Compromise is so common as to seem unavoidable. Even with perfect patching, systems can be compromised by "zero-day" vulnerabilities that only a few people even know exist. You don't have to stand for this kind of weakness! There are effective defensive technologies and techniques allow security professionals and system administrators to deflect and contain attacks. In this hands-on course, you'll learn how to protect a Linux system from compromise and then prove that your defense succeeded. We'll even attack our systems, demonstrating how hard-core hardening can defeat attacks.
This course begins with core system lockdown, then moves on to application defense, where we create least-privilege and well-confined configurations that break exploits. Using defense-in-depth, we'll not only create jails but also tune the server programs within them to keep exploits from reaching their vulnerable code. For example, we'll jail the Apache web server with SELinux, AppArmor and a Linux container. Then we'll set PHP variables to restrict what a vulnerable PHP application can do. Finally, we'll deactivate whole modules, reducing the odds that the next Apache vulnerability is even present on our machine. Once we've accomplished all of this best practice work, we'll get deeper protection from applying the latest security technology to better deflect attacks.
Here are a few examples of that deeper defensive technology. We'll protect web applications from their own flaws with ModSecurity, the intrusion prevention system (IPS) for Apache and Nginx. We'll build Linux firewalls with iptables and firewalls, then build on this by using GPG-based port knocking to make our SSH daemon, web server or VPN concentrator inaccessible to attackers. We'll learn how to use SELinux, but also learn AppArmor, which can bring similar exploit disruption to a few key programs without dramatically changing the way you administer the system. We'll learn to detect and respond to attacks using OSSEC, a free program that includes file integrity checking, rootkit detection, real time alerting and active response.
Students will gain skills in performing system lockdown and applying defensive technology to prevent and contain compromises. While this class focuses on Red Hat and Ubuntu Linux, it applies directly to all Linux distributions and broadly to all UNIX variants.
Students will leave this course able to:
- Configure Linux machines for much stronger attack resiliency.
- Configure Web, Mail, DNS, FTP, and Proxy server applications to break exploits against known and unknown vulnerabilities.
- Use SELinux and AppArmor to restrict and harden server programs.
- Use Docker and LXD to create Linux containers to jail server programs.
- Deploy ModSecurity to add web application firewall functionality to Apache and Nginx.
- Configure DNS encryption (TSIG and DNSSEC) to protect against DNS spoofing and phishing attacks.
- Thwart spammers and phishers with anti-malicision mail tools and techniques, including SpamAssassin.
- Create host-based and multi-leg firewalls, with optional GPG-backed port knocking.
- Detect and respond to attacks with OSSEC.
- Use encryption to create safer processes and administration.
System administrators and IT Security professionals.
Students should bring a working understanding of Linux or UNIX.
Students should bring a laptop with VMware Player, Fusion or Workstation, with at least 8GB of RAM. The host operating system may be either 32 or 64-bit.
USB thumb drives containing the slides, virtual machines and tools used in the class.
