Mastering Linux Security and Hardening

Donald A. Tevault, Salman Aftab

  1. 376 pages
  2. English

About the book

A comprehensive guide to mastering the art of preventing your Linux system from getting compromised.

Key Features

  • Leverage this guide to confidently deliver a system that reduces the risk of being hacked
  • Perform a number of advanced Linux security techniques such as network service detection, user authentication, controlling special permissions, encrypting file systems, and much more
  • Master the art of securing a Linux environment with this end-to-end practical guide

Book Description

This book has extensive coverage of techniques that will help prevent attackers from breaching your system, by building a much more secure Linux environment. You will learn various security techniques such as SSH hardening, network service detection, setting up firewalls, encrypting file systems, protecting user accounts, authentication processes, and so on. Moving forward, you will also develop hands-on skills with advanced Linux permissions, access control, special modes, and more. Lastly, this book will also cover best practices and troubleshooting techniques to get your work done efficiently. By the end of this book, you will be confident in delivering a system that will be much harder to compromise.

What you will learn

  • Use various techniques to prevent intruders from accessing sensitive data
  • Prevent intruders from planting malware, and detect whether malware has been planted
  • Prevent insiders from accessing data that they aren't authorized to access
  • Do quick checks to see whether a computer is running network services that it doesn't need to run
  • Learn security techniques that are common to all Linux distros, and some that are distro-specific

Who this book is for

If you are a systems administrator or a network engineer interested in making your Linux environment more secure, then this book is for you. Security consultants wanting to enhance their Linux security skills will also benefit from this book. Prior knowledge of Linux is mandatory.

Information

Year
2018
ISBN
9781788625067

Encrypting and SSH Hardening

You may work for a super-secret government agency, or you may be just a regular Joe or Jane citizen. Either way, you will still have sensitive data that you need to protect from prying eyes. Business secrets, government secrets, personal secrets—it doesn't matter; it all needs protection. Locking down users' home directories with restrictive permissions settings, as we saw in Chapter 2, Securing User Accounts, is only part of the puzzle; we also need encryption.
The two general types of data encryption that we'll look at in this chapter are meant to protect data at rest and data in transit. We'll begin with using file, partition, and directory encryption to protect data at rest. We'll then cover Secure Shell (SSH) to protect data in transit.
In this chapter, we'll cover:
  • GNU Privacy Guard (GPG)
  • Encrypting partitions with Linux Unified Key Setup (LUKS)
  • Encrypting directories with eCryptfs
  • Using VeraCrypt for the cross-platform sharing of encrypted containers
  • Ensuring that SSH protocol 1 is disabled
  • Creating and managing keys for password-less logins
  • Disabling root user login
  • Disabling username/password logins
  • Setting up a chroot environment for SFTP users

GNU Privacy Guard

We'll begin with GNU Privacy Guard (GPG). This is a free, open source implementation of Phil Zimmermann's Pretty Good Privacy, which he created back in 1991. You can use either one to encrypt or cryptographically sign files or messages. In this section, we'll focus strictly on GPG.
There are some advantages of using GPG:
  • It uses strong, hard-to-crack encryption algorithms.
  • It uses the private/public key scheme, which eliminates the need to transfer a password to a message or file recipient in a secure manner. Instead, just send along your public key, which is useless to anyone other than the intended recipient.
  • You can use GPG to just encrypt your own files for your own use, the same as you'd use any other encryption utility.
  • It can be used to encrypt email messages, allowing you to have true end-to-end encryption for sensitive emails.
  • There are a few GUI-type frontends available to make it somewhat easier to use.
But, as you might know, there are also some disadvantages:
  • Using public keys instead of passwords is great when you work directly only with people who you implicitly trust. But, for anything beyond that, such as distributing a public key to the general population so that everyone can verify your signed messages, you're dependent upon a web-of-trust model that can be very hard to set up.
  • For the end-to-end encryption of email, the recipients of your email must also have GPG set up on their systems, and know how to use it. That might work in a corporate environment, but lots of luck getting your friends to set that up. (I've never once succeeded in getting someone else to set up email encryption.)
  • If you use a standalone email client, such as Mozilla Thunderbird, you can install a plugin that will encrypt and decrypt messages automatically. But, every time a new Thunderbird update is released, the plugin breaks, and it always takes a while before a new working version gets released.
Even with its numerous weaknesses, GPG is still one of the best ways to share encrypted files and emails. GPG comes preinstalled on both Ubuntu Server and CentOS. So, you can use either of your virtual machines for these demos.

Creating your GPG keys

Getting started with GPG requires you to first generate your GPG keys. You'll do that with:
gpg --gen-key
Note that, since you're setting this up for yourself, you don't need sudo privileges.
The output of this command is too long to show all at once, so I'll show relevant sections of it, and break down what it means.
The first thing that this command does is to create a populated .gnupg directory in your home directory:
gpg: directory `/home/donnie/.gnupg' created
gpg: new configuration file `/home/donnie/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/donnie/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/donnie/.gnupg/secring.gpg' created
gpg: keyring `/home/donnie/.gnupg/pubring.gpg' created
You'll then be asked to select which kinds of keys you want. We'll just go with the default RSA and RSA. (RSA keys are stronger and harder to crack than the older DSA keys. Elgamal keys are good, but they may not be supported by older versions of GPG.):
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
For decent encryption, you'll want to go with a key of at least 2048 bits, because anything smaller is now considered vulnerable. Since 2048 just happens to be the default, we'll go with it:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Next, select how long you want the keys to remain valid before they automatically expire. For our purposes, we'll go with the default, key does not expire:
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Provide your personal information:
GnuPG needs to construct a user ID to identify your key.

Real name: Donald A. Tevault
Email address: [email protected]
Comment: No comment
You selected this USER-ID:
"Donald A. Tevault (No comment) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
Create a passphrase for your private key:
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
This could take a while, even when you're doing all of the recommended things to create entropy. Be patient; it will eventually finish. By running a sudo yum upgrade in another window, I created enough entropy so that the process didn't take too long:
gpg: /home/donnie/.gnupg/trustdb.gpg: trustdb created
gpg: key 19CAEC5B marked as ultimately trusted
public and secret key created and signed...
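
The same answers given interactively above (RSA and RSA, 2048 bits, no expiry, a passphrase) can also be supplied through GnuPG's unattended key generation parameter file. This is an added example that goes beyond the interactive session and is not from the book; the function names, MIN_BITS and the identity in the usage comment are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the book): the interactive gpg --gen-key answers
# written as a GnuPG batch parameter file.
# Usage: printf '%s\n' "$passphrase" | gen_key 2048 'Test User' test@example.org 'No comment'
MIN_BITS=2048   # the chapter's floor; smaller keys are considered vulnerable
NL='
'

# write_keyparams BITS NAME EMAIL COMMENT   (passphrase: one line on stdin)
write_keyparams() {
    local bits name email comment pass
    bits=$1; name=$2; email=$3; comment=$4
    case $bits in
        ''|*[!0-9]*) echo "key size must be a number" >&2; return 2 ;;
    esac
    if [ "$bits" -lt "$MIN_BITS" ] || [ "$bits" -gt 4096 ]; then
        echo "refusing RSA key size $bits (allowed: $MIN_BITS-4096)" >&2
        return 1
    fi
    # A newline in a user ID field would smuggle extra parameter lines in.
    case "$name$email$comment" in
        *"$NL"*) echo "newline in user ID field" >&2; return 2 ;;
    esac
    IFS= read -r pass || true
    [ -n "$pass" ] || { echo "empty passphrase" >&2; return 1; }
    cat <<EOF
Key-Type: RSA
Key-Length: $bits
Subkey-Type: RSA
Subkey-Length: $bits
Name-Real: $name
Name-Comment: $comment
Name-Email: $email
Expire-Date: 0
Passphrase: $pass
%commit
EOF
}

# gen_key BITS NAME EMAIL COMMENT   (passphrase on stdin)
gen_key() {
    local params rc=0
    params=$(mktemp) || return 1      # mktemp creates the file with mode 0600
    write_keyparams "$@" > "$params" && gpg --batch --gen-key "$params" || rc=$?
    rm -f "$params"                   # it held the passphrase in clear text
    return "$rc"
}
```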
