Mastering Linux Security and Hardening

Donald A. Tevault, Salman Aftab

  1. 376 pages
  2. English

About this book

A comprehensive guide to mastering the art of preventing your Linux system from getting compromised.

Key Features

  • Leverage this guide to confidently deliver a system that reduces the risk of being hacked
  • Perform a number of advanced Linux security techniques such as network service detection, user authentication, controlling special permissions, encrypting file systems, and much more
  • Master the art of securing a Linux environment with this end-to-end practical guide

Book Description

This book has extensive coverage of techniques that will help prevent attackers from breaching your system, by building a much more secure Linux environment. You will learn various security techniques such as SSH hardening, network service detection, setting up firewalls, encrypting file systems, protecting user accounts, authentication processes, and so on. Moving forward, you will also develop hands-on skills with advanced Linux permissions, access control, special modes, and more. Lastly, this book will also cover best practices and troubleshooting techniques to get your work done efficiently. By the end of this book, you will be confident in delivering a system that will be much harder to compromise.

What you will learn

  • Use various techniques to prevent intruders from accessing sensitive data
  • Prevent intruders from planting malware, and detect whether malware has been planted
  • Prevent insiders from accessing data that they aren't authorized to access
  • Do quick checks to see whether a computer is running network services that it doesn't need to run
  • Learn security techniques that are common to all Linux distros, and some that are distro-specific

Who this book is for

If you are a systems administrator or a network engineer interested in making your Linux environment more secure, then this book is for you. Security consultants wanting to enhance their Linux security skills will also benefit from this book. Prior knowledge of Linux is mandatory.


Information

Year
2018
ISBN
9781788625067

Encrypting and SSH Hardening

You may work for a super-secret government agency, or you may be just a regular Joe or Jane citizen. Either way, you will still have sensitive data that you need to protect from prying eyes. Business secrets, government secrets, personal secrets—it doesn't matter; it all needs protection. Locking down users' home directories with restrictive permissions settings, as we saw in Chapter 2, Securing User Accounts, is only part of the puzzle; we also need encryption.
The two general types of data encryption that we'll look at in this chapter are meant to protect data at rest and data in transit. We'll begin with using file, partition, and directory encryption to protect data at rest. We'll then cover Secure Shell (SSH) to protect data in transit.
In this chapter, we'll cover:
  • GNU Privacy Guard (GPG)
  • Encrypting partitions with Linux Unified Key Setup (LUKS)
  • Encrypting directories with eCryptfs
  • Using VeraCrypt for the cross-platform sharing of encrypted containers
  • Ensuring that SSH protocol 1 is disabled
  • Creating and managing keys for password-less logins
  • Disabling root user login
  • Disabling username/password logins
  • Setting up a chroot environment for SFTP users

GNU Privacy Guard

We'll begin with GNU Privacy Guard (GPG). This is a free, open source implementation of Phil Zimmermann's Pretty Good Privacy, which he created back in 1991. You can use either one to encrypt or cryptographically sign files or messages. In this section, we'll focus strictly on GPG.
There are some advantages of using GPG:
  • It uses strong, hard-to-crack encryption algorithms.
  • It uses the private/public key scheme, which eliminates the need to transfer a password to a message or file recipient in a secure manner. Instead, just send along your public key, which is useless to anyone other than the intended recipient.
  • You can use GPG to just encrypt your own files for your own use, the same as you'd use any other encryption utility.
  • It can be used to encrypt email messages, allowing you to have true end-to-end encryption for sensitive emails.
  • There are a few GUI-type frontends available to make it somewhat easier to use.
But, as you might know, there are also some disadvantages:
  • Using public keys instead of passwords is great when you work directly only with people who you implicitly trust. But, for anything beyond that, such as distributing a public key to the general population so that everyone can verify your signed messages, you're dependent upon a web-of-trust model that can be very hard to set up.
  • For the end-to-end encryption of email, the recipients of your email must also have GPG set up on their systems, and know how to use it. That might work in a corporate environment, but lots of luck getting your friends to set that up. (I've never once succeeded in getting someone else to set up email encryption.)
  • If you use a standalone email client, such as Mozilla Thunderbird, you can install a plugin that will encrypt and decrypt messages automatically. But, every time a new Thunderbird update is released, the plugin breaks, and it always takes a while before a new working version gets released.
Even with its numerous weaknesses, GPG is still one of the best ways to share encrypted files and emails. GPG comes preinstalled on both Ubuntu Server and CentOS. So, you can use either of your virtual machines for these demos.

Creating your GPG keys

Getting started with GPG requires you to first generate your GPG keys. You'll do that with:
gpg --gen-key
Note that, since you're setting this up for yourself, you don't need sudo privileges.
The output of this command is too long to show all at once, so I'll show relevant sections of it, and break down what it means.
The first thing that this command does is to create a populated .gnupg directory in your home directory:
gpg: directory `/home/donnie/.gnupg' created
gpg: new configuration file `/home/donnie/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/donnie/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/donnie/.gnupg/secring.gpg' created
gpg: keyring `/home/donnie/.gnupg/pubring.gpg' created
You'll then be asked to select which kinds of keys you want. We'll just go with the default, RSA and RSA. (RSA keys are stronger and harder to crack than the older DSA keys. Elgamal keys are good, but they may not be supported by older versions of GPG.)
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
For decent encryption, you'll want to go with a key of at least 2048 bits, because anything smaller is now considered vulnerable. Since 2048 just happens to be the default, we'll go with it:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Next, select how long you want the keys to remain valid before they automatically expire. For our purposes, we'll go with the default, key does not expire:
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Provide your personal information:
GnuPG needs to construct a user ID to identify your key.

Real name: Donald A. Tevault
Email address: [email protected]
Comment: No comment
You selected this USER-ID:
"Donald A. Tevault (No comment) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
Create a passphrase for your private key:
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
This could take a while, even when you're doing all of the recommended things to create entropy. Be patient; it will eventually finish. By running a sudo yum upgrade in another window, I created enough entropy so that the process didn't take too long:
gpg: /home/donnie/.gnupg/trustdb.gpg: trustdb created
gpg: key 19CAEC5B marked as ultimately trusted
public and secret key created and signed...
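The key-type and key-size choices made above can be checked afterwards on any keyring. The following shell function is an added example, not code from the book; it assumes the colon-delimited listing printed by gpg --list-keys --with-colons, and the sample listing, key IDs and the weak-size/legacy-dsa labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit public keys against the chapter's guidance
# (RSA preferred over the older DSA, and at least 2048 bits).
# Real use:  gpg --list-keys --with-colons | audit_keys
# Colon-format fields used: 1=record type, 3=key length, 4=algorithm id,
# 5=key ID, 7=expiry (empty when the key does not expire).

MIN_BITS=2048

audit_keys() {
    awk -F: -v min="$MIN_BITS" '
        BEGIN { name[1] = "RSA"; name[16] = "Elgamal"; name[17] = "DSA" }
        $1 == "pub" || $1 == "sub" {
            algo = ($4 in name) ? name[$4] : "algo" $4
            expiry = ($7 == "") ? "never" : $7
            verdict = "ok"
            # The size check applies to the RSA/DSA/Elgamal families only;
            # elliptic-curve keys use much shorter lengths by design.
            if (($4 == 1 || $4 == 16 || $4 == 17) && $3 + 0 < min)
                verdict = "weak-size"
            else if ($4 == 17)
                verdict = "legacy-dsa"
            printf "%s %s %s %s expires=%s %s\n", $1, $5, algo, $3, expiry, verdict
        }'
}

# Constructed sample listing (key IDs, dates and user ID are made up).
sample_listing() {
    cat <<'EOF'
tru::1:1514764800:0:3:1:5
pub:u:2048:1:AAAAAAAA11111111:2018-01-01:::u:::scESC:
uid:u::::2018-01-01::0000::Example User (constructed) <user@example.com>:
sub:u:2048:1:AAAAAAAA22222222:2018-01-01::::::e:
pub:-:1024:17:BBBBBBBB33333333:2005-06-01:2030-06-01::-:::scaESCA:
sub:-:1024:16:BBBBBBBB44444444:2005-06-01:2030-06-01:::::e:
pub:-:3072:17:CCCCCCCC55555555:2016-03-01:::-:::scaSCA:
EOF
}

# Count keys that fail the audit; non-zero means a key should be replaced.
count_findings() {
    audit_keys | grep -c -v ' ok$'
}

sample_listing | audit_keys
```

Newer GnuPG releases print the dates in this listing as seconds since the epoch rather than YYYY-MM-DD; the function passes the expiry field through unchanged either way.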
