System compromise is so common that it seems unavoidable. Even with perfect patching, our systems may be compromised through vulnerabilities that don't have patches yet or through "0-day" vulnerabilities that only the attackers know about. You don't have to stand for this kind of weakness, though. There are great defensive technologies and techniques that allow security professionals and system administrators to deflect attacks. In this fully hands-on course, you will learn how to protect a Linux system from compromise and how to prove that your defense has worked. We'll even attack our own systems, demonstrating how hard-core hardening defeats those attacks.
This course starts with core system lockdown and then moves on to hard-core server application defense, where we create least-privileged and well-confined configurations that break exploits. Using defense in depth, we not only jail server programs but also tune their internal configurations to keep exploits from reaching the vulnerable code. For example, we'll configure PHP variables to better protect applications, chroot the Apache server, and deactivate Apache modules to reduce the chance that the next vulnerability in Apache is in code we're actually running. Once we've accomplished all of this best-practices work, the deeper protection comes from applying the latest security technology to better deflect attacks.
The following are a few examples of that "next level" of defensive technology. We'll use Docker and Linux containers to contain server programs. We'll protect web applications from their own flaws using mod_security, the IPS module for Apache and Nginx. We'll build host-based and multi-leg firewalls with iptables and firewalld, and build on this by learning how to use port knocking to make our SSH daemon, web server, or VPN concentrator invisible to attackers. We'll learn how to apply AppArmor to focus SELinux-style exploit disruption and containment on a few key programs without dramatically changing the way the system is configured. We'll also work with SELinux itself. Finally, we'll learn how to detect attacks and compromises with OSSEC, a free program that includes file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response.
Students will gain skills in performing system lockdown and applying defensive technology to prevent or contain a system compromise. While the course specifically covers Red Hat and Ubuntu Linux, it applies very directly to all Linux distributions and broadly to all UNIX variants.
Students will leave this course with the ability to:
- Configure Linux for much greater resilience to attack.
- Configure Web, Mail, DNS, FTP, and proxy servers to break exploits against known and unknown vulnerabilities.
- Contain each of the above servers with defenses like Docker and Linux containers, backed by AppArmor or SELinux.
- Deploy mod_security to add IPS functionality to Apache.
- Configure transaction signatures (TSIG) and DNSSEC to protect against DNS spoofing and phishing attacks.
- Add mail filtration to Sendmail to thwart spammers and phishers.
- Create host-based Linux firewalls and multi-leg firewalls to protect internal servers from hostile users.
- Add port-knocking technology to dramatically reduce the exposure of private services hosted on the Internet.
- Deploy OSSEC for scalable compromise detection.
- Use encryption (SSH, PGP/GPG, openssl) to create safer processes and administration.
- Bonus session: an introduction to Security-Enhanced Linux (SELinux).
This course is intended for system administrators and IT security professionals.
Students should bring a working understanding of Linux or UNIX.
Students should bring a laptop with VMware Player, Fusion, or Workstation installed and at least 8 GB of RAM. The host operating system may be either 32- or 64-bit.
Students will receive USB thumb drives containing the slides, virtual machines, and tools used in the class.