Introduction

Welcome to Maximum Security, Fourth Edition. This introduction covers the following topics:

Why Did We Write This Book?

The Maximum Security series, which debuted in 1997, has thus far enjoyed relative success. I use the term “relative success,” because security title sales have historically trickled, rather than gushed. For altering this and fostering a new market, the editors at Sams deserve kudos. Their insights have proven providential: Today, Maximum Security titles sell in five countries, five languages, and on four continents. Furthermore, the Maximum Security series has inspired many fine similar books from seasoned security professionals here and abroad.

The success of the Maximum Security series is no mystery. Security has never before been so sensitive an issue, nor an issue so vital to business. Many firms have now evolved well beyond mere Web presences and incorporate sophisticated e-commerce functionality into their systems. These developments have increased the demand for books that help administrators shield their enterprises from crackers, and Maximum Security titles have—in varying degrees—satisfied that need.

System Requirements

This section addresses what hardware, software, and documentation you’ll need to reap the maximum benefit from this book. I’ve divided these into four sections:

  • Absolute requirements—Things you must have.

  • Archiving tools—Tools to unpack source code, archives, and packages that can enhance and secure your servers and network.

  • Text and typesetting viewers—Tools that will substantially enhance and widen your knowledge by enabling you to read relevant online documents.

  • Programming languages—Tools to use source code, packages, and utilities that enhance your network’s security and functionality.

Absolute Requirements

To benefit from this book, you’ll need at least the following:

  • Unix, Linux, Windows, Amiga, OS/2, or BeOS

  • A dedicated box running one of these platforms

  • A network or Ethernet connection

Your network or Ethernet connection is not a strict requirement (you can use simple loopback), but without it, you won’t be able to exploit some of the examples. However, loopback enables you to simulate many conditions and configurations that would normally exist only on the Internet or in intranet environments. Thus, even a single machine not connected to a network provides you with a microcosmic version of the Internet, and this, for the most part, will suffice.

Archiving Tools

You’ll also need document and file utility support. This book points you to many Net-based resources, and even now not all Web sites or researchers provide documents in a standardized format (although Adobe’s Portable Document Format (PDF) seems to be rapidly filling that gap).

Also, many utilities, source code, and packages originate from disparate platforms. Some are compressed on Unix, some are packaged on Windows, and so on. Therefore, you will need to have at least the tools mentioned in Table I.1.

Table I.1. Popular Archive Utilities

| Utility | Platform | Description and Location |
|---|---|---|
| Winzip | Windows | Winzip decompresses files compressed to ARC, ARJ, BinHex, gzip, LZH, MIME, TAR, Unix compress, and Uuencode archives. Winzip is available at http://www.winzip.com/. |
| gunzip | Unix | gunzip unpacks files compressed with gzip or compress. |
| tar | Unix | tar unpacks tar archives made on Unix systems. |
| StuffIt | Macintosh | StuffIt decompresses ARC, Arj, BinHex, gzip, Macbinary, StuffIt, Uuencoded, and ZIP archives. StuffIt is available at http://www.aladdinsys.com/expander/index.html. |

Text and Typesetting Viewers

Many commercial word processors and editors read and write data to proprietary formats. Plain text viewers seldom read such formats, which often contain control characters, unprintable characters, and sometimes even machine language. Although this situation is changing (because most text and word processors are now migrating to XML), many documents I reference are not backward compatible or don’t open cleanly in plain text viewers. Thus, you’ll need one or more readers to examine them.

NOTE

Readers decode documents written in formats not supported by your native application set. For example, Adobe’s free PDF reader enables you to read PDF documents, and Microsoft’s Word reader enables users that don’t own Word to read Word-encoded documents.

Table I.2 lists several such utilities and their locations.

Table I.2. Readers for Popular Word-Processing Formats

| Reader | Description and Location |
|---|---|
| Adobe Acrobat | Adobe Acrobat Reader decodes PDF files. Acrobat Reader is available for DOS, Windows, Windows 95, Windows NT, Unix, Macintosh, and OS/2. Get it at http://www.adobe.com/supportservice/custsupport/download.html. |
| GSView | GSView reads PostScript and GhostScript files. GSView is available for OS/2, Windows, Windows 3.11, Windows NT, and Windows NT. Get it at http://www.cs.wisc.edu/~ghost/gsview/index.html. |
| Word Viewer | Word Viewer reads Microsoft Word files. Word Viewer is available for Windows (16-bit) and Windows 95/NT. You can get either version here: http://www.asia.microsoft.com/word/internet/viewer/viewer97/default.htm. |
| PowerPoint Viewer | PowerPoint Viewer decodes Microsoft PowerPoint presentations. PowerPoint Viewer for Windows 95 is available here: http://www.gallaudet.edu/~standard/presentation/pptvw32.exe. PowerPoint Viewer for Windows NT is available here: http://www.gallaudet.edu/~standard/presentation/pptvw32.exe. |

Programming Languages

Some examples in this book reference source code. To use the source code in this book, you’ll need one or more compilers or interpreters.

Table I.3 lists these languages and tools.

Table I.3. Compilers and Interpreters

| Tool | Description and Location |
|---|---|
| C and C++ | The Free Software Foundation offers freeware C/C++ compilers for both Unix and DOS. The Unix version can be downloaded here: http://www.gnu.org/software/gcc/gcc.html. The DOS version can be downloaded here: http://www.delorie.com/djgpp/. Also, any recently released native or third-party C/C++ compiler will do, including CygWin, Watcom, Borland, and so on. |
| Perl | The Practical Extraction and Report Language (Perl) is often used in network programming (and especially Common Gateway Interface programming). Perl runs on Unix, Macintosh, and Windows NT, and is freely available here: http://www.perl.com/latest.html. |
| Java | Java (a Sun Microsystems programming language) is free and available here: http://www.javasoft.com/. |
| JavaScript | JavaScript is a language embedded in Microsoft Internet Explorer (MSIE), Netscape Navigator, and many other Web clients. To use JavaScript scripts, you should have MSIE, Netscape Navigator, or Netscape Communicator. These are free for noncommercial use and are available at either http://www.microsft.com or http://home.netscape.com. |
| PHP | PHP, the Hypertext Pre-Processor, is a lightweight but powerful in-line scripting language that interfaces through Web servers to MySQL and other database packages. If you don’t already have it, get PHP here: http://www.php.net. |
| Python | Python is an object-oriented scripting language now commonly used in system administration and CGI work. Like PHP, it also interfaces with Web servers and even low-level operating system administrative utilities. Only a few examples in this book use Python, but to try them, you’ll need a Python interpreter. Get one here: http://www.python.org/. |
| SQL | Structured Query Language (SQL) is for interacting with databases. SQL is not strictly required. However, even a shallow knowledge of SQL might help, as some examples briefly touch on it. For this, you needn’t obtain any particular utility, but rather an introductory primer (book, Web site, and so on) for reference purposes. |
| VBScript | VBScript is a Microsoft scripting language that manipulates Web browser environments. VBScript itself and VBScript documentation are freely available at http://msdn.microsoft.com/scripting/vbscript/default.htm. |

NOTE

If the comments on programming languages seem intimidating, have no fear. This book will explain everything necessary to use the examples herein. You needn’t be a programmer nor ever write a line of code to use this title.

About Examples in This Book

If you’re like me, you buy computer titles for their examples. Often, such examples instruct you to execute a command or compile source code. It is through such examples and exercises—even more than by attending formal classes—that we learn to administrate our systems, achieve competence in various technologies, and write solid code.

Unfortunately, many computer titles contain examples that for one reason or another don’t enlighten us, or worse, don’t work properly.

Some familiar scenarios:

  • Authors sometimes demonstrate a command but include only its abbreviated output. They omit additional output, including unexpected output, errors, and so on. Books that omit such data leave you stranded when things go wrong. You’re unfamiliar with the unexpected output, and you don’t know how to proceed.

  • Authors also sometimes generate examples on custom platforms and configurations, using custom tools. They might use shared libraries, for example, which you haven’t yet installed, or libraries that your operating system doesn’t natively support. If authors fail to warn you about these conditions, you may encounter unexpected or negative results.

  • Other authors, faced with impending deadlines, work in haste and sometimes fail to double-check that their examples work as intended. Although most such authors have excellent technical editors charged with nixing unacceptable code, such errors can still slip through to printed editions. (This is especially so when multiple authors and/or editors work on the same title.)

  • Finally, many authors assume that their readers have long experience in advanced subjects (such as compilation), and therefore skip details that, when absent, can materially affect your project (or even flatly prevent you from achieving the desired result).

Publishers invariably correct these issues by posting errata and patch code on their Web sites. However, these corrections emerge weeks or months after the title’s initial release. In the interim, readers angrily voice their complaints on Amazon, in newsgroups, and in other public places—and rightly so. Computer titles are expensive, after all, and at a minimum, their examples should work as promised.

Hence, starting with Maximum Linux Security, I have taken a fastidious approach to examples and program output:

  • If an example worked only on exotic configurations, I omitted it.

  • If, when testing a program, utility, or configuration, I found that it behaved strangely or in an unintended manner, I omitted it.

  • When documenting examples, I often include exhaustive output. This isn’t to seed the book with superfluous filler (raising the page count, and therefore the price). Rather, I do it to ensure that what you see is precisely what you’ll see when you implement an example. My aim is to show you exactly what to expect. If your output differs from mine, an abnormal condition arose. And, more times than not, if you skip ahead a paragraph or two beyond the example, I explain possible alternatives, output, and the likely cause.

This approach guarantees that some examples and their accompanying commentary will seem inordinately verbose. However, it also guarantees that this book will give you a more holistic understanding of security than most others in its class. Indeed, after reading this book, you’ll find errors, output, and general system behavior far less perplexing. You’ll proceed competently, armed with implacable confidence.

About Links and References in This Book

Like all Maximum Security titles, Maximum Security, Fourth Edition provides many links to online resources. I (and my coauthors) do this for several reasons. First, no book can impart everything about a given subject. Rather, books at best offer an overview, point you in the proper direction, and give you hands-on experience through examples. But in IT—a rapidly evolving field in which you must constantly update your skill set—even these generous gifts are insufficient. Today’s computer books must do more than merely explain technologies; they must serve as springboards that not only inform you, but also inspire and enable you to conduct further, independent research.

Also, after you ace installation or configuration of a given operating system or application, you’re ready to move on. If the application is extensible, you’ll want to extend it; if it needs a patch, you’ll want to patch it; if other tools collaborate with it, you’ll want them, as well.

Finally, today, time is money. Each time you spend an hour or more searching for an online tool, advisory, or article, you lose money (not to mention precious minutes of life). In the meantime, you could be doing something else, something productive. Maximum Security titles provide innumerable pointers at your fingertips and alleviate the need for you to search for anything. This saves you time, money, and aggravation.

So, I always include in my titles long resource lists pertaining to the present subject matter. Thus, my titles serve not merely as treatises, but also references and road maps to detailed information located elsewhere.

Some facts about this book’s links:

  • I and the Sams editorial team took exhaustive measures to ensure that this book’s links were valid at press time. This doesn’t mean that every link will be valid, though. The WWW is dynamic, documents move, some Web masters are flaky, and some ISPs fold. Hence, it’s likely that a small percentage of the URLs I reference will be invalid by the time you read this. Regrettably, this is beyond our control. For this reason (and to further reduce the likelihood of you drowning in 404 errors), I have provided at least one alternative URL for each link whenever possible.

  • Regarding URLs built from CGI strings: These strings can be incredibly long and inconvenient to manually enter. I approached this in two ways. First, if a document resided at such a URL, I used the filename to search for an alternative location, one with a shorter URL. Whenever possible, I provided the alternative URL instead. In cases where the 130-character CGI-based URL was the only source available, I added that URL to long-urls.html on the accompanying CD-ROM. Thus, when you surf URLs from this book, if you encounter an impossibly long one, throw in the CD, pull up the file, and click away.

  • Regarding commercial, shareware, and freeware products: My coauthors and I point to hundreds (or sometimes, thousands) of applications, tools, and utilities. We often comment on these, too, sometimes praising their functionality and developers. If we mention a product, we do so merely because it’s useful or because we generated examples with it (and not because we want to commercially endorse the product). Having related that, we do thank vendors and developers that rendered technical support on their products—their help was indispensable.

A Final Note

In this fourth edition (as with its predecessor), I’m proud to have excellent and highly competent coauthors aboard. I’m indebted to Billy Barron, Brooke Paul, Greg Vaughn, Rob Blader, David Harley, Jim Cooper, Nicholas Raba, Cyrus Peikari, Brett Neilsen, Craig Balding, Greg Shipley, Jonathan Feldman, Chad Cook, L.J. Locher, Joe Jenkins, Toby Miller, and Gregory White for enhancing this edition of Maximum Security.

Maximum Security starts with general security issues common to any server and ends with security issues surrounding very specific configurations, operating systems, and technologies. We hope you find it useful.

—Anonymous
