Forgot your password?
typodupeerror
Security Books Media Software Book Reviews Linux

Linux Security Cookbook 131

Posted by timothy
from the paranoid-naked-chef dept.
Charles McColm writes "As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows. The truth is, I've never really paid much attention to Linux security, even on the Linux router I had running for a year. I always knew I should be concerned about security, but I never found a good starting point until I decided to review O'Reilly's Linux Security Cookbook (LSC)." Read on below for Charles' review.
Linux Security Cookbook
author Daniel J. Barrett, Richard E. Silverman & Robert G. Byrnes
pages 311
publisher O'Reilly
rating 9/10
reviewer Charles McColm
ISBN 0596003919
summary LSC covers a wide range of security issues from installing an intrusion detection system to detecting network intrusions.

As the title suggests, LSC is a series of different Linux security "recipes." I found the cookbook-style of presentation both good and bad. Some recipes were a breeze to follow (such as the gpg recipes). Other recipes I felt could have been ordered a little better. The ipchains/iptables recipes in Chapter 2 are terrific, but I had to wait until the 19th recipe in the chapter to find out how to make the ipchains/iptables recipes stick. Though it makes sense to have saving a firewall configuration near the end of the chapter, I would have put the information after the first few recipes.

The only chapter that I glossed over was Chapter, "4 Authentication Techniques and Infrastructures." Chapter 4 covers Linux-PAM, OpenSSL and Kerberos. The chapter begins with a recipe for creating a PAM-Aware Application. I started to type in the C code but stopped a few lines from the end, it just didn't make sense for me to have this knowledge at this time. The introduction at the beginning of Chapter 4 is very good, but on the whole it is one of those chapters I've slotted for future reference. OpenSSH is discussed at the beginning of Chapter 4 but covered in more detail (an entire chapter) in Chapter 6.

The chapters I found most useful were those on intrusion detection systems (Chapter 1) and GPG (Chapters 7 & 8). Actually, I found almost all of LSC useful except the previously noted Chapter 4. Some of the software covered in the recipes are programs I've never heard of before, John the Ripper for example. Other recipes cover those programs I know I should check out (like Snort) but have never taken the time to.

LSC is for the most part very easy to follow. The authors have been very careful to mention when software (snort for example) might or might not be included and how to find and install it. I got tripped up a little in the first chapter (which covers tripwire), because I tried downloading and compiling the tripwire source found at the tripwire web site. I obtained the source from a couple of recommended sites. In one instance tripwire failed to compile correctly, in another it compiled but kept segfaulting when I tried to initialize the database. It wasn't until after I emailed O'Reilly that I saw mention further in Chapter 1 that tripwire is included with Red Hat Linux. One of the authors, Daniel J. Barrett, also emailed me to tell me that it was on the third CD - doh! The upside of this little tale is that I got to know aide (another intrusion detection system) a little better after I installed it on my Debian-based notebook.

I happen to think that computer books are overpriced. I have bought a number of $50-$90 computer books that ended up being doorstops after about a month and useless after a couple of years. Because of this experience I am a bit more stingy when shelling out for a computer book. Though I hate reading online documentation (I wear glasses and cannot stare at text on the screen for a long time), I have forced myself to read a lot more online documentation over the past year. This is one instance where I would be willing to shell out the $61.95 Canadian for a book. The Linux Security Cookbook covers a wide range of potential security problems and it presents its solutions such that each takes only a few minutes to implement.

I've saved what is actually covered in LSC for the end of this review. My intention in this review has been mainly to present my experience with LSC so that other members who are also still desktop users, or have never really been concerned with Linux security issues can take away the fact that despite a few sticking points I found this book to be a great source for information on different Linux security issues. For those concerned with the meat of the book, here's how it breaks down:

1. System Snapshots with Tripwire
2. Firewalls with iptables and ipchains
3. Network Access Control (xinetd, inetd, preventing DOS attacks)
4. Authentication Techniques and Infrastructures (PAM, SSL, Kerberos)
5. Authorization Controls (su and sudo)
6. Protecting Outgoing Network Connections (OpenSSH)
7. Protecting Files (permissions, GPG)
8. Protecting Email (all popular mail user agents, SSL and SSH)
9. Testing and Monitoring (Jack the Ripper, Cracklib, Snort, tcpdump, syslog)

You really need to have a good look at the table of contents to get an idea of all this book covers. I have written about it from a desktop-user standpoint, but there are so many recipes that I couldn't cover everything. There are many great code snippets that more advanced users would find useful.

If you don't have an intrusion detection system, need to grant some of your users limited root privileges, have been using the default firewall rules (or don't have a clue about iptables/ipchains), haven't checked your system for root kits or insecure protocols, then the Linux Security Cookbook should be at the top of your reading list.


You can purchase the Linux Security Cookbook from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

Linux Security Cookbook

Comments Filter:
  • bastille script (Score:5, Interesting)

    by stonebeat.org (562495) on Tuesday July 22, 2003 @01:36PM (#6501415) Homepage
    if you really wanna learn about securing linux, looking at the bastille script for securing linux is a good idea. you can go through the scrit and see what checks are being performed and things like that.
    • For those of you who aren't familiar with Bastille, check out it site at Bastille Linux site [bastille-linux.org] They have links for Redhat, Debian distors as well as HP-UX and Mac OS X.
      There is also some info out at Bastille-Linux Scripts to Secure Linux and HP-UX [sans.org]
    • by Ubl (663671) on Tuesday July 22, 2003 @03:03PM (#6502339)
      Bastille is a great tool, but it's no match for understanding what you're doing. It has really nice explanations of all the things it could do, but it doesn't actuall yshow you how to do them. Also, it doesn't do well with non-recent installs, and if you end up installing software later that could have been modified by bastille, it's too late to change the config.

      If you want to do it right, you want to learn about how to secure your machine yourself. That means not being scared by coniguration files, and knowing how to use netstat on the command line to find the servers you're running, knowing what inetd or xinetd do, etc. bastille won't teach you that.

      (I'm not dissing Bastille - it does exactly what it is supposed to do, but it's not a teacher, it's a tool.)

      The only linux security books out there that are worth their salt are hacking linux exposed, 2nd edition [hackinglinuxexposed.com], followed by the Linux Firewalls, 2nd edition [linux-firewall-tools.com] book. The former doesn't have enough space to cover firewalls in enough depth, while the later fills that need perfectly.

      If you want a lot of disjointed hacks, the recent O'Reilly hacks books are good fun. I learned a lot from the google hacks book, for example. However they are far from comprehensive (that's not their mandate) and this cookbook really should have been in the *hacks line. Their building secure servers with linux book falls into the same hole - it was based on linux journal entries, and is not a comprehensive security book.

      If you want to learn about linux security in a complete fashion, HLE and LF are the only contenders.

      (I'd also vote for the Linux Security [hackinglinuxexposed.com] newsletter which was meantioned below by an AC. Very good. Of course, it falls into the small tidbits of wisdom camp, rather than being a complete solution/education, but that's what you expect in a mailing list.)

  • by cxreg (44671) on Tuesday July 22, 2003 @01:38PM (#6501429) Homepage Journal
    Sure you can learn a few tricks about current versions of software, but that's no substitute for staying up to date and UNDERSTANDING the software you run, in addition to watching security related mailing lists and newsgroups.

    System administration isn't easy, that's why they make big dollars.
    • I think that you mean "security consultants" by "system administration" because the admins who work for a fixed company do not make that much money.
    • by Mu*puppy (464254) on Tuesday July 22, 2003 @01:57PM (#6501649)
      System administration isn't easy, that's why they make big dollars.

      Tell that to my IT manager, my wallet sure doesn't agree... ;)

      So long as everything's going well, you're 'not doing anything productive' by searching around the web checking said mailing lists and newsgroups, so you get pulled off to work on Pet Project Y for Manager T. Then, when the shit hits the fan, suddenly it's 'Well, why weren't we prepared for each and everything that could possibly happen??' Go fig'.

      But hey, at least I don't have to do end-user tech support any more...

    • by Phroggy (441) * <slashdot3&phroggy,com> on Tuesday July 22, 2003 @02:03PM (#6501717) Homepage
      Sure you can learn a few tricks about current versions of software, but that's no substitute for staying up to date

      Before you can stay up to date, you have to get up to date. This book helps.

      and UNDERSTANDING the software you run,

      So far I've found the explanations very thorough. You haven't read the book, I take it.

      in addition to watching security related mailing lists and newsgroups.

      This will let you know about holes in your software, but if your software isn't configured securely in the first place, it won't help you that much. Start with this book.

      System administration isn't easy, that's why they make big dollars.

      Hopefully the economy will recover soon, and that will be true again. In the mean time, there are a lot of talented sysadmins waiting tables because their unemployment benefits have run out.
    • You're right that security itself is not a cookbook topic. However, there are many security-related tasks that can indeed be written as recipes: generating a public/private key pair, setting up Emacs to use mailcrypt for encrypted email, locating local user accounts that have no password, running dsniff, etc. These tasks are the focus of the book, from the simple to the complex, and this philosophy is spelled out in the Preface (and on the back cover).

      BTW, I'm one of the authors. We would never claim that

    • I don't think system administrators are the target audience of this book. I don't have the time, inclination, or skill to become a system administrator - does that mean I shouldn't think about security at all, or hire a system administrator to secure my 3-computer home network? Although I don't have this book, I have a few like it - and they serve their purpose; allowing me to set up a home network and prevent script kiddies from running eggdrop off my DSL connection (which is the rude awakening I got in
    • I totally agree, and so do the authors of this book:

      "Let's get one thing straight: this book is absolutely not a total security solution for your Linux computers. Don't even think it."

      "....this book won't teach you security, but it will demonstrate helpful solutions to targeted problems, guiding you to close common security holes, and saving you the trouble of looking up specific syntax."
  • For more info (Score:5, Informative)

    by dr_dank (472072) on Tuesday July 22, 2003 @01:39PM (#6501438) Homepage Journal
    Check out Hacking Linux Exposed [amazon.com]. Its well worth the read and makes an excellent reference.
  • by packethead (322873) on Tuesday July 22, 2003 @01:41PM (#6501456)
    All you need to do is disable telnet in inetd, right?

    If they can't log in, you're fine.... Matthew Broderick would have never been asked to "play a Game" if they'd just locked down telnet.

  • Info (Score:5, Informative)

    by vasqzr (619165) <vasqzr@nets c a p e .net> on Tuesday July 22, 2003 @01:43PM (#6501475)

    Expert Recipes to Bolster Security
    O'Reilly Releases "Linux Security Cookbook"

    Sebastopol, CA--Recipes for security? The mere suggestion would raise a
    few skeptical eyebrows among security experts. For computer security is
    not a simple matter; it is, rather, an ongoing process, a relentless
    contest between system administrators and intruders. A good
    administrator needs to stay one step ahead of any adversaries, which
    often involves a continuing process of education. But if you're well
    grounded in the basics of security, you won't necessarily want a
    complete treatise on the subject each time you pick up a book.
    Sometimes you'll want to get straight to the point. That's exactly what
    the new "Linux Security Cookbook" by Daniel J. Barrett, Richard E.
    Silverman, and Robert G. Byrnes (O'Reilly, US $39.95) will help readers
    do. Rather than provide a total security solution for Linux computers,
    the authors present a series of easy-to-follow recipes--short, focused
    pieces of code that administrators can use to improve security and
    perform common tasks securely.

    The "Linux Security Cookbook" is a repository of useful and important
    recipes to be used within a well thought-out security policy. "Security
    tools often have numerous options, configuration parameters, and so
    forth, requiring the reader to dig through documentation," notes
    coauthor Barrett. "The cookbook format provides a shortcut, presenting
    the precise syntax needed for common, important security tasks."

    "The 'Linux Security Cookbook' is accessible, without being simplistic,
    which would be especially dangerous for security," adds Byrnes. "The
    effectiveness of a security solution is only as good as the weakest
    link.

    "There's a vast literature dedicated to computer security, but that can
    be daunting for anyone who is trying to find a way to get started,"
    Byrnes adds. "There are also a lot of products that purport to offer
    'security in a box,' but those never work because you can't just set up
    a firewall or intrusion detection system and think that your security
    problems are over. We offer specific recipes that are useful as both
    standard operating procedure as well a learning tools, and we tell
    people how to learn more."

    The "Linux Security Cookbook" includes real solutions to a wide range
    of targeted problems, such as sending encrypted email within Emacs,
    restricting access to network services at particular times of day,
    firewalling a web server, preventing IP spoofing, setting up key-based
    SSH authentication, and much more. With more than 150 ready-to-use
    scripts and configuration files, this unique book helps administrators
    secure their systems without having to look up specific syntax.

    The book begins with recipes devised to establish a secure system, then
    moves on to secure day-to-day practices, and concludes with techniques
    to help a system stay secure.

    Some of the recipes in the "Linux Security Cookbook" are:

    -Controlling access to your system at various levels, from your
    firewall down to individual services, using iptables, ipchains, xinetd,
    inetd, and more
    -Monitoring your network with ethereal, dsniff, netstat, and other
    tools
    -Protecting network connections with SSH and SSL
    -Detecting intrusions with tripwire, snort, tcpdump, logwatch, and more
    -Securing authentication with cryptographic keys, Kerberos, and PAM,
    and authorizing root privileges with sudo
    -Encrypting files and email messages with GnuPG
    -Probing your own security with password crackers, nmap, and handy
    scripts

    This cookbook's proven techniques are derived from hard-won experience.
    Whether readers are responsible for security on a home Linux system or
    for a large corporation, or somewhere in between, they'll find
    valuable, to-the-point, practical recipes for dealing with everyday
    security issues.

    Praise for the "Linux Security Cookbook":

    "An outsta
  • an ok book (Score:5, Informative)

    by xyloplax (607967) on Tuesday July 22, 2003 @01:46PM (#6501518)
    LSC is okay as security books go, but there are other options of course. My favorite security manual (though distro-specific) has been the Debian security manual [debian.org] as it is both comprehensive, informative and relatively easy to follow; the author of that should consider writing a more general book. The various Maximum ______ Security by Anonymous are pretty good too. The O'Reilly yellow series is great. However, nothing beats those plus reading RFCs, subscribing to security lists, chatting on IRC with security folks (of any hat color), reading usenet, and analyzing packet dumps and Snort rulesets yourself.
  • Syslog (Score:3, Insightful)

    by HogGeek (456673) on Tuesday July 22, 2003 @01:48PM (#6501548)
    While the syslog() facitlity is an important tool in security, not to mention system administration, the syslog program leaves a lot to be desired.

    I wish these type of books, and other SA topical publications would start introducing the users to Syslog-ng [balabit.hu]

    Of course, that's just my opinion. I could be wrong...

  • by GillBates0 (664202) on Tuesday July 22, 2003 @01:51PM (#6501579) Homepage Journal
    The only chapter that I glossed over was Chapter, ... The chapter begins with a recipe for creating a PAM-Aware Application. I started to type in the C code but stopped a few lines from the end, it just didn't make sense for me to have this knowledge at this time.

    You were right in taking the material with a pinch of salt.

    LSC is for the most part very easy to follow.

    In other words, it was a piece of cake.

    Because of this experience I am a bit more stingy when shelling out for a computer book. This is one instance where I would be willing to shell out the $61.95 Canadian for a book.

    You obviously knew which side your bread was buttered on.

    The Linux Security Cookbook covers a wide range of potential security problems and it presents its solutions such that each takes only a few minutes to implement.I found this book to be a great source for information on different Linux security issues.

    So all in all, you cut the cake and ate it too.

  • by photon317 (208409) on Tuesday July 22, 2003 @01:51PM (#6501580)

    I'd think before you even start messing with all the other things you say they do, the most fundamental step in securing your linux box is to type "netstat -anp|grep LISTEN", and be able to account for every line you see. Know what process is listening to what ports on what interfaces, and why, and ask yourself whether the ones which seem to be facing the broader internet should be. Disable various services from your startup scripts and/or modify config files as neccesary until it you get it down to where it should be. This is the most basic of security measures against network-based attacks, and one often not even looked at by people who try many other more complicated methods of securing the system.
    • by Anonymous Coward
      Just hope your netstat binary isn't tainted.
    • Hey, you just reverse-engineered recipe 9.14, "Examining Local Network Activities," page 226. I'm going to have to tell O'Reilly to sue you under the DMCA. :-)
    • Though more Linux-centric, I like

      lsof -i | grep LISTEN
      Nothing you couldn't get with netstat/ps, but it gives all the info I need in one location. Make sure you run it as root -- normal users won't have enough access rights to see all the processes otherwise.

      --Phil (I love jobs that let me indulge my paranoia)
  • n00bs? (Score:4, Interesting)

    by niko9 (315647) on Tuesday July 22, 2003 @01:51PM (#6501588)
    Is this book a good start for a newbie???

    If not, any suggestions?
  • by xtrucial (674445) on Tuesday July 22, 2003 @01:53PM (#6501614)
    When I installed Gentoo awhile back, it left two or three ports open, and everything else was sealed. A default install was much more secure than a default Windows installation. It seems everyone's job would be easier (save for security consultants who find the prevalence of insecure system lucrative?) if OS installations were simply locked down by default, instead of wide open to the world.
    • MS did this in Windows 2003 Server. Everything is off by default and you have to turn it on to get stuff to work.
    • also, Gentoo's security howto is very easy to understand, if you need to do more than the default. I know this is not a thread for Gentoo (I already yanked my own karma bonus so no need to mod me offtopic), but it is the best thing I've found for the semi-Linux-literate who just want to run an all purpose SOHO server with web-serving capability and not wrench around on it constantly. Gentoo's ports system makes it way easy to keep the patches for services running on outside-accessible ports up 100% to dat
  • But... (Score:2, Funny)

    by xNoLaNx (653172)
    ..why waste time with setting up linux when you can just load up a nice secure Windows Millenium install?
    • WinMe actually is very secure, there is so little time between blue screens that it's near impossible for anyone to get in.
  • by Joey Vegetables (686525) on Tuesday July 22, 2003 @02:06PM (#6501743) Journal

    As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows. The truth is, I've never really paid much attention to Linux security

    Linux is more secure than Windows in many ways, but no operating system is inherently secure, especially if you don't pay much attention to security.

    Picture this: you're on a private subnet, behind a firewall that allows only outbound connections, and NAT to boot. You run no services, so there's no way for a cracker to reach you. Right?

    BZZT!!! Unbeknownst to you, someone found a hole in your IRC client. When you went online, they 0wned your box and quickly installed a rootkit that "phones home" when your router's dynamic IP address decides to change. Your machine now serves warez and kiddie porn, but you didn't know that. Of course, the FBI doesn't believe you, and sends you to federal "pound me in the ass" prison.

    Sound far-fetched?

    Every single one of those things has happened.

    Using Linux just makes it a little harder for the crackers. Not impossible. And it can't make it impossible, because even if Linux itself were perfect, a single remote root exploit in any piece of network client software is all it takes.

    If you own or use a computer that is at least sometimes connected to the Internet, or to a local network, security is your job.

  • Slackware (Score:4, Interesting)

    by fudgefactor7 (581449) on Tuesday July 22, 2003 @02:11PM (#6501786)
    For us Slack users, although this is a bit old, it's still pretty valuable, check this [c2i2.com] out. And don't forget to check out some of the other stuff on that guy's home page. [c2i2.com]
    • I really need to finish the one for 9.0. There are not too many changes (line numbers in the rc.scripts, logrotate, etc), but verifying everything else is time consuming. Eventually I'll get around to finishing documenting the whole thing. I'm about a third of the way through it now. My only problem is I hate to write. ;)

      I taught an Installing and Using Linux class at a community college over the summer. The last class I did was on security. I spent the last half hour explaining what I do in that do

  • Nobody mentioned the great value of nmap [insecure.org] yet? Geez, yer all getting sloppy.
  • So Useless? (Score:1, Funny)

    by Anonymous Coward
    "I have bought a number of $50-$90 computer books that ended up being doorstops after about a month and useless after a couple of years."

    Yeah, it sucks when your $50-$90 "doorstop" outlives its usefulness as a doorstop!
  • Paranoia (Score:3, Informative)

    by Phroggy (441) * <slashdot3&phroggy,com> on Tuesday July 22, 2003 @02:33PM (#6502013) Homepage
    I've only just started reading this book, but one of the things I appreciate in the first chapter (about Tripwire) is the way they discuss various levels of paranoia - with each level being more secure, but more cumbersome or expensive to implement. Seeing all these different example setups, and the reasons WHY you might want to do it that way, definitely got me thinking.

    1.8: Expensive, Ultra-Paranoid Security Checking

    Problem
    You want highly secure integrity checks and are willing to shell out additional money for them.

    Solution
    Store your files on a dual-ported disk array. Mount the disk array read-only on a second, trusted machine that has no network connection. Run your Tripwire scans on the second machine.

    Discussion
    A dual-ported disk array permits two machines to access the same physical disk. If you've got money to spare for increased security, this might be a reasonable approach to securing Tripwire.

    Once again, let trippy be your machine in need of Tripwire scans. trusty is a highly secure second machine, built directly from trusted source or binary packages with all necessary security patches applied, that has no network connection and never has been accessible to third parties.

    trippy's primary storage is kept on a dual-ported disk array. Mount this array in trusty read-only. Perform all Tripwire-related operations on trusty: initializing the database, running integrity checks, and so forth. The Tripwire database, binaries, keys, policy, and configuration are likewise kept on trusty. Since trusty is inaccessible via any network, your Tripwire checks will be as reliable as the physical security of trusty.


    Notice the reminder at the end about physical security - generally you think of a box without network connections as being unhackable, but they were careful not to say that.

    There will be some sections of the book I'll be skipping. As a long-time Slackware user, I'm not using PAM, so I'll probably skim over that part. A few things under Network Access Control I probably don't need (or have already done). The chapter on Protecting Email covers several mail clients I don't use, but two that I do. Most of the rest of the book looks VERY useful. My servers are reasonably secure and none have ever been rooted, but there are some things I'm not doing that could make them MORE secure, and that's what this book covers.
  • by Junks Jerzey (54586) on Tuesday July 22, 2003 @02:45PM (#6502160)
    As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows

    If you have someone who is paranoid about security in charge of a system, then that system will inherently be more secure than one run by someone who doesn't think as much about it. With so many Linux users blindly downloading sofware and installing it as root...now there's a massive security hole in itself. If security is your angle, you avoid that as much as possible.
  • Free chapters online (Score:4, Informative)

    by maiden_taiwan (516943) on Tuesday July 22, 2003 @02:46PM (#6502185)
    Free recipes from Linux Security Cookbook are online:

  • Bad assumption (Score:4, Insightful)

    by jpmorgan (517966) on Tuesday July 22, 2003 @03:00PM (#6502321) Homepage
    As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows.

    While this may have been true 5 or so years ago, it's not anymore (in some technical respects the reverse is arguable - see ACLs, access control to kernel objects, trusted path/trusted computing base, etc...), these days security in Linux and Windows is all about process and mindset, as is true of any complex system.

    This really is the kind of attitude that is going to really hurt the Linux community in the future. If/when we start to see a sizable number of people using Linux on the desktop, this assumption that Linux is 'inherantly' secure (totally false) could lead to almost the same kind of security nightmare that we saw in Windows-land until recently (arguably, we're still seeing it:).

    • While this may have been true 5 or so years ago,

      It wasn't even true 5 years ago. Then I was running RH4 and NT boxen with "security through obscurity" (eg. trusting defaults) and the first thing hacked was Apache on Red Hat. My NT never was.

      • I would suggest that in the situation you describe, both were probably hacked if they were available via public networks. It is often easier to determine that the unix-like box has been broken into because care and feeding of a unix-like machine requires a more intimate interaction with the machine. Also the abundance of logging available in unix-like systems makes an intrusion easier to detect.

        A windows box might function perfectly normally after it has been comprmised. It is very easy to miss a wrom w

  • Starts with 'format c:' and ends with http://www.openbsd.org/ [openbsd.org]

    - Mod me down, I dare you, geek...

  • ..is a nice Linksys router.

    Open only the ports you need and make sure the software running on them is secure.

    Ben
    • A lot of people seem to think that no one should be administering a machine unless they are experts at it. Unfortunately, anyone who runs a computer at home is the administrator, like it or not. So security needs to be made simple enough for your mom to do. Especially if you decided to be l33t and gave her a Walmart special with Lindows preinstalled.

      But the sad fact is, security is the obverse of convenience. Security is going to be inconvenient in terms of hassles, time, or money. For the newbie or lazy,
    • a nice Linksys router.

      Open only the ports you need and make sure the software running on them is secure.


      This is a naive and misleading suggestion. First, you cannot "make sure" any software is "secure." Second, this does not address the myriad vulnerabilities inherent in the software people run every day which are not network servers: mail readers vulnerable to viruses, web browsers vulnerable to many kinds of malicious content, etc. For both these reasons and more, security must be a multi-level, ong
    • ... and don't forget to change the 'Admin' password :)
  • ...I have always taken it for granted that Linux is inherently more secure than Microsoft Windows. The truth is, I've never really paid much attention to Linux security...

    Man if that doesnt sum up the joe slashdot attitude.

  • that claim to know about "plenty of Linux and Solaris boxes get hacked because of incompetent or uncaring IT people".

    If they are really so knowledgeable, why don't they use their names? And why must anybody that disagrees with thier opinion be a zealot?

    Linux is inherently more secure. Thats a fact.

    Windows is inherently easier to use. Thats a fact. (think about it...windows is generated for the absolute lowest common denominator. They are designed for idiots. Microsoft wants an idiot to be able t

  • the topics covered in this book are typical and there is not much new unique material inside.. it is more valuable (not to mention free) to spend a few days reading linux security howtos, mailing lists and manpages.

COBOL is for morons. -- E.W. Dijkstra

Working...