IBM Linux Security
⚠ SERVER COMPROMISED
Module 01 — Reference
Linux Command Library
All commands from the IBM reading organized by category. Each includes the security lesson it teaches. Click any command to see it in action.
Run Levels — System States
Level  Name             Description
0      HALT             Stop all system operations
1      Single User      Root only — maintenance mode
2      Multi-User       Multiple users, no NFS sharing
3      Full Multi-User  Text-based, full capabilities
4      Undefined        Reserved for custom use
5      Full GUI         Multi-user with graphical UI
6      Reboot           Restart all operations
init — Run Level Control
Module 02 — File System
File System Adventure
Navigate a virtual compromised Linux server. Use ls, cd, cat, pwd, and sudo to find hidden files and flags. Every discovery teaches a security lesson.
⚠ MISSION BRIEFING
A web server has been compromised. Intelligence suggests the attacker left traces in hidden files and directories. Your objective: navigate the filesystem, find the hidden flag, and understand HOW the attacker concealed their presence.
PWD: /home/investigator
USER: investigator
FLAGS: 0 / 3
THREAT LEVEL: HIGH
Objectives
Run ls -la to see hidden files (dotfiles)
Navigate to /var/log directory
Discover suspicious private/ directory
Examine the hidden .shell.sh script
Use find to locate all .sh scripts
Capture all 3 flags
Security Lessons
→ Dotfiles (starting with ".") are hidden from regular ls
→ Always use ls -la to reveal ALL files
→ Attackers hide scripts in system directories
→ find can traverse the entire filesystem
Module 03 — chmod / chown
Permission Challenges
Identify dangerously misconfigured file permissions and fix them using chmod. Learn why chmod 777 is a critical security risk.
⚠ SECURITY AUDIT ACTIVE
A security audit has flagged 4 files with dangerous permission settings. Use chmod to fix each one. The attacker exploited world-writable files to inject malicious code.
Permission Reference — Octal System
Octal  Binary       Permissions  Use Case
777    111 111 111  rwxrwxrwx    DANGEROUS — never use
755    111 101 101  rwxr-xr-x    Executables, directories
644    110 100 100  rw-r--r--    Regular files, HTML
640    110 100 000  rw-r-----    Config with group read
600    110 000 000  rw-------    Private keys, passwords
400    100 000 000  r--------    Read-only private files
Fixed Files
⚠ deploy.sh — 777 WORLD WRITABLE
⚠ config.env — 666 WORLD WRITABLE
⚠ index.html — 777 WORLD WRITABLE
⚠ .ssh/id_rsa — 644 KEY EXPOSED
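The hunt from Module 02 and the audit from Module 03 use the same tools, so one added shell example covers both. It is not the simulator's code: it builds a constructed lab tree under a temporary directory (the file names and modes are the ones the two modules list; the directory layout is a hypothetical stand-in for the server), finds the dotfile script that plain ls would miss, lists every world-writable file, then fixes the four flagged permissions. It assumes GNU coreutils and findutils (stat -c, find -perm -o+w).

```shell
#!/bin/sh
# Added example, not from the IBM simulator. Builds a constructed lab tree
# in a temp dir and walks the Module 02/03 objectives against it.
# Assumes GNU coreutils/findutils (stat -c, find -perm -o+w).

# Create the constructed tree. Names and modes match the module's flagged
# files; the layout itself is hypothetical.
setup_lab() {
    lab=$(mktemp -d)
    mkdir -p "$lab/var/log/private" "$lab/home/investigator/.ssh"
    printf '#!/bin/sh\n# constructed stand-in for the hidden script\n' > "$lab/var/log/private/.shell.sh"
    printf 'echo deploy\n' > "$lab/home/investigator/deploy.sh"
    printf 'DB_PASS=constructed\n' > "$lab/home/investigator/config.env"
    printf '<html></html>\n' > "$lab/home/investigator/index.html"
    printf 'CONSTRUCTED-PRIVATE-KEY\n' > "$lab/home/investigator/.ssh/id_rsa"
    chmod 777 "$lab/var/log/private/.shell.sh" "$lab/home/investigator/deploy.sh" \
              "$lab/home/investigator/index.html"
    chmod 666 "$lab/home/investigator/config.env"
    chmod 644 "$lab/home/investigator/.ssh/id_rsa"
    echo "$lab"
}

# Module 02: plain ls skips dotfiles, find does not. List every shell script
# whose name starts with "." anywhere under the tree.
find_hidden_scripts() {
    find "$1" -type f -name '.*.sh' | sort
}

# Module 03: any file writable by "other" is an injection point for an attacker
# who already has an unprivileged foothold.
find_world_writable() {
    find "$1" -type f -perm -o+w | sort
}

# Fix the findings: strip group/other write everywhere, then apply the
# reference table's targets (HTML 644, config 640, private key 600).
harden_lab() {
    lab=$1
    find "$lab" -type f -perm -o+w -exec chmod go-w {} +
    chmod 644 "$lab/home/investigator/index.html"
    chmod 640 "$lab/home/investigator/config.env"
    chmod 600 "$lab/home/investigator/.ssh/id_rsa"
}

# Octal mode of one file, e.g. 755.
mode_of() {
    stat -c '%a' "$1"
}
```

Run it as `lab=$(setup_lab); find_world_writable "$lab"; harden_lab "$lab"; find_world_writable "$lab"`; the second listing is empty. The generic `find ... -exec chmod go-w` step is the one that scales to a real server, the three explicit chmod lines are the module's four flagged files brought to the table's recommended modes.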
Module 04 — ps / kill
Process Hunter
Use ps aux to identify malicious processes running on the compromised server. Find the cryptominer, the backdoor listener, and the data exfiltration script — then terminate them.
⚠ ANOMALOUS PROCESSES DETECTED
System monitoring flagged unusual CPU and network activity. Three malicious processes are running. Use ps aux to identify them, then kill -9 <PID> to terminate. Check with netstat -tlnp for backdoor ports.
Process Watch — Live
PID  USER  CPU%  COMMAND  THREAT
Eliminated Processes
PID 1337 — cryptominer (99% CPU)
PID 1338 — nc backdoor (port 4444)
PID 1339 — data exfil script
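The triage the module asks for, as an added shell example that is not part of the simulator: it runs over a constructed `ps aux` snapshot and a constructed `netstat -tlnp` listing (PIDs 1337-1339, the cryptominer, the nc listener on 4444 and the hidden script follow the module's story; every other row, path and the 90% CPU threshold are my assumptions), flags the three processes for different reasons, and ties the 4444 listener back to its PID the way the PID/Program name column does.

```shell
#!/bin/sh
# Added example, not from the IBM simulator. Constructed "ps aux" and
# "netstat -tlnp" output; thresholds and patterns are assumptions.

PS_SNAPSHOT='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   02:00   0:01 /sbin/init
www-data   912  0.3  0.5 210000 20000 ?        S    02:01   0:02 /usr/sbin/apache2 -k start
www-data  1337 99.0  2.0 950000 80000 ?        R    03:15  41:10 /tmp/.x/cryptominer
www-data  1338  0.0  0.0   6000   800 ?        S    03:16   0:00 nc -l -p 4444
www-data  1339  1.2  0.3  12000  3000 ?        S    03:17   0:05 /bin/sh /var/log/private/.shell.sh
investigator 2001 0.0 0.1 9000 2500 pts/0    R+   04:00   0:00 ps aux'

NETSTAT_SNAPSHOT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      700/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      912/apache2
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1338/nc'

# Flag a process that burns >= 90% CPU, runs netcat in listen mode, or executes
# a dotfile script from a system directory. Output: "PID reason" per line.
# COMMAND is field 11 onward in ps aux, so it is reassembled before matching.
suspicious_processes() {
    printf '%s\n' "$PS_SNAPSHOT" | awk 'NR > 1 {
        cmd = ""; for (i = 11; i <= NF; i++) cmd = cmd (i > 11 ? " " : "") $i
        if ($3 + 0 >= 90)                print $2, "high-cpu"
        else if (cmd ~ /^nc .*-l/)       print $2, "nc-listener"
        else if (cmd ~ /\/\.[^\/]+\.sh/) print $2, "hidden-script"
    }'
}

# Which PID owns a listening TCP port? Reads the PID/Program name column.
pid_listening_on() {
    printf '%s\n' "$NETSTAT_SNAPSHOT" | awk -v port="$1" '
        $1 == "tcp" && $4 ~ (":" port "$") && $6 == "LISTEN" { split($7, p, "/"); print p[1] }'
}

# The termination plan: SIGTERM first so a well-behaved process can exit
# cleanly, SIGKILL (the module's kill -9) only if it ignores that.
kill_plan() {
    suspicious_processes | while read -r pid reason; do
        printf 'kill -15 %s || kill -9 %s   # %s\n' "$pid" "$pid" "$reason"
    done
}
```

`kill_plan` prints the commands rather than running them, so the snapshot can be reviewed before anything is terminated; on a live box the same two functions would read `ps aux` and `netstat -tlnp` directly.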
Module 05 — grep / journalctl
Log Detective
Analyze auth.log to uncover a brute-force SSH attack. Use grep with patterns to filter log entries, identify the attacker's IP, and block it with fail2ban.
⚠ INTRUSION DETECTION ALERT
The auth.log shows suspicious activity starting at 03:15 AM. An attacker has been systematically brute-forcing SSH. Find the attack pattern, identify the source IP, confirm the breach, and ban the attacker.
Investigation Progress
View raw auth.log contents
Use grep to filter failed logins
Count total failed attempts
Identify the successful breach
Ban the attacker's IP with fail2ban
Attack Pattern Analysis
→ Run grep "Failed" to see brute force attempts
→ Brute force: many failures from same IP, short timeframe
→ grep "Accepted" confirms if attack succeeded
→ fail2ban automatically bans IPs after threshold
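The five investigation steps as one added shell pipeline; this is my example, not the simulator's. It runs over constructed auth.log lines in sshd's format (the timestamps, usernames and the documentation-range IPs 203.0.113.77 and 198.51.100.9 are invented), counts failures per source, applies a threshold of 5 (an assumption, matching a common fail2ban maxretry value rather than anything the module states), checks whether a brute-force source later got an Accepted line, and prints the fail2ban-client command that would ban it.

```shell
#!/bin/sh
# Added example, not from the IBM simulator. Constructed auth.log lines;
# the failure threshold is an assumption.

AUTH_LOG='Mar 14 03:15:01 server sshd[2211]: Failed password for root from 203.0.113.77 port 51022 ssh2
Mar 14 03:15:03 server sshd[2213]: Failed password for root from 203.0.113.77 port 51024 ssh2
Mar 14 03:15:05 server sshd[2215]: Failed password for invalid user admin from 203.0.113.77 port 51026 ssh2
Mar 14 03:15:07 server sshd[2217]: Failed password for root from 203.0.113.77 port 51028 ssh2
Mar 14 03:15:09 server sshd[2219]: Failed password for root from 203.0.113.77 port 51030 ssh2
Mar 14 03:15:11 server sshd[2221]: Failed password for root from 203.0.113.77 port 51032 ssh2
Mar 14 03:15:13 server sshd[2223]: Accepted password for root from 203.0.113.77 port 51034 ssh2
Mar 14 03:20:44 server sshd[2301]: Failed password for investigator from 198.51.100.9 port 40211 ssh2
Mar 14 03:20:50 server sshd[2303]: Accepted publickey for investigator from 198.51.100.9 port 40213 ssh2'

THRESHOLD=5   # assumption: failures per IP before we call it brute force

# Steps 2 and 3: failed logins counted per source IP, busiest first.
# The sed pulls the address out of "... from <ip> port ..." (works for the
# "invalid user" variant too).
failed_by_ip() {
    printf '%s\n' "$AUTH_LOG" | grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort | uniq -c | sort -rn
}

# An IP whose failure count reaches the threshold is a brute-force source.
brute_force_sources() {
    failed_by_ip | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# Step 4: the attack succeeded if a brute-force source has an Accepted line.
# grep -F keeps the dots in the IP literal.
confirmed_breaches() {
    for ip in $(brute_force_sources); do
        printf '%s\n' "$AUTH_LOG" | grep 'Accepted' | grep -F " from $ip " >/dev/null && echo "$ip"
    done
}

# Step 5: the ban command an operator would run. Printed, not executed:
# it needs root and a running fail2ban with the sshd jail.
ban_commands() {
    for ip in $(brute_force_sources); do
        printf 'fail2ban-client set sshd banip %s\n' "$ip"
    done
}
```

The single failure from 198.51.100.9 followed by a publickey login is what a legitimate user mistyping a password looks like; it stays below the threshold and is not banned, which is the false-positive case the threshold exists for.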
Module 06 — iptables
Firewall Builder
Configure iptables rules to secure the server. Block all unnecessary ports, allow only SSH (22) and HTTP (80), and drop everything else. Close unused ports to minimize attack surface.
⚠ ALL PORTS OPEN — CRITICAL RISK
The server's firewall shows no rules — policy ACCEPT on all ports. The attacker connected on port 4444 (backdoor) which should have been blocked. Build iptables rules to secure this server.
Active Firewall Rules
// No rules configured — all ports open
// Chain INPUT (policy ACCEPT)
Port Security Status
Port 22 (SSH) — not configured
Port 80 (HTTP) — not configured
Port 443 (HTTPS) — not configured
Default DROP rule — not set
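The two firewall states the module contrasts, as an added shell example that is not the simulator's code. Both rulesets are written in iptables-restore format so they can be diffed and loaded atomically; the functions only print text and never touch the live firewall. A small static check shows why port 4444 is reachable under the weak ruleset and dropped under the hardened one. The file path in the usage note is an assumption (it is where Debian's iptables-persistent reads rules; other distributions differ).

```shell
#!/bin/sh
# Added example, not from the IBM simulator. Prints iptables-restore rulesets;
# nothing here is applied to the running kernel.

# The state the audit found: policy ACCEPT on every chain and no rules, so an
# inbound connection to 4444 (or any port) is accepted by default.
weak_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Hardened: default DROP inbound, allow loopback and replies to connections we
# opened, then only the listed TCP ports (22 80 unless told otherwise).
# Everything else, 4444 included, is dropped by the chain policy.
hardened_rules() {
    ports=${1:-"22 80"}
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Static check: would a new inbound TCP connection to port $2 get through
# ruleset $1? Returns 0 if an explicit ACCEPT exists for the port, otherwise
# falls back to the INPUT chain policy.
port_allowed() {
    ruleset=$1; port=$2
    if printf '%s\n' "$ruleset" | grep -q -- "--dport $port .*-j ACCEPT"; then
        return 0
    fi
    printf '%s\n' "$ruleset" | grep -q '^:INPUT ACCEPT'
}
```

To apply on a Debian-style host (path assumed): `hardened_rules '22 80 443' > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4`, run as root. Loading the whole table in one iptables-restore call avoids the window where a partially built ruleset with DROP policy locks out the SSH session doing the work.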
Module 07 — Security Measures
Linux Security Hardening
Walk through all 8 essential security measures from the IBM reading. Run each command simulation to see how to implement them and understand why each one matters.
HARDENING SCORE: 0 / 8
STATUS: VULNERABLE
Module 08 — Assessment
Linux Security Quiz
Test your knowledge from all three IBM readings: Linux Commands, Run Levels, and Securing Linux. 10 questions with instant feedback.