[Sussex] [fwd] [REVIEW] Building Secure Servers with Linux

Natalie S. Ford natalie at ourshack.com
Thu Jan 23 18:51:01 UTC 2003 

Spotted on the london.pm mailing list.  I thought you guys might find it
interesting/useful and checked with Roger before I cross-posted it...

----- Forwarded message from Roger Burton West <roger at firedrake.org> -----

> Date: Thu, 23 Jan 2003 18:10:40 +0000
> From: Roger Burton West <roger at firedrake.org>
> To: london.pm at london.pm.org
> Subject: [REVIEW] Building Secure Servers with Linux
> 
> An excellent resource for the Linux administrator concerned with
> security.
> 
> Michael D. Bauer; Building Secure Servers with Linux; O'Reilly
> 0-596-00217-3, 432pp (softcover)
> 
> Review by Roger Burton West
> 
> This book is a comprehensive guide to Linux security. While many books
> deal with installation and setup of a basic server system, they tend to
> be lacking in any security consideration, preferring to emphasise ease
> of use; this is the requisite companion volume to those, assuming a
> basic competence in Linux use and concentrating on security concerns.
> 
> Throughout the book, the author emphasises that systems fail: the
> existence of a firewall doesn't entirely prevent attacks on systems
> within it, proxies can be subverted, and so on. This leads him to a
> preferred position of robust defence in depth.
> 
> Although the book is copyrighted 2003, its history is in a series of
> columns written by the author for _Linux Journal_; in places it is
> significantly outdated, for example considering Debian release 2.2 as
> the most recent version even though 3.0 was released in July 2002.
> 
> The book opens with a consideration of risk. Since there is no such
> thing as a perfectly secure system, against whom should one attempt to
> protect it, and with what level of resource will it be attacked?
> Obviously there are no quick answers, but the author provides a set of
> tools with which reasonable estimates can be made.
> 
> The next chapter deals with perimeter networks: how to position
> firewalls and routers to reach a useful compromise between accessibility
> and security. Various types of firewall are considered, including
> commercial hardware-based products; this book is a rare example of work
> by an author whose expertise is primarily in open-source systems but who
> is also familiar with current commercial software.
> 
> The book now starts to go into rather more detail, as it describes the
> process of hardening a Linux server; the basics of this are as they have
> been described for a long time (run only necessary software, keep up to
> date, read the security mailing list for your chosen distribution), but
> the author expands usefully on all these concepts. This is one of the
> more basic chapters, but even the experienced administrator can usefully
> refresh and expand his knowledge. This chapter also covers security
> scanning with nmap and Nessus, as well as the Bastille Linux automated
> hardening system.
> 
> Remote administration tools are the concern of the next chapter,
> starting with ssh (the author rightly deprecates telnet and related
> clear-text administration tools) in some details, then briefly coverying
> sudo. Next is SSL tunnelling with stunnel, probably the most convenient
> of the programs available, including its client-certificate
> authentication mode (probably the trickiest part of stunnel to set up).
> 
> The next four chapters deal with the security of specific applications,
> starting with DNS. Remarkably, the author is prepared to mention the
> existence of djbdns as well as bind, and gives it a substantial amount
> of space; this is one of very few descriptions of djbdns in print, and
> would deserve attention for that even if it were not rather more clearly
> written than the official documentation. Next comes email, with a long
> general section (mostly considering unauthorised relaying) and detail on
> two specific mail transport agents, sendmail (because of its popularity)
> and postfix (because of the author's admitted bias in its favour). It is
> unfortunate that no room could be found for exim or qmail as well, as
> this would have provided coverage of the vast majority of SMTP servers
> deployed on Linux platforms.
> 
> The web services chapter only covers Apache, which is perhaps a
> pardonable failing given its preponderance on Internet-connected hosts,
> though some coverage of the many lighter-weight servers would have been
> welcome; it also covers CGI script and authentication security, though
> not in any great depth (these are more properly the province of the
> developer than of the system administrator in any case). The final
> application chapter, on file services, describes ProFTPD in some detail
> with some limited consideration of sftp and rsync.
> 
> The book's final section returns to the business of system, rather than
> application, administration, with consideration of intrusion detection.
> One chapter covers inbuilt systems for this (syslog and its
> ramifications including remote loggin, syslog-ng, and the automated
> log-watcher swatch); the other deals with external monitoring packages
> such as tripwire (and some of its kin) and snort. An appendix gives
> pre-built iptables firewall scripts.
> 
> The book is rather shorter than some other security handbooks on the
> market, and more space could perhaps have been given to alternative
> application software, particuarly for email and web services (and client
> mail protocols such as POP3 and IMAP are not even considered). Moreover,
> a slightly expanded treatment of networking - covering security under
> N:N masquerading  rather than the simple N:1 described here and in a
> hundred existing articles - would have added significantly to the value
> of the book.
> 
> The quality of the prose is good and clear throughout, and examples are
> generous though not excessive. In summary, this is a book that I should
> recommend to anyone running a Linux server in an environment where not
> all potential users are fully trusted.
> 

----- End forwarded message -----

-- 
Natalie S. Ford   .................................   natalie at ourshack.com
.........................................  http://www.natalie.ourshack.org

More information about the Sussex mailing list