Posted: Mon Nov 10, 2003 8:30 pm Post subject: Book Review - Building Secure Servers with Linux
Building Secure Servers with Linux
Author(s): Michael D. Bauer
Book Specifications: Soft-Cover, 448 pages
Category: Linux Security
Suggested Publisher Price: $44.95 US, $69.95 CA, £31.95 UK
Amazon.co.uk: Building Secure Servers with Linux
Info from Back: "Building Secure Servers with Linux will help you master the principles of reliable system and network security by combining practical advice with a firm knowledge of the technical tools needed to ensure security. The book focuses on the most common use of Linux--as a hub offering services to an organization or the larger Internet--and shows readers how to harden their hosts against attacks.
Author Mick Bauer, a security consultant, network architect, and lead author of the popular Paranoid Penguin column in Linux Journal, carefully outlines the security risks, defines precautions that can minimize those risks, and offers recipes for robust security. The book does not cover firewalls, but covers the more common situation where an organization protects its hub using other systems as firewalls, often proprietary firewalls."
I was eager to read this book for both personal reasons, running a Slackware distribution at home, and for my corporate workplace, where I look after a web-facing server running Apache/PHP/OpenSSL.
After installing the most recent versions of all daemons and patches, and running full scans using the likes of nmap and Nessus, no vulnerabilities were found, only very minor issues which were corrected. I was keen to learn more preventative steps to take in locking down individual services as well as perimeter security.
Secure Servers covers OS hardening, OpenSSH, Stunnel and OpenSSL, DNS, Sendmail and Postfix, Apache, FTP, syslog (and syslog-ng), Tripwire and Snort. The "Hardening Linux" section describes removing unused services, restricting privileges, setting up a firewall with iptables, nmap, Nessus and the Bastille Linux hardening script. The chapters are:
- Threat Modeling and Risk Management
- Designing Perimeter Networks
- Hardening Linux
- Secure Remote Administration
- Securing Domain Name Services (DNS)
- Securing Internet Email
- Securing Web Services
- Securing File Services
- System Log Management and Monitoring
- Simple Intrusion Detection Techniques
This is a complete chapter list (without subsections), a full Table of Contents can be found HERE and there is a sample chapter on System Log Management and Monitoring.
After opening the first chapter I was at first a little disappointed to see a modelling, theory and risk management section. Although these are important, they seem to crop up again and again, and the threats aren't necessarily *nix specific, being more about security in general. This isn't to say this was a bad chapter; I particularly liked the estimated costs on the 'attack tree'. Is that really the going rate to bribe an admin at an ISP?
The next chapter is based around the perimeter networks, which gives an overview of DMZ architectures and best practices which flows into the third, 'hardening the OS'. This relates to removing unnecessary services & software, keeping up to date and around 10 pages on iptables. It then goes on to the testing of any rulesets with nmap and automated hardening using bastille.
Chapters 4 and 5 are comprehensive sections on secure remote administration and tunnelling, detailing locking down SSHD, TCP port forwarding over SSH and OpenSSL. Chapters 6 and 7 contain information on securing both BIND and djbdns; unfortunately, in the context of this review, the server I am securing does not run DNS (it is managed by an ISP), so I did not put these into practice. Having previously been responsible for a nameserver, this was still interesting reading, with sections on provisioning a chroot jail and securing zone files and transfers.
Next up is securing internet mail which starts with general MTA security then focuses in on sendmail and postfix.
The area I was most interested in was securing web services, which is arguably another topic in its own right. This starts with file structures and ownership and goes through to CGI/PHP.
Chapter 9 covers securing file services and FTP security. There are 20 pages on securing proftpd, but the book itself earlier recommends not using FTP and using SCP or similar instead. Since I am using SCP and SFTP to move files to my host, and an FTP daemon is not running, I skipped this section. It finally mentions the unencrypted rsync but gives a secure method of tunnelling this over SSH.
The final chapters cover log management and monitoring, and how to automate these tasks using swatch. There is then a detailed section on configuring Tripwire, followed by Snort, both for sniffing and as an IDS.
Style and Detail
The book was very concise and clear and broken down with code examples and useful scripts. The book gives both the syntax and methods for hardening the service and in places gives corresponding methods for checking for any vulnerabilities.
I first used the book for reference on the specific areas I was looking into, reading the individual chapters, but then read the book from cover to cover as it is presented well and progressively deals with the external factors, the OS, the services, and maintenance and prevention.
After initially skipping through the first 'theory' chapters, I read them thoroughly at a later point. The risk analysis and the perimeter security measures are equally as important as the machine itself, and this is enforced throughout.
I enjoyed reading the book and found it to be both informative and well written.
The book was published in October 2002, so is now a year old. A lot of the underlying principles discussed here are the same, although I did notice some of my distributions have the more secure settings 'out of the box', so the references helped awareness but did not achieve any additional security.
Recommended both for users new to Linux and security in general, and for those looking to tighten existing systems.
If there is one thing I would like to see more of, it would be extracts from actual logs where attacks have been successful or denied for each of the secured services, although the log management and intrusion sections are comprehensive enough to help automate notification of malicious requests.
A solid 7/10.
This review is copyright 2003 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.