| Author | Michael D. Bauer |
|---|---|
| Copyright | 2003 |
| Publisher | O'Reilly and Associates |
| ISBN | 0-596-00217-3 |
| Reviewer | Mike Fehse |
| Review Date | February 5th, 2004 |
The book, BUILDING SECURE SERVERS with LINUX, written by Michael D. Bauer, is well written, and should be required reading for anyone administering, or securing, a server that one or more persons have access to, either electronically or physically. This book is not about firewalls, yet it does review the basics of them, and even provides a very basic example for use with iptables. It does deal with DNS, FTP, web, and mail servers, along with the kernel and log files. It doesn't cover SAMBA, NTF, NFS, Win NT/2K, or other servers that would be used on a private, secured, non-publicly accessible LAN, but rather deals with servers that can be accessed from the Internet and maintained from an intranet.
The book starts out by giving a way of presenting the need for added network security to management, and to those holding the purse strings. Two things stand out that I feel need stating here. The first is that some people don't take network security, or even server security, seriously, and don't feel that they are a likely target for black-hat hackers. Ask such a person if you can take all of the information on their computer and make it publicly available. The other item that caught my attention near the beginning of the book is how much an attack against a system you help maintain can cost. Mr. Bauer presents two methods of determining the cost of recovering from an attack, and how you can present it to management. One example: if your mail server is not secured, and you get hacked twice per year, and each time 10 people in the office are not able to send or receive e-mail for half a day, what is the cost in lost productivity, poor public image, lost customers, and the loss of confidential information? The first is easy: if you were to say that on average each employee is paid $17 per hour and lost four hours, you would be looking at 10 * 17 * 4 = $680 just in lost productivity, plus the expense of repairing the damage, of maybe $150 per hour for a tech to come out and restore the system, for another $600 (four hours). Plus, if a spammer got hold of the address book for the MTA, then you will lose at least a half hour per day per employee filtering spam until you get new filters in place and/or change every user's mail address. And this is just for the first of the two attacks you could expect in the year, so just having your e-mail server compromised could cost you over $2500 per year in labor alone (2 * ($680 + $600) = $2560), not counting the civil liability you face.
Even though the book doesn't focus on firewalls, it does cover them in a general manner. It mentions some of the products available, and what a person should look for in a firewall and/or a router. It does cover setting up iptables on the server itself, so that if a person manages to get past the perimeter firewall, s/he will still have another barrier to worry about.
The book then spends a good amount of time covering secure communications, both from the internal network and remotely, both dial-up and Internet based. It covers TCP Wrappers, stunnel, SSL, and SSH, and how to configure each both for stand-alone use and for use with other programs. Like other books, it covers downloading both binary and source packages, how to install (and compile, if necessary), and why you may prefer one over the other, for each package discussed. The book also focuses on the idea of hardening the Linux operating system, both the kernel and the physical machine, such as ensuring the computer is kept in a secure location. This lays the foundation for what is to follow.
Another cornerstone of network, and in this case server, security is authenticating users. Even if a person makes it through a firewall, how do you know they have not spoofed the information to look like another user? This is where encryption, logins and passwords, and certificates and keys come in, and how everything communicates and works together. The strengths and weaknesses of the different options are reviewed, along with how to figure out what is best in your own case. Examples are provided, along with the information on how to implement the ideas presented. Two chapters present the information needed to begin, and then other chapters build on that foundation. Again, code and examples are provided throughout the book, and this lets you see how the various pieces are tied together.
The book takes a good, long, hard look at chroot jails for a multitude of programs, and why they help, along with their vulnerabilities. By making a program see a chosen directory as the root of the filesystem, it is hoped that if someone is able to compromise the program, the attacker is not able to get to the underlying filesystem and operating system. Each program, as it is reviewed, has its chroot jail capability critiqued, along with other vulnerabilities. The main problem with programs that offer a service, i.e. e-mail and web pages, is that they need root permission to listen on a port below 1024, and also to access some shared libraries and log files. Two programs that pose a real problem, BIND and sendmail, are discussed, and an alternative for each is offered. BIND can, and should, be chroot jailed, while only part of sendmail can be, and the way to implement this is gone over in great detail. Other programs are mentioned as well, and the pros and cons of jailing a program are discussed.
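The sequence a daemon should follow to get around the problem just described (bind the privileged port while still root, then enter the jail, then drop to an unprivileged user), shown here as an added example in C that is not code from the book, nor from BIND or sendmail. The jail path, the loopback-only bind, and the uid/gid 65534 (nobody on most Linux systems) are assumptions for the demonstration. The order of the calls is the point: chdir into the jail before chroot, chdir("/") after it so the working directory is inside the jail, and then drop supplementary groups, gid, and uid in that order, because a process that keeps root inside a chroot can still break out of it.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Ports 1-1023 need root (or CAP_NET_BIND_SERVICE) to bind on Linux. */
int is_privileged_port(int port) {
    return port > 0 && port < 1024;
}

/* Step 1 (still root): open and bind the listening socket while we can.
 * Binds to 127.0.0.1 only (assumption for the demo). Returns fd or -1. */
int open_listener(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Step 2: enter the jail and become an unprivileged user, in the order that
 * closes the known escapes. Returns 0 on success, -1 on failure (errno set).
 * Every step must succeed; a half-dropped daemon is worse than an exiting one. */
int jail_and_drop(const char *jail, uid_t uid, gid_t gid) {
    if (chdir(jail) < 0) return -1;        /* also fails (ENOENT) if the jail is missing */
    if (chroot(".") < 0) return -1;        /* needs root; EPERM otherwise */
    if (chdir("/") < 0) return -1;         /* cwd must be inside the new root, not outside */
    if (setgroups(0, NULL) < 0) return -1; /* drop supplementary groups while still root */
    if (setgid(gid) < 0) return -1;        /* gid before uid: setgid itself needs root */
    if (setuid(uid) < 0) return -1;        /* sets real, effective and saved uid */
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone use: ./jaildemo [port] [jaildir]; needs root for ports < 1024
 * and for the chroot itself. Both defaults below are assumptions. */
int main(int argc, char **argv) {
    int port = argc > 1 ? atoi(argv[1]) : 8080;
    const char *jail = argc > 2 ? argv[2] : "/var/empty";
    int fd = open_listener(port);
    if (fd < 0) { perror("open_listener"); return 1; }
    if (jail_and_drop(jail, 65534, 65534) < 0) { perror("jail_and_drop"); return 1; }
    printf("listening on 127.0.0.1:%d as uid %d with root %s\n",
           port, (int)getuid(), jail);
    close(fd);
    return 0;
}
```

Note that jailing alone does not shrink what a compromised process can do with the still-open listening socket or with any file descriptors it inherited; the book's per-program discussion of which shared libraries and log files have to be copied into the jail is what makes the jail usable by the daemon without handing it the whole filesystem.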
Mr. Bauer makes a case to eliminate, or severely limit, anonymous public services such as FTP. He does provide a means for when a file needs to be transferred from a person to a web server, and for when you want to be able to accept a file submitted by an unknown source. Some of the reasons that Mr. Bauer sets forth are the ports that need to be opened, the need for special filters and proxy servers, disk space, having someone try to crash the system with too many uploads, and the liability for hosting a file, just to touch on the major issues. He does acknowledge the need to be able to transfer files, and to make some of them available to the public, such as a web page or a program to be downloaded. Using scp, and/or another program run over ssh, is a better option than using FTP to transfer a program or web page to a site, and he provides guidelines, along with a working method, for doing so.
Programs such as FreeS/WAN and SAMBA are not covered, and with good reason, as stated in the book. This isn't an oversight, just an acknowledgment that some things don't belong in this book. For example, FreeS/WAN is better dealt with when discussing firewalls, while SAMBA is for a private LAN, and not something to be shared with the general public. This lets the book focus on the services offered over the various 'nets (intra, inter, and extra) and accessible from the office. This book should be required reading for anyone dealing with networks, even if you are hosting your own web server for the fun, or challenge, of it. Even if you don't add it to your bookshelf, you should make the effort to find and read it; it is available through the inter-library loan system.
About the reviewer:
Mike Fehse has been playing with PCs since 1985, and cut his teeth on MS-DOS version 2.0. During the mid-'90s he started to look at Linux, and in the summer of 2003 he finally took the plunge. He is an experienced computer user, but no whiz, nor does he work in the computer field; it is just a consuming hobby.