This book fully covers the ground in securing a Linux system. Hardening Linux by James Turnbull (who also authored Pro Nagios 2.0) packs all you need to know about getting a Linux system secured into a single five-hundred-page volume. Turnbull takes the reader in a fast-paced but very comprehensive fashion through the arduous tasks of closing up the open holes in a Red Hat- or Debian-based Linux distribution, and he covers all the major topics, including unlikely candidates such as the virtual terminals on the console, immutable files and capabilities, system logging, rootkits, and penetration detection and recovery.

After reading up on the basics, which include users & passwords, Pluggable Authentication Modules (PAM), and information on hardening the Linux kernel and the boot loaders, the reader gets an excellent introduction to firewalling with iptables, with a whole firewall script for a bastion host in the appendix. That is followed by a full chapter devoted to securing connections with SSL/TLS and remote administration with ssh. Chapter four is dedicated to securing files and file systems, and includes a section on encrypted file systems to safekeep your data, as well as a walk-through of Tripwire. That is followed by a comprehensive look at logging with syslog and syslog-ng, and this chapter includes a discussion of, and tools for, log analysis and correlation. NMAP, Nessus and network sniffers make up the bulk of the security testing tools with which Turnbull rightly suggests we check our work after having hardened the basic system. These are covered in forty pages.

Although Mr. Turnbull recommends Postfix, he covers both that and Sendmail, carefully noting that he doesn't want to contribute to the "my mail server is better than yours" wars. Over more than fifty pages, the two mail transport agents (MTAs) are given careful consideration as to making them as secure as possible. In a further chapter aptly titled Authenticating and Securing Your Mail, the author covers SSL/TLS certificate generation with OpenSSL as well as SMTP authentication (SMTP AUTH) with Cyrus SASL, for both flavors of mail server. As far as access to mail is concerned, the Cyrus IMAP server is well documented in chapter nine, and the last two chapters guide the reader through securing FTP servers as well as the BIND name server.

Every person responsible for installing a Linux server must read this book! There is of course also detailed information to be gathered from dedicated books which cover the individual subsystems (such as those for DNS & BIND, OpenSSH, etc.), but I strongly encourage every system administrator to have a copy of this excellent book on his or her desk.

Mail, Internet, Books, Linux, IMAP, SSH, and DNS :: 21 Aug 2006 :: e-mail
