Starting in 1843, a steady progression of emigrants began travelling the Oregon Trail. Thousands came west. Some said it was Manifest Destiny and the will of God that America should expand from sea to sea. Others saw it as opportunity. The 2000-mile trail was not without its trials – confused mapmakers and wheelbarrows that put human endurance to the test. The domination of Linux in the server market (73% of Web Servers run Linux, at last count), and its en route saga, in many ways bear a striking resemblance to the Oregon Trail. And much like the Oregon Trail, its path has been riddled with perils (read Security) that were partly shielded by Mormon handcarts and caravans. O'Reilly deserves credit for capturing on the cover a typical family caravan on the Oregon Trail. So, does the book end up teaching you how to put together a typical caravan or a hack-free Mormon handcart? Read the rest of this review to find out.
Linux system vulnerabilities have amplified in monstrous proportion, with perfunctory probes and break-in attempts occurring at regular frequencies. In times where patching itself needs to make good progress, this title from O’Reilly offers some insightful tools and techniques to prevent your Linux server from being compromised. The book effortlessly takes you from the fundamental security issues that govern networking and operating systems, to tightening your Web server configuration and enhancing scripting language security.
Chapter Overview
Threat modeling comprises three high-level steps: understanding the attacker’s perspective, characterizing the security of the system, and determining threats. Chapter 1 tackles all these steps, along with a primer on risk management.
Securing a network from being attacked by a compromised system in the same network is a challenge for today’s Linux server administrator. Chapter 2 navigates you through robust perimeter design techniques with special emphasis on placement strategies for firewalls and bastion hosts. The General firewall configuration guidelines are a set of must-read hardening guidelines for system administrators. This chapter could have benefited from a step-by-step example of a script/program that you could write to protect the network.
Chapter 3 offers putty for operating system level security holes, along with informational discussions on nmap and Nessus port scans, replete with installation instructions. I was particularly impressed with the guidelines on an issue that has led even the most experienced system administrator to vacillate – 'Should I Always Update?' If you belong to the 'There’s More Than One Way to Do It' ilk, you will appreciate the intelligence of Bastille Linux that is covered in good measure.
For the budding Linux user with a bare security quotient, Chapter 4 races through the fundamentals of encryption, along with coverage of secure logins, including ssh. The book even manages to squeeze in text demonstrating how to use OpenSSL in a particular context, via Stunnel. Chapter 5 tackles issues that are oft requested on several security forums – setting up a Certificate Authority (CA) and creating Virtual Private Networks (VPN). If you thought securing BIND was all about running it with nonroot privileges in a sandpit, Chapter 6 has a treasure trove of additional information, including a discussion on the most popular alternative, djbdns.
Chapter 7 dives into fine tuning LDAP configurations and introduces the ubiquitous OpenLDAP, explaining its place in user authentication. Armed with this primer, the book demonstrates how you can realise the power and flexibility of LDAP by using it to authenticate IMAPS e-mail retrieval, in Chapter 9. Chapters 8, 10 and 11, are devoted to securing Internet e-mail, Web Servers and File Services, respectively.
The syslog-ng daemon is difficult to configure for those not experienced with the syslog-ng.conf configuration file. Chapter 11 offers the right set of instructions for your logging endeavors, but falls short of examples that show how to configure and run syslog-ng in a variety of situations. I would also have liked to see a network overview diagram illustrating various hosts discussed in the proposed examples. No book on Linux Server Security can be complete without a discussion of the popular network intrusion detection systems, Tripwire and Snort. The book wraps up with a useful appendix that features two complete iptables Startup Scripts, providing models for creating firewalls.
The Lowdown
So, does this book teach you how to create a hack-free Mormon Handcart? Undoubtedly, yes! But one that is approximately 10 feet long and 4 feet wide. Just like the Caravan on the Oregon Trail, enough to accommodate a large supply of food, clothing, and household necessities. To cover a topic as vast and dynamic as Linux Server Security you’d have to knock down a few hundred more trees. Having said that, in the space provided, this book offers valuable practical advice that will not only harden your Servers, but also your resolve to be a proactive Linux administrator.
Dilip Thomas
Copyright @ 2004 Software & Support Media