Duration: 5 days

Prerequisites:

Linux and linux networking for network administrators
or
Linux usage and administration fundamentals

This course follows the courses Linux and linux networking for network administrators and Linux usage and administration fundamentals. The goal is to provide a deep understanding and solid hands-on knowledge of frequently used topics such as cryptography and certificates and their use in typical services (e.g. apache2). Next, a set of standard services is covered (web server, forward proxy, reverse proxy) as well as network security topics (firewall). Finally, administration topics that are important to understand but were skipped in the previous course due to time restrictions, such as disk partitioning and creating and mounting file systems, are also covered.
This course can be beneficial for various reasons: first, it provides solid overall Linux knowledge for participants working on Linux on a daily basis. Next, it provides a deep understanding of topics that are used not just on Linux but also, for example, on network equipment, such as cryptography, SSL/TLS and certificates, so this generic knowledge can be applied directly on such equipment or in its interaction with Linux.

Note: There is a playlist on YouTube with videos in Croatian that cover the theoretical part of cryptography and algorithms from this course. During the course these parts are also covered, but mostly in a shortened form, in order to leave enough time for labs and implementation-specific details of particular software. It is therefore recommended to go through these videos separately in addition to the course. The YouTube videos cover general cryptography and do not cover all of the theory from this course; e.g. the TLS part and many other topics are not covered there and will be presented during the course.

Content:
HTTP server, reverse and forward proxy implementations

Principles of operation

HTTP 1.X protocols

HTTP 2

HTTPS: HTTP over TLS

HTTP 3

Implementations

Apache as http server

Securing a directory, allowing access only from specific addresses; configuration in .htaccess

Securing a directory, basic authentication required

Controlling directory listing when there is no index.html or an alternative index

Following symbolic links
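An added example, not part of the course material, putting the four Apache items above into one .htaccess plus the vhost fragment it needs; it also shows the mod_remoteip/X-Forwarded-For logging for an Apache backend that appears under the reverse proxy items below. The address ranges (10.0.10.0/24, 192.0.2.17), the proxy address 10.0.0.5, the paths and the hostname are assumptions:

```apache
# --- .htaccess in the protected directory ---
# Needs "AllowOverride AuthConfig Limit Options" in the matching <Directory> of the vhost
# (Ubuntu ships /var/www with AllowOverride None). Apache 2.4 syntax: mod_authz_core,
# mod_authz_host, mod_auth_basic.

# Both conditions must hold: client address in the allowed set AND a valid user. Bare Require
# lines at the same level are OR-ed (implicit RequireAny), which would let any address in once
# it knows a password; RequireAll makes the AND explicit.
# Basic auth sends the password base64-encoded on every request: only use it over HTTPS.
# Password file: htpasswd -c /etc/apache2/.htpasswd alice
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/apache2/.htpasswd
<RequireAll>
    Require ip 10.0.10.0/24 192.0.2.17
    Require valid-user
</RequireAll>

# No automatic listing when there is no index.html (or DirectoryIndex alternative), and do not
# follow symlinks out of the document root (a link to /etc/passwd would otherwise be served).
# SymLinksIfOwnerMatch is the middle ground; note that -FollowSymLinks costs an lstat per path
# component on every request.
Options -Indexes -FollowSymLinks

# --- vhost (server config; these directives cannot go in .htaccess) ---
<VirtualHost *:80>
    ServerName www.lab.test
    DocumentRoot /var/www/html
    <Directory /var/www/html/private>
        AllowOverride AuthConfig Limit Options
    </Directory>

    # Apache as backend behind a reverse proxy (e.g. nginx): take the client address from
    # X-Forwarded-For, but only for connections that really come from our proxy. The rewritten
    # address is what %a logs and what Require ip tests; %{c}a keeps the TCP peer (the proxy).
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 10.0.0.5
    LogFormat "%a %{c}a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" proxied
    CustomLog ${APACHE_LOG_DIR}/access.log proxied
</VirtualHost>
```

Enable the modules first (a2enmod remoteip auth_basic authz_host) and run apachectl configtest before reloading. Without RemoteIPInternalProxy, anyone who can reach Apache directly could forge X-Forwarded-For and satisfy the Require ip check, so never trust the header from arbitrary peers.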

Nginx as http server

Limiting access using ip address range

Try files

Location directive in configuration: possibilities

Limiting access using basic authentication

Apache as reverse proxy server

Logging and X-Forwarded-For, configuration for nginx

Nginx as reverse proxy server

Logging and X-Forwarded-For, configuration for apache
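An added example, not part of the course material, covering the nginx items above (address-range limits, try_files, the location variants, basic authentication, X-Forwarded-For on both the proxy and the backend side) together with the single-certificate TLS termination and URL redirect listed later in the outline. The backend 127.0.0.1:8080, the upstream proxy 10.0.0.5, the address ranges, hostname and certificate paths are assumptions:

```nginx
# Backend-side logging: $remote_addr is the TCP peer (the proxy); X-Forwarded-For is text the
# peer sent, so it is logged as such and only turned into $remote_addr via realip below.
log_format proxied '$remote_addr xff="$http_x_forwarded_for" $remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

upstream app { server 127.0.0.1:8080; }

# Plain HTTP: single certificate, everything redirected to HTTPS.
server {
    listen 80;
    server_name www.lab.test;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.lab.test;
    ssl_certificate     /etc/nginx/tls/www.chain.crt;   # leaf first, then the issuing CA(s)
    ssl_certificate_key /etc/nginx/tls/www.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    root       /var/www/html;
    access_log /var/log/nginx/access.log proxied;

    # nginx as backend behind another reverse proxy (e.g. Apache): take the client address
    # from X-Forwarded-For, but only for connections arriving from that proxy.
    set_real_ip_from 10.0.0.5;
    real_ip_header   X-Forwarded-For;

    # location forms: "=" exact (checked first), "^~" prefix that stops the regex search,
    # "~"/"~*" case-sensitive/insensitive regex, bare prefix (longest wins, regexes still run).
    location = /healthz { return 200 "ok\n"; }

    location ^~ /static/ {
        expires 1h;
        try_files $uri =404;           # no autoindex: a bare directory is never listed
    }

    location ~* \.(php|cgi)$ { return 404; }   # nothing executable is served from the docroot

    # Address range first (allow/deny are evaluated in order, deny all last), then a password.
    location /admin/ {
        allow 10.0.10.0/24;
        allow 192.0.2.17;
        deny  all;
        auth_basic           "Admin area";
        auth_basic_user_file /etc/nginx/.htpasswd;   # htpasswd -c /etc/nginx/.htpasswd alice
        try_files $uri $uri/ =404;
    }

    # Reverse proxy: tell the backend the original host, client address and scheme.
    location /api/ {
        proxy_pass         http://app;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # try_files: the file, else the directory index, else hand the request to the app.
    location / { try_files $uri $uri/ @app; }
    location @app { proxy_pass http://app; }
}
```

Check with nginx -t before reloading. Because set_real_ip_from rewrites $remote_addr, the allow/deny rules in /admin/ also see the forwarded address; that is only safe while 10.0.0.5 is the sole peer allowed to reach this server, otherwise X-Forwarded-For can be forged. The default htpasswd hash (apr1-MD5) is weak; nginx also accepts hashes produced by the system crypt(), so prefer that where available.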

Apache as forward proxy server

Cryptography and related algorithms, certificates, TLS/SSL versions: theory and examples

Hash (message digest) algorithms

Message authentication using a hash algorithm and a shared secret (MAC):

HMAC

Symmetric encryption algorithms

Modes of operation

Asymmetric encryption algorithms

Key exchange algorithms

Signature algorithms
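An added example, not part of the course material, exercising the primitives listed above through the openssl command line: hash, HMAC, CBC as a mode of operation and why it needs a MAC, ECDH key exchange and an ECDSA signature. All keys, the IV and the messages are constructed inline (labelled as such in the code) so it runs offline; the fixed IV is acceptable only in a demo.

```shell
#!/bin/sh
# Added example, not part of the course material: the primitives above driven through the
# openssl CLI. Keys, IV and messages are constructed here so the script runs offline; a fixed
# IV is only acceptable in a demo, never in real code.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hash: fixed-size digest of any input, no key, so anyone can recompute it.
sha256_hex() {                                   # $1 = message
    printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'
}

# HMAC: keyed hash; only holders of the key can produce or check the tag.
hmac_sha256_hex() {                              # $1 = key, $2 = message
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | sed 's/^.*= //'
}

# Symmetric encryption in CBC mode of operation (256-bit key, 128-bit IV, both constructed).
ENC_KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
ENC_IV=0f0e0d0c0b0a09080706050403020100
MAC_KEY=constructed-mac-key-for-the-demo
cbc_encrypt() { openssl enc -aes-256-cbc -K "$ENC_KEY" -iv "$ENC_IV" -in "$1" -out "$2"; }
cbc_decrypt() { openssl enc -d -aes-256-cbc -K "$ENC_KEY" -iv "$ENC_IV" -in "$1" -out "$2"; }

# An attacker flipping one ciphertext bit: XOR the first byte of a file with 0x01 in place.
flip_first_bit() {                               # $1 = file
    b=$(head -c 1 "$1" | od -An -tu1 | tr -d ' \n')
    printf "$(printf '\\%03o' $((b ^ 1)))" | dd of="$1" bs=1 count=1 conv=notrunc 2>/dev/null
}

# CBC gives confidentiality only: the flipped bit garbles block 1 and flips one bit of block 2,
# the last block's padding is still valid, and openssl returns success with corrupted plaintext.
cbc_tamper_demo() {
    printf 'pay 0100 EUR to account 987654321' > "$WORK/pt"
    cbc_encrypt "$WORK/pt" "$WORK/ct"
    flip_first_bit "$WORK/ct"
    if cbc_decrypt "$WORK/ct" "$WORK/pt.out" 2>/dev/null && ! cmp -s "$WORK/pt" "$WORK/pt.out"; then
        echo accepted-but-corrupted
    else
        echo rejected
    fi
}

# Encrypt-then-MAC: HMAC the ciphertext and check the tag before decrypting. AEAD modes such
# as GCM do this internally; "openssl enc" cannot do AEAD, hence the hand-made composition.
etm_seal() {                                     # $1 = plaintext file, $2 = ciphertext file (+ $2.tag)
    cbc_encrypt "$1" "$2"
    openssl dgst -sha256 -hmac "$MAC_KEY" "$2" | sed 's/^.*= //' > "$2.tag"
}
etm_open() {                                     # $1 = ciphertext file, $2 = plaintext file
    actual=$(openssl dgst -sha256 -hmac "$MAC_KEY" "$1" | sed 's/^.*= //')
    # (shell string comparison is not constant time; a library would use a constant-time compare)
    if [ "$actual" = "$(cat "$1.tag")" ]; then cbc_decrypt "$1" "$2" && echo ok; else echo tampered; fi
}
etm_demo() {
    printf 'pay 0100 EUR to account 987654321' > "$WORK/pt"
    etm_seal "$WORK/pt" "$WORK/ct"
    before=$(etm_open "$WORK/ct" "$WORK/pt.out")
    flip_first_bit "$WORK/ct"
    after=$(etm_open "$WORK/ct" "$WORK/pt.out")
    echo "$before,$after"
}

# Asymmetric: P-256 keypairs for two parties.
ensure_ec_keys() {
    for who in alice bob; do
        if [ ! -f "$WORK/$who.key" ]; then
            openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$who.key"
            openssl pkey -in "$WORK/$who.key" -pubout -out "$WORK/$who.pub"
        fi
    done
}

# Key exchange (ECDH): each side combines its private key with the peer's public key and both
# arrive at the same secret. SHA-256 here stands in for the KDF a real protocol applies.
ecdh_demo() {
    ensure_ec_keys
    a=$(openssl pkeyutl -derive -inkey "$WORK/alice.key" -peerkey "$WORK/bob.pub" | openssl dgst -sha256 | sed 's/^.*= //')
    b=$(openssl pkeyutl -derive -inkey "$WORK/bob.key" -peerkey "$WORK/alice.pub" | openssl dgst -sha256 | sed 's/^.*= //')
    if [ "$a" = "$b" ]; then echo same; else echo different; fi
}

# Signature (ECDSA over SHA-256): verifies with the public key, fails for any altered message.
ecdsa_demo() {
    ensure_ec_keys
    printf 'release v1.2.3' > "$WORK/msg"
    printf 'release v1.2.4' > "$WORK/msg2"
    openssl dgst -sha256 -sign "$WORK/alice.key" -out "$WORK/msg.sig" "$WORK/msg"
    r1=$(openssl dgst -sha256 -verify "$WORK/alice.pub" -signature "$WORK/msg.sig" "$WORK/msg"  >/dev/null 2>&1 && echo valid || echo invalid)
    r2=$(openssl dgst -sha256 -verify "$WORK/alice.pub" -signature "$WORK/msg.sig" "$WORK/msg2" >/dev/null 2>&1 && echo valid || echo invalid)
    echo "$r1,$r2"
}

printf 'SHA-256("abc")        %s\n' "$(sha256_hex abc)"
printf 'HMAC-SHA256(Jefe,..)  %s\n' "$(hmac_sha256_hex Jefe 'what do ya want for nothing?')"
printf 'CBC, tampered:        %s\n' "$(cbc_tamper_demo)"
printf 'Encrypt-then-MAC:     %s\n' "$(etm_demo)"
printf 'ECDH:                 %s\n' "$(ecdh_demo)"
printf 'ECDSA:                %s\n' "$(ecdsa_demo)"
```

The hash and HMAC values can be checked against the FIPS 180 "abc" vector and RFC 4231 test case 2; the CBC run is the practical reason TLS 1.3 only allows AEAD cipher suites.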

Certificates

TLS

TLS 1.2

SNI

ALPN

OCSP

OCSP stapling

OCSP must-staple

TLS 1.3

QUIC and http3

QUIC and DNS HTTPS record

TLS Session resumption

TLS 1.3 early data with session resumption

Internal CA implementation using openssl, use certificate on nginx/apache

Create CA

Generate keypair

Create CA (selfsigned) certificate

Example with default command line

Example with command line and params for DN

Example with config file

openssl – generate self signed, root CA certificate

openssl – show certificate

Create certificate for web server

Create keypair

Prepare config file and create certificate signing request

Display certificate signing request

Prepare v3 extension data for the request

Transfer request to CA, issue certificate

Transfer issued certificate to server

Display certificate

Transfer CA certificate to server

Add CA certificate to trusted root certificates

Create certificate chain

Use certificate with nginx, basic setup

Test with s_client and display the certificate

openssl as OCSP responder

Create keypair

Prepare config file and create request

Prepare v3 extension data for the request

Issue certificate

Revoke certificate

crl

Renew certificate

Use certificate with apache server, basic setup

Prepare certificates for lin1 and lin4 for following labs
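An added example, not part of the course material, running the internal CA procedure above end to end with "openssl ca": CA keypair and self-signed root from a config file, server keypair and CSR, v3 extension data kept with the request, issuing, chain file, client-style verification (chain, hostname, CRL), revocation, CRL and renewal. The names (Example Lab Root CA, www.lab.test, 10.0.0.10) and all paths are assumptions; everything is created in a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the course material: a minimal internal CA with "openssl ca".
# Names (Example Lab Root CA, www.lab.test, 10.0.0.10) and paths are assumptions.
set -eu
CA_ROOT=$(mktemp -d)
cd "$CA_ROOT"
mkdir -p ca/newcerts server
touch ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber

# CA config: database files, signing defaults, DN policy and the root's own extensions.
# copy_extensions = none: SAN and friends always come from the CA side, never from the CSR.
cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = lab_ca

[ lab_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 398
default_crl_days = 30
unique_subject   = no
copy_extensions  = none
policy           = policy_lab

[ policy_lab ]
commonName       = supplied
organizationName = optional
countryName      = optional

[ req ]
prompt             = no
distinguished_name = root_dn

[ root_dn ]
CN = Example Lab Root CA
O  = Example Lab

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# v3 extension data for the server request: end entity, server auth only, and the SAN that
# clients actually match (modern browsers ignore the CN).
cat > server/www.ext <<'EOF'
[ v3_server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:www.lab.test, DNS:lab.test, IP:10.0.0.10
EOF

create_ca() {            # keypair, self-signed root with v3_ca extensions, empty initial CRL
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca/ca.key
    chmod 600 ca/ca.key
    openssl req -x509 -new -config ca/openssl.cnf -extensions v3_ca -key ca/ca.key -days 3650 -out ca/ca.crt
    openssl ca -batch -config ca/openssl.cnf -gencrl -out ca/ca.crl >/dev/null 2>&1
}
create_server_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out server/www.key; }
create_server_csr() {    # on the server; only www.csr travels to the CA
    openssl req -new -config ca/openssl.cnf -subj '/CN=www.lab.test/O=Example Lab' -key server/www.key -out server/www.csr
}
issue_server_cert() {    # on the CA; the chain file (leaf first, then issuers) is what nginx/apache serve
    openssl ca -batch -config ca/openssl.cnf -extfile server/www.ext -extensions v3_server \
        -in server/www.csr -out server/www.crt -notext >/dev/null 2>&1
    cat server/www.crt ca/ca.crt > server/www.chain.crt
}
verify_server_cert() {   # what a client does: chain to the trusted root, hostname, CRL status
    if openssl verify -CAfile ca/ca.crt -CRLfile ca/ca.crl -crl_check \
            -verify_hostname www.lab.test server/www.crt >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
revoke_server_cert() {   # mark revoked in the database and publish a fresh CRL
    openssl ca -batch -config ca/openssl.cnf -revoke server/www.crt -crl_reason superseded >/dev/null 2>&1
    openssl ca -batch -config ca/openssl.cnf -gencrl -out ca/ca.crl >/dev/null 2>&1
}
run_all() {              # verification result after issue, after revocation, after renewal
    create_ca; create_server_key; create_server_csr; issue_server_cert
    r1=$(verify_server_cert)
    revoke_server_cert
    r2=$(verify_server_cert)
    create_server_csr; issue_server_cert   # renew: new serial, same key; the old serial stays on the CRL
    r3=$(verify_server_cert)
    echo "$r1 $r2 $r3"
}

RESULT=$(run_all)
echo "issued/revoked/renewed: $RESULT"
openssl x509 -in server/www.crt -noout -subject -issuer -dates -ext subjectAltName
# Trust the root system-wide (Debian/Ubuntu) so curl and s_client validate without -CAfile:
#   cp ca/ca.crt /usr/local/share/ca-certificates/lab-root.crt && update-ca-certificates
```

Point nginx at server/www.chain.crt and server/www.key (ssl_certificate / ssl_certificate_key) or Apache at the same files (SSLCertificateFile / SSLCertificateKeyFile); then openssl s_client -connect host:443 -servername www.lab.test -CAfile ca/ca.crt should report "Verify return code: 0 (ok)".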

Web server setup, standard

apache2

nginx

Reverse proxying with SSL termination

Apache: single certificate, url redirect

Apache: multiple certificates

nginx: single certificate, url redirect

nginx: multiple certificates

Reverse proxying without SSL termination

Use Let's Encrypt to obtain a public certificate

SSH with user and host certificates

Preparation

Creating ssh CA

Creating keypair for hosts and users ca

Creating CAs for users and hosts:

Issuing certificate for some host

Preparing keypair to sign on host

Transfer public key to CA

Issue certificate for host

Transfer signed certificate to host

Check the content of the certificate before use

Configuring sshd to use and present the host certificate

Configuring the ssh client to trust host certificates

Adding users for test

Enabling password authentication for test

Testing access to a server presenting a certificate, user authentication via password

Prepare and test certificate for lin2

Issuing and using certificates for users

Creating user keypair

Issuing user certificate

Check certificates

Configure SSHd to accept user certificates

Test connectivity

Additionally limit allowed users on server

Revoking certificates

Revoke user certificate

Revocation using krl files

Revoke host certificate

Revoke host certificate using krl file
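An added example, not part of the course material, running the SSH certificate procedure above with ssh-keygen: separate host and user CAs, issuing and inspecting a host and a user certificate, the sshd and known_hosts configuration that consumes them, and revocation through a KRL both from the certificate file and by serial. The hostnames (lin1.lab.test, 10.0.0.11), the user alice, the serials and the admin network 10.0.10.0/24 are assumptions; everything is written to a scratch directory, nothing touches /etc.

```shell
#!/bin/sh
# Added example, not part of the course material: host and user SSH CAs with ssh-keygen.
# Hostnames, user, serials and networks are assumptions; files land in a scratch directory.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Two separate CAs: host_ca signs host keys (clients trust it), user_ca signs user keys
# (servers trust it). One CA for both would let a leaked user CA mint host certificates.
create_cas() {
    ssh-keygen -q -t ed25519 -N '' -C 'lab host CA' -f host_ca
    ssh-keygen -q -t ed25519 -N '' -C 'lab user CA' -f user_ca
}

# Host: keypair is generated on lin1, only lin1_host_key.pub travels to the CA, the signed
# lin1_host_key-cert.pub travels back. Principals must list every name clients will use.
issue_host_cert() {
    ssh-keygen -q -t ed25519 -N '' -f lin1_host_key
    ssh-keygen -q -s host_ca -h -I 'lin1.lab.test host key' -z 7 \
        -n lin1.lab.test,lin1,10.0.0.11 -V -5m:+365d lin1_host_key.pub
}

# User: short validity, principals are the accounts the cert may log in as, options restrict
# where it may be used from and what it may do.
issue_user_cert() {
    ssh-keygen -q -t ed25519 -N '' -f alice_key
    ssh-keygen -q -s user_ca -I 'alice@laptop' -z 42 -n alice,deploy -V +8h \
        -O source-address=10.0.10.0/24 -O no-port-forwarding alice_key.pub
}

show_cert() { ssh-keygen -L -f "$1"; }   # check key ID, principals, validity and options before deploying

# sshd on lin1: present the host cert, trust user certs from user_ca, consult the KRL, and
# limit logins to named accounts regardless of the principals a cert carries.
write_sshd_config() {
    cat > sshd_ca.conf <<EOF
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/user_ca.pub
RevokedKeys /etc/ssh/revoked.krl
AllowUsers alice deploy
EOF
}

# ssh client: one known_hosts line trusts every host cert signed by host_ca for these name
# patterns, so no per-host fingerprint prompt and no trust-on-first-use.
write_known_hosts() {
    printf '@cert-authority *.lab.test,10.0.0.* %s\n' "$(cut -d' ' -f1,2 host_ca.pub)" > known_hosts
}

# Revocation: a KRL is a compact binary list consulted by sshd (RevokedKeys) and ssh
# (RevokedHostKeys). Revoke from the certificate file, or by serial with only the CA public
# key at hand when the certificate itself is no longer available.
is_revoked() { if ssh-keygen -Q -f revoked.krl "$1" >/dev/null; then echo ok; else echo REVOKED; fi; }

run_all() {   # status of "user host" certs after revoking the user cert, then also the host cert
    create_cas; issue_host_cert; issue_user_cert; write_sshd_config; write_known_hosts
    ssh-keygen -k -f revoked.krl alice_key-cert.pub
    step1="$(is_revoked alice_key-cert.pub) $(is_revoked lin1_host_key-cert.pub)"
    printf 'serial: 7\n' > host_revoke.spec
    ssh-keygen -k -u -f revoked.krl -s host_ca.pub host_revoke.spec
    step2="$(is_revoked alice_key-cert.pub) $(is_revoked lin1_host_key-cert.pub)"
    echo "$step1 | $step2"
}

RESULT=$(run_all)
echo "after user revocation | after host revocation: $RESULT"
show_cert lin1_host_key-cert.pub
```

After copying a new KRL into place, sshd picks it up on the next connection without a restart; keep the KRL version number increasing (-z when generating) so hosts can tell an older file from a newer one.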

Disk partitioning, file systems , booting

Partitioning MBR disk

Setting fs type on MBR disk

Creating filesystem on partition

Mounting filesystem

Partitioning GPT disks, creating filesystem on partition, mounting partition

Using LVM

Creating partition to be used as PV

Creating PV, VG, LV

Creating filesystem on LV, mounting

Extending VG, LV, FS

BIOS and UEFI booting, grub

BIOS booting, grub with GPT partition

Explaining boot process

Customizing GRUB

Installing grub on another disk and making another disk bootable

BIOS booting, grub with MBR partition

UEFI booting

Other tools and services

Cron

Rsync

rsync all important files, potentially of other users

Backup with rsnapshot

Linux, firewall possibilities

iptables

iptables tables, chains, policy

Passing input traffic, rules and actions

Additional chains

Sessions

NAT: masquerade example (port translation using one address)

Ufw

Example of iptables (or nftables) based firewall software: ufw

Firewalld

Example of iptables (or nftables) based firewall software: firewalld

nftables

iptables in nft mode: iptables-nft

Inserting rules with nft, interaction with iptables-nft

Deleting rules with nft, clearing all rules

Creating tables, chains and rules using nft

Connections and nft

Additional chains in nft

Masquerade with nft

Ubuntu nftables service

Firewalld with nftables

firewalld and nft
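An added example, not part of the course material, that expresses the iptables topics above (tables, chains and policy, session handling with conntrack, an additional chain reached by jump, masquerade) as one nftables ruleset, emitted by a shell function so it can be reviewed and syntax-checked before it is loaded atomically. The interface names (eth0 uplink, eth1 LAN) and 10.0.10.0/24 as the admin network are assumptions.

```shell
#!/bin/sh
# Added example, not part of the course material: one nftables ruleset covering the iptables
# topics of this section. Interface names and the admin network are assumptions.
set -eu

ruleset() {
cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Additional chain, reached by jump: the counterpart of a user-defined iptables chain.
    chain web {
        tcp dport { 80, 443 } accept
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Sessions: packets of known connections pass without re-matching the rules below.
        ct state established,related accept
        ct state invalid drop

        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Management plane: SSH only from the admin network, new connections rate limited.
        ip saddr 10.0.10.0/24 tcp dport 22 ct state new limit rate 10/minute accept

        jump web

        # Everything else: log (rate limited, so the log cannot be flooded) then the drop policy.
        limit rate 5/minute log prefix "nft input drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "eth1" oifname "eth0" accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# NAT: LAN hosts leave through eth0 with its address; conntrack maps the replies back.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}
EOF
}

# Syntax check without touching the kernel, then load in one transaction: either the whole
# ruleset applies or nothing changes, so there is no window with a half-built policy (a
# sequence of "iptables -A" calls has one).
check_ruleset() { ruleset | nft -c -f -; }
apply_ruleset() { ruleset | nft -f -; }

# Ubuntu's nftables.service loads /etc/nftables.conf at boot.
install_ruleset() { ruleset > /etc/nftables.conf && systemctl enable --now nftables; }

# Number of chains in the generated ruleset, for a quick review.
count_chains() { ruleset | grep -c '^ *chain '; }

ruleset
```

If iptables-nft rules exist on the same host they live in their own tables (ip filter, ip nat, ...) that nft list ruleset shows next to this one, and the kernel evaluates both sets; mixing them makes the effective policy hard to reason about, so migrate fully to one tool. firewalld with the nftables backend behaves the same way: its rules appear as a separate firewalld table.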