Hardening a web-server for the modern internet

From SdNOG wiki
Jump to navigation Jump to search


Introduction

Hands on how to secure your network Three day course – Philip Paeps

Objectives

By the end of the workshop, everyone should know how to run secure services in jails on FreeBSD and use the pf firewall to keep malicious people on the internet out of their jails.

Prerequisites

Participants should be familiar with Unix-style operating systems. The course is taught on FreeBSD but the environment will be familiar to people with a systems administration background on Linux or Solaris. Participants should bring their own laptops.

Participants

Systems administrators and network operators who are running Network services in their organization.

Workshop Requirements

  • Knowledge of Linux/UNIX command line
  • Good understanding of network basics (IP networking)
  • All participants will need to bring a laptop with WiFi access. You cannot use a tablet for this workshop.

Instructors

Philip Paeps

Registration

The registration is closed

  • Please note there will be a selection process, and selected candidates will be contacted to confirm their participation.

Agenda

Time Day 1: Sunday 14 August Day 2: Monday 15 August Day 3: Tuesday 16 August
08:30 – 09:15 (45 minutes) Registration and coffee Registration and coffee Registration and coffee
09:15 – 11:15 (120 minutes) • Installing FreeBSD in a VM
• Where to find installation media
• Which installation to choose
•Installing on a clean machine
• Advanced jails
• Installing a jail from scratch
• Isolating jails with pf
• Nested jails
• Jailing the Postfix mailserver
• Installing Postfix from a package
• Configuring a basic Postfix in a jail
• letsencrypt.org certificate for SMTP
11:15 – 11:30 (15 minutes) Coffee break Coffee break Coffee break
11:30 – 13:00 (90 minutes) • FreeBSD is not Linux
• Filesystem overview
• init(8) and rc(8) (NO SYSTEMD!)
•Starting and stopping processes
• Package management with pkg(8)
• Using ezjail for easier management
• Installing a dozen jails in two minutes
•Upgrading jails
• Deleting and archiving jails
• Package management across many jails
• Hardening Postfix against spammers
• DNS blacklists and whitelists
•Sender and recipient restrictions
•Fun tricks with multiple IP addresses
13:00 – 14:00 (60 minutes) Lunch Lunch Lunch
14:00 – 15:30 (90 minutes) • pf: the BSD firewall
• Default-deny ruleset
• Allowing services
• NAT and port forwarding
• Jailing and securing nginx
• Installing nginx in a fresh jail
• Tuning nginx for maximum security
•Obtaining and managing letsencrypt.org certificates
•Online tools for confirming webserver security
• Building your own custom packages
• Introduction to Poudriere
• Installing Poudriere in a jail
15:30 – 15:45 (15 minutes) Coffee break Coffee break Coffee break
15:45 – 16:30 (45 minutes) •Introduction to jails
• Lightweight virtualisation
• Jails vs. virtual machines
• Mention bhyve
•Exercises with nginx
• Reverse proxies across multiple jails
•Dodgy services locked up in nested jails
• Putting it all together
• ezjail, poudriere, nested jails
•Mostly automated installations
•Using multiple package repositories