
Linux Server Security PDF

544 Pages·2005·4.273 MB·English

Preview Linux Server Security

LINUX SERVER SECURITY
SECOND EDITION
Michael D. Bauer

Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

Linux Server Security, Second Edition
by Michael D. Bauer

Copyright © 2005, 2003 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 [email protected].

Editor: Andy Oram
Production Editor: Sanders Kleinfeld
Cover Designer: Emma Colby
Interior Designer: Melanie Wang

Printing History:
January 2005: Second Edition, Linux Server Security.
October 2002: First Edition, Building Secure Servers with Linux.

Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Linux Server Security, the image of a caravan, and related trade dress are trademarks of O’Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

ISBN: 0-596-00670-5 [M]

To Felice

Table of Contents

Preface

1. Threat Modeling and Risk Management
   Components of Risk
   Simple Risk Analysis: ALEs
   An Alternative: Attack Trees
   Defenses
   Conclusion
   Resources

2. Designing Perimeter Networks
   Some Terminology
   Types of Firewall and DMZ Architectures
   Deciding What Should Reside on the DMZ
   Allocating Resources in the DMZ
   The Firewall

3. Hardening Linux and Using iptables
   OS Hardening Principles
   Automated Hardening with Bastille Linux

4. Secure Remote Administration
   Why It’s Time to Retire Cleartext Admin Tools
   Secure Shell Background and Basic Use
   Intermediate and Advanced SSH

5. OpenSSL and Stunnel
   Stunnel and OpenSSL: Concepts

6. Securing Domain Name Services (DNS)
   DNS Basics
   DNS Security Principles
   Selecting a DNS Software Package
   Securing BIND
   djbdns
   Resources

7. Using LDAP for Authentication
   LDAP Basics
   Setting Up the Server
   LDAP Database Management
   Conclusions
   Resources

8. Database Security
   Types of Security Problems
   Server Location
   Server Installation
   Database Operation
   Resources

9. Securing Internet Email
   Background: MTA and SMTP Security
   Using SMTP Commands to Troubleshoot and Test SMTP Servers
   Securing Your MTA
   Sendmail
   Postfix
   Mail Delivery Agents
   A Brief Introduction to Email Encryption
   Resources

10. Securing Web Servers
   Web Security
   The Web Server
   Web Content
   Web Applications
   Layers of Defense
   Resources

11. Securing File Services
   FTP Security
   Other File-Sharing Methods
   Resources

12. System Log Management and Monitoring
   syslog
   Syslog-ng
   Testing System Logging with logger
   Managing System Logfiles with logrotate
   Using Swatch for Automated Log Monitoring
   Some Simple Log-Reporting Tools
   Resources

13. Simple Intrusion Detection Techniques
   Principles of Intrusion Detection Systems
   Using Tripwire
   Other Integrity Checkers
   Snort
   Resources

Appendix: Two Complete iptables Startup Scripts

Index
