CS 78, Secure Server Installation & Administration    3 units

Transfer: CSU • Prerequisite: Computer Science 70.

In this course students will study network service administration. This course covers physical, BIOS, and bootloader security, password strength and cracking, file system permissions, authentication mechanisms, remote backup and logging, and installation strategies as machine-level security considerations. A variety of particular service applications like Apache (web service) and BIND (name service) are then studied, emphasizing their strengths, weaknesses, and how to configure them for security through wrappers, file system access jails, and other mechanisms.

 

Concrete list of target topics

“Target” means these topics are all relevant, and we would like to cover all of them. More realistically it is the “menu” from which the course will draw, with some input from students as to what interests them most. The course will include, as an important component, a series of live network activities you perform across the internet with a remote target network that I maintain.

 

LOCAL SECURITY

  physical security

  BIOS and bootloader security - GRUB

  user and group administration basics

  password cracking and security – Crack, John the Ripper

  user authentication control – PAM

  processes - vis-a-vis users and files

  filesystem permissions

  user variation - su, SUID, sudo

  backup – tar, rsync

  logging – syslog, syslog-ng

  keeping updated – rpm, yum

  avoiding unnecessary services

    avoiding superfluous installation

    avoiding superfluous execution

  cryptography and public key infrastructure

  steganography

 

 NETWORK SECURITY

  networking basics

  UDP and TCP protocols - ports

  services and sockets (denial-of-service)

  packet capture - tcpdump and wireshark

  netcat

  remote encrypted targeting for backups and logs – syslog-ng, ssh, stunnel

  port scanning, OS fingerprinting – nmap

  packet filter firewalling – iptables, Guarddog, Shorewall

  network statistics and monitoring – ntop

  packet injection – hping

  ssh

  tunnels, IPsec, VPNs – stunnel, OpenVPN

  wireless

 

 APPLICATION SECURITY

  controlling service access

   wrappers

   multiplexing services – xinetd

  stack overflow mechanics

  specific server application security features

     file transfer – vsftpd

     web service – Apache

     name service - BIND

 

 PREVENTION, DETECTION, RECOVERY

  security scanning and auditing – nessus

  hardening - Bastille Linux

  log analysis tools – swatch

  intrusion detection – snort

  rootkits - chkrootkit