Linux/UNIX Security by Jay Beale of Mandrake fame!!

This fast-paced, hands-on class will teach you how to secure UNIX and lock down Linux to protect a system from compromise. You'll learn how the attacks work and how to use hard-core hardening to defeat the bulk of them. You'll learn how to take your machines to a state of minimum necessary risk.

This hands-on class teaches you how to tighten all major aspects of the operating system for security, balancing this with the purpose of the system and the needs of your organization. You'll learn how to tune kernel and operating system parameters, deactivate components, and tighten the components that remain. You'll examine the tightening of major server applications, including Apache, Sendmail, WU-FTPd, vsftpd, and BIND. Along the way, you'll understand how external and internal attackers use privilege escalation and how you can lessen their odds of gaining root. You'll also learn to apply key security concepts, from defense-in-depth to least privilege to risk evaluation, to determine what actions you should take and in what order of priority.

Class Fee: $1,195
Time: 8:30 AM - 5:00 PM
Location: Click here to view the class schedule
CPE Credits: 16
Prerequisites: TCP/IP and Linux

Who Should Attend:
System administrators, security administrators, security auditors. Unix box owners. Anyone who has a vested interest in keeping their systems from being compromised.

This course targets system or network administrators and security admins/auditors with an understanding of Unix commands and basic operating system functions. While others are welcome, a complete lack of familiarity is too great a burden to overcome in a three-day class.

What You Will Learn:
Students will gain a general understanding of how to harden systems to prevent or contain a system compromise. While we work on Linux and Solaris, the material does apply broadly to all Unix variants.

Students will leave this class with the ability to:

  • Configure Solaris and Linux for much greater resilience to attack.
  • Understand each Solaris and Linux network service and judge which can or cannot be safely restricted or deactivated.
  • Understand each Solaris and Linux boot script and judge which scripts can or cannot be safely deactivated.
  • Audit Solaris and Linux file permissions and Set-UID/GID programs to combat compromise and prevent privilege escalation.
  • Configure Apache Web servers for greater resistance to attack.
  • Configure vsftpd FTP servers for greater resistance to attack.
  • Configure a Linux-based firewall.
  • Understand password attacks and alternative authentication techniques.
  • Understand memory attacks and buffer overflows.
  • Configure BIND DNS servers for greater resistance to attack.
  • Recognize Trojan horse programs and rootkits.
  • Understand network-based attacks.
  • Configure Sendmail mail servers for greater resistance to attack.
  • Configure POP and IMAP servers for greater resistance to attack.
  • Use vulnerability scanning tools.
  • Use monitoring and alerting tools.
  • Audit systems with free tools to find better security settings, including Bastille, Titan and the Center for Internet Security's tools.
  • Use network security tools.
  • Configure WU-FTPd FTP servers for greater resistance to attack.
  • Use SSH for secure administration.
  • Carry out forensic investigation.
  • Understand and set kernel and operating system variables for best security.
  • Configure Unix logging and kernel-level auditing.
  • Configure the Network Time Protocol.
  • Apply Solaris and Linux security practices.
  • Securely configure BIND, Sendmail and Apache.
  • Handle common issues with users and management.

Each student will practice the techniques learned on their own Linux system. A shared Solaris machine will also be available for Solaris practice. Students are welcome to harden their own laptop systems as well, in preparation for the hostile networks that can often be found at security conferences.

Day 1:
Core Operating System Hardening
 
The first day of the course will focus on core operating system hardening, teaching students how to thoroughly audit and lock down a Linux system. This process is tailored very closely to a system’s purpose, such that it optimizes a system for the greatest security that is operationally possible. Single-purpose bastion hosts obviously see the most benefit, though general purpose sysadmin workstations still gain a good deal of resistance to break-in. This first day will cover the following major areas/tasks:

Boot Security and Physical Security
An attacker with physical access to a Linux machine can usually gain root with trivial attacks. Students will learn both the attacks and how to defend against them.

The Vulnerability Cycle and Patching Recommendations
Many vulnerabilities can be trivially countered by applying patches. On the other hand, applying patches is not easy in an enterprise environment. Students will learn the background required to make intelligent patching decisions and will be introduced to tools which automate this process.

Network Daemon Audit
Programs that listen to the network provide most outside attackers with their first access to a victim system. Students will learn how to audit the system for network-accessible daemons. By learning the purpose of each daemon, students will learn how to greatly decrease a host's network presence.

General Daemon Audit
Once an attacker has some kind of access to a system, privileged system daemons present a primary avenue for further attack and privilege escalation. Students will learn to audit these daemons. By learning the purpose of each one, students will learn which daemons they can safely deactivate.

Host-based Firewall Construction
Once the system's set of listening network daemons has been reduced, its accessibility to attackers via the network can be further shored up by adding a host-based firewall. Students will be introduced to simple stateful firewalling that can be applied to individual hosts.
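The kind of host-based, stateful, default-deny ruleset this section refers to, as an added example (not course material from the class or its instructor). It writes the policy in iptables-restore format: loopback, replies to connections the host itself opened, and ICMP echo are allowed; everything else inbound is dropped except the TCP ports passed on the command line. The port list (22 and 80) is a hypothetical bastion-host policy, and the generated text is checked rather than loaded, so the script runs without root.

```shell
#!/bin/sh
# Added example: build a stateful default-deny host firewall ruleset.
# The ports given as arguments are the only inbound TCP services exposed.

gen_host_rules() {
    # $@ = TCP ports to expose (hypothetical policy, e.g. 22 80).
    # Output is iptables-restore text; load with: gen_host_rules 22 80 | iptables-restore
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # One explicit NEW-connection rule per exposed port; nothing else is opened.
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# How many inbound TCP ports a generated ruleset opens.
count_open_ports() {
    gen_host_rules "$@" | grep -c -- '--dport'
}

# True when the ruleset has the two properties that make it stateful default-deny:
# INPUT's policy is DROP, and packets of established flows are accepted.
is_default_deny() {
    rules=$(gen_host_rules "$@")
    echo "$rules" | grep -q '^:INPUT DROP' &&
    echo "$rules" | grep -q 'ESTABLISHED,RELATED -j ACCEPT'
}
```

Because the INPUT chain's policy is DROP, any daemon that is later started by accident is unreachable from the network until someone deliberately adds a rule for it, which is exactly the backstop the daemon audit needs. Review the generated text before loading it on a remote machine: the SSH port must be in the argument list or the session that loads the rules will be cut off.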

Set-UID Audit
Outside of already-running system daemons, Set-UID programs represent the most commonly-used method of privilege escalation. These programs give a user a temporary privilege increase to perform a specific task -- unfortunately, that privilege increase becomes general and non-temporary when these programs are successfully attacked. Students will learn how to audit these programs and maintainably reduce an attacker's ability to use them to attack the system.

Permissions Audit
Poor file permissions can allow an ordinary user to gain system user privileges or to access/compromise data. Students will be introduced to a basic permissions audit.
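A minimal version of the Set-UID audit and the permissions audit described in the two sections above, as an added example (not course material from the class or its instructor). It walks a directory tree with find, reports every Set-UID or Set-GID file that is not on a site allowlist, and lists world-writable regular files. The allowlist and the directory tree it is run against are constructed for the example; on a real host you would run the two audit functions against / and keep the allowlist under version control so that the next run only shows what changed.

```shell
#!/bin/sh
# Added example: audit a tree for unexpected Set-UID/Set-GID programs and
# world-writable files. Paths in SUID_ALLOW are relative to the scanned root.

# Hypothetical site allowlist of Set-UID programs that are meant to stay.
SUID_ALLOW="bin/su bin/passwd"

audit_setuid() {
    # $1 = root of the tree to scan. Prints one line per Set-UID/Set-GID
    # regular file that is not on the allowlist. -xdev keeps find on one
    # filesystem so network mounts are not scanned by accident.
    root=$1
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r f; do
        rel=${f#"$root"/}
        case " $SUID_ALLOW " in
            *" $rel "*) ;;          # expected, on the allowlist
            *) echo "$f" ;;         # unexpected: review or strip the bit
        esac
    done
}

audit_world_writable() {
    # Regular files any user can modify; a classic route to privilege gain
    # when the file is a script, config or log that a privileged process reads.
    find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# Build a constructed tree to exercise the audit (not a real system layout).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/opt"
    : > "$d/bin/su";          chmod 4755 "$d/bin/su"           # allowed
    : > "$d/bin/passwd";      chmod 4755 "$d/bin/passwd"       # allowed
    : > "$d/opt/legacy-tool"; chmod 4755 "$d/opt/legacy-tool"  # unexpected SUID
    : > "$d/opt/report";      chmod 2755 "$d/opt/report"       # unexpected SGID
    : > "$d/opt/notes";       chmod 666  "$d/opt/notes"        # world-writable
    echo "$d"
}

count_unexpected_setuid() { audit_setuid "$1" | wc -l | tr -d ' '; }
count_world_writable()    { audit_world_writable "$1" | wc -l | tr -d ' '; }
```

Usage on a live system is `audit_setuid /` and `audit_world_writable /`, run as root so that find can read every directory. The allowlist approach is what makes the audit maintainable: the first run is noisy, but once the legitimate programs are recorded, each later run reports only new or changed Set-UID files, which is the signal worth paging someone about.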

Day 2:
Server Application Hardening

The second day of the course will focus on server application hardening. Students will learn how to apply access control mechanisms to particular server functionalities, how to prune out server functionality that’s not in use, and how to confine server processes so that a compromised server application does not necessarily compromise the entire system.

Students will also be introduced to real network/server architecture changes that can greatly increase security at a site. Learning to harden these servers is extremely important to the security of an organization, both because of their important functions and because they are widely accessible resources. Finally, students will learn to build a chroot prison for each network service, to prevent a compromised service on a system from turning into a fully-compromised system.

Tightening DNS Servers
An attacker who can compromise an organization’s internal DNS server can re-route much of the important traffic on a network. An attacker who can compromise an organization’s external DNS server can re-route traffic away from the organization. In either case, he can usually gain a foothold to attack the internal network.

Students will learn how to configure Unix BIND DNS servers for much greater resiliency to attack. As a part of this, they will learn how to configure Split-Horizon DNS and BIND 9 “views,” to greatly reduce the external accessibility of internal DNS servers. They will also learn how to confine DNS server programs so that, if successfully attacked, they will not grant an attacker either the ability to easily modify data or to compromise the host operating system.

Tightening FTP Servers
FTP servers have been among the most frequently vulnerable Unix network daemons of the past five years. Students will learn how to configure an FTP server to be more resistant to attacks by learning how past attacks have worked and how best practices can defeat these attacks. This focuses on both vsftpd and wu-ftpd.

Tightening Apache Web Servers
Web servers represent the single most multipurpose publicly-accessible server application in use today. Apache, in particular, has a lead in market share specifically because of the extremely wide array of functions that it can serve and the ease with which an increasing community of developers can add functionality. This wide scope of functionality, of course, comes with a cost -- it increases the probability that the server will contain vulnerable code.

Students will learn how to configure Apache security modules and how to configure an Apache webserver to offer only what functionality is used by their site. They will also learn some of the weaknesses of the CGI model and how they can address them with programs like suexec and cgiwrap. Finally, they will learn how to greatly reduce their chances of having vulnerable code deployed by removing Apache modules that are not in use at their site.

Tightening the Sendmail Mail Server
Sendmail was traditionally one of the weakest components of any Unix operating system. While vulnerabilities are very uncommon, they tend to bring extreme consequences, both because Sendmail runs with root privilege and because so much sensitive data moves through e-mail.

Students will learn how to tighten Sendmail’s configuration against attack, looking at jailing the Sendmail process, dropping its privilege level, and configuring it for better resistance to attack and spam. They’ll also learn how to deploy a split horizon (internal/external) model to their mail servers, to protect the internal mail server and its valuable data from external attack.

Copyright © 2010 Security University, Inc. All rights reserved.