book

Building Secure Servers with Linux

Name: Building Secure Servers with Linux
Author: Michael D. Bauer
ISBN: 9780596002176

by Michael D. Bauer

October 2002

Intermediate to advanced

448 pages

14h 54m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Building Secure Servers with Linux
Preface
What This Book Is About
The Paranoid Penguin Connection
Audience
What This Book Doesn’t Cover
Assumptions This Book Makes
Conventions Used in This Book
Request for Comments
Acknowledgments
1. Threat Modeling and Risk Management
Components of RiskAssetsSecurity GoalsData confidentialityData integritySystem integritySystem/network availabilityThreatsMotivesFinancial motivesPolitical motivesPersonal/psychological motivesVulnerabilities and Attacks Against Them

Simple Risk Analysis: ALEs
An Alternative: Attack Trees
Defenses
Asset DevaluationVulnerability MitigationAttack Mitigation
Conclusion
Resources
2. Designing Perimeter Networks
Some Terminology
Types of Firewall and DMZ Architectures
The “Inside Versus Outside” ArchitectureThe “Three-Homed Firewall” DMZ ArchitectureA Weak Screened-Subnet ArchitectureA Strong Screened-Subnet Architecture
Deciding What Should Reside on the DMZ
Allocating Resources in the DMZ
The Firewall
Types of FirewallSimple packet-filtersStateful packet-filteringStateful InspectionApplication-layer proxiesSelecting a FirewallGeneral Firewall Configuration GuidelinesHarden your firewall’s OSConfigure anti-IP-spoofing rulesDeny by defaultStrictly limit incoming trafficStrictly limit all traffic out of the DMZDon’t give internal systems unrestricted outbound accessIf you have the means, use an application-Gateway firewallDon’t be complacent about host security
3. Hardening Linux
OS Hardening PrinciplesInstalling/Running Only Necessary SoftwareCommonly unnecessary packagesDisabling services without uninstalling themKeeping Software Up to DateDistribution (global) updates versus per-package updatesWhither X-based updates?How to be notified of and obtain security updates: Red HatRPM updates for the extremely cautiousHow to be notified of and obtain security updates: SuSESuSE’s online-update featureHow to be notified of and obtain security updates: DebianDeleting Unnecessary User Accounts and Restricting Shell AccessRestricting Access to Known UsersRunning Services in chrooted FilesystemsMinimizing Use of SUID=rootIdentifying and dealing with SUID=root filesConfiguring, Managing, and Monitoring LogsEvery System Can Be Its Own Firewall: Using iptables for Local SecurityUsing iptables: preparatory stepsHow netfilter worksUsing iptablesChecking Your Work with ScannersTypes of scans and their usesWhy we (good guys) scannmap, world champion port scannerGetting and installing nmapUsing nmapSome simple port scansNessus, a full-featured security scannerSecurity Scanners ExplainedNessus’ architectureGetting and installing NessusNessus clientsRunning and maintaining nessusdPerforming security scans with NessusUnderstanding and Using Available Security FeaturesDocumenting Bastion Hosts’ Configurations
Automated Hardening with Bastille Linux
BackgroundHow Bastille came to beObtaining and Installing BastilleRunning BastilleSome Notes on InteractiveBastilleBastille’s LogsHooray! I’m Completely Secure Now! Or Am I?
4. Secure Remote Administration
Why It’s Time to Retire Clear-Text Admin Tools
Secure Shell Background and Basic Use
How SSH WorksGetting and Installing OpenSSHSSH Quick StartUsing sftp and scp for Encrypted File TransfersDigging into SSH ConfigurationConfiguring and Running sshd, the Secure Shell Daemon
Intermediate and Advanced SSH
Public-Key CryptographyAdvanced SSH Theory: How SSH Uses PK CryptoSetting Up and Using RSA and DSA AuthenticationMinimizing Passphrase Typing with ssh-agentPassphrase-less Keys for Maximum ScriptabilityUsing SSH to Execute Remote CommandsTCP Port Forwarding with SSH: VPN for the Masses!
Other Handy Tools
What’s Wrong with Being root?susudo
5. Tunneling
Stunnel and OpenSSL: ConceptsOpenSSLWhat a Certificate Authority does and why you might need oneHow to become a small-time CAGenerating and signing certificatesClient certificatesUsing StunnelA quick Stunnel exampleThe quick example, explained less quicklyAnother method for using Stunnel on the serverUsing Certificate Authenticationx.509 authentication exampleUsing Stunnel on the Server and Other SSL Applications on the ClientsOne final pointer on Stunnel: chrooting itOther Tunneling Tools
6. Securing Domain Name Services (DNS)
DNS Basics
DNS Security Principles
Selecting a DNS Software Package
Securing BIND
Making Sense out of BIND VersionsObtaining and Installing BINDPreparing to Run BIND (or, Furnishing the Cell)Provisioning a chroot jail for BIND v8Provisioning a chroot jail for BIND v9Invoking namedSecuring named.confacl{} sectionsGlobal options: The options{} sectionLoggingzone{} sectionsSplit DNS and BIND v9Zone File SecurityAdvanced BIND Security: TSIGS and DNSSECTransaction Signatures (TSIGs)Additional uses for TSIGsSources of BIND (and IS Security) Information
djbdns
What Is djbdns?Why not BIND?Choosing djbdns ServicesHow djbdns WorksInstalling djbdnsInstalling the service manager: daemontoolsInstalling djbdns itselfInstalling an internal cache: dnscacheInstalling an external cache: dnscachexInstalling a DNS server: tinydnsRunning tinydnsHelper applicationsThe tinydns-data formattinydns data referenceRunning djbdns client programsCoexisting with BINDInstalling ucspi-tcpRunning axfr-getInstalling axfrdnsRunning axfrdnsEncrypting Zone Transfers with rsync and sshMigrating from BIND
Resources
General DNS Security ResourcesSome DNS-related RFCs (available at )Some DNS/BIND security advisories (available at http://www.cert.org)BIND Resourcesdjbdns Resources
7. Securing Internet Email
Background: MTA and SMTP SecurityEmail Architecture: SMTP Gateways and DMZ NetworksSMTP SecurityUnsolicited Commercial EmailSMTP AUTH
Using SMTP Commands to Troubleshoot and Test SMTP Servers
Securing Your MTA
Sendmail
Sendmail Pros and ConsSendmail ArchitectureObtaining and Installing SendmailSuSE Sendmail preparationRed Hat Sendmail preparationDebian Sendmail preparationConfiguring Sendmail: OverviewConfiguring sendmail.mcSome sendmail.mc m4 variable definitionsConfiguring Sendmail to Run SemichrootedFeature directivesMasqueradingApplying your new configurationConfiguring Sendmail’s Maps and Other Fileslocal-host-namesConfiguring the mailertableConfiguring the access databaseConfiguring virtusersDefining aliasesSendmail and SMTP AUTHVersions of Sendmail that support SMTP AUTHObtaining Cyrus SASLConfiguring SASL for server-server authenticationConfiguring SASL for client-server authenticationConfiguring Sendmail for server-server authenticationConfiguring Sendmail for client-server authenticationSendmail and STARTTLSVersions of Sendmail that support STARTTLSGetting keys and certificatesConfiguring Sendmail to Use TLS
Postfix
Postfix ArchitectureGetting and Installing PostfixPostfix for the Lazy: A Quick-Start ProcedureConfiguring PostfixHiding Internal Email Addresses by MasqueradingRunning Postfix in a chroot JailPostfix Aliases, RevealedKeeping out Unsolicited Commercial Email (UCE)
Resources
SMTP InformationSendmail InformationPostfix Information
8. Securing Web Services
Web Server SecurityProblems and GoalsWhat, When, and Where to SecureSome Principles
Build Time: Installing Apache
Starting InstallationSetting up Your firewallChecking Your Apache versionInstallation MethodsRPM installationSource installationLinking methodsSecuring Apache’s File Hierarchy
Setup Time: Configuring Apache
Apache Configuration FilesConfiguration OptionsUser and groupFiles and directoriesListenContainers: Directory, Location, and FilesOptionsResource limitsUser directoriesStatic ContentDynamic Content: Server-Side Includes (SSI)SSI configurationIncluding filesExecuting commandsDynamic Content: Common Gateway Interface (CGI)Standalone and built-in CGI interpretersSpecifying CGI programssuEXECFastCGI
Runtime: Securing CGI Scripts
HTTP, URLs, and CGIHEAD methodOPTIONS methodGET methodPOST methodPUT methodCGI LanguagesPHPPerlProcessing Form DataPHPPerlIncluding FilesPHPPerlExecuting ProgramsPHPPerlUploading Files from FormsPHPPerlAccessing DatabasesPHPPerlChecking Other ScriptsContinuing Care
Special Topics
AuthenticationBasic authenticationDigest authenticationSafer authenticationAccess Control and AuthorizationHost-based access controlEnvironment-variable access controlUser-based access controlCombined access controlSSLSessions and CookiesPHPPerlSite Management: Uploading FilesNot-so-good ideasBetter ideas: ssh, scp, sftp, rsyncWebDAVNew Frameworks: SOAP, Web Services, and RESTRobots and SpidersDetecting and Deflecting AttackersCaches, Proxies, and Load BalancersLogging
Other Servers and Web Security
Web ServersApplication Servers
9. Securing File Services
FTP SecurityPrinciples of FTP SecurityActive mode versus passive mode FTPThe case against nonanonymous FTPTips for securing anonymous FTPUsing ProFTPD for Anonymous FTPGetting ProFTPDInetd/Xinetd Versus standalone modeProFTPD modulesSetting up the anonymous FTP account and its chroot jailGeneral ProFTPD configurationBase-server and global settingsAnonymous FTP setupVirtual-server setup
Other File-Sharing Methods
SFTP and scprsyncGetting, compiling, and installing rsyncRunning rsync over SSHSetting up an rsync serverUsing rsync to connect to an rsync serverTunneling rsync with Stunnel
Resources
10. System Log Management and Monitoring
syslogConfiguring syslogFacilitiesPrioritiesActionsMore sophisticated selectorsRunning syslogd
Syslog-ng
Compiling and Installing Syslog-ng from Source CodeRunning syslog-ngConfiguring Syslog-ngGlobal optionsSourcesDestinationsFiltersLog statementsAdvanced Configurations
Testing System Logging with logger
Managing System-Log Files
Log Management in Red Hat 7 and Debian 2.2: /sbin/logrotateSyntax of logrotate.conf and its included scriptsRunning logrotateLog Management in SuSE 7
Using Swatch for Automated Log Monitoring
Installing Swatchswatch Configuration in BriefAdvanced swatch ConfigurationRunning swatchFine-Tuning swatchWhy You Shouldn’t Configure swatch Once and Forget About It
Resources
11. Simple Intrusion Detection Techniques
Principles of Intrusion Detection SystemsHost-Based IDSes: Integrity CheckersNIDS: Scanning for Signatures Versus AnomaliesSignature-based systemsAnomaly-detection systems
Using Tripwire
Obtaining, Compiling, and Installing TripwireConfiguring TripwireManaging the configuration fileEditing or creating a policyPolicy file structure and syntaxProperty masksInstalling the policy fileRunning Tripwire Checks and UpdatesUpdating Tripwire’s database after violations or system changesChanging Tripwire’s Policy
Other Integrity Checkers
Snort
Obtaining, Compiling, and Installing SnortGetting Snort source code and binariesInstalling Snort RPMsCompiling and installing Snort from sourceMaking Snort at home after compiling and installing itCreating a database for SnortUsing Snort as a Packet SnifferUsing Snort as a Packet LoggerConfiguring and Using Snort as an IDSVariable definitionsPreprocessor plug-in statementsOutput (postprocessor) plug-in statementsRulesStarting snort in IDS modeTesting Snort and watching its logsUpdating Snort’s rules automatically
Resources
A. Two Complete Iptables Startup Scripts
Index
Colophon

Content preview from Building Secure Servers with Linux

Syslog-ng

As useful and ubiquitous as syslog is, it’s beginning to show its age. Modern Unix and Unix-like systems are considerably more complex than they were when syslog was invented, and they have outgrown both syslog’s limited facilities and its primitive network-forwarding functionality.

Syslog-ng (“syslog new generation”) is an attempt to increase syslog’s flexibility by adding better message filtering, better forwarding, and eventually (though not quite yet), message integrity and encryption. In addition, Syslog-ng supports remote logging over both the TCP and UDP protocols. Syslog-ng is the brainchild of and is primarily developed and maintained by Balazs (“Bazsi”) Scheidler.

Lest you think Syslog-ng is untested or untrusted, it’s already been incorporated into Debian GNU/Linux 2.2 “Potato” as a binary package (in the “admin” section). Syslog-ng is in fact both stable and popular. Furthermore, even though its advanced security features are still works in progress, Syslog-ng can be used in conjunction with TCP “tunneling” tools such as stunnel and ssh to authenticate or encrypt log messages sent to remote hosts.

Compiling and Installing Syslog-ng from Source Code

The non-Debian users among you may not wish to wait for your distribution of choice to follow suit with its own binary package of Syslog-ng. Let’s start, then, with a brief description of how to compile and install Syslog-ng from source.

First, you need to obtain the latest Syslog-ng source code. As of this writing, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

CCNP Security Firewall 642-617 Quick Reference

Integrated Security Technologies and Solutions - Volume II: Cisco Security Solutions for Network Access Control, Segmentation, Context Sharing, Secure Connectivity and Virtualization

Chad Mitchell, Jamie Sanbower, Aaron Woland, Vivek Santuka

Publisher Resources

ISBN: 0596002173Catalog Page Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Building Secure Servers with Linux

by Michael D. Bauer

Syslog-ng

Compiling and Installing Syslog-ng from Source Code

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.