
Real World Linux Security, 2nd Edition

Berislav Kucan writes with the following review of Real World Linux Security, 2nd edition. If you've already had a break-in, or just want to avoid it in the future, this book has some tips for you.
Real World Linux Security, 2nd edition
author: Bob Toxen
pages: 848
publisher: Prentice Hall PTR
rating: 10
reviewer: Berislav Kucan
ISBN: 0130464562
summary: In its 800 pages, this book proves to be pure gold when it comes to all aspects of Linux security. Well written and filled with a lot of interesting tips and facts about securing a Linux environment, the book can be used both to build your knowledge and as a reference in your future security-related work.

Who's behind this book?

The author of this book, Bob Toxen, is one of the 162 recognized developers of Berkeley UNIX. He has more than 28 years of UNIX and 8 years of Linux experience. Trivia from his resume includes that he was one of the four developers who did the initial port of UNIX to Silicon Graphics hardware, that he was an architect of the client/server system used by NASA's Kennedy Space Center, and that he wrote "The Problem Solver" column for the popular UNIX Review magazine. Currently he is president of Fly-By-Day Consulting, Inc., offering Linux security-consulting services.

The cover

The Real World Linux Security cover features Cerberus, the three-headed dog that guarded the entrance to Hades, the underworld of Greek mythology where the dead ended up. Cerberus was there to stop the demons of Hades from escaping into our world and, vice versa, to stop the living from entering Hades. Mr. Toxen draws a metaphor connecting the three-headed demon dog to a system administrator. How so? "This is not unlike the security aspects of system administrator's job and it certainly seems to require three heads to keep ahead of the problem," he notes.

Inside the book

From the introductory credits, you can see that this book will be an interesting read. The author has a lot of expertise in Linux/UNIX, which lends credibility to the book's title, "Real World Linux Security." Another big plus is that the book has about 800 pages of valuable information, divided into these four interest areas:

  • Securing your system
  • Preparing for an intrusion
  • Detecting an intrusion
  • Recovering from an intrusion

Securing your system is an imperative for any system administrator. There are many ways to keep up with the latest security problems, and patching vulnerable services must be done on a regular basis. Patching alone won't keep you secure, though, unless you treat every "living" thing that runs on your production server as a possible entrance into your system. The first part of the book covers this initial step in the "security ring." The author warns us of the "Seven Most Deadly Sins":

  1. Weak and default passwords
  2. Open network ports
  3. Old software versions
  4. Insecure and badly configured programs
  5. Insufficient resources and misplaced priorities
  6. Stale and unnecessary accounts
  7. Procrastination

If you are interested in various aspects and details on securing your system, you'll enjoy the first 400 pages of the book as it deals with:

  • quick fixes for common problems (shutting down unnecessary services, using quality passwords, limiting access)
  • common subsystem hacking (playing with sendmail, POP and IMAP servers, Samba, etc.)
  • usual hacker attacks (rootkits, packet spoofing, man-in-the-middle and other common attacks)
  • advanced security issues (Apache and web server security techniques, buffer overflows)

After securing your system, what should you do as the next step? Well -- secure it even more, of course. The second part of the book continues with hardening the system, which is a must when preparing for the possibility of an intrusion. Intrusion must always be on your mind, as no one connected to the Internet is safe. Vulnerability scanners deployed by crackers don't see the difference between your home computer, a test e-commerce server and a big consultancy's server -- if you have a vulnerable service running, you'll probably get burned. This part introduces you to protecting user sessions with SSH, Virtual Private Networks, PGP/GPG cryptography, firewalls and DMZs, and preparing your hardware for security readiness. I should especially note the great coverage of iptables, with helpful rule sets both printed in the book and included on the CD.

This publication also bears in mind the situation of your system being compromised. It is noted that probably 10-20 percent of the people reading this book will suffer a system break-in. By proactively monitoring your system and keeping up to date with security web sites, you can reduce the risk of someone hacking your system to a minimum. As any quality security book should, Real World Linux Security also deals with the system administrator's darkest moment -- a successful compromise. The author explains the steps of regaining control of your system, finding and repairing the damage, tracking the attacker, and sending him/her/them to prison.

As a notable addition, the author doesn't limit himself strictly to Linux security. As a true expert in his field, he walks into some areas that aren't closely connected with Linux, but with security in general. One example is a 20-page chapter dealing with security policies. In this short guide for decision makers, he walks us through the possible policies -- from accounts and e-mail to network topology, problem reporting and even policy policies.

Another good section drawn from Mr. Toxen's experience is called "Case Studies." The stories here describe actual cases that compare with hacking-history jewels like "Masters of Deception: The Gang That Ruled Cyberspace" by Slatalla/Quittner and "Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage." They range from old-school cat-and-mouse games with Berkeley sysadmins back in the late seventies and the making of virtual-machine trojans, to the latest issues such as easy DNS information changes and Microsoft's Visual Studio .Net shipping with the Nimda worm.

The CD-ROM

The accompanying CD-ROM contains the author's own software for instantly locking out attackers and alerting system administrators. There are also exclusive iptables and ipchains firewall rules, as well as a collection of tools for monitoring network health, detecting and reporting suspicious activities, securing backups, simplifying recovery etc.

The CD has two main folders: "book" and "net." The "book" folder contains up to 100 files, mostly written by the author especially for this book. These include the Cracker Trap software, sample iptables and ipchains scripts, and various useful programs for different security-related activities. The other folder contains about 40 MB of security software that the author referenced in the book. The tools in this section include crack, firestarter, sniffit, john the ripper, LIDS, netfilter, ntop, samhain, snort and more. As you can see, Mr. Toxen has really worked hard to make this CD a worthy addition to the book.

The verdict

After reading some of the comments on the first edition of this book and briefly looking over the chapters of this second edition, I knew it would be a great read. After reading it, I must say that "Real World Linux Security" is even better -- I can even say terrific. In its 800 pages, this book proves to be pure gold when it comes to all aspects of Linux security. Well written and filled with a lot of interesting tips and facts about securing a Linux environment, the book can be used both to build your knowledge and as a reference in your future security-related work.

The release of a second edition of this book has proven to be a good choice, and I am really looking forward to a possible third edition in the future.

An interview with the author is available here.


You can purchase Real World Linux Security from bn.com.

Comments
  • I have used it on many occasions to tighten up some particularly loose default installs[1]. It has great advice that everyone should follow.

    Which is the problem, really. Why is this security stuff put on the user/administrator to do? This is OS-level work. The people who really need this book are the Alans and Linii of the world. It's their fault that Linux requires a 600 page book to make it usable, make them fix it.

    [1]*cough*debian*cough*

  • by Noryungi ( 70322 ) on Wednesday December 18, 2002 @11:53AM (#4915221) Homepage Journal
    And his book is definitely on my "must buy ASAP" list!

    For more info, refer to this interview on Linux Online [linux.org] and also to this article in UNIX Review [cavu.com].

    I mean, the guy was already hacking UNIX systems when Bill Joy was his system administrator!! :-)
    • I've got a copy of the first edition, and it's quite dog-eared, worn out, and bookmarked in dozens of places. IIRC, it was the *only* thing I read (and re-read) for the first 2 months I had it. Very educational stuff, he comes out with things I never would have thought of.

      I'm glad to hear he's keeping it up, and I plan to get a copy of the 2nd Edition ASAP.
    • Thanks for putting up the link to the article I wrote with Bob for Unix Review; browsing it really brings back nostalgic memories.
  • by _Sambo ( 153114 ) on Wednesday December 18, 2002 @11:53AM (#4915231)
    Could you please suggest a speed reading course that would allow me to read an 800 page book as fast as the /. book reviewers do?
    • by Anonymous Coward
      Could you please suggest a speed reading course that would allow me to read an 800 page book as fast as the /. book reviewers do?

      Just scribble the word TOLKIEN on the front.
    • Imagine how many pages a Windows security book would take.

      RAID 1 reading: get a bunch of reviewers and make them read different chapters from different copies
      RAID 0 reading: split the book in several parts and get a bunch of reviewers and make them read different chapters
      Promise reading: get one reader to read the odd line numbers and another the even ones
    • Can't .... resist ... the ... urge...

      Maybe you should get a Beowulf cluster of readers?
    • > Could you please suggest a speed reading course that would allow me to read an 800 page book as fast as the /. book reviewers do?

      Let me quote Woody Allen on that subject:

      "I went on a speed reading course last week - and it worked! Yesterday I read War and Peace in an hour ... It's about some Russians." :)
  • by Yoda2 ( 522522 ) on Wednesday December 18, 2002 @11:54AM (#4915235)
    "Make-Believe Windows Security"
  • What about LIDS? (Score:4, Interesting)

    by Dick Click ( 166230 ) on Wednesday December 18, 2002 @11:58AM (#4915278)
    While the review indicates LIDS is included in the CD, it does not mention if it is well covered in the text. I believe a Linux security book could really benefit by including a good discussion of LIDS. I find the available LIDS documents a bit lacking, specifically in relation to applying LIDS to a real system, with real users, running real services.

    Anybody know how LIDS is dealt with in this book?
  • by Cy Guy ( 56083 ) on Wednesday December 18, 2002 @12:00PM (#4915298) Homepage Journal
    "You can purchase Real World Linux Security from bn.com."

    SlashDot must have some deal worked out with BN* since they are recommending you buy reviewed books there when they can be bought much cheaper ($34.99 at Amazon [amazon.com]) elsewhere on the web.

    * Full disclosure: yes, I have a 'deal' worked out with Amazon in the form of their affiliate program, but it seems the typical shopper should care more about how much they are spending rather than where they are spending it.

    • Hey, you should post a journal detailing how much cash you've made off of Slashdot users clicking your links. How much do you get for a SegWay purchase?

      I hope at least you're kicking some of that money back to Rob in the form of a Slashdot subscription, since he's providing you a free business model.
    • by Anonymous Coward
      It might have something to do with the patents Amazon holds and how they choose to enforce them.

      The typical shopper probably does care more about how much they spend than where they spend it. I know there's a group of shoppers that refuses to support Amazon in any way until they stop harassing other companies for also using obvious techniques for selling items on the web.
    • It is 29.95 at Bookpool [bookpool.com], although out of stock.
    • This [bestwebbuys.com] site is great for comparing book prices. It even figures shipping for total cost.
      • I also like ISBN.nu [isbn.nu] (though they may be having some technical difficulties currently) and Google's new Froogle [google.com] site; all you have to do is search on the ISBN.

        I've tried Froogle for some other products though and was less satisfied, since it seems to grab the price in closest proximity on the page to the search term you used - which is sometimes for a different product or for some other charge besides the product price like the shipping, warranty, cost of a peripheral.

    • The typical shopper SHOULD care where they spend their cash (and what he/she supports by doing so) rather than whether they save a few bucks by doing so (going to the big megahypersupermarket vs. your local corner store).

      Not that the typical shopper cares in reality what ethics the companies they give money to are pursuing..
  • by greechneb ( 574646 ) on Wednesday December 18, 2002 @12:01PM (#4915304) Journal
    If it was windows security it would be 8,000
  • Even better (Score:1, Funny)

    by termos ( 634980 )
    Real World is not in a geek's vocabulary; do they really think Linux people will buy this?
  • by burgburgburg ( 574866 ) <splisken06@@@email...com> on Wednesday December 18, 2002 @12:07PM (#4915362)
    I was going to put that on my list of things to watch out for.
  • I think... (Score:4, Funny)

    by craenor ( 623901 ) on Wednesday December 18, 2002 @12:10PM (#4915389) Homepage
    They intend for you to find the person trying to break into your network...and beat them with the 800 page book...
  • Linux? (Score:2, Interesting)

    by Fulkkari ( 603331 )
    Why call it "Real World Linux Security"? The book sounds more like a book on *NIX security to me. Is this because Linux is pop, or what? Sheesh. The writer was even a developer of Berkeley Unix. :-/
    • well he DID mention iptables and ipchains. When was the last time you did THAT with UNIX?
    • The writer was even a developer of Berkeley Unix.

      If you're trying to fault him for an allegiance to BSD instead of Linux, consider that his BSD work was 15 years before Linux even existed!

      Doh!

      I went to U.C. Berkeley with the author and have a very similar history to his (look for me in the book ;-). We both specialize in Linux these days, not BSD.

      And yes, the book is about Linux.

      What, you think that maybe if you open it, it would be all about BSD security despite the title??? Why comment about what you don't know and haven't bothered to check? Bizarre.

      • What I meant was that different subjects mentioned in the post (like sendmail, Apache, SSH etc.) are quite the same in other *NIXes, like the BSDs.

        Even the "ideas" behind the firewall rulesets could be ported to other firewalls.

        So even if some parts are particularly Linux, I got the impression based on the post that the 800 pages include information that could be useful to all *NIX admins. So I thought calling it UNIX security would broaden the reader community. :)

        They are not _that_ different after all. :)

        • Ah, I see. Sorry I misunderstood.

          I think you are correct in part -- lots of it certainly is applicable to Unix in general, and some of the anecdotes give warnings that would be useful even on non-Unix systems like Windows.

          But the focus is nonetheless on Linux.

          BTW the author posted several comments here under the user name "Real World Linux Sec" (it was truncated), but not until fairly late in the day, so most readers of the story didn't see them...search the page if you're interested to see his responses to questions.

    • I called it Real World Linux Security because my intent was to provide practical solutions, based on my experience running critical production systems.

      Thus, I give advice on how to recover a compromised system quickly. Other books say "re-install from scratch" or "recover from backup". If one has production data on it, these suggestions (from other Linux security books) would cause loss of that data. My techniques will save the data.

      One Linux security book says not to remotely manage Linux firewalls because of the risk of locking oneself out or briefly opening up insecure access. I explain how to remotely manage Linux firewalls without the risk of locking oneself out or having even a nanosecond of insecurity. My techniques have worked well for my managing clients' firewalls around the world for three years.

      I start with quick fixes for common problems that everyone can benefit from, especially those new to Linux security. Then I get into increased security in different areas, such as desktop systems, mail servers, web servers, etc.

  • First Ed. was great (Score:4, Informative)

    by nomax ( 165497 ) on Wednesday December 18, 2002 @12:12PM (#4915404)
    If you run a server and have no idea how to secure it, this book will get you to plug all the obvious holes in short order.

    After that it's just a question of how much time and effort you want to expend being safe from the more determined attacks. The strength of this book is that it is organized so you can get the most from your early simpler efforts, but still goes into as much depth as you need if you want to get really serious.

    Recommended.
  • by Cy Guy ( 56083 ) on Wednesday December 18, 2002 @12:12PM (#4915407) Homepage Journal
    The accompanying CD-ROM contains the author's own software for instantly locking out attackers and alerting system administrators. There are also exclusive iptables and ipchains firewall rules, as well as a collection of tools for monitoring network health, detecting and reporting suspicious activities, securing backups, simplifying recovery etc.

    When you say exclusive, I hear closed license. Is that the case? If I get the book [amazon.com], and look at the iptables and ipchains configs provided am I actually allowed to use it on my own firewall box? Am I allowed to recommend them to my friends? My employer?

    The review says the author's own software is also included. What sort of license is it provided under? Is there a EULA with proscriptive provisions? Will I only find out about the license/EULA after I have bought the book and loaded the CD?

    • Copyright is probably not as far reaching as you believe - there are two causes why his scripts might not even be protected by copyright, which is the base of any special licence agreement.

      In fact there are two causes why it is probably not protected by copyright:

      - Too simple: In most countries, copyright requires a certain amount of "creativity". A simple firewall script as it is shown in hundreds of tutorials may not fulfil this requirement.

      - You won't copy it: Copyright protects not an idea (as patents do) but a concrete piece of code. If you catch the "idea" from his example code and do your own script (you should do this anyway), there's no problem with copyrights or licences.
    • I guess it depends on what they mean by exclusive. A search on dictionary.com yields several definitions for the word exclusive.

      exclusive adj.
      1. Excluding or tending to exclude

      Yeah, pretty much sums up a firewall ruleset. Unless your FW ruleset is designed to allow everything, they do tend to exclude.

      But my favorite definition is:
      8. Catering to a wealthy clientele; expensive

      Perhaps they are catering to the wealthy people who can afford to purchase the book and read the license agreement on the CDROM?
    • They're just his preferred scripts, etc. The 1st Edition had most of it under GPL or BSD licenses; the remainder were under a "free for personal use" licence as long as the original author is acknowledged. Most of the configs and scripts were printed verbatim in the text also.
  • since, according to this very informed article, Linux is the most insecure OS [wininformant.com]. Not a troll :)
    • That claim, originated by the Aberdeen Group, simply is incorrect. They noted that there were more vulnerabilities posted for Linux than for Windows and drew the conclusion that Linux was less secure than Windows. I've read followups that also said that if a vulnerability occurred in 3 Linux distributions that Aberdeen counted it as 3 vulnerabilities.

      However, Aberdeen's analysis is flawed because it failed to weight each according to its severity (whether it offers a remote root or remote non-root vulnerability, what percentage of the installed base is vulnerable, etc.)

      The reality is that many Windows vulnerabilities are the equivalent of a Linux "remote root" vulnerability and affect either every Windows system running IE or every Windows system that runs IIS. Most Linux vulnerabilities are not remotely exploitable and most of those that are affect only a small percentage of systems.

      Using a valid analysis, a Linux system deployed for the same purpose as a Windows system (e.g., as a desktop system, web server, file server, mail server, or whatever) is far less likely to be violated, in my opinion.

  • To check out a better price Check here [buy.com]

    I can't believe B&N would sell this for $47... I guess they are relying on laziness. A few mouse clicks will generally yield better results.

  • Wasn't it just a few years ago when I was complaining that there was not enough focus on security? Now there are so many books it is almost annoying. Even casual admins or enthusiasts have that "Hackers Exposed" book.

    At 800 pages, they MUST be re-inventing the wheel to some degree. A lot of those bullets in the contents seem like general things you should know about host-based security in general. Books like that usually annoy me - sifting through all that to get to the fresh information is tedious. I have an American attention span, dammit!

    • Now there are so many books it is almost annoying.

      Yah, there are too many books in the world! Burn them! :-)

      sifting through all that to get to the fresh information is tedious

      If you're knowledgeable enough to already know all of the old information, why would you even consider reading a new book? Perhaps you should be writing your own book.

      Oh wait, no, I forgot the "too many books in the world" point. Certainly wouldn't want to contribute to that evil!

      Brand new, cutting edge, up-to-the-moment security information you get from various web sites, not books -- as you surely know.

      • > Yah, there are too many books in the world!
        > Burn them! :-)

        That's funny.

        > If you're knowledgeable enough to already know
        > all of the old information, why would you even
        > consider reading a new book? Perhaps you should
        > be writing your own book.

        I'm not complaining that there are too many books. On the contrary, I'm saying there are not enough - with a narrower scope. Many have a general knowledge of security, but not every single platform. Surely you can see the benefit to writing a concise platform-specific book rather than (or in addition to) yet another biblical security compendium with a one platform focus?

        Imagine being an admin and being tasked with "securing" a client's heterogeneous network. You could either a) read through a general security bible and adapt the concepts to each platform, researching the specific methods yourself, or b) you could have a cookbook-style guide for each platform that names the popular tools, configuration options, and pitfalls.

        I think b) would be quicker and would avoid reinvention of the wheel during implementation. What would really be irritating is if all of those books cost 50 bucks and had 600 pages of duplicate material common to each book.

        > Brand new, cutting edge, up-to-the-moment
        > security information you get from various web
        > sites, not books -- as you surely know.

        At this point, it should be clear that I'm not talking about bleeding-edge changes.

  • This book is a very level look at Linux/Unix security in general for the new admin, or even for the god-like admin; there's something even for you. The CD contains various utilities whose usage the book explains. So you know how to set up a Linux box and webserver, eh? Secure it! Great read ... so far
  • by kingkade ( 584184 ) on Wednesday December 18, 2002 @12:44PM (#4915747)
    Who's behind this book?
    The author of this book, Bob Toxen, is one of the 162 recognized developers of Berkeley UNIX. He has more than 28 years of UNIX and 8 years of Linux experience. Trivia from his resume includes that he was one of the four developers who did the initial port of UNIX to Silicon Graphics hardware, that he was an architect of the client/server system used by NASA's Kennedy Space Center and that he wrote the "The Problem Solver" column for popular UNIX Review magazine. Currently he is a president of Fly-By-Day Consulting, Inc. offering Linux security-consulting services.

    Yes, yes -- but is he qualified?
  • by Anonymous Coward
    I had the 1st edition of RWLS and got the second (you can never have too many security books) but found that the 2nd suffered the same problems as the first. There is a lot of space wasted on stuff that's old and doesn't affect any Linux machine from the last few years, because the author keeps going on about his heyday years of BSD - things that aren't relevant today.

    There is a lot of stuff on the CD, but it seems like he's just plopped in stuff that he wrote for clients, without making it obvious where it is appropriate on my machine. I think he would do much better to avoid trying to be an authority on everything and point to texts where they are covered in better detail. Rather than writing half-assed iptables stuff, he should point to the Ziegler "Linux Firewalls" book, which is the true authority, where it has enough time to get the real coverage needed.
    • Dear Rambling,

      Almost every issue discussed in the book can affect the newest Linux versions. Most of the problems of BSD that I discuss are in the category of "Those who fail to learn from history are doomed to repeat it".

      Most of my original code on the CD was written for the book. While some of it, such as my substantially enhanced versions of Logcheck and Arpwatch were written for clients, these are of general interest and I have sent my enhancements back to the authors for including in their next versions if they desire. The use of each of my programs is discussed in detail in the book. Logcheck and Arpwatch each get about 5 pages under the obscure titles of "Using Logcheck to Check Log Files You Never Check" and "Using Arpwatch..."

      RWLS 2/e covers many aspects of IP Tables that Ziegler's book does not. This includes how to safely debug a firewall remotely (Ziegler says not to bother), a detailed comparison of Tables to Chains for those considering switching, and tips and techniques for working with IP Tables or Chains.

      RWLS's CD contains a complete IP Tables-based firewall rules script that does not need configuration, not even specifying one's external IP address because it figures it out automatically. Ziegler does not provide a CD.

  • by MarkOlszewski42 ( 634723 ) on Wednesday December 18, 2002 @01:14PM (#4916035)
    I got both Hacking Linux Exposed 2nd edition and Real World Linux Security 2nd Edition this year, and Hacking Linux Exposed is infinitely better. Most of the new things in RWLS seem to be there to make it as good as HLE 1st edition, but they fail to live up. If you want to read good case studies about Linux, the ones in HLE are great command-line stuff. The ones in RWLS are ages old -- the Cuckoo's Egg stuff is a great story, but the guy who was there wrote all about it in much better style than RWLS can do.

    What I noticed about the new editions of both books is that HLE took out stuff that's no longer relevant and/or put it online instead, while RWLS just added (often repetitive) stuff. You get a much better bang for your buck with Hacking Linux.

    Also, Hacking Linux is donating any money they make from sales to the EFF. See their site [hackinglinuxexposed.com] for more info.

    • Now, see, every once in a while I start to wonder why in the hell it is that I bother reading /. threads. It's posts like these that keep me coming back for more.

      Thank you for the info!

    • This sounds like the same guy that posted a recommendation on Amazon's RWLS 2/e web page, preferring HLE to it. His recommendation (and thus his evaluation of RWLS 2/e) was posted before RWLS 2/e started shipping and thus he could not have read it before evaluating it.

      Regarding "ages old" stories in RWLS 2/e, my discussion of Microsoft's Korean version of .Net having shipped with Nimda was based on a June 2002 report. I then explain nine lessons that can be learned to avoid repeating Microsoft's mistake. For those who actually have read the book, this case study begins on page 387.


    • I got both Hacking Linux Exposed 2nd edition and Real world Linux Security 2nd Edition this year, and hacking Linux Exposed is infinitely better.

      I cannot disagree more. I bought some of the Hacking Unix/Linux series, and they're pretty much large-type-to-fatten-the-book, punk-cracker-posturing affairs. They're worthless for a working admin.

      OTOH, Real World Linux Security -- albeit the first edition -- has been invaluable to me and my team. Toxen knows his stuff, and when we say that, we mean he knows specifics. Like: here's what to do to prevent chroot jails from being broken out of. Here's some stuff you've never seen before to harden Sendmail.

      I cannot imagine why someone would recommend the 'Exposed' series, unless said person is the author or something. That series is not of help to someone who actually has to do this stuff on a regular basis. It is of help if you like to read some socially inept guys posture about what mad hackz they know about.

    • I bought the second edition of RWLS and HLE also; I like HLE much better. I had to order HLE from the publisher, so I had RWLS a couple of days earlier. I've been reading the same topics in both books, and HLE has been more up to date so far. Something that really annoys me about RWLS is being referred to so many other sections. I want to simply read the chapter of interest and learn from it, not jump around all over the book. I will continue to read both books by topic together, and I may come to appreciate RWLS. So far, it hasn't been as helpful as HLE. Compare them before you buy; I wasn't able to, HLE wasn't on the shelf yet.
  • http://online.securityfocus.com/archive/98/301300/ 2002-11-24/2002-11-30/0 I was watching this thread a while back that started out as "Are Bad developer libraries the problem with M$ software" and evolved into "Security Education in the Workplace". Last night, i was wearing my defcon shirt while doing some christmas shopping, and the kid behind the counter at Bookman's commented on it. Well, he turned out to be a THIRD year C.S student from ASU...he bitched how ASU and his last professor stressed (crammed down his throat, he said) security, so now he doesn't care about writing with security in mind. No, he said he would never write code with security in mind. He said he'd write the code but never personally use it. I really lost all respect for him, and at first i was pissed, but then again, that can't be such a Bad thing. I'm competing against the likes of him, and he just lowered the bar. As the threads mentioned above point out, it's really about programmers and the entire IT infrastructure being educated about security. At least, our CTO and CIOs should be aware about security, and have the knowledge to know that the kid from ASU would be a liability to a company and their clients. That's the second half of the problem. The second half is just lazy developers who just copy structures blindly or move strings blindly without any checks.
  • It seems like the only obstacles in complete Linux security are the current slew of buggy user-land software that grant such. I use mostly LinuxFromScratch on a 164UX Alpha computer and install software the ol'-fassioned way by only downloading, building, and installing archived sources. I beleive debian's Apt and RedHat's RPM are much too monologous within their simple user-land methodologies. To properly manage the software and security installed on any given workstation, it will require somthing much more sophisticated than Palladium. Now would be a good time to discuss Unix software as a whole in attempt to build a more reliant and secure user interface as well as the secondary goal of preventing Microsoft and the United States (government) from using contracts and intellectual property to defer freedom and/or security on their whim. A kernel-based real-time, on-demand, file auditing routine would make this possible. By any chance, would it be possible to filter binary code into a parsable markup language to filter for any exploits or do we still have a long ways to go and need to consider MONO? But I still degress, the user-land tools and their common-practice installation without fine-grained permissions is what kills many secure systems. All someone needs to do to exploit a system is telnet or ssh with a valid account name and password and the intruder has all the options of the system to their disposal. We have User, Group, Other, what else? I am thinking of a hundred security measures possible with dnyamic symbolic linking of userland applications based on user and group permissions, but it looks much too difficult to implement because anything that breaks today's userland software is what determines the life of an operating system. Exception to Microsoft, they can change whatever they want and all the application programmers just release a patch because that's who they chose their "big daddy" to be: Microsoft.
    • But I still degress, the user-land tools and their common-practice installation without fine-grained permissions is what kills many secure systems. All someone needs to do to exploit a system is telnet or ssh with a valid account name and password and the intruder has all the options of the system to their disposal. We have User, Group, Other, what else?

      In vanilla 2.2 and 2.4 kernels, you don't have any additional kernel level controls (not counting filesystem controls, such as ext2/ext3's extended attributes, (chattr +i filename to make filename unchangeable, even by root, for example)) but you are effectively correct. However there are user-level tools you can use, such as libsafe and stackguard that can prevent many common attacks such as generic buffer overflows.

      However there are various patches to the kernel that can provide much more finely tuned control of software. LIDS, GRSecurity, SELinux, and more can allow you to say exactly what a process can or can not do. By creating good rules for the software you need, you can effectively make root no more special than any other user. Only Apache can bind port 80, and no other port. Only ntpd can change the system time - not even root using 'date'. When you create an explicit list of what can do what (easiest by locking everything down and then adding permissions back in where needed) you will have a machine where a piece of software that is compromised only means it can function as it was built to - it has no new functionality it can abuse.

      Now kernel patching is intimidating for many, which keeps them from trying these advanced security measures. However a new infrastructure is under development which can make this much simpler to use. LSM, the Linux Security Module, has been accepted into linux 2.5 kernel, and it allows you to load or unload advanced linux kernel security systems at run time without the need for kernel recompilation. (This requires that an LSM version of the patch exists, which is the case with LIDS, GRSecurity, SELinux and friends.)

      As these are more visible, they will become more mainstream. Debian has an SELinux installer, for example, which can let you boot a very secure version without compiling anything on your own.

      Advanced linux security is here today if you want it.
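
      What the `chattr +i` control mentioned above actually does, as an added example (not from the book or from any commenter here): the FS_IOC_GETFLAGS / FS_IOC_SETFLAGS ioctls behind it, plus a self-check on a constructed scratch file under /tmp. It assumes a Linux host; without CAP_LINUX_IMMUTABLE the set attempt is expected to be refused with EPERM, and on a filesystem without attribute flags with ENOTTY or EOPNOTSUPP.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/fs.h>

/* Query or change the immutable attribute that chattr +i / -i toggles.
 * want < 0: return 1 if the bit is set, 0 if not.  want 0 / 1: clear / set, return 0.
 * -1 with errno on failure: EPERM without CAP_LINUX_IMMUTABLE, ENOTTY or
 * EOPNOTSUPP on a filesystem that has no attribute flags. */
int immutable_flag(const char *path, int want)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int flags = 0, rc = ioctl(fd, FS_IOC_GETFLAGS, &flags);
    if (rc == 0 && want < 0) {
        rc = (flags & FS_IMMUTABLE_FL) ? 1 : 0;
    } else if (rc == 0) {
        flags = want ? (flags | FS_IMMUTABLE_FL) : (flags & ~FS_IMMUTABLE_FL);
        rc = ioctl(fd, FS_IOC_SETFLAGS, &flags);
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Self-check on a constructed scratch file. Returns 0 when the kernel behaves
 * consistently: either the bit goes on and then blocks unlink (even for root),
 * or setting it is refused for lack of privilege or filesystem support. */
int immutable_self_test(void)
{
    char path[] = "/tmp/immutable-demo-XXXXXX";
    int fd = mkstemp(path), result;
    if (fd < 0)
        return 1;
    close(fd);
    if (immutable_flag(path, 1) == 0) {
        result = (immutable_flag(path, -1) == 1 && unlink(path) < 0 && errno == EPERM) ? 0 : 2;
        immutable_flag(path, 0);   /* clear the bit so the scratch file can be removed */
    } else {
        result = (errno == EPERM || errno == ENOTTY || errno == EOPNOTSUPP
                  || errno == ENOSYS || errno == EINVAL) ? 0 : 3;
    }
    unlink(path);
    return result;
}
```

Run it as root on an ext2/ext3 file and the unlink inside the self-check fails with EPERM until the bit is cleared again; as an ordinary user the set attempt itself is refused.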

  • "The Real World Linux Security cover features Cerberus, the three headed dog that safeguarded the entrance to Hades. Hades is an underground place from Greek mythology where deceased people ended up."

    Please correct me if I'm wrong but I believe that Cerberus is the Latin spelling and Kerberos (the security framework we all know and love... or not) is the Greek spelling.

    It's very appropriate that a beast that guards something is an icon for security, and at the same time ironic that what it's guarding (one's network) is "where deceased people ended up". I know /.'ers have particular attitudes about their users, but give me a break!

    • I'll guarantee the Greeks did not spell it Kerberos, since they didn't use those letters much at all. I can't include the Greek letters in the post (or at least don't know how).

      Cerberus is a Latin transliteration, rather than a "spelling" since you cannot spell a Greek word without the Greek letters. We transliterate it as Kerberos because our pronunciation of the letter C would tend towards a soft pronunciation if we spelled it like the Romans. Their letter C was always hard. Similar with the o or u.

      Since a lot of our literature is from the Romans, the Latin spelling has persisted, and as with many Latin words, we have changed the pronunciation and often say SERberous when we see "Cerberus".

      However, neither Cerberos nor Kerberos are more Greek than the other. It is still the Greek Mythological three headed dog protector of Hades.

      -Jacob
  • To begin with, I got a lot of useful information out of this book. Bob Toxen knows his stuff, and he does a reasonable, if not superb, job of explaining it.

    However...

    Had it been on any other subject, I probably would have put it away and gone looking for a better book not long after buying it. The only reason it was as useful as it was to me was that at the time, it was the only Linux-specific security book I could find. While there is good information, it is incredibly badly organized. The various tips seem to be haphazardly scattered around the book rather than carefully organized into any coherent scheme; and what's worse, it's redundant. Badly redundant. As I recall, many passages and some paragraphs are repeated word-for-word at different places in the book. Security issues are sometimes covered twice over in different parts of the book, artificially inflating the content. Toxen also comes across as someone who thinks of himself as a real bad-ass cowboy of the UNIX world, which contrasts poorly with the professional, occasionally wry tone of the classic O'Reilly UNIX books to which this book must naturally be compared.

    Basically, the first edition was a good collection of tips and tricks, although no more so than your typical top-tier UNIX security website offers. What it badly needed was the hand of a competent editor to clean up the writing and the organization. Hopefully this second edition received such a treatment.
  • I just thought I would mention that this book will likely be on Oreilly Safari [oreilly.com] since the Rev. 1 is already there [oreilly.com]. I'm a big fan of Safari since I: rarely read a tech book cover to cover, I have a shelf of outdated tech books and I like their search features. [disclaimer] I have no affiliation with Oreilly Safari other than I subscribe to the service [/disclaimer]
  • Good Book, But... I Think Some Of Us Are Still Waiting For The Hackers Bible "part2" Some call it the new hackers testament... That And A New Version Of Project Blue Book Unedited -Right?...

"What man has done, man can aspire to do." -- Jerry Pournelle, about space flight

Working...