Linux System Security: The Administrator’s Guide to Open Source Security Tools, 2/e
Authors: Scott Mann, Mitchell Krell and Ellen Mitchell
Publisher: Prentice Hall PTR
Choosing “Linux System Security” as the title of your book is surely a pretentious step. But usually, when someone picks this kind of name for a planned publication, he or she is sure to deliver the quality readers expect. I’m satisfied to say that, in this case, the authors do provide the level of information suitable for the book’s title.
About the authors
Scott Mann is a Linux software engineer at LeftHand Networks in Colorado. He has previously specialized in Linux and UNIX systems for both SGI and Sun Microsystems. His previous Prentice Hall PTR books include Linux TCP/IP Network Administration.
An interview with Scott Mann is available here.
Mitchell Krell, Ph.D., is a former university professor turned consultant. He currently travels around the country teaching classes and consulting for various government agencies on a variety of topics including Linux, IRIX, system administration, networking, web development, and computer security.
Ellen Mitchell is a security analyst at Texas A&M University, where she is responsible for campus network security, development, and administration. She currently maintains the Tiger UNIX security package.
Inside the book
The main difference between this second edition and the first publication is that it updates everything that changed in the time between the two releases. As Red Hat Linux is the authors’ preferred distribution, everything was verified to work on Red Hat’s 7.2/7.3 Linux releases. Several new chapters were added, for instance the one on iptables and another dealing with network scanners and sniffers. Several chapters from the first edition, such as the overview of the OPIE tool, TCP Wrappers and cryptographic filesystems, were moved to the appendixes of the book. As the authors note, this was done because the information is still valuable, but not used as much as before.
As expected, the authors start the book with several light reading chapters on information security basics. The vulnerabilities are sorted into three separate categories – Technical (trojan horses, back doors, buffer overflows, password cracking, spoofing, session hijacking, etc.), Social (the ever popular manipulation and impersonation schemes, as well as the all-around-us shoulder surfing tactics) and Physical (system access and various network tampering issues). Don’t expect to find answers to all your questions in this section, as a basic level of security knowledge is needed in order to enjoy this book to the maximum. If you are trying to find any specific Linux security related answers, you’ll probably find them in this massive 800-page guide.
“This ‘n That” is the name of the chapter that covers several topics, including a dissection of all those services that are actively running on a default installation. In a neatly structured table, around 30 services such as chargen, discard, smtp, shell, uucp, auth and others are presented with the appropriate port number, a description and the authors’ recommendations. Basically, as it should be, the authors suggest shutting down all unnecessary services. An introduction to the TCP/IP model layers and to cryptography is also presented, giving the reader a by-the-way overview of the basics regarding these important topics.
User administration is a big issue, as doing it inadequately can grant an attacker easy access to the system. Some of the tips included in this chapter of the book are: using /etc/login.defs as an alternative way of doing password aging, creating restricted guest accounts, minimizing the impact of a root compromise, configuring /etc/securetty and playing around with file and directory permissions. The use of Pluggable Authentication Modules for Linux (PAM) is described, with a focus on its logging and session management flexibility. As the authors describe the usage of several available PAM modules and applications, this topic is covered over 50 pages. By skipping a few chapters ahead, you’ll find a guide on using the popular password auditing tool Crack, which will help you test the passwords of your system’s users.
As system accounting was developed with keeping track of user resource usage in mind, the seventh chapter shows us how to use it for security purposes. Some of the commands included in this connection accounting overview are dump-utmp (converting utmp and wtmp logs into a parsable ASCII format), last (showing information on users logging in) and who (printing the currently logged-in users). The process accounting overview offers information on sa (which produces process usage per user or per command) and lastcomm (which produces output on a per-command basis). These commands can be of great use, but you shouldn’t trust them completely, as after a successful compromise they can be modified to show false output. As for host integrity, tools like Tripwire should be quite useful.
One of the great Linux features is its extensive logging. Every system administrator should, either manually or automatically, check those logs for any possible problems. Grepping error logs can help you spot possible attack attempts targeting your system, or it can alert you that your hard drive is progressively fading away with blocks of errors (evil grin at several series of IBM drives that give me bad memories). The authors start their system logging coverage with an introduction to syslog, its facilities and levels, its configuration and finally its usage. For advanced usage, an example of configuring /etc/syslog.conf is given, along with a tip on synchronizing system clocks and examples of the log output related to these procedures. Skipping to the closing chapters of the book, the system logging material is extended with an overview of log file management. Whether you’ll do it manually, or with swatch, logcheck or any other tool, you will find this chapter an interesting addendum.
Since Red Hat Linux 7.0, this Linux distributor uses xinetd rather than inetd as the default network super daemon. The improvement in this extended daemon is that it incorporates many useful portmapper and TCP Wrappers capabilities. Some of the advantages noted by the authors are access limitations based on time, access control for TCP/UDP/RPC services, numerous denial of service prevention mechanisms and additional /etc/hosts.allow and /etc/hosts.deny checks. The chapter on xinetd offers a lot of information on using xinetd to protect the network services on a Linux based system.
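The xinetd controls the review lists above (access by time, by source address, per-service connection limits and logging for later log checking) look like this in a single service stanza. This is an added example, not a configuration from the book; the service name, server path and addresses are assumed placeholders.

```conf
# Added example (not from the book): one xinetd service stanza showing the
# access controls the chapter describes. Service name, server path and
# addresses are assumed placeholders; adjust them for the real service.
service example-svc
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = nobody
    # Assumed path of the daemon xinetd starts for each connection.
    server          = /usr/local/sbin/example-svcd

    # Source-address access control (the TCP Wrappers style checks); the
    # most specific match wins. /etc/hosts.allow and /etc/hosts.deny are
    # still consulted when xinetd is built with libwrap support.
    only_from       = 192.0.2.0/24
    no_access       = 192.0.2.99

    # Time-based access control: connections are accepted only within
    # this window; attempts outside it are refused and logged.
    access_times    = 08:00-18:00

    # Denial of service limits: at most 20 concurrent server processes,
    # at most 3 per source address, and no more than 30 connections per
    # second before the service is disabled for 10 seconds.
    instances       = 20
    per_source      = 3
    cps             = 30 10

    # Log to syslog so log checking tools (swatch, logcheck) can spot
    # probing; refused attempts record the remote host and userid.
    log_type        = SYSLOG authpriv info
    log_on_success  += HOST DURATION
    log_on_failure  += HOST USERID
}
```

After editing, send xinetd a SIGHUP (or restart it) so the new stanza takes effect, and check /var/log/secure for the refused attempts it logs.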
In the time when telnet was used for remote access, the title of the eleventh chapter, “Let ‘Em Sniff the Net!”, wouldn’t be as suitable as it is now. Secure Shell (SSH), a utility written by Tatu Ylonen, provides all the needed capabilities of a client-server environment over an encrypted tunnel. As you probably know, there are two versions of SSH – version 1 and version 2. Conceptually similar to version 1, SSH 2 differs in that no server key is generated; instead, key agreement is performed using Diffie-Hellman. Afterwards a session key is generated and exchanged between the two parties. This isn’t the end of the process, as the session is then encrypted using the session key together with one of the available algorithms. Also, from the security perspective, the difference is that SSH 2 uses SHA-1 or MD5, rather than the insecure CRC used within SSH 1. This section of the book provides SSH configuration and usage information, and briefly mentions Secure Shell alternatives.
Following the previously mentioned chapter dealing with “Crack”, the authors present several extended chapters on some of the “toys” used for playing with the system’s security. Bastille Linux is one of them, and it can help you learn more about the state of your system security. To summarize, this tool helps with increasing logging, managing permissions and services, provides file hardening and also includes a firewall (implemented via ipchains/iptables) and a port scan detector. As Bastille is a collection of scripts written by its authors, who are by the way noted names in the information security community, it can be run manually or automatically. As usual, the authors provide in-depth information regarding Bastille’s configuration and usage. In the same manner, Tripwire and both ipchains and iptables are covered, providing information on both file integrity and firewalling under Linux.
One of the new additions to the second edition of “Linux System Security – The Administrator’s Guide to Open Source Security Tools” is the already mentioned chapter on scanners, sniffers and detectors. These tools aren’t just dark-side related, as they have proved valuable to system administrators both for making sure the state of their system security is satisfactory and for mimicking a potential attacker with a system compromise in mind. Scanners covered include SARA, Nmap, Nessus and NetSaint. “Honorable Mentions” are Internet Security Scanner, VLAD and SAINT. As for the sniffing tool sector, the authors present TCPDUMP, Ethereal and Ettercap. Neped and PortSentry are the only detection tools mentioned.
The appendixes that follow include information links that should keep administrators up to date. The resources covered here are divided into web pages, full disclosure resources, mailing lists and USENET groups. Appendix B takes care of some of the notable tools that aren’t covered in more detail. The OPIE, TCP Wrappers and Cryptographic and Transparent Cryptographic Filesystems chapters from the first edition are also placed within the appendixes, for the reasons I mentioned at the beginning of this review. As usual, the appendixes close with a glossary of the terms used in the book.
As a perfect ending point, these are some of the suggestions the authors spread through more than 800 pages of the book:
- Use a well-planned and well-implemented security policy
- Harden your Linux system
- Secure filesystems, important files and important directories
- Restrict root access and watch over it carefully
- Make sure that user and group accounts are secure
- Configure log checking and parsing utilities
- Configure network services and use SSH for remote access
- Configure ipchains or iptables (depending on the kernel)
- Run the tools mentioned throughout the book
- Stay in touch with current information security topics
What do I think of it
The authors really did put some energy into this book, which can be seen at every step of this information-packed publication. After every thematic section, the reader is presented with additional examples and tips that often include interesting and very useful facts. From my perspective the book is a must for any Linux user interested in advancing the state of his/her security knowledge. Administrators should find it a useful read, as it provides in-depth coverage of Linux system security topics, a direct result of the experience the book’s authors have. The only thing I would suggest to the authors and the publisher is to include a CD-ROM containing the security tools mentioned throughout the book, along with some useful scripts or customized configuration files.