Best Linux Security Books? 33
RyuMaou asks: "I'm about to move a small company from an old, ailing Windows server to some flavor of Linux and I want to make sure they're proprietary information is safe. Here's the problem: I've only run Linux as an application server, behind the firewall, in a Novell environment. Time is short and I have limited resources and want to read at least one really great book on Linux security, then follow that up with some good reinforcement. I know the information is mostly available on the Internet for free, but I like reading actual books, not printouts. So, if you had to pick five books, or fewer, on Linux security, what would you read?"
Re:roffle (Score:1)
There, Their, They're (Score:1, Offtopic)
There - "There is something wrong with the grammar in the story."
Their - "It's their problem they don't know any better."
They're - "They're going to go down to the pub after installing Linux."
Re:There, Their, They're (Score:1, Troll)
Re:There, Their, They're (Score:1)
Re:There, Their, They're (Score:1)
But, to be honest, I'm terribly embarassed by that mistake. I suppose that's what I get for submitting stories late at night, past my bedtime!
Scary (Score:4, Insightful)
Why are you moving the server to a platform you are not familiar enough with? Because you have used it in an unrelated application? Is there something wrong with the Windows server (besides being old and the typical Windows bashing?)
I'm all for trying things out but is it right to do this with a clients "proprietary" data? What is your backup plan? Will the server store the information as well as act as the firewall? Why Linux and not a flavor of BSD?
After all of that, whlie a book may feel nice - you will get much better and more up to date information on the 'net.
Clearly (Score:1, Troll)
Right?
Oh dear.
Re:Scary (Score:1)
I'm not moving to Linux "just because". I'm moving to Linux because the boss wants to do it and currently they run Windows NT on a dying server. I've worked with Linux, primarily as an application server as opposed to a file server, for about four years and I've worked with other flavors of Unix as an operator. I was primarily concerned with properly securing the fileserver, being able to m
Dude, get with the times (Score:1, Funny)
The current slashbot cheer is "use Ubuntu!"
Example usage:
You're on the right track, though. This article had absolutely nothing to do with distribution selection and yet you felt compelled to get out your pom-poms and cheer for the flavor of the month. The only thing you did wrong was select last month's flavor.
Kudos to you, slashbot. Keep reaching for that rain
Re:Dude, get with the times (Score:1)
You're a guy who sits around reading
Does it have to be Linux? (Score:5, Informative)
Why not use OpenBSD? I might recomend using Absolute OpenBSD [amazon.com], Secure Architectures with OpenBSD [amazon.com], and Building Firewalls with OpenBSD and PF [amazon.com]. Of course the OpenBSD man pages are superb. You also have access to CARP (rather an implementation that works as expected), plus you get the benefit of not having to update very often (I've only had to patch SSH and FTPD in the last 2 or 3 years).
[1]Shorewall does make this easier though.
Re:Does it have to be Linux? (Score:2)
Is there a way to make it behave more like GNU man ?
doh.. (Score:2)
export MANPAGER=less
much better!
Re:Does it have to be Linux? (Score:4, Insightful)
1. Install distribution
2. Comment out all services running via
3. For services you want running, determine which ones are only needed by the machine actually running the services and research how to get them listening on 127.0.0.1 only. Implement. smtp is usually the one I do this for so I can send emails but don't have to worry about external abuse.
4. determine your default runlevel by opening "/etc/inittab" and looking for a line like "id:n:initdefault:". The number is your default runlevel.
5. run netstat -tunap to get a list of services listening on the machine. Browse
6. Open
7. install logcheck/some kind of log auditing software that can email you hourly errors/warnings.
8. forward root's email via
Patch if needed. Subscribe to distribution security mailing list, subscribe to bugtraq, check for new patches every week via distribution's upgrade/patching tool, if a patch is not available for a particular vulnerability, think of ways to survive if server is compromised.
Partially there. Now just need some nice slashdotter to confirm I am on the right track, correct me where I am wrong and offer other options or a book that continues beyond this.
Re: (Score:1)
Real World Linux Security (Score:5, Informative)
Get a good overview (Score:4, Informative)
I'm a huge advocate of McKusick's Kernel Internals course [mckusick.com]. It's essential for anyone serious about understanding the core components of the OS. The videos are like a grand, but you can find it free in a lot of libraries, or you might be lucky to catch a copy on half.com.
My bookshelf... (Score:3, Informative)
It's really only slightly dated, and I have no idea if an updated version is available, but it's a good start.
Re:My bookshelf... (Score:2, Interesting)
I would take `jimpop' advice and go with Bob Toxen's "Real World Linux Security" if you must have a linux book. Besides he is a really nice guy.
Maximum Linux Security was written by anonymous author(s) who couldn't be bothered to sign there name to their work.
Your best bet is to grab "Absolute OpenBSD: UNIX for the Practical Paran
Try looking at Benchmarks (Score:5, Informative)
Try these for starters:
Center for Internet Security
http://www.cisecurity.org/ [cisecurity.org]
SANS Step-By-Step Guides
https://store.sans.org/store_category.php?categor
Both will provide you with a checklist to secure your systems, and although neither will be "all inclusive" they will give you a foundation to build your security program on.
In large enterprises subject to regulatory oversight and external auditing they use these as a starting point.
Hope this helps,
Jim Robinson Jr., CISSP
Re:Try looking at Benchmarks (Score:1)
Thank you!
SELinux (Score:5, Informative)
Re:SELinux (Score:2)
The book's good for a grounding in the theory of SELinux and MAC, but as far as implementation specifics it's a bit expired. Unfortunately, there aren't any other SELinux books that are more up-to-date.
Negative suggestion (Score:1)
Books? (Score:2)
The first step towards security is to reduce the services and access to only what you need and what you understand. If you see the service in.inetd, and have no clue what it does, or what needs it, kill it.
The second step is to read peoples experiences on how they got hacked and what did they do wrong. Skim over cert advisories.
Lastly keep the system patched up depending on the OS. Windows should be automatically updated between 10pm and 7am, dont make all machines DDOS yo
Not a replacement for a book... (Score:3, Informative)
Simple rules (Score:3, Informative)
2) Stop and Disable network servers that you do not need right now (e.g. chkconfig --del)
3) Restrict access to the rest using built in ACLs, tcp_wrappers (i.e. hosts.allow/hosts.deny) and/or iptables/netfilter.
4) Set strong passwords where applicable.
5) Keep patched up-to-date.
6) If your distribution includes SELinux, consider enabling it. Test thoroughly before moving to production status.
7) Perform regular backups.
8) Test your backups and your backup hardware.
9) Monitor log files.
To do anything more than that requires fairly extreme justification, and will increase costs due to administrative overhead. Doing the above will probably render your site a less attractive target than 90-something percent of sites. If you and a friend are running away from a tiger, you don't need to outrun the tiger - just your friend. :-)
My recommendation (Score:2)
Linux System Security - The Administrator's Guide to Open Source Security Tools [amazon.com]
I am very pleased with this book... and just check out the (5 star average) reviews on Amazon above.