Mastering Linux Security and Hardening: secure your Linux server and protect it from intruders, malware attacks, and other external threats

A comprehensive guide to mastering the art of preventing your Linux system from getting compromised.

About This Book: Leverage this guide to confidently deliver a system that reduces the risk of being hacked. Perform a number of advanced Linux security techniques such as network service detection, use...
Format: Electronic book
Language: English
Published: Birmingham, England : Packt Publishing, 2018
Edition: 1st edition
View in the Universitat Ramon Llull library: https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009631635506719

Table of Contents:
- Intro
- Cover
- Copyright and Credits
- Packt Upsell
- Contributors
- Table of Contents
- Preface
- Chapter 1: Running Linux in a Virtual Environment
- The threat landscape
- So, how does this happen?
- Keeping up with security news
- Introduction to VirtualBox and Cygwin
- Installing a virtual machine in VirtualBox
- The EPEL repository on the CentOS virtual machine
- Configuring a network for VirtualBox virtual machines
- Creating a virtual machine snapshot with VirtualBox
- Using Cygwin to connect to your virtual machines
- Installing Cygwin on your Windows host
- Summary
- Chapter 2: Securing User Accounts
- The dangers of logging in as the root user
- The advantages of using sudo
- Setting up sudo privileges for full administrative users
- Method 1 - adding users to a predefined admin group
- Method 2 - creating an entry in the sudo policy file
- Setting up sudo for users with only certain delegated privileges
- Hands-on lab for assigning limited sudo privileges
- Advanced tips and tricks for using sudo
- The sudo timer
- Hands-on lab for disabling the sudo timer
- Preventing users from having root shell access
- Preventing users from using shell escapes
- Preventing users from using other dangerous programs
- Limiting the user's actions with commands
- Letting users run as other users
- Locking down users' home directories the Red Hat or CentOS way
- Locking down users' home directories the Debian/Ubuntu way
- useradd on Debian/Ubuntu
- adduser on Debian/Ubuntu
- Hands-on lab for configuring adduser
- Enforcing strong password criteria
- Installing and configuring pwquality
- Hands-on lab for setting password complexity criteria
- Setting and enforcing password and account expiration
- Configuring default expiry data for useradd - for Red Hat or CentOS only
- Setting expiry data on a per-account basis, with useradd and usermod
- Setting expiry data on a per-account basis, with chage
- Hands-on lab for setting account and password expiry data
- Preventing brute-force password attacks
- Configuring the pam_tally2 PAM module
- Hands-on lab for configuring pam_tally2
- Locking user accounts
- Using usermod to lock a user account
- Using passwd to lock user accounts
- Locking the root user account
- Setting up security banners
- Using the motd file
- Using the issue file
- Using the issue.net file
- Summary
- Chapter 3: Securing Your Server with a Firewall
- An overview of iptables
- Basic usage of iptables
- Hands-on lab for basic iptables usage
- Uncomplicated Firewall for Ubuntu systems
- Basic usage of ufw
- Hands-on lab for basic ufw usage
- firewalld for Red Hat systems
- Verifying the status of firewalld
- firewalld zones
- firewalld services
- Adding ports to a firewalld zone
- firewalld rich language rules
- Hands-on lab for firewalld commands
- nftables - a more universal type of firewall system
- nftables tables and chains
- Getting started with nftables
- Using nft commands
- Hands-on lab for nftables on Ubuntu
- Summary
- Chapter 4: Encrypting and SSH Hardening
- GNU Privacy Guard
- Creating your GPG keys
- Symmetrically encrypting your own files
- Hands-on lab - combining gpg and tar for encrypted backups
- Using private and public keys for asymmetric encryption and signing
- Signing a file without encryption
- Encrypting partitions with Linux Unified Key Setup - LUKS
- Disk encryption during operating system installation
- Adding an encrypted partition with LUKS
- Configuring the LUKS partition to mount automatically
- Encrypting directories with eCryptfs
- Home directory and disk encryption during Ubuntu installation
- Encrypting a home directory for a new user account
- Creating a private directory within an existing home directory
- Encrypting other directories with eCryptfs
- Encrypting the swap partition with eCryptfs
- Using VeraCrypt for cross-platform sharing of encrypted containers
- Getting and installing VeraCrypt
- Creating and mounting a VeraCrypt volume in console mode
- Using VeraCrypt in GUI mode
- Ensuring that SSH protocol 1 is disabled
- Creating and managing keys for password-less logins
- Creating a user's SSH key set
- Transferring the public key to the remote server
- Disabling root user login
- Disabling username/password logins
- Setting up a chroot environment for SFTP users
- Creating a group and configuring the sshd_config file
- Hands-on lab - setting up a chroot directory for sftpusers group
- Summary
- Chapter 5: Mastering Discretionary Access Control
- Using chown to change ownership of files and directories
- Using chmod to set permissions values on files and directories
- Setting permissions with the symbolic method
- Setting permissions with the numerical method
- Using SUID and SGID on regular files
- The security implications of the SUID and SGID permissions
- Finding spurious SUID or SGID files
- Hands-on lab - searching for SUID and SGID files
- Preventing SUID and SGID usage on a partition
- Using extended file attributes to protect sensitive files
- Setting the a attribute
- Setting the i attribute
- Hands-on lab - setting security-related extended file attributes
- Summary
- Chapter 6: Access Control Lists and Shared Directory Management
- Creating an access control list for either a user or a group
- Creating an inherited access control list for a directory
- Removing a specific permission by using an ACL mask
- Using the tar --acls option to prevent the loss of ACLs during a backup
- Creating a user group and adding members to it
- Adding members as we create their user accounts
- Using usermod to add an existing user to a group
- Adding users to a group by editing the /etc/group file
- Creating a shared directory
- Setting the SGID bit and the sticky bit on the shared directory
- Using ACLs to access files in the shared directory
- Setting the permissions and creating the ACL
- Charlie tries to access Vicky's file with an ACL set for Cleopatra
- Hands-on lab - creating a shared group directory
- Summary
- Chapter 7: Implementing Mandatory Access Control with SELinux and AppArmor
- How SELinux can benefit a systems administrator
- Setting security contexts for files and directories
- Installing the SELinux tools
- Creating web content files with SELinux enabled
- Fixing an incorrect SELinux context
- Using chcon
- Using restorecon
- Using semanage
- Hands-on lab - SELinux type enforcement
- Troubleshooting with setroubleshoot
- Viewing setroubleshoot messages
- Using the graphical setroubleshoot utility
- Troubleshooting in permissive mode
- Working with SELinux policies
- Viewing the Booleans
- Configuring the Booleans
- Protecting your web server
- Protecting network ports
- Creating custom policy modules
- Hands-on lab - SELinux Booleans and ports
- How AppArmor can benefit a systems administrator
- Looking at AppArmor profiles
- Working with AppArmor command-line utilities
- Troubleshooting AppArmor problems
- Summary
- Chapter 8: Scanning, Auditing, and Hardening
- Installing and updating ClamAV and maldet
- Installing ClamAV and maldet
- Configuring maldet
- Updating ClamAV and maldet
- Scanning with ClamAV and maldet
- SELinux considerations
- Scanning for rootkits with Rootkit Hunter
- Installing and updating Rootkit Hunter
- Scanning for rootkits
- Controlling the auditd daemon
- Creating audit rules
- Auditing a file for changes
- Auditing a directory
- Auditing system calls
- Using ausearch and aureport
- Searching for file change alerts
- Searching for directory access rule violations
- Searching for system call rule violations
- Generating authentication reports
- Using predefined rules sets
- Applying OpenSCAP policies with oscap
- Installing OpenSCAP
- Viewing the profile files
- Scanning the system
- Remediating the system
- Using SCAP Workbench
- More about OpenSCAP profiles
- Applying an OpenSCAP profile during system installation
- Summary
- Chapter 9: Vulnerability Scanning and Intrusion Detection
- Looking at Snort and Security Onion
- Obtaining and installing Snort
- Graphical interfaces for Snort
- Getting Snort in prebuilt appliances
- Using Security Onion
- Scanning and hardening with Lynis
- Installing Lynis on Red Hat/CentOS
- Installing Lynis on Ubuntu
- Scanning with Lynis
- Finding vulnerabilities with OpenVAS
- Web server scanning with Nikto
- Nikto in Kali Linux
- Installing and updating Nikto on Linux
- Scanning a web server with Nikto
- Summary
- Chapter 10: Security Tips and Tricks for the Busy Bee
- Auditing system services
- Auditing system services with systemctl
- Auditing network services with netstat
- Auditing network services with Nmap
- Port states
- Scan types
- Password-protecting the GRUB 2 bootloader
- Resetting the password for Red Hat/CentOS
- Resetting the password for Ubuntu
- Preventing kernel parameter edits on Red Hat/CentOS
- Preventing kernel parameter edits on Ubuntu
- Password-protecting boot options
- Disabling the submenu for Ubuntu
- Password-protecting boot option steps for both Ubuntu and Red Hat
- Securely configuring BIOS/UEFI
- Using a security checklist for system setup
- Summary
- Other Books You May Enjoy
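The Chapter 4 entries "Ensuring that SSH protocol 1 is disabled", "Disabling root user login" and "Disabling username/password logins" all come down to three directives in sshd_config. The script below is an added example, not code from the book or from this catalogue record: it audits a given sshd_config for those three settings and returns the number of findings. It relies on sshd's documented parsing rules (the first uncommented occurrence of a keyword wins, keywords are case-insensitive, `=` may separate keyword and value, and directives after a `Match` line apply only conditionally) and on the compiled-in defaults for an absent keyword (PasswordAuthentication yes; PermitRootLogin prohibit-password on OpenSSH 7.0 and later). The function names and the two sample configurations are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the book): audit an sshd_config for the three
# Chapter 4 hardening items. Usage: audit_sshd_config /etc/ssh/sshd_config
# Prints one line per finding; the return code is the number of findings.

# first_value FILE KEYWORD -> prints the effective value of KEYWORD, or ""
# if it is never set before the first Match block (sshd: first match wins).
first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }              # comments are not directives
        /^[[:space:]]*$/ { next }
        { gsub(/=/, " "); $0 = $0 }            # allow "Keyword=value"; re-split
        tolower($1) == "match" { exit }        # later lines are conditional
        tolower($1) == key { print $2; exit }  # first occurrence wins
    ' "$1"
}

audit_sshd_config() {
    cfg=$1
    findings=0

    v=$(first_value "$cfg" Protocol)
    case "$v" in
        *1*) echo "Protocol allows SSHv1 ('$v'): set 'Protocol 2' or remove the line"
             findings=$((findings + 1)) ;;
    esac

    v=$(first_value "$cfg" PermitRootLogin)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        no) ;;
        *)  echo "PermitRootLogin is '${v:-unset (default prohibit-password)}': set 'PermitRootLogin no'"
            findings=$((findings + 1)) ;;
    esac

    v=$(first_value "$cfg" PasswordAuthentication)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        no) ;;
        *)  echo "PasswordAuthentication is '${v:-unset (default yes)}': set 'PasswordAuthentication no' once keys are deployed"
            findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Constructed sample: a weak configuration. The commented-out line and the
# directive inside the Match block must both be ignored by the audit.
make_weak_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication=yes
Match User backup
    PasswordAuthentication no
EOF
    echo "$f"
}

# Constructed sample: the hardened form. Protocol is omitted on purpose;
# OpenSSH 7.4+ has no SSHv1 support and 7.6+ rejects the keyword entirely.
make_hardened_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF
    echo "$f"
}

if [ "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

Run it against the live file with `sh audit.sh /etc/ssh/sshd_config`, and validate any change before restarting the daemon with `sshd -t`, which parses the whole file including Match blocks that this checker deliberately stops at.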