Mastering Linux Security and Hardening: Secure your Linux server and protect it from intruders, malware attacks, and other external threats

Running Linux in a Virtual Environment

So, you may be asking yourself, "Why do I need to study Linux security? Isn't Linux already secure? After all, it's not Windows." But, the fact is, there are many reasons.

It's true that Linux has certain advantages over Windows when it comes to security.  These include:

  • Unlike Windows, Linux was designed from the ground up as a multiuser operating system. So, user security tends to be a bit better on a Linux system.
  • Linux offers a better separation between administrative users and unprivileged users. This makes it a bit harder for intruders, and it also makes it a bit harder for a user to accidentally infect a Linux machine with something nasty.
  • Linux is much more resistant to virus and malware infections than Windows is.
  • Certain Linux distributions come with built-in mechanisms, such as SELinux in Red Hat and CentOS and AppArmor in Ubuntu, which prevent intruders from taking control of a system.
  • Linux is free and open source software. This allows anyone who has the skill to audit Linux code to hunt for bugs or backdoors.

But, even with those advantages, Linux is just like everything else that's been created by mankind. That is, it isn't perfect.

Here are the topics that we'll cover in this chapter:

  • Why every Linux administrator needs to learn about Linux security
  • A bit about the threat landscape, with some examples of how attackers have, at times, been able to breach Linux systems
  • Resources for keeping up with IT security news
  • How to set up Ubuntu Server and CentOS virtual machines with VirtualBox, and how to install the EPEL repository in the CentOS virtual machine
  • How to create virtual machine snapshots
  • How to install Cygwin on a Windows host so that Windows users can connect to a virtual machine from their Windows hosts

The threat landscape

If you've kept up with IT technology news over the past few years, you'll likely have seen at least a few articles about how attackers have compromised Linux servers.  For example, while it's true that Linux isn't really susceptible to virus infections, there have been several cases where attackers have planted other types of malware on Linux servers.  These cases have included:

  • Botnet malware: It causes a server to join a botnet that is controlled by a remote attacker. One of the more famous cases involved joining Linux servers to a botnet that launched denial-of-service attacks against other networks.
  • Ransomware: It is designed to encrypt user data until the server owner pays a ransom fee. But, even after paying the fee, there's no guarantee that the data can be recovered.
  • Cryptocoin mining software: It causes the CPUs of the server on which it's planted to work extra hard and consume more energy. Cryptocoins that get mined go to the accounts of the attackers who planted the software.

And, of course, there have been plenty of breaches that don't involve malware, such as where attackers have found a way to steal user credentials, credit card data, or other sensitive information.

Some security breaches come about because of plain carelessness. Here's an example of where a careless Adobe administrator placed the company's private security key on a public security blog: https://www.theinquirer.net/inquirer/news/3018010/adobe-stupidly-posts-private-pgp-key-on-its-security-blog.

So, how does this happen?

Regardless of whether you're running Linux, Windows, or whatever else, the reasons for security breaches are usually the same. They could be security bugs in the operating system, or security bugs in an application that's running on that operating system.  Often, a bug-related security breach could have been prevented had the administrators applied security updates in a timely manner.

Another big issue is poorly-configured servers. A standard, out-of-the-box configuration of a Linux server is actually quite insecure and can cause a whole ton of problems. One cause of poorly-configured servers is simply the lack of properly-trained personnel to securely administer Linux servers. (Of course, that's great news for the readers of this book, because, trust me, there's no lack of well-paying, IT security jobs.)

As we journey through this book, we'll see how to do business the right way, to make our servers as secure as possible.

Keeping up with security news

If you're in the IT business, even if you're not a security administrator, you want to keep up with the latest security news.  In the age of the internet, that's easy to do.

First, there are quite a few websites that specialize in network security news. Examples include Packet Storm Security and The Hacker News. Regular tech news sites and Linux news websites, such as The INQUIRER, The Register, ZDNet, and LXer also carry reports about network security breaches.  And, if you'd rather watch videos than read, you'll find plenty of good YouTube channels, such as BeginLinux Guru.

Finally, regardless of which Linux distribution you're using, be sure to keep up with the news and current documentation for your Linux distribution. Distribution maintainers should have a way of letting you know if a security problem crops up in their products.

Links to security news sites are as follows:

Links to general tech news sites are as follows:

You can check out some general Linux learning resources as well. Linux News Site:

(Full disclosure:  I am the BeginLinux Guru.)

One thing to always remember as you go through this book is that the only operating system you'll ever see that's totally, 100% secure will be installed on a computer that never gets turned on.

Introduction to VirtualBox and Cygwin

Whenever I write or teach, I try very hard not to provide students with a cure for insomnia. Throughout this book, you'll see a bit of theory whenever it's necessary, but I mainly like to provide good, practical information. There will also be plenty of step-by-step hands-on labs.

The best way to do the labs is to use Linux virtual machines. Most of what we'll do can apply to any Linux distribution, but we will also do some things that are specific to either Red Hat Enterprise Linux or Ubuntu Linux. (Red Hat Enterprise Linux is the most popular for enterprise use, while Ubuntu is most popular for cloud deployments.) 

Red Hat is a billion-dollar company, so there's no doubt about where they stand in the Linux market. But, since Ubuntu Server is free-of-charge, we can't judge its popularity strictly on the basis of its parent company's worth.  The reality is that Ubuntu Server is the most widely-used Linux distribution for deploying cloud-based applications.

See here for details: http://www.zdnet.com/article/ubuntu-linux-continues-to-dominate-openstack-and-other-clouds/.

Since Red Hat is a fee-based product, we'll substitute CentOS 7, which is built from Red Hat source code and is free-of-charge. There are several different virtualization platforms that you can use, but my own preferred choice is VirtualBox.

VirtualBox is available for Windows, Linux, and Mac hosts, and is free of charge for all of them. It has features that you have to pay for on other platforms, such as the ability to create snapshots of virtual machines. 

Some of the labs that we'll be doing will require you to simulate creating a connection from your host machine to a remote Linux server. If your host machine is either a Linux or a Mac machine, you'll just be able to open the Terminal and use the built-in Secure Shell tools.  If your host machine is running Windows, you'll need to install some sort of Bash shell, which we'll do by installing Cygwin.

Installing a virtual machine in VirtualBox

For those of you who've never used VirtualBox, here's a quick how-to to get you going:

  1. Download and install VirtualBox and the VirtualBox Extension Pack. You can get them from: https://www.virtualbox.org/.
  2. Download the installation .iso files for Ubuntu Server and CentOS 7. You can get them from: https://www.ubuntu.com/ and https://www.centos.org/.
  3. Start VirtualBox and click the New icon at the top of the screen. Fill out the information where requested. Increase the virtual drive size to 20 GB, but leave everything else as the default settings:
  4. Start the new virtual machine. Click on the folder icon at the bottom-left corner of the dialog box and navigate to the directory where you stored the .iso files that you downloaded.  Choose either the Ubuntu .iso file or the CentOS .iso file as shown in the following screenshot:
  5. Click the Start button on the dialog box to start installing the operating system. Note that, for Ubuntu Server, you won't be installing a desktop interface.  For the CentOS virtual machine, choose either the KDE desktop or the Gnome desktop, as you desire. (We'll go through at least one exercise that will require a desktop interface for the CentOS machine.)
  6. Repeat the procedure for the other Linux distribution.
  7. Update the Ubuntu virtual machine by entering:
        sudo apt update
        sudo apt dist-upgrade
  8. Hold off on updating the CentOS virtual machine because we'll do that in the next exercise.

When installing Ubuntu, you'll be asked to create a normal user account and password for yourself. It won't ask you to create a root user password, but will instead automatically add you to the sudo group so that you'll have admin privileges.

When you get to the user account creation screen of the CentOS installer, be sure to check the Make this user administrator box for your own user account, since it isn't checked by default. It will offer you the chance to create a password for the root user, but that's entirely optional—in fact, I never do.

The user account creation screen of CentOS installer is shown as follows:

The EPEL repository on the CentOS virtual machine

While the Ubuntu package repositories have pretty much everything that you need for this course, the CentOS package repositories are—shall we say—lacking. To have the packages that you'll need for the CentOS hands-on labs, you'll need to install the EPEL (Extra Packages for Enterprise Linux) repository. (The EPEL project is run by the Fedora team.) When you install third-party repositories on Red Hat and CentOS systems, you'll also need to install a priorities package, and edit the .repo files to set the proper priorities for each repository. This will prevent packages from the third-party repository from overwriting official Red Hat and CentOS packages if they just happen to have the same name. The following steps will help you install the required packages and edit the .repo files:

  1. The two packages that you'll need to install EPEL are in the normal CentOS repositories. Run the command:
        sudo yum install yum-plugin-priorities epel-release
  2. When the installation completes, navigate to the /etc/yum.repos.d directory, and open the CentOS-Base.repo file in your favorite text editor. After the last line of the base, updates, and extras sections, add the line, priority=1. After the last line of the centosplus section, add the line, priority=2. Save the file and close the editor.  Each of the sections that you've edited should look something like this (except with the appropriate name and priority number):
        [base]
        name=CentOS-$releasever - Base
        mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
        #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
        gpgcheck=1
        gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
        priority=1
  3. Open the epel.repo file for editing. After the last line of the epel section, add the line, priority=10. After the last line of each remaining section, add the line, priority=11.
  4. Update the system and then create a list of the installed and available packages by running:
        sudo yum upgrade
        sudo yum list > yum_list.txt
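
One way to check the result of the steps above, as an added example that is not from the book: a POSIX shell script that reads CentOS-Base.repo and epel.repo and reports every section whose priority differs from the values given in steps 2 and 3. The function names and the sample files are constructed for illustration; on the CentOS virtual machine you would run audit_repo_dir /etc/yum.repos.d.

```shell
#!/bin/sh
# Added example (not from the book): audit .repo priorities against the steps above.

# Print "section priority" for each [section]; "-" means no priority= line.
# Commented-out lines such as "#priority=1" do not count.
repo_priorities() {
    awk '
        /^[ \t]*\[[^]]+\][ \t]*$/ {
            if (sec != "") print sec, prio
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            prio = "-"; next
        }
        /^[ \t]*priority[ \t]*=/ {
            prio = $0; sub(/^[^=]*=/, "", prio); gsub(/[ \t]/, "", prio)
        }
        END { if (sec != "") print sec, prio }
    ' "$1"
}

# Priority the chapter assigns to a section; empty output means "not covered".
expected_priority() {   # $1 = file name, $2 = section name
    case "$1:$2" in
        CentOS-Base.repo:base|CentOS-Base.repo:updates|CentOS-Base.repo:extras) echo 1 ;;
        CentOS-Base.repo:centosplus) echo 2 ;;
        epel.repo:epel) echo 10 ;;
        epel.repo:*) echo 11 ;;
    esac
}

# Report every mismatch in directory $1; return 1 if anything is wrong.
audit_repo_dir() {
    dir=$1; bad=0
    for name in CentOS-Base.repo epel.repo; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then echo "$name: file not found"; bad=1; continue; fi
        while read -r sec prio; do
            [ -n "$sec" ] || continue
            want=$(expected_priority "$name" "$sec")
            [ -n "$want" ] || continue
            if [ "$prio" != "$want" ]; then
                echo "$name [$sec] priority=$prio expected=$want"
                bad=1
            fi
        done <<EOF
$(repo_priorities "$f")
EOF
    done
    return "$bad"
}

# Constructed sample files: [extras] has its priority commented out and
# [epel-source] was left at 10 instead of 11.
make_sample_repos() {
    cat > "$1/CentOS-Base.repo" <<'EOF'
[base]
gpgcheck=1
priority=1

[updates]
gpgcheck=1
priority=1

[extras]
gpgcheck=1
#priority=1

[centosplus]
gpgcheck=1
priority=2
EOF
    cat > "$1/epel.repo" <<'EOF'
[epel]
gpgcheck=1
priority=10

[epel-debuginfo]
priority=11

[epel-source]
priority=10
EOF
}

# Demo on the constructed files.
demo_dir=$(mktemp -d)
make_sample_repos "$demo_dir"
audit_repo_dir "$demo_dir" || echo "priorities need fixing"
rm -rf "$demo_dir"
```

A section that is missing its priority line is the case to watch for: the yum priorities plugin then treats that repository with its default priority, so the ordering set up in the steps above no longer holds for it.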

Configuring a network for VirtualBox virtual machines

Some of our training scenarios will require you to simulate creating a connection to a remote server. You would do this by using your host machine to connect to a virtual machine. When you first create a virtual machine on VirtualBox, the networking is set to NAT mode. In order to connect to the virtual machine from the host, you'll need to set the virtual machine's network adapter to Bridged Adapter mode. Here's how you can do this:

  1. Shut down any virtual machines that you've already created.
  2. On the VirtualBox manager screen, open the Settings dialog for a virtual machine.
  3. Click the Network menu item, and change the Attached to setting from NAT to Bridged Adapter:
  4. Expand the Advanced item, and change the Promiscuous Mode setting to Allow All:
  5. Restart the virtual machine and set it to use a static IP address.

If you assign static IP addresses from the high end of your subnet range, it will be easier to prevent conflicts with low-number IP addresses that get handed out from your internet gateway.

Creating a virtual machine snapshot with VirtualBox

One of the beautiful things about working with virtual machines is that you can create a snapshot and roll back to it if you mess something up. With VirtualBox, that's easy to do.

  1. At the top, right-hand corner of the VirtualBox manager screen, click the Snapshots button:
  2. Just left of mid-screen, you'll see a camera icon. Click on that to bring up the snapshot dialog box. Either fill in the desired Snapshot Name, or accept the default name. Optionally, you can create a description:
  3. After you've made changes to the virtual machine, you can roll back to the snapshot by shutting down the virtual machine, then right-clicking on the snapshot name, and selecting the proper menu item:

Using Cygwin to connect to your virtual machines

If your host machine is either a Linux or Mac machine, you'll simply open the host's Terminal and use the tools that are already there to connect to the virtual machine. But, if you're running a Windows machine, you'll want to install some sort of Bash shell and use its networking tools. Windows 10 Pro now comes with a Bash shell that's been provided by the Ubuntu folk and you can use that if you desire. But, if you don't have Windows 10 Pro, or if you prefer to use something else, you might consider Cygwin.

Cygwin, a project of the Red Hat company, is a free open source Bash shell that's built for Windows. It's free-of-charge, and easy to install.

Installing Cygwin on your Windows host

Here's a quick how-to to get you going with Cygwin:

  1. In your host machine's browser, download the appropriate setup*.exe file for your version of Windows from: http://www.cygwin.com/.
  2. Double-click on the setup icon to begin the installation. For the most part, just accept the defaults until you get to the package selection screen. (The one exception will be the screen where you select a download mirror.)
  3. At the top of the package selection screen, select Category from the View menu:
  4. Expand the Net category:
  5. Scroll down until you see the openssh package. Under the New column, click on Skip. (This causes a version number to appear in place of the Skip.):
  6. After you have selected the proper package, your screen should look like this:
  7. In the bottom right-hand corner, click Next. If a Resolving Dependencies screen pops up, click Next on it as well.
  8. Keep the setup file that you downloaded, because you'll use it later to either install more software packages, or to update Cygwin. (When you open Cygwin, any updated packages will show up on the Pending view on View menu.)
  9. Once you open Cygwin from the Windows Start menu, you can resize it as you desire, and use either the Ctrl + + or Ctrl + - key combinations to resize the font:

Summary

So, we've made a good start to our journey into Linux security and hardening. In this chapter, we looked at why it's just as important to know about securing and hardening Linux systems as it is to know how to secure and harden Windows systems. We provided a few examples of how a poorly-configured Linux system can be compromised, and we mentioned that learning about Linux security could be good for your career. After that, we looked at how to set up a virtualized lab environment using VirtualBox and Cygwin.

In the next chapter, we'll look at locking down user accounts, and ensuring that the wrong people never get administrative privileges. I'll see you there.


Key benefits

  • Leverage this guide to confidently deliver a system that reduces the risk of being hacked
  • Perform a number of advanced Linux security techniques such as network service detection, user authentication, controlling special permissions, encrypting file systems, and much more
  • Master the art of securing a Linux environment with this end-to-end practical guide

Description

This book has extensive coverage of techniques that will help prevent attackers from breaching your system, by building a much more secure Linux environment. You will learn various security techniques such as SSH hardening, network service detection, setting up firewalls, encrypting file systems, protecting user accounts, authentication processes, and so on. Moving forward, you will also develop hands-on skills with advanced Linux permissions, access control, special modes, and more. Lastly, this book will also cover best practices and troubleshooting techniques to get your work done efficiently. By the end of this book, you will be confident in delivering a system that will be much harder to compromise.

Who is this book for?

If you are a systems administrator or a network engineer interested in making your Linux environment more secure, then this book is for you. Security consultants wanting to enhance their Linux security skills will also benefit from this book. Prior knowledge of Linux is mandatory.

What you will learn

  • Use various techniques to prevent intruders from accessing sensitive data
  • Prevent intruders from planting malware, and detect whether malware has been planted
  • Prevent insiders from accessing data that they aren't authorized to access
  • Do quick checks to see whether a computer is running network services that it doesn't need to run
  • Learn security techniques that are common to all Linux distros, and some that are distro-specific

Product Details

Publication date: Jan 11, 2018
Length: 376 pages
Edition: 1st
Language: English
ISBN-13: 9781788625067

Table of Contents

11 Chapters
  • Running Linux in a Virtual Environment
  • Securing User Accounts
  • Securing Your Server with a Firewall
  • Encrypting and SSH Hardening
  • Mastering Discretionary Access Control
  • Access Control Lists and Shared Directory Management
  • Implementing Mandatory Access Control with SELinux and AppArmor
  • Scanning, Auditing, and Hardening
  • Vulnerability Scanning and Intrusion Detection
  • Security Tips and Tricks for the Busy Bee
  • Other Books You May Enjoy

Customer reviews

Rating: 3.9 out of 5 (7 ratings)
5 star 42.9%
4 star 14.3%
3 star 28.6%
2 star 14.3%
1 star 0%

R. G., Apr 04, 2018 (5 stars, Amazon verified review)
Very good overview of a broad spectrum of tools, tips, and techniques without getting bogged into too heavy details. It's very good for Linux sysadmins to read through to pick up items they may not have realized existed or even know to search for. I just read through beginning to end as a training course and then marked sections where I wanted to dig into and search for more info like OpenSCAP and Security Onion.

Amazon Customer, May 06, 2018 (5 stars, Amazon verified review)
This is a great book about how Linux works in general, the security aspect puts it in the 5 star category. Comprehensive, informative and fun to read. I highly recommend this book to anyone interested in Linux Security.

Van, Mar 20, 2018 (5 stars, Amazon verified review)
This is a great tool for beginner and experienced Linux administrators alike. The author does an excellent job explaining the concepts, methods and the logic behind everything. Very easy to grasp and packed with useful information. Highly recommended.

Ham, Mar 10, 2019 (4 stars, Amazon verified review)
Lots of practical information and hints and tips. Very helpful book. Lots of things to try out. Worth reading and referencing.

Alex, Aug 19, 2018 (3 stars, Amazon verified review)
I was expecting this book to be like an updated version of Hardening Linux by James Turnbull, but was a bit disappointed. The technical level of the book is superficial. Although it certainly touches upon valid security-relevant points, there is little fleshed-out instruction or insightful content beyond what one can easily find on the web, which is where the reader is left to go anyway to build a more comprehensive understanding of the issues brushed in the book. Moreover, since computer security is really about knowing what you are doing, and preferably knowing as much as any potential attacker, I take issue with the many inaccurate simplifications in the book. E.g., in the section on firewalls (specifically on using iptables) one comes across a statement like “The -p indicates the protocol that this rule affects. This rule affects the TCP protocol, of which Secure Shell is a part.”. So the SSH protocol is part of the TCP protocol? Really...? No, of course not. And in the context of firewalls, it actually makes sense to understand this and to know your protocols. If you’re looking for a thorough and admin-practical introduction into Linux system security, I would recommend leaving this book for what it is, and starting with Turnbull instead. Although the latter shows its age, it provides for a better foundation.