
Anomaly ~ G. Wade Johnson

April 20, 2005

Review of Hardening Linux

Hardening Linux
James Turnbull
Apress, 2005.

I've read several books over the years focused on increasing the security of a Linux system. I think Hardening Linux may be the best example I've seen of a practical book on the subject. Turnbull walks through a number of potential security vulnerabilities and gives specific advice on locking them down.

The book includes the expected grounding in basic security principles like denying access by default and strong passwords. Even though Turnbull spends most of the book on securing individual vulnerabilities, the book is not just a checklist of things to change. He also explains the reasoning behind the changes and some of the side effects that you should be aware of. This explanation is probably the most important feature of the book. If you need to set up a bastion host, secure a mail server connected to the Internet, or just want to know something about the dangers of providing services to the Internet, this book gives you a strong grounding in the issues that determine the security of a server.

As a good example, I have read several articles and books that tell you how to configure a firewall. But, I don't think I have ever seen a better description of why you make some changes and not others. I particularly liked Turnbull's discussion of the issues with configuring a firewall remotely. Anyone who has accidentally locked themselves out of the system they are configuring would appreciate his advice.

I especially liked the chapter on securing FTP. Turnbull firmly states that FTP is extremely hard to secure. He covers the various reasons why it is hard to secure. He states firmly that in the interest of security, you should not run an FTP server. Then, he goes step-by-step to show how to provide as secure an FTP server as possible if you really have to have one. This stands in stark contrast to an academic approach of ignoring systems that can't be made secure. Turnbull does a great job of making that point, and then bowing to the necessity that some people will need the service anyway.

Although I really enjoyed the book, it did have a couple of flaws. One is inherent in the topic: this is a really dense book. If you don't do serious system administration on a daily basis, you may find this book to be slow going. I sure did. However, this material is well covered despite being dense. Working through the material is worth the effort. The other problem has to do with editing. I found a relatively large number of minor typos, grammar errors, and mistakes in examples. Although it was still possible to understand what the author was saying, I feel that these errors made the task of working through the book a little more difficult.

Overall, I would definitely recommend this book to anyone who needs to secure a Linux server for any reason. If you are interested in what needs to be done to secure a mail server, DNS server, FTP server or any other public server, this is definitely a book you need to read.

Posted by GWade at April 20, 2005 09:40 PM.