Now, I should say most desktop Linux installs don't have these things configured because it WILL block things and applications, good or bad. However, if you are security conscious, it will be worth configuring these things in your system to open up any application that wants to use the internet. Article from Video: christitus.com/linux-security-mistakes/
This video is rather for the server case than the desktop case.
1. Limiting ssh makes no sense - passwords are strong enough these days, and if not, you would have to manually forward the ssh port. SSH servers are usually not installed and enabled anyway.
2. repositories: I don't have any opinion on that.
3. not using apparmor or selinux: from my first comment to this video: "apparmor (and selinux) are pretty much useless in the desktop-case."
@@edwardmacnab354 You're not alone; expensive cat makes sense to a non-Linux user moments away from being a n00b Linux user. I have the boot stick primed and ready to go, just wanting some security advice, and Titus seems legit. I may skip the firewall setup until I have more experience. Last time I did anything that needed proper syntax was DOS 6.2 when I got my 1st version of Windows, and that was Win 95. Not entirely true, I had tried Win 3, but I had no software for it since all I had was DOS based and CompUSA let me return it.
Chris, thanks for the info, but before we can talk about individual computers on a local network and their security we need to have a conversation about the most important device on your intranet: the router. This is the first line of defense and if it is not secure then your entire intranet is not secured. Please make a video about that.
I'm really gonna assume you put the wrong spelling of internet 😅 but your point is right. But we can't do much to a router I think so... Correct me if I'm wrong
@@gto4467 Hi, no I did not. "intranet" is the term used to describe your home or company internal network structure. Internet, as you know, is the World Wide Web. Regarding routers, yes, you can do many things with them, but the first thing is to stop using your standard "jack of all trades and master of none" store-purchased routers. I would recommend investigating Netgate devices/routers and/or utilizing your old PC and installing "pfSense" router software (FREE). One of these solutions is used by most small to mid-size companies.
Great video, thank you! I'm currently a Junior Penetration Tester, and I think this touches on something we don't generally get taught. Load up Kali, fire off nmap, poke a few ports and send off a fairly standard report full of accepted mitigations. More videos on general hardening for Mac, Linux and Windows (I know, Windows will take years off your life) would help to give something different back to clients on top of the usual advice. I don't know anyone at work who's ever mentioned it.
On the firewall - Fedora should come with firewalld / firewall-cmd running with FedoraWorkstation zone as the active zone. Using UFW on top of that wouldn't cause a conflict? I like UFW, but have been using / learning firewalld - usually I set a workstation to the 'public' zone which only has limited services.
Yeah true, I remember when I switched to Fedora a while ago (I just wanted to switch from Ubuntu). I was trying to ssh and ping my linux laptop, and I kept on seeing something like "host unreachable" or "no route to host". And then from looking up Fedora, I found out that it had a firewall. And before I just stopped the process, but then I saw an easier way to configure the firewall. And since I set ssh to listen on a different port (instead of port 22), I set the firewall to allow the port number I set and I was able to ssh into my computer.
SELinux is enabled by default in Fedora Workstation; it's not in permissive mode, and the rules these days are generally pretty decent, so you typically don't get spammed with alerts anymore. In terms of firewall, as a lot of people have already mentioned, Fedora comes with firewalld enabled and configured; you just need to set the profile (in KDE you can do it directly from the NIC configuration) and you can configure additional rules if needed using the firewall-cmd command.
Before installing a firewall, check if it is useful. Do a port scan like this: 'lsof -i -P -n | grep -i listen'. This shows a list of all listening (i.e. open) TCP ports on your system. On my standard Ubuntu system this list is empty. So there are no open ports and installing a firewall is rather pointless.
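One caveat to this check: lsof and ss also list services bound only to 127.0.0.1, which nobody on the network can reach, so the raw list overstates what a firewall would protect. As an added example (not from the video or any commenter), this POSIX shell script parses `ss -H -tuln` style output and keeps only the sockets bound to non-loopback addresses; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: list listening sockets that other hosts could actually reach.
# Input format assumed: the output of `ss -H -tuln` (no header), whose 5th
# column is "LocalAddress:Port". Loopback-only binds are dropped because a
# firewall rule for them changes nothing.

exposed_ports() {
    awk '
        $1 == "Netid" { next }      # tolerate the header from plain `ss -tuln`
        {
            local_addr = $5
            n = split(local_addr, parts, ":")
            port = parts[n]
            # everything before the last ":" is the address; IPv6 keeps its brackets
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            # loopback-only listeners cannot be reached from the network
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print $1, port, addr
        }' | LC_ALL=C sort -u
}

# Constructed sample in `ss -H -tuln` layout: sshd on all addresses, CUPS on
# loopback only, mDNS on UDP, and a database listener on IPv4-mapped loopback.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      511    [::ffff:127.0.0.1]:33060    *:*'

# Runs the filter over the constructed sample (offline demo).
demo_exposed() {
    printf '%s\n' "$SAMPLE_SS" | exposed_ports
}

# Runs the filter against the live system (invoke the script with --live).
live_exposed() {
    ss -H -tuln | exposed_ports
}

if [ "${1:-}" = "--live" ]; then
    live_exposed
else
    demo_exposed
fi
```

On the sample, only sshd (tcp 22 on 0.0.0.0 and [::]) and mDNS (udp 5353) survive the filter; CUPS and the database are invisible to the network even with no firewall at all.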
I don't think regular users need to open any ports at all. They don't run web servers (80, 443) on their desktop computers and probably don't run an SSH server (22) either. So it's better to just deny all incoming ports without exceptions by default. And the techy people who do run servers are certainly already smart enough to open the required ports.
Oh, when he said "80 and 443 is the web," he didn't mean like the world wide web? I assumed without those enabled/allowed I wouldn't be able to use a web browser. Is that not correct?
@@cameronmoore136 no, the rules shown are only for incoming connections. In fact most users won't receive any incoming connections from the internet anyway because of providers' NAT.
@@mk72v2oq I see. I guess I don't know enough about this. I assumed information being sent to your computer from a website you're trying to load would apply to this. But I appreciate the information!
@@cameronmoore136 this is true, packets travel in both directions of course, but *ufw* is just very simplified here on purpose. The only thing that matters here is who the connection initiator is. So when you are accessing a website (or any other resource/server) the whole connection counts as *outgoing*, so only the respective rules are applied.
If anyone wants to take a look at other utilities/features on Linux, here it is:
- SECCOMP
- no_new_privs bit
- secure bits
- Linux capabilities
- Namespaces and pivot_root (not a security feature, but this is how container isolation works)
Thank you. It's awesome to see someone make a basic "hardening" video for Linux. There aren't many creators I've found who do a "for dummies" video yet. Legend.
Well, openSUSE comes with AppArmor and Fedora with SELinux. Neither comes with both. Also, if you want enterprise go with RHEL and SLE, not the upstream versions.
1. A firewall is useless if it doesn't have any listening services behind it.
2. Allowing ports 22, 80 and 443 is pointless unless you are running a server.
3. Fail2ban makes no sense on a desktop computer at all. Why would anyone run a SSH-server on their desktop?
4. To sum it up: No listening services = no firewall necessary. Opening up the firewall for all listening services means that the firewall blocks nothing.
@@ShrirajHegde as well as SSH, which is just horrible because the default config allows any user except root to password-login. But a user with sudo might as well be root in this case, considering you can just switch into root via sudo -i.
Are there any distributions that come configured, by default, with the setting that our host is recommending (or something similar)? For example, the Qubes distribution is highly, highly focused on privacy and security. I have never used it (seems you need qualified hardware to take full advantage of its security features). I am not savvy enough to configure all of the settings in Linux. Down the road, when I am able to obtain a computer that I can dedicate for using Linux, I would like to find a distribution that has its security settings already in place, because I will not remember what to do. I understand that no two people will agree on every security setting. But the big ones, such as "ufw" that was demonstrated in this video... are there distributions that have that already set? There are countless distributions. Too many for me to figure out which ones put security first. I thought that Qubes was the answer (maybe it is?). But they have a web page dedicated to scoring hardware, and not too many computers check all of the security boxes.
I know this is an older video but I'd like to say that I diss 99% of the Linux users out there. You're one of the 1% I can respect. Just for context, I'm a system administrator for a large company. We use most of the OSes out there.
Hey, just wanted to say thank you for this video. I just switched from Ubuntu after moving from Windows 6 months ago to Fedora and didn't realize UFW wasn't prepackaged. I'm still relatively new to Linux but it is so much better than Windows in my opinion, and I love learning, but security and open source were my main reasons for switching. Anyway, I'm rambling, but very thankful for the info; now I have UFW on my Fedora 38!
1) F2b is painful to conf.
2) firewall very much so.
3) prioritizing repos, much worse the packages, is extremely painful to conf on top of keeping up with multiple repos (keeping up with repos ain't nearly as painful cuz they change rarely).
4) the pkg manager always uses the newest packages and will warn you when a dep conflict occurs (so I don't understand your point).
5) AppArmor/SEL is the worst pain to conf.
1. first time - maybe, so is almost anything on the server side
2. not really, again - maybe the first time you do it, just keep it simple, block everything except the services/ports you need, usually 22,80,443 is enough
3. that is very much true, that's a reason to limit 3rd party repos as much as possible
4. newest packages are not always desirable, there may be breaking config changes between some versions of a program
5. true, fortunately most software from repos comes with sane policies by default, custom/external apps ideally would come with configs for apparmor and/or selinux, but far too often they do not
@@starypiard 1) It won't be limited to the 1st time; it takes a long time to figure out the settings perfectly since shit tends to not be documented. Nah, in my experience server-side things are mostly pretty simple, but F2b ...
2) Admittedly I ain't sure if apps are allowed to start listening on ports when the firewall blocks that port (as in, the app can try to send a packet down the port, but the firewall just snags it in DROP mode), but if they don't you have to shut down the firewall, let the app start listening, find those port numbers, and allow them, since that info is nearly never mentioned; or go read the source code.
2.1) Worse yet when there's no 24h listening, so you need to keep the firewall disabled for a long time and somehow log the port ranges so you can allow them, since unlike in Window$ there's no way in the firewall to allow process-based firewalling, the lack of which just doesn't make sense to me.
2.2) With both of the above points in mind, it can become an endless cat-and-mouse game when you're starting new services, which is my point.
3) But when it ain't possible ... Just easier to do the updating manually (I do it every Friday 0600pm) and read what the pkg mng says.
4) Depends. Mostly not.
Thank you, Chris. Can you do a video on how to increase security on Windows? For 8.1 as well as the newer, barf, versions? I would greatly appreciate it.
@SomeoneOnlyWeKnow You're right. I know. I am one of the odd ones. That was the ironic part of my comment...but with a touch screen 8.1 is absolutely awesome, imho. Peace to you and opinions are like pie-holes, everybody's got one. ;)
Encrypt the drive with sensitive data on it, because like Windows, a live disk can get access. This is how data is stolen off of stolen laptops. If these drives were encrypted, then there would be a lot fewer data breaches out there from stolen laptops.
Thanks for the info! I may have watched this video before, applied the recommended UFW settings, and quickly forgot all about it (my system said that UFW was active), but just to be sure I set the settings you lay out anyway. It's very easy to get caught in the mindset, "I use Linux so I'm safe". You still have to take basic precautions, even if Linux might be safer in some ways than Windows.
On a laptop why not go with defaults: deny anything coming into this system? It's what I do... I get it if you have apps and processes that require it, but I'd lock it down until I found that I needed a config change.... (?)
Hi Chris. Thanks for the video, excellent work. Perhaps Safing Portmaster is a better firewall option for desktop users as it's got an excellent gui and can easily block individual apps.
I have the same issue! Seems that things are a bit different on the version that I have on Arch Linux. Are you on Arch too? I believe the developers must have made some changes to the default behaviour of the CLI for this firewall: many commands appear to be about the incoming traffic by default. Or the issue is my knowledge, but then I really don't understand it. Same thing with the "ufw default deny" on the Arch wiki. It's also only the incoming traffic that you manage. You really need to explicitly add the outgoing and incoming words behind it to make it work as expected.
My upstream node is an IPFire Mini-Appliance with Red (external), Green(internal), Blue(WiFi) , and Orange(DMZ) zones and a nice web management interface.
Linux desktop by default is pretty much insecure. But almost none of these points matter. On a NAT network like home, a firewall is not that useful. Also there is no point in allowing 80 and 443 incoming ports. Usually people don't run a webserver on a desktop. Repo pinning is a valid point but a better approach would be not to add repos at all. Use a container like podman for such software. SELinux or AppArmor comes by default on standard desktops like Fedora or Ubuntu. These are MAC and have nothing to do with app security. For that use a sandbox like bubblewrap (flatpak), landlock and a secure display protocol like wayland.
Those firewall rules are very easy to do with nftables and iptables. In nftables it takes less than 10 lines. Why would desktop users need to open incoming traffic to 80/443? Why would desktop users need to allow incoming SSH connections over IPv6? That makes it likely the SSH port is open to the whole world because IPv6 is not behind a NAT firewall and incoming connections on the router may not be blocked. LIMIT SSH in the firewall is not fail2ban, it is rate limiting connections to SSH. It's just slowing down the bruteforcing of SSH to where it's impractical. SSH needs to be secured on its own: logins with passwords disabled, root logins disabled, all cryptography algos that you don't use disabled. mDNS is not just DNS. It's zeroconf Apple stuff that is usually useless and an extra liability. It should be disabled in systemd-networkd and its traffic blocked too.
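The "less than 10 lines of nftables" claim above, written out as an added example (not the commenter's or the video's rules): a shell function that emits a stateful inet ruleset dropping everything unsolicited, keeping replies to the host's own connections, and rate-limiting new SSH connections in the firewall rather than with fail2ban. The exposed port list is a hypothetical choice; nft syntax assumed is nftables 0.9 or later.

```shell
#!/bin/sh
# Added example: generate a small nftables ruleset for a desktop or single host.
# desktop_ruleset [tcp ports to expose...]  -> prints the ruleset to stdout.
# Port 22 gets a rate limit on NEW connections; other ports get a plain accept.
desktop_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # replies to connections this host initiated: this is why browsing
        # works without ever opening 80/443 inbound
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept
EOF
    for port in "$@"; do
        if [ "$port" = 22 ]; then
            # new SSH connections: a handful per minute, then the policy drops them
            printf '        tcp dport 22 ct state new limit rate 3/minute burst 5 packets accept\n'
        else
            printf '        tcp dport %s accept\n' "$port"
        fi
    done
    cat <<'EOF'
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Number of per-port rules emitted, for sanity-checking the generated file.
count_port_rules() {
    desktop_ruleset "$@" | grep -c 'tcp dport' || true
}

# Print the ruleset for SSH only. To use it: save to a file, check syntax with
# `nft -c -f FILE`, then load as root with `nft -f FILE`.
desktop_ruleset 22
```

Note the rate limit here is global, not per source address, so a single noisy client can delay everyone's new SSH sessions; key-only authentication remains the real defence, as the comment says.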
Chris, thanks for this video. The funny thing is, after applying the UFW rules, for some odd reason Brave was no longer able to access certain websites! I thought it was something else, but Firefox had no problems. Have to keep an eye on that Brave browser!
Questions: What about setting up firewall rule on pfSense, which I use to manage my local network and WAN. Put it another way, what's the key difference/benefit between setting up firewall on network level and local machine?
One important piece of security advice: don't be tempted to install whatever software from whatever places. Be conservative and instead use only the main OS repository. If you need more, maybe add Flatpak, but still be very conservative on what to get from it. If software is available in your OS repo, just download that version, and not Flatpak's one.
Pretty sure that is wrong. I believe it was made just to be easy way to configure iptables and then was adapted for nftables when iptables became deprecated.
I still find it very bizarre that people easily add repositories and allow installing every package from there. Even limiting the names of the packages doesn't change that you simply trust every piece of software from this host address because you don't know what's inside the package. Shouldn't repositories at least provide signatures and public keys from the maintainers of packages? So as a user you could trust people instead of addresses or hosts which might get hacked or infected? I think Arch for example provides a keyring package which contains the public keys of the maintainers from the official repositories. So if the signatures don't match, you can't install a certain package. I think something like that should be the goal, right? Because a host providing a package doesn't really matter as long as it provides the official and signed content, which you can verify. So in case any malware or vulnerability might reach a user, it's transparent whom to blame. But something which I find missing in this video is far worse than bad verification processes. People still copy & paste code from the internet and execute it without asking questions. People on Windows do this, on macOS and on Linux... this is just plain bad when you don't know what it's doing. I also think this is worse than a missing firewall because a firewall is only necessary when you open ports. Obviously it's less hassle to set up good firewall rules than checking your ports to be sure. But in general there's far less software on Linux which randomly opens a port for arbitrary reasons than on Windows for example... that is the main reason you need to have a firewall on Windows. Because the OS itself will open so many backdoors, you could think it wants to be infiltrated.
@@ArniesTech Not exactly though... if the app is open-source you can technically verify everything. The PKGBUILDs are also auditable. A random binary for Windows doesn't provide any transparency. But I agree it's dangerous to use it without verification.
"Shouldn't repositories at least provide signatures and public keys from the maintainers of packages?" I'm pretty sure all large package managers do this (pacman, apt, yum, and i suspect if you want to include odd sorta kinda package managers like what gentoo uses even they use public keys to verify source code). In fact, every time you download an install there is always the option to check it with some sort of public key encryption. Now, I think what he was talking about in the video was adding third party repositories, which is very different and don't necessarily have public key encryption to sign the software packages. "I also think this is worse than a missing firewall because a firewall is only necessary when you open ports." I completely agree with you here. Installing/using code that you're not familiar with is way worse than using firewalls.
@@ArniesTech Yeah, as Tobias already pointed out the AUR is not at all like an executable file on Windows. The AUR does not *generally* distribute binaries, instead it usually builds a binary from source. Sure, this can still be dangerous because the PKGBUILD can be malicious or the source code could be malicious--which is why it's always a good idea to give a quick scan of the PKGBUILD and make sure it's downloading the source code from a good source (i.e. visit the repository it's downloading the source from) and also make sure the script makes sense. I don't have many AUR packages, but I do have a few, and they're all less than 50 lines of code (honestly, they're probably more like 20-30). Even something super complex like ungoogled-chromium is less than 300 lines of code in the PKGBUILD (and something that is big like that generally already has lots of people looking at it). In either case, if you think the AUR is the "wild west," then we just have different ideas about what is actually dangerous, and I suppose if I didn't know how to read a bash script then I'd think it was the same as a binary executable too.
@@insidetrip101 That's the point. Your last sentence. I wonder how many people actually can read a bash script or the language the source code is written in. Yeah, in open source you can see everything but it's of no use if you don't understand what you see 🤗
Currently starting a network administration associate's; just installed Linux to force myself to learn it and having a lot of trouble so far, but I want to stick with it!!
For a desktop Linux system you would not really allow web ports either unless you absolutely need them, nor SSH (22) unless you'd need to access your desktop remotely from a different device/location. To have web ports and the SSH port open in basic firewall rules is kinda ridiculous.
WTF are you talking about? First, neither SELinux nor AppArmor are permissive by default, at least not in RHEL, Fedora, or Ubuntu. They may be if you install them on a system that does not include these tools by default, but installing and configuration of these tools is way beyond this video. UFW is a decent tool, as are the other tools you mention, but why install additional packages when iptables will do the same? It just doesn't make sense on servers. Also a firewall does nothing at all if you do not have a server installed or if you allow connections to the server. For example, a firewall does nothing if you do not have a web server installed as nothing is listening on port 80, or if you are running a web server you then allow port 80 through the firewall, so in this example a firewall does nothing. It is by far more important to learn to secure the servers you do install. Last, although I now use rpm systems, I have never seen problems with multiple repositories, and pinning is not generally necessary nor does it add security. Either your repo is trustworthy or not, and pinning is not a security feature. Instead don't add repos you do not use or trust. While I appreciate security, you really need to do a little more homework.
Most users don't use a public IP address. So it is quite safe from the get-go. Furthermore most routers have a firewall. In addition, if you activate a firewall on your computer you are in good territory.
Thanks for this video. Please make a video about AppArmor, how to use it in the correct way. This application is on my Linux system and I did not notice it before I watched your video. So, I hope there is time to do that. Otherwise give me a hint as to where I can look. The right way. Thanks for helping me to understand Linux better.
I use gufw and I block the host and all my VMs, except one, for all inbound traffic. All PCs and VMs are connected to their own router and also there all inbound traffic is blocked, the password and user name are changed, and admin access is only allowed from the MAC addresses of my laptop and desktop. The backup server and laptop have a few open ports, but they are connected to my own router and they are only powered on for 1 to 2 hours per week. The easiest way to get into a desktop is of course through email, social media or the browser, basically everything that could seduce you to click on an infected file.
Thanks for the information, I'm always learning from your videos. I wonder if you might be able to comment on the proper configuration when running virtual machines on a Linux desktop using QEMU / KVM. Is it sufficient to run a firewall on only the host machine? Are there any special considerations when setting up QEMU? Perhaps the subject for another video.... Thanks again!
I think this depends on how the networking for the VM is set up. If all networking is done layered on top of your host machine, the firewall should also apply for the VM. If the VM has its own networking independent from the host (e.g. the host gives the VM full access to an Ethernet controller via USB / PCIe passthrough) the VM needs its own firewall.
SELinux is very useful, but damn it's painful to use. You see, by default everything (at least on Fedora) runs unconfined, and you'll have to do a lot of hand work to lock it down while not borking half of the system.
Glad I don't have to worry as much on this with my firewalla router/firewall. 🤪 Pretty much all inbound traffic is blocked on my network and my devices won't respond back at all on outside pings/probes. It's best practice to not respond at all and make the attacker/hacker think the IP/port they're pinging doesn't exist.
The GUI for firewalld in Fedora is a nightmare to try to explain to new Linux users. I've gotten lots of people to switch from Windows and several to Fedora specifically and the firewalld GUI presents them with something designed for high level IT networking professionals. I know Fedora is upstream to Red Hat so this makes sense. But to a Linux newbie running Fedora on a home desktop, it is terrible. I actually laugh out loud when I see the firewalld GUI referred to as simple or easy.
I also like to lock down SSH by using /etc/sshd_config such that root can't login through SSH, only certain users can login via SSH, and disable password authentication in favor of public key authentication. Then if I want to get real spicy I'll use my distro's firewall to restrict incoming SSH requests by admin computer IP.
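A way to check that the three settings above actually took effect, as an added example (not the commenter's own script): this POSIX shell audit reads the effective global value of each keyword from an sshd_config (the standard path is /etc/ssh/sshd_config) and reports OK/WARN per check. It relies on two facts about sshd's parser: the FIRST value of a keyword wins, so a fix appended at the bottom of the file is silently ignored, and settings inside a Match block apply only conditionally, so only the section before the first Match is read. The sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the SSH lockdown described above.

# sshd_value FILE KEYWORD -> prints the effective global value (empty if unset).
# Keywords are case-insensitive; both "Key value" and "Key=value" are accepted.
sshd_value() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_key" '
        /^[[:space:]]*#/ || NF == 0 { next }     # comments and blank lines
        { gsub(/=/, " ") }                        # normalise "Keyword=value"
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }  # first wins
    ' "$1"
}

# check_setting LABEL ACTUAL WANTED -> one OK/WARN line
check_setting() {
    if [ "$2" = "$3" ]; then
        printf 'OK   %s = %s\n' "$1" "$2"
    else
        printf 'WARN %s = %s (want %s)\n' "$1" "$2" "$3"
    fi
}

# audit_sshd_config FILE -> one line per check. Unset keywords are filled with
# OpenSSH's shipped defaults (prohibit-password / yes / yes).
audit_sshd_config() {
    _v=$(sshd_value "$1" PermitRootLogin)
    check_setting PermitRootLogin "${_v:-prohibit-password}" no
    _v=$(sshd_value "$1" PasswordAuthentication)
    check_setting PasswordAuthentication "${_v:-yes}" no
    _v=$(sshd_value "$1" PubkeyAuthentication)
    check_setting PubkeyAuthentication "${_v:-yes}" yes
    _users=$(sshd_value "$1" AllowUsers)
    if [ -n "$_users" ]; then
        printf 'OK   AllowUsers = %s\n' "$_users"
    else
        printf 'WARN AllowUsers unset (every local account may log in over SSH)\n'
    fi
}

# count_warnings FILE -> number of WARN lines
count_warnings() {
    audit_sshd_config "$1" | grep -c '^WARN' || true
}

# Constructed sample: looks hardened at the bottom, but sshd keeps the first
# PasswordAuthentication it saw, and the Match block only covers one user.
sample_weak_config() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
    printf '%s\n' "$_f"
}

# Constructed sample with all three settings applied globally.
sample_hardened_config() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
EOF
    printf '%s\n' "$_f"
}

# Demo over the weak sample; pass a path as $1 to audit a real file.
audit_sshd_config "${1:-$(sample_weak_config)}"
```

The weak sample yields three warnings (root login, password login, no AllowUsers) even though its last lines read as if password login were off; the hardened sample yields none.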
Good info, you definitely hit the big three. Also, it may not be a bad idea to do some follow-up videos on each of those with some more in-depth explanations and examples of what they do. Based on what I'm seeing in the comments it looks like it may benefit a lot of folks.
4:50 Linux repositories. Excellent point on multiple repository conflicts (which repository updates my system to which program version). Beyond this I feel a giant gaping hole in Linux security is the lack of corporate oversight for updates to the repository. Assume you are a hacker that wants to infect a system with malware. Would it make more sense to devote time to persuading users to install your malware or push the malware to a Linux repository? Beyond repositories consider there are more than 600 Linux distributions. Who is inspecting all of the distributions, all of the respins, all of the distribution/respin releases, and every update to all of the repositories which Linux distribution owners might create? So why the concern over a corporately maintained repository and for that matter distros? A corporation has the finances to assign technical resources to review submissions to their repository, pay for external audits, and secure the repository from infiltration. This corporate repository would immediately come under the scrutiny of security and privacy advocates. Currently there are over 600 distros out there. How much security/privacy advocate attention are each of these distributions, much less their repositories, receiving? Who would want a corporately distributed Linux offering? Someone like me. I purchased a notebook from a Microsoft Store location in December 2015 and 6 years later MS won't allow me to upgrade to Windows 11 as my processor is not an eighth-generation or higher processor. Running Windows 10, my Microsoft Store notebook will simultaneously run VirtualBox Windows 11 and Windows 10 VMs. In 17 months, MS will provide no option for this hardware purchased at one of their stores. For me, a Linux variant would be more than sufficient, but where do you get a Linux variant with corporate oversight that compares favorably on a cost basis to Microsoft? Consider MS Windows' 10-year life cycle with a free upgrade to Windows 11.
BestBuy sells Windows 11 for $130. Considering a Windows 10 purchase will get you about 20 years of support, remember the Windows 11 free upgrade, you’re paying about $130/20 years = $6.5 per year for software, updates, and limited support. I would literally pay a corporation providing secured access to their distros/repositories $10/year vs bending the knee to MS and saving a few bucks per year.
Red Hat is probably worth looking into for your use case. I'm no expert but I know they caught a lot of flack from the community for exactly what you're asking for. The most popular distro from them I'm aware of is Fedora, but that's upstream of their corporate releases.
Chris, can you please update your The Ultimate Linux Gaming Guide on your site for Fedora 36? I want to install Nvidia drivers and Optimus, but every tutorial I found is for Xorg and/or for an older version of Fedora, and I'm on the Fedora 36 KDE spin and it uses Wayland.
What's wrong with firewalld? Use that. Allow the ports and deny incoming. There is a GUI for firewalld. Opening a port using the command line:
Get a list of allowed ports in the current zone:
$ firewall-cmd --list-all
Add a port to the allowed ports to open it for incoming traffic:
$ sudo firewall-cmd --add-port=port-number/port-type
Make the new settings persistent:
$ sudo firewall-cmd --runtime-to-permanent
To remove a port:
$ sudo firewall-cmd --remove-port=port-number/port-type
Make the new settings persistent:
$ sudo firewall-cmd --runtime-to-permanent
The port types are either tcp, udp, sctp, or dccp. The type must match the type of network communication.
Fedora uses firewalld, not ufw, at least by default. That's why you didn't find ufw. (Well, I think you are using Fedora because of your wallpaper.) Well, because I know nothing of security, I guess I should stop firewalld and install ufw.
I don't think it's worth watching this video.
1. Limiting ssh is not required in the desktop case - usually there's no ssh server running, and if there is, then hacking the user password would take ages, and is still not possible because the port is not forwarded;
2. adding repositories: It doesn't really matter, using any non-free repository can have a potential virus and usually repositories aren't even running if they're outdated - the creator lost interest;
3. not using apparmor or selinux: apparmor (and selinux) are pretty much useless in the desktop-case.
2) Non-free is just half the cake; you'll need something like Launchpad PPA to have the newest versions for almost everything else, too. And no, viruses and such are extremely rare in this context. 3) It's gonna be useful when you're infected.
@@rautamiekka AppArmor and SELinux will only prevent specific applications from accessing some files and doing similar stuff. That's it - and because there are no profiles for Firefox etc. (there can't really be) it is useless. I don't think that you understand the basic concept of SELinux and AppArmor; it won't help when you're infected - but maybe I missed some features of it. Usually the kernel is the only protection in the desktop case; SELinux and AppArmor profiles don't exist for the desktop case.
I let pfSense handle all my firewall rules as its firewall protects you in your local network and on the internet, and frankly it's a pain in the arse to be double firewalled.
Thanks for making short videos. People out here really stretch their videos for view time, adding unnecessary stuff, especially really long intros, which is not right.
I actually completely disagree with you when it comes to fail2ban and firewalls. While neither of those things is bad, they're honestly secondary defenses. Fail2ban is kinda pointless if you're using RSA key login. The universe will likely already have suffered a heat death before someone bruteforces an SSH key. Unless you're using a super high entropy password, you're better off generally just disabling password login in SSH or any other service you're using and going along with RSA keys. But, if you are using password login, then fail2ban can really help (but again, why use password login in the first place? the better, more secure option is to use RSA keys). Firewalls give people a false sense of security and are (almost) completely pointless. About the only time that a firewall actually helps is when someone has already in some way infiltrated your server and opens up an application listening (or phoning home) on an unused port. Firewalls will mitigate that--and basically only that--one single attack vector. In fact, if someone is able to actually hack your server, say by using some server-side attack through some vulnerability in your PHP application, and gain root access, your firewall isn't going to do anything because they can just disable it. Even more, if you don't have any applications listening on those ports, then there's not really even a need to shut down those ports (except see the earlier attack I was talking about, which is actually a pretty niche case). Honestly, for me, the most helpful thing about a firewall is that it forces me to think about what applications are critical to the server or not, and that can be solved by just planning better rather than relying on a complex piece of software to do your thinking for you. Fail2ban and firewalls are the absolute most overrated security "hardening" tips. They do more to make you feel safe rather than actually make you safe.
Firewalls don't just allow you to drop or not drop all connections to ports. If you have a static IP or a properly segmented network you can drop everything but that static IP or that network block, and that would really help locking things down. Linux firewalls also have all kinds of targets that can further reduce the attack surface. But when you don't know what you're doing and you're using a ready-made firewall script, yeah, you're right, it's not going to help much.
@@KnutBluetooth That's fair. However, for most people who are just running a desktop computer or are running a single webserver, a firewall isn't really going to do much. Like you rightly point out, it's actually way better to use on a network-wide scale rather than just on a single computer. Actually, docker makes use of iptables the way you're describing. Every time you network a docker container it literally creates an entry in iptables for it. Essentially what docker does is kind of create a "pseudo-network" inside of your machine. But again, merely using docker and this functionality honestly isn't very much of a security benefit as the individual containers (or computers) are still the largest risk and by mitigating what can contact them from the outside only reduces the surface to the one machine that must be exposed to the external internet (in the case of docker, your machine, in the case of a real network the server you're connecting to). So again, unless you're a large company with a rather large network, a firewall isn't really going to do much.
Now, I should say most desktop Linux distros don't have these things configured because it WILL block things and applications, good or bad. However, if you are security conscious, it will be worth configuring these things in your system to open up any application that wants to use the internet.
Article from Video: christitus.com/linux-security-mistakes/
bruh
This video is rather for the server-case than the desktop case. 1. Limiting ssh makes no sense - passwords are strong enough these days, and if not, you would have to manually forward the ssh port. SSH servers are usually not installed and enabled anyway. 2. repositories: I don't have any opinion on that. 3. not using apparmor or selinux: from my first comment to this video: "apparmor (and selinux) are pretty much useless in the desktop-case."
Chris, more Linux security videos please!
@@expensivecats yeah so now I'm really confused
@@edwardmacnab354 You're not alone; expensivecats makes sense to a non-Linux user moments away from being a n00b Linux user. I have the boot stick primed and ready to go, just wanting some security advice, and Titus seems legit. I may skip the firewall setup until I have more experience. Last time I did anything that needed proper syntax was DOS 6.2 when I got my 1st version of Windows, and that was Win 95. Not entirely true, I had tried Win 3, but I had no software for it since all I had was DOS based, and CompUSA let me return it.
Mr. Titus, I watch all of your videos. I am battling stage 4 cancer, and I keep my mind off it with your fantastic computer insight! Thank you!
Best of luck! Hang in there!
Wish you best m8
@@cameronmoore136 Thank you!
@@paw565 Thank you!
I was stage 4 with lymphoma... So far in remission. What do you have if you dont mind me asking?
Chris, thanks for the info, but before we can talk about individual computers on local network and their security we need to have a conversation about the most important device on your intranet: the router. This is a first line of defense and if it is not secure then your entire intranet is not secured. Please make a video about that.
I'm really gonna assume you used the wrong spelling of internet 😅, but your point is right. But we can't do much to a router, I think... Correct me if I'm wrong.
@@gto4467 No, internet and intranet are 2 different things bro
@@gto4467 just use a router with e.g. OpenWRT installed, it's effectively full-featured Linux.
So true, a bad router or misconfigured gateway and it's just a bad time no matter what in today's environment.
@@gto4467 Hi, no I did not. "Intranet" is a term used to describe your home or company internal network structure. Internet, as you know, is the World Wide Web. Regarding routers, yes, you can do many things with them, but the first thing is to stop using your standard "jack of all trades and master of none" store-purchased routers. I would recommend investigating Netgate devices/routers and/or utilizing your old PC and installing "pfSense" router software (FREE). One of these solutions is used by most small to mid-size companies.
Great video, thank you! I'm currently a Junior Penetration Tester, and I think this touches on something we don't generally get taught.
Load up Kali, fire off nmap, poke a few ports and send off a fairly standard report full of accepted mitigations.
More videos on general hardening for Mac, Linux and Windows (I know, Windows will take years off your life) would help to give something different back to clients on top of the usual advice. I don't know anyone at work who's ever mentioned it.
On the firewall - Fedora should come with firewalld / firewall-cmd running with FedoraWorkstation zone as the active zone. Using UFW on top of that wouldn't cause a conflict? I like UFW, but have been using / learning firewalld - usually I set a workstation to the 'public' zone which only has limited services.
Yeah true, I remember when I switched to Fedora a while ago (I just wanted to switch from Ubuntu). I was trying to ssh and ping my linux laptop, and I kept on seeing something like "host unreachable" or "no route to host". And then from looking up Fedora, I found out that it had a firewall. And before I just stopped the process, but then I saw an easier way to configure the firewall. And since I set ssh to listen on a different port (instead of port 22), I set the firewall to allow the port number I set and I was able to ssh into my computer.
SELinux is enabled by default in Fedora Workstation; it's not in permissive mode, and the rules these days are generally pretty decent, so you typically don't get spammed with alerts anymore. In terms of firewall, as a lot of people have already mentioned, Fedora comes with firewalld enabled and configured; you just need to set the profile (in KDE you can do it directly from the NIC configuration) and you can configure additional rules if needed using the firewall-cmd command.
Before installing a firewall, check if it is useful. Do a port scan like this: 'lsof -i -P -n | grep -i listen'. This shows a list of all listening (i.e. open) TCP ports on your system. On my standard Ubuntu system this list is empty. So there are no open ports and installing a firewall is rather pointless.
'ss -tuna' also shows all that is listening.
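The check the two comments above describe, turned into a small script so the decision is not made by eyeballing the table. This is an added example, not something from the video or the commenters: it reads the output of 'ss -tulnH' (TCP and UDP listeners, numeric, no header), throws away sockets bound only to loopback, and prints what would actually be reachable from the network. The ss output embedded in the script is constructed so the script runs offline; on a real machine pipe ss into it instead.

```sh
#!/bin/sh
# Added example: summarise non-loopback listening sockets from `ss -tulnH`
# output, so you can see what a host firewall would actually protect.

# Constructed sample of `ss -tulnH` output (not captured from a real host).
# Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='udp   UNCONN 0      0          127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0                0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0      128              0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511              127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0      128                 [::]:22           [::]:*'

# exposed_ports: read ss lines on stdin, print "proto port" for every socket
# bound to a non-loopback address, one per line, de-duplicated and sorted.
exposed_ports() {
    awk '
        $1 == "tcp" || $1 == "udp" {
            addr = $5
            # the port is everything after the last ":" in the local address
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # skip loopback binds: 127.x.y.z (incl. 127.0.0.53%lo) and [::1]
            if (host ~ /^127\./ || host == "[::1]") next
            key = $1 " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }' | sort
}

# check_exposed: return 0 (and say so) when nothing is reachable from the
# network, otherwise list the exposed listeners and return 1.
check_exposed() {
    out=$(exposed_ports)
    if [ -z "$out" ]; then
        echo "no non-loopback listeners"
        return 0
    fi
    echo "$out"
    return 1
}

# Real use:  ss -tulnH | check_exposed
# Offline demo on the constructed sample (expected: tcp 22 and udp 5353):
printf '%s\n' "$SAMPLE_SS" | check_exposed || echo "exposed listeners found, a firewall rule set is worth having"
```

Two things the sample shows that a raw 'lsof | grep listen' hides: the same service bound on 0.0.0.0 and [::] is one exposure, not two, and a UDP socket (here 5353, mDNS) has no LISTEN state at all and so never shows up in a grep for "listen".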
Chris, Fedora comes with a firewall already: firewalld. Could you show us how to use what the operating system ships with instead?
Yes! I was just about to comment about this.
Exactly, and firewalld is very good and there is a GUI and CLI interface for it!!
I don't think regular users need to open any ports at all. They don't run web servers (80, 443) on their desktop computers and probably don't run an ssh server (22) either. So it's better to just deny all incoming ports without exceptions by default.
And the techy people who do run servers are certainly already smart enough to open the required ports.
Oh, when he said "80 and 443 is the web," he didn't mean like the world wide web? I assumed without those enabled/allowed I wouldn't be able to use a web browser. Is that not correct?
@@cameronmoore136 no, the shown rules are only for incoming connections. In fact most users won't receive any incoming connections from the internet anyway because of providers' NAT.
@@mk72v2oq I see. I guess I don't know enough about this. I assumed information being sent to your computer from a website you're trying to load would apply to this. But I appreciate the information!
@@cameronmoore136 this is true, packets travel in both directions of course, but *ufw* is just very simplified here on purpose. The only thing that matters here - who is the connection initiator. So when you are accessing a website (or any other resource/server) the whole connection counts as *outgoing* , so only respective rules applied.
@@mk72v2oq Ohhhh okay, that makes sense. Thanks! 😄
If anyone wants to take a look at other utilities/features on Linux, here it is:
- SECCOMP
- no_new_privs bit
- secure bits
- Linux capabilities
- Namespaces and pivot_root (not a security feature, but this is how container isolation works)
Thank you. It's awesome to see someone make a basic "hardening" video for Linux. There's not many creators I've found do a "for dummies" video yet. Legend.
SELinux and AppArmor are standard in OpenSUSE and Fedora. Two very enterprise focussed distros 💪😌
And firewalld also.
@@operius2385 Yes. Just Fedora comes with firewalld, not ufw. Chris Titus Tech chose the wrong distro for this topic.
Well, openSUSE comes with AppArmor and Fedora with SELinux. Neither comes with both. Also, if you want enterprise go with RHEL and SLE, not the upstream versions.
rocky linux comes with what firewall?
@@budliquor6972 openSUSE MicroOS and derivatives like SLE Micro come with SELinux instead of AppArmor
1. A firewall is useless if it doesn't have any listening services behind it.
2. Allowing ports 22, 80 and 443 is pointless unless you are running a server.
3. Fail2ban makes no sense on a desktop computer at all. Why would anyone run an SSH server on their desktop?
4. To sum it up: No listening services = no firewall necessary. Opening up the firewall for all listening services means that the firewall blocks nothing.
Please give a hint where to read/watch about correctly installing listening services with a firewall.
0:47 100% agreed
Security is a journey not a destination
- Chris Titus
RPM based distros use firewalld out of the box not ufw
ufw on fedora? Why? Also allow ports 80 and 443 on a workstation? Why? Also you got 3 errors while editing your ufw configuration.
Fedora comes with firewalld.
I think he totally missed the point that ufw isn't the only firewall.
Also it seems like he's confused between incoming and outgoing ports because he opened ports 80 and 443
@@ShrirajHegde as well as SSH, which is just horrible because the default config allows any user except root to password-login. But a user with sudo might as well be root in this case, considering you can just switch into root via sudo -i.
Are there any distributions that come configured, by default, with the setting that our host is recommending (or something similar)?
For example, the Qubes distribution is highly, highly focused on privacy and security. I have never used it (seems you need qualified hardware to take full advantage of its security features).
I am not savvy enough to configure all of the settings in Linux. Down the road, when I am able to obtain a computer that I can dedicate for using Linux, I would like to find a distribution that has its security settings already in place, because I will not remember what to do.
I understand that no two people will agree on every security setting. But the big ones, such as "ufw" that was demonstrated in this video... are there distributions that have that already set?
There are countless distributions. Too many for me to figure out which ones put security first. I thought that Qubes was the answer (maybe it is?). But they have a web page dedicated to scoring hardware, and not too many computers check all of the security boxes.
Hi Chris, thank you for these great tips. Can you do a video (or two videos, one on each) about how to configure and use SELinux and AppArmor?
I know this is an older video but I'd like to say that, I diss 99 % of the Linux users out there. You're one of the 1 % I can respect. Just for context, I'm a system administrator for a large company. We use most of the OS'es out there.
Hey, just wanted to say thank you for this video. I just switched from Ubuntu to Fedora after moving from Windows 6 months ago and didn't realize UFW wasn't prepackaged. I'm still relatively new to Linux, but it is so much better than Windows in my opinion, and I love learning, but security and open source were my main reasons for switching. Anyway, I'm rambling, but very thankful for the info; now I have UFW on my Fedora 38!
Fedora comes with firewalld though, you can use it through firewall-cmd.
The default configuration does leave everything open though
1) F2b is painful to conf.
2) firewall very much so.
3) prioritizing repos, much worse the packages, is extremely painful to conf on top of keeping up with multiple repos (keeping up with repos ain't nearly as painful cuz they change rarely).
4) the pkg manager always uses the newest packages and will warn you when a dep conflict occurs (so I don't understand your point).
5) AppArmor/SEL is the worst pain to conf.
1. first time - maybe, so is almost anything on the server side
2. not really, again - maybe the first time you do it, just keep it simple, block everything except the services/ports you need, usually 22,80,443 is enough
3. that is very much true, that's a reason to limit 3rd party repos as much as possible
4. newest packages are not always desirable, there may be breaking config changes between some versions of a program
5. true, fortunately most software from repos comes with sane policies by default, custom/external apps ideally would come with configs for apparmor and/or selinux, but far too often they do not
@@starypiard
1) It won't be limited to the 1st time, it takes a long time to figure out the settings perfectly since shit tends to not be documented. Nah, in my experience server-side things are mostly pretty simple, but F2b ...
2) Admittedly I ain't sure if apps are allowed to start listening to ports when the firewall blocks that port (as in, the app can try to send a packet down the port, but the firewall just snags it in DROP mode), but if they don't you have to shut down the firewall, let the app start listening, find those port numbers, and allow them, since that info is nearly never mentioned; or go read the source code.
2.1) Worse yet when there's no 24h listening, so you need to keep the firewall disabled for a long time and somehow log the port ranges so you can allow them, since unlike in Window$ there's no way in the firewall to allow process-based firewalling, the lack of which just doesn't make sense to me.
2.2) With both of the above points in mind, it can become an endless cat-and-mouse game when you're starting new services, which is my point.
3) But when it ain't possible ... Just easier to do the updating manually (I do it every Friday 0600pm) and read what the pkg mng says.
4) Depends. Mostly not.
I learned a lot from you, keep doing everything you're doing on YouTube, Chris
Thank you, Chris. Can you do a video on how to increase security on Windows? For 8.1 as well as the newer, barf, versions? I would greatly appreciate it.
@SomeoneOnlyWeKnow You're right. I know. I am one of the odd ones. That was the ironic part of my comment...but with a touch screen 8.1 is absolutely awesome, imho. Peace to you and opinions are like pie-holes, everybody's got one. ;)
On a desktop you almost never need SSH; leave it off.
I am too lazy to walk to another room so I need openssh
Why do you open up incoming ports on your client?
Encrypt the drive with sensitive data on it, because like Windows, a live disk can get access. This is how data gets stolen off stolen laptops. If these drives were encrypted, then there would be a lot fewer data breaches out there from stolen laptops.
@2:54 you talk about limiting SSH but you mark the 22/TCP, so SSH should be limited and not 22/TCP?
Thanks for the info! I may have watched this video before, applied the recommended UFW settings, and quickly forgot all about it (my system said that UFW was active), but just to be sure I set the settings you lay out anyway. It's very easy to get caught in the mindset, "I use Linux so I'm safe". You still have to take basic precautions, even if Linux might be safer in some ways than Windows.
Thanks for this video. I am learning and loving linux now. Using Nobara 36 distro based on Fedora 36.
On a laptop why not go with defaults: deny anything coming into this system? It's what I do... I get it if you have apps and processes that require it, but I'd lock it down until I found that I needed a config change.... (?)
Priceless info, always! Thanks again Chris!
Hi Chris. Thanks for the video, excellent work. Perhaps Safing Portmaster is a better firewall option for desktop users as it's got an excellent gui and can easily block individual apps.
Fedora has always been enforce mode by default when I've used it
Why are those ports allowed INTO the system if you are not a server? shoudnt those be outgoing only?
I have the same issue! Seems that things are a bit different on the version that I have on Arch Linux. Are you on Arch too? I believe the developers must have made some changes to the default behaviour of the CLI for this firewall: many commands appear to be about the incoming traffic by default. Or the issue is my knowledge, but then I really don't understand it.
Same thing with the "ufw default deny" on the Arch wiki. It's also only the incoming traffic that you manage. You really need to explicitly add the outgoing and incoming words behind it to make it work as expected.
I'll take a look at that apparmor docs right away. Thanks for the heads up Chris! ✌😎
Good video, but not sure why you would need ports 80 and 443 open if you are not running a web server.
I gonna remember your quote "security is a journey not a destination" 😋👍
Always use a VPN and a proxy chain!
My upstream node is an IPFire Mini-Appliance with Red (external), Green(internal), Blue(WiFi) , and Orange(DMZ) zones and a nice web management interface.
Fedora uses firewalld by default iirc, on the fail2ban recommendation I'd urge you to look into crowdsec, amazing project!
Linux desktop by default is pretty much insecure. But almost none of these points matter.
On a NAT network like home, a firewall is not that useful. Also there is no point in allowing 80 and 443 incoming ports. Usually people don't run a web server on a desktop.
Repo pinning is a valid point, but a better approach would be not to add a repo at all. Use a container like podman for such software.
SELinux or AppArmor comes by default on standard desktops like Fedora or Ubuntu. These are MAC and have nothing to do with app security. For that use a sandbox like bubblewrap (Flatpak), Landlock and a secure display protocol like Wayland.
NFT Table :))
Btw
You're using fedora, firewalld comes by default, not ufw.
Those firewall rules are very easy to do with nftables and iptables. In nftables it takes less than 10 lines. Why would desktop users need to open incoming traffic to 80/443? Why would desktop users need to allow incoming SSH connections over IPv6? That makes it likely the SSH port is open to the whole world because IPv6 is not behind a NAT firewall and incoming connections on the router may not be blocked. LIMIT SSH in the firewall is not fail2ban, it is rate limiting connections to SSH. It's just slowing down the bruteforcing of SSH to where it's impractical. SSH needs to be secured on its own. Logins with passwords disabled, root logins disabled, all cryptography algos that you don't use disabled. mDNS is not just DNS. It's zeroconf Apple stuff that is usually useless and an extra liability. It should be disabled in systemd-networkd and its traffic blocked too.
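The ruleset the comment above describes (default-deny inbound, replies to our own connections allowed back in, SSH rate-limited in the packet filter rather than by fail2ban), written out as an added example. This is not code from the video or from the commenter. It assumes SSH listens on 22/tcp, that nothing else on the machine needs to be reachable, and a kernel with nftables; the log line is optional. Check the syntax with 'sudo nft -c -f ruleset.nft' before loading it with 'sudo nft -f ruleset.nft'. The established,related rule is also what makes the earlier incoming-versus-outgoing discussion work: browsing is an outbound connection, and only its replies are let back in.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for a desktop or laptop that only offers SSH.
# Assumes sshd on 22/tcp. Load: sudo nft -f ruleset.nft  (check: nft -c -f)
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # replies to connections this host started (browsing, updates, ...)
        ct state established,related accept
        ct state invalid drop

        # local traffic
        iif "lo" accept

        # ICMP: path MTU discovery needs it, and ICMPv6 neighbour discovery is
        # mandatory for IPv6 to work at all, so do not blanket-drop it
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # new SSH connections: at most 6 per minute, the rest are dropped.
        # This is the "limit ssh" idea done in the packet filter.
        tcp dport 22 ct state new limit rate 6/minute accept
        tcp dport 22 ct state new drop

        # everything else is dropped by the chain policy; log a sample of it
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Because the table family is inet, the same rules apply to IPv4 and IPv6, which matters for exactly the reason the comment gives: on IPv6 there is usually no NAT between the laptop and the internet, so the host policy is the only thing keeping port 22 closed to the world.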
Chris, thanks for this video. The funny thing is, after applying the UFW rules and for some odd reason, Brave was no longer able to access certain websites! I thought it was something else but Firefox had no problems. Have to keep an eye on that Brave browser!
Questions: What about setting up firewall rule on pfSense, which I use to manage my local network and WAN. Put it another way, what's the key difference/benefit between setting up firewall on network level and local machine?
IT security should always be defence in depth
One important security advice, don't be tempted to install whatever software from whatever places. Be conservative and instead use only the main OS repository. If you need more, maybe add Flatpak, but still be very conservative on what to get from it. If a software is available in your OS repo - just download that version, and not Flatpak's one.
In the video you are using Fedora, which comes with firewalld by default, so I don't see any need to install ufw.
As I understand, UFW is not a firewall, but an interface. The actual firewall is part of the kernel. Am I missing something?
And aren't most ports closed even before you enable them??? In particular I am thinking about the incoming ports for Samba/SMB?!🤔
Yeah. ufw is just a front end, and Fedora does not use ufw but uses firewalld instead.
Pretty sure that is wrong. I believe it was made just to be an easy way to configure iptables and then was adapted for nftables when iptables became deprecated.
@@fookingsog I've read that that is the case, but I've never looked into in any depth.
I still find it very bizarre that people easily add repositories and allow to install every package from there. Even limiting the names of the packages doesn't change that you simply trust every piece of software from this host address because you don't know what's inside the package.
Shouldn't repositories at least provide signatures and public keys from the maintainers of packages? So as a user you could trust people instead of addresses or hosts which might get hacked or infected? I think Arch for example provides a keyring package which contains the public keys of the maintainers from the official repositories. So if the signatures don't match, you can't install a certain package.
I think something like that should be the goal, right? Because a host providing a package doesn't really matter as long as it provides the official and signed content, you can verify. So in case any malware or vulnerability might to a user, it's transparent whom to blame.
But something which I find missing in this video is far worse than bad verification processes. People still copy & paste code from the internet and execute it without asking questions. People on Windows do this, on macOS and on Linux... this is just plain bad when you don't know what it's doing.
I also think this is worse than a missing firewall because a firewall is only necessary when you open ports. Obviously it's less hassle to set up good firewall rules than checking your ports to be sure. But in general there's far less software on Linux which randomly opens a port for arbitrary reasons than on Windows for example... that is the main reason you need to have a firewall on Windows. Because the OS itself will open so many backdoors, you could think it wants to be infiltrated.
Especially AUR, which is basically a wild west just as installing some random .exe under Windows 🤣😅
@@ArniesTech Not exactly though... if the app is open-source you can technically verify everything. The PKGBUILDs are also auditable. A random binary for Windows doesn't provide any transparency.
But I agree it's dangerous to use it without verification.
"Shouldn't repositories at least provide signatures and public keys from the maintainers of packages?"
I'm pretty sure all large package managers do this (pacman, apt, yum, and i suspect if you want to include odd sorta kinda package managers like what gentoo uses even they use public keys to verify source code).
In fact, every time you download an install there is always the option to check it with some sort of public key encryption.
Now, I think what he was talking about in the video was adding third party repositories, which is very different and don't necessarily have public key encryption to sign the software packages.
"I also think this is worse than a missing firewall because a firewall is only necessary when you open ports."
I completely agree with you here. Installing/using code that you're not familiar with is way worse than using firewalls.
@@ArniesTech Yeah, as Tobias already pointed out the AUR is not at all like an executable file on windows. The AUR does not *generally* distribute binaries, instead it usually builds a binary from source. Sure, this can still be dangerous because the PKGBUILD can be malicious or the source code could be malicious, which is why it's always a good idea to give a quick scan of the PKGBUILD and make sure it's downloading the source code from a good source (i.e. visit the repository it's downloading the source from) and also make sure the script makes sense.
I don't have many aur packages, but I do have a few, and they're all less than 50 lines of code (honestly, they're probably more like 20-30). Even something super complex like ungoogled-chromium is less than 300 lines of code in the PKGBUILD (and something that is big like that generally already has lots of people looking at it).
In either case, if you think the AUR is the "wild west," then we just have different ideas about what is actually dangerous, and I suppose if I didn't know how to read a bash script then I'd think it was the same as a binary executable too.
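The "quick scan of the PKGBUILD" from the comment above, with the mechanical part scripted so the hand-reading can focus on what the build actually does. This is an added example, not from the video, the commenter or Arch's own tooling. It flags plain-http or ftp sources, SKIP checksums (which disable integrity checking for that source), downloads piped into a shell, and source hosts outside an allow-list; the allow-list and the sample PKGBUILD are both constructed here, and a clean run means "nothing obvious", not "safe".

```sh
#!/bin/sh
# Added example (not from the video or from Arch tooling): mechanical checks
# to run on an AUR PKGBUILD before reading it by hand. A clean result does
# not mean the package is safe; a flagged one means look closer.

# Constructed sample PKGBUILD, not a real AUR package. It carries two of the
# patterns worth flagging: a plain-http source and a skipped checksum.
SAMPLE_PKGBUILD='# Maintainer: someone <someone@example.invalid>
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("https://github.com/example/example-tool/archive/v$pkgver.tar.gz"
        "http://files.example.invalid/helper.sh")
sha256sums=("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
            "SKIP")
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}'

# Hosts you are prepared to fetch sources from. Assumed list; adjust to taste.
ALLOWED_HOSTS='github.com gitlab.com codeberg.org'

# audit_pkgbuild: read a PKGBUILD on stdin, print one finding per line,
# return 0 when nothing was flagged and 1 otherwise.
audit_pkgbuild() {
    pkgbuild=$(cat)
    findings=0

    # 1. plain http:// or ftp:// sources can be altered in transit
    if printf '%s\n' "$pkgbuild" | grep -Eq '(^|[^a-z])(http|ftp)://'; then
        echo "plaintext source URL (http:// or ftp://)"
        findings=$((findings + 1))
    fi

    # 2. a SKIP checksum means that source is not integrity-checked at all
    if printf '%s\n' "$pkgbuild" | grep -Eq "['\"]SKIP['\"]"; then
        echo "checksum SKIP: a source is not integrity-checked"
        findings=$((findings + 1))
    fi

    # 3. a download piped straight into a shell inside the build steps
    if printf '%s\n' "$pkgbuild" | grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'; then
        echo "download piped into a shell"
        findings=$((findings + 1))
    fi

    # 4. every source host must be on the allow-list (scheme, user@ and :port stripped)
    hosts=$(printf '%s\n' "$pkgbuild" \
        | grep -Eo '[a-z+]+://[^/"[:space:]]+' \
        | sed -E 's#^[a-z+]+://##; s#^[^@]*@##; s#:.*$##' \
        | sort -u)
    for host in $hosts; do
        case " $ALLOWED_HOSTS " in
            *" $host "*) ;;
            *) echo "source host not on allow-list: $host"
               findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Real use, from the cloned AUR directory:  audit_pkgbuild < PKGBUILD
# Offline demo on the constructed sample (expected: three findings):
printf '%s\n' "$SAMPLE_PKGBUILD" | audit_pkgbuild || echo "read this PKGBUILD carefully before running makepkg"
```

Run it on the checked-out PKGBUILD before makepkg, and re-run it on every update: the point raised above about trusting a host rather than a person applies just as much to a package that was fine last month and now fetches one extra "helper" over plain http.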
@@insidetrip101 That's the point. Your last sentence. I wonder how many people actually can read a bash script or the language the source code is written in. Yeah, in open source you can see everything, but it's of no use if you don't understand what you see 🤗
Currently starting a network administration associate's; just installed Linux to force myself to learn it and having a lot of trouble so far, but I want to stick with it!!
For a desktop Linux system you would not really allow web ports either unless you absolutely need them, nor SSH (22) unless you need to access your desktop remotely from a different device/location. To have web ports and the SSH port open in basic firewall rules is kinda ridiculous.
Thank you! I was looking for something like this!
WTF are you talking about ?
First, neither SELinux nor AppArmor is permissive by default, at least not in RHEL, Fedora, or Ubuntu. They may be if you install them on a system that does not include these tools by default, but installing and configuring these tools is way beyond this video.
UFW is a decent tool, as are the other tools you mention, but why install additional packages when iptables will do the same? It just doesn't make sense on servers.
Also a firewall does nothing at all if you do not have a server installed or if you allow connections to the server. For example a firewall does nothing if you do not have a web server installed as nothing is listening on port 80 or if you are running a web server you then allow port 80 through the firewall so in this example a firewall does nothing.
It is by far more important to learn to secure the servers you do install.
Last although I now use rpm systems I have never seen problems with multiple repositories and pinning is not generally necessary nor does it add security. Either your repo is trustworthy or not and pinning is not a security feature. Instead don't add repos you do not use or trust.
While I appreciate security you really need to do a little more homework.
Most users don't use a public IP address. So it is quite safe from the get-go. Furthermore most routers have a firewall. In addition, if you activate a firewall on your computer you are in good territory.
Thanks for this video. Please make a video about AppArmor, how to use it in the correct way. This application is on my Linux system and I did not notice it before I watched your video. So, I hope there is time to do that. Otherwise give me a hint where I can look, the right way. Thanks for helping me understand Linux better.
Thanks for the info- as desktop users numbers go up we will be a larger target.
thanks for the great video, at the 2:29, it should be sudo dnf install ufw and sudo dnf install fail2ban not apt
Setting up arch as we speak. Cool vid
I use gufw and I block the host and all my VMs, except one, for all inbound traffic. All PCs and VMs are connected to their own router, and there also all inbound traffic is blocked, the password and user name are changed, and admin access is only allowed from the MAC addresses of my laptop and desktop. The backup server and laptop have a few open ports, but they are connected to my own router and they are only powered on for 1 to 2 hours per week. The easiest way to get into a desktop is of course through email, social media or the browser, basically everything that could seduce you to click on an infected file.
Thanks Chris for the info, definitely learned a few things.
Thanks for the information, I'm always learning from your videos. I wonder if you might be able to comment on the proper configuration when running virtual machines on a Linux desktop using QEMU / KVM. Is it sufficient to run a firewall on only the host machine? Are there any special considerations when setting up QEMU? Perhaps the subject for another video.... Thanks again!
I think this depends on how the networking for the VM is set up. If all networking is done layered on top of your host machine, the firewall should also apply for the VM.
If the VM has its own networking independent from the host (e.g. the host gives the VM full access to an Ethernet controller via USB / PCIe passthrough) the VM needs its own firewall.
Good stuff as always Chris!
In Fedora it's firewalld...
Thanks again. Maybe a future vid could delve more deeply into other issues that are the next big 3.
Does UFW use the nftables backend since iptables was removed from Debian?
SELinux is very useful, but damn, it's painful to use. You see, by default everything (at least on Fedora) runs unconfined, and you'll have to do a lot of hand work to lock it down while not borking half of the system.
Very helpful video, thank you once again for the great content!!! :)
Hmm, isn't Fedora shipped with firewalld by default? Would explain why ufw was not present...
Great advice. Thanks Chris
Can't I just configure Firewalld the same way as UFW?
Glad I don't have to worry as much on this with my firewalla router/firewall. 🤪 Pretty much all inbound traffic is blocked on my network and my devices won't respond back at all on outside pings/probes. It's best practice to not respond at all and make the attacker/hacker think the IP/port they're pinging doesn't exist.
Is a HARDWARE FIREWALL in your router or modem sufficient to protect you, or do you need software as well?
Fedora uses firewalld by default; the command is firewall-cmd.
I actually have port 20 denied as I don't use SSH or Telnet (deny that one and use SSH if you do). Remember to customize your firewall to your minimum needs.
Chris, what do you think abt feasibility of free antivirus soft (Clam for example) on workstations?
The GUI for firewalld in Fedora is a nightmare to try to explain to new Linux users. I've gotten lots of people to switch from Windows and several to Fedora specifically and the firewalld GUI presents them with something designed for high level IT networking professionals. I know Fedora is upstream to Red Hat so this makes sense. But to a Linux newbie running Fedora on a home desktop, it is terrible. I actually laugh out loud when I see the firewalld GUI referred to as simple or easy.
Thanks for good lessons today Chris
Great info as usual much appreciated 🙏
I also like to lock down SSH by using the /etc/sshd_config such that root can't login through ssh, only certain users can login via ssh, and disable password authentication in favor of public key authentication. Then if I want to get real spicy I'll use my distros firewall to restrict incoming ssh requests by admin computer IP.
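The three sshd settings from the comment above, written out as an added example rather than the commenter's own file. On Linux the server config is /etc/ssh/sshd_config, or a drop-in file under /etc/ssh/sshd_config.d/ on distributions whose main file has an Include line for that directory. "alice" and 192.0.2.10 are placeholders for the admin user and the admin workstation's address. Validate with 'sudo sshd -t' before reloading, and keep an existing session open while you test so a typo cannot lock you out.

```sshd_config
# Added example: /etc/ssh/sshd_config.d/50-hardening.conf (path is an
# assumption; put the lines in /etc/ssh/sshd_config if there is no Include).
# Validate first:  sudo sshd -t   then reload:  sudo systemctl reload sshd

# no direct root logins over SSH; use an unprivileged user plus sudo
PermitRootLogin no

# keys only: turn off password and keyboard-interactive (PAM) password prompts
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

# only this user may log in, and only from the admin workstation.
# AllowUsers takes USER@HOST patterns, so this restricts the source address
# at the sshd level as well as in the firewall.
AllowUsers alice@192.0.2.10
```

On OpenSSH older than 8.7 the second option is spelled ChallengeResponseAuthentication instead of KbdInteractiveAuthentication; setting both is harmless if you are unsure which version you have. The AllowUsers address restriction belongs on top of the firewall rule, not instead of it: the firewall drops the packets, sshd refuses the login if anything slips past.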
Good info, you definitely hit the big three. Also, it may not be a bad idea to do some follow-up videos on each of those with some more in-depth explanations and examples of what they do. Based on what I'm seeing in the comments it looks like it may benefit a lot of folks.
4:50 Linux repositories. Excellent point on multiple repository conflicts (which repository updates my system to which program version).
Beyond this I feel a giant gaping hole in Linux security is the lack of corporate oversight for updates to the repository. Assume you are a hacker that wants to infect a system with malware. Would it make more sense to devote time to persuading users to install your malware or push the malware to a Linux repository?
Beyond repositories consider there are more than 600 Linux distributions. Who is inspecting all of the distributions, all of the respins, all of the distribution/respin releases, and every update to all of the repositories which Linux distribution owners might create?
So why the concern over a corporately maintained repository and for that matter distros? A corporation has the finances to assign technical resources to review submissions to their repository, pay for external audits, and secure the repository from infiltration. This corporate repository would immediately come under the scrutiny of security and privacy advocates. Currently there are over 600 distros out there. How much security/privacy advocate attention are each of these distributions, much less their repositories, receiving?
Who would want a corporately distributed Linux offering? Someone like me. I purchased a notebook from a Microsoft Store location in December 2015 and 6 years later MS won’t allow me to upgrade to Windows 11 as my processor is not an eighth-generation or higher processor. Running Windows 10, my Microsoft Store notebook will simultaneously run VirtualBox Windows 11 and Windows 10 VMs. In 17 months, MS will provide no option for this hardware purchased at one of their stores. For me, a Linux variant would be more than sufficient, but where do you get a Linux variant with corporate oversight that compares favorably on a cost basis to Microsoft? Consider MS Windows 10-year life cycle with a free upgrade to Windows 11. BestBuy sells Windows 11 for $130. Considering a Windows 10 purchase will get you about 20 years of support, remember the Windows 11 free upgrade, you’re paying about $130/20 years = $6.5 per year for software, updates, and limited support. I would literally pay a corporation providing secured access to their distros/repositories $10/year vs bending the knee to MS and saving a few bucks per year.
Red Hat is probably worth looking into for your use case. I'm no expert but I know they caught a lot of flak from the community for exactly what you're asking for. The most popular distro from them I'm aware of is Fedora, but that's upstream of their corporate releases.
Great work 🥳🥳🥳 Thank you 💜💜💜
But what about firewalld? It's pre-installed in my Fedora.
What is your take on RPM Fusion Chris?
2:35 Why did it say "error problem running" and why did he not react to that? Was that expected? Is it not an issue?
Chris, can you please update your The Ultimate Linux Gaming Guide on your site for fedora 36 because I want to install nvidia drivers and optimus but every tutorial I found is for x-org and/or for older version of fedora and I'm on fedora 36 kde spin and it uses wayland.
Good video, today I learned new things about Linux.
Hey, will UFW work on Fedora with firewalld already installed? Should I remove firewalld and use UFW? And what is a good setup for firewalld?
What's wrong with firewalld? Use that. Allow the ports and deny incoming. There is a GUI for firewalld.
Opening a port using the command line. Get a list of allowed ports in the current zone:
$ firewall-cmd --list-all
Add a port to the allowed ports to open it for incoming traffic:
$ sudo firewall-cmd --add-port=port-number/port-type
Make the new settings persistent:
$ sudo firewall-cmd --runtime-to-permanent
To remove a port:
$ sudo firewall-cmd --remove-port=port-number/port-type
Make the new settings persistent:
$ sudo firewall-cmd --runtime-to-permanent
The port types are either tcp, udp, sctp, or dccp. The type must match the type of network communication.
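The steps in the comment above (open, remove, persist) and the earlier suggestion of limiting ssh to an admin machine's IP are wrapped below in a small script. This is an added example, not the commenter's or the video's code: it validates the `port-number/port-type` spec against the four types firewalld accepts before running anything, and unless firewalld is installed (or while `FW_DRY_RUN` is set) it only prints the `firewall-cmd` calls it would make. The address 203.0.113.10 is a documentation address standing in for an admin host.

```shell
#!/bin/sh
# Added example, not from the video or this thread: a small wrapper around the
# firewall-cmd steps listed in the comment above, with the port spec validated
# before anything is changed. Without firewalld installed (or with FW_DRY_RUN
# set) it only prints the commands it would run, so it can be read and tested
# on any machine. The IP 203.0.113.10 is a documentation address.

# Run firewall-cmd, or print the command in dry-run mode.
fw() {
    if [ -z "$FW_DRY_RUN" ] && command -v firewall-cmd >/dev/null 2>&1; then
        sudo firewall-cmd "$@"
    else
        echo "firewall-cmd $*"
    fi
}

# Accept only NUMBER/PROTO with PROTO in the four types firewalld knows and
# NUMBER in 1..65535. Port ranges (5000-5010/tcp) are deliberately rejected.
valid_port_spec() {
    case "$1" in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    n="${1%/*}"
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$n" -ge 1 ] && [ "$n" -le 65535 ]
}

# Open a port in the default zone and make it survive a reload/reboot.
open_port() {
    valid_port_spec "$1" || { echo "bad port spec: '$1' (want NUMBER/tcp|udp|sctp|dccp)" >&2; return 2; }
    fw --add-port="$1" && fw --runtime-to-permanent
}

# Close a port again, also persistently.
close_port() {
    valid_port_spec "$1" || { echo "bad port spec: '$1'" >&2; return 2; }
    fw --remove-port="$1" && fw --runtime-to-permanent
}

# Allow ssh only from one admin address: add the source-specific rich rule
# first, then drop the zone-wide ssh service so the rich rule is the only way in.
restrict_ssh_to() {
    fw --add-rich-rule="rule family=\"ipv4\" source address=\"$1\" service name=\"ssh\" accept" \
      && fw --remove-service=ssh \
      && fw --runtime-to-permanent
}

# Usage (dry run so nothing on this machine changes; unset FW_DRY_RUN for real use):
FW_DRY_RUN=1
open_port 8080/tcp
close_port 8080/tcp
restrict_ssh_to 203.0.113.10
open_port 80/http || echo "rejected as expected (exit $?)"
```

The rich rule is added before the generic `ssh` service is removed so that an admin running this over ssh from the named address keeps their session; doing it in the other order leaves a window with no ssh allowed at all.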
Fedora uses firewalld, not ufw, at least by default. That's why you didn't find ufw. (Well, I think you are using Fedora because of your wallpaper.) Well, because I know nothing of security, I guess I should stop firewalld and install ufw.
Doesn't Fedora use firewalld?
hmm...so I guess if I want a quick list of ppl with port 80 open for probably no reason I should just check CTT subscriber list
I don't think it's worth watching this video. 1. Limiting ssh is not required in the desktop case - usually there's no ssh server running, and if there is, then hacking the user password would take ages, and is still not possible because the port is not forwarded; 2. adding repositories: It doesn't really matter, using any non-free repository can have a potential virus and usually repositories aren't even running if they're outdated - the creator lost interest; 3. not using apparmor or selinux: apparmor (and selinux) are pretty much useless in the desktop-case.
2) Non-free is just half the cake, you'll need something like Launchpad PPA to have the newest versions for almost everything else, too. And no, viruses and such are extremely rare in this context.
3) It's gonna be useful when you're infected.
@@rautamiekka Apparmor and Selinux will only prevent specific applications from accessing some files and doing similar stuff. That's it - and because there are no profiles for Firefox etc. (there can't really be) it is useless. I don't think that you understand the basic concept of Selinux and Apparmor, it won't help when you're infected - but maybe I missed some features of it. Usually the kernel is the only protection in the desktop case, selinux and apparmor profiles don't exist for the desktop-case.
I let pfSense handle all my firewall rules as its firewall protects you in your local network and on the internet, and frankly it's a pain in the arse to be double firewalled.
Good. The other point is to think in layers, but glad you stated that. BTW did you see the GitHub shenanigans?
What GitHub shenanigans?
Awesome thanks for sharing!
Thanks for making short videos. People out here really stretch their videos for view time, adding unnecessary stuff. Especially really long intros, which is not right.
I actually completely disagree with you when it comes to fail2ban and firewalls. While neither of those things are bad, they're honestly secondary defenses.
Fail2ban is kinda pointless if you're using rsa key login. The universe will likely already have suffered a heat death before someone bruteforces an ssh key. Unless you're using a super high entropy password, you're better off generally just disabling password login in ssh or any other service you're using and going along with rsa keys. But, if you are using password login, then fail2ban can really help (but again, why use password login in the first place? the better, more secure option is to use rsa keys).
Firewalls give people a false sense of security and are (almost) completely pointless. About the only time that a firewall actually helps is when someone has already in some way infiltrated your server and opens up an application listening (or phoning home) on an unused port. Firewalls will mitigate that--and basically only that--one single attack vector. In fact, if someone is able to actually hack your server, say by using some server side attack by some vulnerability in your php application and gain root access, your firewall isn't going to do anything because they can just disable it. Even more, if you don't have any applications listening on those ports, then there's not really even a need to shut down those ports (except see the earlier attack I was talking about, which is actually a pretty niche case). Honestly, for me, the most helpful thing about a firewall is that it forces me to think about what applications are critical to the server or not, and that can be solved by just planning better rather than relying on a complex piece of software to do your thinking for you.
Fail2ban and firewalls are the absolute most overrated security "hardening" tips. They do more to make you feel safe rather than actually make you safe.
Firewalls don't just allow you to drop or not drop all connections to ports. If you have a static IP or a properly segmented network you can drop everything but that static IP or that network block, and that would really help locking things down. Linux firewalls also have all kinds of targets that can further reduce the attack surface. But when you don't know what you're doing and you're using a ready made firewall script, yeah you're right, it's not going to help much.
@@KnutBluetooth That's fair. However, for most people who are just running a desktop computer or are running a single webserver, a firewall isn't really going to do much. Like you rightly point out, it's actually way better to use on a network wide scale rather than just on a single computer.
Actually, docker makes use of iptables the way you're describing. Every time you network a docker container it literally creates an entry in iptables for it. Essentially what docker does is kind of create a "pseudo-network" inside of your machine. But again, merely using docker and this functionality honestly isn't very much of a security benefit as the individual containers (or computers) are still the largest risk and by mitigating what can contact them from the outside only reduces the surface to the one machine that must be exposed to the external internet (in the case of docker, your machine, in the case of a real network the server you're connecting to).
So again, unless you're a large company with a rather large network, a firewall isn't really going to do much.
I think I need to go find a video Linux for beginners because this stuff went right over my head
Question. How is Linux properly pronounced?
Lynn-ux or Line-ux? Or something other?
Great VID!