leaving nothing for misinterpretation. This is one of those books that, as you finish each chapter, you'll want to apply your new-found knowledge to the machines at your disposal. As each subsequent chapter unfolds, James explains very carefully how to tighten remote administration, files and file systems, mail, ftp, and DNS/BIND. Additional information is given on how to log important information securely, and efficiently monitor the data collected. In addition, tools for testing the security of your hosts are described very clearly, from the inside-out and the outside-in, along with explanations of how to detect penetrations and recover from them. Writing about securing a computer system can be done on a few different levels, from the general suggestions which apply to just about any program, to the specific which apply to just one. Mr. Turnbull has chosen to pick commonly used programs and provide step-by-step procedures for locking them down. For example, if you are hardening a mail server, you will find descriptions of Sendmail and Postfix, but not of Qmail or Courier. While this might limit the appeal of the book to just those using the more common programs, it allows a depth that would be otherwise unavailable. The only quibble I have is that his book does not go far enough. While the chosen types of applications are covered in great depth, some applications are missing.
There is no coverage for a web server, such as Apache, or a database server, such as MySQL. I can only hope that a future edition of the book includes chapters on these and other categories of programs. I definitely recommend Hardening Linux by James Turnbull to anyone who installs and maintains Linux servers. The information packed in this book is easy to follow, and will help you configure your systems very securely. The additional insights into why the configurations are important is extremely valuable in its own right. This book belongs on any Linux sysadmin's bookshelf.
With the onslaught of malware in all its deviant forms, securing your Linux machine should be a high priority. Linux now has a plethora of tools and procedures to aid in this. But where can you start? Perhaps here. Turnbull tries to help you make sense of what you can do, where hopefully you already have some Linux sysadmin experience. He goes into considerable detail about many potential weaknesses. Consider, for example, having compilers on your machine. These are usually installed by default and available to any user. But if your users never compile, then it's worth removing the compilers, or restricting their usage to you alone. This is one of the crucial preventive steps recommended in the book. There are others. Though his description of immutable files is a trifle overstated. They 'cannot be written to by any user, even by the root user, regardless of their file permissions'. Immediately contradicted by the book showing how to change this attribute on a file. Thence, you as root can certainly alter or even delete it. The discussion of antispam methods is outdated. The descriptions of some do not go into their limitations. Like for Postfix, it is possible to check the Subject line of an email against a list of regular expressions, and reject any matches. This is a first generation antispam method, circa 1998. It has proved virtually useless against spammers. The problem is that a spammer can craft a Subject line so that the recipient (who is wetware) can recognise the meaning, while making it very hard for software, which has rigid rules, to detect it. There are two problems with the book mentioning the regexp filter. Firstly, you can waste a lot of your time writing those regexps to try to detect as much spam as possible. Plus the time to maintain and add more such rules, when your first tries prove inadequate. Secondly, there is the run time cost. The clock cycles spent on applying this filter are largely wasted.
If you get a lot of messages, this can affect the performance of your mail server. Remember that the more rules you have, the longer it takes, because you usually have to apply all of them to each message's header. Also, blacklists are discussed as another antispam method, for both sendmail and Postfix. But the application of the blacklists is limited and outdated. More powerful usages of blacklists now exist. And there is no description of using milter filters with sendmail, to fight spam. This has been a recent important enhancement of sendmail.