AIKIDO ON THE COMMAND LINE: LINUX HARDENING AND CONTAINMENT

Jay Beale | July 22-23 & July 24-25



Overview

Compromise is so common as to seem unavoidable. Even with perfect patching, systems can be compromised by "zero-day" vulnerabilities that only a few people even know exist. You don't have to stand for this kind of weakness! There are effective defensive technologies and techniques allow security professionals and system administrators to deflect and contain attacks. In this hands-on course, you'll learn how to protect a Linux system from compromise and then prove that your defense succeeded. We'll even attack our systems, demonstrating how hard-core hardening can defeat attacks.

This course begins with core system lockdown, then moves on to application defense, where we create least-privilege and well-confined configurations that break exploits. Using defense-in-depth, we'll not only create jails but also tune the server programs within them to keep exploits from reaching their vulnerable code. For example, we'll jail the Apache web server with SELinux, AppArmor and a Linux container. Then we'll use Suhosin to restrict what a vulnerable PHP application can do. Finally, we'll deactivate whole modules, reducing the odds that the next Apache vulnerability is even present on our machine. Once we've accomplished all of this best practice work, we'll get deeper protection from applying the latest security technology to better deflect attacks.

Here are a few examples of that deeper defensive technology. We'll protect web applications from their own flaws with ModSecurity, the intrusion prevention system (IPS) for Apache and Nginx. We'll build Linux firewalls with iptables and firewalls, then build on this by using GPG-based port knocking to make our SSH daemon, web server or VPN concentrator inaccessible to attackers. We'll learn how to use SELinux, but also learn AppArmor, which can bring similar exploit disruption to a few key programs without dramatically changing the way you administer the system. We'll learn to detect and respond to attacks using OSSEC, a free program that includes file integrity checking, rootkit detection, real time alerting and active response.

Students will gain skills in performing system lockdown and applying defensive technology to prevent and contain compromises. While this class focuses on Red Hat and Ubuntu Linux, it applies directly to all Linux distributions and broadly to all UNIX variants.

Students will leave this course able to:

  • Configure Linux machines for much stronger attack resiliency.
  • Configure Web, Mail, DNS, and FTP server applications to break exploits against known and unknown vulnerabilities.
  • Use Suhosin to protect PHP applications
  • Use SELinux and AppArmor to restrict and harden server programs.
  • Use Docker and LXD to create Linux containers to jail server programs.
  • Deploy ModSecurity to add web application firewall functionality to Apache and Nginx.
  • Configure DNS encryption (TSIG and DNSSEC) to protect against DNS spoofing and phishing attacks.
  • Thwart spammers and phishers with anti-malicious mail tools and techniques, including SpamAssassin.
  • Create host-based firewalls, with optional GPG-backed port knocking.
  • Use encryption to create safer processes and administration.
  • Detect and respond to attacks with OSSEC.

Who Should Take this Course

System administrators, IT Security professionals and DevOps engineers.

Student Requirements

Students should bring a working understanding of Linux or UNIX.

What Students Should Bring

Students should bring a laptop with VMware Player, Fusion or Workstation, with at least 8GB of RAM. The host operating system must be 64-bit. Students should also download the virtual machines and confirm that they run before the class begins.

What Students Will Be Provided With

Students will be provided with virtual machines and free tools via download or USB thumb drive.

Trainers

Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which were used widely throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. Jay is a founder and the Chief Operating Officer of the information security consulting company InGuardians.