top of page

Linux Attack and Defense

Getting hacked is such a common experience as to seem unavoidable. Even if you apply patches immediately after their release, bad actors can exploit "zero-day" vulnerabilities held secret. You don't have to stand for this kind of weakness! There are effective defensive technologies and techniques allow security professionals, dev ops engineers and system administrators to deflect and contain attacks. In this hands-on course, be given a convertible laptop running vulnerable "Capture the Flag" virtual systems as Docker containers. You'll learn to attack the machines, then how to defend them. When the class is over, the laptop is yours to keep, along with the capability to apply proactive defenses and prove that they work.

This course begins with core system lockdown, then moves on to application defense, where we create least-privilege and well-confined configurations that break exploits. Using defense-in-depth, we'll not only create jails but also tune the server programs within them to keep exploits from reaching their vulnerable code. For example, we'll jail the a web server with SELinux, AppArmor and a Linux container, configure the server for increased resilience, and deactivate modules to remove vulnerable code. Then we'll use remote code execution exploits and compare before/after, seeing how our defense broke the attack. Once we've accomplished all of this best practice work, we'll get deeper protection from applying the latest security technology to better deflect attacks.

Here are a few examples of that deeper defensive technology. We'll protect web applications from their own flaws with ModSecurity, a free "web application firewall" tool for Apache and Nginx. We'll build Linux firewalls with iptables and firewalld, then build on this by using GPG-based port knocking to make our SSH daemon, web server or VPN concentrator inaccessible to attackers. We'll learn how to use SELinux, but also learn AppArmor, which can bring similar exploit disruption to a few key programs without dramatically changing the way you administer the system. We'll learn to detect and respond to attacks using OSSEC, a free program that includes file integrity checking, rootkit detection, real time alerting and active response. We'll add seccomp protection to containers, achieving incredibly granular containment of a vulnerability.

Students will gain skills in performing system lockdown and applying defensive technology to prevent and contain compromises. While the course specifically covers Red Hat® , Ubuntu and SuSE™ Linux, it does apply very directly to all Linux distributions and broadly to all UNIX variants.

Students will leave this course able to:

  • Configure Linux machines for much stronger attack resiliency.

  • Configure Web, Mail, FTP and other server applications to break exploits against known and unknown vulnerabilities.

  • Use SELinux and AppArmor to restrict and harden server programs.

  • Deploy ModSecurity to add web application firewall functionality to Apache and Nginx.

  • Create host-based firewalls, with optional GPG-backed port knocking.

  • Detect and respond to attacks with OSSEC.

  • Use encryption to create safer processes and administration.

  • Use Docker, Kubernetes and runc to create Linux containers to jail server programs

bottom of page