book

Linux Server Security, Second Edition

Name: Linux Server Security, Second Edition
Author: Michael D. Bauer
ISBN: 9780596006709

by Michael D. Bauer

January 2005

Intermediate to advanced

544 pages

23h 44m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Table of Contents
Preface
What This Book Is About
The Paranoid Penguin Connection
The Second Edition
Audience
What This Book Doesn’t Cover
Assumptions This Book Makes
Organization of This Book
Conventions Used in This Book
Safari® Enabled
How to Contact UsUsing Code Examples
Acknowledgments
Threat Modeling and Risk Management

Components of Risk
Assets
Security Goals
Data confidentialityData integritySystem integritySystem/network availability
Threats
Motives
Financial motivesPolitical motivesPersonal/psychological motives
Vulnerabilities and Attacks Against Them
Simple Risk Analysis: ALEs
An Alternative: Attack Trees
Defenses
Asset Devaluation
Vulnerability Mitigation
Attack Mitigation
Conclusion
Resources
Designing Perimeter Networks
Some Terminology
Types of Firewall and DMZ Architectures
The “Inside Versus Outside” Architecture
The “Three-Homed Firewall” DMZ Architecture
A Weak Screened-Subnet Architecture
A Strong Screened-Subnet Architecture
Deciding What Should Reside on the DMZ
Allocating Resources in the DMZ
The Firewall
Types of FirewallSimple packet filtersStateful packet filteringStateful InspectionApplication-layer proxies
Selecting a Firewall
General Firewall Configuration Guidelines
Harden your firewall’s OSConfigure anti-IP-spoofing rulesDeny by defaultStrictly limit incoming trafficStrictly limit all traffic out of the DMZDon’t give internal systems unrestricted outbound accessIf you have the means, use an application-gateway firewallDon’t be complacent about host security
Hardening Linux and Using iptables
OS Hardening Principles
Installing/Running Only Necessary Software (1/2)
Commonly unnecessary packagesDisabling services in Red Hat and related distributions
Installing/Running Only Necessary Software (2/2)
Disabling services in SUSEDisabling services in Debian 3.0Disabling services in other Linux distributions
Keeping Software Up to Date (1/4)
Distribution (global) updates versus per-package updatesWhither X-based updates?How to be notified of and obtain security updates: Red Hat
Keeping Software Up to Date (2/4)
RPM updates for the extremely cautiousYum: a free alternative to up2date
Keeping Software Up to Date (3/4)
How to be notified of and obtain security updates: SUSESUSE’s online-update feature
Keeping Software Up to Date (4/4)
How to be notified of and obtain security updates: Debian
Deleting Unnecessary User Accounts and Restricting Shell Access
Restricting Access to Known Users
Running Services in chrooted Filesystems
Minimizing Use of SUID root
Identifying and dealing with SUID root files
Using su and sudoUsing suUsing sudo
Configuring, Managing, and Monitoring Logs
Every System Can Be Its Own Firewall: Using iptables for Local SecurityUsing iptables: Preparatory stepsHow netfilter works
Using iptables
Checking Your Work with Scanners (1/4)
Types of scans and their usesWhy we (good guys) scannmap, world champion port scannerGetting and installing nmapUsing nmap
Checking Your Work with Scanners (2/4)
Some simple port scansNessus, a full-featured security scannerSecurity scanners explainedNessus’s architecture
Checking Your Work with Scanners (3/4)
Getting and installing NessusNessus clientsPerforming security scans with Nessus
Checking Your Work with Scanners (4/4)
Understanding and Using Available Security Features
Documenting Bastion Hosts’ Configurations
Automated Hardening with Bastille Linux
Background
How Bastille came to beObtaining and Installing Bastille
Running Bastille
Some Notes on InteractiveBastille
Bastille’s Logs
Hooray! I’m Completely Secure Now! Or Am I?
Secure Remote Administration
Why It’s Time to Retire Cleartext Admin Tools
Secure Shell Background and Basic Use
How SSH Works
Getting and Installing OpenSSH
SSH Quick Start
Using sftp and scp for Encrypted File Transfers
Digging into SSH Configuration
Configuring and Running sshd, the Secure Shell Daemon
Intermediate and Advanced SSH
Public-Key Cryptography
Advanced SSH Theory: How SSH Uses PK Crypto
Setting Up and Using RSA and DSA Authentication
Minimizing Passphrase Typing with ssh-agent
Passphrase-Less Keys for Maximum Scriptability
Using SSH to Execute Remote Commands
TCP Port Forwarding with SSH: VPN for the Masses!
OpenSSL and Stunnel
Stunnel and OpenSSL: Concepts
OpenSSL (1/2)
What a Certificate Authority does and why you might need oneHow to become a small-time CA
OpenSSL (2/2)
Creating CA-signed certificatesCreating self-signed certificates
Client certificates
Using Stunnel (1/2)A quick Stunnel example
Using Stunnel (2/2)
Explanation of the example stunnel.conf settingsSome security-enhancing global settingsAnother method for using Stunnel on the server
Using Certificate Authentication
X.509 authentication example
Using Stunnel on the Server and Other SSL Applications on the Clients
Other Tunneling Tools
Resources
Securing Domain Name Services (DNS)
DNS Basics
DNS Security Principles
Selecting a DNS Software Package
Securing BIND
Making Sense out of BIND Versions
Obtaining and Installing BIND
Preparing to Run BIND (or, Furnishing the Cell) (1/2)
Provisioning a chroot jail for BIND v8Provisioning a chroot jail for BIND v9Invoking named
Preparing to Run BIND (or, Furnishing the Cell) (2/2)
Securing named.conf (1/2)
acl{} sectionsGlobal options: The options{} sectionLogging
Securing named.conf (2/2)
zone{} sectionsSplit DNS and BIND v9
Zone File Security
Advanced BIND Security: TSIGS and DNSSEC
Transaction Signatures (TSIGs)Additional uses for TSIGs
Sources of BIND (and IS Security) Information
djbdns
What Is djbdns?
Why not BIND?
Choosing djbdns Services
How djbdns Works
Installing djbdns
Installing the service manager: daemontoolsInstalling djbdns itselfInstalling an internal cache: dnscacheInstalling an “external” cache: dnscachexInstalling an “external” forwarding cacheSplit horizonInstalling a DNS server: tinydns
Running tinydns
Helper applicationsThe tinydns-data formattinydns-data reference
Running djbdns client programs
Coexisting with BIND
Installing ucspi-tcpRunning axfr-get
Installing axfrdns
Running axfrdnsEncrypting Zone Transfers with rsync and ssh
Migrating from BIND
Resources
General DNS Security Resources
Some DNS-related RFCs (available at http://www.rfc-editor.org)Some DNS/BIND security advisories (available at http://www.cert.org)BIND Resources
djbdns Resources
Using LDAP for Authentication
LDAP Basics
Directory-Services Protocols
Hierarchies and Naming Conventions
Setting Up the Server
Getting and Installing OpenLDAP
Configuring and Starting slapd
TLS for Secure LDAP Transactions
slapd Startup Options for TLS
Testing
LDAP Schema
Creating Your First LDAP Record
LDAP Database Management
Database StructureSchema and user records
Building and Adding Records
Creating Passwords
Access Controls
Conclusions
Resources
Database Security
Types of Security Problems
Server Location
Secure Remote Administration
VPN to the serverssh to the serverTunneling a local port to the serverUsing the Web
Server Installation
Choosing a VersionInstalling and Configuring the Server and Clients
Files
Setting the MySQL root User Password
Deleting Anonymous Users and Test Databases
Creating MySQL User Accounts and Privileges
Checking Your Server
The MySQL Configuration File
Database Operation
MySQL Table Types
Loading Datafiles
Writing Data to FilesViewing Database ThreadsKilling Database Threads
Stopping the Server
BackupsLoggingReplicationQueries
SQL Injection
Resources
Securing Internet Email
Background: MTA and SMTP Security
Email Architecture: SMTP Gateways and DMZ Networks
SMTP Security
Unsolicited Commercial Email
SMTP AUTH
Using SMTP Commands to Troubleshoot and Test SMTP Servers
Securing Your MTA
Sendmail
Sendmail Pros and Cons
Sendmail Architecture
Obtaining and Installing Sendmail
Sendmail on SUSERed Hat Sendmail preparationDebian Sendmail preparation
Configuring Sendmail: Overview
Configuring sendmail.mcSome sendmail.mc m4 variable definitions
Configuring Sendmail to Run Semichrooted
Feature directives and databasesMasquerading
Applying your new configuration
Configuring Sendmail’s Maps and Other Fileslocal-host-namesConfiguring the mailertableConfiguring the access databaseConfiguring virtusersDefining aliases
Sendmail and SMTP AUTH (1/2)
Versions of Sendmail that support SMTP AUTHObtaining Cyrus SASLConfiguring SASL for server-server authentication
Sendmail and SMTP AUTH (2/2)
Configuring SASL for client-server authenticationConfiguring Sendmail for server-server authenticationConfiguring Sendmail for client-server authentication
Sendmail and STARTTLS
Sendmail support for STARTTLSGetting keys and certificatesConfiguring Sendmail to use TLS
Postfix
Postfix Architecture
Getting and Installing Postfix
Postfix for the Lazy: A Quick-Start Procedure
Configuring Postfix
Hiding Internal Email Addresses by Masquerading
Running Postfix in a chroot Jail
Postfix Aliases, Revealed
Keeping Out Unsolicited Commercial Email (UCE)
Mail Delivery Agents
Principles of MDA Security
Which IMAP Server?
Getting and installing Cyrus IMAP
Configuring SASL
Configuring SASL to use LDAP directlyConfiguring SASL to use LDAP via PAMConfiguring Cyrus IMAP
Using cyradm to Administer Cyrus IMAP
Creating mailboxes with cyradm
Cyrus IMAP ACLs (and Deleting Mailboxes)
Configuring Postfix to deliver mail to Cyrus IMAPNext steps
A Brief Introduction to Email Encryption
PGP and GnuPG
S/MIME
Which Should You Use?
ResourcesSMTP Information
Sendmail Information
Postfix Information
IMAP Information
Securing Web Servers
Web Security
What, When, and Where to Secure
Some Principles
The Web Server
Build Time: Installing Apache (1/2)
Setting up your firewallChecking your Apache versionInstallation methodsLinking methodsSecuring Apache’s file hierarchy
Build Time: Installing Apache (2/2)
Logging
Setup Time: Configuring Apache
Apache configuration filesConfiguration options
Robots and Spiders
Web ContentStatic Content
Dynamic Content: Server-Side Includes (SSI)
SSI configuration
Including files
Executing commandsDynamic Content: Common Gateway Interface (CGI) (1/2)Standalone and built-in CGI interpreterssuEXECCgiwrapFastCGISpecifying CGI programsHTTP, URLs, and CGI
Dynamic Content: Common Gateway Interface (CGI) (2/2)
CGI languages
Web Applications
Processing FormsPHPPerl
Including Files
PHPPerl
Executing Programs
PHPPerlUploading Files from FormsPHPPerl
Accessing Databases
PHP
Perl
AuthenticationBasic authenticationDigest authenticationSafer authentication
Access Control and Authorization
Host-based access controlEnvironment-variable access controlUser-based access controlCombined access control
SSL
Sessions and CookiesPHP
Perl
Site Management: Uploading FilesNot-so-good ideasBetter ideas: ssh, scp, sftp, rsyncDAV
XML, Web Services, and REST
Detecting and Deflecting Attackers
Caches, Proxies, and Load Balancers
Layers of DefenseResources
Securing File Services
FTP Security
Principles of FTP Security (1/2)
Active mode versus passive mode FTPThe case against nonanonymous FTPTips for securing anonymous FTP
Principles of FTP Security (2/2)
Using ProFTPD for Anonymous FTP (1/3)
Getting ProFTPDProFTPD modulesSetting up the anonymous FTP account and its chroot jailGeneral ProFTPD configuration
Using ProFTPD for Anonymous FTP (2/3)
Base-server and global settings
Using ProFTPD for Anonymous FTP (3/3)
Anonymous FTP setupVirtual-server setup
Using vsftpd for Anonymous FTP (1/2)
Getting and installing vsftpdvsftpd’s documentationStandalone daemon versus inetd/xinetdConfiguring vsftpd for anonymous FTP
Using vsftpd for Anonymous FTP (2/2)
Virtual servers
Other File-Sharing Methods
SFTP and scp
rsync (1/3)
Getting, compiling, and installing rsyncRunning rsync over SSHSetting up an rsync server
rsync (2/3)
rsync (3/3)
Using rsync to connect to an rsync serverTunneling rsync with Stunnel
Resources
System Log Management and Monitoring
syslog
Configuring syslog (1/2)
FacilitiesPrioritiesActionsMore sophisticated selectors
Configuring syslog (2/2)
Running syslogd
Syslog-ng
Installing Syslog-ng from Binary PackagesReplacing syslogd with Syslog-ng on SUSE
Replacing syslogd with Syslog-ng on Fedora (Vidal’s RPMs)
Compiling and Installing Syslog-ng from Source Code
Setting Syslog-ng’s Startup Parameters
Building a chroot jail for Syslog-ngWhere to specify Syslog-ng’s startup parameters
Configuring Syslog-ng (1/3)
Global optionsSources
Configuring Syslog-ng (2/3)
DestinationsFilters
Configuring Syslog-ng (3/3)
Log statements
Advanced Configurations
Testing System Logging with logger
Managing System Logfiles with logrotate
Running logrotate
Syntax of logrotate.conf and its included scripts
Running logrotate
Using Swatch for Automated Log Monitoring
Installing Swatch
Swatch Configuration in Brief
Advanced Swatch Configuration
Running Swatch
Fine-Tuning Swatch
Why You Shouldn’t Configure Swatch Once and Forget About It
Some Simple Log-Reporting Tools
Resources
Simple Intrusion Detection Techniques
Principles of Intrusion Detection Systems
Host-Based IDSes: Integrity Checkers
NIDS: Scanning for Signatures Versus Anomalies
Signature-based systemsAnomaly-detection systems
Using Tripwire
Obtaining, Compiling, and Installing TripwireBuilding from official sourceBuilding from patched sourceInstalling
Configuring Tripwire (1/2)
Managing the configuration fileEditing or creating a policyPolicy file structure and syntax
Configuring Tripwire (2/2)
Property masksInstalling the policy file
Running Tripwire Checks and Updates
Updating Tripwire’s database after violations or system changes
Changing Tripwire’s Policy
Other Integrity Checkers
Snort
Obtaining, Compiling, and Installing SnortGetting Snort source code and binariesInstalling Snort RPMsCompiling and installing Snort from sourceMaking Snort feel at home after compiling and installing itCreating a database for Snort
Using Snort as a Packet Sniffer
Using Snort as a Packet Logger
Configuring and Using Snort as an IDS (1/2)
Variable definitionsPreprocessor plug-in statementsOutput (postprocessor) plug-in statementsRulesStarting snort in IDS modeTesting Snort and watching its logs
Configuring and Using Snort as an IDS (2/2)
Snort analyzersUpdating Snort’s rules automatically
Resources
Two Complete iptables Startup Scripts (1/3)
Two Complete iptables Startup Scripts (2/3)
Two Complete iptables Startup Scripts (3/3)
Index (1/5)
Index (2/5)
Index (3/5)
Index (4/5)
Index (5/5)

Content preview from Linux Server Security, Second Edition

This is the Title of the Book, eMatter Edition

Chapter 3: Hardening Linux and Using iptables

(Note that your named startup script may have a different name and exist in differ-

ent or additional subdirectories of /etc/rc.d.)

Keeping Software Up to Date

It isn’t enough to weed out unnecessary software: all software that remains, includ-

ing both the operating system itself and “user-space” applications, must be kept up

to date. This is a more subtle problem than you might think, since many Linux dis-

tributions offer updates on both a package-by-package basis (e.g., the Red Hat Errata

web site) and in the form of new distribution revisions (e.g., new CD-ROM sets).

What, then, constitutes “up to date”? Does it mean you must immediately upgrade

your entire system every time your distribution of choice releases a new set of CD-

ROMs? Or is it okay simply to check the distribution’s web page every six months or

so? In my opinion, neither extreme is a good approach.

Distribution (global) updates versus per-package updates

The good news is that it’s seldom necessary to upgrade a system completely just

because the distribution on which it’s based has undergone an incremental revision

(e.g., 7.2

➝ 7.3). The bad news is that updates to individual packages should proba-

bly be applied much more frequently than that; if you have one or more ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0596006705Catalog Page Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Linux Server Security, Second Edition

by Michael D. Bauer

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Building Secure Servers with Linux

Linux Hardening in Hostile Networks: Server Security from TLS to Tor

Linux Security Cookbook

Practical Linux Security Cookbook - Second Edition

Publisher Resources