We live in a consumer-oriented society. Symptomatic of the consumer attitude is the notion that everything can be bought and disposed of with great convenience.
Computers have become almost a commodity, so it is not surprising to hear business managers make statements like, "We need to buy a new network," or "Where can we buy a firewall?" One office manager recently stated with absolute indignation that the server he had bought recently was not secure because someone had been able to "hack into it and mess up our files."
This book is designed to help you, the administrator or the IT person, cut through the noise on the bookshelves and on the Web and secure your Linux environment. Hardening your system is more like a way of traveling than a destination. A
The information systems cracker is the modern equivalent of the person who breaks into a safe or a bank vault. Some network crackers practice their craft just for thrills, while others may have sinister motives. One thing we can be sure of is that the best defense available is only effective until someone learns to break through and compromise it.
Perpetual vigilance is the price of
Linux servers are increasingly subject to scurrilous activity, as are all other server and desktop platforms. The majority of attacks and intrusions that occur are the result of inadequate measures taken to harden the network and its resources. So let's start with the right steps to close the door on the potential for a security breach, and then work toward
It has often been pointed out that the only totally secure server is one that is turned off and sealed inside concrete. Unfortunately, that is not a practical solution to business and organizational needs. A server can also be secured by isolating it from all users, but that too is seldom
Hardening involves more than security. It includes all actions that must be taken to make the total Linux server suitable for the task for which it is being used. A holistic approach is necessary if the results of hardening are to be acceptable in the long run. New computer security legislation is being enacted almost daily and
Our journey begins with seven initiatives that will help you take control of your servers. The remaining chapters should be followed with a resolute determination to gain and hold effective control over all network resources, never giving a criminal opportunity to do more harm.
This book approaches the system hardening challenge from a position that is rather uncommon in the Linux world. It assumes that you have purchased a commercially supported Linux server product from a reputable company that does all the right things to help secure your server. Bear in mind that you are responsible for applying the security updates your vendor provides, but we assume that they are the experts in providing a secure system, particularly when the patches and updates they provide have been applied.
The first chapter will help you to verify that the Linux server is in a condition that is suitable for hardening. If these steps provide cause for concern, you should ask yourself, "Is this system worthy of hardening?" If the system has been compromised before the hardening process has even begun, you should consider reinstallation from installation media that is known to be safe.
Assuming that your server shows no evidence of intrusion or of having been compromised, your server is in good shape to commence the hardening process.
Following the principle that a safe computer is one that has been shut down, you will ensure that only essential processes are running. This
Now that the system is providing only essential services the
A proactive security policy will do everything possible to ensure that an intruder finds as few tools as possible to ease any intended alien activities. True to this sentiment, you will remove all software that is not needed for the services that the Linux system must provide.
In light of the increasing presence of people who have nasty intent and who make an art out of exploiting newly
Intruders want root level access because they know that is the only way they can get around all system restrictions, but we must fully anticipate system misuse by the normal user also. In this chapter you will learn how to use techniques to help protect files from the prying eyes and wanton access attempts by the ordinary
Learn how to protect the most sensitive information through the use of cryptography. You will take positive steps to deprive an intruder as well as the
An understanding of how authentication and system access controls function will help you to provide better locks and improved safeguards against unauthorized system access. This chapter covers the pluggable authentication modules (PAM) and the
The UNIX system
Communication over local as well as public networks cannot be avoided. Learn how to secure all private traffic that must traverse a public network infrastructure. You will learn how to use secure data tunneling techniques as well as secure communication tools.
In this chapter you will experience the use of system monitoring as well as the use of sophisticated tools to probe and
Scattered throughout this book you will find references to logging or critical information. Here you will learn how to configure a centralized log server that can be equipped with automated log file scanning and reporting tools. Never give a criminal an even break; instead you will most likely be alerted to an intruder before he even
Just when you think that the application of patches and security updates is so easy, you stumble upon this chapter to help you to take hold of a most intensely important responsibility. Seasoned security
What more can be done to find the cancer within? This chapter provides a cogent answer to nagging
Find out how to get management buy-in for Linux system hardening. The tips and tools presented here are worth more than their weight in gold; they will help you to get total commitment to the return on investment opportunity that management expects.
Finally, your server has been secured and management has bought into your security goals and objectives. Now, to maintain that support, you'll learn how to set goals and implement sustainable security policies and practices that work.