Linux Hardening in Hostile Networks

Implement Industrial-Strength Security on Any Linux Server In an age of mass surveillance, when advanced cyberwarfare weapons rapidly migrate into every hacker's toolkit, you can't rely on outdated security methods-especially if you're responsible for Internet-facing services. In Linux® Hardening in Hostile Networks, Kyle Rankin helps you to implement modern safeguards that provide maximum impact with minimum effort and to strip away old techniques that are no longer worth your time. Rankin provides clear, concise guidance on modern workstation, server, and network hardening, and explains how to harden specific services, such as web servers, email, DNS, and databases. Along the way, he demystifies technologies once viewed as too complex or mysterious but now essential to mainstream Linux security. He also includes a full chapter on effective incident response that both DevOps and SecOps can use to write their own incident response plan. Each chapter begins with techniques any sysadmin can use quickly to protect against entry-level hackers and presents intermediate and advanced techniques to safeguard against sophisticated and knowledgeable attackers, perhaps even state actors. Throughout, you learn what each technique does, how it works, what it does and doesn't protect against, and whether it would be useful in your environment.

Register your product at informit.com/register for convenient access to downloads, updates, and corrections as they become available.

Kyle Rankin is the vice president of engineering operations for Final, Inc.; the author of DevOps Troubleshooting, The Official Ubuntu Server Book, Knoppix Hacks, Knoppix Pocket Reference, Linux Multimedia Hacks, and Ubuntu Hacks; and a contributor to a number of other books. Rankin is an award-winning columnist for Linux Journal and has written for PC Magazine, TechTarget websites, and other publications. He speaks frequently on Open Source software, including a keynote at SCALE 11x and numerous other talks at SCALE, O'Reilly Security Conference, OSCON, CactusCon, Linux World Expo, Penguicon, and a number of Linux Users' Groups. In his free time Kyle does much of what he does at work-plays with Linux and computers in general. He's also interested in brewing, BBQing, playing the banjo, 3D printing, and far too many other hobbies.

Foreword xiii Preface xv Acknowledgments xxiii About the Author xxv Chapter 1: Overall Security Concepts 1 Section 1: Security Fundamentals 1 Section 2: Security Practices Against a Knowledgeable Attacker 10 Section 3: Security Practices Against an Advanced Attacker 20 Summary 24 Chapter 2: Workstation Security 25 Section 1: Security Fundamentals 25 Section 2: Additional Workstation Hardening 33 Section 3: Qubes 37 Summary 52 Chapter 3: Server Security 53 Section 1: Server Security Fundamentals 53 Section 2: Intermediate Server-Hardening Techniques 58 Section 3: Advanced Server-Hardening Techniques 68 Summary 74 Chapter 4: Network 75 Section 1: Essential Network Hardening 76 Section 2: Encrypted Networks 87 Section 3: Anonymous Networks 100 Summary 107 Chapter 5: Web Servers 109 Section 1: Web Server Security Fundamentals 109 Section 2: HTTPS 113 Section 3: Advanced HTTPS Configuration 118 Summary 131 Chapter 6: Email 133 Section 1: Essential Email Hardening 133 Section 2: Authentication and Encryption 137 Section 3: Advanced Hardening 141 Summary 156 Chapter 7: DNS 157 Section 1: DNS Security Fundamentals 158 Section 2: DNS Amplification Attacks and Rate Limiting 161 Section 3: DNSSEC 166 Summary 175 Chapter 8: Database 177 Section 1: Database Security Fundamentals 177 Section 2: Database Hardening 185 Section 3: Database Encryption 191 Summary 195 Chapter 9: Incident Response 197 Section 1: Incident Response Fundamentals 197 Section 2: Secure Disk Imaging Techniques 200 Section 3: Walk Through a Sample Investigation 209 Summary 214 Appendix A: Tor 215 What Is Tor? 215 How Tor Works 216 Security Risks 219 Appendix B: SSL/TLS 221 What Is TLS? 221 How TLS Works 222 TLS Troubleshooting Commands 224 Security Risks 224 Index 229