Hands-on Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 1 of 2)
Rik Farrow, Security Consultant
9:00 a.m.5:00 p.m.
Who should attend: System administrators of Linux and other UNIX systems; anyone who runs a public UNIX server.
Few people enjoy learning how to swim by being tossed into the ocean, but that's what happens if a system you manage gets hacked. You often have little choice other than to reload that system, patch it, and get it running again. This two-day class gives you a chance to work with systems that have been "hacked," letting you search for hidden files or services or other evidence of the intrusion. Examples are taken from real, recent attacks on Linux systems. You will perform hands-on exercises with dual-use tools to replicate what intruders do as well as with tools dedicated to security. The tools vary from the ordinary, such as find and strings, to less familiar but very important ones, such as lsof, scanners, sniffers, and the Sleuth Kit.
The lecture portion of this class covers the background you need to understand UNIX security principles, TCP/IP, scanning, and popular attack strategies.
Day Two will explore the defenses for networks and individual systems. The class will end with a discussion of the use of patching tools for Linux, including cfengine.
Class exercises will require that you have an x86-based laptop
computer that can be booted from a KNOPPIX CD. Students will receive
a version of Linux on CD that includes the tools, files, and exercises
used in the course. If you have a laptop but don't know whether it
can run a bootable Linux CD (that will not have an impact on your
installed hard drive or operating systems), please download a copy
of KNOPPIX (http://www.knoppix.org), burn it, and try it out. KNOPPIX
support for wireless is the same as common Linux kernels (not
exciting), but KNOPPIX does a superb job of handling most other
hardware found in laptops.
- Finding hidden files and evidence of intrusion
- TCP/IP and its abuses
- hping2 probes, or xprobe with ethereal again
- nmap while watching with ethereal or tcpdump (connect and SYN scans)
- Working with buffer-overflow exploit examples
- Apache servers and finding bugs in scripts
- John the Ripper, password cracking
Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.
- Elevation of privilege and suid shells
- Rootkits, and finding rootkits (chkrootkit)
- Sleuth Kit (looking at intrusion timelines)
- iptables and netfilter
- Tracking down DoS floods
- cfengine configuration
- Vulnerability scanning with nessus
S3 System Log Aggregation, Statistics, and Analysis
Marcus Ranum, Tenable Security, Inc.
9:00 a.m.5:00 p.m.
Who should attend: System and network administrators who are interested in
learning what's going on in their firewalls, servers, network,
and systems; anyone responsible for security and audit or
This tutorial covers techniques and software tools for
building your own log analysis system, from aggregating
all your data in a single place, through normalizing it,
searching, and summarizing, to generating statistics and
alerts and warehousing it. We will focus primarily on
open source tools for the UNIX environment, but will
also describe tools for dealing with Windows systems
and various devices such as routers and firewalls.
Marcus Ranum (S3) is Chief Security Officer at Tenable Security, Inc., and a world-renowned expert
on security system design and implementation.
He is recognized as the inventor of the proxy firewall and the
implementer of the first commercial firewall product. Since the
late 1980s, he has designed a number of groundbreaking security
products, including the DEC SEAL, the TIS firewall toolkit, the
Gauntlet firewall, and NFR's Network Flight Recorder intrusion
detection system. He has been involved in every level of operations
of a security product business, from developer, to founder and CEO
of NFR. Marcus has served as a consultant to many FORTUNE 500 firms
and national governments, as well as serving as a guest lecturer
and instructor at numerous high-tech conferences. In 2001, he was
awarded the TISC Clue award for service to the security community,
and he holds the ISSA lifetime achievement award.
- Estimating log quantities and log system requirements
- Syslog: mediocre but pervasive logging protocol
- Back-hauling your logs
- Building a central loghost
- Dealing with Windows logs
- Logging on Windows loghosts
- Parsing and normalizing
- Finding needles in haystacks: searching logs
- I'm dumb, but it works: artificial ignorance
- Bayesian spam filters for logging
- Storage and rotation
- Databases and logs
- Leveraging the human eyeball: graphing log data
- Legalities of logs as evidence
S4 Network Security Monitoring with Open Source Tools
Richard Bejtlich, TaoSecurity.com
9:00 a.m.5:00 p.m.
Who should attend: Engineers and analysts
who detect and respond to security incidents. Participants should be
familiar with TCP/IP. Command-line knowledge of BSD, Linux, or another
UNIX-like operating system is a plus. A general knowledge of offensive
and defensive security principles is helpful.
This tutorial will equip participants with the theory, tools, and
techniques to detect and respond to security incidents. Network
Security Monitoring (NSM) is the collection, analysis, and escalation of
indications and warnings to detect and respond to intrusions. NSM
relies upon alert data, session data, full content data, and statistical
data to provide analysts with the information needed to achieve network
awareness. Whereas intrusion detection cares more about identifying
successful and usually known attack methods, NSM is more concerned with
providing evidence to scope the extent of an intrusion, assess its
impact, and propose efficient, effective remediation steps.
NSM theory will help participants understand the various sorts of data
that must be collected. This tutorial will bring theory to life by
introducing numerous open source tools for each category of NSM data.
Attendees will be able to deploy these tools alongside existing
commercial or open source systems to augment their network awareness and
Material in the class is supported by the author's book The Tao of
Network Security Monitoring: Beyond Intrusion Detection
(Addison-Wesley, 2005; http://www.taosecurity.com/books.html).
- NSM theory
- Building and deploying NSM sensors
- Accessing wired and wireless traffic
- Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger
- Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude
- Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP
- Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records
- Sguil (sguil.sf.net)
- Case studies, personal war stories, and attendee participation
Richard Bejtlich (S4, M4) is founder of TaoSecurity, a company
that helps clients detect, contain, and remediate intrusions using network
security monitoring (NSM) principles. He was previously a principal
consultant at Foundstone, performing incident response, emergency NSM, and
security research and training. He has created NSM operations for ManTech
International Corporation and Ball Aerospace & Technologies Corporation. From
1998 to 2001, Richard defended global American information assets
in the Air Force Computer Emergency Response Team (AFCERT), performing and
supervising the real-time intrusion detection mission.
Formally trained as an intelligence officer, he holds degrees from Harvard
University and the United States Air Force Academy. Richard wrote The Tao of Network
Security Monitoring: Beyond Intrusion Detection and the forthcoming
Extrusion Detection: Security Monitoring for Internal Intrusions and Real
Digital Forensics. He also wrote original material for Hacking
Exposed, 4th Edition, Incident Response, 2nd Edition, and Sys Admin magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular
Web log resides at http://taosecurity.blogspot.com.