on September 25, 2001
I am a senior engineer for network security operations. I read "Hacking Linux Exposed" (HLE) to learn how adversaries compromise Linux hosts. HLE impressed me at every level. I highly recommend system administrators and security personnel read and heed this book's recommendations.
The "Hacking Exposed" series is known for its unique example-driven style. Rather than telling the reader about a technique or problem, the authors demonstrate the issue using command-line examples. I find myself reading with book and laptop at hand, ready to duplicate the authors' sample commands. This process reinforces the authors' message, while the reader learns if a specific problem applies to his situation. Furthermore, by showing exactly how to execute certain commands, the authors impart bits of wisdom and trickery not found elsewhere.
For example, chapter 11 describes attacks and defenses for FTP servers. To explain active and passive FTP sessions, the authors demonstrate running an FTP client with the -d switch to illustrate raw instructions sent by the client over the FTP command channel. I had never seen this switch in use, but as an intrusion detector I constantly see raw FTP instructions like those revealed by the -d switch. These and other tidbits, like using the chattr -i command or setting the "sticky bit", make HLE exceptional.
Beyond these benefits, readers will enjoy clear, thorough explanations of Linux security issues. HLE gives first-rate descriptions of ssh and web man-in-the-middle attacks, race conditions, and FTP data hijacking. HLE also provides great illustrated examples of FTP bounce attacks, giving intrusion detectors the minutiae we need to recognize these techniques. I had heard of most of the compromise methods offered by HLE, but never seen them discussed in such practical detail.
If the material in chapters 1-13 of HLE doesn't prompt you to verify your Linux host's integrity, then the case studies in appendix D will. The security community needs more of these narratives. These stories, based on true events, show the lengths to which some attackers will go to penetrate target machines.
"Hacking Linux Exposed" is another strong addition to the "Hacking Exposed" series, and the security community will benefit as a result.
(Disclaimer: I received a free review copy from the publisher.)
on May 30, 2001
I wasn't a fan of Hacking Exposed, largely because its Unix section was a mere 50 pages of superficial, outdated, and obvious fluff. Hacking Linux Exposed makes up for that lack by digging into Unix in much more depth.

Though it is modeled after the attack/countermeasure style of the original HE, this book includes a whole chapter of security measures at the beginning that you can implement instantly to get your machine locked down before getting into the nitty-gritty detail about other things in the hacker's arsenal.

I was particularly enthralled with chapter 10, which talks about what the hacker will do after they have gained root access, from simple things like adding accounts to complicated issues like kernel modules, complete with source code. Chapter 7 includes some really wonderful examples of how the hacker can abuse networking protocols themselves, something I haven't seen covered in such depth before.

The book is logically organized. The first part covers the way the hackers find and probe your machine. The second talks about getting in from the outside, be it network or physical. The third part talks about gaining additional privileges, and the last part of the book is dedicated to mail, ftp, web, and firewalls. The appendices are actually useful. They seem to have dropped the small 1-page case studies from the original book and replaced them with longer hacker-eye-views of real attacks which are an interesting read, and really tie the book together.

This book is Linux specific in its countermeasures, but I'd recommend this to any unix user. They do a good job of discussing differences between Linux variants as well; they don't just assume everyone has a RedHat box on their desk. Very refreshing.

This book is great for both the theory and practical uses. I could spend weeks implementing all the suggestions they have, but they seem to have thought of this because their risk ratings let you know where you should concentrate as you secure your systems.

Like Hacking Exposed, this book also has a website, (...) but it seems more up-to-date -- for example when the ptrace bug in older kernels came out, they posted a kernel module you could compile to protect your system until you could upgrade -- and includes all the source code contained in the book.

I bought two of these, one for home and one for the office, and I suggest you do the same.
on July 7, 2001
I am in charge of network security for a large firm. We use largely FreeBSD and OpenBSD machines instead of Linux whenever possible. One of the junior folks was trying to convince us that Linux isn't all that bad, and pointed to this book as proof that it can be secured.
Well, we're not about to switch. However this book covered so many unexpected issues that affected our *BSD boxen that we spent a solid week implementing changes on all our systems. The detail of this book was superb, and it was easy to figure out the differences between their Linux-specific solutions and what was needed on our *BSD systems when they weren't exactly the same.
Got Unix? Buy this book.
on March 10, 2003
I'm a big fan of the Hacking Exposed style of writing. All offensive theory is backed up by command line examples, followed by defensive countermeasures. Hacking Exposed: Linux, 2nd Ed (HE:L2E) follows this tradition, updating the content of the first edition and adding 200 pages of new content. Although I reviewed the first edition in Sep 01, reading the second edition reminded me of the challenges posed by securely configuring and deploying Linux systems.
The best way to learn while reading HE:L2E is to try the sample commands. I also recommend visiting the links mentioned and installing many of the tools described by the authors. I found programs like raccess, nsat (ch. 3), sslsniff (ch. 7), nstx, and httptunnel (ch. 15) particularly interesting from an attacker's point of view. From a system administration standpoint, coverage of passlogd (ch. 2), lilo and grub (ch. 5), and X (ch. 6) were very helpful.
The authors share many novel ways to abuse Linux systems, but counter those exploits with little-known features or third-party tools. I never knew I could use bash's HISTCONTROL feature to selectively remove entries from shell history files. HE:L2E goes the extra mile to help secure your system, such as including sample C code in ch. 13 to allow one to compile TCP Wrappers support into one's own programs. Other clear, concise defensive measures were introduced in excellent chapters on keeping the kernel and packages current (appendix B) and pro-active security measures (ch. 2). The last appendix gives a short yet powerful description of the damage an intruder can perform, showing how he hid unauthorized programs and how those programs were discovered.
If you use Linux, you'll find HE:L2E indispensable. I even applied many of the tools and techniques to my FreeBSD system, showing that good security advice can be a cross-platform endeavor.
on May 17, 2002
Hacking Linux Exposed by Brian Hatch, James Lee and George Kurtz, is a nice follow-up to their bestselling Hacking Exposed. While not as ground-shaking as its predecessor, the new book does provide a good reference for people just starting with Linux. Anyone who is setting up or planning to set up a Linux network should consider owning it, together with the appropriate Linux administration manuals.
Hacking Linux Exposed covers security administration issues such as FTP, sendmail (but for some reason, not POP3/IMAP servers) and web server setup; it also discusses local user security issues and touches lightly on Linux firewalling and other network access controls (TCP wrappers).
The book includes a big section on keeping your system updated, which outlines methods used by several popular Linux distributions (rpm from RedHat, apt-get from Debian and pkgtool from Slackware). This information is essential to the security of any Linux machine, whether a home workstation or company server.
The focus is Linux, but the book also covers some other important security areas. It attempts to offer a total solution for Linux security, starting with general infosec philosophy (such as proactive security), and moving on to physical security, social engineering, Trojan programs, access control, user security and server setup. Each security problem is rated for global risk on a 1 to 10 scale, factoring in frequency, simplicity and impact. In general, the book is more encyclopedia than detailed guide, as it strives toward breadth over depth.
on December 27, 2002
Hacking Linux comes in six parts, each of which is worth the price of the book in whole. Part one: security overview covers all the basics like file permissions, setuserid problems, buffer overflows/format string attacks, tools to use before you go online, and mapping tools like nmap. Part two comes in from more of the hacker angle with social engineering and trojans, attacks from the console, and then concludes with two excellent chapters about network attacks and TCP/IP vulnerabilities.
All the stuff to this point assumes the hacker is on the outside. Part three takes over and shows you what the hacker will do once they've gotten on, such as attacking other local users including root, and cracking passwords. It becomes obvious that you need to protect things from insiders as much as from the outsider, because the outsider will usually get in as a normal user first, and if you can prevent him or her from getting root access, the damage cannot be nearly as severe. A lot of books don't cover this angle at all, and it's done superbly here.
Part four covers common problems in internet services. First they discuss mail servers. Sendmail, Qmail, Postfix, and Exim each get covered in detail - it's nice to see more than just Sendmail discussed in a security book. Of course, it'd be even nicer to see something other than Sendmail installed on a Linux machine by default. Next they cover problems with FTP software and problems with the FTP protocol. I'd never seen "beneath the hood" and realized how weird FTP really was, and why it's not supported by firewalls very well, and the authors show you the inner workings of it so anyone can understand the problems. They continue with Apache and CGI/mod_perl/PHP/etc problems, both from a coding standpoint and how to secure against outsiders and your own web developers. Next it's on to Firewalls (iptables and TCP wrappers) and lastly (distributed) denial of service attacks. The countermeasures for the DoS problems are excellent, and a must for anyone with a server.
Part five covers everything a hacker can do once they've broken in. They describe trojan programs, trojan kernel modules, and configuration changes that can be used to keep root access, or hide the hacker activity, or let them get back in should the computer be partially fixed. This was not only complete, but scary in how many different things they showed. It works both as a blueprint for what you need to defend against, how to clean up after a hacker has gotten in, and also how you could back door a machine if you get in. I'll leave the ethics up to you.
Lastly we have part six, which is the appendices. While most times I ignore appendices, these are really an integral part of the book, and are referenced throughout the book all over. (This is very good, because it keeps the book from having too many repeated countermeasures.) They discuss post-breakin cleanup, updating your software and kernel, and turning off daemons (both local and network ones) and a new case study. The book is good about covering Linux from a distribution-agnostic standpoint (it doesn't assume you use RedHat, unlike everything else out there) but in these appendices they cover the differences you may encounter. They show you how to use dpkg/apt-get as much as RPM as much as .tgz packages, discuss both inetd and xinetd, and even svscan/supervise. They are extremely complete.
Hacking Linux Exposed 2nd Edition is required reading for anyone with a Linux machine, period.
on March 7, 2003
Hacking Linux Exposed proves itself the leader again in this, the Second Edition. The authors go into great depth showing you every nuance of Linux from a security standpoint, showing you the potential chinks in the armor and the locks waiting to be picked. You get an excellent view of exactly how an attacker can get into your computer, and at each step you learn the configuration changes you can make to keep them out. I don't think there's a better way to explain the dangers than by watching how the attacks work, and this book sets the standard. I find the appendices to be extremely valuable, because they detail how to recover a compromised system, how to keep your software up to date, even how to patch and recompile your kernel with the exact same functionality of the one you're running, to avoid configuration changes, crashes, or other surprising results. No Linux administrator can survive without a copy of Hacking Linux Exposed, Second Edition on their bookshelf.
on July 16, 2001
Most technical books are either detailed and unreadable, or wordy and lack depth. This book is more like a conversation between the authors and the readers. Instead of pointing at things and letting you read other people's code, it walks you through the theory and exploits, letting you try out the attack manually on your own system as you read the book.
I actually wrote Mr. Hatch about a question, and he was extremely helpful. Through a long conversation we had, I found that the authors taught classes at Northwestern University, which is probably where their communication skills came from. Unlike many experts out there who sit in a 30 minute session with 5 minutes of questions afterwards, these guys have had to actually teach students from the ground up for an entire term. Their skill in communicating, rather than just talking, really shows in their book.
Anyway, if you want a list of attacks against Linux systems, there are many books out there you'll be fine with. However if you want a book that will truly teach you what they are, how they work, and how to defend against them, there is only one option: Hacking Linux Exposed.
on January 11, 2003
"Hacking Linux Exposed", 2nd edition does what few books do - it exceeds its first edition in both the extent of coverage and presentation style. Note that the first book was already a great resource.
The book now appeals not only to Linux beginners, but to more advanced users and developers as well. It provides wonderfully detailed and correct technical descriptions, gives sound and simple-to-use advice and entertains with great writing style and the authors' sense of humor. The content of the book is also very current (late 2002). It shines brilliantly against the background of vaporous and unoriginal security books published today.
Wireless, physical attacks and social engineering are woven into the fabric of Linux security. There are fun descriptions of classic attacks, which provide worthwhile reading even for people who already know them. The section on attacks against network clients is especially interesting, as those attacks were used in some recent high-profile penetrations.
Kernel security (including capabilities) gets the coverage it deserves. The code for an entire loadable kernel module (LKM) is included. Several common malicious LKMs are analyzed in the book. In addition, the authors show how attackers can easily modify the Linux kernel itself to hide programs and get extra privileges.
A nice summary of attack methods against many network protocols is very useful as a reference. For example, many attacks against FTP are described, analyzed, and practical protection techniques are outlined. The description of the security of various mail servers is detailed and comprehensive. I also liked the well-supported argument of DJBDNS vs BIND.
An overview of classic backdoor methods is similarly useful. Crontab backdoors, .forward abuse and other techniques are all in the book. Also, a well-written overview of CGI abuses that delves into the realm of security programming is provided.
Another advantage is that the authors uncovered many great little-known security tools for Linux and provided useful descriptions of their use. Overall, tool descriptions are kept to a reasonable size, add value to the tools' included documentation and give pointers to learn more by using them.
Book appendices contain a fun case study, and a great section on "Discovering and Recovering from Attacks". Be sure to read the appendix and keep the book handy as a reference.
Overall, the book is a necessary tool for security professionals and others dealing with Linux security. I suspect that even the most advanced Linux security experts will pick up a thing or two from the book. The book's information delivery is flawless.
Anton Chuvakin, Ph.D., GCIA is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org
on July 9, 2001
I was beefing up my outdated security bookshelf, and thought I'd snag the latest in the Hacking Exposed series. I figured that since it was only covering one OS it would be able to have more depth, one of the chief failings of Hacking Exposed.
Well, I was not disappointed. This book covered aspects of Linux and network security that I had not ever thought of. It makes very appropriate use of source code to illustrate problems, and shows you the attacks in both manual and automated forms so you can actually see what's going on, rather than just saying "run the blah program" as so many other books do.
This book has information that will be useful for the newbie, but excels in including detail appropriate for all audiences. In that respect, this book almost reads like a textbook on how to hack and secure. If you're a new Linux user, you'll find good starter information, and want to come back to this periodically as you learn more. If you think you know Linux security, then this is the book against which you should test yourself. I doubt most folks have tried half the things listed in chapter 10.