Linux Hardening in Hostile Networks: Server Security from TLS to Tor

Book Description

Implement Industrial-Strength Security on Any Linux Server

In an age of mass surveillance, when advanced cyberwarfare weapons rapidly migrate into every hacker’s toolkit, you can’t rely on outdated security methods–especially if you’re responsible for Internet-facing services. In Linux? Hardening in Hostile Networks, Kyle Rankin helps you to implement modern safeguards that provide maximum impact with minimum effort and to strip away old techniques that are no longer worth your time.

Rankin provides clear, concise guidance on modern workstation, server, and network hardening, and explains how to harden specific services, such as web servers, email, DNS, and databases. Along the way, he demystifies technologies once viewed as too complex or mysterious but now essential to mainstream Linux security. He also includes a full chapter on effective incident response that both DevOps and SecOps can use to write their own incident response plan.

Each chapter begins with techniques any sysadmin can use quickly to protect against entry-level hackers and presents intermediate and advanced techniques to safeguard against sophisticated and knowledgeable attackers, perhaps even state actors. Throughout, you learn what each technique does, how it works, what it does and doesn’t protect against, and whether it would be useful in your environment.

• Apply core security techniques including 2FA and strong passwords
• Protect admin workstations via lock screens, disk encryption, BIOS passwords, and other methods
• Use the security-focused Tails distribution as a quick path to a hardened workstation
• Compartmentalize workstation tasks into VMs with varying levels of trust
• Harden servers with SSH, use apparmor and sudo to limit the damage attackers can do, and set up remote syslog servers to track their actions
• Establish secure VPNs with OpenVPN, and leverage SSH to tunnel traffic when VPNs can’t be used
• Configure a software load balancer to terminate SSL/TLS connections and initiate new ones downstream
• Set up standalone Tor services and hidden Tor services and relays
• Secure Apache and Nginx web servers, and take full advantage of HTTPS
• Perform advanced web server hardening with HTTPS forward secrecy and ModSecurity web application firewalls
• Strengthen email security with SMTP relay authentication, SMTPS, SPF records, DKIM, and DMARC
• Harden DNS servers, deter their use in DDoS attacks, and fully implement DNSSEC
• Systematically protect databases via network access control, TLS traffic encryption, and encrypted data storage
• Respond to a compromised server, collect evidence, and prevent future attacks

Register your product at informit.com/register for convenient access to downloads, updates, and corrections as they become available.

Table of Contents

Chapter 1. Overall Security Concepts
Chapter 2. Workstation Security
Chapter 3. Server Security
Chapter 4. Network
Chapter 5. Web Servers
Chapter 6. Email
Chapter 7. DNS
Chapter 8. Database
Chapter 9. Incident Response
Appendix A. Tor
Appendix B. SSL/TLS

中文：

书名：恶意网络中的Linux加固：从TLS到ToR的服务器安全

在任何Linux服务器上实施行业级别的安全

在一个大规模监控的时代，先进的网络战武器迅速进入每个黑客的工具箱，你不能依赖过时的安全方法–特别是如果你负责面向互联网的服务。在……里面 Linux？恶意网络中的强化， Kyle Rankin帮助您实施现代保障措施，以最小的努力提供最大的影响，并消除不再值得您花费时间的旧技术。

Rankin就现代工作站、服务器和网络强化提供了清晰、简洁的指导，并解释了如何强化特定服务，如Web服务器、电子邮件、DNS和数据库。在此过程中，他揭开了曾经被认为过于复杂或神秘但现在对主流Linux安全至关重要的技术的神秘面纱。他还包括一个关于有效事件响应的完整章节，DevOps和SecOps都可以用来制定自己的事件响应计划。

每一章从任何系统管理员都可以快速使用的技术开始，以防止入门级黑客，并提供中级和高级技术来防止复杂和知识渊博的攻击者，甚至可能是国家行为者。在整个过程中，您将了解每种技术的作用、工作原理、做什么和不做什么防护，以及它在您的环境中是否有用。

• Apply core security techniques including 2FA and strong passwords
• 通过锁屏、磁盘加密、BIOS密码和其他方法保护管理员工作站
• 使用以安全为重点的Tail分发作为实现强化工作站的快捷途径
• 将工作站任务划分为具有不同信任级别的虚拟机
• 使用SSH强化服务器，使用applmor和sudo来限制攻击者可以造成的破坏，并设置远程系统日志服务器来跟踪他们的操作
• 使用OpenVPN建立安全VPN，并在无法使用VPN时利用SSH对流量进行隧道传输
• 配置软件负载均衡器以终止SSL/TLS连接并向下游发起新连接
• 设置独立的ToR服务和隐藏的ToR服务和中继
• 保护阿帕奇和Nginx Web服务器，并充分利用HTTPS
• 使用HTTPS Forward Secrecy和ModSecurity Web应用程序防火墙执行高级Web服务器强化
• 通过SMTP中继身份验证、SMTPS、SPF记录、DKIM和DMARC增强电子邮件安全性
• 加固DNS服务器，阻止其在DDoS攻击中使用，并全面实施DNSSEC
• 通过网络访问控制、TLS流量加密和加密数据存储系统地保护数据库
• 对受到攻击的服务器做出响应、收集证据并防止未来的攻击

在INFORIT.com/REGISTER上注册您的产品，以便在下载、更新和更正可用时方便地访问它们。

Table of Contents

第1章：总体安全概念
第2章：工作站安全
Chapter 3. Server Security
Chapter 4. Network
Chapter 5. Web Servers
第6章.电子邮件
第7章.域名系统
Chapter 8. Database
第9章.事件响应
附录A.托尔
Appendix B. SSL/TLS