01 # 02:42 # Number 1 : Adjust your mindset
02 # 04:59 # Number 2 : Patch your servers (and no excuses)
03 # 07:59 # Number 3 : Strengthen your passwords
04 # 09:10 # Number 4 : Don't open services to the public internet (unless you have no other choice)
05 # 11:32 # Number 5 : Lock down SSH
06 # 13:41 # Number 6 : Implement as many as layers of security as possible
07 # 15:12 # Number 7 : Implement reliable backups that are fully tested
08 # 16:57 # Number 8 : Take advantage of monitoring tools
09 # 18:41 # Number 9 : Consider a third party security audit
10 # 20:02 # Number 10 : Implement a business continuity plan
thanks node, that list summarizes it nicely.
I love it that you think of backups and continuity as security issues. I've worked for too many companies where that wasn't the case. However there was one that I worked that was in the process of designing their own self-healing environment. Really appreciate that they were pushing forward with that idea.
Doing vulnerability scans should be on this list.
Jay, a video on monitoring tools would be nice. Thanks and keep up the great work.
Nmap is good, but a WiFi adapter in monitor mode can be more useful, not only for hacking but for assessing and testing security too.
As an aspiring Linux System Administrator, this video is invaluable. Thank you
Great, but please add a timeline in future videos.
Going into my second year in system administration, I'm very thankful for your information. I look forward to applying these on my company's servers.
16:00 Gitlab in 2017
Great video Jay. A multi-part series on locking down a public-facing server to maybe DoD levels would be great. Your common sense approach is refreshing.
Thanks Jay! One of the big questions I've always had is around item 7--tested backups. I have basic systems like Deja Dup that does my desktop backups to a second disk in the machine and to a NAS on my network (still need an offsite/cloud option in the mix), but my question around this is always about testing the backups. How? Do I just run the restore and wait to see if it throws an error? Does that risk corrupting my existing data? What other way is there to test a backup properly then?
Love the idea for this latest series!
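One way to test a backup without touching the live data, as an added example that is not from the video or this thread: restore the archive into a scratch directory and compare it file by file against the source. The sample tree, archive and paths are constructed for the demo; a Deja Dup (duplicity) user would restore to a scratch location in the same spirit.

```shell
#!/bin/sh
# Added example (not the video's or Deja Dup's code): test a backup by restoring
# it into a scratch directory and diffing against the source, so the live data
# is never written to. The sample tree, archive and paths are all constructed.

# make_backup SRC_DIR ARCHIVE: write a gzip tarball of SRC_DIR.
make_backup() {
    tar -C "$1" -czf "$2" .
}

# verify_backup SRC_DIR ARCHIVE: extract into a fresh temp dir, compare it with
# SRC_DIR, print a verdict, return 0 on a clean match and 1 on any failure.
verify_backup() {
    src=$1; archive=$2
    scratch=$(mktemp -d) || return 1
    # Extraction targets the scratch dir only; the source tree is untouched.
    if ! tar -C "$scratch" -xzf "$archive" 2>/dev/null; then
        echo "FAIL: $archive could not be extracted (corrupt or truncated)"
        rm -rf "$scratch"; return 1
    fi
    # diff -r walks both trees; -q lists only differing or missing files.
    if diff -rq "$src" "$scratch" >/dev/null 2>&1; then
        echo "OK: restore of $archive matches $src"
        rm -rf "$scratch"; return 0
    fi
    echo "FAIL: restored content differs from $src:"
    diff -rq "$src" "$scratch" || true
    rm -rf "$scratch"; return 1
}

# Constructed demo data: a tiny tree standing in for a server's files.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src/etc" "$demo_dir/src/var"
printf 'PasswordAuthentication no\n' > "$demo_dir/src/etc/sshd_config"
printf 'row1\nrow2\n' > "$demo_dir/src/var/data.txt"

make_backup "$demo_dir/src" "$demo_dir/good.tgz"
# A truncated copy stands in for a backup that silently went bad on the medium.
head -c 100 "$demo_dir/good.tgz" > "$demo_dir/bad.tgz"

verify_backup "$demo_dir/src" "$demo_dir/good.tgz" || true   # OK
verify_backup "$demo_dir/src" "$demo_dir/bad.tgz" || true    # FAIL
```

Run the check on a schedule against a real restore, and treat any FAIL (or a backup that is older than expected) as an incident rather than a nuisance.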
Good growth of the channel. Hard work and consistency paying off.
I feel patching techniques for different servers should be next.
Automatic patching vs manual. All patches vs security only.
You really found your specialty. Excellent videos. Best wishes for your success!
Very helpful video sir. May I have the link of next videos in this series?
10:40 I learned this lesson today. I was setting up an instance to test database replication. I don't have much knowledge about all the port settings, so I set it to listen publicly. In just a few hours my log files were filled with all kinds of suspicious activity. After googling, I realized these were mining viruses. Public internet is scary. 😂
In addition to patching the OS, don't forget about driver & firmware updates.
Great video 👍 you could elaborate on the 10 points more in the upcoming videos.
Enjoy your content Jay - as always. One of the best Linux channels on TH-cam, and with recent content - probably the best IMHO. Really looking forward to this series.
Before locking down SSH (or messing with login or sudo), have an SSH/root connection active in another terminal window. Then, when you lock EVERYBODY out (oops, did that mean me, too?), you can restore the original configuration (you preserved it?) or fix it.
18:09 This is what I do for public facing servers. Basically no one should be logged into them, so I've got NCPA running a user check every 30 seconds, and sending that information back to Nagios. For the reverse scenario, a server where you expect a lot of user traffic, you can enable State Stalking on a User List service check, that way when someone does log in, Nagios records who logged in, and you have it down to inside of a minute when they logged in, and what the username was.
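A check in the spirit of the comment above, written as an added example rather than the commenter's NCPA/Nagios configuration: a Nagios-style plugin for a public-facing server where nobody should be interactively logged in. The `who` sample is constructed, and the user@origin formatting is an assumption about how you would want the alert text to read.

```shell
#!/bin/sh
# Added example, not the commenter's NCPA/Nagios setup: a Nagios-style plugin
# for a public-facing server where nobody should be interactively logged in.
# Exit 0 = OK, 2 = CRITICAL (Nagios return codes); the status line names each
# session as user@origin so an alert, or a stalked state change, records who
# logged in and from where. The `who` sample below is constructed.

# check_logins [WHO_OUTPUT]: evaluate the given `who` text, or run `who` when
# called with no argument (how a monitoring agent would invoke it).
check_logins() {
    if [ $# -gt 0 ]; then who_out=$1; else who_out=$(who); fi
    count=$(printf '%s\n' "$who_out" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "OK - no interactive sessions | sessions=0"
        return 0
    fi
    # `who` prints: user tty date time (origin); origin is absent for local ttys.
    sessions=$(printf '%s\n' "$who_out" | awk 'NF {
        o = $NF
        if (o ~ /^\(/) gsub(/[()]/, "", o)
        else o = "local"
        printf "%s@%s ", $1, o
    }')
    echo "CRITICAL - $count session(s): $sessions| sessions=$count"
    return 2
}

# Constructed `who` output for a server that is supposed to be idle.
sample_who='jay      pts/0        2024-01-05 10:12 (203.0.113.7)
deploy   tty1         2024-01-05 10:13'

check_logins "$sample_who" || true   # CRITICAL - 2 session(s): jay@203.0.113.7 deploy@local | sessions=2
check_logins "" || true              # OK - no interactive sessions | sessions=0
```

Pair the check with the server's auth log so an unexpected session can be traced back to the login event that created it.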
Plans vs accessibility: in the DMZ [needs a public IP] vs behind a NAT firewall vs only accessed externally via VPN.
Keeping servers up to date is important, although it's worth noting that auto-updates can break your server, and your service could be down for some time before you fix it.
Looking forward to it! Great first video.
A note about patching: many patches open new security holes. It's really a double-edged sword. If a patch breaks business continuity, then it could be just as costly as getting hacked, and if the patch opens up another security issue, doing nothing and "taking the gamble" (risk acceptance) is what business owners try to do.
I think the wording you were looking for is that you were not looking to incite baseless panic. It is always good to know that you don't know what you don't know, which can be scary when you have a lot hanging on the line.
nice sum up thanks Jay !!! have a nice week !!!
Have you considered doing a desktop hardening, for those who use Linux as a daily driver?
This is gold. Thanks!
Hi, and thanks a lot for your tips! I would like to hear more about high availability in Linux.
Sounds like a great idea. I'm already planning a video on that, but it may be some time before I have it done.
10:55 I would argue that even then, there are ways to create private access points for clients, instead of exposing the entire brick to the world.
Do you have any plan to make a video about SELinux?
Great work 🥳 Thank you 💜
Your videos are really good and help us (Linux learners). I would love to see a deep dive on various Linux services such as Apache, Nginx, OpenSSL, Bind9, some email server, etc.
Thanks very much.
Thank you for your lessons.
For point 10, that's why Kubernetes (and Harvester) are there as a true solution for HA and self-remedy ;)
Nice, well presented and common sense. Thanks!
Very helpful, thanks Jay!
Port scanning and what to shut off as determined by the server's role.
The DISA STIGs and Center for Internet Security have security checklists that go into enough detail to configure security settings to make a grown man cry.
Video chapters would be nice. That way viewers can rewatch topics they need to refresh themselves on.
3:33 Sarcasm....! :-)
Anyway, I am a big fan of you and your videos. Great work. Keep posting.
Great series, I can't wait for more videos :)
Tip 11: Run the free Lynis auditing tool and change the SSH port. I used all 10 tips on my servers. I hope episode two will be more useful.
Thanks Jay!
Thank you, Jay.
If it was only (not) patching the servers... I so hate it that at my new workplace their lifecycling policies just plain suck. E.g. distributions such as Ubuntu 14.04 and Debian 7.x have been EOL+EOS for quite some time now.... but there are still tons of those servers around, still allowed to run :( It's a tiring uphill battle I'm fighting here. :´(
You are doing a good job with these videos, my friend. Keep it up.
I've actually experienced failed no-boot backups (not on my own environment and none I was in charge of, luckily). Not fun.
What backup program does Linux have on board?
The best joke ever without emotion. 3:48
Is there any real content in this video except Ads?
In Windows I have administrative policies where I change the rules for remote users. My rule is 3 wrong passwords and then the user account is blocked. What does Linux have on board?
At one point I configured my Linux work machine, then I upgraded it, and afterwards it had problems with programs that stopped working. Is that OK, or did I do something wrong?
how about some examples?
Please consider timestamps.
Can you make traps too
I am using Deepin; how do I secure it?
How can I block certain countries from hacking into my Linux machine, using iptables and ipset? For example, blocking China, Russia and India completely. Is this possible?!!!
The term you are searching for is "geoblocking" ;)
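The geoblocking approach asked about above, as an added example that is not from the thread: a country's CIDR blocks go into one ipset, and a single iptables rule references the set. The feed lines are constructed placeholders (RFC 5737 documentation ranges); a real list would come from a GeoIP or RIR feed for the chosen country codes, and the `GEOBLOCK_APPLY` switch is my own convention for keeping the script read-only by default.

```shell
#!/bin/sh
# Added example, not from the thread: put a country's CIDR blocks into one ipset
# and reference the set from a single iptables rule, so the rule table stays
# small however long the list grows. Feed lines are constructed placeholders.
# Nothing is applied unless GEOBLOCK_APPLY=1 and the script runs as root.

# render_ipset SETNAME FEED: turn a CIDR list (one per line, '#' comments) into
# `ipset restore` input. Malformed lines are reported on stderr and skipped, so a
# broken feed cannot silently shrink the set or abort the restore halfway.
render_ipset() {
    set_name=$1
    printf 'create %s hash:net family inet\n' "$set_name"
    printf '%s\n' "$2" | sed 's/#.*//' | awk -v set="$set_name" '
        NF == 0 { next }
        {
            # Accept only a.b.c.d/n with octets 0-255 and n 0-32.
            ok = (split($1, p, "/") == 2 && p[2] ~ /^[0-9]+$/ && p[2] <= 32 &&
                  split(p[1], o, ".") == 4)
            for (i = 1; ok && i <= 4; i++)
                ok = (o[i] ~ /^[0-9]+$/ && o[i] <= 255)
            if (ok) printf "add %s %s\n", set, $1
            else print "skip: " $0 > "/dev/stderr"
        }'
}

# apply_geoblock SETNAME FEED: load the set and drop NEW inbound connections
# from it (only when GEOBLOCK_APPLY=1; otherwise print what would run).
apply_geoblock() {
    rule="INPUT -m set --match-set $1 src -m conntrack --ctstate NEW -j DROP"
    if [ "${GEOBLOCK_APPLY:-0}" = 1 ]; then
        render_ipset "$1" "$2" | ipset -exist restore
        # -C checks for the rule first so reruns do not stack duplicates.
        iptables -C $rule 2>/dev/null || iptables -I $rule
    else
        render_ipset "$1" "$2"
        echo "# would run: iptables -I $rule"
    fi
}

# Constructed feed: three valid ranges, one comment, two malformed lines.
sample_feed='# constructed country feed (RFC 5737 documentation ranges)
192.0.2.0/24
198.51.100.0/24
203.0.113.0/25   # inline comment
256.1.1.0/24
10.0.0.0/40'

apply_geoblock geoblock "$sample_feed"
```

IPv6 needs a second set created with `family inet6` and a matching ip6tables rule. Geoblocking cuts log noise but is not a boundary: traffic from the blocked countries can still arrive through hosting providers and VPN exits elsewhere, so keep the SSH and patching tips in place regardless.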
quality stuff
Number 3: best is no passwords at all...
1.5x speed is just right
Adjust your mindset? Really?
Patch your servers? Obviously!
Strengthen your passwords? No shit!
Don't open services to the public internet (unless...) Sure, fine. Still obvious though.
Lock down SSH. Good, we got a decent tip here.
Now we got a banger tip...
Implement as many as layers of security as possible.
ARE YOU JOKING!?!
Aren't you supposed to tell us these security layers right now!?
That is like saying "How to harden your system: Step one, take as many hardening steps as possible"
That is like saying "How to get stronger: Step one, do as many strength exercises as possible"
After that you either give us more basic tips that have barely anything to do with hardening a system, if anything at all, or you give us business tips...
The video is titled "10 Tips for Hardening your Linux Servers" and not "10 Tips for basic security and some business advice for dummies".
Where are tips for settings to change, software to install, things to disable/enable, deep things to look out for?
This video was 50% life advice and 50% how to basic.
Somehow I got triggered enough by this shit to write my first hate comment ever, which I have spent valuable time on because this is way too long.
Have a very nice day
No chapter marks, no meaningful description about the content. One has to skip through the video to learn what these "great" 10 tips are. I wouldn't call it hardening, but consumer-ish admins who never thought twice about what they install and run have to start somewhere. Very clickbaity. Of course you have to have lighting like a dance club or a brothel. Day in, day out, sustainability doesn't matter.