Review: Linux Server Security

Staying on my current security theme, O’Reilly has published a second edition of Linux Server Security by Michael D. Bauer. The book, targeted toward those managing Internet-connected systems, also known as bastion hosts, packs a powerful arsenal of security design, theory and practical configuration schemes into 500 pages.

Bauer gained some notoriety from his Paranoid Penguin columns in the Linux Journal Magazine, which ultimately inspired the book.

What stands out prominently is the time Bauer took to introduce network security design and risk management before digging into the hands-on nuts and bolts. As business models change for web professionals, many developers find themselves donning at least a part time system administrator’s hat. Understanding how underlying network designs work and how specific configurations can prevent attacks are critical before jumping into a command shell and making changes on a production server.

Bauer used some popular Linux distributions to base his security research on, including Red Hat, Fedora, SUSE and Debian, though much of the material covered should work fine on most distributions and BSD. For those who are familiar with the first edition from a few years ago, the author has revalidated much of the existing content and also added content for:

  • LDAP for authentication services
  • a Bill Lubanovic contributed chapter on database security
  • Using LDAP and Cyrus-Imapd and email encryption as part of email server security
  • Much needed coverage of vsftpd and ProFTPD FTP servers

Before any other daemons and services are covered, the book correctly gets the administrator started with iptables and building a strong firewall. Bauer then digs in layer by layer looking at securing BIND and djbdns name server software for dns, taking control of mail with Sendmail and Postfix and managing Apache among others.

While many Linux admins may disagree, Bauer suggests that one of the first steps in hardening a Linux server that will touch the Internet is to insure X Windows is not installed. “If a server is to run “headless” (without a monitor and thus administered remotely), it certainly doesn’t need a full X installation with GNOME, KDE, etc., and probably doesn’t even need a minimal one,” he wrote.

In my case I run all but one local development Linux system without X at all – and those systems run just fine. A combination of command line administration via SSH combined with a nice root-level GUI interface such as Webmin should keep maintaing headless servers as easy as having access via Gnome or KDE.

Perhaps the one gaping hole in this book is the lack of any caveat to QMail. Surely QMail is growing in popularity and at the very least ranks alongside Postfix. I continually run into Qmail users (including myself!) and it would have found a nice home in the chapter on email management.

The book closes with important techniques for monitoring system logs as well as using one of my own favorites, Tripwire. The latter is in the final chapter on intrusion detection techniques and also includes coverage of Snort.

As a bonus for readers, two complete iptables startup scripts are included with book, one based on content covered in the book for a server sitting on the Internet and a second for multi-homed hosts, which is nice for firewalling in a DMZ where both internal and public network connections exist.

Chapters:

1. Threat Modeling and Risk Management

* * *Components of Risk

* * *Simple Risk Analysis: ALEs

* * *An Alternative: Attack Trees

* * *Defenses

* * *Conclusion

* * *Resources

2. Designing Perimeter Networks

* * *Some Terminology

* * *Types of Firewall and DMZ Architectures

* * *Deciding What Should Reside on the DMZ

* * *Allocating Resources in the DMZ

* * *The Firewall

3. Hardening Linux and Using iptables

* * *OS Hardening Principles

* * *Automated Hardening with Bastille Linux

4. Secure Remote Administration

* * *Why It’s Time to Retire Cleartext Admin Tools

* * *Secure Shell Background and Basic Use

* * *Intermediate and Advanced SSH

5. OpenSSL and Stunnel

* * *Stunnel and OpenSSL: Concepts

6. Securing Domain Name Services (DNS)

* * *DNS Basics

* * *DNS Security Principles

* * *Selecting a DNS Software Package

* * *Securing BIND

* * *djbdns

* * *Resources

7. Using LDAP for Authentication

* * *LDAP Basics

* * *Setting Up the Server

* * *LDAP Database Management

* * *Conclusions

* * *Resources

8. Database Security

* * *Types of Security Problems

* * *Server Location

* * *Server Installation

* * *Database Operation

* * *Resources

9. Securing Internet Email

* * *Background: MTA and SMTP Security

* * *Using SMTP Commands to Troubleshoot and Test SMTP Servers

* * *Securing Your MTA

* * *Sendmail

* * *Postfix

* * *Mail Delivery Agents

* * *A Brief Introduction to Email Encryption

* * *Resources

10. Securing Web Servers

* * *Web Security

* * *The Web Server

* * *Web Content

* * *Web Applications

* * *Layers of Defense

* * *Resources

11. Securing File Services

* * *FTP Security

* * *Other File-Sharing Methods

* * *Resources

12. System Log Management and Monitoring

* * *syslog

* * *Syslog-ng

* * *Testing System Logging with logger

* * *Managing System Logfiles with logrotate

* * *Using Swatch for Automated Log Monitoring

* * *Some Simple Log-Reporting Tools

* * *Resources

13. Simple Intrusion Detection Techniques

* * *Principles of Intrusion Detection Systems

* * *Using Tripwire

* * *Other Integrity Checkers

* * *Snort

* * *Resources

Appendix: Two Complete iptables Startup Scripts

Free book: Jump Start HTML5 Basics

Grab a free copy of one our latest ebooks! Packed with hints and tips on HTML5's most powerful new features.

  • http://www.rideontwo.com z0s0

    Ahhh qmail. It was my favorite for a long, long time, but I don’t think my next server build will use qmail.

    I’m sick of all the patches that are required to Berstein’s codebase to achieve what can readily be considered standard MTA features.

    e.g. qmailqueue to allow things such as Spamassassin and antivirus software to be plugged in.

    And that it needs to be patched to compile against libc-2.3, while Bernstein refuses to acknowledge this as a bug.

    Rant over ;-)

  • Oisin Feeley

    QUOTE: QMail is growing in popularity and at the very least ranks alongside Postfix

    RESPONSE: While the above is true the problem of Qmail’s license and development model leading to a plethora of unofficial patches makes it hard to maintain. Add to this that Postfix’s security model which insulates individual daemons in a chroot’ed environment and it’s hard to see qmail as a viable contender.

    Maybe if the license changes and the qmail-community is able to create an official mainline version that doesn’t rely on the bottleneck of a single developer (no matter how excellent that developer) then it’ll thrive. And if we’re talking about missing MTAs then what about Exim?

  • Paul Gregg