Building Secure Servers with Linux
Michael D Bauer
Published by O'Reilly and Associates
ISBN: 0-596-00217-3
448 pages
£31.95
Published: 1st November 2002
Reviewed by Mike Smith in the June 2003 issue

The books I got to review for this newsletter have turned out to be rather a good bunch. Interestingly, this one has some similarities with the Linux Server Hacks book, which you should find reviewed nearby. Subjects like SSH, securing mail and DNS services, tunneling, and Tripwire are covered in both books. As you would expect, the other book has some brief tips on these subjects whilst this one covers them in more detail - a sort of half-way house. Of course much more detail on some of these things is covered in their own O'Reilly titles (DNS, Sendmail etc.) - but the emphasis here is on security, naturally. Hang on, I'm getting a little ahead of myself here - let's get back to the beginning.

We start off with a discussion on modelling threats and performing risk assessments. This is quite interesting - we're not jumping straight into configuration parameters, but starting from the beginning - and that's a very good place to start too. Thankfully, it's not a long chapter, but it is important to understand the context of security threats when building not only servers, but designing solution architectures.

And that's precisely where we go next - network design. I (like many readers I suspect) have been used to multi-layer, multi-security-zone Internet designs for years now, but when you're new to them it may not be immediately apparent why we do things like we do. I remember my management saying that you'd never design such a complex mess (as they usually turn out to be) ... but actually there are reasons for it. It is unfortunate, as we do end up with more complex routing designs, firewall rulesets and higher management overheads - but that's just the way it has to be.

Right, so we've covered firewalls as part of that - quite a bit on iptables (we're on Linux, of course) but there is some detail on CheckPoint and other commercial solutions too. Then there's some info on hardening Linux servers. Good advice all round.

A little test: what do you do once you've set up a secure environment then?

Test it, of course. In this text we look at nmap and Nessus. (I remember the days when I was playing with SATAN - we haven't really come on very far, have we?) I don't think it's mentioned, but when you actually have to prove you've set up a secure environment, you do generally have to go to an external approved organisation. For Government, you need CLAS certified consultants to do this from the likes of Portcullis or Insight (see the CESG website for details). Security in this space is very regimented - has to be - so writing official documentation such as an "ADS" is essential too.

Next up - remote management. SSH. 'nough said. (Well, there is more, but you know it already.)

Finally, the book covers securing services like DNS and Mail, as I started out by saying. For DNS, it looks at running it in a chroot environment. It also looks at the main alternative, djbdns, but says nothing on nsd.

For mail, there's quite a discussion on whether to Sendmail or not! This guy is a Postfix fan, but does also mention qmail and Exim. He obviously doesn't want to upset anyone, and recognises that Sendmail is the most prevalent MTA, so this is covered in most detail.

Next up is Apache and ftp (ProFTP, of course), and we're done on services. Finally some aspects of monitoring and system management are covered. In terms of monitoring, we're just looking at logs really. Then there's a bit on IDS - Tripwire and Snort. This is perhaps a bit light. I've been looking at tools in this area and there's some good stuff about (not necessarily Linux based though, and commercial too). If you're interested, have a look at the products from Mazu and Netforensics, for example.

Stuff missing? Hmm. There's no mention of threats in protocols such as BGP, OSPF etc. ... though to be fair you don't usually run BGP on Linux boxes in production environments (I think). Didn't notice anything about UML - a big step up from chroot. Or LIDS. Or the "secure" distributions (SELinux etc.).

Anyway, it's another thumbs up from me. Perhaps I just like reading this stuff. Sad man.

Page last modified 03 Apr 2007
Copyright © 1995-2011 UKUUG Ltd.