Linux Server Security
Tools and Best Practices for Bastion Hosts
1st Edition
Published on 18. January 2005
542 pages
978-0-596-51799-1 (ISBN)
Description
Linux consistently appears high up in the list of popular Internet servers, whether it's for the Web, anonymous FTP, or general services such as DNS and delivering mail. But security is the foremost concern of anyone providing such a service. Any server experiences casual probe attempts dozens of time a day, and serious break-in attempts with some frequency as well.This highly regarded book, originally titled Building Secure Servers with Linux, combines practical advice with a firm knowledge of the technical tools needed to ensure security. The book focuses on the most common use of Linux--as a hub offering services to an organization or the Internet--and shows readers how to harden their hosts against attacks. An all-inclusive resource for Linux users who wish to harden their systems, Linux Server Security covers general security such as intrusion detection and firewalling a hub, as well as key services such as DNS, the Apache Web server, mail, and secure shell.Author Michael D. Bauer, a security consultant, network architect, and lead author of the popular Paranoid Penguin column in the Linux Journal, carefully outlines the security risks, defines precautions that can minimize those risks, and offers recipes for robust security. He is joined on several chapters by administrator and developer Bill Lubanovic.A number of new security topics have been added for this edition, including:Database security, with a focus on MySQLUsing OpenLDAP for authenticationAn introduction to email encryptionThe Cyrus IMAP service, a popular mail delivery agentThe vsftpd FTP serverGeared toward Linux users with little security expertise, the author explains security concepts and techniques in clear language, beginning with the fundamentals. Linux Server Security with Linux provides a unique balance of "e;big picture"e; principles that transcend specific software packages and version numbers, and very clear procedures on securing some of those software packages on several popular distributions. With this book in hand, you'll have both the expertise and the tools to comprehensively secure your Linux system.
More details
Other editions
Additional editions
Michael D. Bauer
Linux Server Security
Book
02/2005
2nd Edition
O'Reilly
€42.00
Shipment within 10-20 days
Content
- Intro
- Table of Contents
- Preface
- What This Book Is About
- The Paranoid Penguin Connection
- The Second Edition
- Audience
- What This Book Doesn't Cover
- Assumptions This Book Makes
- Organization of This Book
- Conventions Used in This Book
- Safari® Enabled
- How to Contact Us
- Using Code Examples
- Acknowledgments
- Threat Modeling and Risk Management
- Components of Risk
- Assets
- Security Goals
- Data confidentiality
- Data integrity
- System integrity
- System/network availability
- Threats
- Motives
- Financial motives
- Political motives
- Personal/psychological motives
- Vulnerabilities and Attacks Against Them
- Simple Risk Analysis: ALEs
- An Alternative: Attack Trees
- Defenses
- Asset Devaluation
- Vulnerability Mitigation
- Attack Mitigation
- Conclusion
- Resources
- Designing Perimeter Networks
- Some Terminology
- Types of Firewall and DMZ Architectures
- The "Inside Versus Outside" Architecture
- The "Three-Homed Firewall" DMZ Architecture
- A Weak Screened-Subnet Architecture
- A Strong Screened-Subnet Architecture
- Deciding What Should Reside on the DMZ
- Allocating Resources in the DMZ
- The Firewall
- Types of Firewall
- Simple packet filters
- Stateful packet filtering
- Stateful Inspection
- Application-layer proxies
- Selecting a Firewall
- General Firewall Configuration Guidelines
- Harden your firewall's OS
- Configure anti-IP-spoofing rules
- Deny by default
- Strictly limit incoming traffic
- Strictly limit all traffic out of the DMZ
- Don't give internal systems unrestricted outbound access
- If you have the means, use an application-gateway firewall
- Don't be complacent about host security
- Hardening Linux and Using iptables
- OS Hardening Principles
- Installing/Running Only Necessary Software
- Commonly unnecessary packages
- Disabling services in Red Hat and related distributions
- Disabling services in SUSE
- Disabling services in Debian 3.0
- Disabling services in other Linux distributions
- Keeping Software Up to Date
- Distribution (global) updates versus per-package updates
- Whither X-based updates?
- How to be notified of and obtain security updates: Red Hat
- RPM updates for the extremely cautious
- Yum: a free alternative to up2date
- How to be notified of and obtain security updates: SUSE
- SUSE's online-update feature
- How to be notified of and obtain security updates: Debian
- Deleting Unnecessary User Accounts and Restricting Shell Access
- Restricting Access to Known Users
- Running Services in chrooted Filesystems
- Minimizing Use of SUID root
- Identifying and dealing with SUID root files
- Using su and sudo
- Using su
- Using sudo
- Configuring, Managing, and Monitoring Logs
- Every System Can Be Its Own Firewall: Using iptables for Local Security
- Using iptables: Preparatory steps
- How netfilter works
- Using iptables
- Checking Your Work with Scanners
- Types of scans and their uses
- Why we (good guys) scan
- nmap, world champion port scanner
- Getting and installing nmap
- Using nmap
- Some simple port scans
- Nessus, a full-featured security scanner
- Security scanners explained
- Nessus's architecture
- Getting and installing Nessus
- Nessus clients
- Performing security scans with Nessus
- Understanding and Using Available Security Features
- Documenting Bastion Hosts' Configurations
- Automated Hardening with Bastille Linux
- Background
- How Bastille came to be
- Obtaining and Installing Bastille
- Running Bastille
- Some Notes on InteractiveBastille
- Bastille's Logs
- Hooray! I'm Completely Secure Now! Or Am I?
- Secure Remote Administration
- Why It's Time to Retire Cleartext Admin Tools
- Secure Shell Background and Basic Use
- How SSH Works
- Getting and Installing OpenSSH
- SSH Quick Start
- Using sftp and scp for Encrypted File Transfers
- Digging into SSH Configuration
- Configuring and Running sshd, the Secure Shell Daemon
- Intermediate and Advanced SSH
- Public-Key Cryptography
- Advanced SSH Theory: How SSH Uses PK Crypto
- Setting Up and Using RSA and DSA Authentication
- Minimizing Passphrase Typing with ssh-agent
- Passphrase-Less Keys for Maximum Scriptability
- Using SSH to Execute Remote Commands
- TCP Port Forwarding with SSH: VPN for the Masses!
- OpenSSL and Stunnel
- Stunnel and OpenSSL: Concepts
- OpenSSL
- What a Certificate Authority does and why you might need one
- How to become a small-time CA
- Creating CA-signed certificates
- Creating self-signed certificates
- Client certificates
- Using Stunnel
- A quick Stunnel example
- Explanation of the example stunnel.conf settings
- Some security-enhancing global settings
- Another method for using Stunnel on the server
- Using Certificate Authentication
- X.509 authentication example
- Using Stunnel on the Server and Other SSL Applications on the Clients
- Other Tunneling Tools
- Resources
- Securing Domain Name Services (DNS)
- DNS Basics
- DNS Security Principles
- Selecting a DNS Software Package
- Securing BIND
- Making Sense out of BIND Versions
- Obtaining and Installing BIND
- Preparing to Run BIND (or, Furnishing the Cell)
- Provisioning a chroot jail for BIND v8
- Provisioning a chroot jail for BIND v9
- Invoking named
- Securing named.conf
- acl{} sections
- Global options: The options{} section
- Logging
- zone{} sections
- Split DNS and BIND v9
- Zone File Security
- Advanced BIND Security: TSIGS and DNSSEC
- Transaction Signatures (TSIGs)
- Additional uses for TSIGs
- Sources of BIND (and IS Security) Information
- djbdns
- What Is djbdns?
- Why not BIND?
- Choosing djbdns Services
- How djbdns Works
- Installing djbdns
- Installing the service manager: daemontools
- Installing djbdns itself
- Installing an internal cache: dnscache
- Installing an "external" cache: dnscachex
- Installing an "external" forwarding cache
- Split horizon
- Installing a DNS server: tinydns
- Running tinydns
- Helper applications
- The tinydns-data format
- tinydns-data reference
- Running djbdns client programs
- Coexisting with BIND
- Installing ucspi-tcp
- Running axfr-get
- Installing axfrdns
- Running axfrdns
- Encrypting Zone Transfers with rsync and ssh
- Migrating from BIND
- Resources
- General DNS Security Resources
- Some DNS-related RFCs (available at http://www.rfc-editor.org)
- Some DNS/BIND security advisories (available at http://www.cert.org)
- BIND Resources
- djbdns Resources
- Using LDAP for Authentication
- LDAP Basics
- Directory-Services Protocols
- Hierarchies and Naming Conventions
- Setting Up the Server
- Getting and Installing OpenLDAP
- Configuring and Starting slapd
- TLS for Secure LDAP Transactions
- slapd Startup Options for TLS
- Testing
- LDAP Schema
- Creating Your First LDAP Record
- LDAP Database Management
- Database Structure
- Schema and user records
- Building and Adding Records
- Creating Passwords
- Access Controls
- Conclusions
- Resources
- Database Security
- Types of Security Problems
- Server Location
- Secure Remote Administration
- VPN to the server
- ssh to the server
- Tunneling a local port to the server
- Using the Web
- Server Installation
- Choosing a Version
- Installing and Configuring the Server and Clients
- Files
- Setting the MySQL root User Password
- Deleting Anonymous Users and Test Databases
- Creating MySQL User Accounts and Privileges
- Checking Your Server
- The MySQL Configuration File
- Database Operation
- MySQL Table Types
- Loading Datafiles
- Writing Data to Files
- Viewing Database Threads
- Killing Database Threads
- Stopping the Server
- Backups
- Logging
- Replication
- Queries
- SQL Injection
- Resources
- Securing Internet Email
- Background: MTA and SMTP Security
- Email Architecture: SMTP Gateways and DMZ Networks
- SMTP Security
- Unsolicited Commercial Email
- SMTP AUTH
- Using SMTP Commands to Troubleshoot and Test SMTP Servers
- Securing Your MTA
- Sendmail
- Sendmail Pros and Cons
- Sendmail Architecture
- Obtaining and Installing Sendmail
- Sendmail on SUSE
- Red Hat Sendmail preparation
- Debian Sendmail preparation
- Configuring Sendmail: Overview
- Configuring sendmail.mc
- Some sendmail.mc m4 variable definitions
- Configuring Sendmail to Run Semichrooted
- Feature directives and databases
- Masquerading
- Applying your new configuration
- Configuring Sendmail's Maps and Other Files
- local-host-names
- Configuring the mailertable
- Configuring the access database
- Configuring virtusers
- Defining aliases
- Sendmail and SMTP AUTH
- Versions of Sendmail that support SMTP AUTH
- Obtaining Cyrus SASL
- Configuring SASL for server-server authentication
- Configuring SASL for client-server authentication
- Configuring Sendmail for server-server authentication
- Configuring Sendmail for client-server authentication
- Sendmail and STARTTLS
- Sendmail support for STARTTLS
- Getting keys and certificates
- Configuring Sendmail to use TLS
- Postfix
- Postfix Architecture
- Getting and Installing Postfix
- Postfix for the Lazy: A Quick-Start Procedure
- Configuring Postfix
- Hiding Internal Email Addresses by Masquerading
- Running Postfix in a chroot Jail
- Postfix Aliases, Revealed
- Keeping Out Unsolicited Commercial Email (UCE)
- Mail Delivery Agents
- Principles of MDA Security
- Which IMAP Server?
- Getting and installing Cyrus IMAP
- Configuring SASL
- Configuring SASL to use LDAP directly
- Configuring SASL to use LDAP via PAM
- Configuring Cyrus IMAP
- Using cyradm to Administer Cyrus IMAP
- Creating mailboxes with cyradm
- Cyrus IMAP ACLs (and Deleting Mailboxes)
- Configuring Postfix to deliver mail to Cyrus IMAP
- Next steps
- A Brief Introduction to Email Encryption
- PGP and GnuPG
- S/MIME
- Which Should You Use?
- Resources
- SMTP Information
- Sendmail Information
- Postfix Information
- IMAP Information
- Securing Web Servers
- Web Security
- What, When, and Where to Secure
- Some Principles
- The Web Server
- Build Time: Installing Apache
- Setting up your firewall
- Checking your Apache version
- Installation methods
- Linking methods
- Securing Apache's file hierarchy
- Logging
- Setup Time: Configuring Apache
- Apache configuration files
- Configuration options
- Robots and Spiders
- Web Content
- Static Content
- Dynamic Content: Server-Side Includes (SSI)
- SSI configuration
- Including files
- Executing commands
- Dynamic Content: Common Gateway Interface (CGI)
- Standalone and built-in CGI interpreters
- suEXEC
- Cgiwrap
- FastCGI
- Specifying CGI programs
- HTTP, URLs, and CGI
- CGI languages
- Web Applications
- Processing Forms
- PHP
- Perl
- Including Files
- PHP
- Perl
- Executing Programs
- PHP
- Perl
- Uploading Files from Forms
- PHP
- Perl
- Accessing Databases
- PHP
- Perl
- Authentication
- Basic authentication
- Digest authentication
- Safer authentication
- Access Control and Authorization
- Host-based access control
- Environment-variable access control
- User-based access control
- Combined access control
- SSL
- Sessions and Cookies
- PHP
- Perl
- Site Management: Uploading Files
- Not-so-good ideas
- Better ideas: ssh, scp, sftp, rsync
- DAV
- XML, Web Services, and REST
- Detecting and Deflecting Attackers
- Caches, Proxies, and Load Balancers
- Layers of Defense
- Resources
- Securing File Services
- FTP Security
- Principles of FTP Security
- Active mode versus passive mode FTP
- The case against nonanonymous FTP
- Tips for securing anonymous FTP
- Using ProFTPD for Anonymous FTP
- Getting ProFTPD
- ProFTPD modules
- Setting up the anonymous FTP account and its chroot jail
- General ProFTPD configuration
- Base-server and global settings
- Anonymous FTP setup
- Virtual-server setup
- Using vsftpd for Anonymous FTP
- Getting and installing vsftpd
- vsftpd's documentation
- Standalone daemon versus inetd/xinetd
- Configuring vsftpd for anonymous FTP
- Virtual servers
- Other File-Sharing Methods
- SFTP and scp
- rsync
- Getting, compiling, and installing rsync
- Running rsync over SSH
- Setting up an rsync server
- Using rsync to connect to an rsync server
- Tunneling rsync with Stunnel
- Resources
- System Log Management and Monitoring
- syslog
- Configuring syslog
- Facilities
- Priorities
- Actions
- More sophisticated selectors
- Running syslogd
- Syslog-ng
- Installing Syslog-ng from Binary Packages
- Replacing syslogd with Syslog-ng on SUSE
- Replacing syslogd with Syslog-ng on Fedora (Vidal's RPMs)
- Compiling and Installing Syslog-ng from Source Code
- Setting Syslog-ng's Startup Parameters
- Building a chroot jail for Syslog-ng
- Where to specify Syslog-ng's startup parameters
- Configuring Syslog-ng
- Global options
- Sources
- Destinations
- Filters
- Log statements
- Advanced Configurations
- Testing System Logging with logger
- Managing System Logfiles with logrotate
- Running logrotate
- Syntax of logrotate.conf and its included scripts
- Running logrotate
- Using Swatch for Automated Log Monitoring
- Installing Swatch
- Swatch Configuration in Brief
- Advanced Swatch Configuration
- Running Swatch
- Fine-Tuning Swatch
- Why You Shouldn't Configure Swatch Once and Forget About It
- Some Simple Log-Reporting Tools
- Resources
- Simple Intrusion Detection Techniques
- Principles of Intrusion Detection Systems
- Host-Based IDSes: Integrity Checkers
- NIDS: Scanning for Signatures Versus Anomalies
- Signature-based systems
- Anomaly-detection systems
- Using Tripwire
- Obtaining, Compiling, and Installing Tripwire
- Building from official source
- Building from patched source
- Installing
- Configuring Tripwire
- Managing the configuration file
- Editing or creating a policy
- Policy file structure and syntax
- Property masks
- Installing the policy file
- Running Tripwire Checks and Updates
- Updating Tripwire's database after violations or system changes
- Changing Tripwire's Policy
- Other Integrity Checkers
- Snort
- Obtaining, Compiling, and Installing Snort
- Getting Snort source code and binaries
- Installing Snort RPMs
- Compiling and installing Snort from source
- Making Snort feel at home after compiling and installing it
- Creating a database for Snort
- Using Snort as a Packet Sniffer
- Using Snort as a Packet Logger
- Configuring and Using Snort as an IDS
- Variable definitions
- Preprocessor plug-in statements
- Output (postprocessor) plug-in statements
- Rules
- Starting snort in IDS mode
- Testing Snort and watching its logs
- Snort analyzers
- Updating Snort's rules automatically
- Resources
- Two Complete iptables Startup Scripts
- Index
