A Survival Guide for Linux Security

8/9/2019 A Survival Guide for Linux Security

The subtitle says it all: A Survival Guide for Linux Security.

This book is the result of an iterative process of consulting with experts in the field of computer and network security. The list of contributors includes staff at well-known organizations like the Computer Emergency Response Team (CERT) and the U.S. Census Bureau, so it is more than just the two main authors' expertise; it is a collaborative effort of 48 experts.

It is not simply a theoretical book on computer security. First, it details only one Linux distribution, Red Hat 6.0. Users of other distributions will be able to use the book as well, but they will need to fudge things according to the differences between their distribution and Red Hat 6.0. Users of Mandrake 6.x should have no problem; users of Slackware will have to adjust a lot of the information on system startup. Debian users will probably find themselves scrambling to map all the RPM package names to Debian package equivalents.

Second, it is a step-by-step walk through the process. The authors don't simply say "remove package foo"; they walk the reader through the process of removing package foo, with the complete command line and system response for each command. It may be only one or two steps, but they are there to show you exactly what to type on the command line and what response to expect from the system.

The book is entirely command-line-oriented. This is good, in that the authors can show exactly what to do in each step. It also means you get to do a lot of typing and careful checking of your command lines. If you aren't already familiar with Bash's tab completion, now is a good time to read up on it in the man page.

Theory is minimal in this book. There is usually a brief discussion of each group of command-line steps. Then the steps to carry out are shown, interspersed with useful commentary.

The book is organized in a logical manner, starting with step one on security policies, the physical security of the computer, and a pre-installation check of the BIOS's security-related features (e.g., turn off the ability to boot from floppy). Each step is divided into sub-steps, so you can easily find an appropriate sub-step for any aspect of security.


Step two, which would be chapter two in any other book, deals with the installation of Linux. The authors cover pre-installation security, where they point out that (for example) an FTP installation from a public server on the Internet could leave your computer compromised before the installation is complete. Similarly, they discuss the security implications of partitioning.

It's no surprise that the authors prefer the custom installation of Red Hat over either workstation or server. Their motto is "When in doubt, leave it out", an excellent motto. If it isn't there, it can't be cracked. The installation step continues with password setup and some recommendations such as creating a boot diskette. The book then shows how to set system access policies and configure logging.

The next two chapters (excuse me, steps) are about securing a workstation on a network and a server on a network. The server step includes instructions for installing Secure Shell (SSH) tools, which are far more secure than the r analogs (rlogin, rsh, etc.), ftp or telnet. Other sub-steps show how to set up DNS, electronic mail and several other services. The documentation on securing Apache includes password protection and adding mod_ssl to your Apache daemon.

The process of securing a workstation includes disabling and removing a number of standard daemons, or limiting access to those daemons.
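As an added illustration of the "leave it out" approach the review describes, and not code from the book or from the reviewer, here is a POSIX shell script that comments out the risky inetd services the review names (the r-services, ftp, telnet) in an inetd.conf-style file and reports what remains enabled. The service list and the sample inetd.conf are constructed for this example; point it at a copy of your own file, not the live one, until you have reviewed the list.

```shell
#!/bin/sh
# Added example (not the book's or the reviewer's code): comment out risky
# services in an inetd.conf-style file. Nothing here touches the live
# /etc/inetd.conf unless you pass that path yourself.

# Services to disable. The list is an assumption for illustration; the
# r-services, ftp and telnet are the ones the review singles out.
DISABLE_SERVICES="ftp telnet shell login exec talk ntalk finger"

# Usage: write_sample_inetd_conf <path>
# Writes a constructed sample modelled on a Red Hat 6.0-era inetd.conf
# (not the book's Appendix B). Field order: service socket proto wait user
# server args.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
EOF
}

# Usage: harden_inetd_conf <input> <output>
# Copies <input> to <output>, prefixing '#' to every enabled line whose
# first field (the service name) is in DISABLE_SERVICES. Comments and
# blank lines pass through unchanged.
harden_inetd_conf() {
    in="$1"
    out="$2"
    set -f                      # no globbing when splitting fields
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*)
                printf '%s\n' "$line" >> "$out"
                continue ;;
        esac
        set -- $line            # split on whitespace; $1 is the service
        svc="$1"
        disabled=0
        for d in $DISABLE_SERVICES; do
            if [ "$svc" = "$d" ]; then disabled=1; break; fi
        done
        if [ "$disabled" -eq 1 ]; then
            printf '#%s\n' "$line" >> "$out"
        else
            printf '%s\n' "$line" >> "$out"
        fi
    done < "$in"
    set +f
}

# Usage: enabled_services <file>
# Prints the names of services still enabled, one per line, sorted.
enabled_services() {
    awk '$0 !~ /^[[:space:]]*(#|$)/ { print $1 }' "$1" | sort
}

# Demo: ./harden_inetd.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_inetd_conf "$tmp/inetd.conf"
    harden_inetd_conf "$tmp/inetd.conf" "$tmp/inetd.conf.hardened"
    echo "still enabled after hardening:"
    enabled_services "$tmp/inetd.conf.hardened"
fi
```

After hardening the sample, only pop-3 and imap remain enabled; whether those belong on the box either is exactly the question the "when in doubt" motto asks you to answer, and the script makes that decision explicit instead of leaving it to the stock file. Restart inetd (or send it SIGHUP) after editing the real file, or the change has no effect.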

Step five deals with system tuning and packet firewalls. It gives a brief introduction to IPCHAINS, and shows how to make, install and test a strong ruleset.

Step six points the reader toward a number of tools for network security, such as the (in)famous SATAN and its descendants.

Appendix A has an excellent bibliography of Linux security resources on the Internet. Appendix B is the stock Red Hat 6.0 /etc/inetd.conf. Appendix C is a System V-style startup script for ssh, which fills a gap in at least two of the ssh products out there. Appendix D is a 20-page script for a strong firewall IPCHAINS ruleset, adapted for the book from David Ranch's highly respected TrinityOS.

Appendix E is a script to modify the permissions of a number of system utilities. The authors recommend you run it every time you install Linux. It is worth studying to see how insecure the authors find Linux to be.
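The review does not reproduce the Appendix E script, so what follows is an added example of the same kind of job, written for this page rather than taken from the book: find setuid and setgid files under a directory and strip the bits from anything not on an allow-list. The allow-list and the sandbox of empty fake binaries are assumptions made for the example; run it against a real root only after you have reviewed the list for your own system.

```shell
#!/bin/sh
# Added example, not the book's Appendix E script: audit setuid/setgid
# files under a tree and strip the bits from any not on an allow-list.

# Basenames allowed to keep setuid/setgid. An assumption for illustration;
# a real list comes from your own review of what the site needs.
KEEP_SUID="su passwd sudo ping"

# Usage: list_suid <dir>
# Prints paths of regular files under <dir> with setuid or setgid set, sorted.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Usage: strip_unlisted_suid <dir>
# Clears setuid and setgid on every file list_suid reports whose basename
# is not in KEEP_SUID, printing each path it changed.
strip_unlisted_suid() {
    list_suid "$1" | while IFS= read -r f; do
        base=$(basename "$f")
        keep=0
        for k in $KEEP_SUID; do
            if [ "$base" = "$k" ]; then keep=1; break; fi
        done
        if [ "$keep" -eq 0 ]; then
            chmod u-s,g-s "$f"
            printf '%s\n' "$f"
        fi
    done
}

# Usage: make_sandbox <dir>
# Builds a constructed sandbox of empty files standing in for binaries,
# so the functions above can be exercised without touching a real system.
make_sandbox() {
    mkdir -p "$1/bin"
    for b in su passwd mount umount ping chage; do
        : > "$1/bin/$b"
        chmod 755 "$1/bin/$b"
    done
    chmod u+s "$1/bin/su" "$1/bin/passwd" "$1/bin/mount" "$1/bin/umount" "$1/bin/ping"
    chmod g+s "$1/bin/chage"
}

# Demo: ./suid_audit.sh demo
if [ "${1:-}" = "demo" ]; then
    sb=$(mktemp -d)
    make_sandbox "$sb"
    echo "setuid/setgid before:"; list_suid "$sb"
    echo "stripped:";             strip_unlisted_suid "$sb"
    echo "setuid/setgid after:";  list_suid "$sb"
fi
```

Keep the output of list_suid from a fresh install alongside the checklist the reviewer recommends: a later diff against it is the quickest way to spot a setuid binary that a package upgrade, or an intruder, has added since.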


The book is printed in an unusual format. It is spiral-bound, standard (North American) letter-size paper. The unusual part is that it is printed in landscape layout. The result is you see the book as a 17 x 11-inch sheet of paper, with the binding across the middle. This makes it possible to have a lot of information in front of you while working at the keyboard. There is plenty of white space for your notes. The effect was a bit disconcerting at first, but I found it easy to work with and rather like it.

The steps are well written, and I was able to walk through several of the sub-steps. The only problems I had were caused by other problems in the system, ones outside the scope of the book. I was able to install ssh, for example, in minutes because the steps in this book are better than the README file that came with one of the distributions I tried.

One thing to keep in mind: while the book is a set of step-by-step instructions, you will have to remain alert to your own situation and local needs.

At first, I thought the scripts, especially the 20-page IPCHAINS ruleset, were not available on the Net. Well, I am glad to report that they are. The URL is carefully hidden away at the beginning of Appendix A, which is not where the reader looking for, say, Appendix D is going to look.

I recommend this book to professionals in the field. If you are on the Internet with a firewall or any sort of server, you should read it and take the steps appropriate to your situation. As you do, check off each step completed so that you have a permanent record of how you have customized your firewall.


Charles Curley lives in Wyoming, where he rides horses and herds cattle, cats and electrons. Only the last of those pays well, so he also writes documentation for a small software company headquartered in Redmond, Washington.
