[Gllug] Up-to-date Linux security books

Walter Stanish walter.stanish at saffrondigital.com
Thu Feb 17 16:36:01 UTC 2011


>> In a field where up-to-date information is so vital I'm quite
>> surprised at the lack of choice. Any recommendations?
>
> I'm not sure if good security practices really change that quickly.
>
> Sure, new attacks are created every day, but it is no good trying to
> implement a new defense against every attack. The best general defense
> is still mostly the same as it was 10 years ago - apply security
> updates, run the bare minimum of services and packages, firewall both
> incoming and outgoing traffic, don't use unencrypted traffic, etc.

Excellent advice.

> There are new defenses like SELinux and AppArmor, but they are
> documented by both themselves and by the distribution. Encrypting
> filesystems that contain sensitive data can also be useful in places
> where a server might be stolen.

To these I would add the following.
 - Virtualisation systems and related brethren (chroot, etc.)
 - Resource limits

Detection and response is also an area where you can find many
useful tools.  Logging off-host, host-based and network-based
intrusion detection systems can all be useful.  These measures
are largely useless, however, unless you maintain a security-
conscious systems administration team with enough time to
investigate potential issues that are identified.

> If you are looking to secure a web server it really helps if you
> learn a bit about the programming languages such as PHP and Perl
> that will be used. Learn about Cross-Site Scripting and SQL
> Injections and how to spot them in the programs you are running.

Following through with this mentality, it pays to spend time
thinking like an attacker and/or actually developing attacks
against elements of your infrastructure.  While there are
copious resources online, one excellent book I could
recommend (disclaimer: written by a friend of mine) is The
Art of Software Security Assessment: http://taossa.com/

Also remember that a large and popular class of attacks, 'denial of
service', often requires less technical knowledge (or simply worse
luck) to see executed against your infrastructure.  The obvious save
for these is often redundancy in hardware and connectivity, plus a
software architecture that allows for horizontal scaling.

Unfortunately, the skills to design truly scalable services are
not yet particularly widespread (often linked to particular technical
elements, each coming with limitations), thus modifying a real-world
system to scale past a dedicated node to a live cluster or live-
failover capable system can sometimes be a ridiculously time-
consuming process that amounts to a redesign.

Ahh, the glory of the mess :)  God bless the internet.

- Walter
--
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
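The thread's advice to learn enough PHP to spot SQL injection and cross-site scripting in the programs you run can be turned into a small, admittedly crude, source scanner. The following is an added example written for this page, not code from the thread or from any project it mentions. The PHP snippet it scans is constructed for illustration; the scanner does a simple forward taint pass (a variable assigned from `$_GET`/`$_POST`/`$_REQUEST`/`$_COOKIE`, or from an expression referencing an already tainted variable, is tainted) and then flags tainted variables that reach an SQL string or a `mysql_query`-style call, or that are echoed without `htmlspecialchars`/`htmlentities`. It has no notion of scope, sanitisers other than those two, or multi-line statements, so treat its output as a list of places to read by hand rather than a verdict.

```python
import re

# Constructed sample PHP source (not from any real project) containing the two
# patterns the thread describes, SQL built from request input and request input
# echoed unescaped, alongside their safe counterparts (prepared statement,
# htmlspecialchars).
SAMPLE_PHP = r"""<?php
$id = $_GET['id'];
$q = "SELECT * FROM users WHERE id = " . $id;
$res = mysql_query($q);
$name = $_POST['name'];
echo "Hello " . $name;
echo "Safe: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$id]);
echo "Static text only";
"""

REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
ASSIGNMENT = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.*);\s*$")
VAR_REF = re.compile(r"\$(\w+)")
SQL_KEYWORD = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b", re.I)
QUERY_CALL = re.compile(r"\b(?:mysql_query|mysqli_query|pg_query)\s*\(")
OUTPUT_STMT = re.compile(r"^\s*(?:echo|print)\b")
# A tainted variable passed to one of these escapers counts as safe for output.
ESCAPED_REF = re.compile(r"(?:htmlspecialchars|htmlentities)\s*\([^)]*\$(\w+)")


def tainted_variables(lines):
    """Forward taint pass over single-line assignments.

    A variable becomes tainted when its right-hand side reads request input
    directly or references a variable that is already tainted. Deliberately
    simple: no function scope, no sanitiser awareness, no multi-line statements.
    """
    tainted = set()
    for line in lines:
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        if REQUEST_INPUT.search(rhs) or any(v in tainted for v in VAR_REF.findall(rhs)):
            tainted.add(name)
    return tainted


def scan(source):
    """Return (line_number, kind, variable) findings for the sample patterns:
    tainted data inside an SQL string or query call ("sql-injection") and
    tainted data echoed without an escaper ("xss")."""
    lines = source.splitlines()
    tainted = tainted_variables(lines)
    findings = []
    for no, line in enumerate(lines, start=1):
        refs = {v for v in VAR_REF.findall(line) if v in tainted}
        m = ASSIGNMENT.match(line)
        if m:
            # The variable being assigned on this line is the target, not a source.
            refs.discard(m.group(1))
        if not refs:
            continue
        if SQL_KEYWORD.search(line) or QUERY_CALL.search(line):
            findings.extend((no, "sql-injection", v) for v in sorted(refs))
        if OUTPUT_STMT.match(line):
            escaped = set(ESCAPED_REF.findall(line))
            findings.extend((no, "xss", v) for v in sorted(refs - escaped))
    return findings


if __name__ == "__main__":
    for no, kind, var in scan(SAMPLE_PHP):
        print(f"line {no}: possible {kind} via ${var}")
```

Run against the constructed sample it reports the concatenated query on line 3, the `mysql_query($q)` call on line 4 and the unescaped `echo` on line 6, while the prepared statement and the `htmlspecialchars` output are left alone. Pointing it at real code is a matter of reading files instead of `SAMPLE_PHP`; expect false positives wherever a sanitiser it does not know about is in use.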