Practical Unix & Internet Security
author | Simson Garfinkel, Gene Spafford & Alan Schwartz |
pages | 954 |
publisher | O'Reilly & Associates |
rating | 8/10 |
reviewer | Charles McColm |
ISBN | 0596003234 |
summary | The 3rd edition of Practical Unix & Internet Security adds much-needed updated information to an already classic security text. It's very comprehensive but a little dry in parts. |
Practical Unix & Internet Security is divided up into six sections:
The first section covers the basics of computer security, tracing the history of Unix and security, as well as providing details of what should be in a good security policy.
The second section covers the building blocks of security, authentication, users and groups, filesystems, cryptography, physical security for servers, and personnel security.
Network and Internet security are focused on in the third section, with emphasis on modems and dialup security, TCP/IP networks, securing TCP and UDP services, Sun RPC, NIS, Kerberos, LDAP, NFS, and SAMBA, and finishing up with a chapter dedicated to secure programming techniques.
Day-to-day operations are the focus of the fourth section. Keeping up to date, making backups, defending accounts, using integrity checking tools, and auditing, logging, and forensics are all expanded upon in detail over five chapters.
The fifth section rounds off the main part of the book by describing how to handle security incidents. Special focus is given to discovering a break-in, protecting against programmed threats, Denial of Service Attacks (& DDoS), legal options, and a chapter on who you can trust.
The Appendixes make up the sixth and final section. Not a spot is wasted in the appendixes, which begin with a Unix security checklist, and then outline Unix processes, provide extensive links to both paper and electronic resources, and conclude with a sub-section on security organizations.
Among the topics I found most interesting were: Access Control Lists (ACL), Pluggable Authentication Modules (PAM), the section about 128-bit keys and dictionary-based passwords, connection laundering, honeypots, the false syslog example, and the example detailing a call to Microsoft's anti-piracy help line. The real-life examples scattered throughout Practical Unix & Internet Security keep the security sections from seeming overwhelming. This is one of the few books in which I've found every chapter of the appendix useful, so don't overlook them as simple reference pages.
Normally one-liners are reserved for movie discussions but for those who've already delved into Practical Unix & Internet Security here are a few of my favorite one-liners:
- "...we do believe that making files readable and writable by everyone leads to many evil deeds." - talking about the octal mode 666.
- "Humidity is your computer's friend." - just before static discharge kills your entire system.
- "Beware of Key Employees." - warning against making one person so key that their departure could cause your company irreparable harm.
- "You mean, you don't really have a copy? [of Windows 98]" - the last part of a conversation with Microsoft's Anti-Piracy line. The company that called Microsoft was tracing some intruders who had uploaded a copy of Windows 98 to the company's web site and were using the site to peddle warez. Microsoft was just about to launch Windows 98. The example shows just how clueless some help desks can be.
One of the great things about Practical Unix & Internet Security is that it is appropriate for a wide audience. There is relevant material for system administrators, security staff, company decision makers, even the guy sitting at the accounting terminal. Despite its massive size, Practical Unix & Internet Security is entertaining enough to be read cover to cover. (It's good for the arm muscles too.) Though it is easy to read, beginners should probably reread their system manual before plunging headlong into this book. All in all, Practical Unix & Internet Security continues to be one of those must-have books for any Linux user.
You can purchase Practical Unix & Internet Security from bn.com.
Practical UNIX... (Score:5, Funny)
Re:Practical UNIX... (Score:4, Funny)
the thing i always want to know (Score:5, Interesting)
What does this book offer that I can't easily find by asking google or google groups?
Re:the thing i always want to know (Score:5, Insightful)
No power requirements and need to connect to the Internet. Very handy feature.
Re:the thing i always want to know (Score:3, Interesting)
Perhaps I should have been more specific and said "networking books." When the topic is Internet Security, chances are pretty good you have a network connection available to you at the time when you are asking the questions.
Re:the thing i always want to know (Score:3, Insightful)
That having been said, Linux security is pretty well documented and easy to search on google. If only Windows had a bit of security, then M$ could have a book of its own as well. Sadly, Wind
Re:the thing i always want to know (Score:3, Informative)
Re:the thing i always want to know (Score:2)
Re:the thing i always want to know (Score:4, Funny)
What's this "offline" thing you mention? I've never heard of it.
What's their website?
Re:the thing i always want to know (Score:3, Funny)
Re:the thing i always want to know (Score:3, Funny)
It's also not nearly as impressive for that geek-babe you've had your eye on to catch you searching google as to catch you reading this.
Re:the thing i always want to know (Score:2)
Re:the thing i always want to know (Score:1)
Re:the thing i always want to know (Score:2)
One centralised Corporation makes it REAL easy to control the flow of knowledge.
For now, it's some urban exploration and scientology. Wonder what it'll be tomorrow?
Re:the thing i always want to know (Score:1)
Re:the thing i always want to know (Score:5, Funny)
A book.
KFG
Get for just $27! (Score:5, Interesting)
Re:Get for just $27! (Score:3, Informative)
Or get it for just $21.47 used... (Score:2)
Froogle isn't anywhere near as good as addall.com for books, or pricegrabber.com & pricewatch.com for tech.
--
viruses (Score:1, Insightful)
except when the virus has a brain and the users choose weak passwords
Re:viruses (Score:4, Insightful)
Since people frequently use tools like NIS, rdist, rsync/ssh, and LDAP to create single authentication domains that span multiple physical boxen, somebody could use one of the usual social engineering tricks to get root on a single box and then load a boot-sector infector into the
Best that *nix sysadmins remain on guard, regardless.
Re:viruses (Score:5, Funny)
Sounds like a nerd garage band.
Re:viruses (Score:3, Funny)
Re:viruses (Score:2)
Not with the fascist-nazi SAs I have in my group. Root should really never be handed out. "sudo" may not be perfect, but it's a far better alternative. The only reason we give root out is for very specific servers and for limited amounts of time.
The other thing is that your trusted server had better not be loading .profile from remote boxes anyway, certainly not for root. Even our everyday users have scripts they have to run to set u
Re:viruses (Score:1)
> skills! We read BOFH articles in the same way as "HOW-TO" documents!
User: I'm having a little trouble starting up Notepad...
BOFH: That's because we're standardising everyone on two text editors, to maintain consistency across the network. We upgraded the Windows systems from Notepad to EDLIN last night during overnight processing.
User: But I don't know how to use EDLIN!
BOFH: Whose fault is that?
User: You said
Sounds silly... (Score:1)
I never have known why I felt that way, just that it is something that didn't seem right to me. So, when I do get that all slapped together on the network I am running, I will make certain to work it in such a way as to keep root out of the chain.
I already use a different root password on every
Re:Passwords are a bad idea (Score:2)
The only secure system is an open system that allows the public to find out what is going on. The open source bazaar will take care of the rest.
sec (Score:1)
At least you have your health! (Score:3, Funny)
But can we patch... (Score:1, Troll)
Had to ask since SCO can not seem to patch OpenServer
Re:But can we patch... (Score:1)
UnixWare is UnixWare.
ah, both suck anyway.
UUCP (Score:5, Informative)
Sendmail (a program) is not an alternative to UUCP (a protocol). Even if you are talking about the UUCP software and not the protocol, the alternative is pppd, not sendmail.
Sendmail still supports UUCP, but most distros do not enable that support, and hardly anyone uses UUCP anymore.
HP-sUX still needs UUCP (Score:2, Interesting)
One MORE reason why HP-UX is the most GODAWFUL WORST *NIX on the FUCKING PLANET!
Re:HP-sUX still needs UUCP (Score:3, Insightful)
Because the uucp uid still owns all the serial port hardware. You need UUCP so that your modems will work, even though they are not running the UUCP protocol.
This is irrational. Presumably you could create any user/group you wanted and give it access to this hardware, so long as the users that the programs that need access to this hardware run as are also part of that group/that user. But why mess with perfection? If it works, there is no reason to change it. There is nothing magic about the name uu
Re:HP-sUX still needs UUCP (Score:1)
Are you certain you don't have it confused with XENIX?
Re:UUCP (Score:2)
But the main selling point of UUCP was to be able to handle scheduled intermittent connections.
This was useful before the Internet got its mojo on, when Email was delivered in batches in a fido-style bucket brigade. "This Email is for California, dial up Chicago at midnight and have them pass it on".
Usenet also started on UUCP (yes, Usenet existed before the Internet) but migrated to NNTP ov
Re:UUCP (Score:2, Interesting)
Re:UUCP (Score:1)
Sendmail and fetchmail's queueing functions implement store-and-forward quite nicely... and in any case, I have been helping to run a full MTA (sendmail) for three domains on a dynamic IP *without* the co-operation of the (completely evil and un-nice) provider for three years now, so I have to say you're mistaken about the need for UUCP.
Dynamic DNS is a simple solution that works fine for me and hundreds of other people with DHCP-assigned IP address
Re:UUCP (Score:1)
UUCP will instead consider this mail delivered once it is in an intermediate spool. I have a cable ISP that forbids me to run an SMTP server (on port 25 anyway) and changes my IP address regularly.
Dynamic DNS allows my remote UUCP host to contact me
Re:UUCP (Score:1)
I'm not trying to say you shouldn't use UUCP, use whatever you want. I'm saying UUCP is no longer an indispensable part of a *nix system, because it does not perform any tasks that can't be accomplished in other ways.
Using almost any standard linux distribution, you could probably come up with a dozen ways to do what you need - having a
Re:UUCP (Score:2)
Re:UUCP (Score:1)
Re:UUCP (Score:1)
Capitalization is usually used to define which thing you're writing about: UUCP is a protocol, and uucp is a suite of programs.
I think some implementations used the name uucpd for the daemon and uucp for the uid it ran under, but older versions ran as root and were named uucp. (Don't trust this last comment, though, it's based on my foggy recollections of usin
Simson Garfinkel... (Score:5, Funny)
this vs. Robert Slade in comp.risks (Score:4, Interesting)
cheers...ank
is there a digital copy with the book? (Score:4, Interesting)
Re:is there a digital copy with the book? (Score:1)
Re:is there a digital copy with the book? (Score:3, Informative)
Re:is there a digital copy with the book? (Score:4, Informative)
If you [have|want] to manage large quantities of Linux servers, pay closer attention to the Linux on zSeries materials since it's customary to run hundreds of virtual Linux servers at a time, and they still need to be managed. Same goes for HPC clusters. Since these books are written by different people, it's neat to hear the tack they've each taken to managing large-scale communities. One book even touches on configuring a Linux virtual server on a zbox with LEAF [sf.net] to serve as a software firewall for the remaining machines.
You laugh!
and also importantly... (Score:4, Insightful)
Re:and also importantly... (Score:2)
- Alan (one of the co-authors)
Hey... (Score:5, Funny)
One of the great things about Practical Unix & Internet Security is that it is appropriate for a wide audience
I resemble that remark.
Re:Hey... (Score:1)
I resemble that remark you insensitive clod!
Re:Hey... (Score:1)
This sounds like something I want on my shelf... (Score:3, Insightful)
Re:This sounds like something I want on my shelf.. (Score:2)
You must not have met my parents, or many people who are not that computer literate. To many, many people a computer is just a tool they use to make life easier. It should not be a full time job to administer.
The problem is with all the hackers, port sniffers, crackers, and the like. I want to see some harsh penalties which send people to jail just for looking.
Re:This sounds like something I want on my shelf.. (Score:1)
This book is overkill for slammer/blaster (Score:3, Insightful)
You don't need a 1000 page book on security to patch your systems against worms; you need a 1 page book on common sense.
Re:This book is overkill for slammer/blaster (Score:1, Funny)
Moderators on crack, film at 11.
Sample Chapters (Score:5, Informative)
Here's my book (Score:2)
When will Cliff Notes be available? (Score:1)
I thought about audio books, but the sysadmins don't listen, either. <SIGH^2>
To the topic: All the manuals in the world, no matter how thorough & thoughtfully written, are of no use if the people who need to read them are busier worrying about their golf game. And the doubly sad thing, is that these guys "know
Re:When will Cliff Notes be available? (Score:1)
Practical Unix Security? (Score:1, Offtopic)
Now if I could only find a good off-shore haven... [vacationbookreview.com]
1000 page? (Score:1)
My RSI is bad enough as it is.
A book like this borders on being unreadable because of its size. And its especially irritating to have to man-handle the book if you just want to look at the material in a single section or chapter.
good book for beginners (Score:2)
www.xml-dev.com [xml-dev.com]
Re:good book for beginners (Score:4, Interesting)
I learned all the great stuff about TCP Wrappers and how it was revolutionizing inetd. When I went to my Slackware box to try to implement, it was already done! Same for shadow passwords. It's funny in that, even being a 7 year user and an RHCE, it still seems like commercial UNIX was in the dark ages until the early 90's just based on those two features alone. Not to say MS was any better (my god no), but to require applications to have root privs to bind to a low port and have world-readable password hashes just seems like something from a million years ago. Different times, those were.
I *still* have to instruct local UNIX pros on the virtues of ssh over telnet. If the X forwarding over ssh doesn't sell them on it, password collectors like ettercap will, every time
Re:good book for beginners (Score:2)
Seriously, the chapter given (11), was more of a prelude and background to chapter 12, which is securing TCP and UDP services. Don't be too misled.
Celebrity Endorsement (Score:1)
If it's good enough for him, it's good enough for me. That spurred me to read it, and I've found it to be quite an interesting read. It also has a good history section, detailing the "family-tree" of all the unices.
Second opinion(s) (Score:1)
Re:Second opinion(s) (Score:2)
Of course, I still think it's a great book, but that's to be expected.
Almost considered buying this book (Score:1, Offtopic)
Or save some bucks by ordering from Bookpool (Score:1)
Disclaimer: I'm not affiliated with Bookpool and receive no kickbacks. I've been a happy customer with BP and just don't like to pay too much for books.
regards,
Heiko
Re:1000 pages (Score:4, Informative)
Real World Linux Security
Re:1000 pages (Score:2)
Basically, my only gripe about it is the case studies, which were one of the reasons that I bought it. They're all what he and his buddies did during the 70s to academic systems that they already had physical access to. Duh. Oh, that and him using a 'case study' to bitch about MCI.
He's also the first person I've ever read advocating the use of active blocking software, though he makes a good case for his (pretty kludgey) o
Re:Mode 666? (Score:5, Informative)
777 is rwxrwxrwx : Read, Write & Executable for all
666 is rw-rw-rw- : Read, Write for all
remember octal? r=4; w=2; x=1
r + w = 4 + 2 = 6
rho
Re:Mode 666? (Score:2)
 u   g   o
rwx rwx rwx = 111 111 111
rw- rw- rw- = 110 110 110
110 in binary is 6 in decimal.
Re:Mode 666? (Score:1)
"...we do believe that making files readable and writable by everyone leads to many evil deeds." - talking about the octal mode 666
that IS 666, NOT 777. a lot of damage can be done merely by writing to config files.
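An added example (not from any of the posts above) that ties the three replies together: it renders an octal mode as the ls-style rwx string using the r=4, w=2, x=1 bits, and then walks a constructed file listing to flag every entry that "everyone" can write to, the 666 case the book's quote is about. The listing and its modes are made up for illustration.

```python
import stat

# Constructed sample listing of (path, octal mode) pairs; not taken from the thread.
SAMPLE_LISTING = [
    ("/etc/passwd", "644"),
    ("/etc/hosts.allow", "666"),          # mode 666: anyone can rewrite a config file
    ("/usr/local/bin/deploy.sh", "777"),  # mode 777: anyone can rewrite and run it
    ("/etc/shadow", "600"),
    ("/tmp", "1777"),                     # world-writable, but the sticky bit is set
]

# Each permission triplet is three bits: r=4, w=2, x=1 (so rw- is 110 binary = 6).
PERMISSION_BITS = ((4, "r"), (2, "w"), (1, "x"))

def mode_to_rwx(mode):
    """Render the low nine permission bits of a mode as ls-style 'rwxrwxrwx'.

    Accepts an int (0o666) or an octal string ("666"). Special bits (setuid,
    setgid, sticky) are not rendered here; classify_other_write() checks sticky.
    """
    if isinstance(mode, str):
        mode = int(mode, 8)
    triplets = []
    for shift in (6, 3, 0):  # user, group, other
        digit = (mode >> shift) & 0o7
        triplets.append("".join(ch if digit & bit else "-" for bit, ch in PERMISSION_BITS))
    return "".join(triplets)

def classify_other_write(mode):
    """Return a short note if 'other' (everyone) may write to the entry, else None."""
    if isinstance(mode, str):
        mode = int(mode, 8)
    if not mode & stat.S_IWOTH:
        return None
    if mode & stat.S_ISVTX:
        return "world-writable sticky directory"   # e.g. /tmp: users can only remove their own files
    if mode & stat.S_IXOTH:
        return "world-writable and world-executable"
    return "world-writable"

def audit_listing(listing):
    """Return (path, rwx, note) for every entry in the listing that anyone can write to."""
    findings = []
    for path, mode in listing:
        note = classify_other_write(mode)
        if note is not None:
            findings.append((path, mode_to_rwx(mode), note))
    return findings

if __name__ == "__main__":
    for path, rwx, note in audit_listing(SAMPLE_LISTING):
        print(f"{rwx} {path}: {note}")
```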
Re:Mode 666? (Score:2)
Re:$5.50 CHEAPER and FREE SHIPPING (Score:1)
This silly "let's pretend Amazon with its cheaper prices does not exist" farce really should stop already.
Re:Sheesh. (Score:2)
What the world needs is a book on WINDOWS security. Not YABOUS.
This [sourcemage.org] is the answer to your Windows security problem.