Linux Skills and Linux Security
This fast-paced, hands-on class will teach you how to secure UNIX and lock down Linux to protect a system from compromise. You'll learn how the attacks work and how to use hard-core hardening to defeat the bulk of them, taking your machines to a state of minimum necessary risk. The class teaches you how to tighten all major aspects of the operating system for security while balancing this against the purpose of the system and the needs of your organization. You'll learn how to tune kernel and operating system parameters, deactivate components, and tighten the components that remain. You'll examine tightening of the major server applications, including Apache, Sendmail, WU-FTPd, vsftpd and BIND. Along the way, you'll understand how external and internal actors use privilege escalation and how you can lessen their odds of gaining root. You'll also learn to apply key security concepts, from defense-in-depth to least privilege to risk evaluation, to determine what actions you should take and in what order of priority.
Contact Hours: 41 hr Lecture, 31 hr Labs
Prerequisites: Understanding of TCP/IP Protocols
Credits: 72 CPE / 3 CEU
Method of Delivery: Residential (100% face-to-face) or Hybrid
Method of Evaluation: 1. 95% attendance 2. 100% completion of labs
Grading: Pass = attendance + labs & quizzes; Fail = attendance below 95%
Sample Job Titles:
Information Assurance (IA) Operational Engineer
Information Assurance (IA) Security Officer
Information Security Analyst/Administrator
Information Security Manager or Specialist
Information Systems Security Engineer
Information Systems Security Manager
Platform Specialist/ Security Administrator
Security Analyst/ Security Control Assessor
This 72-hour accelerated class is taught face to face or in a hybrid modality. The class includes 72 hours of contact studies, labs, reading assignments and a final exam; passing the final exam is a requirement for graduation.
Who Should Attend: System administrators, security administrators, security auditors, Unix box owners, and anyone who has a vested interest in keeping their systems from being compromised. This course targets system or network administrators and security admins/auditors with an understanding of Unix commands and basic operating system functions. While others are welcome, a complete lack of familiarity is too great a burden to overcome in a 72-hour class.
Text Materials: labs, SU Pen Testing and Linux Testing Materials, resource CDs and attack handouts. Machines: dual-core, 4 GB RAM, 350 GB drives, running a Microsoft OS, Linux and VMware Workstation. Tools for class: Whois, Google Hacking, Nslookup, Sam Spade, Traceroute, Nmap, HTTrack, SuperScan, Nessus, PsTools, Nbtstat, SolarWinds, Netcat, John the Ripper, Nikto/Wikto, WebScarab, HTTP Tunnel (hts.exe), LCP, Cain and Abel, Ettercap (system hacking), Wireshark, tcpdump, dsniff, Metasploit, ISS, web app tools, Core Impact, Snort, Infostego, EtherApe, Firefox with plugins (Hackbar, XSSme...), WebGoat, Wget, CrypTool, curl.
- Students will be able to describe potential system attacks and the actors that might perform them.
- Students will be able to describe cyber defense tools, methods and components.
- Students will be able to apply cyber defense methods to prepare a system to repel attacks.
- Students will be able to describe appropriate measures to be taken should a system compromise occur.
Learning Objectives: 41 hrs Lecture 31 hr Labs:
Students will gain a general understanding of how to harden systems to prevent or contain a system compromise.
- Configure Solaris and Linux for much greater resilience to attack.
- Understand each Solaris and Linux network service and be capable of judging which can or cannot be safely restricted or deactivated.
- Understand each Solaris and Linux boot script and be capable of judging which scripts can or cannot be safely deactivated.
- Audit Solaris and Linux file permissions and Set-UID/GID programs to resist compromise and prevent privilege escalation.
- Configure Apache Web servers for greater resistance to attack.
- Configure vsftpd FTP servers for greater resistance to attack.
- Configure a Linux-based firewall
- Passwords Attacks and Alternative Authentication Techniques
- Memory Attacks, Buffer Overflows
- Configure BIND DNS servers for greater resistance to attack.
- Trojan Horse Programs and Rootkits
- Network-Based Attacks
- Configure Sendmail Mail servers for greater resistance to attack.
- Configure POP and IMAP servers for greater resistance to attack.
- Vulnerability Scanning Tools
- Monitoring and Alerting Tools
- Audit systems with free tools to find better security settings, including Bastille, Titan and the Center for Internet Security's tools
- Network Security Tools
- Configure WU-FTPd FTP servers for greater resistance to attack.
- SSH for Secure Administration
- Forensic Investigation
- Understand and set kernel and operating system variables for best security
- Unix Logging and Kernel-Level Auditing
- Network Time Protocol
- Solaris and Linux Security
- Secure Configuration of BIND, Sendmail, Apache
- Common Issues with Users and Management
Each student will practice the techniques learned on their own Linux system. A shared Solaris machine will also be available for Solaris practice. Students are welcome to harden their own laptop systems as well, in preparation for the hostile networks that can often be found at security conferences.
Lesson 1 (Day 1): 6 hrs Lecture 2 hr Labs
Core Operating System Hardening
The first day of the course will focus on core operating system hardening, teaching students how to thoroughly audit and lock down a Linux system. This process is tailored very closely to a system’s purpose, such that it optimizes a system for the greatest security that is operationally possible. Single-purpose bastion hosts obviously see the most benefit, though general purpose sysadmin workstations still gain a good deal of resistance to break-in. This first day will cover the following major areas/tasks:
Boot Security and Physical Security
An actor with physical access to a Linux machine can usually gain root with trivial attacks. Students will learn both the attacks and how to defend against them.
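Two of the physical-access weaknesses that matter most are a boot loader menu anyone can edit (append `init=/bin/sh` or `single` to the kernel line and boot straight into a root shell) and a single-user mode that hands out a root shell without asking for a password. The checks below are an added example, not course material: they inspect copies of the boot loader and init configuration offline and report whether each protection is in place. The sample configuration files are constructed for the demonstration, and the hash values in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the course): offline checks for boot-loader and
# single-user-mode protection. File paths are parameters so the checks can be
# run against any copy of the configuration.

# grub_boot_password FILE
#   Prints "protected", "weak" (cleartext password) or "unprotected"; exit 0 only if protected.
#   GRUB Legacy (menu.lst/grub.conf): a global "password --md5|--encrypted ..." above the first "title".
#   GRUB 2 (grub.cfg): "set superusers=..." together with a "password_pbkdf2 ..." entry.
grub_boot_password() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable: $cfg" >&2; return 2; }
    # GRUB Legacy: only lines above the first menu entry are global
    res=$(awk '/^[[:space:]]*title/ { exit }
               /^[[:space:]]*password[[:space:]]+(--md5|--encrypted)/ { r = "protected" }
               /^[[:space:]]*password[[:space:]]+[^-]/ { if (r == "") r = "weak" }
               END { print r }' "$cfg")
    # GRUB 2: a superusers list plus either a PBKDF2 hash (good) or a cleartext password (weak)
    if [ -z "$res" ] && grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        if grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg"; then res=protected
        elif grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then res=weak
        fi
    fi
    echo "${res:-unprotected}"
    [ "$res" = protected ]
}

# single_user_requires_login INITTAB
#   SysV init: single-user mode should run sulogin so the console asks for root's
#   password instead of spawning a shell. Prints "protected" or "unprotected".
single_user_requires_login() {
    tab=$1
    [ -r "$tab" ] || { echo "unreadable: $tab" >&2; return 2; }
    if grep -Eq '^[^#]*:S:(wait|respawn):/sbin/sulogin' "$tab"; then
        echo protected; return 0
    fi
    echo unprotected; return 1
}

# Constructed sample configurations for a stand-alone run (hashes are placeholders).
BOOT_DEMO=$(mktemp -d)
cat > "$BOOT_DEMO/menu.lst.bad" <<'EOF'
default 0
timeout 5
title Linux
    root (hd0,0)
    kernel /vmlinuz root=/dev/sda1 ro
EOF
cat > "$BOOT_DEMO/menu.lst.good" <<'EOF'
default 0
timeout 5
password --md5 $1$example$placeholderhash
title Linux
    root (hd0,0)
    kernel /vmlinuz root=/dev/sda1 ro
EOF
cat > "$BOOT_DEMO/grub.cfg.good" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDERHASH
menuentry 'Linux' { linux /vmlinuz root=/dev/sda1 ro }
EOF
cat > "$BOOT_DEMO/inittab.good" <<'EOF'
id:3:initdefault:
~~:S:wait:/sbin/sulogin
EOF
cat > "$BOOT_DEMO/inittab.bad" <<'EOF'
id:3:initdefault:
EOF

for demo in menu.lst.bad menu.lst.good grub.cfg.good; do
    printf '%-14s %s\n' "$demo" "$(grub_boot_password "$BOOT_DEMO/$demo")"
done
for demo in inittab.good inittab.bad; do
    printf '%-14s %s\n' "$demo" "$(single_user_requires_login "$BOOT_DEMO/$demo")"
done
```

A boot loader password only helps if the BIOS/firmware is also set to boot from the internal disk first and is itself password-protected; otherwise the attacker boots their own media and the GRUB check is moot.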
The Vulnerability Cycle and Patching Recommendations
Many vulnerabilities can be trivially countered by applying patches. On the other hand, applying patches is not easy in an enterprise environment. Students will learn the background required to make intelligent patching decisions and will be introduced to tools which automate this process.
Lesson 2: 3 hrs Lecture 5 hr Labs
Network Daemon Audit
Programs that listen on the network give most outside actors their first access to a victim system. Students will learn how to audit the system for network-accessible daemons. By learning the purpose of each daemon, students will learn how to greatly decrease a host's network presence.
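The first step of that audit is to list every listening socket together with the process that owns it and to sort them by exposure: a daemon bound to loopback is only reachable by local users, while one bound to the wildcard address is reachable from every network the host is on. The script below is an added example, not part of the course. It reads saved output of `ss -Hltnup` (listening TCP and UDP sockets, numeric, with owning process, no header) so it can be run against a listing captured from a production host; the sample listing here is constructed.

```shell
#!/bin/sh
# Added example (not from the course): classify listening sockets by exposure.
# Input: a file holding the output of "ss -Hltnup" (fields: Netid State Recv-Q
# Send-Q Local Peer Process). The sample below is constructed.

# audit_listeners FILE -> one line per socket: proto port bind-address process exposure
audit_listeners() {
    awk '{
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        proc = "-"
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            expo = "external"        # reachable from every interface
        else if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1")
            expo = "loopback"        # only local clients; no firewall rule needed
        else
            expo = "interface"       # bound to one address; check which network it faces
        printf "%s %s %s %s %s\n", $1, port, addr, proc, expo
    }' "$1" | sort -k5,5 -k1,1 -k2,2n
}

# external_listeners FILE -> the processes that accept connections from the network,
# i.e. the list to justify one by one (disable, bind to loopback, or firewall).
external_listeners() {
    audit_listeners "$1" | awk '$5 == "external" { print $4 }' | sort -u
}

SS_SAMPLE=$(mktemp)
cat > "$SS_SAMPLE" <<'EOF'
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=690,fd=5))
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=601,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*    users:(("mysqld",pid=950,fd=21))
tcp   LISTEN 0      511                *:80              *:*    users:(("httpd",pid=1020,fd=4),("httpd",pid=1021,fd=4))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      128       192.0.2.10:25        0.0.0.0:*    users:(("sendmail",pid=870,fd=5))
EOF

audit_listeners "$SS_SAMPLE"
echo "-- network-reachable daemons:"
external_listeners "$SS_SAMPLE"
```

On a live host run `ss -Hltnup > listeners.txt` as root (unprivileged users cannot see other users' process names) and feed the file to `audit_listeners`. Each "external" entry needs a decision: stop and disable the service, rebind it to 127.0.0.1 or a single internal address, or leave it and restrict it with the host firewall covered below.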
General Daemon Audit
Once an actor has some kind of access to a system, privileged system daemons present a primary avenue for further attack and privilege escalation. Students will learn to audit these daemons. By learning the purpose of each one, students will learn which daemons they can safely deactivate.
Host-based Firewall Construction
Once the system's set of listening network daemons has been reduced, its accessibility to actors via the network can be further shored up by adding a host-based firewall. Students will be introduced to simple stateful firewalling that can be applied to individual hosts.
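A host firewall of the kind described here is short: drop everything inbound by default, accept loopback, accept packets belonging to connections the host itself started, and open only the ports the daemon audit justified. The generator below is an added example, not course material. It emits the ruleset in `iptables-restore` format so the whole table is loaded atomically, and it only applies anything when run as root with `--apply`; the `conntrack` match is assumed (older kernels use `-m state --state` with the same state names).

```shell
#!/bin/sh
# Added example (not from the course): generate and optionally load a minimal
# stateful host firewall. Usage: host_fw_rules tcp/22 tcp/80 udp/123
# Assumes the iptables conntrack match; nothing is applied without --apply as root.

host_fw_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    # One ACCEPT per justified service; anything not listed falls through to the policy.
    for spec in "$@"; do
        proto=${spec%%/*}; port=${spec#*/}
        case "$proto" in
            tcp) echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT" ;;
            udp) echo "-A INPUT -p udp --dport $port -j ACCEPT" ;;
            *)   echo "bad service spec: $spec (use tcp/PORT or udp/PORT)" >&2; return 1 ;;
        esac
    done
    # Rate-limited log of what the policy drops, then an explicit DROP for counters.
    cat <<'EOF'
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "hostfw drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# host_fw_apply SERVICE... : load the rules atomically with iptables-restore (root only).
host_fw_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply" >&2; return 1; }
    host_fw_rules "$@" | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    shift; host_fw_apply "$@"
else
    host_fw_rules "$@"
fi
```

Review the printed ruleset before applying it on a remote host; with `INPUT DROP` as the policy, forgetting `tcp/22` locks you out of SSH the moment the table loads. The `ESTABLISHED,RELATED` line is what makes this stateful: the host's own outbound connections get their replies without any per-service rule.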
Set-UID Program Audit
Outside of already-running system daemons, Set-UID programs represent the most commonly used method of privilege escalation. These programs give a user a temporary privilege increase to perform a specific task; unfortunately, that privilege increase becomes general and permanent when these programs are successfully attacked. Students will learn how to audit these programs and maintainably reduce an actor's ability to use them to attack the system.
File Permissions Audit
Poor file permissions can allow an ordinary user to gain system user privileges or to access or compromise data. Students will be introduced to a basic permissions audit.
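The two audits above are usually run together, and the Set-UID one is only maintainable if the inventory is saved and diffed: the interesting finding is not "there are 30 set-UID binaries" but "there is one more than last week". The script below is an added example, not course material. It lists set-UID/set-GID files, world-writable files and world-writable directories without the sticky bit, and reports set-UID files that have appeared since a saved baseline. Run it against `/` on a real host; the demo builds a constructed tree under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the course): set-UID and permissions audit with a
# baseline diff. The demo tree below is constructed.

# setuid_files DIR  -> sorted paths of set-UID / set-GID regular files
setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# world_writable DIR -> files anyone can modify, plus directories that are
# world-writable without the sticky bit (anyone can delete others' files there)
world_writable() {
    {
        find "$1" -xdev -type f -perm -0002 -print 2>/dev/null
        find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
    } | sort
}

# setuid_drift BASELINE DIR -> set-UID files present now but absent from BASELINE
setuid_drift() {
    setuid_files "$2" | comm -13 "$1" -
}

# Constructed demo tree. The files are owned by the caller, so chmod u+s is
# permitted without root; the audit looks at the mode bits, not at whether the
# mount would honour them.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin" "$DEMO/tmp" "$DEMO/shared" "$DEMO/etc"
for b in passwd su; do : > "$DEMO/bin/$b"; chmod 4755 "$DEMO/bin/$b"; done
: > "$DEMO/etc/motd"; chmod 666 "$DEMO/etc/motd"   # world-writable file: flagged
chmod 1777 "$DEMO/tmp"                              # world-writable with sticky bit: fine
chmod 0777 "$DEMO/shared"                           # world-writable, no sticky bit: flagged

# Save the expected set-UID inventory, then plant an unexpected set-UID binary.
BASELINE="$DEMO/setuid.baseline"
setuid_files "$DEMO" > "$BASELINE"
: > "$DEMO/bin/backdoor"; chmod 4755 "$DEMO/bin/backdoor"

echo "== set-UID/GID files";   setuid_files "$DEMO"
echo "== world-writable";      world_writable "$DEMO"
echo "== new since baseline";  setuid_drift "$BASELINE" "$DEMO"
```

Keep the baseline somewhere the audited host cannot write to (or sign it), otherwise an attacker who plants a set-UID shell simply adds it to the baseline as well. For the set-UID binaries that remain, the usual reductions are removing the bit from programs only root runs, or restricting execution to a group with `chmod 4750` and a dedicated group.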
Lesson 3: 4 hrs Lecture 4 hr Labs
Server Application Hardening
The second day of the course will focus on server application hardening. Students will learn how to apply access control mechanisms to particular server functionalities, how to prune out server functionality that’s not in use, and how to confine server processes so that a compromised server application does not necessarily compromise the entire system. Students will also be introduced to real network/server architecture changes that can greatly increase security at a site. Learning to harden these servers is extremely important to the security of an organization, both because of their important functions and because they are widely accessible resources. Finally, students will learn to build a chroot prison for each network service, to prevent a compromised service on a system from turning into a fully-compromised system.
Tightening DNS Servers
An actor who can compromise an organization's internal DNS server can re-route much of the important traffic on a network. An actor who can compromise an organization's external DNS server can re-route traffic away from the organization. In either case, they can usually gain a foothold to attack the internal network. Students will learn how to configure Unix BIND DNS servers for much greater resiliency to attack. As a part of this, they will learn how to configure split-horizon DNS and BIND 9 "views," to greatly reduce the external accessibility of internal DNS servers. They will also learn how to confine DNS server programs so that, if successfully attacked, they will not grant an actor either the ability to easily modify data or to compromise the host operating system.
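The split-horizon configuration described above can be written in a single `named.conf` with two views: internal clients see the full zone and may recurse, everyone else sees a separate public zone with recursion and transfers off. The generator below is an added example, not course material. The `example.com` zone, the zone file names and the internal networks are assumptions for illustration; the syntax check runs only if `named-checkconf` is installed. One rule to remember when introducing views: once any view exists, every zone, including the root hints, must live inside a view.

```shell
#!/bin/sh
# Added example (not from the course): write a split-horizon named.conf using
# BIND 9 views and syntax-check it. Zone names and file paths are assumptions.

# write_split_horizon_conf OUT INTERNAL_NET...
write_split_horizon_conf() {
    out=$1; shift
    nets=""
    for n in "$@"; do nets="$nets $n;"; done
    cat > "$out" <<EOF
acl "internal" { 127.0.0.1;$nets };

options {
    directory "/var/named";
    version "not disclosed";      // do not advertise the BIND release
    allow-transfer { none; };     // global default; overridden per zone below
};

view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    zone "." { type hint; file "named.root"; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // full internal names
        allow-transfer { internal; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                 // an open resolver is an amplifier and a cache-poisoning target
    allow-query-cache { none; };
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // only hosts that must be reachable from outside
    };
};
EOF
}

# check_named_conf FILE : syntax-check with named-checkconf when BIND is installed
check_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed; skipping syntax check" >&2
    fi
}

CONF=$(mktemp)
write_split_horizon_conf "$CONF" 10.0.0.0/8 192.168.0.0/16
check_named_conf "$CONF"
cat "$CONF"
```

`match-clients` is evaluated in order, so the internal view must come first; a client matching neither view gets REFUSED. The confinement the paragraph mentions is separate from the config: start `named` with `-u named` so it drops root after binding port 53, and with `-t` pointing at a chroot directory that holds only the zone files and the few device nodes it needs.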
Lesson 4: 3 hrs Lecture 5 hr Labs
Tightening FTP Servers
FTP servers have been among the most frequently vulnerable Unix network daemons over the past five years. Students will learn how to configure an FTP server to be more resistant to attack by learning how past attacks have worked and how best practices defeat them. This focuses on both vsftpd and wu-ftpd.
Tightening Apache Web Servers
Web servers are the single most multipurpose publicly accessible server application in use today. Apache, in particular, leads in market share specifically because of the extremely wide array of functions it can serve and the ease with which a growing community of developers can add functionality. This wide scope of functionality comes at a cost: it increases the probability that the server will contain vulnerable code. Students will learn how to configure Apache security modules and how to configure an Apache web server to offer only the functionality their site uses. They will also learn some of the weaknesses of the CGI model and how to address them with programs like suexec and cgiwrap. Finally, they will learn how to greatly reduce their chances of having vulnerable code deployed by removing Apache modules that are not in use at their site.
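Both Apache points above, pruning unused modules and not running CGI as the server user, can be checked mechanically against the configuration. The script below is an added example, not course material: it reports every `LoadModule` that is not on a site-specific allowlist, and it flags CGI enabled (via `Options ExecCGI` or a `cgi-script` handler) with no `SuexecUserGroup` directive. It assumes a single-file configuration; with `Include` files, concatenate them first. The sample `httpd.conf` is constructed.

```shell
#!/bin/sh
# Added example (not from the course): audit an httpd.conf for unjustified
# modules and for CGI without suexec. The sample configuration is constructed.

# apache_extra_modules CONF ALLOWED... -> module names loaded but not on the allowlist
apache_extra_modules() {
    conf=$1; shift
    allowed=" $* "
    awk '$1 == "LoadModule" { sub(/_module$/, "", $2); print $2 }' "$conf" |
    while read -r m; do
        case "$allowed" in
            *" $m "*) ;;            # justified by the site
            *) echo "$m" ;;
        esac
    done
}

# apache_cgi_without_suexec CONF -> returns 1 with a finding if CGI is enabled
# anywhere but no SuexecUserGroup makes scripts run as a per-site user
apache_cgi_without_suexec() {
    if grep -Eq '^[[:space:]]*Options[[:space:]].*ExecCGI' "$1" \
       || grep -Eq '^[[:space:]]*(Add|Set)Handler[[:space:]]+cgi-script' "$1"; then
        if ! grep -Eq '^[[:space:]]*SuexecUserGroup[[:space:]]' "$1"; then
            echo "CGI enabled but no SuexecUserGroup: scripts run as the server user"
            return 1
        fi
    fi
    return 0
}

HTTPD_DEMO=$(mktemp)
cat > "$HTTPD_DEMO" <<'EOF'
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule authz_core_module  modules/mod_authz_core.so
LoadModule dir_module         modules/mod_dir.so
LoadModule mime_module        modules/mod_mime.so
LoadModule log_config_module  modules/mod_log_config.so
LoadModule cgi_module         modules/mod_cgi.so
LoadModule status_module      modules/mod_status.so
LoadModule userdir_module     modules/mod_userdir.so
ServerTokens Prod
<Directory "/var/www/cgi-bin">
    Options ExecCGI
    AddHandler cgi-script .cgi
</Directory>
EOF
# The same configuration with CGI handed to a dedicated user via suexec.
HTTPD_FIXED=$(mktemp)
{ cat "$HTTPD_DEMO"; echo "SuexecUserGroup cgiuser cgigroup"; } > "$HTTPD_FIXED"

NEEDED="mpm_prefork authz_core dir mime log_config cgi"
echo "== modules loaded but not on the allowlist:"
apache_extra_modules "$HTTPD_DEMO" $NEEDED
apache_cgi_without_suexec "$HTTPD_DEMO" || true
apache_cgi_without_suexec "$HTTPD_FIXED" && echo "fixed config: CGI runs under suexec"
```

The allowlist is the site's own statement of what it needs; `status` and `userdir` show up here because nothing on the list justifies them, and each extra module is code an attacker can reach. `SuexecUserGroup` alone is not enough: the suexec binary must be installed set-UID root and compiled with a document root that matches the CGI directory, or Apache silently falls back to running scripts as itself.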
Lesson 5: 2 hrs Lecture 6 hr Labs
Tightening Mail Servers
Sendmail is the traditional mail server on Unix operating systems. While vulnerabilities in it are uncommon, they tend to have extreme consequences, both because Sendmail runs with root privilege and because so much sensitive data moves through e-mail.
Students will learn how to tighten the Sendmail configuration against attack, looking at jailing the Sendmail process, dropping its privilege level, and configuring it for better resistance to attack and spam. They'll also learn how to deploy a split-horizon (internal/external) model for their mail servers, to protect the internal mail server and its valuable data from external attack.
Grades - All students must ordinarily take all quizzes, labs, final exam and submit the class practical in order to be eligible for a Q/ISP, Q/IAP, Q/SSE, or Q/WP credential unless granted an exception in writing by the President. Books - No books are required for this course. However, you may want to supplement your preparation for or review of some lectures with self-assigned readings relevant to those lectures' content from either of the books below.