Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Practical Unix & Internet Security

Posted by timothy on Tue Aug 26, 2003 12:15 PM
from the updated-classic dept.
Books Media Security Operating Systems Software The Internet Unix
Charles McColm writes "At just under 1,000 pages the 3rd edition of Practical Unix & Internet Security might look intimidating on the shelf, but a quick glance through the pages reveals that it is both practical and entertaining. With Slammer and Blaster making their way into the news it seemed like a good time to brush up on security. Already considered a classic reference, the 3rd edition of the book provides extensive updated information about topics like PAM (Pluggable Authentication Modules), LDAP, forensics, intrusion detection, wireless devices, and cryptography." Read on for the rest of McColm's impressions of the book.

Practical Unix & Internet Security is divided up into six sections:

The first section covers the basics of computer security, tracing the history of Unix and security, as well as providing details of what should be in a good security policy.

The second section covers the building blocks of security, authentication, users and groups, filesystems, cryptography, physical security for servers, and personnel security.

Network and Internet security are focused on in the third section, with emphasis on modems and dialup security, TCP/IP networks, securing TCP and UDP services, Sun RPC, NIS, Kerberos, LDAP, NFS, and SAMBA, and finishing up with a chapter dedicated to secure programming techniques.

Day-to-day operations are the focus of the fourth section. Keeping up to date, making backups, defending accounts, using integrity checking tools, and auditing, logging, and forensics are all expanded upon in detail over five chapters.

The fifth section rounds off the main part of the book by describing how to handle security incidents. Special focus is given to discovering a break-in, protecting against programmed threats, Denial of Service Attacks (& DDoS), legal options, and a chapter on who you can trust.

The Appendixes make up the sixth and final section. Not a spot is wasted in the appendixes, which begin with a Unix security checklist, and then outline Unix processes, provide extensive links to both paper and electronic resources, and conclude with a sub-section on security organizations.

Among the topics I found most interesting were: Access Control Lists (ACL), Pluggable Authentication Modules (PAM), the section about 128-bit keys and dictionary-based passwords, connection laundering, honeypots, the false syslog example, and the example detailing a call to Microsoft's anti-piracy help line. The real-life examples scattered throughout Practical Unix & Internet Security keep the security sections from seeming overwhelming. This is one of the few books that I've found ever chapter of the appendix useful, so don't overlook them as simple reference pages.

Normally one-liners are reserved for movie discussions but for those who've already delved into Practical Unix & Internet Security here are a few of my favorite one-liners:

  • "...we do believe that making files readable and writable by everyone leads to many evil deeds." - talking about the octal mode 666.

  • "Humidity is your computer's friend." - just before static discharge kills your entire system.

  • "Beware of Key Employees." - warning against making one person so key that their departure could cause your company irreparable harm.

  • "You mean, you don't really have a copy? [of Windows 98]" - the last part of a conversation with Microsoft's Anti-Piracy line. The company which called Microsoft's was tracing some intruders who had uploaded a copy of Windows 98 to the company's web site and was using the site to peddle warez. Microsoft was just about to launch Windows 98. The example shows just how clueless some help desks can be.

There are a few spelling mistakes and grammatical flaws but not enough to take away from the bulk of the information and no glaring omissions. UUCP coverage was dumped because UUCP simply is not a practical anymore now that more advanced alternatives like sendmail exist. I started glazing over material by the middle of the NIS chapter, but it probably had more to do with the fact that I was thinking about the other 400 or so pages I had to read before I finished the main section of the book rather than the topic itself.

One of the great things about Practical Unix & Internet Security is that it is appropriate for a wide audience. There is relevant material for system administrators, security, company decision makers, even the guy sitting at the accounting terminal. Despite its massive size Practical Unix & Internet Security is entertaining enough to be read cover to cover. (It's good for the arm muscles too.) Though it is easy to read, beginners should probably reread their system manual before plunging headlong into this book. All in all Practical Unix & Internet Security continues to be one of those must-have books for any Linux user.

You can purchase Practical Unix & Internet Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Practical Unix & Internet Security 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Practical UNIX... (Score:5, Funny)

    by Anonymous Coward on Tuesday August 26 2003, @12:19PM (#6795720)
    The companion book [cashncarrion.co.uk] seems, uh, interesting too. :)

  • the thing i always want to know (Score:5, Interesting)

    by Transient0 (175617) on Tuesday August 26 2003, @12:19PM (#6795725) Homepage
    when talking about computer books is:

    What does this book offer that I can't easily find by asking google or google groups?

  • Get for just $27! (Score:5, Interesting)

    by Anonymous Coward on Tuesday August 26 2003, @12:20PM (#6795732)
    Thanks to froogle price check [google.com]

  • At least you have your health! (Score:3, Funny)

    by Anonymous Coward on Tuesday August 26 2003, @12:21PM (#6795749)
    How does one glance quickly through a 1000-page book without straining something important? ;-D

  • UUCP (Score:5, Informative)

    by Medievalist (16032) on Tuesday August 26 2003, @12:25PM (#6795790)
    UUCP coverage was dumped because UUCP simply is not a practical anymore now that more advanced alternatives like sendmail exist.
    Um, I think you meant "UUCP is not necessary anymore now that PPP, NNTP and SMTP are widely supported".

    Sendmail (a program) is not an alternative to UUCP (a protocol). Even if you are talking about the UUCP software and not the protocol, the alternative is pppd, not sendmail.

    Sendmail still supports UUCP, but most distros do not enable that support, and hardly anyone uses UUCP anymore.

    • HP-sUX still needs UUCP (Score:2, Interesting)

      by Anonymous Coward
      Because the uucp uid still owns all the serial port hardware. You need UUCP so that your modems will work, even though they are not running the UUCP protocol.

      One MORE reason why HP-UX is the most GODAWFUL WORST *NIX on the FUCKING PLANET!

      • Because the uucp uid still owns all the serial port hardware. You need UUCP so that your modems will work, even though they are not running the UUCP protocol.

        This is irrational. Presumably you could create any user/group you wanted and give it access to this hardware, so long as the users that the programs that need access to this hardware run as are also part of that group/that user. BUt why mess with perfection? If it works, there is no reason to change it. There is nothing magic about the name uu

      • If you really enjoy pointless configuration tasks, you can run UUCP over anything that can simulate a serial line.

        But the main selling point of UUCP was to be able to handle scheduled intermittent connections.

        This was useful before the Internet got its mojo on, when Email was delivered in batches in a fido-style bucket brigade. "This Email is for California, dial up Chicago at midnight and have them pass it on".

        Usenet also started on UUCP (yes, Usenet existed before the Internet) but migrated to NNTP ov

        • Re:UUCP (Score:2, Interesting)

          by philfr (89798)
          Actually, UUCP over TCP is probably the only sensible way to operate a full-featured mail server on a dynamic IP address or on an intermittent connection. Even people with dialup connections can have at home a full MTA serving multiple domains connected through UUCP to their (nice) provider. Other solutions (ETRN on SMTP, maildrop on POP3) are broken somewhere. UUCP is a generic store-and-forward protocol, supporting binary file transfer and custom commands, not only mail or news. UUCP mail transport can be
            • Certainly UUCP is not necessary. But for laptop users it is more convenient than something like fetchmail. It operates as a push protocol--when new mail comes in, it is immediately sent to the laptop if the laptop is on-line, otherwise it is queued until the laptop comes on-line. I've been using it this way for years.

  • Simson Garfinkel... (Score:5, Funny)

    by ravind (701403) on Tuesday August 26 2003, @12:26PM (#6795807)
    ...I love their music :D

  • this vs. Robert Slade in comp.risks (Score:4, Interesting)

    by ansak (80421) on Tuesday August 26 2003, @12:27PM (#6795828) Homepage Journal
    For more book reviews, especially on computer security, watch for Robert Slade's regular contributions to comp.risks [comp.risks]. It doesn't look as though Robert has reviewed this one yet so I'll look forward to reading and comparing. His praise for a former edition [victoria.tc.ca] seems uncharacteristically positive -- compare reviews of Secrets of a Super Hacker [victoria.tc.ca] or Computer Security Basics [victoria.tc.ca] -- so I'll be surprised if he doesn't praise this one, too...

    cheers...ank

  • is there a digital copy with the book? (Score:4, Interesting)

    by phaetonic (621542) on Tuesday August 26 2003, @12:27PM (#6795829)
    my newest requirement is to have the book in PDF format so I can simply search for keywords, saving time, and hassle. having the PDF on a few different computers and storing the book away after skimming through it works better than having thousands and thousands of pages take up my precious 500 sq ft. apartment

    • Re:is there a digital copy with the book? (Score:4, Informative)

      by LinuxHam (52232) on Tuesday August 26 2003, @02:50PM (#6797645) Homepage Journal
      Being a good IBMer, here [ibm.com] are a couple. :) But seriously, many people tend to miss IBM's publishing arm, and never even realize that all of their books are published as freely downloadable PDF's. Granted, there's an IBM slant to most of it, but there are some really good, get-to-the-good-stuff, hands-on tasty morsels in there. In fact, this [ibm.com] book on AIX is currently $117 at Amazon. Take the PDF to OfficeMax and get a book bound with comb binding (so it opens flat) for 1/3rd the price, and you can put the CD you burned the PDF onto inside the back cover :)

      If you [have|want] to manage large quantities of Linux servers, pay closer attention to the Linux on zSeries materials since its customary to run hundreds of virtual Linux servers at a time, and they still need to be managed. Same goes for HPC clusters. Since these books are written by different people, its neat to hear the tack they've each taken to managing large-scale communities. One book even touches on configuring a Linux virtual server on a zbox with LEAF [sf.net] to serve as a software firewall for the remaining machines.

      You laugh!

  • and also importantly... (Score:4, Insightful)

    by spamchang (302052) on Tuesday August 26 2003, @12:34PM (#6795900) Journal
    what about social engineering? or do they trust management and sysadmins to be socially mobile, compatible, and perceptive? i think humans are one of the weaker links in the security chain.

  • Hey... (Score:5, Funny)

    by blueforce (192332) <clannagael.gmail@com> on Tuesday August 26 2003, @12:35PM (#6795915) Homepage Journal

    One of the great things about Practical Unix & Internet Security is that it is appropriate for a wide audience

    I resemble that remark.

  • This sounds like something I want on my shelf... (Score:3, Insightful)

    by John Seminal (698722) on Tuesday August 26 2003, @12:37PM (#6795940) Journal
    I know that many computer users do not ever look at computer security, they just plug it in and go. At the best, some of my friends will block ports, but that is about it. They do not check logs, or anything. And how many people out there have a second PC attached by serial cable to log intrusion data? I think if more people secured their systems, then everyones security would increase because there would be less places to launch attacks from. What we need is someone at the major distros to write a program which, when executed, will secure a system. Something which is point and click "easy".
      • To me, security is a sound backup and restoration plan, and not keeping all of my personal info in a file called "my banking stuff.doc"

        You must not have met my parents, or many people who are not that computer literate. To many, many people a computer is just a tool they use to make life easier. It should not be a full time job to administer.

        The problem is with all the hackers, port sniffers, crackers, and the like. I want to see some harsh penalties which send people to jail just for looking.

  • This book is overkill for slammer/blaster (Score:3, Insightful)

    by SpaFF (18764) on Tuesday August 26 2003, @12:38PM (#6795942) Homepage
    With Slammer and Blaster making their way into the news it seemed like a good time to brush up on security.

    You don't need a 1000 page book on security to patch your systems against worms; you need a 1 page book on common sense.

  • Sample Chapters (Score:5, Informative)

    by Anonymous Coward on Tuesday August 26 2003, @12:51PM (#6796105)
    Sample chapters of the book can be found here [oreilly.com] and here. [onlamp.com] I read this first one (the one on TCP/IP) and found that it was an excellent introducation to it. The other is on "secure programming techniques." Gotta read that.
  • Using this [openbsd.org]during my install of an OpenBSD firewall taught me a quite a bit.
  • After reading the sample chapter @ oreilly, it seems like a good book fo beginners. I if you have involved in sysadmin/sys security, this book might be too basic for you. Just my thoughts.
    www.xml-dev.com [xml-dev.com]

    • Re:good book for beginners (Score:4, Interesting)

      by LinuxHam (52232) on Tuesday August 26 2003, @02:22PM (#6797283) Homepage Journal
      Yes, an older edition of this book did help me back when I was a beginner. But, its also one of the books that taught me that by the time something is in print, it's already out of date.

      I learned all the great stuff about TCP Wrappers and how it was revolutionizing inetd. When I went to my Slackware box to try to implement, it was already done! Same for shadow passwords. Its funny in that, even being a 7 year user and an RHCE, it still seems like commercial UNIX was in the dark ages until the early 90's just based on those two features alone. Not to say MS was any better (my god no), but to require applications to have root privs to bind to a low port and have world-readable password hashes just seems like something from a million years ago. Different times, those were.

      I *still* have to instruct local UNIX pros on the virtues of ssh over telnet. If the X forwarding over ssh doesn't sell them on it, password collectors like ettercap will, every time ;)
    • Well thank you for judging the depth of the book based on one sample chapter.

      Seriously, the chapter given (11), was more of a prelude and background to chapter 12, which is securing TCP and UDP services. Don't be too misled.

    • Re:1000 pages (Score:4, Informative)

      by BoomerSooner (308737) on Tuesday August 26 2003, @12:29PM (#6795851) Homepage Journal
      This book [amazon.com] is excellent. It's the best I've read on the subject and it has surprisingly good content where you're not bored out of your mind.

      Real World Linux Security
      • I second that, mostly. I've been thinking about doing a review of it here, actually.

        Basically, my only gripe about it is the case studies, which were one of the reasons that I bought it. They're all what he and his buddies did during the 70s to academic systems that they already had physical access to. Duh. Oh, that and him using a 'case study' to bitch about MCI.

        He's also the first person I've ever read advocating the use of active blocking software, though he makes a good case for his (pretty kludgey) o

    • Re:viruses (Score:4, Insightful)

      by Medievalist (16032) on Tuesday August 26 2003, @12:32PM (#6795878)
      one thing unix doesnt really have to worry about is viruses..
      I'm not so sure.

      Since people frequently use tools like NIS, rdist, rsync/ssh, and LDAP to create single authentication domains that span multiple physical boxen, somebody could use one of the usual social engineering tricks to get root on a single box and then load a boot-sector infector into the .profile in root's home dir. Then, every time root logs in on any particular physical box, that box get the boot-sector virus loaded.

      Best that *nix sysadmins remain on guard, regardless.

      • Re:viruses (Score:5, Funny)

        by jdludlow (316515) on Tuesday August 26 2003, @12:41PM (#6795982)
        boot-sector infector

        Sounds like a nerd garage band.

      • somebody could use one of the usual social engineering tricks to...

        Not with the facist-nazi SAs I have in my group. Root should really never be handed out. "sudo" may not be perfect, but it's a far better alternative. The only reason we give root out is for very specific servers and for limited amounts of time.

        The other thing is that your trusted server had better not be loading .profile from remote boxes anyway, certianly not for root. Even our everyday users have scripts they have to run to set u

    • Re:Mode 666? (Score:5, Informative)

      by Anonymous Coward on Tuesday August 26 2003, @12:58PM (#6796192)
      ummmm...back to unix school for you...

      777 is rwxrwxrwx : Read, Write & Excutable for all

      666 is rw-rw-rw- : Read, Write for all

      remember octal? r=4; w=2; x=1

      r + w = 4 + 2 = 6

      rho
      • Octal is one way to learn it but considering you know how to count in binary, I find the binary way more effective.

        _u___g__o
        rwx rwx rwx = 111 111 111

        rw- rw- rw- = 110 110 110

        110 in binary is 6 in decimal.
      • Doh! Good call, thats what I get for thinking. Thanks for correcting me. /me runs off to slap head against wall

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.