This book fully covers the ground in securing a Linux system. Hardening
Linux by James Turnbull (who also authored Pro Nagios 2.0) packs all
you need to know about getting a Linux system secured into a single
five-hundred-page volume. Turnbull takes the reader in a fast-paced but very
comprehensive fashion through the arduous tasks of closing up the open holes
in a Red Hat- or Debian-based Linux distribution, and he covers all major
topics, including unlikely candidates such as the virtual terminals on the
console, immutable files and capabilities, system logging, rootkits, and
penetration detection and recovery.

After reading up on the basics, which
include users and passwords, Pluggable Authentication Modules (PAM), and
information on hardening the Linux kernel and the boot loaders, the reader
gets an excellent introduction to firewalling with iptables, with a complete
firewall script for a bastion host in the appendix. That is followed by a full
chapter devoted to securing connections with SSL/TLS and remote administration
with SSH. Chapter four is dedicated to securing files and file
systems, and includes a section on encrypted file systems to safeguard your
data, as well as a walk-through of Tripwire. That is followed by a
comprehensive look at logging with syslog and syslog-ng; this chapter also
includes a discussion of, and tools for, log analysis and correlation.

NMAP,
Nessus and network sniffers make up the bulk of the security testing tools
with which Turnbull rightly suggests we check our work after having hardened
the basic system. These are covered in forty pages. Although Mr. Turnbull
recommends Postfix, he covers both that and Sendmail, carefully noting
that he doesn't want to contribute to the "my mail server is better than
yours" wars. Over more than fifty pages, the two mail transport agents (MTAs) are
given careful consideration as to making them as secure as possible. In a
further chapter aptly titled Authenticating and Securing Your Mail, the
author covers SSL/TLS certificate generation with OpenSSL as well as SMTP
authentication (SMTP AUTH) with Cyrus SASL, for both flavors of mail server.
As far as access to mail is concerned, the Cyrus IMAP server is well
documented in chapter nine, and the last two chapters guide the reader through
securing FTP servers as well as the BIND name server.

Every person responsible
for installing a Linux server must read this book! There is of course also
detailed information to be gathered from dedicated books which cover the
individual subsystems (such as those for DNS and BIND, OpenSSH, etc.),
but I strongly encourage every system administrator to have a copy of this
excellent book on his or her desk.