O’Reilly news

"Linux Server Security": Beyond the Patch Rat Race--Tools and Best Practices for Bastion Hosts

February 1, 2005

Sebastopol, CA--Most people agree that a sufficiently skilled and determined attacker can compromise almost any system, even if you've carefully considered and planned against likely attack vectors. "It therefore follows," observes Michael D. "Mick" Bauer, author of Linux Server Security (O'Reilly, US $44.95), "that if you don't plan for even the most plausible and likely threats to a given system's security, that system will be particularly vulnerable." Considering, however, that most servers experience casual probe attempts dozens of times each day and serious break-in attempts occur with regular frequency, planning for "likely" threats will seldom be enough.

"The recent, unprecedented growth in automated attacks, especially in the form of worms, viruses, and Trojans, has really amplified the ramifications of system vulnerabilities," notes Bauer. "Since these crop up relentlessly and unpredictably, it's more important than ever that any Internet-connected Linux system be not only patched, but very carefully configured to contain both anticipated and unanticipated security failures.

"Put another way," Bauer adds, "the bad news is that the patch rat race is futile, and sooner or later your system will be exposed to an unpatched security hole; the good news is that there are lots of other things you can do to prevent one hole being used to compromise your entire system. My book explains what those techniques are and how to use them."

Bauer, who is a security consultant, network architect, and lead author of the popular Paranoid Penguin column in "Linux Journal," carefully outlines security risks, defines precautions that can minimize those risks, and offers recipes for robust security. He is joined on several chapters by administrator and developer Bill Lubanovic.

Linux Server Security combines practical advice with a firm knowledge of the technical tools needed to ensure server security. The book focuses on the most common use of Linux--as a hub offering services to an organization or the Internet--and shows readers how to harden their hosts against attacks. It's a unique but much needed approach, as Bauer explains: "Most of the books on Linux security are either very broad, touching on many different security concepts but lacking detailed procedures for how to secure things. Or they're focused on possible attacks and how they work, rather than on detailed defensive techniques. It seemed to me that what the world needed was a step-by-step manual for securing Internet-connected Linux servers, both at the Operating System level and at the application level. Naturally, I couldn't cover all possible applications or usage-scenarios, but my book covers popular applications in a number of different spaces: DNS, SMTP, FTP, WWW, remote administration, etc., and in most of these spaces I cover more than one application."

This new edition of Linux Server Security, originally titled Building Secure Servers with Linux, covers a number of new security topics, including:

  • Database security, with a focus on MySQL
  • The use of OpenLDAP for authentication
  • An introduction to email encryption
  • The Cyrus IMAP server, a popular mail delivery agent
  • The vsftpd FTP server
  • Beginning with the fundamentals, Linux Server Security explains security concepts and techniques in clear language, so that Linux users with minimal knowledge of security will be able to grasp and apply its lessons. The book provides a unique blend of "big picture" principles that transcend specific software packages and version numbers, and practical procedures for securing some of those software packages on several popular distributions. With this book in hand, Linux administrators will have everything they need to ensure the robust security of their Linux systems.

    Praise for the previous edition, Building Secure Servers with Linux:

    "From the author of Linux Journal's 'Paranoid Penguin' column comes what may be the best-ever, common sense guide to securing network attached Linux servers. While Bauer admits that the only true way to secure a server is by disconnecting it and powering it down, he writes for those who must maintain always-on, connected servers (and for whom other suggested securing techniques such as drive degaussing and pulverizing are simply out of the question)...The concepts and methods applied in this book give the Linux Administrator not only a wonderful guide to the intricacies of systems security, but also a conceptual toolbox and a deep understanding of common sense security techniques. Recommended."
    --Wayne Bridges, Kickstartnews.com

    "Of particular interest to admins of larger and/or more complex networks is the discussion on how to assess the most vulnerable part of your network in order to prioritize the process of securing it...Look at the table of contents. Each subject mentioned therein is dealt with clearly, consistently, and comprehensively. Read the preface and back cover. Everything promised is fulfilled within the book. They also provide an excellent guide as to whether the information you are looking for is contained within. If that's the case, I recommend this book."
    --Helen McManus, LinuxChix

    "Building Secure Servers with Linux really does provide an excellent practical guide to best practices for secure hosts. Anyone seeking to set up any manner of internet service would be well advised to start here."
    --Martin Howse, Linux User & Developer, Issue 26

    Further reviews of the first edition can be found here.

    Additional Resources:

    Linux Server Security, Second Edition
    Michael D. Bauer
    ISBN: 0-596-00670-5, 522 pages, $44.95 US, $65.95 CA
    order@oreilly.com
    1-800-998-9938; 1-707-827-7000

    About O’Reilly

    O’Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O’Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying “faint signals” from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.

    Email a link to this press release