Mastering FreeBSD and OpenBSD Security

Larger Cover

By Yanek Korff, Paco Hope, Bruce Potter

Publisher: O'Reilly Media

Released: March 2005

Pages: 464

FreeBSD and OpenBSD are increasingly gaining traction in educational institutions, non-profits, and corporations worldwide because they provide significant security advantages over Linux. Although a lot can be said for the robustness, clean organization, and stability of the BSD operating systems, security is one of the main reasons system administrators use these two platforms.

There are plenty of books to help you get a FreeBSD or OpenBSD system off the ground, and all of them touch on security to some extent, usually dedicating a chapter to the subject. But, as security is commonly named as the key concern for today's system administrators, a single chapter on the subject can't provide the depth of information you need to keep your systems secure.

FreeBSD and OpenBSD are rife with security "building blocks" that you can put to use, and Mastering FreeBSD and OpenBSD Security shows you how. Both operating systems have kernel options and filesystem features that go well beyond traditional Unix permissions and controls. This power and flexibility is valuable, but the colossal range of possibilities need to be tackled one step at a time. This book walks you through the installation of a hardened operating system, the installation and configuration of critical services, and ongoing maintenance of your FreeBSD and OpenBSD systems.

Using an application-specific approach that builds on your existing knowledge, the book provides sound technical information on FreeBSD and Open-BSD security with plenty of real-world examples to help you configure and deploy a secure system. By imparting a solid technical foundation as well as practical know-how, it enables administrators to push their server's security to the next level. Even administrators in other environments--like Linux and Solaris--can find useful paradigms to emulate.

Written by security professionals with two decades of operating system experience, Mastering FreeBSD and OpenBSD Security features broad and deep explanations of how how to secure your most critical systems. Where other books on BSD systems help you achieve functionality, this book will help you more thoroughly secure your deployments.

Security Foundation
1. Chapter 1 The Big Picture
  1. What Is System Security?
  2. Identifying Risks
  3. Responding to Risk
  4. Security Process and Principles
  5. System Security Principles
  6. Wrapping Up
  7. Resources
2. Chapter 2 BSD Security Building Blocks
  1. Filesystem Protections
  2. Tweaking a Running Kernel: sysctl
  3. The Basic Sandbox: chroot
  4. Jail: Beyond chroot
  5. Inherent Protections
  6. OS Tuning
  7. Wrapping Up
  8. Resources
3. Chapter 3 Secure Installation and Hardening
  1. General Concerns
  2. Installing FreeBSD
  3. FreeBSD Hardening: Your First Steps
  4. Installing OpenBSD
  5. OpenBSD Hardening: Your First Steps
  6. Post-Upgrade Hardening
  7. Wrapping Up
  8. Resources
4. Chapter 4 Secure Administration Techniques
  1. Access Control
  2. Security in Everyday Tasks
  3. Upgrading
  4. Security Vulnerability Response
  5. Network Service Security
  6. Monitoring System Health
  7. Wrapping Up
  8. Resources
Deployment Situations
1. Chapter 5 Creating a Secure DNS Server
  1. The Criticality of DNS
  2. DNS Software
  3. Installing BIND
  4. Installing djbdns
  5. Operating BIND
  6. Operating djbdns
  7. Wrapping Up
  8. Resources
2. Chapter 6 Building Secure Mail Servers
  1. Mail Server Attacks
  2. Mail Architecture
  3. Mail and DNS
  4. SMTP
  5. Mail Server Configurations
  6. Sendmail
  7. Postfix
  8. qmail
  9. Mail Access
  10. Wrapping Up
  11. Resources
3. Chapter 7 Building a Secure Web Server
  1. Web Server Attacks
  2. Web Architecture
  3. Apache
  4. thttpd
  5. Advanced Web Servers with Jails
  6. Wrapping Up
  7. Resources
4. Chapter 8 Firewalls
  1. Firewall Architectures
  2. Host Lockdown
  3. The Options: IPFW Versus PF
  4. Basic IPFW Configuration
  5. Basic PF Configuration
  6. Handling Failure
  7. Wrapping Up
  8. Resources
5. Chapter 9 Intrusion Detection
  1. No Magic Bullets
  2. IDS Architectures
  3. NIDS on BSD
  4. Snort
  5. ACID
  6. HIDS on BSD
  7. Wrapping Up
  8. Resources
Auditing and Incident Response
1. Chapter 10 Managing the Audit Trails
  1. System Logging
  2. Logging via syslogd
  3. Securing a Loghost
  4. logfile Management
  5. Automated Log Monitoring
  6. Automated Auditing Scripts
  7. Wrapping Up
  8. Resources
2. Chapter 11 Incident Response and Forensics
  1. Incident Response
  2. Forensics on BSD
  3. Digging Deeper with the Sleuth Kit
  4. Wrapping Up
  5. Resources

Colophon

Title:

Mastering FreeBSD and OpenBSD Security

By:

Yanek Korff, Paco Hope, Bruce Potter

Publisher:

O'Reilly Media

Formats:

Print
Safari Books Online

Print:

March 2005

Pages:

464

Print ISBN:

978-0-596-00626-6

| ISBN 10:

0-596-00626-8

Yanek Korff

Yanek Korff graduated with a Bachelor's degree in Computer Science from the College of William and Mary and is currently a Certified Information Systems Security Professional (CISSP). Mr. Korff joined Bell Atlantic as a Systems Engineer where he played a major role in the strategy, design, and deployment of a key Northern Virginia test facility. He later joined Cigital, Inc., a software quality management company, where he played a central role in the design of their systems infrastructure. He is now an essential member of the Information Security division at America Online. During his career, Mr. Korff has been able to identify and mitigate information security risks particularly relating to host-based BSD security. By leveraging his experience, he has been able to apply security fundamentals to influence business and industry practices.

View Yanek Korff's full profile page.
Paco Hope

Paco Hope is a Technical Manager with Cigital. His areas of expertise software security, security testing, and casino gaming. He specializes in analyzing the security of software, software systems, and software development processes. Paco frequently speaks at conferences such as the Better Software Conference, STAR East, and STAR West. He conducts training on risk-based security testing, writing security requirements, and software security fundamentals. He can be reached at paco@cigital.com.

View Paco Hope's full profile page.
Bruce Potter

Bruce Potter is the Manager of Network and Security Operations for VeriSign's Mass Market's division. He manages the security for over a hundred network devices and several hundred servers. He's the founder of the Shmoo Group (www.shmoo.com), a web site for security, cryptography, and privacy professionals, and NoVAWireless (www.novawireless.org), a community-based wireless network project in Northern Virginia.

View Bruce Potter's full profile page.

Colophon

Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects. The image on the cover of Mastering FreeBSD and OpenBSD Security depicts fencers. Whether used for sport or for war, the art of fencing can be traced back to some of the earliest known civilizations. For example, fencers entertained Pharaohs in ancient Engypt. The Greeks and Romans, meanwhile, had systems of martial arts that included swordsmanship. The modern sport of fencing originated in the first Olympic Games, in 1896, and consists of three different weapons: foil, épée, and sabre. The lightest of these weapons is the foil. A foil fencer can only score hits by landing thrusts to the trunk of the body. A modern electrical scoring apparatus,worn by the fencer, will record a hit for any blow landed with a force of at least 4.90 newtons. Less flexible and heavier than the foil, the épée usually has a large hand guard. This bell-shaped guard is important because the épée fencer is not as limited in her targets--the entire body, including the hand, is considered a valid target to score hits. An épée fencer registers a hit with 7.35 newtons of force. The sabre differs from these first two swords in that it is an edge, rather than a point, weapon. A sabre fencer may land points to any part of the upper body (head, torso, and arms). A touch with the point, flat, or edge of the sword will register a hit. Adam Witwer was the production editor, and Nancy Reinhardt was the copyeditor for Mastering FreeBSD and OpenBSD Security. Linley Dolby proofread the text. Sarah Sherman and Claire Cloutier provided quality control. Lucie Haskins wrote the index.

Emma Colby designed the cover of this book, based on a series design by Edie Freedman. The cover image is a 19th-century engraving from the Dover Pictorial Archive. Karen Montgomery produced the cover layout with Adobe InDesign CS using Adobe's ITC Garamond font.

David Futato designed the interior layout. This book was converted by Judy Hoer to FrameMaker 5.5.6 with a format conversion tool created by Erik Ray, Jason McIntosh, Neil Walls, and Mike Sierra that uses Perl and XML technologies. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in the book were produced by Robert Romano, Jessamyn Read, and Lesley Borash using Macromedia FreeHand MX and Adobe Photoshop CS. The tip and warning icons were drawn by Christopher Bing. This colophon was written by Adam Witwer.

Description

Table of Contents

Product Details

About the Author

Colophon

Recommended for You

Recently Viewed

Excel Hacks

100 Industrial Strength Tips and Tools

By David Hawley, Raina Hawley

March 2004

Ebook: $19.99

Java Examples in a Nutshell, 3rd Edition

By David Flanagan

January 2004

Ebook: $39.99

Print & Ebook: $43.95

Print: $39.95

Windows XP Power Hound

Teach Yourself New Tricks

By Preston Gralla

September 2004

Ebook: $19.99

Print & Ebook: $27.45

Print: $24.95

Customer Reviews

REVIEW SNAPSHOT®

by PowerReviews

oreilly Mastering FreeBSD and OpenBSD Security

4.0

(based on 1 review)

Reviews

Reviewed by 1 customer

Displaying review 1

5/15/2005

(1 of 1 customers found this review helpful)

4.0

Congrats on a much needed *BSD security book

By Lloyd R.

from Undisclosed

Comments about oreilly Mastering FreeBSD and OpenBSD Security:

Mastering FreeBSD and OpenBSD Security

By Yanek Korff, Paco Hope, Bruce Potter

First Edition March 2005

ISBN: 0-596-00626-8

464 pages, $49.95 US

http://www.oreilly.com/catalog/mfreeopenbsd/

This book has been long awaited as the *BSD community has been lacking the number of security geared books compared to the Linux and Windows communities. I found that this book is almost the equal of "Linux Server Security", but for OpenBSD and FreeBSD. With OpenBSD being said to be one of the most secure operating systems, you would think there would be more books about the security other than the normal online documentation.

I'm glad O'Reilly finally put out this book as it covers a broad area of security within OpenBSD and FreeBSD.

This covers *BSD basics, initial install and hardening of the specific OS, security practices, running secure servers (DNS, Mail, Web), firewall, intrusion detection, system audits, incident response, and forensics. This is a broad coverage of security, but I wish on some of the specifics they would have went into detail discussing.

Some points I wish were added in detail was coverage on OpenNTPD's security and/or atleast mentioning that it is contained within OpenBSD. Another would be more coverage of Qmail on FreeBSD/OpenBSD as there really wasn't much more than a mention of Qmail and basic information. Compared to the details given to Sendmail and Postfix, Qmail info was really slacking. The last point I would like to mention that I found lacking was possibly a more in-depth guide to CARP and what it's capable of doing. The main thing dealing with CARP that I would have liked to see would be about load balancing firewalls using CARP and PFSYNC.

Other than these few minor lacking areas, I found this book to be great addition to other security books based around general Linux and BSD servers. I almost wish this book would have waited a little while longer before releasing or hope they plan an update soon as OpenBSD 3.7 is scheduled for release on May 19th and this book mainly just covers versions 3.5/3.6 for OpenBSD. Along with the new version of OpenBSD releasing, FreeBSD 5.4 was released not long after this book was published.

Even lacking the parts that it does, I enjoyed reading the sections about DJBDNS comparison to BIND with details of the specifics. On top of this, there is enough information to get anyone with general *nix knowledge going with a OpenBSD/FreeBSD firewall or secure server. By no means is this book the answer to first time OpenBSD/FreeBSD system administrators to learn the basics from, but seems to be more geared for those atleast somewhat familiar with the *BSD feel of things and aware of what's going on inside their machine. In the beginning of the book it mentions this book was written "by system administrators for system administrators". For someone just getting started with OpenBSD I'd recommend this book, but also would recommend picking up Absolute OpenBSD (http://www.oreilly.com/catalog/1886411999/) for more coverage of the basics. Otherwise, it will be difficult picking up on what they are saying in this book. Also, on the FreeBSD side of things I'd recommend Absolute BSD (http://www.oreilly.com/catalog/1886411743/index.html) or The Complete FreeBSD (http://www.oreilly.com/catalog/cfreebsd/index.html). If your new to *BSD this book will help but a book to compliment it will help even more. Atleast once you learn the basics, you will get a detailed bit of information on securing your new *BSD box.

I believe the writers met their goal of creating a book to solely cover the security features of OpenBSD and FreeBSD aswell as the types of servers run on those platforms. I'm glad this book arrived and look forward to seeing if they release a 2nd edition that is updated and possibly covers the parts that seem to be missing or lacking in detail. Congrats to O'Reilly and the writers.

Lloyd Randall

Pensacola Linux User's Group