How to protect Linux from Hackers // My server security strategy!

One of the best posts on security, open source server security i've watched. Simply great!

Another of the most important thing is network security, and your home network design. Using pfSense at network level. You talked about some of the DMZ setup. Using VLAN to separate networks, home networks, IoT networks, server network and so on.

Thanks for bringing this topic up! This is what I needed so much.

Thanks for the quality content! You're such a wealth of information and we appreciate you sharing it

Another great video thanks!
It would be great if you could go into more detail on how to address the firewall security issue using UFW of the docker containers and how you address them for cloud hosted servers.

Once again, another great video. Thank you for your service ! :)

I honestly want to see your channel grow exponentially... May you get a few million subscribers real soon. Just keep maintaining your video's quality and pace...

I think you're awesome, man. Keep on keeping on!

In 2021, I would recommend creating a Ed25519 key instead of a RSA key. Ed25519 offers stronger encryption and shorter keys. Only downside is that it is incompatible with older systems (older then say, 5 or 6 years?)

Hi from London, I have subscribed and new to your channel. Thank you so much for tips and what I needed so much & very useful.

Awsome and on point as always
Thank you

broski explains things perfectly.. RESPECT AND LUV

Excellent Videos mate.... And thank you for sharing stuff like this..

Great video! Running ss or netstat as root (with sudo) will show the PID/Program name in the final column, which is helpful if you don't already know what ports services commonly use, for well known ports or registered ports, as well as for ephemeral ports

This video is super interesting. Especially the part about Docker and iptables couldn't be stated enough. However I think that you could have also mentioned how to prevent docker from opening ports, that seem to be closed in the UFW rules. I had this issue a couple of days ago with a production system which unfortuantely wasn't protected by an external firewall. I was able to fix this in a couple of minutes, but for the novice admins, who are probably the target audience of this video, it certainly isn't that trivial to fix.
btw: I only discovered your channel a few days ago and even for me as a professional linux admin, it's interesting content. I'm looking forward to seeing more from you 🙂

I hit the "subscribe" button and clicked "all" on the bell 🔔 great video sir!

very very very good and interesting video. Congrats!!!

Great video. What we do for security ? The best way is to install every server as a vm on a separate isolated vlan, apply all your suggestions. Hopefully nothing will infect your server, and even if it does, the infection will remain isolated and easily taken care of using snapshots or backups. We have applied this strategy and so far, so good, we are in safe heavens since 2 years. Not to forget, your virtualiser needs to be well protected as well.

Great video Christian

5:55 I run my containers via podman in systemd units and create the descriptions via quadlet.
That way I can just regularly let the system call "podman auto-update" and I am done (it also rolls it back in case the update doesn't work, but it relies on support from the containers here which may not necessarily be available).

Great Video! Curious what shell prompt are you using in your SSH tutorial? Really like that look...

Good video. dunno if its only me thinking the music in the background is a bit loud

you are awesome man!! thank you.

Great video, Thanks a lot.

Recently following you, great content. what have you used for the terminal, looks different?

Hi,
you can use Ssh-copy-id for copying SSH keys to servers.
nice video, thx

Hi, thanks for the video. Very good. Btw, what model of keyboard you are using? Regards

great video, thanks !.....don't forget, you could've used _ssh-copy-id_ @ 11:08

I learned so much on a single command line! 7:21

Wow. The quality.

Great video, I will have to watch it at least 10 times to implement all this.

Thank you.

Hi!
How should I use the DMZ? I have 2 server. One host all my services in docker (nginx proxy manager, website, cloud services, apps, etc...) and I have a Raspberry with Adguard (and my TLS DNS) and a plex server.
Should I move plex to the big one, and nginx to the small one and make the raspberry as dmz landzone to manage all traffic? Would it isolate the main server correctly?
Thanks for helping!

Thanks!

For 2FA in the shell I use DUO Security, with a free account you can do pretty much everything, I employ the least privilege access so I have a non sudo account for docker management and access with a pub key, for sudo I login with su to a local admin account, and for the actual sudo to execute a duo push is needed.

Subject: How to protect Linux from Hackers // My server security strategy!
Rule1: don't tell hackers about your server security strategy
Just joking :D great content Christian, keep on going! Regards from Czechia :)

@26:48 - how do you make fail2ban work on all running service or all open ports ?
@26:58 - what will it show if you removed the sshd

Something else you can do is move the ssh port. Port 22 is well known and thus hackers hit it all the time basically automatically. You can move ssh traffic to a different port and close 22. It's only security via obscurity I know, but it avoids those automated hacking attempts.

What the, so SSH doesn't block that tries too make wrong passwords out-of-the-box and I have install a third-party utility?

Great stuff

Thank you Christian.

Docker is a rabbithole, but such an interesting one. :)

What if we loose the SSH keys file ? We cannot log in any longer if we had disabled password login ?

Good video. But take a look at ed255... Ssh keys :)

How can I organize what needs to be updated like an apk file. Where should I save it to auto update?

how can i set the terminal with your same graphic theme. seems very cool!

Great

Hi Christian, I cant find a decent how to setup a XMPP server on AWS or Hetzner from scratch.
In the era of self-relying on privacy you might find it interesting to make such a video or post on your website.
Cheers!

Tailscale has also added tailscale ssh it Also is like An acces Proxy

Security is a journey, not a destination

what do you think about ufw-docker?

you the man, thank you.

Heftiger Typ!

Hi Christian, this video really helped me in my research prior to deploying my first home server. I do, however, have a few questions about securing my server and my data. Assuming I am running ubuntu: what would be the best way to share folders across my home network (to other Windows devices) and ensure that I'm protected from attacks outside my server. I will have a total of 3 users accessing these shared folders, including myself. Any help here would be greatly appreciated, or if you can provide a resource that would be helpful too. Thanks.

Hey Christian! Why don’t ya use ssh-copy-id -I keyfile hostnamelikeinssh???

5:26 there is a command that copy your ssh keys conveniently called ssh-copy-id

Nice SIr :D

Hallo Christian, tolle Videos! Du hast ja viele Videos zu Docker etc. Den Aspekt, dass Docker Container die Firewall aber umgehen, reißt Du aber nur hier kurz an. Ich denke das ist sehr wichtig. Viele installieren jetzt fleißig Docker Container und wiegen sich in Sicherheit, die so gar nciht gegeben ist. Kannst Du nicht mal ein Video dazu machen, wie man auch Docker mit der Firewall sicher absichern kann?

I added 2FA to my home ssh server when I want to log from somewhere else, works amazing... uses the key and fallback to password/2FA

I used to use UFW on all my servers - but, I ended up moving to iptables because UFW had a habit of dying after 30,000 plus IP addresses were blocked. I haven't run into that problem with iptables, but it's always possible it was a memory issue.

could you do a yubi key authentication integration on linux?

Do you set up TPM for Linux?

Yes. Some security feature will be always better than none. Of course not all secure server are unhackable but to at least leave less port open. Use longer time to get stolen or own. Similar to your car if you don't have car alarm or steering lock. Car theft can happen within 1 to 5 minutes but if you have the security wheel lock gear lock brake lock will at least waste some of the car theft time. Even pentagon or military still get hack this is most secure but still got hacked. Good share. Thank you.

Hi Chris, at 8:24 you forgot to tell us what is the string you used.

is there something called very very excellent video

What do the seemingly random numbers at the beginning of the files mean? I saw similar numbers in polkit configuration files.

I found your channel today and I am thrilled that you are so willing to share such pertinent information. One request I do have to ask is if you would just reduce your background music a bit. This should be a nuance addition to any video especially one's like yours with so much good info shared. The music is a bit too much at times and the mundane aspect of it distracts from your lessons and not in a good way. We want to hear what you have to say, not fight the music to hear you. Thanks Christian!

What is this Terminal you are using, it looks cool and seems to suggest things?

nice

Is there any web-based control panel for all of these mentioned security rules and concepts? I've heard, Portainer is able to some security tasks. But not all of my services are docker based containers. I need an overview, better than ss -ltpn

what time do you do a live streaming ? here from china, has a different timezone

Can you please share what you have in the ".bashrc" PS1 how you have the ubuntu logo and the directory upwards the terminal text, thank you

New Subscriber 129k :D

Is there any git repository for this tutorial? 🙂

Future video series idea... assessing the security benefits of NixOS and Guix OS as they compare to {insert mainstream Linux OS here}. To be fair, though, please note the considerable learning curves associated with each of the aforementioned OS'es... you have been warned. :-)

18:48 I thought that enabling a service would only make it active after the next startup of your computer and that you have to add --now to make it work immediately.
28:12 You speak so fluently(!), but the way you say "determine"...?

I am waiting for video

hello sir , can you please make a video about installing windows server on digital ocean vps ?

First step is to protect the server against compromise.
Next step is to have a reliable backup and disaster recovery plan in place,, for when it eventually happens despite everything you did right. ;)

For any other noob who got lost when they got to the intro to the 'ss' command, you need to use sudo to display the process IDs (what the p flag in -ltnp displays)

Can I ask why you are using "scp" to copy the key rather than "ssh-copy-id"?

thanks again christian. perhaps if you allow I'd like to add that limit instead of allow might be better on port 22 otherwise no one is held back from brut forcing although it might be hard anyway since you permit keys only but it is not reply more work

Hi, did my previous question get deleted?
Wanted to know if it works to install fail2ban via ecex console direcly in the container of bitwarden and nextcloud to protect them from brude force attacks or doesn't it work this way? But what would be the alternative?

Another good addition to reducing the attack surface is using non-standard ports i.e. anything above port 2048. Most scripts only poke around those ports and skip the rest as it significantly increases scanning time.
A practical way of doing that is running a honey pot on port 22 while moving your actual SSH service somewhere else.

What if I ignore security?

Vielen Dank Christian Grüsse von Arizona

ssh-copy-id, not scp. it will create remote files and permissions

Can I have opinions on some of strategy I use:
1. SSH Access only by key, no password
2. Use fail2ban, block 24 hours on 1st bad attempt
3. Optional (Only allow ssh from specific IP)
Thanks

Great video! I think you could speak a little bit slower, I feel slightly rushed when I try to comprehend what you are executing exactly. ;)

What software do you use to open the linux shells

Any reason for still using RSA for SSH key on modern server?

How do you lock down the back door built into system d

Hi, which terminal client are you using?

I don't undertand the the docker chain, Port 9000 Problem. Why does ufw allow 9000?

Is it possible to make a ssh connection available only when VPN is connected to the server?

Besides, system (Milkyway, Universe) is a simulated system inside virtual computer and your PC is a virtual computer inside that virtual computer, so from higher levels of system you can access any way you like the low level virtual computers. Bit like Russian children's toy: Matrychka doll.

There are few other things you should add to your strategy of protectiong your servers and network in general. First and foremost youn need to learn OSI layers of network and set up your security on each of the layers. I did mentioned layers didn't I? that's actualy second thing, set up your security as layers because it will help you keep track of attacker as he moves across layers to egt to destination. More layers of protection you have better it is for you because you can catch attacker sooner and respond faster, it will help you with revealing possible vunerabilty because you can see at which layer it happened. most of the time you'll connect to everything within your network for maintenance via ssh right? Yeah in that case change port you're gonna be using for ssh in your network because using default port for it is agains best practices. Now onto vlans. Fragment you network with vlans how ever one of the vlans should be designated as native vlan where everything untagged goes but that can't and shouldn't be vlan 0, also if you have unused prort assign them to unused vlan as security measure, doing what i said with vlans prevents attacker from using vlan hoping attack to get to your data. There are many more attacks but if i keep writing my comment will get too long so i will mention one that can result with DOS across your network and it's dhcp exaustion which happens as a result of dhcp receiving bunch of fake requests for ip to the point where dhcp server runs out of ip's and without ip devices cannot connect to network. There's a lot more you can do.

You are One Punch man with 1 hit K.O.? :O

Just use ssh-copy-id to copy your ssh key. Maybe someone else mentioned this already :)

Coole Socke, abonniert :-)