Linux Security and Hardening

Agenda

1. Wireshark / tcpdump / nmap

   • Examples tcpdump
   • Example nmap
   • Detect nmap scans on server

2. Network Intrusion Detection

   • Overview

3. Host Intrusion Detection

   • Overview
   • Installation ossec on Ubuntu
   • Installation/Walkthrough ossec on Centos 8
   • AIDE on Ubuntu/Debian

4. Logging

   • Overview Logging Systems
   • Remote logging with rsyslog
   • Remote logging with rsyslog and tls
   • Systemd Remote Logging

5. Local Security

   • sgid - bit on files
   • xattr - special permissions
   • cgroups on Redhat
   • Using otp-authentication

6. Disk Managemenet

   • Install partprobe/parted on Debian
   • Verschlüsselung mit Cryptsetup
   • Self Encryption Hard Disks (SED) vs. LUKS

7. SELinux / appArmor

   • Install selinux on Debian
   • SELinux including Walkthrough
   • SELinux - working with booleans
   • Managing SELinux Policies
   • Troubleshoot with sealert on Centos/Redhat
   • SELinux Troubleshooting on Debian
   • SELinux Troubleshooting on Centos

8. Docker / Podman with Seccomp

   • Restricting Syscall in Docker/Podman

9. Attacks

   • Slow loris Attack - apache

10. Firewall

    • nftables
    • firewalld

11. Kernel Hardening

    • modules_disabled,unprivileged_bpf_disabled,kexec_load_disabled
    • Disable TCP timestamps

12. Vulnerability Scans

    • OpenVAS Installation on Ubuntu
    • OpenVAS Background
    • Nikto - commandline

13. Securing Network Services

    • Securing Tomcat (Standalone)
    • Securing apache (Centos 8)
    • SSL with letsencrypt apache (Centos 8)
    • SSL Testing / Config Hints
    • SSH
    • ssh-ca

14. Virtualization

    • Security Docker

15. Hacking

    • Install Metasploitable 2
    • Install Metasploit on Digitalocean - Version 1 (Ubuntu)
    • Install Metasploit on Digitalocean - Version 2 (Ubuntu)
    • ReverseShell
    • Hacking I - ShellShock (unprivileged permissions)
    • Hacking II - privilege escalation

16. Basics

    • Type of Attackers
    • Basic Principles
    • Kill Chain

17. Server Automation

    • gitops by example (Ansible)

18. Starting

    • How to begin with security/securing

19. Documentation

    • Telekom Compliance Guideline
    • Linux Security

Change language on Ubuntu

dpkg-reconfigure locales 
# see locales that are current configured
locale 
# place where it is configured 
/etc/default/locale 

# After that relogin or do 
# su student 
locale 

Patching of packages (e.g.)

• Ubuntu will patch packages when CVE's occur
• https://ubuntu.com/security/CVE-2020-11984

Search - Engine IoT

• https://www.shodan.io/

Secure grub with password (not at boot but for changes and subentries

#  Create password 
#  e.g. password 
grub-mkpasswd-pbkdf2

# /etc/grub.d/01_password 
#!/bin/sh
set -e 

cat << EOF 
set superusers='grub'
password_pbkdf2 grub grub.pbkpdf2.sha512.....
EOF

##
chmod a+x /etc/grub.d/01_password 

## Datei 10_linux 
## Variable CLASS
## at then 
## 
CLASS="--class gnu-linux ..... --unrestricted" 

update-grub 

rsyslog

Basics

# Hyphen before filename : -/..... 
# is for syncing but enabled by default since 
https://serverfault.com/questions/463170/what-does-filepath-action-mean-in-rsyslog-configuration
## it is set on by default anyways 
# You may prefix each entry with the minus “-‘’ sign to omit syncing the file after every logging.

Bug on ubuntu kern.* logs to user.*

logger -p kern.debug "Testmessage"
# that one logs to user.*