Linux Security Cookbook

timothy posted more than 11 years ago | from the paranoid-naked-chef dept.

Security 131

Charles McColm writes "As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows. The truth is, I've never really paid much attention to Linux security, even on the Linux router I had running for a year. I always knew I should be concerned about security, but I never found a good starting point until I decided to review O'Reilly's Linux Security Cookbook (LSC)." Read on below for Charles' review.

As the title suggests, LSC is a series of different Linux security "recipes." I found the cookbook-style of presentation both good and bad. Some recipes were a breeze to follow (such as the gpg recipes). Other recipes I felt could have been ordered a little better. The ipchains/iptables recipes in Chapter 2 are terrific, but I had to wait until the 19th recipe in the chapter to find out how to make the ipchains/iptables recipes stick. Though it makes sense to have saving a firewall configuration near the end of the chapter, I would have put the information after the first few recipes.

The only chapter that I glossed over was Chapter 4, "Authentication Techniques and Infrastructures." Chapter 4 covers Linux-PAM, OpenSSL and Kerberos. The chapter begins with a recipe for creating a PAM-aware application. I started to type in the C code but stopped a few lines from the end; it just didn't make sense for me to have this knowledge at this time. The introduction at the beginning of Chapter 4 is very good, but on the whole it is one of those chapters I've slotted for future reference. OpenSSH is discussed at the beginning of Chapter 4 but covered in more detail (an entire chapter) in Chapter 6.

The chapters I found most useful were those on intrusion detection systems (Chapter 1) and GPG (Chapters 7 & 8). Actually, I found almost all of LSC useful except the previously noted Chapter 4. Some of the programs covered in the recipes I had never heard of before, John the Ripper for example. Other recipes cover programs I know I should check out (like Snort) but have never taken the time to.

LSC is for the most part very easy to follow. The authors have been very careful to mention when software (snort for example) might or might not be included and how to find and install it. I got tripped up a little in the first chapter (which covers tripwire), because I tried downloading and compiling the tripwire source found at the tripwire web site. I obtained the source from a couple of recommended sites. In one instance tripwire failed to compile correctly; in another it compiled but kept segfaulting when I tried to initialize the database. It wasn't until after I emailed O'Reilly that I saw the mention further on in Chapter 1 that tripwire is included with Red Hat Linux. One of the authors, Daniel J. Barrett, also emailed me to tell me that it was on the third CD - doh! The upside of this little tale is that I got to know aide (another intrusion detection system) a little better after I installed it on my Debian-based notebook.

I happen to think that computer books are overpriced. I have bought a number of $50-$90 computer books that ended up being doorstops after about a month and useless after a couple of years. Because of this experience I am a bit more stingy when shelling out for a computer book. Though I hate reading online documentation (I wear glasses and cannot stare at text on the screen for a long time), I have forced myself to read a lot more online documentation over the past year. This is one instance where I would be willing to shell out the $61.95 Canadian for a book. The Linux Security Cookbook covers a wide range of potential security problems and it presents its solutions such that each takes only a few minutes to implement.

I've saved what is actually covered in LSC for the end of this review. My intention in this review has been mainly to present my experience with LSC, so that other members who are also still desktop users, or who have never really been concerned with Linux security issues, can take away the fact that despite a few sticking points I found this book to be a great source of information on different Linux security issues. For those concerned with the meat of the book, here's how it breaks down:

1. System Snapshots with Tripwire
2. Firewalls with iptables and ipchains
3. Network Access Control (xinetd, inetd, preventing DoS attacks)
4. Authentication Techniques and Infrastructures (PAM, SSL, Kerberos)
5. Authorization Controls (su and sudo)
6. Protecting Outgoing Network Connections (OpenSSH)
7. Protecting Files (permissions, GPG)
8. Protecting Email (all popular mail user agents, SSL and SSH)
9. Testing and Monitoring (John the Ripper, Cracklib, Snort, tcpdump, syslog)

You really need to have a good look at the table of contents to get an idea of all this book covers. I have written about it from a desktop-user standpoint, but there are so many recipes that I couldn't cover everything. There are many great code snippets that more advanced users would find useful.

If you don't have an intrusion detection system, need to grant some of your users limited root privileges, have been using the default firewall rules (or don't have a clue about iptables/ipchains), or haven't checked your system for root kits or insecure protocols, then the Linux Security Cookbook should be at the top of your reading list.

You can purchase the Linux Security Cookbook from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

But where is the recipe for (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6501350)

Microwave BBQ ribs? That's what every Linux geek needs in a cookbook, a fast way to make ribs.

Early post! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6501360)

the syphilitic donkeyfucker approves.

A linux user cooking? (0, Funny)

Anonymous Coward | more than 11 years ago | (#6501375)

What's he doing... boiling water? Or making top ramen?

How is SCO's Lawsuit affecting sales of Linux? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6501377)

If I were a CIO or CTO debating the TCO of *nix vs. Win2K3 to a CEO, would IBM vs. SCO be the TKO that stops the CEO from approving A/P to pay my PO for RH's LGX?

FWIW, even if OSS is FAIB, if the DOJ considers *nix IP with a TM, then it basically become's SCO's LIC, meaning our OSS becomes a CSS OS, which would RSTBO.

AIBO going w/ an ASP that manages our OS? BTA, we might end up w/ a BOFH giving us ZA, which WWAD PMS.

AFAIK, INMP if SCO wants to be ITM by enforcing its supposed IPR - *nix IP should be PD or GNU, like BSD just on GP, IYKWIM. I keep asking myself in this situation - WWLD?

Oh, BTW - IITYWIMWYBMAD?

LSC... (-1, Flamebait)

krog (25663) | more than 11 years ago | (#6501400)

SUCKS!!!!!!!

(if you know, you know)

Re:LSC... (-1)

Anonymous Coward | more than 11 years ago | (#6501489)

but does it suck...in stereo?

running Linux problem (0, Flamebait)

Anonymous Coward | more than 11 years ago | (#6501412)

I don't want to start a holy war here, but what is the deal with you Linux fanatics? I've been sitting here at my freelance gig in front of a Mac running Linux (an 8600/300 w/64 Megs of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium Pro 200 running NT 4, which by all standards should be a lot slower than this Mac, the same operation would take about 2 minutes. If that.

In addition, during this file transfer, Netscape will not work. And everything else has ground to a halt. Even BBEdit Lite is straining to keep up as I type this.

I won't bore you with the laundry list of other problems that I've encountered while working on various Macs running Linux, but suffice it to say there have been many, not the least of which is I've never seen a Mac that has run faster than its Wintel counterpart, despite the Macs' faster chip architecture. My 486/66 with 8 megs of ram runs faster than this 300 mhz machine at times. From a productivity standpoint, I don't get how people can claim that the Macintosh running Linux is superior.

Linux addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a Mac over other faster, cheaper, more stable systems.

Re:running Linux problem (-1, Offtopic)

geckofiend (314803) | more than 11 years ago | (#6501480)

Linux != Mac

Why would a Linux "addict" flame you over using or not using Mac hardware. Put Linux on your POS home hardware then compare the differences troll-boy.

Re:running Linux problem (-1)

Anonymous Coward | more than 11 years ago | (#6501558)

YHBT. YHL. HAND

The 2nd funniest math joke evar!!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6501491)

Q: Why is six scared?

A: Because seven ate nine!!![*]

(Alternate slashdot punchline : "A:Because free for five!")

Re:The 2nd funniest math joke evar!!! (0)

Anonymous Coward | more than 11 years ago | (#6501591)

>Q: Why is six scared?

>A: Because seven ate nine!!![*]

A: Or because nine ate seven (987, code for murder).

Re:The 2nd funniest math joke evar!!! (0)

Anonymous Coward | more than 11 years ago | (#6501628)

If you're talking about the code from demolition man, wasn't it 187?

Re:The 2nd funniest math joke evar!!! (0)

Anonymous Coward | more than 11 years ago | (#6501719)

eeeeeyowtch!!! reamed for BOTH offtopic AND overrated! Just for some silly joke. It didn't even have a goatse [goatse.cx] link in it!

Re:running Linux problem (1)

damballah (691477) | more than 11 years ago | (#6502095)

This troll has become quite popular...

bastille script (5, Interesting)

stonebeat.org (562495) | more than 11 years ago | (#6501415)

if you really wanna learn about securing linux, looking at the bastille script for securing linux is a good idea. you can go through the script and see what checks are being performed and things like that.

WITH /.'S TENDENCIES, SHOULDN'T IT BE "COCKBOOK"? (-1)

Subject Line Troll (581198) | more than 11 years ago | (#6501775)

Re:bastille script (0)

Anonymous Coward | more than 11 years ago | (#6501948)

"bastille script"?

Bah! I shall freedom fork it as Alcatraz Script.

Re:bastille script More info and link (3, Informative)

maggotbrain_777 (450700) | more than 11 years ago | (#6502261)

For those of you who aren't familiar with Bastille, check out its site at Bastille Linux site [bastille-linux.org]. They have links for Redhat and Debian distros as well as HP-UX and Mac OS X.
There is also some info out at Bastille-Linux Scripts to Secure Linux and HP-UX [sans.org]

Bastille + books better (5, Informative)

Ubl (663671) | more than 11 years ago | (#6502339)

Bastille is a great tool, but it's no match for understanding what you're doing. It has really nice explanations of all the things it could do, but it doesn't actually show you how to do them. Also, it doesn't do well with non-recent installs, and if you end up installing software later that could have been modified by bastille, it's too late to change the config.

If you want to do it right, you want to learn about how to secure your machine yourself. That means not being scared by configuration files, and knowing how to use netstat on the command line to find the servers you're running, knowing what inetd or xinetd do, etc. bastille won't teach you that.

(I'm not dissing Bastille - it does exactly what it is supposed to do, but it's not a teacher, it's a tool.)

The only linux security books out there that are worth their salt are hacking linux exposed, 2nd edition [hackinglinuxexposed.com], followed by the Linux Firewalls, 2nd edition [linux-firewall-tools.com] book. The former doesn't have enough space to cover firewalls in enough depth, while the latter fills that need perfectly.

If you want a lot of disjointed hacks, the recent O'Reilly hacks books are good fun. I learned a lot from the google hacks book, for example. However they are far from comprehensive (that's not their mandate) and this cookbook really should have been in the *hacks line. Their building secure servers with linux book falls into the same hole - it was based on linux journal entries, and is not a comprehensive security book.

If you want to learn about linux security in a complete fashion, HLE and LF are the only contenders.

(I'd also vote for the Linux Security [hackinglinuxexposed.com] newsletter which was mentioned below by an AC. Very good. Of course, it falls into the small tidbits of wisdom camp, rather than being a complete solution/education, but that's what you expect in a mailing list.)

At least... (-1, Redundant)

deman1985 (684265) | more than 11 years ago | (#6501424)

there's a book out there now that the Linux newbies can use to setup their box properly without leaving the gaping security holes that some distros have by default

Security isn't something you "cook" (4, Insightful)

cxreg (44671) | more than 11 years ago | (#6501429)

Sure you can learn a few tricks about current versions of software, but that's no substitute for staying up to date and UNDERSTANDING the software you run, in addition to watching security related mailing lists and newsgroups.

System administration isn't easy, that's why they make big dollars.

Re:Security isn't something you "cook" (1)

BlueTrin (683373) | more than 11 years ago | (#6501462)

I think that you mean "security consultants" by "system administration" because the admins who work for a fixed company do not make that much money.

Re:Security isn't something you "cook" (0)

Anonymous Coward | more than 11 years ago | (#6501573)

I would disagree, I'm a "Systems Administrator" and make 100K...

Re:Security isn't something you "cook" (3, Funny)

Anonymous Coward | more than 11 years ago | (#6501755)

a pittance compared to what us phone support helpdesk types make. that's where the real money is.

Re:Security isn't something you "cook" (0)

Anonymous Coward | more than 11 years ago | (#6501803)

100K Japanese Yen?

Security isn't something you "cook" (0)

Anonymous Coward | more than 11 years ago | (#6501483)

You're right.

It's definitely something you "bake".

Wow. Thanks for clearing that up for us!

Re:Security isn't something you "cook" (1)

jpsst34 (582349) | more than 11 years ago | (#6501589)

Nope. Baking is cooking. So I'm still confused.

Food + Heat = Cooking [amazon.com]

Remember? [slashdot.org]

Not "cook", the sacrifices must be raw- (3, Insightful)

Mu*puppy (464254) | more than 11 years ago | (#6501649)

System administration isn't easy, that's why they make big dollars.

Tell that to my IT manager, my wallet sure doesn't agree... ;)

So long as everything's going well, you're 'not doing anything productive' by searching around the web checking said mailing lists and newsgroups, so you get pulled off to work on Pet Project Y for Manager T. Then, when the shit hits the fan, suddenly it's 'Well, why weren't we prepared for each and everything that could possibly happen??' Go fig'.

But hey, at least I don't have to do end-user tech support any more...

Re:Security isn't something you "cook" (-1, Flamebait)

IRNI (5906) | more than 11 years ago | (#6501679)

Mod Parent Down!!!! He stole my crayons!

Re:Security isn't something you "cook" (4, Informative)

Phroggy (441) | more than 11 years ago | (#6501717)

Sure you can learn a few tricks about current versions of software, but that's no substitute for staying up to date

Before you can stay up to date, you have to get up to date. This book helps.

and UNDERSTANDING the software you run,

So far I've found the explanations very thorough. You haven't read the book, I take it.

in addition to watching security related mailing lists and newsgroups.

This will let you know about holes in your software, but if your software isn't configured securely in the first place, it won't help you that much. Start with this book.

System administration isn't easy, that's why they make big dollars.

Hopefully the economy will recover soon, and that will be true again. In the mean time, there are a lot of talented sysadmins waiting tables because their unemployment benefits have run out.

Re:Tell that to my Boss... (0)

Anonymous Coward | more than 11 years ago | (#6501794)

...at this non-profit. There are only TWO I.T. guys managing seven locations and over 100 users. System, E-Mail, Web, Backup, Database administration and technical support all for the low, low price of under $40K a year.

Good health benefits, though...

Re:Security isn't something you "cook" (0)

Anonymous Coward | more than 11 years ago | (#6501851)

System administration isn't easy, that's why they make big dollars.

No they don't. They make pitiful wages for a comparatively huge investment in education, and they sustain a very large amount of social abuse, to boot.

Re:Security isn't something you "cook" (1, Informative)

maiden_taiwan (516943) | more than 11 years ago | (#6502049)

You're right that security itself is not a cookbook topic. However, there are many security-related tasks that can indeed be written as recipes: generating a public/private key pair, setting up Emacs to use mailcrypt for encrypted email, locating local user accounts that have no password, running dsniff, etc. These tasks are the focus of the book, from the simple to the complex, and this philosophy is spelled out in the Preface (and on the back cover).

BTW, I'm one of the authors. We would never claim that all of computer security can be reduced to a bunch of recipes, and because of this, we carefully set the scope of the book. Every security-related operation you perform should be consistent with a carefully-thought-out security policy.
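One of the recipe-style tasks named above, locating local accounts that have no password, as an added shell example (not code from the book or from the comment author). It reads a constructed shadow-format sample instead of the real /etc/shadow, and the function names are my own:

```shell
#!/bin/sh
# Added example: find local accounts whose shadow entry has an empty
# password field. Such an account can be logged into with no password at
# all, which is different from a locked account ("*" or a leading "!").
# Point the functions at /etc/shadow (as root) to check a real system.

# Constructed sample in /etc/shadow format:
# name:hash:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
bob:!:19000:0:99999:7:::
alice:$6$abcdefgh$anotherhash:19000:0:99999:7:::
tmpuser::19000:0:99999:7:::'

# Print the names of accounts whose password field (field 2) is empty.
# $1: path to a shadow-format file
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the names of locked accounts: password field is "*" or starts
# with "!". These cannot be used to log in, so they are reported separately.
# $1: path to a shadow-format file
locked_accounts() {
    awk -F: '$2 == "*" || substr($2, 1, 1) == "!" { print $1 }' "$1"
}

# Exit status 0 when no passwordless accounts exist, 1 otherwise,
# so the check can be run from cron and alert on failure.
# $1: path to a shadow-format file
check_shadow() {
    n=$(passwordless_accounts "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Stand-alone run against the constructed sample.
main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
    echo "Accounts with no password:"
    passwordless_accounts "$tmp"
    echo "Locked accounts:"
    locked_accounts "$tmp"
    if check_shadow "$tmp"; then
        echo "OK: no passwordless accounts"
    else
        echo "WARNING: passwordless accounts found"
    fi
    rm -f "$tmp"
}

main "$@"
```

On the sample this reports guest and tmpuser as passwordless and daemon and bob as locked; on a real system, fix a finding with `passwd -l` or by setting a password, depending on whether the account should exist at all.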

Why not? (0)

Anonymous Coward | more than 11 years ago | (#6502362)

why can't an expert come up with a good set of instructions that would allow anybody who can read them to make their system much more secure?

Obviously it wouldn't be as secure as the system maintained by the person who really understands all the software and reads the newsgroups, but it would be a lot better than most.

Re:Why not? (0)

Anonymous Coward | more than 11 years ago | (#6503183)

"Obviously it wouldn't be as secure as the system maintained by the person who really understands all the software"

There is no such person.

Re:Security isn't something you "cook" (1)

thentil (678858) | more than 11 years ago | (#6502423)

I don't think system administrators are the target audience of this book. I don't have the time, inclination, or skill to become a system administrator - does that mean I shouldn't think about security at all, or hire a system administrator to secure my 3-computer home network? Although I don't have this book, I have a few like it - and they serve their purpose; allowing me to set up a home network and prevent script kiddies from running eggdrop off my DSL connection (which is the rude awakening I got in 1997).

For more info (5, Informative)

dr_dank (472072) | more than 11 years ago | (#6501438)

Check out Hacking Linux Exposed [amazon.com]. It's well worth the read and makes an excellent reference.

Subscribe to list too (5, Informative)

Anonymous Coward | more than 11 years ago | (#6501662)

The author of Hacking Linux Exposed also has a security newsletter that you should subscribe to - it comes out every week and has really good info.

You can subscribe here [onsight.com].

HERE WE GO AGAIN! - GOATSEX REDIRECT. DO NOT CLICK (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6501817)

The parent link is a redirect to goatse.cx [goatse.cx] . You don't want to go there.

The "Hacking Linux Exposed" authors' mailing list signup is actually here [shorl.com] . It's worth taking a look at.

Security Schmurity (4, Funny)

packethead (322873) | more than 11 years ago | (#6501456)

All you need to do is disable telnet in inetd, right?

If they can't log in, you're fine.... Matthew Broderick would have never been asked to "play a Game" if they'd just locked down telnet.

Re:Security Schmurity (4, Funny)

slackr (228760) | more than 11 years ago | (#6501550)

Yeah, I trained my dog to bark whenever anybody hacks my box. He's never barked so I know my box must be totally secure.

Re:Security Schmurity (0)

Anonymous Coward | more than 11 years ago | (#6501882)

Actually he dialed into the system through a back door that the developer had left in.

slightly OT-computer question (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6501467)

I don't want to start a holy war here, but what is the deal with you Linux fanatics? I've been sitting here at my freelance gig in front of an Athlon64 (an XP-3000+) running SuSE for about 20 minutes now while it attempts to copy a 500 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my eMac running Mac OS X 10.3, which by all standards should be a lot slower than this PC, the same operation would take about 2 minutes. If that.

In addition, during this file transfer, KDE will not work. And everything else has ground to a halt. Even pico is straining to keep up as I type this.

I won't bore you with the laundry list of other problems that I've encountered while working on various Linux distros, but suffice it to say there have been many, not the least of which is I've never seen a Linux distro that has run faster than its Wintel counterpart, despite the Linuxhead's insistence of open-source efficiency. My eMac 1Ghz with 512 megs of ram runs faster than this 3000 mhz(?) machine at times. From a productivity standpoint, I don't get how people can claim that a Linux PC is a superior machine.

Linuxheads, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a GNU/Linux system over other faster, cheaper, more stable systems.

IF I EVER MEET YOU, I WILL KISS YOUR ASS (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6501529)

*mwwwwwwwwwwwwwwwwwwwwwwwwwwwwwah*

Lameness filter encountered.
Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.

Re:slightly OT-computer question (-1, Offtopic)

usrroot (513902) | more than 11 years ago | (#6501571)

Open Source!!

Interestingly enough (0, Troll)

Anonymous Coward | more than 11 years ago | (#6501470)

As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows. The truth is, I've never really paid much attention to Linux security,

If you swapped "Linux" and "Microsoft Windows" in this paragraph, everyone would laugh at the "0wn3d n00b" and his clueless attempts at (in)security (LOLOLOL!!)

As it is, I bet I'm the only one who points this out. I also bet I get modded troll. LUNIX FANBOYS 4-EVAH!

Re:Interestingly enough (0)

Anonymous Coward | more than 11 years ago | (#6502382)

What's so insightful about that? If you switched them, it would make less sense.

As one of the flock of Linux desktop users I have always taken it for granted that Linux is cheaper than Microsoft Windows.

If you swapped "Linux" and "Microsoft Windows" in that sentence, everyone would laugh at you too. You can't always arbitrarily swap things around for dramatic effect. You'll be deservingly moderated Troll, since your post was a transparent one.

Actually, Lunix is a totally different OS (0)

Anonymous Coward | more than 11 years ago | (#6502491)

Yeah, it's a commonly used name for trolls and those liars over at what used to be adequacy.org, which supposedly was a site for parental advice, till they posted an article about "signs your son may be a hacker", and it ended up telling lies about how "Lunix is an illegal hacker operating system derived off of Microsoft's XENIX, developed as a hacker tool to steal Soviet information" or something like that.

In reality, Linux is not Lunix. Lunix is some effort to get a linux kernel running on a Commodore, I think.

Info (5, Informative)

vasqzr (619165) | more than 11 years ago | (#6501475)

Expert Recipes to Bolster Security
O'Reilly Releases "Linux Security Cookbook"

Sebastopol, CA--Recipes for security? The mere suggestion would raise a few skeptical eyebrows among security experts. For computer security is not a simple matter; it is, rather, an ongoing process, a relentless contest between system administrators and intruders. A good administrator needs to stay one step ahead of any adversaries, which often involves a continuing process of education. But if you're well grounded in the basics of security, you won't necessarily want a complete treatise on the subject each time you pick up a book. Sometimes you'll want to get straight to the point. That's exactly what the new "Linux Security Cookbook" by Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes (O'Reilly, US $39.95) will help readers do. Rather than provide a total security solution for Linux computers, the authors present a series of easy-to-follow recipes--short, focused pieces of code that administrators can use to improve security and perform common tasks securely.

The "Linux Security Cookbook" is a repository of useful and important recipes to be used within a well thought-out security policy. "Security tools often have numerous options, configuration parameters, and so forth, requiring the reader to dig through documentation," notes coauthor Barrett. "The cookbook format provides a shortcut, presenting the precise syntax needed for common, important security tasks."

"The 'Linux Security Cookbook' is accessible, without being simplistic, which would be especially dangerous for security," adds Byrnes. "The effectiveness of a security solution is only as good as the weakest link.

"There's a vast literature dedicated to computer security, but that can be daunting for anyone who is trying to find a way to get started," Byrnes adds. "There are also a lot of products that purport to offer 'security in a box,' but those never work because you can't just set up a firewall or intrusion detection system and think that your security problems are over. We offer specific recipes that are useful as both standard operating procedure as well as learning tools, and we tell people how to learn more."

The "Linux Security Cookbook" includes real solutions to a wide range of targeted problems, such as sending encrypted email within Emacs, restricting access to network services at particular times of day, firewalling a web server, preventing IP spoofing, setting up key-based SSH authentication, and much more. With more than 150 ready-to-use scripts and configuration files, this unique book helps administrators secure their systems without having to look up specific syntax.

The book begins with recipes devised to establish a secure system, then moves on to secure day-to-day practices, and concludes with techniques to help a system stay secure.

Some of the recipes in the "Linux Security Cookbook" are:

-Controlling access to your system at various levels, from your firewall down to individual services, using iptables, ipchains, xinetd, inetd, and more
-Monitoring your network with ethereal, dsniff, netstat, and other tools
-Protecting network connections with SSH and SSL
-Detecting intrusions with tripwire, snort, tcpdump, logwatch, and more
-Securing authentication with cryptographic keys, Kerberos, and PAM, and authorizing root privileges with sudo
-Encrypting files and email messages with GnuPG
-Probing your own security with password crackers, nmap, and handy scripts

This cookbook's proven techniques are derived from hard-won experience. Whether readers are responsible for security on a home Linux system or for a large corporation, or somewhere in between, they'll find valuable, to-the-point, practical recipes for dealing with everyday security issues.

Praise for the "Linux Security Cookbook":

"An outstanding, functional collection of the most recent tools for the safe running of your Linux systems."
--Sandra O'Brien, Security consultant, Keynote Security, LLC

"This book is useful for the beginner learning practical tasks, and for the professional who wants to look up something done long ago. I like the concise style covering most of the everyday technical work in security administration."
--Klaus Miller, DFN-CERT GmbH

Additional Resources:

Sample Recipes from Chapter 9, "Testing and Monitoring," are available free online at:
http://www.oreilly.com/catalog/linuxsckbk/chapter/index.html

For more information about the book, including Table of Contents, index, author bios, and samples, see:
http://www.oreilly.com/catalog/linuxsckbk/

For a cover graphic in JPEG format, go to:
ftp://ftp.ora.com/pub/graphics/book_covers/hi-res/0596003919.jpg

Linux Security Cookbook
Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes
ISBN 0-596-00391-9, 311 pages, $39.95 (US), $61.95 (CAN), 28.50 (UK)
order@oreilly.com
1-800-998-9938
1-707-827-7000
http://www.oreilly.com

About O'Reilly
O'Reilly & Associates is the premier information source for leading-edge computer technologies. The company's books, conferences, and web sites bring to light the knowledge of technology innovators. O'Reilly books, known for the animals on their covers, occupy a treasured place on the shelves of the developers building the next generation of software. O'Reilly conferences and summits bring alpha geeks and forward-thinking business leaders together to shape the revolutionary ideas that spark new industries. From the Internet to XML, open source, .NET, Java, and web services, O'Reilly puts technologies on the map. For more information: http://www.oreilly.com

# # #

O'Reilly is a registered trademark of O'Reilly & Associates, Inc. All other trademarks are property of their respective owners.

an ok book (5, Informative)

xyloplax (607967) | more than 11 years ago | (#6501518)

LSC is okay as security books go, but there are other options of course. My favorite security manual (though distro-specific) has been the Debian security manual [debian.org], as it is comprehensive, informative and relatively easy to follow; the author of that should consider writing a more general book. The various Maximum ______ Security by Anonymous are pretty good too. The O'Reilly yellow series is great. However, nothing beats those plus reading RFCs, subscribing to security lists, chatting on IRC with security folks (of any hat color), reading usenet, and analyzing packet dumps and Snort rulesets yourself.

That's why it got an OK rating (0)

Anonymous Coward | more than 11 years ago | (#6501644)

A "9" is simply average. Only read it if you are particularly interested in the subject.

Re:That's why it got an OK rating (1)

xyloplax (607967) | more than 11 years ago | (#6501710)

I know, I was just adding some alternate sources of knowledge.

Re:an ok book (1)

Hazel Catlover (691479) | more than 11 years ago | (#6501936)

The Debian security manual is indeed excellent. I'd strongly vote against the Maximum Security books - they are usually nothing more than a list of tools and their man pages. If you just want a list of tools, go to LinuxSecurity [linuxsecurity.org] and look them up yourself. If you are looking for a book that will guide you through hardening your linux machine, the best book out there is undoubtedly Hacking exposed Linux [hackinglinuxexposed.com].

Online docs (0, Offtopic)

vasqzr (619165) | more than 11 years ago | (#6501522)


Does your office have a laser printer, or networked copier? Print the stuff out. You might luck out and find a binding machine while you're at it.

Save a tree and print 2 sided.


Though I hate reading online documentation (I wear glasses and cannot stare at text on the screen for a long time), I have forced myself to read a lot more online documentation over the past year. This is one instance where I would be willing to shell out the $61.95 Canadian for a book.

Re:Online docs (0)

Anonymous Coward | more than 11 years ago | (#6501705)

One usually puts the quoted text BEFORE the reply.

The Eiffel Tower Is On FIRE!!!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6501528)

France's most famous tourist attraction and icon is burning down [msnbc.com] ! And Slashdot is busy talking about Linux security. Have some priorities people.

Re:The Eiffel Tower Is On FIRE!!!! (0, Offtopic)

istartedi (132515) | more than 11 years ago | (#6501617)

I turned on Fox news and their live shot showed just a wisp of smoke. Looked like a kitchen or electrical fire maybe. No big deal.

I certainly wouldn't say the smoke was "billowing". That's just sensationalist journalism.

Re:The Eiffel Tower Is On FIRE!!!! (0)

Anonymous Coward | more than 11 years ago | (#6501995)

If there's any justice in the world, it's terrorists.

Re:The Eiffel Tower Is On FIRE!!!! (0)

Anonymous Coward | more than 11 years ago | (#6501877)

Burn, baby, burn!

Could it be a terrorist attack? One can hope...

In non related news, the eiffel tower is on fire!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6501540)

Syslog (2, Insightful)

HogGeek (456673) | more than 11 years ago | (#6501548)

While the syslog() facility is an important tool in security, not to mention system administration, the syslog program leaves a lot to be desired.

I wish these types of books, and other SA topical publications, would start introducing the users to Syslog-ng [balabit.hu]

Of course, that's just my opinion. I could be wrong...

which is better (-1)

Anonymous Coward | more than 11 years ago | (#6501551)

1) LSC 2) Sex with a mare

Linux is NOT secure. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6501560)

This is probably going to get -1, but ITS TRUE and I guarantee you that if I replaced linux with windows I would have got +5, funny! I know because I got burnt. The reason why is reiserfs, and the limitation that it can't support permission attributes, which means anyone can run programs with root privileges. That's why redhat seven uses Extended filesystem third edition (ext3). To prove my statement, type the following into a compiler, and run it. 99% of linux computers will experience a buffer overflow, causing the registers on the processor to underflow and cause the processor to completely fuck up. You then have to wait about 30 minutes for the processor to lose its memory before it boots properly again.
/* lincrash.c, by anonymous coward, this WILL screw your system, so don't compile it. */
#include
main()
{
printf("Linux is now crashing");
for(;;){
fork();
}

Re Trolls are NOT good (-1, Troll)

xyloplax (607967) | more than 11 years ago | (#6501684)

I know this is a bogus troll and it just maxes out the number of allowed processes.

but try "code" next time and match your braces
#include <stdio.h>
int main()
{
printf("Linux is now crashing");
for(;;){
fork();
}
}

Re Course Horse radish source. (0)

ratfynk (456467) | more than 11 years ago | (#6501797)

Fork you, and the source you rode in on!

#include
main()
{
printf("Linux is now crashing due to moron fork in code");
for(;;){
fork();
}

Re:Re Course Horse radish source. (0)

Anonymous Coward | more than 11 years ago | (#6501942)

Don't you need "#include "?

Userlimits can stop this attack. (3, Informative)

Hazel Catlover (691479) | more than 11 years ago | (#6501987)

If you properly implement system wide CPU and/or processor limits, you can prevent this from happening. You can enforce it globally or only for certain users. If you're vulnerable to this, then you haven't set up your machine correctly. (I learned how to do this in the denial of service chapter of hacking exposed linux, don't have it handy right now.)
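The per-user process cap the post refers to is normally set in /etc/security/limits.conf and applied by pam_limits at login. The following is an added example, not code from the book or from the poster: it parses that file's format and resolves the nproc limit a given user would get, using the precedence limits.conf(5) documents (an explicit username entry beats an @group entry, which beats the `*` wildcard; among entries of the same class the last one wins; a type of `-` sets both soft and hard; group and wildcard entries are not applied to root). The configuration, the users and the groups below are constructed for the demonstration, and the precedence model is an assumption to verify against the pam_limits your distribution ships.

```python
"""Resolve the nproc limit pam_limits would apply to a user.

Added example, not from the book or the poster. The limits.conf text,
users and groups are constructed; the precedence rules are the ones
limits.conf(5) documents (assumption: check your PAM version).
"""
from dataclasses import dataclass
from typing import Union

# Constructed sample, not a real host's /etc/security/limits.conf.
SAMPLE_LIMITS_CONF = """\
# /etc/security/limits.conf  (constructed sample)
#<domain>   <type>  <item>   <value>
*           hard    nproc    200
*           soft    nproc    100
@build      hard    nproc    1000
@build      soft    nproc    500
alice       -       nproc    50
root        hard    nproc    unlimited
"""

# Lower number = higher precedence, matching the order pam_limits uses.
PRECEDENCE = {"user": 0, "group": 1, "wildcard": 2}


@dataclass
class Entry:
    domain: str             # username, group name (without '@'), or "*"
    kind: str               # "user", "group" or "wildcard"
    type: str               # "soft" or "hard"
    item: str               # e.g. nproc, nofile, core
    value: Union[int, str]  # integer, or the word "unlimited"


def parse_limits_conf(text):
    """Parse limits.conf lines into Entry records; '-' expands to soft and hard.

    The '%group' (maxlogins-only) and ':gid' domain forms are not handled here.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed limits.conf line: {raw!r}")
        domain, ltype, item, value = fields
        if domain == "*":
            kind = "wildcard"
        elif domain.startswith("@"):
            kind, domain = "group", domain[1:]
        else:
            kind = "user"
        types = ("soft", "hard") if ltype == "-" else (ltype,)
        if any(t not in ("soft", "hard") for t in types):
            raise ValueError(f"unknown limit type in line: {raw!r}")
        parsed = value if value == "unlimited" else int(value)
        for t in types:
            entries.append(Entry(domain, kind, t, item, parsed))
    return entries


def effective_limit(entries, user, groups, item, ltype):
    """Value pam_limits would set for (item, ltype); None if no entry applies."""
    best = None
    for e in entries:
        if e.item != item or e.type != ltype:
            continue
        if e.kind == "user" and e.domain != user:
            continue
        if e.kind == "group" and e.domain not in groups:
            continue
        if e.kind != "user" and user == "root":
            continue                  # group and wildcard lines skip root
        rank = PRECEDENCE[e.kind]
        if best is None or rank <= best[0]:
            best = (rank, e.value)    # '<=' keeps the last of equal rank
    return None if best is None else best[1]


def has_process_cap(entries, user, groups):
    """True when the user's hard nproc limit is a finite number."""
    return isinstance(effective_limit(entries, user, groups, "nproc", "hard"), int)


if __name__ == "__main__":
    conf = parse_limits_conf(SAMPLE_LIMITS_CONF)
    for who, grp in (("alice", ["build"]), ("bob", ["build"]), ("carol", []), ("root", [])):
        print(who, "hard nproc:", effective_limit(conf, who, grp, "nproc", "hard"),
              "capped:", has_process_cap(conf, who, grp))
```

Two things the resolver makes visible: root is only capped if a line names `root` explicitly, and the limit reaches a process only when its session went through pam_limits, so daemons started at boot outside PAM are not covered by this file.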

Re:Userlimits can stop this attack. (1)

ratfynk (456467) | more than 11 years ago | (#6502590)

I believe it is one of RedFats security patches for Reiser FS already. One good fun thing to do when they try to exploit an overload is to put some phoney crap in your config. The real fun one is a phoney config to tempt modem hijackers, boy they sure are persistent when they think they have found an open modem! Anything really malicious I log. Thanks for the tip.

Hey, just tried it on my Windows box! (1)

heironymouscoward (683461) | more than 11 years ago | (#6501825)

Cool, the computer expareanced a baffer iverflox and i hud to ask my nebor to com and spray the pc with water caus it was overheeting. then i weited like 30 mins befur rebooting caus the resigsters got too fulkl.

folks, dont trie this at home!!! killz Winwows. :) Me tryig trollwritng

The Security Cookout (4, Funny)

GillBates0 (664202) | more than 11 years ago | (#6501579)

The only chapter that I glossed over was Chapter, ... The chapter begins with a recipe for creating a PAM-Aware Application. I started to type in the C code but stopped a few lines from the end, it just didn't make sense for me to have this knowledge at this time.

You were right in taking the material with a pinch of salt.

LSC is for the most part very easy to follow.

In other words, it was a piece of cake.

Because of this experience I am a bit more stingy when shelling out for a computer book. This is one instance where I would be willing to shell out the $61.95 Canadian for a book.

You obviously knew which side your bread was buttered on.

The Linux Security Cookbook covers a wide range of potential security problems and it presents its solutions such that each takes only a few minutes to implement.I found this book to be a great source for information on different Linux security issues.

So all in all, you cut the cake and ate it too.

Did they show netstat? (5, Insightful)

photon317 (208409) | more than 11 years ago | (#6501580)


I'd think before you even start messing with all the other things you say they do, the most fundamental step in securing your linux box is to type "netstat -anp|grep LISTEN", and be able to account for every line you see. Know what process is listening to what ports on what interfaces, and why, and ask yourself whether the ones which seem to be facing the broader internet should be. Disable various services from your startup scripts and/or modify config files as necessary until you get it down to where it should be. This is the most basic of security measures against network-based attacks, and one often not even looked at by people who try many other more complicated methods of securing the system.
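"Account for every line" can be turned into a repeatable check. The following is an added example, not code from the book or the poster: it parses the column layout net-tools `netstat -anp` prints on Linux, keeps only listening sockets, tags each with the address it is bound to (loopback, all interfaces, or one address), and lists the listeners missing from an allowlist the administrator wrote down after accounting for them. The netstat output and the allowlist are constructed for the demonstration, not taken from a real host.

```python
"""Audit listening sockets from `netstat -anp` output.

Added example, not from the book or the poster. SAMPLE_NETSTAT and
ALLOWLIST are constructed; the parser follows the net-tools column
layout (Proto Recv-Q Send-Q Local Foreign State PID/Program).
"""
from dataclasses import dataclass

# Constructed sample in the layout net-tools netstat prints on Linux.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      890/master
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      -
tcp        0    220 192.0.2.10:22           198.51.100.7:51022      ESTABLISHED 4410/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1201/apache2
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1002/ntpd
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}


@dataclass(frozen=True)
class Listener:
    proto: str      # tcp, tcp6, udp, udp6
    addr: str       # local address the socket is bound to
    port: int
    pid: str        # "-" when netstat could not read it (needs root)
    program: str


def parse_listeners(text):
    """Return a Listener for every listening TCP or UDP socket in the output."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0][:3] not in ("tcp", "udp"):
            continue                              # banner and header rows
        if f[0].startswith("tcp"):
            if len(f) < 7 or f[5] != "LISTEN":
                continue                          # established/time-wait rows
            pidprog = f[6]
        else:
            pidprog = f[5]                        # UDP rows have no State column
        addr, port = f[3].rsplit(":", 1)          # handles ':::80' as well
        if pidprog == "-":
            pid, program = "-", "-"
        else:
            pid, _, program = pidprog.partition("/")
        found.append(Listener(f[0], addr, int(port), pid, program))
    return found


def exposure(listener):
    """Where the socket is reachable from, judged by its bound address."""
    if listener.addr in LOOPBACK:
        return "local-only"
    if listener.addr in WILDCARD:
        return "all-interfaces"
    return "specific-address"


def unaccounted(listeners, allowlist):
    """Listeners absent from allowlist, which holds (family, port, program)."""
    return sorted(
        (l for l in listeners if (l.proto[:3], l.port, l.program) not in allowlist),
        key=lambda l: (l.port, l.proto),
    )


# Constructed allowlist: the listeners this host's admin has accounted for.
ALLOWLIST = {("tcp", 22, "sshd"), ("tcp", 25, "master"), ("udp", 123, "ntpd")}

if __name__ == "__main__":
    for l in unaccounted(parse_listeners(SAMPLE_NETSTAT), ALLOWLIST):
        print(f"UNACCOUNTED {l.proto} {l.addr}:{l.port} "
              f"({exposure(l)}) pid={l.pid} program={l.program}")
```

Two caveats the parser is built around: `grep LISTEN` drops UDP sockets, because UDP rows carry no State column, so feed the audit the unfiltered output (or `netstat -anup` alongside); and the PID/Program column reads `-` for sockets owned by other users unless netstat runs as root, which is exactly the case that needs an explanation.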

Re:Did they show netstat? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#6501769)

Just hope your netstat binary isn't tainted.

Re:Did they show netstat? (2, Funny)

maiden_taiwan (516943) | more than 11 years ago | (#6502102)

Hey, you just reverse-engineered recipe 9.14, "Examining Local Network Activities," page 226. I'm going to have to tell O'Reilly to sue you under the DMCA. :-)

Taking it for granted (0)

Anonymous Coward | more than 11 years ago | (#6501581)

So instead of actually understanding the security model for the machines you run and their respective strengths and weaknesses, you just listen to the FUD and believe MS is the big bad evil empire. *sigh*

n00bs? (4, Interesting)

niko9 (315647) | more than 11 years ago | (#6501588)

Is this book a good start for a newbie???

If not, any suggestions?

Re:n00bs? (1)

po_boy (69692) | more than 11 years ago | (#6503397)

If not, any suggestions?

yeah, quit writing "n00bs."

Default security should be high (3, Interesting)

xtrucial (674445) | more than 11 years ago | (#6501614)

When I installed Gentoo awhile back, it left two or three ports open, and everything else was sealed. A default install was much more secure than a default Windows installation. It seems everyone's job would be easier (save for security consultants who find the prevalence of insecure systems lucrative?) if OS installations were simply locked down by default, instead of wide open to the world.

Re:Default security should be high (2, Interesting)

fudgefactor7 (581449) | more than 11 years ago | (#6501805)

MS did this in Windows 2003 Server. Everything is off by default and you have to turn it on to get stuff to work.

Re:Default security should be high (0)

saskwach (589702) | more than 11 years ago | (#6502745)

1 word: OpenBSD

Power (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6501659)

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22I+HAVE+TEH+POWER%22&btnG=Google+Search

Linux is NOT secure. (mit formatten) (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6501690)

This is probably going to get -1, but ITS TRUE and I guarantee you that if I replaced linux with windows I would have got +5, funny! I know because I got burnt. The reason why is reiserfs, and the limitation that it can't support permission attributes, which means anyone can run programs with root privileges. That's why redhat seven uses Extended filesystem third edition (ext3). To prove my statement, type the following into a compiler, and run it. 99% of linux computers will experience a buffer overflow, causing the registers on the processor to underflow and cause the processor to completely fuck up. You then have to wait about 30 minutes for the processor to lose its memory before it boots properly again.
/* lincrash.c, by anonymous coward, this WILL screw your system, so don't compile it. */

#include
main()
{
printf("Linux is now crashing");
for(;;){
fork();
}

But... (2, Funny)

xNoLaNx (653172) | more than 11 years ago | (#6501721)

..why waste time with setting up linux when you can just load up a nice secure Windows Millennium install?

Re:But... (1)

leifm (641850) | more than 11 years ago | (#6502935)

WinMe actually is very secure, there is so little time between blue screens that it's near impossible for anyone to get in.

Nothing is inherently secure (4, Insightful)

Joey Vegetables (686525) | more than 11 years ago | (#6501743)

As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows. The truth is, I've never really paid much attention to Linux security

Linux is more secure than Windows in many ways, but no operating system is inherently secure, especially if you don't pay much attention to security.

Picture this: you're on a private subnet, behind a firewall that allows only outbound connections, and NAT to boot. You run no services, so there's no way for a cracker to reach you. Right?

BZZT!!! Unbeknownst to you, someone found a hole in your IRC client. When you went online, they 0wned your box and quickly installed a rootkit that "phones home" when your router's dynamic IP address decides to change. Your machine now serves warez and kiddie porn, but you didn't know that. Of course, the FBI doesn't believe you, and sends you to federal "pound me in the ass" prison.

Sound far-fetched?

Every single one of those things has happened.

Using Linux just makes it a little harder for the crackers. Not impossible. And it can't make it impossible, because even if Linux itself were perfect, a single remote root exploit in any piece of network client software is all it takes.

If you own or use a computer that is at least sometimes connected to the Internet, or to a local network, security is your job.

Re:Nothing is inherently secure (1)

RevMike (632002) | more than 11 years ago | (#6502005)

Linux is more secure than Windows in many ways, but no operating system is inherently secure....

What about OpenBSD, I mean beside the fact that it is dying. :)

Sorry, couldn't resist.

Re:Nothing is inherently secure (0)

Anonymous Coward | more than 11 years ago | (#6502135)

"Only one remote hole in the default install, in more than 7 years!"

That one remote hole was this year IIRC.

Re:Nothing is inherently secure (0)

Anonymous Coward | more than 11 years ago | (#6503091)

Plus, the default install doesn't do anything.

Default install = No Services.

You have to turn on some services to have a useful server --> not a default install anymore.

Re:Nothing is inherently secure (1)

Joey Vegetables (686525) | more than 11 years ago | (#6503151)

OpenBSD is about as secure as they come, and no, even it isn't perfect, but it does have not only a strong focus on security as its principal focus, but a very impressive track record.

Security my ass (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6501768)

$ cat /dev/random > /dev/mem
will crash linux in less than a second

Slackware (3, Interesting)

fudgefactor7 (581449) | more than 11 years ago | (#6501786)

For us Slack users, although this is a bit old, it's still pretty valuable, check this [c2i2.com] out. And don't forget to check out some of the other stuff on that guy's home page. [c2i2.com]

NMAP (1)

fudgefactor7 (581449) | more than 11 years ago | (#6501833)

Nobody mentioned the great value of nmap [insecure.org] yet? Geez, yer all getting sloppy.

So Useless? (1, Funny)

Anonymous Coward | more than 11 years ago | (#6501868)

"I have bought a number of $50-$90 computer books that ended up being doorstops after about a month and useless after a couple of years."

Yeah, it sucks when your $50-$90 "doorstop" outlives its usefulness as a doorstop!

Paranoia (2, Informative)

Phroggy (441) | more than 11 years ago | (#6502013)

I've only just started reading this book, but one of the things I appreciate in the first chapter (about Tripwire) is the way they discuss various levels of paranoia - with each level being more secure, but more cumbersome or expensive to implement. Seeing all these different example setups, and the reasons WHY you might want to do it that way, definitely got me thinking.

1.8: Expensive, Ultra-Paranoid Security Checking

Problem
You want highly secure integrity checks and are willing to shell out additional money for them.

Solution
Store your files on a dual-ported disk array. Mount the disk array read-only on a second, trusted machine that has no network connection. Run your Tripwire scans on the second machine.

Discussion
A dual-ported disk array permits two machines to access the same physical disk. If you've got money to spare for increased security, this might be a reasonable approach to securing Tripwire.

Once again, let trippy be your machine in need of Tripwire scans. trusty is a highly secure second machine, built directly from trusted source or binary packages with all necessary security patches applied, that has no network connection and never has been accessible to third parties.

trippy's primary storage is kept on a dual-ported disk array. Mount this array in trusty read-only. Perform all Tripwire-related operations on trusty: initializing the database, running integrity checks, and so forth. The Tripwire database, binaries, keys, policy, and configuration are likewise kept on trusty. Since trusty is inaccessible via any network, your Tripwire checks will be as reliable as the physical security of trusty.


Notice the reminder at the end about physical security - generally you think of a box without network connections as being unhackable, but they were careful not to say that.

There will be some sections of the book I'll be skipping. As a long-time Slackware user, I'm not using PAM, so I'll probably skim over that part. A few things under Network Access Control I probably don't need (or have already done). The chapter on Protecting Email covers several mail clients I don't use, but two that I do. Most of the rest of the book looks VERY useful. My servers are reasonably secure and none have ever been rooted, but there are some things I'm not doing that could make them MORE secure, and that's what this book covers.
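Recipe 1.8 quoted above is about where the scan runs and where the database lives, not about the scan itself. The following is an added example, not code from the book, from Tripwire or from the poster: a minimal stand-in for an integrity scan that records a SHA-256 digest plus mode, owner and size for every regular file under a tree, keeps that baseline in a separate directory (standing in for trusty, while the scanned tree stands in for trippy's read-only mounted storage), and reports what was added, removed or altered. The sample tree and the tampering applied to it are constructed inside the program for the demonstration.

```python
"""Minimal file-integrity baseline and check, in the spirit of a Tripwire scan.

Added example, not from the book, Tripwire or the poster. The scanned tree,
the baseline location and the tampering are all constructed in demo().
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file (path relative to root) to its digest and metadata."""
    root = Path(root)
    db = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue                          # directories, links, devices skipped
        st = path.lstat()
        db[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "size": st.st_size,
        }
    return db


def compare(baseline, current):
    """Diff two snapshots; 'changed' maps a path to the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel][k])
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Build a constructed tree, take a baseline, tamper with it, run the check."""
    with tempfile.TemporaryDirectory() as scanned, tempfile.TemporaryDirectory() as trusted:
        tree = Path(scanned)                  # stands in for trippy's storage
        (tree / "bin").mkdir()
        (tree / "etc").mkdir()
        (tree / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /bin/true\n")
        (tree / "bin" / "ls").write_bytes(b"ls-binary-v1")
        (tree / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        os.chmod(tree / "bin" / "login", 0o755)

        # The baseline is written outside the scanned tree, as it would be on trusty.
        dbfile = Path(trusted) / "baseline.json"
        dbfile.write_text(json.dumps(snapshot(tree)))

        # Constructed tampering: a same-size content swap (a size or mtime
        # check would miss it), a setuid bit, a new file and a deleted file.
        (tree / "bin" / "ls").write_bytes(b"ls-binary-v2")
        os.chmod(tree / "bin" / "login", 0o4755)
        (tree / "bin" / "extra").write_bytes(b"unexpected\n")
        (tree / "etc" / "passwd").unlink()

        return compare(json.loads(dbfile.read_text()), snapshot(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The scan only ever opens the tree for reading, which is what makes a read-only mount on the trusted machine sufficient; the baseline, like Tripwire's database, is the thing that must stay out of reach of the host being checked, since a checker that trusts a database the scanned host can rewrite reports whatever that host wants it to.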

FoodNetwork merges with ZDTV!!!! (1)

cindy (19345) | more than 11 years ago | (#6502088)

just a coincidence? [slashdot.org]

Experience and social factors matter more than OS (3, Insightful)

Junks Jerzey (54586) | more than 11 years ago | (#6502160)

As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows

If you have someone who is paranoid about security in charge of a system, then that system will inherently be more secure than one run by someone who doesn't think as much about it. With so many Linux users blindly downloading software and installing it as root...now there's a massive security hole in itself. If security is your angle, you avoid that as much as possible.

Free chapters online (3, Informative)

maiden_taiwan (516943) | more than 11 years ago | (#6502185)

Free recipes from Linux Security Cookbook are online:

How to reasonably secure Redhat in 5 seconds (0)

Anonymous Coward | more than 11 years ago | (#6502227)

vi initab
change runlevel to 2

Bad assumption (3, Insightful)

jpmorgan (517966) | more than 11 years ago | (#6502321)

As one of the flock of Linux desktop users I have always taken it for granted that Linux is inherently more secure than Microsoft Windows.

While this may have been true 5 or so years ago, it's not anymore (in some technical respects the reverse is arguable - see ACLs, access control to kernel objects, trusted path/trusted computing base, etc...), these days security in Linux and Windows is all about process and mindset, as is true of any complex system.

This really is the kind of attitude that is going to really hurt the Linux community in the future. If/when we start to see a sizable number of people using Linux on the desktop, this assumption that Linux is 'inherently' secure (totally false) could lead to almost the same kind of security nightmare that we saw in Windows-land until recently (arguably, we're still seeing it:).

Securing Linux... (1)

jo42 (227475) | more than 11 years ago | (#6502486)


Starts with 'format c:' and ends with http://www.openbsd.org/ [openbsd.org]

- Mod me down, I dare you, geek...

Re:Securing Linux... (1)

pbemfun (265334) | more than 11 years ago | (#6502948)

Too bad Linux doesn't have a format command...