Turnbull | Hardening Linux | E-Book | www.sack.de

E-book, English, 584 pages

Turnbull Hardening Linux


1st ed.
ISBN: 978-1-4302-0005-5
Publisher: Apress
Format: PDF
Copy protection: 1 - PDF Watermark




* Imparts good security doctrine, methodology, and strategies.
* Each application-focused chapter can be used as a stand-alone HOW-TO for that particular application.
* Offers users a selection of resources (websites, mailing lists, and books) to further their knowledge.

James Turnbull is the author of five technical books about open source software and a longtime member of the open source community. James authored the first and second books about Puppet, and works for Puppet Labs, running client services. James speaks regularly at conferences including OSCON, Linux.conf.au, FOSDEM, OpenSourceBridge, DevOpsDays and a number of others. He is a past president of Linux Australia, has run Linux.conf.au and serves on the program committee of Linux.conf.au and OSCON. James is Australian but currently lives in Portland, Oregon. His interests include cooking, wine, political theory, photojournalism, philosophy, and most recently the Portland Timbers association football team.



Further Information & Material


Contents
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
Chapter 1: Hardening the Basics
  Installing Your Distribution Securely
    Some Answers to Common Installation Questions
    Install Only What You Need
  Secure Booting, Boot Loaders, and Boot-Time Services
    Securing Your Boot Loader
    Init, Starting Services, and Boot Sequencing
  Consoles, Virtual Terminals, and Login Screens
    Securing the Console
    The Red Hat Console
    Securing Virtual Terminals
    Securing Login Screens
  Users and Groups
    Shadow Passwording
    Groups
    Adding Users
    Adding Groups
    Deleting Unnecessary Users and Groups
    Passwords
    Password Aging
    User Accounting
  Process Accounting
  Pluggable Authentication Modules (PAM)
    PAM Module Stacking
    The PAM “Other” Service
    Restricting su Using PAM
    Setting Limits with PAM
    Restricting Users to Specific Login Times with PAM
  Package Management, File Integrity, and Updating
    Ensuring File Integrity
    Downloading Updates and Patches
  Compilers and Development Tools
    Removing the Compilers and Development Tools
    Restricting the Compilers and Development Tools
  Hardening and Securing Your Kernel
    Getting Your Kernel Source
    The Openwall Project
    Other Kernel-Hardening Options
  Keeping Informed About Security
    Security Sites and Mailing Lists
    Vendor and Distribution Security Sites
  Resources
    Mailing Lists
    Sites
Chapter 2: Firewalling Your Hosts
  So, How Does a Linux Firewall Work?
    Tables
    Chains
    Policies
  Adding Your First Rules
  Choosing Filtering Criteria
  The iptables Command
  Creating a Basic Firewall
  Creating a Firewall for a Bastion Host
  Kernel Modules and Parameters
    Patch-o-Matic
    Kernel Parameters
  Managing iptables and Your Rules
    iptables-save and iptables-restore
    iptables init Scripts
    Testing and Troubleshooting
  Resources
    Mailing Lists
    Sites
    Books
Chapter 3: Securing Connections and Remote Administration
  Public-Key Encryption
    SSL, TLS, and OpenSSL
    Stunnel
    IPSec, VPNs, and Openswan
    inetd and xinetd-Based Connections
  Remote Administration
    ssh-agent and Agent Forwarding
    The sshd Daemon
    Configuring ssh and sshd
    Port Forwarding with OpenSSH
    Forwarding X with OpenSSH
  Resources
    Mailing Lists
    Sites
Chapter 4: Securing Files and File Systems
  Basic File Permissions and File Attributes
    Access Permissions
    Ownership
  Immutable Files
  Capabilities and lcap
  Encrypting Files
  Securely Mounting File Systems
  Securing Removable Devices
  Creating an Encrypted File System
    Installing the Userland Tools
    Enabling the Functionality
    Encrypting a Loop File System
    Unmounting Your Encrypted File System
    Remounting
  Maintaining File Integrity with Tripwire
    Configuring Tripwire
    Explaining Tripwire Policy
  Network File System (NFS)
  Resources
    Mailing Lists
    Sites
    Sites About ACLs
Chapter 5: Understanding Logging and Log Monitoring
  Syslog
    Configuring Syslog
    Starting syslogd and Its Options
  syslog-NG
    Installing and Configuring syslog-NG
    The contrib Directory
    Running and Configuring syslog-NG
    Sample syslog-ng.conf File
    Logging to a Database with syslog-NG
    Secure Logging with syslog-NG
    Testing Logging with logger
  Log Analysis and Correlation
    Installing and Running SEC
    Inputting Messages to SEC
    Building Your SEC Rules
  Log Management and Rotation
  Resources
    Mailing Lists
    Sites
    Books
Chapter 6: Using Tools for Security Testing
  Inner Layer
    Scanning for Exploits and Root Kits
    Testing Your Password Security
    Automated Security Hardening with Bastille Linux
  Outer Layer
    NMAP
    Nessus
  Other Methods of Detecting a Penetration
  Recovering from a Penetration
  Additional Security Tools
    dsniff
    Ethereal
    Ettercap
    LIDS
    Netcat
    SARA
    Snort
    tcpdump
    Titan
  Resources
    Sites
Chapter 7: Securing Your Mail Server
  Which Mail Server to Choose?
  How Is Your Mail Server at Risk?
  Protecting Your Mail Server
    Chrooting a Sendmail SMTP Gateway or Relay
    Chrooting Postfix
  Securing Your SMTP Server
    Obfuscating the MTA Banner and Version
    Disabling Dangerous and Legacy SMTP Commands
    Some Additional Sendmail Privacy Flags
    Sendmail and smrsh
    Writing to Files Safely
    Limiting the Risk of (Distributed) DoS Attacks
  Relaying, Spam, and Viruses
    Relaying
    Antispam
    Antivirus Scanning Your E-mail Server
  Resources
    Mailing Lists
    Sites
Chapter 8: Authenticating and Securing Your Mail
  TLS
    Creating Certificates for TLS
    TLS with Sendmail
    TLS with Postfix
  SMTP AUTH Using Cyrus SASL
    Compiling Cyrus SASL
    Configuring SASL saslauthd
  SMTP AUTH Using Cyrus SASL for Sendmail
    Compiling Cyrus SASL into Sendmail
    Configuring Cyrus SASL for Sendmail
    Using SMTP Server Authentication with Sendmail
    Using SMTP Client Authentication with Sendmail
  SMTP AUTH Using Cyrus SASL for Postfix
    Compiling Cyrus SASL into Postfix
    Configuring Cyrus SASL for Postfix
    Using SMTP Server Authentication with Postfix
    Using SMTP Client Authentication with Postfix
  Testing SMTP AUTH with Outlook Express
  Resources
    Mailing Lists
    Sites
Chapter 9: Hardening Remote Access to E-mail
  IMAP
  POP
  Choosing IMAP or POP Servers
  How Is Your IMAP or POP Server at Risk?
  Cyrus IMAP
    Installing and Compiling Cyrus IMAP
    Installing Cyrus IMAP into a chroot Jail
    Configuring Cyrus IMAP
    Cyrus IMAP Authentication with SASL
    Cyrus IMAP Access Control and Authorization
    Testing Cyrus IMAP with imtest/pop3test
  Fetchmail
    Installing Fetchmail
    Configuring and Running Fetchmail
  Resources
    Mailing Lists
    Sites
Chapter 10: Securing an FTP Server
  How Does FTP Work?
  Firewalling Your FTP Server
  What FTP Server to Use?
  Installing vsftpd
  Configuring vsftpd for Anonymous FTP
    General Configuration
    Mode and Access Rights
    General Security
    Preventing Denial of Service Attacks
  Configuring vsftpd with Local Users
  Adding SSL/TLS Support
  Starting and Stopping vsftpd
  Resources
    Sites
Chapter 11: Hardening DNS and BIND
  Your DNS Server at Risk
    Man-in-the-Middle Attacks
    Cache Poisoning
    Denial of Service Attacks
    Data Corruption and Alteration
    Other Risks
  What DNS Server Should You Choose?
  Secure BIND Design
  Installing BIND
  Chrooting BIND
  Permissions in the chroot Jail
  Starting and Running named
  Configuring BIND
    Access Control Lists
    Logging
    Options
    Views and Zones
    Zones
  TSIG
  The rndc Command
    rndc.conf
    Adding rndc Support to named.conf
    Using rndc
  Resources
    Mailing Lists
    Sites
    Information About Zone Files
    Books
Appendix A: The Bastion Host Firewall Script
Appendix B: BIND Configuration Files
  A Caching Server
  An Authoritative Master Name Server
  A Split DNS Name Server
  A Sample Named init Script
Appendix C: Checkpoints
  Chapter 1
  Chapter 2
  Chapter 3
  Chapter 4
  Chapter 5
  Chapter 6
  Chapter 7
  Chapter 8
  Chapter 9
  Chapter 10
  Chapter 11
Index


