Book Review: Hardening Linux

April 08, 2006
Linux enjoys a large space in the server arena. It is favoured as a server over the competition by many for its robustness, stability and also its cost advantage. But now a days, it has also widely found favour as a desktop replacement for windows. But as with any OS, it is imperative to take necessary steps to make Linux more secure. This book titled - Hardening Linux - by James Turnbull concentrates on this very important topic of securing your Linux machine.

The book is divided into 11 chapters and 3 appendices each covering a niche area related to security in Linux. The author starts the narration by explaining why and how one could make the boot-loader (Grub or LiLo) more secure. He throws light on the various services that could be running on a default installation of Linux and explores which of them are beneficial and which could be stopped. In this chapter, the author goes into the nitty gritty basics of securing Linux like user and process accounting, PAM, how to harden and secure the Linux kernel through use of openwall patch and more.

A firewall forms one of the most important element in a computer's defence against attack. More so if there are servers running on one's computer. The second chapter takes an in depth look at configuring a firewall using iptables in Linux. Here the author lays stress on configuring a firewall for bastion hosts - those computers which form the gateway between a trusted and untrusted network. This chapter gives a very good idea of the concept of firewall and how one can leverage the use of iptables to make ones computer more secure.

Most Linux servers are administered remotely from different places across the world. It is common for the production server to be physically situated in one country and the support personnel in an entirely different country. In such situations, the people administering the remote server log in to the server using SSH or VPNs. The author starts the third chapter with an introduction to public-private keys and goes on to explain protocols like SSL,Transport Layer Security and OpenSSL. This chapter gives a firm foundation on how to use openssl to generate and use RSA keys, use of OpenSWAN to create a virtual private network between two subnets over the internet, port forwarding using SSH and more. In fact this book can be considered to be a hands on book with the right amount of theory explaining the concepts without overwhelming the user.

The fourth chapter of the book deals with the various facets of file and file system security. Here the author explains the basic file permissions and attributes as well as how one can make sure there are no suspicious files lying around in the system. I especially liked the part which explains ways of scanning for and finding files and objects in a variety of states like world-writable and setuid files, making your files immutable, creating an encrypted file system and so on. This chapter also goes into a detailed analysis of how one can install and configure Tripwire - a checksum and integrity scanner famed for its robustness as well as cryptic configuration commands.

Logging is a very important function in any Linux server. One can learn a lot by checking the logs generated by the various services running on it. The beauty of Linux is that one can configure to log the actions of any of the daemons running in it using the syslog daemon. In the fifth chapter of this book, the author explains in detail the working and configuration of two popular logging daemons namely syslog and its more secure counterpart syslog-NG. And true to the title of the book, all along, stress is laid on security while explaining these topics.

The sixth chapter is one which every system and network administrator will vouch as their favourite which is the use of tools like nmap, netstat, nessus and the ubiquitous find for security testing. But the author does not stop with just that. He also describes how one can use a script called Bastile Linux to harden the Linux system. I was fascinated when I read a section which explains the use of the most popular password cracking tool available called John The Ripper to check the strength of the passwords used in the system. There is also a section which explains the steps to be taken in the advent that a system gets compromised.

The next 3 chapters deal exclusively in securing a computer running a mail server. Here the author goes in-depth into configuring sendmail, postfix, fetchmail in a way that security is enhanced and not compromised. That is not all, there is an in depth section on installing and configuring Cyrus IMAP - a secure IMAP and POP server for Linux.

The penultimate chapter in this book pursues configuring an ftp server. More specifically the vsftp server known for its security. There is also a section on locking down the ftp server using the ip_conntrack_ftp iptables module.

Hardening DNS and BIND form the last and final chapter of this well written book where the author explains the potential security issues faced by a DNS server such as man in the middle attack, cache poisoning, DoS attack and data corruption and alteration. He then goes on to explain how to securely design and configure a Bind DNS server.

A word about the author
James Turnbull is an IT&T security consultant at the Commonwealth Bank of Australia. He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and support services design, and business application support.

Book Specifications
Name : Hardening Linux
ISBN No: 1-59059-444-4
Author : James Turnbull
Publisher : APress
Price : Check at Amazon.com
No. of Pages : 560
Category : Intermediate to Advanced
Rating : 4/5

Through out these chapters, the author takes a hands on approach for every topic being explained. I found it really useful that at the end of each chapter, the author has provided links to various webpages where one can get more details on the related topic. After going through the book, one gets the impression that the author has covered most of the issues related to security in Linux and how to overcome them. The book is a right mix of both theory and practice which makes it a very useful book for people who are looking forward to securing their computer running Linux.

5 comments:

  • Fred

    Useful review, thanks; however I don't think I'll buy such a book when the same information is available online for free, no?

  • A nice review. Thanks.
    @fred
    Not really. You give me a book any time and I will opt for a book rather than staring at a monitor for hours on end. It is precicely because of this reason that the printing media is not going to go bust.
    __
    Rusty

  • Agreed. Its a convenient book for those who don't have the time OR lack the google.com skills to find the information.

    I suppose its something to do when there's a blackout. Whip out a Linux book. :) (just kidding)

    I would probably supplement this book with stuff on the web. (Which I usually print out)...And bundle the whole lot into my own collection of notes.

  • Fred

    I see your point, Rusty. With a book, however, I will not be able to do what I do with online material: jump and skip to just exactly those areas I'm interested in.

  • Per Fred's point pertinent to skipping to those areas of interest, you could of course buy the Apress eBook (at 50% of list), which is in PDF format, searchable, and printable.

    Jason Gilmore
    Apress Open Source Editor