Mastering FreeBSD and OpenBSD Security. Building, Securing, and Maintaining BSD Systems

(ebook) (audiobook) (audiobook)

Autorzy:: Yanek Korff, Paco Hope, Bruce Potter

Promocja Przejdź

Mastering FreeBSD and OpenBSD Security. Building, Securing, and Maintaining BSD Systems Yanek Korff, Paco Hope, Bruce Potter - okładka książki

Mastering FreeBSD and OpenBSD Security. Building, Securing, and Maintaining BSD Systems Yanek Korff, Paco Hope, Bruce Potter - okładka audiobooka MP3

Mastering FreeBSD and OpenBSD Security. Building, Securing, and Maintaining BSD Systems Yanek Korff, Paco Hope, Bruce Potter - okładka audiobooks CD

Wydawnictwo:: O'Reilly Media (Z chęcią przeczytam książkę w języku polskim)
Ocena:: Bądź pierwszym, który oceni tę książkę
Stron:: 466
Dostępne formaty:: ePub

Mobi

Ebook (29,90 zł najniższa cena z 30 dni)

~~199,00 zł~~ (-15%)
169,15 zł

Dodaj do koszyka lub Kup na prezent Kup 1-kliknięciem

(29,90 zł najniższa cena z 30 dni)

Przenieś na półkę

Do przechowalni

FreeBSD and OpenBSD are increasingly gaining traction in educational institutions, non-profits, and corporations worldwide because they provide significant security advantages over Linux. Although a lot can be said for the robustness, clean organization, and stability of the BSD operating systems, security is one of the main reasons system administrators use these two platforms.There are plenty of books to help you get a FreeBSD or OpenBSD system off the ground, and all of them touch on security to some extent, usually dedicating a chapter to the subject. But, as security is commonly named as the key concern for today's system administrators, a single chapter on the subject can't provide the depth of information you need to keep your systems secure.FreeBSD and OpenBSD are rife with security "building blocks" that you can put to use, and Mastering FreeBSD and OpenBSD Security shows you how. Both operating systems have kernel options and filesystem features that go well beyond traditional Unix permissions and controls. This power and flexibility is valuable, but the colossal range of possibilities need to be tackled one step at a time. This book walks you through the installation of a hardened operating system, the installation and configuration of critical services, and ongoing maintenance of your FreeBSD and OpenBSD systems.Using an application-specific approach that builds on your existing knowledge, the book provides sound technical information on FreeBSD and Open-BSD security with plenty of real-world examples to help you configure and deploy a secure system. By imparting a solid technical foundation as well as practical know-how, it enables administrators to push their server's security to the next level. Even administrators in other environments--like Linux and Solaris--can find useful paradigms to emulate.Written by security professionals with two decades of operating system experience, Mastering FreeBSD and OpenBSD Security features broad and deep explanations of how how to secure your most critical systems. Where other books on BSD systems help you achieve functionality, this book will help you more thoroughly secure your deployments.

Wybrane bestsellery

Ebooka przeczytasz na:

czytnikach Inkbook, Kindle, Pocketbook
i innych
systemach Windows, MacOS i innych

systemach Windows, Android, iOS, HarmonyOS
na dowolnych urządzeniach i aplikacjach obsługujących formaty: PDF, EPub, Mobi

Masz pytania? Zajrzyj do zakładki Pomoc »

Audiobooka posłuchasz:

w aplikacji Ebookpoint na Android, iOS, HarmonyOs
na systemach Windows, MacOS i innych

na dowolonych urządzeniach
i aplikacjach obsługujących format MP3
(pliki spakowane w ZIP)

Masz pytania? Zajrzyj do zakładki Pomoc »

Kurs Video zobaczysz:

Oceny i opinie klientów: Mastering FreeBSD and OpenBSD Security. Building, Securing, and Maintaining BSD Systems Yanek Korff, Paco Hope, Bruce Potter (0) Weryfikacja opinii następuję na podstawie historii zamówień na koncie Użytkownika umieszczającego opinię. Użytkownik mógł otrzymać punkty za opublikowanie opinii uprawniające do uzyskania rabatu w ramach Programu Punktowego.

Szczegóły książki

ISBN Ebooka:: 978-14-493-6957-6, 9781449369576
Data wydania ebooka:: 2005-03-24 Data wydania ebooka często jest dniem wprowadzenia tytułu do sprzedaży i może nie być równoznaczna z datą wydania książki papierowej. Dodatkowe informacje możesz znaleźć w darmowym fragmencie. Jeśli masz wątpliwości skontaktuj się z nami sklep@helion.pl.
Język publikacji:: angielski
Rozmiar pliku ePub:: 2.0MB
Rozmiar pliku Mobi:: 2.0MB

Kategorie:
Hacking » Bezpieczeństwo sieci
Hacking » Bezpieczeństwo systemów
Systemy operacyjne » BSD
Hacking » Inne

Spis treści książki

Mastering FreeBSD and OpenBSD Security
Preface
- Audience
- Assumptions This Book Makes
- Contents of This Book
  - Part I: Security Foundation
  - Part II: Deployment Situations
  - Part III: Auditing and Incident Response
- Conventions Used in This Book
  - Typographic Conventions
  - Conventions in Examples
- Using Code Examples
- Comments and Questions
- Safari Enabled
- Acknowledgments
  - Yanek Korff
  - Paco Hope
  - Bruce Potter
  - Our Reviewers
  - OReilly
I. Security Foundation
- 1. The Big Picture
  - What Is System Security?
    - Confidentiality
    - Integrity
    - Availability
    - Summary
  - Identifying Risks
    - Attacks
    - Problems in Software
      - Buffer overflows
      - SQL injection
      - Other software problems
      - Protecting yourself
    - Denial of Service Attacks
      - Target: physical
      - Target: network
      - Target: application
      - Protecting yourself
    - Improper Configuration and Use
      - Sloppy application configuration
      - Protecting yourself
      - Accounts and permissions
      - Passwords and other account problems
    - Network Versus Local Attacks
    - Physical Security
    - Summary
  - Responding to Risk
    - How Much Security?
      - Risk and consequence
      - Security versus functionality
    - Choosing the Right Response
      - Mitigate risk
      - Accept risk
      - Transfer risk
  - Security Process and Principles
    - Initial Configuration
    - Ongoing Maintenance
    - Auditing and Incident Response
  - System Security Principles
    - Apply Security Evenly
    - Practice Defense in Depth
    - Fail Safe
    - Enforce Least Privilege
    - Segregate Services
    - Simplify
    - Use Security Through Obscurity Wisely
    - Doubt by Default
    - Stay Up to Date
  - Wrapping Up
  - Resources
    - General Security Resources
    - General Security-Related Request for Comments (RFCs)
- 2. BSD Security Building Blocks
  - Filesystem Protections
    - Overview
    - UFS Filesystem Flags
      - Manipulating flags
      - System immutable flag (schg)
      - User immutable flag (uchg)
      - Nodump flag (nodump)
      - System append-only flag (sappnd)
      - User append-only flag (uappnd)
      - System no unlink flag (sunlnk)
      - User no unlink flag (uunlnk)
      - Opaque flag (opaque)
      - Archived flag (arch)
    - Common Uses of Flags
      - Candidates for system immutable
      - Candidates for append-only
      - Finding files with flags
    - POSIX Access Control Lists (FreeBSD Only)
      - Enabling ACLs
        
        ACLs in /etc/fstab
        
        ACLs in the superblock
      - Managing ACLs
  - Tweaking a Running Kernel: sysctl
    - Setting sysctl Values
    - Kernel Security Level
      - Level -1: permanently insecure
      - Level 0: transitional security level
      - Level 1: improved operational security
      - Level 2: high security
      - Level 3: network security
      - Setting the securelevel for FreeBSD
      - Setting the securelevel for OpenBSD
      - Thoughts on using securelevel
    - Other Security-Related Kernel Variables
      - Random PIDs
      - Controlling core dumps
      - Reducing visibility in the network
      - Dropping synfins
  - The Basic Sandbox: chroot
    - Creating a chroot Environment
    - An Example: chrooting ntpd
    - Finding Other Dependencies
      - Sorting through kdumps output
      - Making device nodes
    - Limitations of chroot
  - Jail: Beyond chroot
    - New Limitations
      - Limited process interaction
      - Limited access to network resources
      - Devices and mknod
    - Creating Jail Environments
      - Building jails from source
      - Installing from a distribution CD
    - Launching Jails
      - Fat jails as virtual machines
      - Jail security options
      - Managing jails
    - Installing Software in Jail
      - Make a builder jail
      - Install from binary package
      - Getting custom software installed in a jail
    - NFS-Based Jails
      - Creating a single NFS master jail
  - Inherent Protections
    - Fighting Buffer Overflows
      - W^X memory protection
      - ProPolice stack protection
    - Cryptography
    - Code Review
  - OS Tuning
    - maxusers: Basic Influence
    - Increasing Maximum Values
    - Network Buffering
  - Wrapping Up
  - Resources
- 3. Secure Installation and Hardening
  - General Concerns
    - What Are You Building?
      - Workstation
      - Workgroup server
      - Infrastructure server
      - Multipurpose system
    - Media and Network
      - To be networked or not to be networked
      - Media verification
    - Preexisting Vulnerabilities
    - Slicing Up Your Filesystem
    - XFree86
    - Users and Passwords
    - Summary
  - Installing FreeBSD
    - Preparing the Disk
    - Choosing Distribution Sets
    - Post-Installation Configuration
      - Basic network configuration
      - Network gateway
      - inetd
      - sshd
      - Security profile (FreeBSD 4.x only)
      - Anonymous FTP
      - NFS
      - Time zone
      - Linux compatibility
      - XFree86
      - Packages
      - Finishing up the install
  - FreeBSD Hardening: Your First Steps
    - Step 1: Configure sudo
    - Step 2: Turn Off Unnecessary Services
    - Step 3: Update Your System
      - Getting the latest sources
      - Kernel configuration
      - Your first upgrade
    - Step 4: Wrapping Up
  - Installing OpenBSD
    - Preparing the Disk
    - Configuring Your Network
    - Choosing Your Distribution Sets
    - Activating sshd
    - An Innocuous Question About X
    - Finishing Up
  - OpenBSD Hardening: Your First Steps
    - Step 1: Create a User
    - Step 2: Configure sudo
    - Step 3: Turn Off Unnecessary Services
      - sshd
      - inetd
      - Sendmail
    - Step 4: Update Your System
    - Step 5: Wrapping Up
  - Post-Upgrade Hardening
    - Configure Users and Groups
      - Toor (FreeBSD only)
    - Adjust Mount Options
    - Lock Down sshd
      - Password authentication
      - Public key authentication
      - Challenge response authentication
    - Configure Basic Logging
    - Create Login Banners
    - Configure NTP
    - Tune Your Kernel
    - Set File Flags
    - Local Security
      - On the screen
      - Adjust /etc/ttys
  - Wrapping Up
  - Resources
    - FreeBSD
    - OpenBSD
- 4. Secure Administration Techniques
  - Access Control
    - Controlling User Access
      - Using a catchall primary group
      - Project-based or role-based primary groups
      - Per-user groups
      - Login classes
      - umasks
      - The danger of ACLs (FreeBSD only)
    - Controlling Administrator Access
      - Disable and avoid clear-text access
      - Connect using SSH
      - Privileged access using ssh
    - General sudo Configuration
      - Avoid dangerous commands
      - Use explicit paths
      - Be very specific
      - Use NOPASSWD sparingly
      - Be realistic
    - Comparing sudo and su
    - Safeguard the Root Password
  - Security in Everyday Tasks
    - Installing Software
      - Ports and packages
      - Ports ownership
      - Ports and base conflicts
      - Multiple versions installed (FreeBSD only)
    - Change Control
    - Tracking Changes
    - Data Recovery
      - Data completeness
      - Data confidentiality
      - Data retention
      - Filesystem access
      - Network access
  - Upgrading
    - Patching Only
    - Tracking Branches
      - Tracking OpenBSD branches
      - Tracking FreeBSD branches
  - Security Vulnerability Response
    - Keeping Abreast
    - Security Advisory Response
      - Categorization
      - Severity assessment
      - Response planning and execution
  - Network Service Security
    - inetd and tcpwrappers
    - Network File System
      - Implicit UID and GID trust
      - NFS export control
      - NFS network restrictions
    - Network Information Services
      - Password format compatibility
      - Encrypted password exposure
      - Limiting access to NIS maps
      - On the client side
      - When is NIS right for you?
    - Secure File Distribution Using scp
      - Initial setup
      - Pushing files with passphrase authentication
      - Pushing files without passphrase authentication
      - An scp alternative
      - Wrapping up
    - The Importance of Time (NTP)
      - Security
      - Architecture
  - Monitoring System Health
    - Nagios
      - Installation
      - Configuration
      - Installing NRPE
      - Configuring Nagios with NRPE
      - Fine-tuning
      - Wrapping up
  - Wrapping Up
  - Resources
    - Operating System
    - System Monitoring
    - General Security
II. Deployment Situations
- 5. Creating a Secure DNS Server
  - The Criticality of DNS
    - Technical Risks Related to DNS
      - Vulnerabilities in DNS software
      - Zone misconfigurations
      - Missing zone information
    - Risks Related to DNS and Mail
    - Risks Related to DNS Attacks
      - Cache poisoning
      - DNS spoofing
      - Registration hijacking
    - Responding to DNS-Based Risks
      - Limit recursion
      - Limit zone transfers
      - Maintain your own zones
      - Run secure, organization-wide recursion servers
      - Separate caches from authoritative servers
    - Summary
  - DNS Software
    - BIND 9
    - djbdns
    - Typical Architecture
    - BIND Versus djbdns
      - One process or many?
      - Zone maintenance
      - Dynamic updates
      - Incremental zone transfers and notify
      - Remote control
      - Summary
  - Installing BIND
    - FreeBSD
  - Installing djbdns
    - Preliminaries
      - Locating zone data
      - Daemontools
      - ucspi-tcp
      - FreeBSD
      - Installing on OpenBSD via source
      - Installing on OpenBSD via unofficial ports
  - Operating BIND
    - Running BIND in chroot
      - Make a filesystem
      - Launch BIND from /etc/rc.conf
    - Configuration Ideas
      - Security restrictions
      - Logging
      - Using includes to separate permissions
    - Managing BIND
    - Transaction Signatures (TSIG)
      - Cautions about using TSIG
      - Practical uses for TSIG
  - Operating djbdns
    - Running tinydns
    - Routine Maintenance
      - The tinydns data file
      - Load balancing
      - Naming nameservers
  - Wrapping Up
  - Resources
    - BIND Resources
    - djbdns Resources
    - Selected DNS-Related Requests for Comments (RFCs)
- 6. Building Secure Mail Servers
  - Mail Server Attacks
    - Operating System Level Attacks
    - Illegitimate Mail Relaying
    - Unwanted Mail
  - Mail Architecture
    - Protect the Operating System
    - Avoid Being an Open Relay
    - Stop Unwanted Mail
      - Content filtering with SpamAssassin
      - Arbitrary content filtering
      - DNS real-time blacklists (RBLs)
  - Mail and DNS
    - Security Implications
  - SMTP
    - Envelope Versus Header
    - Security Implications
      - SMTP AUTH via SASL
      - TLS
      - SPF
      - Message integrity, privacy, and non-repudiation
  - Mail Server Configurations
    - Null Client
    - Internal Mail Server
    - Mail Relay
    - External Mail Server
  - Sendmail
    - Installation and Configuration
    - Root Background
    - The Configuration Files
    - Overall Sendmail Security
      - File and directory permissions
      - Beware recipient programs
    - Security-Related Configuration Options
      - Arbitrary program restriction
      - Dont blame Sendmail
      - Masquerade your domain
      - Obfuscate greeting
      - Permissions of transient files
      - Privacy options
      - Running sendmail as nonprivileged users
      - Safe file environment
      - Trusted user
      - Trusted users
    - Limiting Denial of Service Attacks
    - Blocking Unwanted Mail
      - Access database
      - DNS blacklists
      - Milters
      - Arbitrary content filtering
      - Virus protection
    - Authentication and Encryption
      - Installing Sendmail+SASL+TLS on FreeBSD
      - Installing Sendmail+SASL+TLS on OpenBSD
      - Configuring Sendmail with SASL+TLS
  - Postfix
    - Installation and Configuration: FreeBSD
    - Installation and Configuration: OpenBSD
    - Postfix Security Foundation
      - Do one thing, do it well
      - Understanding logging
      - Chroot
      - Configuration files
    - Security-Related Configuration Options
      - Arbitrary program restriction
      - Masquerade your domain
      - Obfuscate smtpd banner
      - Disable unneeded commands
    - Limiting Denial of Service Attacks
    - Blocking Unwanted Mail
      - Access table
      - Arbitrary content filtering
      - DNS blacklists
      - Virus protection
    - Authentication and Encryption
      - Verifying Postfix+SASL+TLS installation
      - Configuring Postfix with SASL+TLS
  - qmail
  - Mail Access
    - Guidelines for Securing Mail AccessInternally
    - Guidelines for Securing Mail AccessExternally
      - Virtual private networks (VPN)
      - Webmail
  - Wrapping Up
  - Resources
    - MTA Software
    - Spam Defense and Antivirus
    - SMTP Security
    - Mail Access Software
    - Selected Mail-Related Request for Comments (RFCs)
- 7. Building a Secure Web Server
  - Web Server Attacks
    - Why You Care
    - Specific Threats to Web Servers
      - File and data disclosure
      - Arbitrary program execution
      - Application abuse
  - Web Architecture
    - Server Software Choices
  - Apache
    - Installing Apache
      - FreeBSD
        
        Makefile options
        
        Recording your use of Apache 2
      - OpenBSD
        
        Configure parameters
    - Configuring Apache
      - User overrides
      - Protecting critical files
      - Resisting denial of service
    - Module Overview
      - mod_cgi
      - mod_php
        
        PHP and permissions
        
        mod_php Apache configuration
        
        PHP configuration
      - mod_perl
      - mod_include
      - mod_dav
      - mod_autoindex
      - mod_info and mod_status
      - mod_userdir
    - Apache Best Practices
      - Enable only modules you need
      - Minimize information leaks
      - Always separate HTML and CGI locations
      - Protect sensitive configuration files
      - Run CGI programs as normal users
        
        cgiwrap
        
        mod_suexec
      - Summary
    - Encrypting Web Traffic
      - SSL and certificates
      - Enabling SSL
      - SSL, TLS, and cipher choice
      - Restricting ciphers at the server
      - CPU usage
  - thttpd
    - Installing thttpd
    - Configuring thttpd
    - Resisting Denial of Service
  - Advanced Web Servers with Jails
    - Using Jail or Chroot
      - How many instances?
      - Building and installing into a jail
      - Finding and adding support files
      - Launching httpd in chroot(8) on OpenBSD or FreeBSD
      - Launching httpd in jail(8) on FreeBSD
    - A Two-Tiered Architecture
      - Configure the internal jails
      - Configuring the external jail
      - Jail versus chroot
    - Advantages and Disadvantages
      - Ultimate separation
      - Performance
      - Modularity
  - Wrapping Up
  - Resources
    - Apache Resources
    - thttpd Resources
    - General Resources
    - Selected Web-Related RFCs
- 8. Firewalls
  - Firewall Architectures
    - Bump in the Wire
    - DMZ
    - Spider
    - Transparent
    - Host
    - High Availability
  - Host Lockdown
  - The Options: IPFW Versus PF
    - IPFW
    - PF
    - Differences
  - Basic IPFW Configuration
    - Kernel Configuration
    - Startup Configuration
    - Firewall Configuration
      - Optional arguments
      - Required arguments
    - Using the Firewall
  - Basic PF Configuration
    - Kernel and Startup Configuration
    - PF in FreeBSD
    - Firewall Configuration
    - Using the Firewall
      - Logging
  - Handling Failure
    - CARP
    - CARP Configuration
    - pfsync
  - Wrapping Up
  - Resources
- 9. Intrusion Detection
  - No Magic Bullets
    - Monitoring an IDS
    - Responding to IDS Events
  - IDS Architectures
    - Host-Based IDS
    - Network-Based IDS
    - Log Analysis Versus IDS
    - Honeypots Versus IDS
    - Intrusion Prevention Systems
  - NIDS on BSD
  - Snort
    - Sensor Hardware
    - Host Lockdown
    - Installing and Configuring Snort
    - Containing Snort
    - Storing Events in Flat Files
    - Storing Events in MySQL
    - Snort with PF
  - ACID
    - Installing ACID
    - Configuring ACID
    - Running ACID
  - HIDS on BSD
    - Osiris
    - Installing and Configuring Osiris
    - Running Osiris
  - Wrapping Up
  - Resources
III. Auditing and Incident Response
- 10. Managing the Audit Trails
  - System Logging
  - Logging via syslogd
    - syslog.conf Configuration
    - Syslog Facilities
    - Syslog Levels
    - Program and Hostname Matching
    - Syslog Actions
      - Debugging syslogd
    - Running syslogd
      - Additional sockets
      - syslogd on FreeBSD
      - syslogd on OpenBSD
    - syslogd Drawbacks
      - Lack of access control
      - Lack of reliability
      - Lack of integrity or confidentiality
      - Monolithic
    - syslogd Replacements
      - syslog-ng
      - minirsyslogd
      - msyslog
    - Capturing Logs
  - Securing a Loghost
    - Benefits of a Loghost
    - Loghost System Security
    - Syslog Relay
      - Syslog relay configuration
    - Conclusion
  - logfile Management
    - newsyslog Overview
    - Configuring Log Rotation
    - Securing logfiles
  - Automated Log Monitoring
    - Automated Auditing Using logcheck
      - Installation
      - Configuration
      - Drawbacks
    - Automated Auditing Using swatch
      - Installation
      - Configuration
      - Running swatch
      - Catching new messages
    - Ongoing Monitoring
  - Automated Auditing Scripts
    - OpenBSDs Security Script
    - FreeBSDs Periodic Scripts
  - Wrapping Up
  - Resources
    - Logging Tools
    - Secure Transport Providers for Logging
    - Log Monitoring
    - Selected Logging-Related Request for Comments (RFCs)
- 11. Incident Response and Forensics
  - Incident Response
    - Preparation
      - Identifying resources
      - Training staff
      - Creation of document templates
      - Building your bag of tricks
    - Incident Detection
    - Incident Assessment
    - Response
    - Postmortem Analysis
  - Forensics on BSD
    - How Serious Are You?
    - Online and Offline Analysis
    - Things to Look For
      - Changed files
      - Added users
      - Strange directories
      - Unknown processes and LKMs
      - Known rootkits and hacker tools
  - Digging Deeper with the Sleuth Kit
    - History of the Sleuth Kit
    - Installing and Understanding TSK
    - Using TSK
    - Autopsy
  - Wrapping Up
  - Resources
Index
About the Authors
Colophon
Copyright

pokaż cały spis treści