Hardening Linux 137
r3lody writes "Hardening Linux, by James Turnbull, stands out as an important text that clearly lays out how to make your Linux boxes as secure as possible. Mr. Turnbull has done a noteworthy job in delineating many potential vulnerabilities, and how to mitigate them. Each chapter covers a particular area in depth, with carefully worded and easy-to-follow examples. In the cases where you need to install some other piece of software to provide extra security, Turnbull gives you the step-by-step details, removing the chance of misinterpretation. As you finish each chapter, you will want to apply your newfound knowledge to the machines at your disposal." Read on for r3lody's review.
| Hardening Linux | |
| author | James Turnbull |
| pages | 584 |
| publisher | Apress |
| rating | 9/10 |
| reviewer | Ray Lodato (rlodato AT yahoo DOT com) |
| ISBN | 1590594444 |
| summary | In-depth explanations with step-by-step techniques for securing Linux and common applications. |
Naturally, the strongest building will collapse if built on a weak foundation, so Turnbull starts by considering what you need to harden a stand-alone Linux host. He discusses what applications to install and how to secure the boot loader (both LILO and GRUB are covered). The init sequences and scripts are covered next, as well as the login screen. Information on securing users and groups using PAM (Pluggable Authentication Modules) comes next, followed by package management and kernel patching. Finally, Turnbull finishes up with how to keep informed on security issues in the future. All of that is contained in chapter 1, and there are ten more to go! Each chapter ends with a list of resources in the form of mailing lists, web sites, books, etc., so you can fill in any blanks Turnbull may have left in.
Current security postures dictate that every network-connected device needs to be secured from the inside out. Turnbull apparently believes the same thing, and covers the Netfilter firewall framework built into the Linux kernel. Once again providing the careful step-by-step procedures, he demonstrates how to use iptables to manipulate Netfilter chains for maximum protection. There are a number of kernel parameters to Netfilter that can be modified using the sysctl command. James describes the more important ones (such as conf/all/accept_redirects, icmp_echo_ignore_broadcasts, and all under the /proc/sys/net/ipv4 pseudo-directory), and how to keep the changes in place across reboots. He also discusses how to log firewall rules, and keep the code updated using Patch-O-Matic.
As each subsequent chapter unfolds, Turnbull carefully explains how to tighten remote administration, files and file systems, mail, ftp, and DNS/BIND. He gives additional information on how to log important information securely and efficiently monitor the data collected. In addition, tools for testing the security of your hosts are described very clearly, from the inside out and the outside in, along with explanations of how to detect penetrations and recover from them.
Writing about securing a computer system can be written on a few different levels, from the general suggestions which apply to just about any program, to the specific which apply to just one. Turnbull picked commonly used programs and provide step-by-step procedures for locking them down. For example, if you are hardening a mail server, you will find descriptions of Sendmail and Postfix, but not of Qmail or Courier. While this might limit the appeal of the book to just those using the more common programs, it allows a depth that would be otherwise unavailable.
The only quibble I have is that his book does not go far enough. While the chosen applications are covered in great depth, some applications are missing. There is no coverage for a web server, such as Apache, or a database server, such as MySQL. I can only hope that a future edition of the book includes chapters on these and other categories of programs.
Hardening Linux by James Turnbull belongs on the shelf of anyone who installs and maintains Linux servers. The information is easy to follow, and will help you configure your systems very securely. The additional insights into why the configurations are important is extremely valuable in its own right."
You can purchase Hardening Linux from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
important topic (Score:1)
Avoid PHP. (Score:1, Flamebait)
While it doesn't involve the security of Linux (or any other open-source OS) in any way, the security issues that plague PHP do end up making the entire community look bad. Thus I think the open source community as a whole should put more pressure on the PHP developers to introduce technology that wil
Re:Avoid PHP. (Score:2, Insightful)
Re:Avoid PHP. (Score:2)
I blame PHP in that it could probably do more to prevent such security problems, but it does not.
Re:Avoid PHP. (Score:2)
Sure PHP could do better, but it's not unusual in this regard. It's just as mediocre as anything else.
Re:important topic (Score:2)
" He discusses what applications to install...secure the boot loader...init sequences and scripts...securing users and groups....kernel patching. ... All of that is contained in chapter 1, and there are ten more to go!"
They make it sound like Windows, where all of these things need to be done first in order to lockdown the system.
I'm already working on the unofficial sequel! (Score:1, Funny)
At first I read... (Score:2, Funny)
Im glad that wasn't really what it said.
Let me be the first to say... (Score:2, Funny)
GNU/Linux is hard enough
Re:Let me be the first to say... (Score:1)
Re:Let me be the first to say... (Score:2)
For the record, I am a GNU/Linux zealot
Re:Let me be the first to say... (Score:2)
Good advice... (Score:1)
Re:Good advice... (Score:3, Funny)
Class C2 rating, Orange Book, IIRC. The same rating that Microsoft made such a big deal about [theregister.co.uk] Windows NT obtaining. So much for that bit of marketting.
Re:Good advice... (Score:2, Informative)
Re:Good advice... (Score:1)
> irregardless of...<snip>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARGH!
You need to read a little bit of this [mcsweeneys.net] chap's rantings.
SELinux? (Score:2)
Re:SELinux? (Score:1)
What percentage of people who need to harden Linux (but haven't done so, perhaps those who remain logged in as root; see also: Windows XP users who are signed in with Administrator privilege; unsecured wireless routers at home) have even heard of SELinux? (let alone know where to get it [nsa.gov]?)
Re:SELinux? (Score:3, Informative)
Getting SELinux is easy. Some distributions (notably Fedora [redhat.com] and CentOS [centos.org]) have it installed and enabled by default, and I suspect that anyone who has done any amount of research into "hardening" their system has heard of SELinux.
SELinux et al (Score:5, Interesting)
Having said that, there are some good arguments that GRSecurity and some of the other Linux-hardening patches offer better role-based security than SELinux, due to potential limitations of the Linux Security Modules infrastructure. Those seriously interested in hardening Linux would be very well-advised to look through what is available. Having said that, BEWARE FUD! There's lots of claims and counter-claims, and nothing seems to have earned more rigid, fundamentalist stances than computer security.
There are checks for Common Criteria level 3 for Linux, but none for level 4 (which I believe RHEL is now certified to, or was it SuSE?) and there is a lot of contention as to whether these checks actually do anything useful. Are role-based memory locks and network locks actually useful? It would severely limit the security mechanisms you could use, so if you needed some other criteria as well, you might be stuck. POSIX ACLs or Trustees or do you need ACLs at all with role-based mechanisms?
Then there's the password file. Shadow is limited in the number of hashing algorithms it'll support and it may be vulnerable to rainbow dictionary cracks. The mainstream implementation does not support any unbroken hashing algorithms, which may pose other problems - though that is hard to prove. PAM is notoriously fragile, raising questions as to whether it can be considered safe or whether it should be redone. It is also unclear, especially if you use role-based computing, that the full username list should be exposed to all users. It may be more correct for the password and shadow files (if used) to be virtual, where the entries "present" depend on the user viewing the file. But that would add complexity (a BIG no-no in security) and latency.
Not all security options even exist for Linux, though it is unclear why. No Orange Book B-class patches exist for Linux, to the best of my knowledge, the best I've ever seen are just partial implementations. Very little encryption hardware is supported - far more specs have been published than have been coded to, and far more chips exist than specs. I won't even get into the limited security of e-mail clients and servers. How long have PGP and GnuPG been around??? X.400 may not be popular, but it is good on the security angle - so how many clients or servers exist for Linux???
All in all, this is an area the GOOD security guy will be doing a LOT of research in, no matter how much they know. And then, because nobody is an expert in everything and even fewer are experts in security, the REALLY GOOD security guy will not limit themselves to what they can know or understand. The REALLY REALLY GOOD security guys won't even limit themselves to what others can know or understand*.
*Ok, that's worded more for effect than accuracy. The accurate version would be that they are interested in solutions that make unauthorized access within the expected lifetime of the data and/or system highly unlikely at best - or, in the few cases you can do this, actually impossible. (You cannot break a one-time pad without the key, for example.) This is usually done by looking for "really hard problems" and hoping nobody comes up with a really easy solution. (A "really hard problem" is one that either cannot be solved in a determinate timeframe - such as NP-complete problems - or that cannot be solved, on average, in the timeframe you care about - which accounts for 99% of all popular strategies used in encryption.)
Re:SELinux et al (Score:2)
SELinux is mainly a sandbox to restrict the damage a compromised application can inflict on a system.
grsecurity aims to prevent the compromise from happening in the first place.
Re:SELinux? (Score:1)
It seems some aspects of SELinux are patented and the patent holder allows distribution, but once $$ or something that competes with their product is involved, there's a license fee.
Anyway, beyond the IP issues, just because the kernel has SElinux enabled doesn't mean the applications on top of the kernel have SELinux functionality.
I think it's reasonable to say that SELinux does not solve many se
Re:SELinux? (Score:2)
Do you have a link for this SELinux patent issue? I've been developing SELinux policy for a while now and read the SELinux mailing lists daily and I've never heard such a thing. SELinux was originally developed by t
Re:Secure Computing Corporation (Score:2)
http://www.securecomputing.com/pdf/Statement_of_A
Re:Secure Computing Corporation (Score:2)
Either way, it hasn't stopped my employer from implementing SELinux in our product, either. Blatant plug: download our LiveCD [engardelinux.org] if you'd like to check out our SELinux implementation.
Re:Clarifications (Score:2)
More specifically, the NSA paid Secure Computing Corp to develop something for them that turned into SELinux.
The corporation currently has 20 patents related to security in the patent db. They only mention three in their "assurance." What about the other 17?
The code is GPL, and it appears they won't drag you into court for a GPL'd hobby distro today, but what happens when you sell service on top? Do they knock on your door asking for a little p
Re:Clarifications (Score:2)
Re:SELinux? (Score:3, Interesting)
For the most part SELinux provides binary compatibility for user space applications and ever since it was integrated into the 2.6 kernel provides binary compatibility with most modules... there are some modules that don't behav
Re:SELinux? (Score:2)
SELinux is mentioned in a single paragraph on page 75. A link to the web site (http://www.nsa.gov/selinux/ [nsa.gov]) is given, with a brief description likening it to grsecurity.
chroot jails are discussed for the FTP server vsftpd, and for BIND. vsftpd has a couple of parameters (chroot_local_user=YES|NO, chroot_list_enable=YES|NO, chroot_list_file=<filename>) to make it easy to set up the jail. Chrooting BIND follows the more traditional format of creating the duplicate tree for the new root, and is explain
So .. why doesn't Linux come setup with all this? (Score:1, Insightful)
So why aren't they?
Re:So .. why doesn't Linux come setup with all thi (Score:5, Funny)
Because it's not OpenBSD?
--
The universe is a figment of its own imagination.
There are tradeoffs. (Score:5, Insightful)
Take OpenBSD, for instance. While it offers an extremely high level of security, it comes at a price. A system running OpenBSD usually does not perform as well as a system running FreeBSD or NetBSD, for instance. You may also have to use older versions of software, or not use certain software at all (ie. PHP).
In many situations, performance is more of an issue that security. Most Linux distributions, especially those intended for use on servers, are fairly secure out of the box. So users end up getting a higher degree of performance, even if there security level isn't as high as possible. A good blend, one might say. However, if you do need the utmost level of security, you can always use something like SELinux or OpenBSD.
Re:So .. why doesn't Linux come setup with all thi (Score:2)
Thing is
Thus, distributions which allow for flexible yet easy to manage policies may be better. Although not commonly considered a server-grade distribution, Mandri
Linux II: The Hardening (Score:3, Funny)
IDS (Score:5, Interesting)
Btw, thanks to fellow Slashdot readers for recommending DenyHosts [sourceforge.net] - superb tool to stop those brute force SSH attacks...
Re:IDS (Score:4, Informative)
Chapter 6 (Using Tools for Security Testing) goes into NMAP and Nessus in depth, then mentions a few additional tools at the end. dsniff, Ethereal, Ettercap, LIDS, Netcat, SARA, Snort, tcpdump, and Titan each have a one-paragraph writeup, with links to the websites for the tools.
Re:IDS (Score:2)
Re:IDS (Score:2)
Article infringes Amazon's new patent?! (Score:1)
The full text of the book (Score:5, Funny)
There, I've save y'all $20
Re:The full text of the book (Score:1)
Re:The full text of the book (Score:3, Funny)
It just tried that and it didn'
Re:The full text of the book (Score:1)
Re:The full text of the book (Score:2)
$>sync
$>halt
Re:The full text of the book (Score:1)
Re:The full text of the book (Score:1)
> There, I've save y'all $20
That only partially secures the box. If you have multiple IP addresses, you MUST stop all of them like so:
ifconfig | grep Link | awk '{print $1}' | perl -e 'while() { $_ =~ s/[\n\r]//g; system("ifconfig ${_} down"); }'
NOW your box is secure, from the net at least.
Re:The full text of the book (Score:1)
I'll stick with OpenBSD and Trusted Solaris. (Score:3, Insightful)
Has anyone done a recent comparison/evaluation of a highly secured Linux system versus similar OpenBSD and Trusted Solaris systems?
Re:I'll stick with OpenBSD and Trusted Solaris. (Score:3, Interesting)
Re:I'll stick with OpenBSD and Trusted Solaris. (Score:2)
Re:I'll stick with OpenBSD and Trusted Solaris. (Score:3, Insightful)
Package management (ports collection) has really been improved in OpenBSD 3.7 and 3.8. Here is one interview with an OpenBSD ports developer [mongers.org]. It seems to me that OpenBSD developers actually recommend that users should install binary packages (from the interview: "Most people should only see the binary packages and pkg_add"). One quite nice thing about these OpenBSD ports tree compared to FreeBSD ports is that the OpenBSD ports tree is frozen so you actually get something like Debian stable style system whe
Comparisons... (Score:2)
I don't find enough difference in security for my purposes (running the server and maintaining desktops at our medical practice) between OpenBSD and Linux to make it worthwhile. The software we use is much more readily available for Linux, and we've had no security issues in the 2+ years we've run it. I can't see learning t
A similar book (Score:3, Informative)
Hmmm... (Score:4, Insightful)
If we could get the average Joe Bob Windows user to read a book about security, I'm sure we'd see a lot fewer Windows security breaches, too.
All of which just suggests to me that the difference is in the user base (that's a compliment), not the technology.
Re:Hmmm... (Score:2, Insightful)
Jim wrecked his Hummer and died
Therefore both vehicles are deathtraps.
Never mind that the accidents may have happened completely differently. One is safer than the other. It all a matter of degree.
Re:Hmmm... (Score:2)
You seem to think that knowledgeable user base somehow precludes or lowers the possibility of better inherent system security. In fact the opposite is probably true -- people who understand computer security are probably going to select more secure syste
Re:Hmmm... (Score:1)
Furthermore, there are many Windows sysadmins out there who are fooled into a false sense of security by the appearant ease of use of Windows. Because Linux forces you to atte
Re:Hmmm... (Score:2)
For example, in Windows as it is, the moment you let execute anything they want on your computer, you can assume it's been breached, since practically everybody runs everything as Administrator on Windows. Not so on Linux.
Now, while giving somebody an user account on your Linux box doesn't le
Because "better" != "perfect". (Score:5, Informative)
A good Windows admin can "secure" his system as well as a good Linux "admin". The difference is how much work and effort are required.
I like Ubuntu. By default, Ubuntu installs with no open ports. So, securing Ubuntu against worm attacks takes no effort on a default installation.
But securing Windows against worm attacks requires constantly reading the vulnerability disclosures. Or adding an additional layer that requires a different skill set.
It's only when you get beyond the default installation that admin skills become important. The current problem is that there are so many older versions of Windows out there were sold with a very open default installation that are still vulnerable.
Re:Hmmm... (Score:2)
The problem is you have teach "Joe Bob Windows user" how to read first.
Personally, I think a special campaign that sends out spam and phish attempts should be put into place. All those that respond will be identified and their computers confiscated, their cable and phone jacks removed from their house, and then they would be sterilized. We have to end this
Re:Hmmm... (Score:2)
One theory would be that *NIX has better security because the people who use it and develop it have spent the last 40 years having their systems attacked by an incredible variety of threats, so they've had no choice but to create systems which can be effectively secured.
But that means that a lot is down to the operators as well as the software, which is why books are useful. A book on s
securing networks (Score:4, Interesting)
I've never really dealt with security issues on my home machine as it's behind a firewall and really isn't a target anyone would be interested in, but if I take the position as an administrator at my school I'll be responsible for maintaining and keeping upward of 100 computers secure and running.
For a beginner such as myself, and with my limited experience with Linux and Linux security, would this book be the best resource? Certainly by the review it seems sufficient, but I'm interested in what other people may recommend too.
Re:securing networks (Score:4, Interesting)
I picked up O'Reilly's book "Building Secure Servers with Linux" and learned a lot.
it pretty much explains how to set up iptables, the theory behind ssh and ways of better securing it (private/public/shared keys, etc), ways of securing apache, and a slew of other stuff. It's all about best practices.
The only real problem I had with the book is that in some cases, the author is truly paranoid and goes seriously overboard with some techniques, and some of his ideas would never work on a gentoo system. One such thing is that he advises against having development tools (namely gcc) on the server, that way, even if someone manages to compromise the box, they won't have any tools to build/run their rootkit. He suggests using a separate NIC and connecting with a laptop to transfer the binaries to the server. although that will give you a serious piece of mind, it's overkill for many people.
I'm considering picking up this book, though. I like to read about computer security, and I'm amazed at the ingenuity of hackers, from the white-hat to the black-hat. Computer security is quite facinating.
Re:securing networks (Score:2)
Re:securing networks (Score:1)
Re:securing networks (Score:3, Insightful)
Does the system have Perl?
First you paste a Mime::Base64-running Perl program in, and then you launch it and paste in the Base64 code. Look, you can get binaries on the system from a shell window!
This is what is known as 'security-through-inconvience'.
Re:securing networks (Score:2)
I think the point of not having dev tools is not only to attempt to prevent someone from building their rootkit when they log in, but to also increase the amount of time it takes them to do any potential damage.
I doubt that most attackers would be prepared with their Mime::Base64-running perl program right off the bat... unless of course, the attacker is a serious pro and their hacking my multi-
Re:securing networks (Score:2)
I think I'll add this one to the stack as well.
Re:securing networks (Score:3, Interesting)
I also purchased Hardening Apache, although I haven't had a chance to make use of it.
Shameless (Score:5, Informative)
http://www.bookpool.com/sm/1590594444 [bookpool.com]
or for 29.69 at Amazon:
http://www.amazon.com/gp/product/1590594444/002-0
or you could spend 40.49 at BN:
http://search.barnesandnoble.com/booksearch/isbnI
But of course BN is linked in this review.
Re:Shameless (Score:1)
Part of a "series"? (Score:2, Informative)
It looks like the publisher already has a book out called "Hardening Apache".
Harden Linux? (Score:2, Funny)
Sendmail? In a secure system (Score:4, Interesting)
Results 1 - 10 of about 191,000 for 'sendmail "security hole"'
Results 1 - 10 of about 1,910,000 for 'sendmail bug'.
Any questions?
Re:Sendmail? In a secure system (Score:2)
*ducks*
Re:Sendmail? In a secure system (Score:1)
Sendmail has as much place on a secure system as Postfix or Qmail. If either of those MTAs had been around as long as sendmail (22+ years) they would probably have as sordid a security history. The thing to remember is that those holes have been patched, some as much as ten years, or more, ago. No software is going to be bug or security hole free. (OpenBSD doesn't even have a pristine security history for all of its code audits.) Like any MTA software, sendmail can be configured to b
Re:Sendmail? In a secure system (Score:2, Informative)
Compare the security history since both qmail and postfix were released, lets choose January 2003, against sendmail.
CERT Vulnerability note search.
Sendmail 6 vulnerabilities including 4 buffer overflow vulnerabilities, at least one risks a remote root exploit, one was IBM specific and just silly IBM. Many prior ignored.
Postfix one DoS in 2003.
Qmail no hits.
Patching complex systems doesn'
Re: (Score:2)
Re:Sendmail? In a secure system (Score:2)
As Google puts it,
Results 1 - 10 of about 935,000 for 'linux "security hole"'
Results 1 - 10 of about 46,300,000 for 'linux bug'
Any questions?
Re:Sendmail? In a secure system (Score:2)
Alas:
Your search - "sendmail plays the piano" - did not match any documents.
What was your point again?
D
general purpose computer security hardener (Score:2)
http://www.bondo-online.com/catalog_item.asp?item
it works with both Linux (TM) and Windows (TM).
Re:general purpose computer security hardener (Score:2)
It's easy! (Score:4, Funny)
Cheese (Score:1)
still not enough (Score:2)
But even that isn't enough. What will truly stop people from accessing your data? Volume encryption? Ha! That may work to slow down a thief who has removed the hard disk. But when you mount that volume for normal use, everything inside it is decrypted for the duration of the mount, hence access
Re:still not enough (Score:2)
Yes, and buy a server that stores the BIOS password in NVRAM and not CMOS, so it can't simply be cleared by removing the battery...
Other Hardening Resources (Score:1)
The full list is here [theory.kaos.to].
Protecting against seizure of the hardware (Score:1, Interesting)
Just run bastille (Score:1)
3 easy steps to hardening linux (Score:2, Funny)
2) Drink Beer
3) Drink more Beer.
Secure your Linux box... (Score:2)
chmod 500
Congratulations: you've stopped practically every script kiddy. (Every exploit I've ever seen has used wget to pull down a "root kit". So deny wget to every user but root. If you want to be clever, you can allow sudo use of wget, but don't feel obliged.)
Of course, this isn't real security. But if I'm running poorly debugged PHP apps on my webserver (you know
Bastille Linux (Score:2)
mark "use it, no compromises in five years"
root logins (Score:1)
Re:Save (more than) FIFTEEN BUCKS! (Score:3, Informative)
How about prices which include shipping and are less than Amazon's cover price? [addall.com]
(there are online bookstores other than Amazon and B&N)
Re:Save (more than) FIFTEEN BUCKS! (Score:1)
What about the audits? (Score:3, Informative)
Then there's the whole emphasis on security in the first place. Code doesn't make its way into OpenBSD without being heavily scrutinized.
OpenBSD is secure because they don't enable potentially dangerous services right off the bat, but also because their development process puts such a heavy emphasis on only includi
Re:Hardening? (Score:2)
But then there are times when you need to make sure that the system isn't just extremely difficult to crack. That's when you need to make sure the system is basically impenetrable. Of course, you'll probably degrade the performance somewhat, in addition to other tradeoffs.
Re:OUTGOING (Score:1)
Re:OUTGOING (Score:2)