Linux Security Cookbook
By Daniel J. Barrett, Robert G. Byrnes, Richard Silverman
 
Publisher : O'Reilly
Pub Date : June 2003
ISBN : 0-596-00391-9
Pages : 332


The Linux Security Cookbook includes real solutions to a wide range of targeted problems, such as sending encrypted email within Emacs, restricting access to network services at particular times of day, firewalling a webserver, preventing IP spoofing, setting up key-based SSH authentication, and much more. With over 150 ready-to-use scripts and configuration files, this unique book helps administrators secure their systems without having to look up specific syntax.

   
Copyright
    Preface
      A Cookbook About Security?!?
      Intended Audience
      Roadmap of the Book
      Our Security Philosophy
      Supported Linux Distributions
      Trying the Recipes
      Conventions Used in This Book
      We'd Like to Hear from You
      Acknowledgments
   
    Chapter 1.  System Snapshots with Tripwire
      Recipe 1.1.  Setting Up Tripwire
      Recipe 1.2.  Displaying the Policy and Configuration
      Recipe 1.3.  Modifying the Policy and Configuration
      Recipe 1.4.  Basic Integrity Checking
      Recipe 1.5.  Read-Only Integrity Checking
      Recipe 1.6.  Remote Integrity Checking
      Recipe 1.7.  Ultra-Paranoid Integrity Checking
      Recipe 1.8.  Expensive, Ultra-Paranoid Security Checking
      Recipe 1.9.  Automated Integrity Checking
      Recipe 1.10.  Printing the Latest Tripwire Report
      Recipe 1.11.  Updating the Database
      Recipe 1.12.  Adding Files to the Database
      Recipe 1.13.  Excluding Files from the Database
      Recipe 1.14.  Checking Windows VFAT Filesystems
      Recipe 1.15.  Verifying RPM-Installed Files
      Recipe 1.16.  Integrity Checking with rsync
      Recipe 1.17.  Integrity Checking Manually
   
    Chapter 2.  Firewalls with iptables and ipchains
      Recipe 2.1.  Enabling Source Address Verification
      Recipe 2.2.  Blocking Spoofed Addresses
      Recipe 2.3.  Blocking All Network Traffic
      Recipe 2.4.  Blocking Incoming Traffic
      Recipe 2.5.  Blocking Outgoing Traffic
      Recipe 2.6.  Blocking Incoming Service Requests
      Recipe 2.7.  Blocking Access from a Remote Host
      Recipe 2.8.  Blocking Access to a Remote Host
      Recipe 2.9.  Blocking Outgoing Access to All Web Servers on a Network
      Recipe 2.10.  Blocking Remote Access, but Permitting Local
      Recipe 2.11.  Controlling Access by MAC Address
      Recipe 2.12.  Permitting SSH Access Only
      Recipe 2.13.  Prohibiting Outgoing Telnet Connections
      Recipe 2.14.  Protecting a Dedicated Server
      Recipe 2.15.  Preventing pings
      Recipe 2.16.  Listing Your Firewall Rules
      Recipe 2.17.  Deleting Firewall Rules
      Recipe 2.18.  Inserting Firewall Rules
      Recipe 2.19.  Saving a Firewall Configuration
      Recipe 2.20.  Loading a Firewall Configuration
      Recipe 2.21.  Testing a Firewall Configuration
      Recipe 2.22.  Building Complex Rule Trees
      Recipe 2.23.  Logging Simplified
   
    Chapter 3.  Network Access Control
      Recipe 3.1.  Listing Your Network Interfaces
      Recipe 3.2.  Starting and Stopping the Network Interface
      Recipe 3.3.  Enabling/Disabling a Service (xinetd)
      Recipe 3.4.  Enabling/Disabling a Service (inetd)
      Recipe 3.5.  Adding a New Service (xinetd)
      Recipe 3.6.  Adding a New Service (inetd)
      Recipe 3.7.  Restricting Access by Remote Users
      Recipe 3.8.  Restricting Access by Remote Hosts (xinetd)
      Recipe 3.9.  Restricting Access by Remote Hosts (xinetd with libwrap)
      Recipe 3.10.  Restricting Access by Remote Hosts (xinetd with tcpd)
      Recipe 3.11.  Restricting Access by Remote Hosts (inetd)
      Recipe 3.12.  Restricting Access by Time of Day
      Recipe 3.13.  Restricting Access to an SSH Server by Host
      Recipe 3.14.  Restricting Access to an SSH Server by Account
      Recipe 3.15.  Restricting Services to Specific Filesystem Directories
      Recipe 3.16.  Preventing Denial of Service Attacks
      Recipe 3.17.  Redirecting to Another Socket
      Recipe 3.18.  Logging Access to Your Services
      Recipe 3.19.  Prohibiting root Logins on Terminal Devices
   
    Chapter 4.  Authentication Techniques and Infrastructures
      Recipe 4.1.  Creating a PAM-Aware Application
      Recipe 4.2.  Enforcing Password Strength with PAM
      Recipe 4.3.  Creating Access Control Lists with PAM
      Recipe 4.4.  Validating an SSL Certificate
      Recipe 4.5.  Decoding an SSL Certificate
      Recipe 4.6.  Installing a New SSL Certificate
      Recipe 4.7.  Generating an SSL Certificate Signing Request (CSR)
      Recipe 4.8.  Creating a Self-Signed SSL Certificate
      Recipe 4.9.  Setting Up a Certifying Authority
      Recipe 4.10.  Converting SSL Certificates from DER to PEM
      Recipe 4.11.  Getting Started with Kerberos
      Recipe 4.12.  Adding Users to a Kerberos Realm
      Recipe 4.13.  Adding Hosts to a Kerberos Realm
      Recipe 4.14.  Using Kerberos with SSH
      Recipe 4.15.  Using Kerberos with Telnet
      Recipe 4.16.  Securing IMAP with Kerberos
      Recipe 4.17.  Using Kerberos with PAM for System-Wide Authentication
   
    Chapter 5.  Authorization Controls
      Recipe 5.1.  Running a root Login Shell
      Recipe 5.2.  Running X Programs as root
      Recipe 5.3.  Running Commands as Another User via sudo
      Recipe 5.4.  Bypassing Password Authentication in sudo
      Recipe 5.5.  Forcing Password Authentication in sudo
      Recipe 5.6.  Authorizing per Host in sudo
      Recipe 5.7.  Granting Privileges to a Group via sudo
      Recipe 5.8.  Running Any Program in a Directory via sudo
      Recipe 5.9.  Prohibiting Command Arguments with sudo
      Recipe 5.10.  Sharing Files Using Groups
      Recipe 5.11.  Permitting Read-Only Access to a Shared File via sudo
      Recipe 5.12.  Authorizing Password Changes via sudo
      Recipe 5.13.  Starting/Stopping Daemons via sudo
      Recipe 5.14.  Restricting root's Abilities via sudo
      Recipe 5.15.  Killing Processes via sudo
      Recipe 5.16.  Listing sudo Invocations
      Recipe 5.17.  Logging sudo Remotely
      Recipe 5.18.  Sharing root Privileges via SSH
      Recipe 5.19.  Running root Commands via SSH
      Recipe 5.20.  Sharing root Privileges via Kerberos su
   
    Chapter 6.  Protecting Outgoing Network Connections
      Recipe 6.1.  Logging into a Remote Host
      Recipe 6.2.  Invoking Remote Programs
      Recipe 6.3.  Copying Files Remotely
      Recipe 6.4.  Authenticating by Public Key (OpenSSH)
      Recipe 6.5.  Authenticating by Public Key (OpenSSH Client, SSH2 Server, OpenSSH Key)
      Recipe 6.6.  Authenticating by Public Key (OpenSSH Client, SSH2 Server, SSH2 Key)
      Recipe 6.7.  Authenticating by Public Key (SSH2 Client, OpenSSH Server)
      Recipe 6.8.  Authenticating by Trusted Host
      Recipe 6.9.  Authenticating Without a Password (Interactively)
      Recipe 6.10.  Authenticating in cron Jobs
      Recipe 6.11.  Terminating an SSH Agent on Logout
      Recipe 6.12.  Tailoring SSH per Host
      Recipe 6.13.  Changing SSH Client Defaults
      Recipe 6.14.  Tunneling Another TCP Session Through SSH
      Recipe 6.15.  Keeping Track of Passwords
   
    Chapter 7.  Protecting Files
      Recipe 7.1.  Using File Permissions
      Recipe 7.2.  Securing a Shared Directory
      Recipe 7.3.  Prohibiting Directory Listings
      Recipe 7.4.  Encrypting Files with a Password
      Recipe 7.5.  Decrypting Files
      Recipe 7.6.  Setting Up GnuPG for Public-Key Encryption
      Recipe 7.7.  Listing Your Keyring
      Recipe 7.8.  Setting a Default Key
      Recipe 7.9.  Sharing Public Keys
      Recipe 7.10.  Adding Keys to Your Keyring
      Recipe 7.11.  Encrypting Files for Others
      Recipe 7.12.  Signing a Text File
      Recipe 7.13.  Signing and Encrypting Files
      Recipe 7.14.  Creating a Detached Signature File
      Recipe 7.15.  Checking a Signature
      Recipe 7.16.  Printing Public Keys
      Recipe 7.17.  Backing Up a Private Key
      Recipe 7.18.  Encrypting Directories
      Recipe 7.19.  Adding Your Key to a Keyserver
      Recipe 7.20.  Uploading New Signatures to a Keyserver
      Recipe 7.21.  Obtaining Keys from a Keyserver
      Recipe 7.22.  Revoking a Key
      Recipe 7.23.  Maintaining Encrypted Files with Emacs
      Recipe 7.24.  Maintaining Encrypted Files with vim
      Recipe 7.25.  Encrypting Backups
      Recipe 7.26.  Using PGP Keys with GnuPG
   
    Chapter 8.  Protecting Email
      Recipe 8.1.  Encrypted Mail with Emacs
      Recipe 8.2.  Encrypted Mail with vim
      Recipe 8.3.  Encrypted Mail with Pine
      Recipe 8.4.  Encrypted Mail with Mozilla
      Recipe 8.5.  Encrypted Mail with Evolution
      Recipe 8.6.  Encrypted Mail with mutt
      Recipe 8.7.  Encrypted Mail with elm
      Recipe 8.8.  Encrypted Mail with MH
      Recipe 8.9.  Running a POP/IMAP Mail Server with SSL
      Recipe 8.10.  Testing an SSL Mail Connection
      Recipe 8.11.  Securing POP/IMAP with SSL and Pine
      Recipe 8.12.  Securing POP/IMAP with SSL and mutt
      Recipe 8.13.  Securing POP/IMAP with SSL and Evolution
      Recipe 8.14.  Securing POP/IMAP with stunnel and SSL
      Recipe 8.15.  Securing POP/IMAP with SSH
      Recipe 8.16.  Securing POP/IMAP with SSH and Pine
      Recipe 8.17.  Receiving Mail Without a Visible Server
      Recipe 8.18.  Using an SMTP Server from Arbitrary Clients
   
    Chapter 9.  Testing and Monitoring
      Recipe 9.1.  Testing Login Passwords (John the Ripper)
      Recipe 9.2.  Testing Login Passwords (CrackLib)
      Recipe 9.3.  Finding Accounts with No Password
      Recipe 9.4.  Finding Superuser Accounts
      Recipe 9.5.  Checking for Suspicious Account Use
      Recipe 9.6.  Checking for Suspicious Account Use, Multiple Systems
      Recipe 9.7.  Testing Your Search Path
      Recipe 9.8.  Searching Filesystems Effectively
      Recipe 9.9.  Finding setuid (or setgid) Programs
      Recipe 9.10.  Securing Device Special Files
      Recipe 9.11.  Finding Writable Files
      Recipe 9.12.  Looking for Rootkits
      Recipe 9.13.  Testing for Open Ports
      Recipe 9.14.  Examining Local Network Activities
      Recipe 9.15.  Tracing Processes
      Recipe 9.16.  Observing Network Traffic
      Recipe 9.17.  Observing Network Traffic (GUI)
      Recipe 9.18.  Searching for Strings in Network Traffic
      Recipe 9.19.  Detecting Insecure Network Protocols
      Recipe 9.20.  Getting Started with Snort
      Recipe 9.21.  Packet Sniffing with Snort
      Recipe 9.22.  Detecting Intrusions with Snort
      Recipe 9.23.  Decoding Snort Alert Messages
      Recipe 9.24.  Logging with Snort
      Recipe 9.25.  Partitioning Snort Logs Into Separate Files
      Recipe 9.26.  Upgrading and Tuning Snort's Ruleset
      Recipe 9.27.  Directing System Messages to Log Files (syslog)
      Recipe 9.28.  Testing a syslog Configuration
      Recipe 9.29.  Logging Remotely
      Recipe 9.30.  Rotating Log Files
      Recipe 9.31.  Sending Messages to the System Logger
      Recipe 9.32.  Writing Log Entries via Shell Scripts
      Recipe 9.33.  Writing Log Entries via Perl
      Recipe 9.34.  Writing Log Entries via C
      Recipe 9.35.  Combining Log Files
      Recipe 9.36.  Summarizing Your Logs with logwatch
      Recipe 9.37.  Defining a logwatch Filter
      Recipe 9.38.  Monitoring All Executed Commands
      Recipe 9.39.  Displaying All Executed Commands
      Recipe 9.40.  Parsing the Process Accounting Log
      Recipe 9.41.  Recovering from a Hack
      Recipe 9.42.  Filing an Incident Report
   
    Colophon
    Index