Linux Security Cookbook 131
Linux Security Cookbook | |
author | Daniel J. Barrett, Richard E. Silverman & Robert G. Byrnes |
pages | 311 |
publisher | O'Reilly |
rating | 9/10 |
reviewer | Charles McColm |
ISBN | 0596003919 |
summary | LSC covers a wide range of security issues from installing an intrusion detection system to detecting network intrusions. |
As the title suggests, LSC is a series of different Linux security "recipes." I found the cookbook-style of presentation both good and bad. Some recipes were a breeze to follow (such as the gpg recipes). Other recipes I felt could have been ordered a little better. The ipchains/iptables recipes in Chapter 2 are terrific, but I had to wait until the 19th recipe in the chapter to find out how to make the ipchains/iptables recipes stick. Though it makes sense to have saving a firewall configuration near the end of the chapter, I would have put the information after the first few recipes.
The only chapter that I glossed over was Chapter, "4 Authentication Techniques and Infrastructures." Chapter 4 covers Linux-PAM, OpenSSL and Kerberos. The chapter begins with a recipe for creating a PAM-Aware Application. I started to type in the C code but stopped a few lines from the end, it just didn't make sense for me to have this knowledge at this time. The introduction at the beginning of Chapter 4 is very good, but on the whole it is one of those chapters I've slotted for future reference. OpenSSH is discussed at the beginning of Chapter 4 but covered in more detail (an entire chapter) in Chapter 6.
The chapters I found most useful were those on intrusion detection systems (Chapter 1) and GPG (Chapters 7 & 8). Actually, I found almost all of LSC useful except the previously noted Chapter 4. Some of the software covered in the recipes are programs I've never heard of before, John the Ripper for example. Other recipes cover those programs I know I should check out (like Snort) but have never taken the time to.
LSC is for the most part very easy to follow. The authors have been very careful to mention when software (snort for example) might or might not be included and how to find and install it. I got tripped up a little in the first chapter (which covers tripwire), because I tried downloading and compiling the tripwire source found at the tripwire web site. I obtained the source from a couple of recommended sites. In one instance tripwire failed to compile correctly, in another it compiled but kept segfaulting when I tried to initialize the database. It wasn't until after I emailed O'Reilly that I saw mention further in Chapter 1 that tripwire is included with Red Hat Linux. One of the authors, Daniel J. Barrett, also emailed me to tell me that it was on the third CD - doh! The upside of this little tale is that I got to know aide (another intrusion detection system) a little better after I installed it on my Debian-based notebook.
I happen to think that computer books are overpriced. I have bought a number of $50-$90 computer books that ended up being doorstops after about a month and useless after a couple of years. Because of this experience I am a bit more stingy when shelling out for a computer book. Though I hate reading online documentation (I wear glasses and cannot stare at text on the screen for a long time), I have forced myself to read a lot more online documentation over the past year. This is one instance where I would be willing to shell out the $61.95 Canadian for a book. The Linux Security Cookbook covers a wide range of potential security problems and it presents its solutions such that each takes only a few minutes to implement.
I've saved what is actually covered in LSC for the end of this review. My intention in this review has been mainly to present my experience with LSC so that other members who are also still desktop users, or have never really been concerned with Linux security issues can take away the fact that despite a few sticking points I found this book to be a great source for information on different Linux security issues. For those concerned with the meat of the book, here's how it breaks down:
1. System Snapshots with Tripwire
2. Firewalls with iptables and ipchains
3. Network Access Control (xinetd, inetd, preventing DOS attacks)
4. Authentication Techniques and Infrastructures (PAM, SSL, Kerberos)
5. Authorization Controls (su and sudo)
6. Protecting Outgoing Network Connections (OpenSSH)
7. Protecting Files (permissions, GPG)
8. Protecting Email (all popular mail user agents, SSL and SSH)
9. Testing and Monitoring (Jack the Ripper, Cracklib, Snort, tcpdump, syslog)
You really need to have a good look at the table of contents to get an idea of all this book covers. I have written about it from a desktop-user standpoint, but there are so many recipes that I couldn't cover everything. There are many great code snippets that more advanced users would find useful.
If you don't have an intrusion detection system, need to grant some of your users limited root privileges, have been using the default firewall rules (or don't have a clue about iptables/ipchains), haven't checked your system for root kits or insecure protocols, then the Linux Security Cookbook should be at the top of your reading list.
You can purchase the Linux Security Cookbook from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
For more info (Score:5, Informative)
Info (Score:5, Informative)
Expert Recipes to Bolster Security
O'Reilly Releases "Linux Security Cookbook"
Sebastopol, CA--Recipes for security? The mere suggestion would raise a
few skeptical eyebrows among security experts. For computer security is
not a simple matter; it is, rather, an ongoing process, a relentless
contest between system administrators and intruders. A good
administrator needs to stay one step ahead of any adversaries, which
often involves a continuing process of education. But if you're well
grounded in the basics of security, you won't necessarily want a
complete treatise on the subject each time you pick up a book.
Sometimes you'll want to get straight to the point. That's exactly what
the new "Linux Security Cookbook" by Daniel J. Barrett, Richard E.
Silverman, and Robert G. Byrnes (O'Reilly, US $39.95) will help readers
do. Rather than provide a total security solution for Linux computers,
the authors present a series of easy-to-follow recipes--short, focused
pieces of code that administrators can use to improve security and
perform common tasks securely.
The "Linux Security Cookbook" is a repository of useful and important
recipes to be used within a well thought-out security policy. "Security
tools often have numerous options, configuration parameters, and so
forth, requiring the reader to dig through documentation," notes
coauthor Barrett. "The cookbook format provides a shortcut, presenting
the precise syntax needed for common, important security tasks."
"The 'Linux Security Cookbook' is accessible, without being simplistic,
which would be especially dangerous for security," adds Byrnes. "The
effectiveness of a security solution is only as good as the weakest
link.
"There's a vast literature dedicated to computer security, but that can
be daunting for anyone who is trying to find a way to get started,"
Byrnes adds. "There are also a lot of products that purport to offer
'security in a box,' but those never work because you can't just set up
a firewall or intrusion detection system and think that your security
problems are over. We offer specific recipes that are useful as both
standard operating procedure as well a learning tools, and we tell
people how to learn more."
The "Linux Security Cookbook" includes real solutions to a wide range
of targeted problems, such as sending encrypted email within Emacs,
restricting access to network services at particular times of day,
firewalling a web server, preventing IP spoofing, setting up key-based
SSH authentication, and much more. With more than 150 ready-to-use
scripts and configuration files, this unique book helps administrators
secure their systems without having to look up specific syntax.
The book begins with recipes devised to establish a secure system, then
moves on to secure day-to-day practices, and concludes with techniques
to help a system stay secure.
Some of the recipes in the "Linux Security Cookbook" are:
-Controlling access to your system at various levels, from your
firewall down to individual services, using iptables, ipchains, xinetd,
inetd, and more
-Monitoring your network with ethereal, dsniff, netstat, and other
tools
-Protecting network connections with SSH and SSL
-Detecting intrusions with tripwire, snort, tcpdump, logwatch, and more
-Securing authentication with cryptographic keys, Kerberos, and PAM,
and authorizing root privileges with sudo
-Encrypting files and email messages with GnuPG
-Probing your own security with password crackers, nmap, and handy
scripts
This cookbook's proven techniques are derived from hard-won experience.
Whether readers are responsible for security on a home Linux system or
for a large corporation, or somewhere in between, they'll find
valuable, to-the-point, practical recipes for dealing with everyday
security issues.
Praise for the "Linux Security Cookbook":
"An outsta
an ok book (Score:5, Informative)
Subscribe to list too (Score:5, Informative)
You can subscribe at here [onsight.com].
Re:Security isn't something you "cook" (Score:5, Informative)
Before you can stay up to date, you have to get up to date. This book helps.
and UNDERSTANDING the software you run,
So far I've found the explanations very thorough. You haven't read the book, I take it.
in addition to watching security related mailing lists and newsgroups.
This will let you know about holes in your software, but if your software isn't configured securely in the first place, it won't help you that much. Start with this book.
System administration isn't easy, that's why they make big dollars.
Hopefully the economy will recover soon, and that will be true again. In the mean time, there are a lot of talented sysadmins waiting tables because their unemployment benefits have run out.
Userlimits can stop this attack. (Score:3, Informative)
Paranoia (Score:3, Informative)
Notice the reminder at the end about physical security - generally you think of a box without network connections as being unhackable, but they were careful not to say that.
There will be some sections of the book I'll be skipping. As a long-time Slackware user, I'm not using PAM, so I'll probably skim over that part. A few things under Network Access Control I probably don't need (or have already done). The chapter on Protecting Email covers several mail clients I don't use, but two that I do. Most of the rest of the book looks VERY useful. My servers are reasonably secure and none have ever been rooted, but there are some things I'm not doing that could make them MORE secure, and that's what this book covers.
Re:Security isn't something you "cook" (Score:2, Informative)
BTW, I'm one of the authors. We would never claim that all of computer security can be reduced to a bunch of recipes, and because of this, we carefully set the scope of the book. Every security-related operation you perform should be consistent with a carefully-thought-out security policy.
Free chapters online (Score:4, Informative)
Re:bastille script More info and link (Score:3, Informative)
There is also some info out at Bastille-Linux Scripts to Secure Linux and HP-UX [sans.org]
Bastille + books better (Score:5, Informative)
If you want to do it right, you want to learn about how to secure your machine yourself. That means not being scared by coniguration files, and knowing how to use netstat on the command line to find the servers you're running, knowing what inetd or xinetd do, etc. bastille won't teach you that.
(I'm not dissing Bastille - it does exactly what it is supposed to do, but it's not a teacher, it's a tool.)
The only linux security books out there that are worth their salt are hacking linux exposed, 2nd edition [hackinglinuxexposed.com], followed by the Linux Firewalls, 2nd edition [linux-firewall-tools.com] book. The former doesn't have enough space to cover firewalls in enough depth, while the later fills that need perfectly.
If you want a lot of disjointed hacks, the recent O'Reilly hacks books are good fun. I learned a lot from the google hacks book, for example. However they are far from comprehensive (that's not their mandate) and this cookbook really should have been in the *hacks line. Their building secure servers with linux book falls into the same hole - it was based on linux journal entries, and is not a comprehensive security book.
If you want to learn about linux security in a complete fashion, HLE and LF are the only contenders.
(I'd also vote for the Linux Security [hackinglinuxexposed.com] newsletter which was meantioned below by an AC. Very good. Of course, it falls into the small tidbits of wisdom camp, rather than being a complete solution/education, but that's what you expect in a mailing list.)
Re:$50 for solid security... (Score:3, Informative)
But the sad fact is, security is the obverse of convenience. Security is going to be inconvenient in terms of hassles, time, or money. For the newbie or lazy, take the inconvenient spend-some-money route, and buy a good router. It's not perfect (nothing is), but it's a heck of a lot better than nothing. Personally I'm using a DLink router. (I'm not relying on it though).
Re:Did they show netstat? (Score:3, Informative)
Though more Linux-centric, I like
Nothing you couldn't get with netstat/ps, but it gives all the info I need in one location. Make sure you run it as root -- normal users won't have enough access rights to see all the processes otherwise.--Phil (I love jobs that let me indulge my paranoia)