Hardening Linux

James Turnbull is the author of five technical books about open source software and a longtime member of the open source community. James authored the first and second books about Puppet, and works for Puppet Labs, running client services. James speaks regularly at conferences including OSCON, Linux.conf.au, FOSDEM, OpenSourceBridge, DevOpsDays and a number of others. He is a past president of Linux Australia, has run Linux.conf.au and serves on the program committee of Linux.conf.au and OSCON. James is Australian but currently lives in Portland, Oregon. His interests include cooking, wine, political theory, photojournalism, philosophy, and most recently the Portland Timbers association football team.

Introduction Who should buy this book? Why buy this book? Security Fundamentals Risk Assessment – Who is going to attack me? Types of attackers Internal versus External attacks Mitigating Risk Security Doctrine Patch now, patch often Minimalism is good Keeping informed Logging is your friend Installing Linux securely Installing Linux securely Step-by-step example Finalising your installation Keeping your installation up-to-date Operating system security Boot security Grub Boot password security Booting file systems securely Kernel security Compiling your own kernel Sysctl Flags Users and Groups Logins and Passwords Sudo Chroot Components of a chroot jail Using the jail Development Tools Preparation How to compile packages Securing the tools Firewalling Firewall basics Network architecture & design The DMZ Iptables Configuring Testing your configuration Some firewalling examples Mail server Web server MySQL server Firewall logging & analysis Securing connections SSH Stunnel Inetd/xinetd tcpwrappers PAM Kerberos Radius and FreeRadius Securing files and file systems File & directory level security Permissions Ownership ACLs File Integrity PGP and signatures MD5 sums Tripwire NFS and why not to use it Alternatives to NFS Logging Why log? What do you need to know? Syslog Syslog-ng Log Rotation Centralised logging Logging securely using SSL? Log analysis – SEC, Swatch, Logwatch and Logcheck Where do I learn more about logging? Testing your security Testing internal security CIS Scan Testing external security Nmap Nessus Mail Transfer Agents What is a mail server? Why would I install a mail server? Where do I put my mail server? Choosing the right mail server for you SendmailPostfix Other flavours Introduction to Postfix Getting Postfix Compiling & Installing Postfix Configuring Postfix Logging for Postfix Where do I learn more about Postfix? Apache Web Server What is a web server? Why would I install a web server? Where do I put my web server? Apache (2.0.x) Getting Apache Compiling & Installing Apache Configuring Apache Httpd.conf .htaccess Chrooting Apache Using Apache with SSL Logging for Apache httpd logging Syslog logging Statistics logging (Webaliz