O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Linux Hardening in Hostile Networks: Server Security from TLS to Tor

Book Description

Implement Industrial-Strength Security on Any Linux Server

In an age of mass surveillance, when advanced cyberwarfare weapons rapidly migrate into every hacker's toolkit, you can't rely on outdated security methods-especially if you're responsible for Internet-facing services. In Linux® Hardening in Hostile Networks, Kyle Rankin helps you to implement modern safeguards that provide maximum impact with minimum effort and to strip away old techniques that are no longer worth your time.

Rankin provides clear, concise guidance on modern workstation, server, and network hardening, and explains how to harden specific services, such as web servers, email, DNS, and databases. Along the way, he demystifies technologies once viewed as too complex or mysterious but now essential to mainstream Linux security. He also includes a full chapter on effective incident response that both DevOps and SecOps can use to write their own incident response plan.

Each chapter begins with techniques any sysadmin can use quickly to protect against entry-level hackers and presents intermediate and advanced techniques to safeguard against sophisticated and knowledgeable attackers, perhaps even state actors. Throughout, you learn what each technique does, how it works, what it does and doesn't protect against, and whether it would be useful in your environment.

  • Apply core security techniques including 2FA and strong passwords

  • Protect admin workstations via lock screens, disk encryption, BIOS passwords, and other methods

  • Use the security-focused Tails distribution as a quick path to a hardened workstation

  • Compartmentalize workstation tasks into VMs with varying levels of trust

  • Harden servers with SSH, use apparmor and sudo to limit the damage attackers can do, and set up remote syslog servers to track their actions

  • Establish secure VPNs with OpenVPN, and leverage SSH to tunnel traffic when VPNs can't be used

  • Configure a software load balancer to terminate SSL/TLS connections and initiate new ones downstream

  • Set up standalone Tor services and hidden Tor services and relays

  • Secure Apache and Nginx web servers, and take full advantage of HTTPS

  • Perform advanced web server hardening with HTTPS forward secrecy and ModSecurity web application firewalls

  • Strengthen email security with SMTP relay authentication, SMTPS, SPF records, DKIM, and DMARC

  • Harden DNS servers, deter their use in DDoS attacks, and fully implement DNSSEC

  • Systematically protect databases via network access control, TLS traffic encryption, and encrypted data storage

  • Respond to a compromised server, collect evidence, and prevent future attacks

Register your product at informit.com/register for convenient access to downloads, updates, and corrections as they become available.

Table of Contents

  1. About This E-Book
  2. Title page
  3. Copyright Page
  4. Dedications
  5. Contents at a Glance
  6. Contents
  7. Foreword
  8. Preface
  9. Acknowledgments
  10. About the Author
  11. 1. Overall Security Concepts
    1. Section 1: Security Fundamentals
      1. Essential Security Principles
      2. Basic Password Security
    2. Section 2: Security Practices Against a Knowledgeable Attacker
      1. Security Best Practices
      2. Password-Cracking Techniques
      3. Password-Cracking Countermeasures
    3. Section 3: Security Practices Against an Advanced Attacker
      1. Advanced Password-Cracking Techniques
      2. Advanced Password-Cracking Countermeasures
    4. Summary
  12. 2. Workstation Security
    1. Section 1: Security Fundamentals
      1. Workstation Security Fundamentals
      2. Web Security Fundamentals
      3. Introduction to Tails
      4. Download, Validate, and Install Tails
      5. Use Tails
    2. Section 2: Additional Workstation Hardening
      1. Workstation Disk Encryption
      2. BIOS Passwords
      3. Tails Persistence and Encryption
    3. Section 3: Qubes
      1. Introduction to Qubes
      2. Qubes Download and Installation
      3. The Qubes Desktop
      4. An AppVM Compartmentalization Example
      5. Split GPG
      6. USB VM
    4. Summary
  13. 3. Server Security
    1. Section 1: Server Security Fundamentals
      1. Fundamental Server Security Practices
      2. SSH Configuration
      3. Sudo
    2. Section 2: Intermediate Server-Hardening Techniques
      1. SSH Key Authentication
      2. AppArmor
      3. Remote Logging
    3. Section 3: Advanced Server-Hardening Techniques
      1. Server Disk Encryption
      2. Secure NTP Alternatives
      3. Two-Factor Authentication with SSH
    4. Summary
  14. 4. Network
    1. Section 1: Essential Network Hardening
      1. Network Security Fundamentals
      2. Man-in-the-Middle Attacks
      3. Server Firewall Settings
    2. Section 2: Encrypted Networks
      1. OpenVPN Configuration
      2. SSH Tunnels
      3. SSL/TLS-Enabled Load Balancing
    3. Section 3: Anonymous Networks
      1. Tor Configuration
      2. Tor Hidden Services
    4. Summary
  15. 5. Web Servers
    1. Section 1: Web Server Security Fundamentals
      1. Permissions
      2. HTTP Basic Authentication
    2. Section 2: HTTPS
      1. Enable HTTPS
      2. Redirect HTTP to HTTPS
      3. HTTPS Reverse Proxy
      4. HTTPS Client Authentication
    3. Section 3: Advanced HTTPS Configuration
      1. HSTS
      2. HTTPS Forward Secrecy
      3. Web Application Firewalls
    4. Summary
  16. 6. Email
    1. Section 1: Essential Email Hardening
      1. Email Security Fundamentals
      2. Basic Email Hardening
    2. Section 2: Authentication and Encryption
      1. SMTP Authentication
      2. SMTPS
    3. Section 3: Advanced Hardening
      1. SPF
      2. DKIM
      3. DMARC
    4. Summary
  17. 7. DNS
    1. Section 1: DNS Security Fundamentals
      1. Authoritative DNS Server Hardening
      2. Recursive DNS Server Hardening
    2. Section 2: DNS Amplification Attacks and Rate Limiting
      1. DNS Query Logging
      2. Dynamic DNS Authentication
    3. Section 3: DNSSEC
      1. How DNS Works
      2. DNS Security Issues
      3. How DNSSEC Works
      4. DNSSEC Terminology
      5. Add DNSSEC to a Zone
    4. Summary
  18. 8. Database
    1. Section 1: Database Security Fundamentals
      1. Essential Database Security
      2. Local Database Administration
      3. Database User Permissions
    2. Section 2: Database Hardening
      1. Database Network Access Control
      2. Enable SSL/TLS
    3. Section 3: Database Encryption
      1. Full Disk Encryption
      2. Application-Side Encryption
      3. Client-Side Encryption
    4. Summary
  19. 9. Incident Response
    1. Section 1: Incident Response Fundamentals
      1. Who Performs Incident Response?
      2. Do You Prosecute?
      3. Pull the Plug
      4. Image the Server
      5. Server Redeployment
      6. Forensics
    2. Section 2: Secure Disk Imaging Techniques
      1. Choose the Imaging System
      2. Create the Image
      3. Introduction to Sleuth Kit and Autopsy
    3. Section 3: Walk Through a Sample Investigation
      1. Cloud Incident Response
    4. Summary
  20. Appendix A. Tor
    1. What Is Tor?
      1. Why Use Tor?
    2. How Tor Works
    3. Security Risks
      1. Outdated Tor Software
      2. Identity Leaks
  21. Appendix B. SSL/TLS
    1. What Is TLS?
      1. Why Use TLS?
    2. How TLS Works
      1. Deciphering Cipher Names
    3. TLS Troubleshooting Commands
      1. View the Contents of a Certificate
      2. View the Contents of a CSR
      3. Troubleshoot a Protocol over TLS
    4. Security Risks
      1. Man-in-the-Middle Attacks
      2. Downgrade Attacks
      3. Forward Secrecy
  22. Index