
Book description

Linux consistently turns up high in the list of popular Internet servers, whether it's for the Web, anonymous FTP, or general services like DNS and routing mail. But security is uppermost on the mind of anyone providing such a service. Any server experiences casual probe attempts dozens of times a day, and serious break-in attempts with some frequency as well. As the cost of broadband and other high-speed Internet connectivity has gone down, and its availability has increased, more Linux users are providing or considering providing Internet services such as HTTP, Anonymous FTP, etc., to the world at large. At the same time, some important, powerful, and popular Open Source tools have emerged and rapidly matured, some of which rival expensive commercial equivalents, making Linux a particularly appropriate platform for providing secure Internet services.

Building Secure Servers with Linux will help you master the principles of reliable system and network security by combining practical advice with a firm knowledge of the technical tools needed to ensure security. The book focuses on the most common use of Linux, as a hub offering services to an organization or the larger Internet, and shows readers how to harden their hosts against attacks. Author Mick Bauer, a security consultant, network architect, and lead author of the popular Paranoid Penguin column in Linux Journal, carefully outlines the security risks, defines precautions that can minimize those risks, and offers recipes for robust security. The book does not cover firewalls, but covers the more common situation where an organization protects its hub using other systems as firewalls, often proprietary firewalls. The book includes:

  • Precise directions for securing common services, including the Web, mail, DNS, and file transfer.

  • Ancillary tasks, such as hardening Linux, using SSH and certificates for tunneling, and using iptables for firewalling.

  • Basic installation of intrusion detection tools.

Writing for Linux users with little security expertise, the author explains security concepts and techniques in clear language, beginning with the fundamentals. Building Secure Servers with Linux provides a unique balance of "big picture" principles that transcend specific software packages and version numbers, and very clear procedures on securing some of those software packages. An all-inclusive resource for Linux users who wish to harden their systems, the book covers general security as well as key services such as DNS, the Apache Web server, mail, file transfer, and secure shell. With this book in hand, you'll have everything you need to ensure robust security of your Linux system.

Table of Contents

  1. Building Secure Servers with Linux
    1. Preface
      1. What This Book Is About
      2. The Paranoid Penguin Connection
      3. Audience
      4. What This Book Doesn’t Cover
      5. Assumptions This Book Makes
      6. Conventions Used in This Book
      7. Request for Comments
      8. Acknowledgments
    2. 1. Threat Modeling and Risk Management
      1. Components of Risk
        1. Assets
        2. Security Goals
          1. Data confidentiality
          2. Data integrity
          3. System integrity
          4. System/network availability
        3. Threats
        4. Motives
          1. Financial motives
          2. Political motives
          3. Personal/psychological motives
        5. Vulnerabilities and Attacks Against Them
      2. Simple Risk Analysis: ALEs
      3. An Alternative: Attack Trees
      4. Defenses
        1. Asset Devaluation
        2. Vulnerability Mitigation
        3. Attack Mitigation
      5. Conclusion
      6. Resources
    3. 2. Designing Perimeter Networks
      1. Some Terminology
      2. Types of Firewall and DMZ Architectures
        1. The “Inside Versus Outside” Architecture
        2. The “Three-Homed Firewall” DMZ Architecture
        3. A Weak Screened-Subnet Architecture
        4. A Strong Screened-Subnet Architecture
      3. Deciding What Should Reside on the DMZ
      4. Allocating Resources in the DMZ
      5. The Firewall
        1. Types of Firewall
          1. Simple packet-filters
          2. Stateful packet-filtering
          3. Stateful Inspection
          4. Application-layer proxies
        2. Selecting a Firewall
        3. General Firewall Configuration Guidelines
          1. Harden your firewall’s OS
          2. Configure anti-IP-spoofing rules
          3. Deny by default
          4. Strictly limit incoming traffic
          5. Strictly limit all traffic out of the DMZ
          6. Don’t give internal systems unrestricted outbound access
          7. If you have the means, use an application-Gateway firewall
          8. Don’t be complacent about host security
    4. 3. Hardening Linux
      1. OS Hardening Principles
        1. Installing/Running Only Necessary Software
          1. Commonly unnecessary packages
          2. Disabling services without uninstalling them
        2. Keeping Software Up to Date
          1. Distribution (global) updates versus per-package updates
          2. Whither X-based updates?
          3. How to be notified of and obtain security updates: Red Hat
          4. RPM updates for the extremely cautious
          5. How to be notified of and obtain security updates: SuSE
          6. SuSE’s online-update feature
          7. How to be notified of and obtain security updates: Debian
        3. Deleting Unnecessary User Accounts and Restricting Shell Access
        4. Restricting Access to Known Users
        5. Running Services in chrooted Filesystems
        6. Minimizing Use of SUID=root
          1. Identifying and dealing with SUID=root files
        7. Configuring, Managing, and Monitoring Logs
        8. Every System Can Be Its Own Firewall: Using iptables for Local Security
          1. Using iptables: preparatory steps
          2. How netfilter works
          3. Using iptables
        9. Checking Your Work with Scanners
          1. Types of scans and their uses
          2. Why we (good guys) scan
          3. nmap, world champion port scanner
          4. Getting and installing nmap
          5. Using nmap
          6. Some simple port scans
          7. Nessus, a full-featured security scanner
          8. Security Scanners Explained
          9. Nessus’ architecture
          10. Getting and installing Nessus
          11. Nessus clients
          12. Running and maintaining nessusd
          13. Performing security scans with Nessus
        10. Understanding and Using Available Security Features
        11. Documenting Bastion Hosts’ Configurations
      2. Automated Hardening with Bastille Linux
        1. Background
          1. How Bastille came to be
        2. Obtaining and Installing Bastille
        3. Running Bastille
        4. Some Notes on InteractiveBastille
        5. Bastille’s Logs
        6. Hooray! I’m Completely Secure Now! Or Am I?
    5. 4. Secure Remote Administration
      1. Why It’s Time to Retire Clear-Text Admin Tools
      2. Secure Shell Background and Basic Use
        1. How SSH Works
        2. Getting and Installing OpenSSH
        3. SSH Quick Start
        4. Using sftp and scp for Encrypted File Transfers
        5. Digging into SSH Configuration
        6. Configuring and Running sshd, the Secure Shell Daemon
      3. Intermediate and Advanced SSH
        1. Public-Key Cryptography
        2. Advanced SSH Theory: How SSH Uses PK Crypto
        3. Setting Up and Using RSA and DSA Authentication
        4. Minimizing Passphrase Typing with ssh-agent
        5. Passphrase-less Keys for Maximum Scriptability
        6. Using SSH to Execute Remote Commands
        7. TCP Port Forwarding with SSH: VPN for the Masses!
      4. Other Handy Tools
        1. What’s Wrong with Being root?
        2. su
        3. sudo
    6. 5. Tunneling
      1. Stunnel and OpenSSL: Concepts
        1. OpenSSL
          1. What a Certificate Authority does and why you might need one
          2. How to become a small-time CA
          3. Generating and signing certificates
          4. Client certificates
        2. Using Stunnel
          1. A quick Stunnel example
          2. The quick example, explained less quickly
          3. Another method for using Stunnel on the server
        3. Using Certificate Authentication
          1. x.509 authentication example
        4. Using Stunnel on the Server and Other SSL Applications on the Clients
          1. One final pointer on Stunnel: chrooting it
        5. Other Tunneling Tools
    7. 6. Securing Domain Name Services (DNS)
      1. DNS Basics
      2. DNS Security Principles
      3. Selecting a DNS Software Package
      4. Securing BIND
        1. Making Sense out of BIND Versions
        2. Obtaining and Installing BIND
        3. Preparing to Run BIND (or, Furnishing the Cell)
          1. Provisioning a chroot jail for BIND v8
          2. Provisioning a chroot jail for BIND v9
          3. Invoking named
        4. Securing named.conf
          1. acl{} sections
          2. Global options: The options{} section
          3. Logging
          4. zone{} sections
          5. Split DNS and BIND v9
        5. Zone File Security
        6. Advanced BIND Security: TSIGS and DNSSEC
          1. Transaction Signatures (TSIGs)
          2. Additional uses for TSIGs
        7. Sources of BIND (and IS Security) Information
      5. djbdns
        1. What Is djbdns?
          1. Why not BIND?
        2. Choosing djbdns Services
        3. How djbdns Works
        4. Installing djbdns
          1. Installing the service manager: daemontools
          2. Installing djbdns itself
          3. Installing an internal cache: dnscache
          4. Installing an external cache: dnscachex
          5. Installing a DNS server: tinydns
        5. Running tinydns
          1. Helper applications
          2. The tinydns-data format
          3. tinydns data reference
        6. Running djbdns client programs
        7. Coexisting with BIND
          1. Installing ucspi-tcp
          2. Running axfr-get
          3. Installing axfrdns
          4. Running axfrdns
        8. Encrypting Zone Transfers with rsync and ssh
        9. Migrating from BIND
      6. Resources
        1. General DNS Security Resources
          1. Some DNS-related RFCs (available at )
          2. Some DNS/BIND security advisories (available at http://www.cert.org)
        2. BIND Resources
        3. djbdns Resources
    8. 7. Securing Internet Email
      1. Background: MTA and SMTP Security
        1. Email Architecture: SMTP Gateways and DMZ Networks
        2. SMTP Security
        3. Unsolicited Commercial Email
        4. SMTP AUTH
      2. Using SMTP Commands to Troubleshoot and Test SMTP Servers
      3. Securing Your MTA
      4. Sendmail
        1. Sendmail Pros and Cons
        2. Sendmail Architecture
        3. Obtaining and Installing Sendmail
          1. SuSE Sendmail preparation
          2. Red Hat Sendmail preparation
          3. Debian Sendmail preparation
        4. Configuring Sendmail: Overview
        5. Configuring sendmail.mc
          1. Some sendmail.mc m4 variable definitions
        6. Configuring Sendmail to Run Semichrooted
          1. Feature directives
          2. Masquerading
          3. Applying your new configuration
        7. Configuring Sendmail’s Maps and Other Files
          1. local-host-names
          2. Configuring the mailertable
          3. Configuring the access database
          4. Configuring virtusers
          5. Defining aliases
        8. Sendmail and SMTP AUTH
          1. Versions of Sendmail that support SMTP AUTH
          2. Obtaining Cyrus SASL
          3. Configuring SASL for server-server authentication
          4. Configuring SASL for client-server authentication
          5. Configuring Sendmail for server-server authentication
          6. Configuring Sendmail for client-server authentication
        9. Sendmail and STARTTLS
          1. Versions of Sendmail that support STARTTLS
          2. Getting keys and certificates
          3. Configuring Sendmail to Use TLS
      5. Postfix
        1. Postfix Architecture
        2. Getting and Installing Postfix
        3. Postfix for the Lazy: A Quick-Start Procedure
        4. Configuring Postfix
        5. Hiding Internal Email Addresses by Masquerading
        6. Running Postfix in a chroot Jail
        7. Postfix Aliases, Revealed
        8. Keeping out Unsolicited Commercial Email (UCE)
      6. Resources
        1. SMTP Information
        2. Sendmail Information
        3. Postfix Information
    9. 8. Securing Web Services
      1. Web Server Security
        1. Problems and Goals
        2. What, When, and Where to Secure
        3. Some Principles
      2. Build Time: Installing Apache
        1. Starting Installation
          1. Setting up your firewall
          2. Checking your Apache version
        2. Installation Methods
          1. RPM installation
          2. Source installation
          3. Linking methods
        3. Securing Apache’s File Hierarchy
      3. Setup Time: Configuring Apache
        1. Apache Configuration Files
        2. Configuration Options
          1. User and group
          2. Files and directories
          3. Listen
          4. Containers: Directory, Location, and Files
          5. Options
          6. Resource limits
          7. User directories
        3. Static Content
        4. Dynamic Content: Server-Side Includes (SSI)
          1. SSI configuration
          2. Including files
          3. Executing commands
        5. Dynamic Content: Common Gateway Interface (CGI)
          1. Standalone and built-in CGI interpreters
          2. Specifying CGI programs
          3. suEXEC
          4. FastCGI
      4. Runtime: Securing CGI Scripts
        1. HTTP, URLs, and CGI
          1. HEAD method
          2. OPTIONS method
          3. GET method
          4. POST method
          5. PUT method
        2. CGI Languages
          1. PHP
          2. Perl
        3. Processing Form Data
          1. PHP
          2. Perl
        4. Including Files
          1. PHP
          2. Perl
        5. Executing Programs
          1. PHP
          2. Perl
        6. Uploading Files from Forms
          1. PHP
          2. Perl
        7. Accessing Databases
          1. PHP
          2. Perl
        8. Checking Other Scripts
        9. Continuing Care
      5. Special Topics
        1. Authentication
          1. Basic authentication
          2. Digest authentication
          3. Safer authentication
        2. Access Control and Authorization
          1. Host-based access control
          2. Environment-variable access control
          3. User-based access control
          4. Combined access control
        3. SSL
        4. Sessions and Cookies
          1. PHP
          2. Perl
        5. Site Management: Uploading Files
          1. Not-so-good ideas
          2. Better ideas: ssh, scp, sftp, rsync
          3. WebDAV
        6. New Frameworks: SOAP, Web Services, and REST
        7. Robots and Spiders
        8. Detecting and Deflecting Attackers
        9. Caches, Proxies, and Load Balancers
        10. Logging
      6. Other Servers and Web Security
        1. Web Servers
        2. Application Servers
    10. 9. Securing File Services
      1. FTP Security
        1. Principles of FTP Security
          1. Active mode versus passive mode FTP
          2. The case against nonanonymous FTP
          3. Tips for securing anonymous FTP
        2. Using ProFTPD for Anonymous FTP
          1. Getting ProFTPD
            1. Inetd/Xinetd versus standalone mode
          2. ProFTPD modules
          3. Setting up the anonymous FTP account and its chroot jail
          4. General ProFTPD configuration
          5. Base-server and global settings
          6. Anonymous FTP setup
          7. Virtual-server setup
      2. Other File-Sharing Methods
        1. SFTP and scp
        2. rsync
          1. Getting, compiling, and installing rsync
          2. Running rsync over SSH
          3. Setting up an rsync server
          4. Using rsync to connect to an rsync server
          5. Tunneling rsync with Stunnel
      3. Resources
    11. 10. System Log Management and Monitoring
      1. syslog
        1. Configuring syslog
          1. Facilities
          2. Priorities
          3. Actions
          4. More sophisticated selectors
          5. Running syslogd
      2. Syslog-ng
        1. Compiling and Installing Syslog-ng from Source Code
        2. Running syslog-ng
        3. Configuring Syslog-ng
          1. Global options
          2. Sources
          3. Destinations
          4. Filters
          5. Log statements
        4. Advanced Configurations
      3. Testing System Logging with logger
      4. Managing System-Log Files
        1. Log Management in Red Hat 7 and Debian 2.2: /sbin/logrotate
          1. Syntax of logrotate.conf and its included scripts
          2. Running logrotate
        2. Log Management in SuSE 7
      5. Using Swatch for Automated Log Monitoring
        1. Installing Swatch
        2. swatch Configuration in Brief
        3. Advanced swatch Configuration
        4. Running swatch
        5. Fine-Tuning swatch
        6. Why You Shouldn’t Configure swatch Once and Forget About It
      6. Resources
    12. 11. Simple Intrusion Detection Techniques
      1. Principles of Intrusion Detection Systems
        1. Host-Based IDSes: Integrity Checkers
        2. NIDS: Scanning for Signatures Versus Anomalies
          1. Signature-based systems
          2. Anomaly-detection systems
      2. Using Tripwire
        1. Obtaining, Compiling, and Installing Tripwire
        2. Configuring Tripwire
          1. Managing the configuration file
          2. Editing or creating a policy
          3. Policy file structure and syntax
          4. Property masks
          5. Installing the policy file
        3. Running Tripwire Checks and Updates
          1. Updating Tripwire’s database after violations or system changes
        4. Changing Tripwire’s Policy
      3. Other Integrity Checkers
      4. Snort
        1. Obtaining, Compiling, and Installing Snort
          1. Getting Snort source code and binaries
          2. Installing Snort RPMs
          3. Compiling and installing Snort from source
          4. Making Snort at home after compiling and installing it
          5. Creating a database for Snort
        2. Using Snort as a Packet Sniffer
        3. Using Snort as a Packet Logger
        4. Configuring and Using Snort as an IDS
          1. Variable definitions
          2. Preprocessor plug-in statements
          3. Output (postprocessor) plug-in statements
          4. Rules
          5. Starting snort in IDS mode
          6. Testing Snort and watching its logs
          7. Updating Snort’s rules automatically
      5. Resources
    13. A. Two Complete Iptables Startup Scripts
    14. Index
    15. Colophon