Computer security is an ongoing process, a relentless contest between system administrators and intruders. A good administrator needs to stay one step ahead of any adversaries, which often involves a continuing process of education. If you're grounded in the basics of security, however, you won't necessarily want a complete treatise on the subject each time you pick up a book. Sometimes you want to get straight to the point. That's exactly what the new Linux Security Cookbook does. Rather than provide a total security solution for Linux computers, the authors present a series of easy-to-follow recipes: short, focused pieces of code that administrators can use to improve security and perform common tasks securely.
The Linux Security Cookbook includes real solutions to a wide range of targeted problems, such as sending encrypted email within Emacs, restricting access to network services at particular times of day, firewalling a webserver, preventing IP spoofing, setting up key-based SSH authentication, and much more. With over 150 ready-to-use scripts and configuration files, this unique book helps administrators secure their systems without having to look up specific syntax. The book begins with recipes devised to establish a secure system, then moves on to secure day-to-day practices, and concludes with techniques to help your system stay secure.
Some of the "recipes" you'll find in this book are:
Controlling access to your system from firewalls down to individual services, using iptables, ipchains, xinetd, inetd, and more
Monitoring your network with tcpdump, dsniff, netstat, and other tools
Protecting network connections with Secure Shell (SSH) and stunnel
Safeguarding email sessions with Secure Sockets Layer (SSL)
Encrypting files and email messages with GnuPG
Probing your own security with password crackers, nmap, and handy scripts
This cookbook's proven techniques are derived from hard-won experience. Whether you're responsible for security on a home Linux system or for a large corporation, or somewhere in between, you'll find valuable, to-the-point, practical recipes for dealing with everyday security issues. This book is a system saver.
Chapter 1 System Snapshots with Tripwire
Setting Up Tripwire
Displaying the Policy and Configuration
Modifying the Policy and Configuration
Basic Integrity Checking
Read-Only Integrity Checking
Remote Integrity Checking
Ultra-Paranoid Integrity Checking
Expensive, Ultra-Paranoid Security Checking
Automated Integrity Checking
Printing the Latest Tripwire Report
Updating the Database
Adding Files to the Database
Excluding Files from the Database
Checking Windows VFAT Filesystems
Verifying RPM-Installed Files
Integrity Checking with rsync
Integrity Checking Manually
Chapter 2 Firewalls with iptables and ipchains
Enabling Source Address Verification
Blocking Spoofed Addresses
Blocking All Network Traffic
Blocking Incoming Traffic
Blocking Outgoing Traffic
Blocking Incoming Service Requests
Blocking Access from a Remote Host
Blocking Access to a Remote Host
Blocking Outgoing Access to All Web Servers on a Network
Blocking Remote Access, but Permitting Local
Controlling Access by MAC Address
Permitting SSH Access Only
Prohibiting Outgoing Telnet Connections
Protecting a Dedicated Server
Listing Your Firewall Rules
Deleting Firewall Rules
Inserting Firewall Rules
Saving a Firewall Configuration
Loading a Firewall Configuration
Testing a Firewall Configuration
Building Complex Rule Trees
Chapter 3 Network Access Control
Listing Your Network Interfaces
Starting and Stopping the Network Interface
Enabling/Disabling a Service (xinetd)
Enabling/Disabling a Service (inetd)
Adding a New Service (xinetd)
Adding a New Service (inetd)
Restricting Access by Remote Users
Restricting Access by Remote Hosts (xinetd)
Restricting Access by Remote Hosts (xinetd with libwrap)
Restricting Access by Remote Hosts (xinetd with tcpd)
Restricting Access by Remote Hosts (inetd)
Restricting Access by Time of Day
Restricting Access to an SSH Server by Host
Restricting Access to an SSH Server by Account
Restricting Services to Specific Filesystem Directories
Preventing Denial of Service Attacks
Redirecting to Another Socket
Logging Access to Your Services
Prohibiting root Logins on Terminal Devices
Chapter 4 Authentication Techniques and Infrastructures
Creating a PAM-Aware Application
Enforcing Password Strength with PAM
Creating Access Control Lists with PAM
Validating an SSL Certificate
Decoding an SSL Certificate
Installing a New SSL Certificate
Generating an SSL Certificate Signing Request (CSR)
Creating a Self-Signed SSL Certificate
Setting Up a Certifying Authority
Converting SSL Certificates from DER to PEM
Getting Started with Kerberos
Adding Users to a Kerberos Realm
Adding Hosts to a Kerberos Realm
Using Kerberos with SSH
Using Kerberos with Telnet
Securing IMAP with Kerberos
Using Kerberos with PAM for System-Wide Authentication
Chapter 5 Authorization Controls
Running a root Login Shell
Running X Programs as root
Running Commands as Another User via sudo
Bypassing Password Authentication in sudo
Forcing Password Authentication in sudo
Authorizing per Host in sudo
Granting Privileges to a Group via sudo
Running Any Program in a Directory via sudo
Prohibiting Command Arguments with sudo
Sharing Files Using Groups
Permitting Read-Only Access to a Shared File via sudo
Authorizing Password Changes via sudo
Starting/Stopping Daemons via sudo
Restricting root's Abilities via sudo
Killing Processes via sudo
Listing sudo Invocations
Logging sudo Remotely
Sharing root Privileges via SSH
Running root Commands via SSH
Sharing root Privileges via Kerberos su
Chapter 6 Protecting Outgoing Network Connections
Logging into a Remote Host
Invoking Remote Programs
Copying Files Remotely
Authenticating by Public Key (OpenSSH)
Authenticating by Public Key (OpenSSH Client, SSH2 Server, OpenSSH Key)
Authenticating by Public Key (OpenSSH Client, SSH2 Server, SSH2 Key)
Authenticating by Public Key (SSH2 Client, OpenSSH Server)
Authenticating by Trusted Host
Authenticating Without a Password (Interactively)
Authenticating in cron Jobs
Terminating an SSH Agent on Logout
Tailoring SSH per Host
Changing SSH Client Defaults
Tunneling Another TCP Session Through SSH
Keeping Track of Passwords
Chapter 7 Protecting Files
Using File Permissions
Securing a Shared Directory
Prohibiting Directory Listings
Encrypting Files with a Password
Setting Up GnuPG for Public-Key Encryption
Listing Your Keyring
Setting a Default Key
Sharing Public Keys
Adding Keys to Your Keyring
Encrypting Files for Others
Signing a Text File
Signing and Encrypting Files
Creating a Detached Signature File
Checking a Signature
Printing Public Keys
Backing Up a Private Key
Adding Your Key to a Keyserver
Uploading New Signatures to a Keyserver
Obtaining Keys from a Keyserver
Revoking a Key
Maintaining Encrypted Files with Emacs
Maintaining Encrypted Files with vim
Using PGP Keys with GnuPG
Chapter 8 Protecting Email
Encrypted Mail with Emacs
Encrypted Mail with vim
Encrypted Mail with Pine
Encrypted Mail with Mozilla
Encrypted Mail with Evolution
Encrypted Mail with mutt
Encrypted Mail with elm
Encrypted Mail with MH
Running a POP/IMAP Mail Server with SSL
Testing an SSL Mail Connection
Securing POP/IMAP with SSL and Pine
Securing POP/IMAP with SSL and mutt
Securing POP/IMAP with SSL and Evolution
Securing POP/IMAP with stunnel and SSL
Securing POP/IMAP with SSH
Securing POP/IMAP with SSH and Pine
Receiving Mail Without a Visible Server
Using an SMTP Server from Arbitrary Clients
Chapter 9 Testing and Monitoring
Testing Login Passwords (John the Ripper)
Testing Login Passwords (CrackLib)
Finding Accounts with No Password
Finding Superuser Accounts
Checking for Suspicious Account Use
Checking for Suspicious Account Use, Multiple Systems
Dan Barrett has been immersed in Internet technology since 1985. Currently working as a software engineer, Dan has also been a heavy metal singer, Unix system administrator, university lecturer, web designer, and humorist. He has written several O'Reilly books, as well as monthly columns for Compute! and Keyboard Magazine. Dan and his family reside in Boston.
Richard E. Silverman has a B.A. in computer science and an M.A. in pure mathematics. Richard has worked in the fields of networking, formal methods in software development, public-key infrastructure, routing security, and Unix systems administration. He is the co-author of SSH, The Secure Shell: The Definitive Guide.
Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects. Jane Ellin was the production editor and copyeditor for Linux Security Cookbook. Phil Dangler and Mary Brady provided quality control. Jaime Peppard provided production support. Ellen Troutman-Zaig wrote the index.
Hanna Dyer designed the cover of this book, based on a series design by herself and Edie Freedman. The cover image of a campfire scene is a 19th-century engraving from American West. Emma Colby produced the cover layout with QuarkXPress 4.1 using Adobe's ITC Garamond font.
David Futato designed the interior layout. Robert Romano chose the chapter opening images, which are from the Dover Pictorial Archive, Marvels of the New West: A Vivid Portrayal of the Stupendous Marvels in the Vast Wonderland West of the Missouri River, by William Thayer (The Henry Bill Publishing Co., 1888), and The Pioneer History of America: A Popular Account of the Heroes and Adventures, by Augustus Lynch Mason, A.M. (The Jones Brothers Publishing Company, 1884). This book was prepared in FrameMaker 5.5.6 by Andrew Savikas. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in the book were produced by Robert Romano and Jessamyn Read using Macromedia FreeHand 9 and Adobe Photoshop 6. The tip and warning icons were drawn by Christopher Bing.
Security is one of the most important words in computing today. A standard install of a modern distro is relatively secure "out of the box". With all the bad guys out there, certain extra steps should be taken towards increasing the security of your Linux box. There is also a fine line between good enough, too strict, convenience, and other variables. The authors have taken all this into consideration. The situations encountered by the home desktop user all the way to the veteran System Admin are covered. Be sure to read the Preface to this book. It could be a real eye-opener.
Linux Security Cookbook will not teach you everything you need to know about security. In the tradition of the cookbook format, the authors have provided concise, bloat free, and easy to understand recipes. The pros and cons of each recipe are carefully explained. With over 150 file configurations and scripts, there is something for everyone.
In Chapter 1 the focus is on system security and Tripwire, one of the best known system integrity checkers. Tripwire takes a snapshot of your system files that can be compared to the current state of the system. You'll learn how to set up the policy and database, and how to keep Tripwire itself from being compromised.
Chapters 2, 3, and 4 cover internet and network security, from firewalls to network authorisation to user policies, authentication, and permissions. You will also learn how to protect your email and web site.
Chapters 5 and 6 give a more in-depth treatment of user permissions regarding sudo, file sharing, SSH, and associated tools.
Chapters 7 and 8 should be given special consideration by home users. The main topics covered in the two chapters are email and file security. You will learn about setting the correct permissions and encrypting files and email using GPG. There are also some great recipes for securing several different email clients.
Chapter 9 should be paid careful attention by every user. Now that you have secured your Linux box and network, you should regularly monitor and test it. Tools and techniques in the following areas are covered: logins and passwords, filesystems, networking, and logging. This chapter finishes with information on recovering a hacked system and filing an incident report with the appropriate authorities. Chapter 9 can be downloaded as a PDF file: http://www.oreilly.com/catalog/linuxsckbk/chapter/ch09.pdf
The authors have done a great job providing security recipes covering a wide range of tools and techniques. In today's computing environment securing your system and network is a must. The Linux Security Cookbook is highly recommended and once you obtain a copy it will become your standard reference for security matters.
Many thanks to O'Reilly for providing a copy of Linux Security Cookbook to USALUG's Book Review Group.
Originally Posted: http://usalug.org/phpBB2/viewtopic.php?t=5281
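The snapshot-and-compare idea the review above describes is what every integrity checker does underneath: record a hash per file on a trusted system, then later hash the same tree again and diff the two lists. The following is an added example in POSIX shell, not a recipe from the book and not Tripwire itself. It assumes coreutils (sha256sum, find, sort, join, awk, mktemp) and paths without whitespace; the directory and file names in the usage comments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the book): a minimal "manual" file-integrity check.
# snapshot() records one hash per regular file under a directory;
# verify() compares two snapshots and reports ADDED, REMOVED and CHANGED paths.
# Assumes POSIX sh plus coreutils and paths without whitespace or newlines.

# snapshot DIR OUTFILE
# Writes one "hash  ./relative/path" line per regular file under DIR, sorted by
# path in the C locale so that join(1) can consume the result later.
snapshot() {
    dir=$1
    out=$2
    # The redirection is resolved by the caller's shell before the subshell
    # runs, so OUTFILE is relative to the caller's working directory, not DIR.
    (
        cd "$dir" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    ) > "$out"
}

# bypath SNAPSHOT
# Re-emits a snapshot as "path hash", sorted by path, which is the key order
# join(1) needs.
bypath() {
    awk '{ print $2, $1 }' "$1" | LC_ALL=C sort
}

# verify BASELINE CURRENT
# Prints one line per difference:  REMOVED path | ADDED path | CHANGED path
# Returns 0 when CURRENT matches BASELINE exactly, 1 otherwise, 2 on setup error.
verify() {
    b=$(mktemp) || return 2
    c=$(mktemp) || return 2
    r=$(mktemp) || return 2
    bypath "$1" > "$b"
    bypath "$2" > "$c"
    {
        # paths only in the baseline: deleted since the snapshot was taken
        LC_ALL=C join -v 1 "$b" "$c" | awk '{ print "REMOVED", $1 }'
        # paths only in the current tree: new files (e.g. a dropped binary)
        LC_ALL=C join -v 2 "$b" "$c" | awk '{ print "ADDED", $1 }'
        # paths in both snapshots whose hashes differ: modified contents
        LC_ALL=C join "$b" "$c" | awk '$2 != $3 { print "CHANGED", $1 }'
    } > "$r"
    rm -f "$b" "$c"
    if [ -s "$r" ]; then
        cat "$r"
        rm -f "$r"
        return 1
    fi
    rm -f "$r"
    return 0
}

# Usage (hypothetical paths):
#   snapshot /etc /mnt/readonly/etc.base   # once, on a system you trust
#   snapshot /etc /tmp/etc.now             # later, e.g. from a cron job
#   verify /mnt/readonly/etc.base /tmp/etc.now
```

The check is only as trustworthy as the baseline: an intruder who can rewrite the snapshot file can hide any change, which is why the book's Chapter 1 recipes put the Tripwire database on read-only media or a remote host. The same applies here; keep the baseline somewhere the monitored system cannot write.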
The Linux Security Cookbook is a good hands-on guide to the major aspects of securing your Linux box. This book offers many quick reference guides to pieces of software for securing or testing your system and goes through many different means of fortifying your box including:
-controlling system access with firewalls
-monitoring your network
-using SSH and SSL
-intrusion detection systems
-authentication and cryptographic keys
-encrypting files and email messages
-system security probing
The recipes in this book allow administrators to learn quick and easy ways to secure their systems, including over 150 ready-to-use scripts and configuration files, without having to look up or research specific syntax.
This book is definitely a quick hands-on guide to securing and monitoring your system, and I would recommend it to anyone looking for a good source of guides and ready-to-use scripts and configurations.
Linux Security Cookbook has so much to offer: from setting up Tripwire to simple authentication, to setting up a Linux firewall with the popular ipchains or iptables, to using the IDS Snort for monitoring, this book has plenty of examples. In addition to the tips on how to encrypt files with GnuPG, it also shows our readers how to set up OpenSSH for remote access, as well as how to make IMAP/POP email secure with SSL.
Not only does this book provide readers with an overview of what Linux security has to offer, it also provides readers with a very practical hands-on implementation. What I also liked about this book is that the authors will tell you about which packages come with SuSE Linux but not with Red Hat Linux, as an example. This helps the reader a lot when you need to decide what features to implement, or settle on what Linux distribution to use.
Linux Security Cookbook is a very useful book for quick reference. It covers a wide range of security topics and issues related to not just Linux but most Unices. The recipes provided here are well written and ready to use. I have found many tips related to sudo, SSH, xinetd, encryption and network security extremely useful. Some of the recipes show the true hacker spirit in the authors - they teach how to be creative, rather than merely explaining facts and methodologies. Full credit to the authors for bringing out such a comprehensive book on Linux Security.
As the title suggests, LSC is a series of different Linux security "recipes." I found the cookbook-style of presentation both good and bad. Some recipes were a breeze to follow (such as the gpg recipes). Other recipes were a bit more challenging in part because of my lack of experience and because they are designed to be implemented on systems larger than my 2 node network.
As a "desktop" Linux user who only administers a desktop machine and notebook, the chapters I found most useful were those on intrusion detection systems (Chapter 1) and GPG (Chapters 7 & 8). That said, LSC contains dozens of useful recipes for administrators, from PAM authentication to monitoring who is doing what on your system. Some of the programs covered are programs I've never heard of before, John the Ripper for example. Other recipes cover those programs I know I should check out, like Snort, but have never taken the time to. LSC isn't distribution-specific but contains some useful hints for particular distributions.
LSC is easy to follow. The authors have been very careful to mention when software may or may not be included in a distribution and how to find and install it. I got tripped up a little in the first chapter (which covers tripwire), because I tried downloading and compiling the tripwire source found at the tripwire web site. I obtained the source from a couple of recommended sites. In one instance tripwire failed to compile correctly, in another it compiled but kept segfaulting when I tried to initialize the database. It wasn't until after I emailed O'Reilly that I saw mention further in Chapter 1 that tripwire is included with Red Hat Linux. One of the authors, Daniel J. Barrett, also emailed me to tell me that it was on the third CD – doh! The upside of this little tale is that I got to know aide (another intrusion detection system) a little better after I installed it on my Debian-based notebook.
LSC is certainly money well spent. I now use gpg and check my systems for intrusions on a regular basis. I've also finally found a spring board for learning more about Linux security. Reading O'Reilly's LSC made it easier to follow the ipchains-HOWTO and learn more about Linux security from other sources. If you're new to Linux security LSC is a great springboard for learning about a wide range of Linux security issues.
I've saved what is actually covered in LSC for the end of this review. My intention in this review has been mainly to present my experience with LSC so that other Linux users who are also still desktop users, or have never really been concerned with Linux security issues can take away the fact that despite a few sticking points I found this book to be a great source for information on different Linux security issues. For those concerned with the meat of the book, here's how it breaks down:
1. System Snapshots with Tripwire
2. Firewalls with iptables and ipchains
3. Network Access Control (xinetd, inetd, preventing DoS attacks)
4. Authentication Techniques and Infrastructures (PAM, SSL, Kerberos)
8. Protecting Email (all popular mail user agents, SSL and SSH)
9. Testing and Monitoring (John the Ripper, CrackLib, Snort, tcpdump, syslog)
You really need to have a good look at the table of contents to get an idea of all this book covers. I have written about it from a desktop-user standpoint, but there are so many recipes that I couldn't cover everything. There are many great code snippets that more advanced users would find useful.
If you don't have an intrusion detection system, need to grant some of your users limited root privileges, have been using the default firewall rules (or don't have a clue about iptables/ipchains), haven't checked your system for root kits or insecure protocols, then the Linux Security Cookbook should be at the top of your reading list.