Building Secure Servers with Linux

Several months ago I decided to setup my personal weblog on one of my home based Linux box. I knew, that counting on cheap DSL router "firewall" capability, to keep real hackers out of the system is simply not enough (and counting on the fact, that hacker wannabes and script kiddies outnumber real hackers in real life, is not reassuring either). Sure, soon after, I opened necessary ports on DSL router for web, mail and ftp service I regularly noticed port scanning probes in router log. I questioned myself if I really built secure Linux box or not? What should I do next time, to strengthen security right from the beginning, and not later, when server is already in use? Where to place Linux server and how to protect my internal network? Of course, I realized that my general knowledge about security (especially on Linux) is insufficient. I'm following Mr. Bauer excellent articles in Linux Journal for some time, appreciating not only the author knowledge in the field of security, but also his writing skills. It was a logical choice for me to begin learning about security on Linux with the help of his book. It's not some kind of "super" book on the security subject that'll give you answers on all your questions and the same time cover all security aspects.On contrary, it covers the most important security issues concerning the services and tools that you'll probably use or support on average Linux box connected to the net. This book really helped me a lot in that respect, not only with home project but also on my daily job that is only occasionally related with network security.If my case sounds familiar to you then you're definitely the prime candidate for this book.

I run a small home network with a registered static IP. I wanted to secure it and use it to run a web server and an app server. By trade I am an enterprise Java developer. Prior to reading this book, I had had zero experience securing any kind of server, and nearly zero experience administering Linux boxes at all. I was pretty intimidated by the concepts of computer security in general. Also, you should know that I actually read 90% of this book.Let me say without hesitation that this book has changed my life. I have secured my network, protected my data, detected attempted hacks, and learned a TON. This knowledge has also helped me tremendously in my day job, as an awareness of the overall network security environment is essential to being a good enterprise developer. I give 100% of the credit to Mr. Bauer, whose writing is complete, comprehensible, succinct, and lively. He progresses logically through the material, covering firewall architecture, server hardening, use of ssh for all administration, log watching, web and DNS security, threat detection, and many other topics. His coverage is a judicious mixture of utilitarian and theoretical - he gives you just the right instructions to accomplish your goals, and just enough background to make it interesting and understandable. This approach makes his chapters on bastion hosts, ssh, and tripwire especially definitive. His humor, unlike that of many other technical authors, actually is funny and helpful. When he refers to the complex Diffie-Hellman key exchange algorithm as a "large-prime-number hoe-down," he succeeds in both entertaining and providing an adequate summary for the average network administrator. Bauer's sense of organization and style enables him to take the mystique and complexity out of computer security and empower the reader.I take extreme exception to the negative reviewer who claims that Bauer relies too heavily on graphical tools, which is bad since one should not even have X11 running on a secure server. Obviously this other reviewer never read the book. In his chapter on hardening Linux, Bauer EXPRESSLY SAYS not to install X11 on a secure server. Almost NOWHERE in the book does he use graphical tools. What the other reviewer has written is unfair and untrue. Maybe he read a different book.One minor quibble I have is that the log monitoring software Bauer suggests, "swatch," is adequate but has really been superseded by "logwatcher," which comes with Red Hat Linux. Logwatcher has built-in smarts, and does not need to rely on downloading modules from CPAN onto your secure server. But consider this: the fact that I can even raise this issue, after previously knowing absolutely nothing about computer security, is further testament to the greatness of this book.

With several years of network and server experience but very little Linux knowledge, this book is the perfect stepping stone to getting some practical experience. The book covers enough of the basics to help along without getting caught up in them.Excellent reference book or book to read cover-to-cover.

Mick's book is the first Linux title since Matt Welsh's first edition of "Running Linux" that I believe is worth reading cover-to-cover. Most security books are either 1) just rehashes of the basics (turn of unused ports, don't let sendmail be an open relay, use ssh, etc) or 2) lengthy descriptions of how to prevent known types of attacks. The latter type is useful, but most of that information can be found (more up-to-date, too) on a number of websites."Building Secure Servers with Linux" instead take the approach of describing the various tools available to secure Linux-based hosts and networks, what they do, and how best to configure them. He covers both standard Linux packages: sendmail, openssh, syslog and apache, and less-commonly-installed tools like djbdns, nessus, Bastille, and postfix. Explanations are clear, the writing style is easy to read, and, like good technical books do, he points out places where the normal documentation is lacking or unclear, and warns you of pitfalls before you experience them. Many powerful linux security packages are written for hackers by hackers and leave a lot of blanks to fill in. The two things that people might find lacking about this book--I believe are actually advantages. The first is that there are many security tools available that this book does not cover. I'm sure as time progresses someone will post here "This book doesn't cover X." However, most of the time, Bauer mentions those tools' availability and points you in the direction of places where you can learn how to use them. This is a good compromise, because the alternative is for him to try to cover _every_ tool, including those for which he's had little experience. Instead he sticks to those packages he can confidently recommend and help you configure. Secondly, he does inject a good dose of personal opinion and experience: I'm sure he'll push one or two buttons with his statements. However, I find those opinions valuable, even if you personally disagree, and he backs them all up with good evidence.I hope that the author is able to keep this book up-to-date as the years progress (practical security books have a half-life of about 18 months) and continues to keep us informed with his very excellent column in Linux Journal.

There are many ways to do things right and many ways to do things wrong. This book goes into great detail about best practices for your DNS, web, mail, database and FTP servers. Specifically it covers BIND 8 and 9, djbdns, Apache, Mysql, Sendmail and Postfix, ProFTPd, scp, ssh, sftp, rsync, and many more applications. It also covers firewalls with good iptables examples. Although the subject may sound uninteresting I could not put the book down. So many questions I have thought of are answered here. Be warned, you will immediately want to upgrade your existing servers utilizing the suggestions in this book so be prepared for a lot of work.