The big reason why I purchased this book was because it claimed it was great about security and it said it would show how to setup these services the correct way.

Well first of all this author loves to use the binary packages (RPMs, etc.). And anyone that is a major security buff knows that the RPMs are the last things to get updated when a flaw is found out.

Secondly that's all the user shows for the installation of most of the software is how to do it with a binary distribution. So unless you are using Suse, Redhat, Fedora it is quite useless. This book should indicate that it made for those distributions and it is not general "Linux".



Also his views on running some of the software is really off the wall. But that is just a personal preference I guess.



Overall if he would have used the regular "./configure ---comands", "make", "make install" this book would have been much better and it would have been able to be used for those that don't want to be stuck in "rpm hell".

The big reason why I purchased this book was because it claimed it was great about security and it said it would show how to setup these services the correct way.
Well first of all this author loves to use the binary packages (RPMs, etc.). And anyone that is a major security buff knows that the RPMs are the last things to get updated when a flaw is found out.
Secondly that's all the user shows for the installation of most of the software is how to do it with a binary distribution. So unless you are using Suse, Redhat, Fedora it is quite useless. This book should indicate that it made for those distributions and it is not general "Linux".

Also his views on running some of the software is really off the wall. But that is just a personal preference I guess.

Overall if he would have used the regular "./configure ---comands", "make", "make install" this book would have been much better and it would have been able to be used for those that don't want to be stuck in "rpm hell".

The big reason why I purchased this book was because it claimed it was great about security and it said it would show how to setup these services the correct way.
Well first of all this author loves to use the binary packages (RPMs, etc.). And anyone that is a major security buff knows that the RPMs are the last things to get updated when a flaw is found out.
Secondly that's all the user shows for the installation of most of the software is how to do it with a binary distribution. So unless you are using Suse, Redhat, Fedora it is quite useless. This book should indicate that it made for those distributions and it is not general "Linux".

Also his views on running some of the software is really off the wall. But that is just a personal preference I guess.

Overall if he would have used the regular "./configure ---comands", "make", "make install" this book would have been much better and it would have been able to be used for those that don't want to be stuck in "rpm hell".

I read every column of paranoid penguin and they are quite good. This book is ok, but not great. They (I mean they because several chapters are not by Mike) try to cover a huge amount of information and make the mistake of being both too broad in some areas and too specific in others. Overall, there wasn't a cohesive glue to bring the chapters together into a single vision.

For instance, for a book that introduces FTP servers, web servers, mail (imap/smtp), dns - they are like separate entities. They do not complete the picture by showing a complete network diagram with IDS / VPN, -- showing an example of all of their advice coming together in a working solution. And Kerberos isn't even mentioned.

They were extremely specific in some areas like talking about rpm example/debian/ make options and specific .conf options ad nauseum - which detracted from the whole picture. Is someone securing bind 4 really reading this book? Also, maybe a mention of apt-get - - but don't tell me how to install each package on every architecture - it just inflates the word count.

I don't think this book was focused enough in the 'big picture' of trying to piece together all of the tiny pieces into a coherant whole, while at the same time it gets cought up in the minute details of certain packages making for a tough read.

Perhaps they could have included an actual example company or two showing possible layouts of ldap in action with:
login/mail/split-dns/firewalls/database$web.

Anyone for OpenBSD?

Linux Server Security, Second Edition
By Michael D. Bauer
Second Edition January 2005
ISBN: 0-596-00670-5
544 pages, $44.95 US
(...)
This book goes along with the moving trend of the normal computer user, securing your data. Servers generally are targeted more often than the average home PC because most are made to be accessible from the outside world. This is where securing that server comes into play. This book covers the tools and techniques to securing your Bastion host.

First I'd like to start out and explain what Bastion host means as according this book so you can understand what this book covers more specifically. Bastion Host is defined as "A system that runs publicly accessible services but is usually not itself a firewall. Bastion hosts are what we put on DMZ (although they can be put anywhere). The term implies that a certain amount of system hardening has been done, but sadly, this is not always the case."

After you understand what a Bastion host is defined as, you should understand that this book mainly covers these server daemons and the systems that run them. But some of the information applies to a Linux desktop system such as a per host iptables firewall, using secure shell, keeping up with your logs, and intrusion detection. Most of these things the average user doesn't care much about but sometimes being paranoid comes in handy.

Someone who would most likely use this book more than the average desktop user would probaly be a system administrator. Securing web, database, ftp, dns, and email servers is what majority of this book contains. Along with covering these server systems, there are guides to securing the Linux system that runs these daemons along with designing the networks around these types of hosts.

One of the sections I'm most fond of is Chapter 2: Designing Perimeter Networks. With this section you can really take a look at the design and layout of the different types of networks and figure out the portions that suit your needs for your own network. The diagrams shown in this chapter help explain what is going on with the traffic and allows you to see exactly what is going on and at what points the systems are protected.

At the end of the book there are 2 well commented iptables firewall scripted that allow you to get a feel for the netfilter iptables system if you're not familiar with it already. With some modification of these scripts you can easily bring them into a working environment depending on your situation, which sometimes these helps with some of the frustration with the iptables syntax. I personally prefer the PF system within OpenBSD for it's clean syntax and have grown away from iptables, but both are powerful firewall systems and should fit the needs of your network.

I'd definitely recommend this book to system admins or anyone who is paranoid about their security. Security is always something that people should be educated about.

Lloyd Randall
Pensacola Linux User's Group

Linux Server Security, Second Edition
By Michael D. Bauer
Second Edition January 2005
ISBN: 0-596-00670-5
544 pages, $44.95 US
(...)
This book goes along with the moving trend of the normal computer user, securing your data. Servers generally are targeted more often than the average home PC because most are made to be accessible from the outside world. This is where securing that server comes into play. This book covers the tools and techniques to securing your Bastion host.

First I'd like to start out and explain what Bastion host means as according this book so you can understand what this book covers more specifically. Bastion Host is defined as "A system that runs publicly accessible services but is usually not itself a firewall. Bastion hosts are what we put on DMZ (although they can be put anywhere). The term implies that a certain amount of system hardening has been done, but sadly, this is not always the case."

After you understand what a Bastion host is defined as, you should understand that this book mainly covers these server daemons and the systems that run them. But some of the information applies to a Linux desktop system such as a per host iptables firewall, using secure shell, keeping up with your logs, and intrusion detection. Most of these things the average user doesn't care much about but sometimes being paranoid comes in handy.

Someone who would most likely use this book more than the average desktop user would probaly be a system administrator. Securing web, database, ftp, dns, and email servers is what majority of this book contains. Along with covering these server systems, there are guides to securing the Linux system that runs these daemons along with designing the networks around these types of hosts.

One of the sections I'm most fond of is Chapter 2: Designing Perimeter Networks. With this section you can really take a look at the design and layout of the different types of networks and figure out the portions that suit your needs for your own network. The diagrams shown in this chapter help explain what is going on with the traffic and allows you to see exactly what is going on and at what points the systems are protected.

At the end of the book there are 2 well commented iptables firewall scripted that allow you to get a feel for the netfilter iptables system if you're not familiar with it already. With some modification of these scripts you can easily bring them into a working environment depending on your situation, which sometimes these helps with some of the frustration with the iptables syntax. I personally prefer the PF system within OpenBSD for it's clean syntax and have grown away from iptables, but both are powerful firewall systems and should fit the needs of your network.

I'd definitely recommend this book to system admins or anyone who is paranoid about their security. Security is always something that people should be educated about.

Lloyd Randall
Pensacola Linux User's Group

I highly recommend this book to anyone who is involved with securing Internet servers. The book strikes a nice balance between theoretical background and implementation examples.

Though certainly not all encompassing, the book touches on several key elements of server security, including DNS, Email, File Servers, Web Services, IDS methods and more. People new or just curious about Linux server security will gain the most. More experienced system administrators will find a few implementation tips and useful background information for presentation or training purposes.

Unlike many server security books, this one includes some notes on alternatives to the most popular software packages. For example, the chapter on securing Internet email includes excellent tips on securing both Sendmail and Postfix while the IDS chapter covers the popular Tripwire package and some lesser-known integrity checkers. References and the end of each chapter are provided to point you to even more solutions.

This book certainly will not replace a dedicated reference volume, but I find it to be a good summary of major security practices for bastion hosts. Note that the book focuses primarily on host hardening. Though there are some sections on network security, most of the chapters focus on locking down your server. So if you are mainly interested in network clusters, network surveillance, or honeypots, you will probably want to find another reference. Also, if you have several years of experience, you may not find too much new information, but the book is a handy reference volume that can point you in the right direction. If, however, you are new to Linux server security or just simply want a concise summary of common security practices, then this will be a welcomed addition to your technical library.

I highly recommend this book to anyone who is involved with securing Internet servers. The book strikes a nice balance between theoretical background and implementation examples.

Though certainly not all encompassing, the book touches on several key elements of server security, including DNS, Email, File Servers, Web Services, IDS methods and more. People new or just curious about Linux server security will gain the most. More experienced system administrators will find a few implementation tips and useful background information for presentation or training purposes.

Unlike many server security books, this one includes some notes on alternatives to the most popular software packages. For example, the chapter on securing Internet email includes excellent tips on securing both Sendmail and Postfix while the IDS chapter covers the popular Tripwire package and some lesser-known integrity checkers. References and the end of each chapter are provided to point you to even more solutions.

This book certainly will not replace a dedicated reference volume, but I find it to be a good summary of major security practices for bastion hosts. Note that the book focuses primarily on host hardening. Though there are some sections on network security, most of the chapters focus on locking down your server. So if you are mainly interested in network clusters, network surveillance, or honeypots, you will probably want to find another reference. Also, if you have several years of experience, you may not find too much new information, but the book is a handy reference volume that can point you in the right direction. If, however, you are new to Linux server security or just simply want a concise summary of common security practices, then this will be a welcomed addition to your technical library.

I am quite happy that there are books like Linux Server Security.

A lot of people think Linux is bullet proof, but its not. If not configured correctly, it can be just as insecure as Windows.

Linux Server Security is an important and timely book in that it shows how to harden Linux to be very secure.

The book plays to linux's strengths on server side computing. Where the server controls a subnet of computers that depend on it to connect them to the Internet, or for other resources. Bauer emphasises throughout how to secure the server. Starting with a top down risk analysis and a designing of a perimeter network; typically a DMZ. So he carefully suggests what belongs in the DMZ and what belongs behind it.

He deprecates cleartext network communication, in favour of ssh and SSL for remote access. The book has concise explanations of various intrusion detection systems like Nesses and Vlad. Though perhaps if you do decide on using Nessus, you may also want to consult books devoted to it.

Overall, the book is a sobering and cautionary tale of current computing. With the best practices recommended here, you can remain reasonably secure.

The book plays to linux's strengths on server side computing. Where the server controls a subnet of computers that depend on it to connect them to the Internet, or for other resources. Bauer emphasises throughout how to secure the server. Starting with a top down risk analysis and a designing of a perimeter network; typically a DMZ. So he carefully suggests what belongs in the DMZ and what belongs behind it.

He deprecates cleartext network communication, in favour of ssh and SSL for remote access. The book has concise explanations of various intrusion detection systems like Nesses and Vlad. Though perhaps if you do decide on using Nessus, you may also want to consult books devoted to it.

Overall, the book is a sobering and cautionary tale of current computing. With the best practices recommended here, you can remain reasonably secure.

It used to be that Linux was so much safer than Windows because of the sheer number of people out attacking Windows. But now there several reasons for the bad guys to attack Linux:

73 (or so) of the web servers run Linux,
more than that run DNS or mail,
these tend to be powerful boxes with big communications pipes - just what the Spammers need.

As the book says it's futile to expect perfect security unless you turn off the machine, power it down, repeatedly degause its hard drive and pulverize the whole thing into dust. On the other hand, it's not too difficult to do at least a minimal amount of hardening that will dramatically increase the effort required to break into the system.

This book, written by the author of the popular Paranoid Penguin column in Linux Journal covers the general rules. It gives you a broad coverage of the types of attacks you can expect and how to counter them. It does not attempt to cover the problem of the moment, because these are changing so fast that the book would be immediately out of date.

System security is a constant struggle against the dark side of the force. If you haven't been hit yet, you will be.

This is a somewhat high level walkthrough of all Linux related security issues, from basic networking and operating system issues, to web server configuration and scripting language security. At about 500 pages that's a tight squeeze, even for O'Reilly. Some of the coverage suffers, specifically I found the security information on PHP to be very scanty given the popularity of the language and how often web applications that use it are fraught with SQL injection vulnerabilities.

That being said, the writing is excellent, and the coverage that is there, which is at a reasonable level of depth, is solid. In addition, security is something you have to work at, so having an introduction to get you down the road is probably a good idea anyway. I'd like to see the next version have deeper information on web server security, but in the meantime this is a solid walkthrough of Linux security.