Linux Lockdown and Proactive Security

Jay Beale | August 2-3 & 4-5


Overview

System compromise is so common that it seems unavoidable. Even with perfect patching, our systems may be compromised through vulnerabilities that don't have patches yet or through "0-day" vulnerabilities that only the attackers know about! You don't have to stand for this kind of weakness, though. There are great defensive technologies and techniques that allow you to deflect attacks even when you're not patched. In this fully hands-on course, you will learn how to protect a Linux system from compromise and how to prove that your defense has worked. We'll even attack our systems, demonstrating how hard-core hardening can defeat them.

This course starts with core system lockdown, and then moves on to hardcore server application defense, where we create least-privileged and well-confined configurations that break exploits. Using defense in depth, we not only jail server programs but also tune their internal configurations to keep exploits from reaching the vulnerable code. For example, we'll configure PHP variables to better protect applications, chroot the Apache™ server, and deactivate Apache modules to reduce the chance that the next vulnerability in Apache comes from code we're running. Once we've accomplished all of this best practices work, the deep protection comes from applying the latest security technology to better deflect attacks.

The following are a few examples of that "next level" of defensive technology. We'll protect web applications from their own flaws using mod_security, the IPS module for Apache and Nginx. We'll build host-based and multi-leg firewalls with iptables and build on this by learning how to use port knocking to make our SSH daemon, web server, or VPN concentrator invisible to attackers. We'll learn how to apply AppArmor to focus SELinux-style exploit disruption and containment on a few key programs without dramatically changing the way the system is configured. We'll learn how to detect attacks and compromises with OSSEC, a free program that includes file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Students will gain skills in performing system lockdown and applying defensive technology to prevent or contain a system compromise. While the course specifically covers Red Hat®, Ubuntu and SuSE™ Linux, it applies very directly to all Linux distributions and broadly to all UNIX variants.

Students will leave this course with the ability to:
• Configure Linux for much greater resilience to attack.
• Configure Web, Mail, DNS, FTP, and proxy servers to break exploits against known and unknown vulnerabilities.
• Confine each of the above servers with chroot jails and AppArmor defense.
• Deploy mod_security to add IPS functionality to Apache.
• Configure transaction signatures (TSIG) and DNSSEC to protect against DNS spoofing and phishing attacks.
• Add mail filtration to Sendmail to thwart spammers and phishers.
• Create host-based Linux firewalls and multi-leg firewalls to protect internal servers from hostile users.
• Add port-knocking technology to dramatically reduce the exposure of hosting private services on the Internet.
• Deploy OSSEC for scalable compromise detection.
• Use encryption (SSH, PGP/GPG, openssl) to create safer processes and administration.


Who Should Take This Course

System administrators and IT Security professionals.


Student Requirements

Students should bring a working understanding of Linux or UNIX.


What Students Should Bring

Students should bring a laptop with VMware Player, Fusion or Workstation, with at least 8GB of RAM. The host operating system may be either 32- or 64-bit.


What Students Will Be Provided With

• Printed course materials
• USB thumb drives containing the virtual machines and tools used in the class


Trainers

Jay Beale has created several defensive security tools, including Bastille Linux/UNIX and the CIS Unix Scoring Tool, both of which are used throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. Jay is a founder and the COO of the information security consulting company InGuardians.