Securing Linux: Step by Step

Author: Lee E. Brotzman, David A. Ranch, and a cast of 46
Publisher: The SANS Institute
ISBN: 0-9672992-0-9
Price: $49.00 US single copy; see web page for other options
Reviewer: Charles Curley
The subtitle says it all: “A Survival Guide for Linux Security”.
This book is the result of an iterative process of consulting with experts in the field of computer and network security. The list of contributors includes staff at well-known organizations like the Computer Emergency Response Team (CERT) and the U.S. Census Bureau, so it is more than just the two main authors' expertise—it is a collaborative effort of 48 experts.
It is not simply a theoretical book on computer security. First, it details only one Linux distribution, Red Hat 6.0. Users of other distributions will be able to use the book as well, but they will need to fudge things according to the differences between their distribution and Red Hat 6.0. Users of Mandrake 6.x should have no problem; users of Slackware will have to adjust a lot of the information on system startup. Debian users will probably find themselves scrambling to map all the RPM package names to Debian package equivalents.
Second, it is a step-by-step walk through the process. The authors don't simply say, “remove package foo”; they walk the reader through the process of removing package foo, with the complete command-line and system response for each command. It may be only one or two steps, but they are there to show you exactly what to type on the command line and what response to expect from the system.
The book is entirely command-line-oriented. This is good, in that the authors can show exactly what to do in each step. It also means you get to do a lot of typing and careful checking of your command lines. If you aren't already familiar with Bash's tab completion, now is a good time to read up on it in the man page.
Theory is minimal in this book. There is usually a brief discussion of each group of command-line steps. Then the steps to carry out are shown, interspersed with useful commentary.
The book is organized in a logical manner, starting with step one on security policies, the physical security of the computer, and a pre-installation check of the BIOS's security-related features (e.g., turn off the ability to boot from floppy). Each step is divided into sub-steps, so you can easily find an appropriate sub-step for any aspect of security.
Step two, which would be chapter two in any other book, deals with the installation of Linux. The authors cover pre-installation security, where they point out that (for example) an FTP installation from a public server on the Internet could leave your computer compromised before the installation is complete. Similarly, they discuss the security implications of partitioning.
It's no surprise that the authors prefer the custom installation of Red Hat over either workstation or server. Their motto is “When in doubt, leave it out”, an excellent motto. If it isn't there, it can't be cracked. The installation step continues with password setup and some recommendations such as creating a boot diskette. The book then shows how to set system access policies and configure logging.
The next two chapters (excuse me—steps) are about securing a workstation on a network and a server on a network. The server step includes instructions for installing Secure SHell (SSH) tools, which are far more secure than the “r” analogs (rlogin, rsh, etc.), ftp or telnet. Other substeps show how to set up DNS, electronic mail and several other services. The documentation on securing Apache includes password protection and adding mod_ssl to your Apache dæmon.
The process of securing a workstation includes disabling and removing a number of standard dæmons, or limiting access to those dæmons.
Step five deals with system tuning and packet firewalls. It gives a brief introduction to IPCHAINS, and shows how to make, install and test a strong ruleset.
Step six points the reader toward a number of tools for network security, such as the (in)famous SATAN and its descendants.
Appendix A has an excellent bibliography of Linux security resources on the Internet. Appendix B is the stock Red Hat 6.0 /etc/inetd.conf. Appendix C is a System V-style startup script for ssh, which fills a gap in at least two of the ssh products out there. Appendix D is a 20-page script for a strong firewall IPCHAINS ruleset, adapted for the book from David Ranch's highly respected TrinityOS.
Appendix E is a script to modify the permissions of a number of system utilities. The authors recommend you run it every time you install Linux. It is worth studying to see how insecure the authors find Linux to be.
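As an added illustration of the idea behind Appendix E (this is not the book's script, and the allowlist, the file names and the directory layout below are assumptions made here for demonstration), a POSIX shell audit that lists setuid/setgid files under a tree and strips those bits from any binary not explicitly allowed, run against a constructed temporary tree rather than a real /bin:

```shell
#!/bin/sh
# Added example, not the book's Appendix E script.  Audits setuid/setgid
# files under a directory tree and clears the bits from any file whose
# basename is not listed in an allowlist file (one name per line).
set -u

# find_suid TREE: print setuid or setgid regular files under TREE, one per line.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# strip_suid TREE ALLOWFILE: for every setuid/setgid file under TREE whose
# basename is not in ALLOWFILE, clear u+s and g+s.  Prints each modified path.
strip_suid() {
    tree=$1
    allow=$2
    find_suid "$tree" | while IFS= read -r f; do
        # exact, whole-line, fixed-string match against the allowlist
        if grep -qxF "$(basename "$f")" "$allow"; then
            continue
        fi
        chmod u-s,g-s "$f"
        echo "$f"
    done
}

# demo_tree: build a constructed tree (names are assumptions, not a real
# system) with three privileged stubs and one ordinary file, plus an
# allowlist that keeps only "su".  Prints the tree's path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf '#!/bin/sh\n' > "$d/bin/su";   chmod 4755 "$d/bin/su"
    printf '#!/bin/sh\n' > "$d/bin/ping"; chmod 4755 "$d/bin/ping"
    printf '#!/bin/sh\n' > "$d/bin/wall"; chmod 2755 "$d/bin/wall"
    printf '#!/bin/sh\n' > "$d/bin/ls";   chmod 755  "$d/bin/ls"
    printf 'su\n' > "$d/allow.txt"
    echo "$d"
}

# Usage: D=$(demo_tree); find_suid "$D"; strip_suid "$D" "$D/allow.txt"; find_suid "$D"
```

Running it on the constructed tree, the first listing shows su, ping and wall; after strip_suid only su retains its bit. On a real system, run find_suid first and review the list before deciding on the allowlist, since the same run-every-install advice the authors give for their script only makes sense once you know which privileged binaries your services actually need.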
The book is printed in an unusual format. It is spiral-bound, standard (North American) letter-size paper. The unusual part is that it is printed in landscape layout. The result is you see the book as a 17 x 11-inch sheet of paper, with the binding across the middle. This makes it possible to have a lot of information in front of you while working at the keyboard. There is plenty of white space for your notes. The effect was a bit disconcerting at first, but I found it easy to work with and rather like it.
The steps are well-written, and I was able to walk through several of the sub-steps. The only problems I had were caused by other problems in the system, ones outside the scope of the book. I was able to install ssh, for example, in minutes because the steps in this book are better than the README file that came with one of the distributions I tried.
One thing to keep in mind: while the book is a set of step-by-step instructions, you will have to remain alert to your own situation and local needs.
At first, I thought the scripts, especially the 20-page IPCHAINS ruleset, were not available on the Net. Well, I am glad to report that they are. The URL is carefully hidden away at the beginning of Appendix A, which is not where the reader looking for, say, Appendix D is going to look.
I recommend this book to professionals in the field. If you are on the Internet with a firewall or any sort of server, you should read it and take the steps appropriate to your situation. As you do, check off each step completed so that you have a permanent record of how you have customized your firewall.
Charles Curley (ccurley@trib.com) lives in Wyoming, where he rides horses and herds cattle, cats and electrons. Only the last of those pays well, so he also writes documentation for a small software company headquartered in Redmond, Washington.