Aikido on the Command Line: Linux Hardening and Containment

Jay Beale | August 1-2 & 3-4



Overview

System compromise is so common that it seems unavoidable. Even with perfect patching, our systems may be compromised through vulnerabilities that don't have patches yet or through "0-day" vulnerabilities that only the attackers know about! You don't have to stand for this kind of weakness, though. There are great defensive technologies and techniques that allow security professionals and system administrators to deflect attacks. In this fully hands-on course, you will learn how to protect a Linux system from compromise and how to prove that your defense has worked. We'll even attack our systems, demonstrating how hard-core hardening can defeat them.

This course starts with core system lockdown, and then moves on to hard-core server application defense, where we create least-privileged and well-confined configurations that break exploits. Using defense in depth, we not only jail server programs but also tune their internal configurations to keep exploits from reaching the vulnerable code. For example, we'll configure PHP variables to better protect applications, chroot the Apache server, and deactivate Apache modules to reduce the chance that the next vulnerability in Apache comes from code we're running. Once we've accomplished all of this best-practices work, the deep protection comes from applying the latest security technology to better deflect attacks.

The following are a few examples of that "next level" of defensive technology. We'll use Docker and Linux containers to contain server programs. We'll protect web applications from their own flaws using mod_security, the IPS module for Apache and Nginx. We'll build host-based and multi-leg firewalls with iptables and firewalld and build on this by learning how to use port knocking to make our SSH daemon, web server, or VPN concentrator invisible to attackers. We'll learn how to apply AppArmor to focus SELinux-style exploit disruption and containment on a few key programs without dramatically changing the way the system is configured. We'll also work with SELinux. We'll learn how to detect attacks and compromises with OSSEC, a free program that includes file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Students will gain skills in performing system lockdown and applying defensive technology to prevent or contain a system compromise. While the course specifically covers Red Hat and Ubuntu Linux, it does apply very directly to all Linux distributions and broadly to all UNIX variants.

Students will leave this course with the ability to:
  • Configure Linux for much greater resilience to attack.
  • Configure Web, Mail, DNS, FTP, and proxy servers to break exploits against known and unknown vulnerabilities.
  • Contain each of the above servers with defenses like Docker and Linux containers, backed by AppArmor or SELinux.
  • Deploy mod_security to add IPS functionality to Apache.
  • Configure transaction signatures (TSIG) and DNSSEC to protect against DNS spoofing and phishing attacks.
  • Add mail filtration to Sendmail to thwart spammers and phishers.
  • Create host-based Linux firewalls and multi-leg firewalls to protect internal servers from hostile users.
  • Add port-knocking technology to dramatically reduce the exposure of hosting private services on the Internet.
  • Deploy OSSEC for scalable compromise detection.
  • Use encryption (SSH, PGP/GPG, openssl) to create safer processes and administration.
  • Bonus session on Security-Enhanced Linux (SELinux).

Who Should Take this Course

System administrators and IT Security professionals.

Student Requirements

Students should bring a working understanding of Linux or UNIX.

What Students Should Bring

Students should bring a laptop with VMware Player, Fusion or Workstation, with at least 8GB of RAM. The host operating system may be either 32- or 64-bit.

What Students Will Be Provided With

USB thumb drives containing the slides, virtual machines and tools used in the class.

Trainers

Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Unix Scoring Tool, both of which are used throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. Jay is a founder and the Chief Operating Officer of the information security consulting company InGuardians.