Enterprise Cloud Security and Governance

Second layer – platform layer

The platform layer is basically the OS layer that is exposed to the network.

Every server has some kind of service listening on specific ports. If, for some reason, an attacker is able to connect to the services running on these ports, and has a working exploit for one of them, he will be able to break into the system.

However, if the system is fully patched with the latest updates, proper server hardening is in place, SELinux is enabled, and a host-based intrusion detection system is present, then the attacker will have a tough time even if the first layer of defense is bypassed.

For example, due to a misconfiguration in the firewall, port 22 is now open to the world. Taking advantage of this, the attacker has launched a brute force attack against the SSH service running on port 22.

To the attacker's surprise, SSH is configured to accept only public key authentication, and the server has OSSEC (a HIDS) installed that automatically blocks the IP address of any user who fails multiple login attempts.

Due to the multiple failed login attempts, OSSEC has blocked the attacker's IP address with the host-based firewall (iptables), and the attacker is no longer able to connect.
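The OSSEC active response described in this scenario boils down to a simple rule: count failed SSH logins per source IP inside a time window and push a firewall drop rule once a threshold is reached. The following is an added example (not from the book or from OSSEC itself) that implements that logic over constructed sshd log lines; the threshold, window and log year are assumptions, and the iptables command is returned as a string rather than executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd auth log lines (not real data); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:15:03 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar  3 10:15:04 web01 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  3 10:15:06 web01 sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 51031 ssh2
Mar  3 10:15:09 web01 sshd[2207]: Failed password for root from 198.51.100.7 port 51040 ssh2
Mar  3 10:16:00 web01 sshd[2210]: Accepted publickey for deploy from 203.0.113.9 port 40022 ssh2: ED25519 SHA256:abc
Mar  3 10:20:30 web01 sshd[2215]: Failed password for root from 192.0.2.44 port 33001 ssh2
"""

# Matches the syslog-style "Failed password" line sshd writes; successful logins are ignored.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip) for every failed-password line (year is assumed)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]

def offenders(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return source IPs that reached `threshold` failures within a sliding `window`."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    blocked = []
    for ts, ip in parse_failures(log_text):
        hits = [t for t in recent[ip] if ts - t <= window]  # drop failures older than the window
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= threshold and ip not in blocked:
            blocked.append(ip)
    return blocked

def block_rule(ip):
    """The iptables rule a host-based active response would apply (returned, not executed)."""
    return f"iptables -I INPUT -s {ip} -j DROP"

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print(block_rule(ip))
```

Running it reports only 198.51.100.7, which hit five failures in eight seconds; the single failure from 192.0.2.44 stays below the threshold, and the successful public key login is never counted.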