Review: Linux Server Security

Staying on my current security theme, O’Reilly has published a second edition of Linux Server Security by Michael D. Bauer. The book, targeted toward those managing Internet-connected systems, also known as bastion hosts, packs a powerful arsenal of security design, theory and practical configuration schemes into 500 pages.

Bauer gained some notoriety from his Paranoid Penguin columns in the Linux Journal Magazine, which ultimately inspired the book.

What stands out prominently is the time Bauer took to introduce network security design and risk management before digging into the hands-on nuts and bolts. As business models change for web professionals, many developers find themselves donning at least a part-time system administrator’s hat. Understanding how underlying network designs work and how specific configurations can prevent attacks is critical before jumping into a command shell and making changes on a production server.

Bauer used some popular Linux distributions to base his security research on, including Red Hat, Fedora, SUSE and Debian, though much of the material covered should work fine on most distributions and BSD. For those who are familiar with the first edition from a few years ago, the author has revalidated much of the existing content and also added content for:

  • LDAP for authentication services
  • a chapter on database security contributed by Bill Lubanovic
  • using LDAP, Cyrus-Imapd and email encryption as part of email server security
  • much needed coverage of the vsftpd and ProFTPD FTP servers

Before any other daemons and services are covered, the book correctly gets the administrator started with iptables and building a strong firewall. Bauer then digs in layer by layer, looking at securing the BIND and djbdns name server software for DNS, taking control of mail with Sendmail and Postfix, and managing Apache, among others.

While many Linux admins may disagree, Bauer suggests that one of the first steps in hardening a Linux server that will touch the Internet is to ensure X Windows is not installed. “If a server is to run “headless” (without a monitor and thus administered remotely), it certainly doesn’t need a full X installation with GNOME, KDE, etc., and probably doesn’t even need a minimal one,” he wrote.

In my case I run all but one local development Linux system without X at all – and those systems run just fine. A combination of command line administration via SSH combined with a nice root-level GUI interface such as Webmin should keep maintaining headless servers as easy as having access via Gnome or KDE.

Perhaps the one gaping hole in this book is the lack of any mention of QMail. Surely QMail is growing in popularity and at the very least ranks alongside Postfix. I continually run into Qmail users (including myself!) and it would have found a nice home in the chapter on email management.

The book closes with important techniques for monitoring system logs as well as using one of my own favorites, Tripwire. The latter is in the final chapter on intrusion detection techniques and also includes coverage of Snort.

As a bonus for readers, two complete iptables startup scripts are included with the book: one, based on content covered in the book, for a server sitting on the Internet, and a second for multi-homed hosts, which is nice for firewalling in a DMZ where both internal and public network connections exist.
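
The appendix scripts themselves are not reproduced in this review. As an added example (not the book's or the reviewer's code), the script below emits a minimal default-deny ruleset for the simpler of the two cases, a single-homed Internet-facing host, in iptables-save format so it can be read and checked before being loaded with `iptables-restore`. The management network (203.0.113.0/24, a documentation range), the published ports (80 and 443) and the use of the conntrack match are assumptions chosen for illustration; a multi-homed DMZ host would additionally need FORWARD rules between its interfaces, which this example does not cover.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables ruleset for a
# single-homed bastion host. Review the output, then load it with
#   sh bastion.sh > bastion.rules && iptables-restore < bastion.rules
# The admin network and public ports below are assumed values.

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumed: where SSH admin sessions originate
PUBLIC_TCP="${PUBLIC_TCP:-80 443}"          # assumed: services offered to the Internet

# Print the ruleset in iptables-save format. INPUT and FORWARD default
# to DROP; only loopback, replies to our own connections, SSH from the
# admin network and the published TCP ports are accepted.
bastion_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    for port in $PUBLIC_TCP; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Sanity check before loading: both inbound chains must carry a DROP
# policy and the table must be terminated by COMMIT. Returns 0 if so.
check_rules() {
    rules="$(bastion_rules)"
    echo "$rules" | grep -q '^:INPUT DROP'   || return 1
    echo "$rules" | grep -q '^:FORWARD DROP' || return 1
    echo "$rules" | grep -q '^COMMIT$'       || return 1
    return 0
}

bastion_rules
```

Everything not explicitly accepted falls through to the logging rule (rate-limited so a flood cannot fill the log) and then to the chain's DROP policy; keeping the SSH rule restricted to the admin network is what makes the host safe to administer remotely without X, as the review notes above.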

Chapters:

1. Threat Modeling and Risk Management
  • Components of Risk
  • Simple Risk Analysis: ALEs
  • An Alternative: Attack Trees
  • Defenses
  • Conclusion
  • Resources

2. Designing Perimeter Networks
  • Some Terminology
  • Types of Firewall and DMZ Architectures
  • Deciding What Should Reside on the DMZ
  • Allocating Resources in the DMZ
  • The Firewall

3. Hardening Linux and Using iptables
  • OS Hardening Principles
  • Automated Hardening with Bastille Linux

4. Secure Remote Administration
  • Why It’s Time to Retire Cleartext Admin Tools
  • Secure Shell Background and Basic Use
  • Intermediate and Advanced SSH

5. OpenSSL and Stunnel
  • Stunnel and OpenSSL: Concepts

6. Securing Domain Name Services (DNS)
  • DNS Basics
  • DNS Security Principles
  • Selecting a DNS Software Package
  • Securing BIND
  • djbdns
  • Resources

7. Using LDAP for Authentication
  • LDAP Basics
  • Setting Up the Server
  • LDAP Database Management
  • Conclusions
  • Resources

8. Database Security
  • Types of Security Problems
  • Server Location
  • Server Installation
  • Database Operation
  • Resources

9. Securing Internet Email
  • Background: MTA and SMTP Security
  • Using SMTP Commands to Troubleshoot and Test SMTP Servers
  • Securing Your MTA
  • Sendmail
  • Postfix
  • Mail Delivery Agents
  • A Brief Introduction to Email Encryption
  • Resources

10. Securing Web Servers
  • Web Security
  • The Web Server
  • Web Content
  • Web Applications
  • Layers of Defense
  • Resources

11. Securing File Services
  • FTP Security
  • Other File-Sharing Methods
  • Resources

12. System Log Management and Monitoring
  • syslog
  • Syslog-ng
  • Testing System Logging with logger
  • Managing System Logfiles with logrotate
  • Using Swatch for Automated Log Monitoring
  • Some Simple Log-Reporting Tools
  • Resources

13. Simple Intrusion Detection Techniques
  • Principles of Intrusion Detection Systems
  • Using Tripwire
  • Other Integrity Checkers
  • Snort
  • Resources

Appendix: Two Complete iptables Startup Scripts

Translated from: https://www.sitepoint.com/review-linux-server-security/