Red Hat Linux Internet Server
Authors: Paul Sery and Jay Beale
Wiley, 2003

Red Hat Linux Internet Server is a fairly weighty book which sets out to show you how to offer services on the Internet, using a Red Hat system (or systems). This is a worthy task: there are a lot of GNU/Linux systems out there, serving Internet content, and there will hopefully be more as time goes on. I should probably point out now that there's no distribution called "Red Hat Internet Server". This book is targeted at Red Hat systems in general, and Linux systems even more generally; it is not particular to a specific Red Hat distribution or version.

The book is well structured, at the top level: they split this job into the process of building Linux networks, building a web server, providing basic internet services, managing servers and increasing security. This seems to me a very good way to break it down.

Within those divisions, things are broken down further. For example, providing basic internet services breaks down into a chapter on DNS, one on SMTP (mail servers), one on FTP and one on SaMBa. I don't know if I would have picked those as my sample services, but they illustrate the point pretty well. So far, I have no quibbles.

But the devil, as ever in these cases, is in the details. I don't want this review to turn into a series of nitpicks, but it's impossible to explain my general dissatisfactions honestly without explaining some particulars. Don't get me wrong, it's not a bad book; but with a little more care it could have been a lot better than it is.

In the first section, Building a Linux Network, they do a good job of explaining networking basics. Internetworking in general is covered, the concept of the DMZ is introduced and recommended (separate your world-accessible boxes from your private boxes). Configuring a basic Red Hat system is covered (without restricting themselves to Red Hat's tools, which endears them to me; some of these techniques will work on other Linuces). Basic firewalling concepts are covered and an example firewall is built, and network troubleshooting techniques are considered.

But although they explain how to subnet your intranet, and the benefits, they don't discuss the performance cost of the extra routed hop. Ifconfig is used to bring interfaces up and down, but the netmask option is never discussed; in a chapter on subnetting, this seems an unwise omission. It is true that they discuss Classless Inter-Domain Routing (CIDR) and variable-length subnet masks much later, but you need to know this stuff now if you're going to start subnetting your intranet. They discuss the distinction between UDP and TCP, but since they define "reliable delivery" as "possibly unacknowledged", they completely duck the major distinction between the two protocols.

When they discuss firewalling, they descend into basic factual errors; the "-b" and "-y" options of ipchains are presented as if they were still in iptables, which they aren't. Had they tried a couple of lines of test code, they would have found this out; it makes me worry how many other untested code chunks are presented as recipes. In some cases, double dashes have been turned into single dashes, which renders them syntactically useless, but then Wiley have done exactly the same thing to me, so I can't blame them for this.

I am less inclined to forgive them for their handling of hybrid firewalls. It is true that application-layer firewalls are more secure than packet-layer firewalls, state engines notwithstanding. It may also be true that a hybrid combination of the two may be the best bet for getting the strengths (as well as the weaknesses) of both approaches. But what they present as a hybrid firewall is nothing of the sort - it's a packet-filtering firewall with a remote access solution shoved down its throat.

Another more general complaint is the unstated US-centric nature of the book. Some of their arguments in favour of ADSL over cable modem are invalidated by the oversubscription of the uplink in European ADSL; their analysis of serial lines ignores the E1 bandwidth class but goes at some length into the definition of an RBOC (Baby Bell). Later, they discuss top-level domains in the DNS while completely ignoring all the country-code top-level domains; if you try to rectify this oversight, you founder on their home-grown terminology of "major domains". It's completely fine to ignore complexity at any level, but not without clarifying your assumptions. Many times throughout this book, complexity - whether national or technical - is mentioned and then skated over, and this is not a good idea in a technical work.

The next major section, Building a World Wide Web Server, breaks down into a chapter on apache, one on database connectivity, and one on simple audio streaming.

The chapter on apache includes a discussion about SSL, and some consequent discussion of certificates and Certificate Authorities, which is well handled. It's a complex field, and they have done well to pull the worms of vital data from the compost heap of, well, compost. That said, they specifically say they will discuss the use of VirtualHost under SSL, which they don't, and they ignore the often-misunderstood problems of SSL in a NameVirtualHost context.

When they discuss the vital concept of database connectivity, they present some sample web pages written in perl. This is definitely a good thing. PHP, however, is a major player in the dynamic content and database interaction market, and more mention of it than a single passing sentence would have been nice.

I can only assume that the chapter on streaming audio is supposed to be another example of content that can be served from a web server. If I'm wrong, I have less than no idea why it's in the book; I can't believe we're all setting up pirate internet radio stations. If I'm right, and it's there as an example of http technology, then I applaud the desire to show how HTTP can really deliver, but wouldn't a chapter on PHP, or some other dynamic scripting language, have been a better example - and a better investment of the reader's time?

The section on basic internet services is good; they have a chapter apiece on DNS, SMTP, FTP and SaMBa. Some of these choices are excellent; DNS is core to any internet operation, and their discussion of split-site DNS tackles an issue far too often skated over. However, they go straight from an in-principle discussion of the DNS into BIND configuration details without bothering to tell you what BIND is, or mention that there are other name server packages you could use. During the configuration discussion, they completely omit to mention the possibility of forwarding nameservers, until on p231 they start telling you how to build one - but the configuration they then provide is for a recursive-resolving nameserver, not a forwarding one.

The chapter on SMTP addresses a very common need - corporate email. Again, it's a choice I can't fault. To their further credit, the authors then fairly lay out the major SMTP package - sendmail - before giving a good justification of their decision to ignore it in favour of postfix. As it happens, I like sendmail, and I think it's a good Mail Transport Agent; but there are others, and they do have strengths where sendmail doesn't. In any case, heterogeneity in the software population is always a strength; in persuading us to consider alternatives, the authors have done the Internet good service. The passing note on spamassassin will alert the conscientious reader to a whole class of software she probably needs to know about.

Sadly, this good sense doesn't last. In the chapter on ftp servers, they pick wu-ftpd - also known as the Internet Bug of the Month Club's favourite ftp server. There are others much better suited to the task of an Internet-facing ftp server - ProFTPd probably being the best of the bunch. All of the features they later denigrate as bad for security - reliance on external code, overcomplexity, monolithic software that does a plurality of jobs - are present in wu-ftpd, and the configuration's tricky as well. I cannot commend their sense in choosing that package.

The choice of SaMBa is even more strange. By their own admission, you should never run this on an Internet-facing server, which is completely true. So what's it doing in this book, guys?

The section on Managing Your Linux Servers is, again, an excellent idea marred by small oversights. Of the two chapters, the first (Automating Network Backups) introduces the popular and excellent AMANDA package, and does a good review of it whilst omitting to tell you how to drill AMANDA service through a firewall; the second (Increasing the Reliability of a Linux Server) gives a good discussion of Single Point of Failure analysis and redundant file systems, before marring it with code that simply won't do what they say it will (section 3 on p366). Their RAID analysis is worthy, but doesn't address how to RAID an existing partition - especially the root partition. Not covering that is fine, but your working sysadmin will need to do it. Mentioning that it's a lot more difficult than setting up a clean, new RAID device seems to me to be the minimum decent level of helpfulness, and a pointer to the HOWTO would have been nice.

The final section is on Increasing Security. This breaks down into Basic Server Security, Hardening the System, Introducing Simple Intrusion Detection Systems and, finally, Log Monitoring and Incident Response. The first of these four chapters is fluff, but it's good fluff. Anyone trying to secure an Internet-facing server would do well to think about the issues they discuss here. I'm a bit less enthusiastic about their spelling in "coup de gras", which along with their choice of domain name throughout - - makes me think they're having a dig at me!

Hardening the System is another good chapter. They rightly note that systems shouldn't run anything that isn't needed, and they give concrete examples on how to audit your system for unwanted cruft, and remove it.

Introducing Simple Intrusion Detection Systems spends more time on fluff and less time on code than I would like, if I were trying to set one up. They waste time telling me, yet again, what the DNS is doing - something I can probably go back to Chapter 9 for if I really need to - and then try to shoot through SNORT configuration in two pages. This isn't a good use of paper.

Log Monitoring is handled fairly well; syslog is presented in some detail (although important details like the use of "=" and "-" in syslog.conf are ignored). Log analysis software is discussed, although mostly in a forensic (how did it all happen so badly?) rather than a real-time (what's happening?) sense.
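For readers who want the "=" and "-" details the review says the book leaves out, here is an added example (not code from the book or from the reviewer): a small Python routine that applies sysklogd's syslog.conf selector rules to a constructed configuration and reports where a given message would land. In sysklogd's syntax a bare priority matches that level and every more-severe one, "=" restricts the match to that single level, "!" turns the test into an exclusion, "none" drops a facility, later selectors on a line override earlier ones, and a leading "-" on a file action tells syslogd to skip the fsync() after each write. The sample configuration and its file paths are constructed for illustration.

```python
"""Route messages through sysklogd-style syslog.conf selectors.

Added example, not from the book or the review.  It implements the classic
sysklogd selector rules: "facility.priority" matches that level and above,
"facility.=priority" matches exactly that level, "!" inverts a test into an
exclusion, "none" drops the facility, and a leading "-" on a file action
means the file is written without an fsync() after every message.
"""

from typing import Optional

# sysklogd severity order, least to most severe
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed sample configuration; the paths are illustrative, not from a real host.
SAMPLE_CONF = """
# Everything at info or above, except mail and authpriv, synced after each write
*.info;mail.none;authpriv.none          /var/log/messages
# All mail traffic, unsynced ("-") because mail logs are chatty
mail.*                                  -/var/log/maillog
# Only mail messages at exactly info ("="), nothing above or below
mail.=info                              /var/log/mail.info_only
# Everything from the kernel except the debug level ("!=" excludes one level)
kern.*;kern.!=debug                     /var/log/kern.nodebug
authpriv.*                              /var/log/secure
"""


def level(name: str) -> int:
    """Numeric severity of a priority name, resolving sysklogd aliases."""
    return PRIORITIES.index(ALIASES.get(name, name))


def selector_decision(selector: str, facility: str, priority: str) -> Optional[bool]:
    """True = select, False = exclude, None = this selector says nothing."""
    facilities, _, prio = selector.rpartition(".")
    fac_list = facilities.split(",")
    if facility not in fac_list and "*" not in fac_list:
        return None
    if prio == "none":
        return False
    negate = prio.startswith("!")      # "!" makes this an exclusion
    prio = prio.lstrip("!")
    exact = prio.startswith("=")       # "=" means this single level only
    prio = prio.lstrip("=")
    if prio == "*":
        hit = True
    elif exact:
        hit = level(priority) == level(prio)
    else:
        hit = level(priority) >= level(prio)   # default: this level and above
    if negate:
        return False if hit else None
    return True if hit else None


def parse_conf(text: str):
    """Yield (selector_list, action) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, action = line.split(None, 1)
        yield selectors.split(";"), action.strip()


def route(conf_text: str, facility: str, priority: str):
    """Return [(path, synced)] for every action the message would be written to."""
    targets = []
    for selectors, action in parse_conf(conf_text):
        decision = None
        for sel in selectors:
            d = selector_decision(sel, facility, priority)
            if d is not None:
                decision = d           # later selectors on the same line win
        if decision:
            synced = not action.startswith("-")   # "-" disables per-message fsync
            targets.append((action.lstrip("-"), synced))
    return targets


if __name__ == "__main__":
    for fac, prio in [("mail", "info"), ("mail", "warning"), ("authpriv", "notice"),
                      ("kern", "err"), ("kern", "debug")]:
        print(f"{fac}.{prio:<8} -> {route(SAMPLE_CONF, fac, prio)}")
```

The "-" flag is worth understanding from an incident-response angle as well as a performance one: an unsynced log file can lose its last few lines if the host crashes or is powered off, so the log that matters most for reconstructing an intrusion (authentication and security events) is the one to leave synced, while chatty, low-value streams such as mail traffic are the candidates for "-".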

In summary, this is a well-intentioned book. The authors have hit their mark more often than they've missed it, but they frequently mar their good aim by failure to check small, but vital, details. The writing style is less turgid than it might be, in a book of this length, and a clear structure helps the readability. But where there is depth, there is insufficient depth, and the tricky deeps are often ignored in silence. I cannot really recommend the book; it could have been done so much better.

© Tom Yates, 2003