
The subtitle says it all: “A Survival Guide for Linux Security”.

This book is the result of an iterative process of consulting with experts in the field of computer and
network security. The list of contributors includes staff at well-known organizations like the Computer
Emergency Response Team (CERT) and the U.S. Census Bureau, so it is more than just the two main
authors' expertise—it is a collaborative effort of 48 experts.

It is not simply a theoretical book on computer security. First, it details only one Linux distribution, Red
Hat 6.0. Users of other distributions will be able to use the book as well, but they will need to fudge
things according to the differences between their distribution and Red Hat 6.0. Users of Mandrake 6.x
should have no problem; users of Slackware will have to adjust a lot of the information on system
startup. Debian users will probably find themselves scrambling to map all the RPM package names to
Debian package equivalents.

Second, it is a step-by-step walk through the process. The authors don't simply say, “remove package
foo”; they walk the reader through the process of removing package foo, with the complete command-
line and system response for each command. It may be only one or two steps, but they are there to
show you exactly what to type on the command line and what response to expect from the system.

The book is entirely command-line-oriented. This is good, in that the authors can show exactly what to
do in each step. It also means you get to do a lot of typing and careful checking of your command lines.
If you aren't already familiar with Bash's tab completion, now is a good time to read up on it in the man
page.

Theory is minimal in this book. There is usually a brief discussion of each group of command-line steps.
Then the steps to carry out are shown, interspersed with useful commentary.

The book is organized in a logical manner, starting with step one on security policies, the physical
security of the computer, and a pre-installation check of the BIOS's security-related features (e.g., turn
off the ability to boot from floppy). Each step is divided into sub-steps, so you can easily find an
appropriate sub-step for any aspect of security.

Step two, which would be chapter two in any other book, deals with the installation of Linux. The
authors cover pre-installation security, where they point out that (for example) an FTP installation from
a public server on the Internet could leave your computer compromised before the installation is
complete. Similarly, they discuss the security implications of partitioning.

It's no surprise that the authors prefer the custom installation of Red Hat over either workstation or
server. Their motto is “When in doubt, leave it out”, an excellent motto. If it isn't there, it can't be
cracked. The installation step continues with password setup and some recommendations such as
creating a boot diskette. The book then shows how to set system access policies and configure logging.

The next two chapters (excuse me—steps) are about securing a workstation on a network and a server
on a network. The server step includes instructions for installing Secure SHell (SSH) tools, which are far
more secure than the “r” analogs (rlogin, rsh, etc.), ftp or telnet. Other substeps show how to set up
DNS, electronic mail and several other services. The documentation on securing Apache includes
password protection and adding mod_ssl to your Apache dæmon.

The process of securing a workstation includes disabling and removing a number of standard
dæmons, or limiting access to those dæmons.

Step five deals with system tuning and packet firewalls. It gives a brief introduction to IPCHAINS, and
shows how to make, install and test a strong ruleset.

Step six points the reader toward a number of tools for network security, such as the (in)famous SATAN
and its descendants.

Appendix A has an excellent bibliography of Linux security resources on the Internet. Appendix B is the
stock Red Hat 6.0 /etc/inetd.conf. Appendix C is a System V-style startup script for ssh, which fills a gap
in at least two of the ssh products out there. Appendix D is a 20-page script for a strong firewall
IPCHAINS ruleset, adapted for the book from David Ranch's highly respected TrinityOS.

Appendix E is a script to modify the permissions of a number of system utilities. The authors recommend
you run it every time you install Linux. It is worth studying to see how insecure the authors find Linux to
be.

The book is printed in an unusual format. It is spiral-bound, standard (North American) letter-size paper.
The unusual part is that it is printed in landscape layout. The result is you see the book as a 17 x 11-inch
sheet of paper, with the binding across the middle. This makes it possible to have a lot of information in
front of you while working at the keyboard. There is plenty of white space for your notes. The effect was
a bit disconcerting at first, but I found it easy to work with and rather like it.

The steps are well written, and I was able to walk through several of the sub-steps. The only problems I
had were caused by other problems in the system, ones outside the scope of the book. I was able to
install ssh, for example, in minutes because the steps in this book are better than the README file that
came with one of the distributions I tried.

One thing to keep in mind: while the book is a set of step-by-step instructions, you will have to remain
alert to your own situation and local needs.

At first, I thought the scripts, especially the 20-page IPCHAINS ruleset, were not available on the Net.
Well, I am glad to report that they are. The URL is carefully hidden away at the beginning of Appendix A,
which is not where the reader looking for, say, Appendix D is going to look.

I recommend this book to professionals in the field. If you are on the Internet with a firewall or any sort
of server, you should read it and take the steps appropriate to your situation. As you do, check off each
step completed so that you have a permanent record of how you have customized your firewall.

email: ccurley@trib.com

Charles Curley (ccurley@trib.com) lives in Wyoming, where he rides horses and herds cattle, cats and
electrons. Only the last of those pays well, so he also writes documentation for a small software
company headquartered in Redmond, Washington.
