I just want to caution everyone from enabling automatic updates on production systems. The best practice is to use scheduled maintenance windows and to always test updates in a test/dev/QA environment before making changes to prod :)
You're right. The ideal situation is using a repository host, whether that's something like Red Hat Satellite, Oracle Spacewalker, or using simple webserver which synchronizes repositories. You then control your packages on the upstream, so that when they are downloaded by the host - only the packages that have been tested are applied. This is how we automate patching - determine what updates we want > synchronise packages to repo host > create test environment to mimic prod > schedule ansible jobs via Tower to auto patch test hosts with smoke tests > when smoke tests pass, execute job on prod > run smoke tests, and if it fails, execute a job to undo the patch.
This is a BS channel for wannabee network/linux/ansible people with bloated headlines and an eyecandy editing, he barely had any real life experience with these stuff, most of the stuff he teaches about are from official rtd.
@@viktatororban4407 Everything you listed is exactly what's appropriate to teach beginners and for enthusiasts to communicate to them. Beginners need enthusiasm to draw them onto the path of becoming an expert.
Won 20 bucks in a networking class. Another student told me he could get into any computer remotely. I accepted his challenge and turned off my network card in the drivers. He was pissed.
Definitely one of the top 3 videos of all time to date... changing TCP ports, encrypted authentication, and disabling ping. Love it... Thanks again Chuck!
You should use "apt upgrade" instead of "apt dist-upgrade" as the latter might also remove packages or change things in the system which might break your applications. "dist-upgrade" should be used if you want to upgrade to a new release of the distro, not if you just want the latest versions of your packages in order to get security fixes.
As a security professional I really found this video to be of good quality. You were to the point, informative but not overbearing, engaging while being authentic. Keep up the great work! ❤ 😍
The way you deliver content is outstanding. English is my second language, but you somehow manage to be quick, to the point, and very understandable. Kudos. Fantastic work.
Brilliant. Coming from a person who is very comfortable with Linux, is so nice to see the simple security aspects covered. And I always love how enthusiastic you are, making I.T fun!! Big fan here, over in London /UK! Keep it up, and great to see your channel growing as well. Keep you fed :)
Linode, just to tell you - A really good choice for sponsorship! Keep going, his style is a remarkable combination of useful information and energetic hype!
20:41 - The line was already there (the last entry in that section). All he had to do was change the ACCEPT to DROP. ICMP ping may be blocked but hackers can still find his server using the nmap utility. Great video though. Love the channel!
It seems standard IT advice is to replace the password in ssh with the RSA key, but this thinking, I feel, is wrong. I would only do that if it was intranet only and I was feeling lazy. You can, and it's much better to, use both! What if a machine that had your RSA private key somehow gets compromised (I for one have multiple some of which are portable)? You would be done. Yes you can put a passphrase on the private key, but you are just buying yourself time, if you even know it was compromised in the first place. Having the password as well is a simple way to have MFA which is a must for any server you have on the internet. The RSA key is the thing you have, coupled with the thing you know i.e. password. Setup fail2ban on SSH, to protect against simple brute force, and you got a fairly strong setup. Even better is what I do and setup Google Authenticator on on that SSH stack, but I'll admit that maybe overkill :). Also another bit of SSH advice is make it so the SSH user has no administrative powers, don't even put them in the sudoers group. Remember sudo allows administrative privilege with the same password used to login. Once you login, you should elevate your privilege by using su to the an administrator account (someone who is in sudoers). This is the way cisco switches are by default and it's good practice. Security in layers :)
Add a layer of security with encrypting your home folder/even better your whole machine with luks. Loose it? The attacker will see nothing. Yeah even that could be hacked (extremly hard) but it makes it harder and add a layer.
This was great. I've just passed my Linux essentials exam and this helped learn a bit more about security. Btw, reloading the firewall did do the trick in my server. I didn't have to reboot .
Just to be clear I love your videos. They are very informative and well produced. But I have to add some commentary on what you just showed (from a perspective of a professional pentester): - Although updates are crucial like you explained an automated update mechanism (even if it is just the stables) might break something upon updating. So you might consider automatic updates a risk depending on your situation. - The mac command to copy your public key to the server will also work on linux the exact same way (although your command is shorter and easier to remember) - Using a password upon generation of your key pair is recommended. So when your private key is getting hacked somehow it will be useless if the password is not easily guessable - In general just use strong (random) passwords and store them in a safe location like a password store. - Changing the port of your ssh listener is just security by obscurity. Any port scanner using a service scan can show you that ssh is listening on port 717 (like for example nmap -sSV ...) - Deactivating ping once again is security by obscurity. Nmap has the flag -Pn which will scan your ip address no matter if the server answers to a ping or not. Other than that your counter measures are very well designed and really good explained. Thanks for sharing that content.
Oh my god, I need this so much, thanks you!!!! Edit: I need more... Moooreee. Lol, jokes away, I really like to see more about firewall managing. Great video, thanks!
Linux primarily relies on nftables and ip tables as the backend to their firewalls. Modern distros based on Ubuntu use ufw, while modern Red Hat based distros use firewalld. I personally prefer firewalld, but both are firewalls and can be configured to how you want (I find firewalld can be customised much more heavily). In most production on prem and cloud environments in the enterprise you'll have dedicated virtualised or hardware firewalls in between each network of hosts that further regulates traffic through firewall rules. Usually these rules are more lenient, while the software firewall rules act as more specific rules specific to the host. You can read more about them here: wiki.ubuntu.com/UncomplicatedFirewall firewalld.org/documentation/
Good starting guide and well explained, still missing tons of hardening activities, for example unattended upgrades and other. But I guess these things are better than what 90% of the folks implement out there so it's not about out-running the hungry lion, just running faster than the guy behind you...
I have another suggestion tho. there's a firewall option that allows your port to be neither "open" nor "closed" .. but instead "filtered" , making your server accepts incoming connections only from a known ip adress. it might not be useful for everyone since not everyone have static ip adresses. but hey, if you do, then that's just the best layer of security you might add to your server.
@@wakeupNeo_ I don't think either one is better, they're just different. The biggest difference I've seen is that ufw seems to be easier at command line, but firewalld is easier with Ansible. At least until ufw gets an Ansible module (it might have already).
@@wakeupNeo_ ufw can also limit access to a certain port. For example, you can prevent someone from brute forcing port 22 by limiting the connection to 2 connections per 30 seconds.
I would always recommend protecting your private key. A private key with no protections on it is more commonly referred to as a back door. You can password protect your private key. Passwords are only useless in Windows these days, since Microsoft refuses to stop using unsalted MD4. Cracking a password for a 4096 bit RSA key, or a SHA512 hash? Yeah. Let me know how that works out for you. If you use a godawful password, sure, it can be done. If you take any steps to make a somewhat decent password, chances are extremely unlikely that someone's going to crack it. However, if you're taking all of these steps to secure your Linux boxen anyway, might as well step it up a notch. Get you a Yubikey, and use it to protect your private key, or use it as a 2nd factor. Yubico has some great documentation. Probably the hardest part about doing it is selecting which method you want to go with, since Yubikeys are extremely flexible.
@networkchuck.. Thank you for this video! I know this is an older video but I needed to secure my ubuntu server and stumbled onto this gem. A couple of things. First... This is probably the best 1-2-3 video for securing Linux I've ever seen. It was presented in a fun way and your on camera presence kept it interesting and at the right technical level. It was neither too technical nor too basic. Just amazing info. Also, I am genuinely jealous of your epic beard. ;) Hope you keep posting great content.
Steps 1-4 I can understand and recommend too but the ping part in step 5 is just so unnecessary in my opinion. Sure you can block pings but any "good" hacker has many other tools to check if your server is still running (ahem.... nmap... ahem) I would also recommend any linux admin to install and set up at leas a basic fail2ban config to automatically block any recurring SSH logins or any other brute force attacks trying to get into your services
Some good advice there. Security is always about layers. If one layer is breached the next should take over. I have found that limiting the allowed from address to SSH can make a big difference in how many break-in attempts you see. Even if you don't have a static IP, your ISP will only have a limited range of IPs he can give you and you can allow only that range. It's also a good idea to use something like fail2ban. It automatically bans IPs that e.g. have a certain number of failed SSH login attempts. Works rather well :-)
Great video chuck. for ssh this is what I do . I change the port like you do but I lock it down so I can only ssh from my home ip address. ufw allow from to any port Even if your public ip address changes you can still ssh back in from the linode web console and change the firewall rules.
spent a few hours trying to get key auth to work, found out Chuck left a part out in the video. You need to add the private key to the ssh agent so your computer knows which key to use. In windows, do these commands: Set-Service ssh-agent -StartupType Automatic Start-Service ssh-agent ssh-add NOW you should be able to log in :)
Great video. On the linux servers I work on: Active Directory domain users; Certified with private and public key with password and 2FA with google-authenticator
One other thing I would suggest is editing /etc/hosts.allow and hosts.deny. I know you have ufw, but adding another layer will not damage anything. Make sure your passwd file is shadowed. I've been doing this since the 90's Any and every install get's that treatment.
Super useful. Followed all the steps in Arch Linux (some minor differences) in Linode (simpler to set up than AWS and less invasive than Azure at collecting personal data). This is really cool.
I don't manage Linux servers but this was so informative. I am a maker and have been looking to set up a server for my IoT devices and this is awesome to make sure my server isn't going to be hackable. AWESOME!! Thank you Chuck!!
one more thing i would like to add is to get the linpeas enumeration script on your server and enumerate it, then try to secure as many attack vectors it can find
@@Andremzsptm its a shell script that shows all possible ways to privesc (become root without knowing root pass basically) and with a quick google search you can find the github repo by carlospolop that has linpeas
if you have any issue getting linux-headers and unable to find the correct one - make sure to type in apt-cache search linux-headers and find the correct one for you. Thanks. Thank you again for another amazing video. !!!!!! You are amazing my friend. Continue to inspire people !
@JazzyOzzy What are you running on your server? These 5 things are a start on hardening but nowhere near being hardened to a security standard like NIST.
A good Linux tutorial by Chuck, yep these are the good measures discussed in this tutorial. I use ssl proxy (stunnel/nginx) to encapsulate SSH connection and also use SSLH to multiplex (more corrected ALPN based forwarding) ssl proxy encapsulated SSH connection through same port number as my web server (443).
If anybody is having issues like me and the SSH key still requires a login check the ~/.ssh/config file on both machines and make sure it's sending the id_rsa.pub key instead of a different one. For example, my macbook was sending an ED25519 key, so it would fail each time
Another great video Chuck, turns out I have already done most of these on my two linux VMs at home. Oh yeah and guess who just landed a new job as a Cloud Engineer ... ?
Many hackers use a bot to scan for port 22 and try a couple of common passwords, so moving to a different port is a very good defense against anything but a targeted attack.
@@thegalacticwarrior7113 good call, but then movong it in conjunction with deactivating root and disabling passwords is a bit of an overkill, isn't it? ;)
Please do more blue team stuff. Hacking into system as attacker is one thing, but at the end the whole idea of ethical hacking is to find vulnerability and then know how to secure them.
The activity in staring in a screen conglumerates that you want to have a correscending appleture of thought, recontextualizing the greatness that can be grown from that with the "Ryzen Five"
Auto updates- you make a great suggestion, but I have had automatic updates automatically break stuff... usually in the middle of the night or Friday at 4:30p.
I've had bad experiences with unattended updates, especially on a production server. They often tend to overwrite custom settings. For example, with PostgreSQL, an update might reset a custom database path, and similarly, Docker updates might alter the custom data path set for Docker.
@@asificam1 it's common practice in network security to block echo replies and not send unreachable. No reply means you don't exist period. But yes good point in this scenario since he spun up Apache
This was awesome. I am classes right now and we just went over ssh and private and public keys. This lab definitely helped reinforced my learning and best of all I now have a server.
All excellent with one nitpick: changing ssh port from 22 is sort of useless, as anyone who cares already has a port scanner and doesn't even bother checking just the default. (And, yeah, like others have said, I'd add fail2ban to the list, but that's for another video where you can talk through the details and reasons behind them.)
@@konev13thebeast I've got to admit, though, that changing the port reduces the size of the log files. Just out of curiosity, I swapped between 22 and 1234 (I think it was) a few times, and the frequency difference is enormous. Drive-bys on 22 are about 20-30/hour for me, fell to about 2-3/day with the non-standard port.
@@d00dEEE how important is it to monitor ssh logs unless theres a massive spike though? From my experiences from windows servers, firewall can handle most flooding issues fine. Genuine question Ive never touched a linux server before
Changing the SSH port will only take a script kiddy with nmap a few extra seconds to find. This also breaks some enterprise apps that are connecting via ssh to perform various audits. You would think it would be possible, but some apps cannot accept a different port for SSH, and you would require a separate service account for every non-standard ssh port you may have configured. Lets also factor in internal firewalls and routes between vlans.
sometimes nmap doesn't recognize an open port as an ssh port if it's not port 22 , it have personally happened to me , in my case nmap recognized an open ssh port on 8022 as an oa-system .. i'm not sure what that is. but looking it up on the internet didn't give me a good hint , and i was still able to use it because i know it's an ssh port. it might be a good layer of security to make your open port non usable unless you know what it's used for. let me know what you think
The hacker well still connect to your pc on miniport and it wont even tell you they change the code with python so it make it look like it working but is on..
I propose to leave the ssh port default to 22. Changing that is just security through obscurity. And people will anyhow portscan your device and find that port (eg. my ssh backend for gitea is on a random port, yet people from the Internet try to SSH-hack into that port, lol). The best practice anyhow would be, to only allow ssh over a VPN tunnel or use port-knocking to enable port 22 for a short timespan. And if you don't want to do that and still use port 22, add fail2ban and probably couple it with an SSH tarpit like endlessh, when they use (disabled) password auth.
So first off thank you so much Chuck for these. These are amazing. I am retired Navy and currently in HR but want to make the switch to IT. I LOVE computers but always got frustrated so I didn’t want to do it as a job, but learning makes it better. So I did this and followed your steps and secured my server. Problem is, I like to connected through terminus remotely from my IPhone/iPad. I would love a video how to add multiple authorization keys. I guess I could make multiple users each with their own key (user-iPad, or user-iPhone) but I was wondering how you would trackle multiple keys for one user. Also is it possible to stick the keys on. Thumb drive to use from another machine? I am reversing the steps because my dumb ass created keys on my windows machine for another server and overwrote the old keys *face palm* so now at am having trouble ssh’ing in.
Your could just copy the private key to your iPhone maybe idk how that works from iPhone but there is ssh clients for iPhone so in sure they have the option for adding keys
I tried this and Linode wouldn't apply the $100 discount and was going to charge me the full amount of $36/month. Dedicated 4 GB - lowest priced package per month. I watched the rest of your video and found it useful. Thank you!
@@mihaidoboga Port 717 is not a standardized port. It won‘t interfere with anything. If you want to check all important/standardized ports, checkout this site: en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
I'm watching it again for the 6th time. Running the few VPS I'm managing with the list and securing the new one while watching this video. Your energy is amazing and the sense of humor is awesome. Permit Root login - yes. ... NO ! ! ! !
Very informative video. It's a very big misconception that Linux systems are secure from hackers.. Everything with an operating system and a signal is not 100% secure..
Nice one Chuck, very cool starter............Side topic, I recently managed to also configure 2FA using the google pluggable authentication module (PAM). This increases the security in the sense that you would also need to have a token using apps like Authy or Google Authenticator. So if somehow hackers get access to your private key, well their stuck for a while due to missing 2FA. 👍
Respectfully, I think you missed the point for installing certificates AND disabling password logins. I suggest re-watching the video at th-cam.com/video/ZhMw53Ud2tY/w-d-xo.html and th-cam.com/video/ZhMw53Ud2tY/w-d-xo.html . Network Chuck is suggesting forcing the user(s) to use certificates AND disallow (simple) password logins. Since such a system forces the user to have a certificate installed AND can NOT log in via a simple password request there is no reason to use fail2ban. I've used fail2ban in the past - in fact, I was even -- initially -- thinking fail2ban would be a good addition to this video. However, in retrospect, using certs removes a user's/hacker's ability to brute force a password and, therefore, is not required. Peace. :) V/r
Openssh generating the key will create the folder, set the permission, you don't need to create the folder. On both side will create the .ssh automatically with the right permissions, if you are from Linux to Linux.
Great video! I've learned much things. You always explain the things simple and understandable. If you don't mind, I just saw that in the final step you've added existing rule at the top for the `--icmp-type echo-request -j DROP`. I've tested it with simply changing that rule at the bottom and it works. Is it for a reason done this way? Also after the `ufw reload`, I've tried with just restarting the ping and it worked - for this I thing there is no need to reboot the whole server, except if it is under some kind of attack already.
@@grapesalt no idea account was compromised. No less by someone that is a fool. Just which one of is? The fool who cannot spell whilst attacking someone or the fool who allowed the fool who cannot spell gain control of his account? Good question. Regardless, carry on nothing to see here.
Thanks so much for another great video. I signed up on Linode. This is my first web hosting as I am just starting to toy around with servers, websites, and such. Your videos are fantastic and I always learn a lot. Thank you.
Michael S. can you summarise fail2ban? I only know it from ZNC. I am googling it but I often appreciate the input from people who use it and recommend it. Thanks in advance !
@@danilodistefanis5990 its mostly for ip banning/time out's when it notices repeated login attemps. so you can make a 'jail' for lets say ssh login attempts
The best part of this is testing whether the website is accessible even though you knew that the firewall was going to be blocking port 80: expectations don't always match the reality of what will happen. That's how security bugs tend to be discovered. Just because something is expected to happen doesn't mean that it will happen so testing it doesn't hurt especially if it's something security related.
I completely agree with what Leo said here. This is why when I spin up a vm on linode everything is behind a VPN either openvpn or wireguard. I typically never leave anything exposed to the public internet. Or I write a ufw rule that only allows traffic from my home IP.
Nice video, but just changing the default ssh port doesn't make it that much harder for hackers to find the new ssh port. Nmap allows for service scan which will make your new ssh port be discovered very easily. That said, the tip about using a ssh key pair is indeed good practice :)
I just want to caution everyone from enabling automatic updates on production systems. The best practice is to use scheduled maintenance windows and to always test updates in a test/dev/QA environment before making changes to prod :)
Perhaps create cronjobs to update one a month
You're right. The ideal situation is using a repository host, whether that's something like Red Hat Satellite, Oracle Spacewalker, or using simple webserver which synchronizes repositories.
You then control your packages on the upstream, so that when they are downloaded by the host - only the packages that have been tested are applied.
This is how we automate patching - determine what updates we want > synchronise packages to repo host > create test environment to mimic prod > schedule ansible jobs via Tower to auto patch test hosts with smoke tests > when smoke tests pass, execute job on prod > run smoke tests, and if it fails, execute a job to undo the patch.
Yes. I can't stress this enough. Upgrade on other environment first and test everything first.
This is a BS channel for wannabee network/linux/ansible people with bloated headlines and an eyecandy editing, he barely had any real life experience with these stuff, most of the stuff he teaches about are from official rtd.
@@viktatororban4407 Everything you listed is exactly what's appropriate to teach beginners and for enthusiasts to communicate to them. Beginners need enthusiasm to draw them onto the path of becoming an expert.
Won 20 bucks in a networking class.
Another student told me he could get into any computer remotely.
I accepted his challenge and turned off my network card in the drivers.
He was pissed.
Priceless..
🤣
😂😂😂
I bet that no-one can kill you after you've committed suicide*
clever...
Definitely one of the top 3 videos of all time to date... changing TCP ports, encrypted authentication, and disabling ping. Love it... Thanks again Chuck!
Great video. I am Gonna subs.
You should use "apt upgrade" instead of "apt dist-upgrade" as the latter might also remove packages or change things in the system which might break your applications. "dist-upgrade" should be used if you want to upgrade to a new release of the distro, not if you just want the latest versions of your packages in order to get security fixes.
As a security professional I really found this video to be of good quality. You were to the point, informative but not overbearing, engaging while being authentic. Keep up the great work! ❤ 😍
He's literally the only TH-camr that breaks it down enough to where even my bricked brain understands
The way you deliver content is outstanding. English is my second language, but you somehow manage to be quick, to the point, and very understandable. Kudos. Fantastic work.
Same here! All of his videos are really understandable and easy to learn.
Brilliant. Coming from a person who is very comfortable with Linux, is so nice to see the simple security aspects covered. And I always love how enthusiastic you are, making I.T fun!! Big fan here, over in London /UK! Keep it up, and great to see your channel growing as well. Keep you fed :)
Thank you 😊
Chucks the man but I've always wondered how much coffee he really drinks everyday.
Can u do videos on selinux but with a different twist@@NetworkChuck
Perfect timing, man! Just fired up my first Linux server this week!
How did it go? What distro?
Just as a correction
for macOS the command ssh-copy-id @ does also work.
Linode, just to tell you - A really good choice for sponsorship! Keep going, his style is a remarkable combination of useful information and energetic hype!
20:41 - The line was already there (the last entry in that section). All he had to do was change the ACCEPT to DROP. ICMP ping may be blocked but hackers can still find his server using the nmap utility. Great video though. Love the channel!
It seems standard IT advice is to replace the password in ssh with the RSA key, but this thinking, I feel, is wrong. I would only do that if it was intranet only and I was feeling lazy. You can, and it's much better to, use both! What if a machine that had your RSA private key somehow gets compromised (I for one have multiple some of which are portable)? You would be done. Yes you can put a passphrase on the private key, but you are just buying yourself time, if you even know it was compromised in the first place. Having the password as well is a simple way to have MFA which is a must for any server you have on the internet. The RSA key is the thing you have, coupled with the thing you know i.e. password. Setup fail2ban on SSH, to protect against simple brute force, and you got a fairly strong setup. Even better is what I do and setup Google Authenticator on on that SSH stack, but I'll admit that maybe overkill :).
Also another bit of SSH advice is make it so the SSH user has no administrative powers, don't even put them in the sudoers group. Remember sudo allows administrative privilege with the same password used to login. Once you login, you should elevate your privilege by using su to the an administrator account (someone who is in sudoers). This is the way cisco switches are by default and it's good practice.
Security in layers :)
Add a layer of security with encrypting your home folder/even better your whole machine with luks. Loose it? The attacker will see nothing.
Yeah even that could be hacked (extremly hard) but it makes it harder and add a layer.
This was great. I've just passed my Linux essentials exam and this helped learn a bit more about security. Btw, reloading the firewall did do the trick in my server. I didn't have to reboot .
Just to be clear I love your videos. They are very informative and well produced. But I have to add some commentary on what you just showed (from a perspective of a professional pentester):
- Although updates are crucial like you explained an automated update mechanism (even if it is just the stables) might break something upon updating. So you might consider automatic updates a risk depending on your situation.
- The mac command to copy your public key to the server will also work on linux the exact same way (although your command is shorter and easier to remember)
- Using a password upon generation of your key pair is recommended. So when your private key is getting hacked somehow it will be useless if the password is not easily guessable
- In general just use strong (random) passwords and store them in a safe location like a password store.
- Changing the port of your ssh listener is just security by obscurity. Any port scanner using a service scan can show you that ssh is listening on port 717 (like for example nmap -sSV ...)
- Deactivating ping once again is security by obscurity. Nmap has the flag -Pn which will scan your ip address no matter if the server answers to a ping or not.
Other than that your counter measures are very well designed and really good explained. Thanks for sharing that content.
Oh my god, I need this so much, thanks you!!!!
Edit: I need more... Moooreee. Lol, jokes away, I really like to see more about firewall managing. Great video, thanks!
network chuck, i want you to networkfuq me.
Linux primarily relies on nftables and ip tables as the backend to their firewalls. Modern distros based on Ubuntu use ufw, while modern Red Hat based distros use firewalld.
I personally prefer firewalld, but both are firewalls and can be configured to how you want (I find firewalld can be customised much more heavily). In most production on prem and cloud environments in the enterprise you'll have dedicated virtualised or hardware firewalls in between each network of hosts that further regulates traffic through firewall rules. Usually these rules are more lenient, while the software firewall rules act as more specific rules specific to the host.
You can read more about them here: wiki.ubuntu.com/UncomplicatedFirewall
firewalld.org/documentation/
@14:08
PasswordAuthentication no is not enough to disable password for ssh login.
Make sure to set ChallengeResponseAuthentication no as well
12:41 "...and then I'll use my favorite text editor..."
Don't say VIM!
"Nano..."
*huge sigh of relief*
What's wrong with vim?
Gedit
actually i really prefer vim since things like ctrl+x and etc might not behave correctly sometimes specially when used in ssh sessions in bash
@@mohsenmirzaei3347 thanks for that explanation I didn't know that
@Premlez I learned VIM after awhile but because of the panic and embarrassment I suffered at the beginning I prefer nano.
Good starting guide and well explained, still missing tons of hardening activities, for example unattended upgrades and other. But I guess these things are better than what 90% of the folks implement out there so it's not about out-running the hungry lion, just running faster than the guy behind you...
I have another suggestion tho. there's a firewall option that allows your port to be neither "open" nor "closed" .. but instead "filtered" , making your server accepts incoming connections only from a known ip adress. it might not be useful for everyone since not everyone have static ip adresses. but hey, if you do, then that's just the best layer of security you might add to your server.
i love the "warning" it gives when adding users not as root - with great power comes great responsibility
ufw by default allow established connections, that's why reloading ufw is not helping. you need to drop all established connections, what reboot does.
I use FirewallD but I'm not sure if it's better though. I'm not running a server, just desktop for home use.
@@wakeupNeo_ I don't think either one is better, they're just different. The biggest difference I've seen is that ufw seems to be easier at command line, but firewalld is easier with Ansible. At least until ufw gets an Ansible module (it might have already).
@@wakeupNeo_ ufw can also limit access to a certain port. For example, you can prevent someone from brute forcing port 22 by limiting the connection to 2 connections per 30 seconds.
@@明智吾郎-e4b yeah I switched to ufw now and blocked access to port 22. You can probably do this with firewalld but ufw much more easy to use.
I would always recommend protecting your private key. A private key with no protections on it is more commonly referred to as a back door. You can password protect your private key. Passwords are only useless in Windows these days, since Microsoft refuses to stop using unsalted MD4. Cracking a password for a 4096 bit RSA key, or a SHA512 hash? Yeah. Let me know how that works out for you. If you use a godawful password, sure, it can be done. If you take any steps to make a somewhat decent password, chances are extremely unlikely that someone's going to crack it.
However, if you're taking all of these steps to secure your Linux boxen anyway, might as well step it up a notch. Get you a Yubikey, and use it to protect your private key, or use it as a 2nd factor. Yubico has some great documentation. Probably the hardest part about doing it is selecting which method you want to go with, since Yubikeys are extremely flexible.
For mac you can use ssh-copy-id as well!
Nice, Thanks!
I've broken like 5 virtual machines already so far on this journey haha. I love this channel.
I've literally taken my SD card out of my raspberry pi and reinstalled Ubuntu Server with the pi imager several times.
3:53 "Coffee break"
Puts an ad
21:22 "Coffee break"
Puts another ad
Yeah, Coffee gives you lots of money.
@@b07x 😂
Yeah man 👍
Looks like you haven't implemented his pihole video ;)
hes definitely getting carried away with this shit....but man his videos are so good w/e
@networkchuck.. Thank you for this video! I know this is an older video but I needed to secure my ubuntu server and stumbled onto this gem. A couple of things. First... This is probably the best 1-2-3 video for securing Linux I've ever seen. It was presented in a fun way and your on camera presence kept it interesting and at the right technical level. It was neither too technical nor too basic. Just amazing info. Also, I am genuinely jealous of your epic beard. ;) Hope you keep posting great content.
Steps 1-4 I can understand and recommend too but the ping part in step 5 is just so unnecessary in my opinion.
Sure you can block pings but any "good" hacker has many other tools to check if your server is still running (ahem.... nmap... ahem)
I would also recommend any linux admin to install and set up at leas a basic fail2ban config to automatically block any recurring SSH logins or any other brute force attacks trying to get into your services
Some good advice there. Security is always about layers. If one layer is breached the next should take over.
I have found that limiting the allowed from address to SSH can make a big difference in how many break-in attempts you see. Even if you don't have a static IP, your ISP will only have a limited range of IPs he can give you and you can allow only that range.
It's also a good idea to use something like fail2ban. It automatically bans IPs that e.g. have a certain number of failed SSH login attempts. Works rather well :-)
Great recommendations, Madeye.
Great video chuck. for ssh this is what I do . I change the port like you do but I lock it down so I can only ssh from my home ip address. ufw allow from to any port Even if your public ip address changes you can still ssh back in from the linode web console and change the firewall rules.
That’s a great step. Very secure.
spent a few hours trying to get key auth to work, found out Chuck left a part out in the video. You need to add the private key to the ssh agent so your computer knows which key to use. In windows, do these commands:
Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent
ssh-add
NOW you should be able to log in :)
8:14 - "chmod" actually stands for "change mode" intead of "change modification"
if this is not one of the most essential (and well done) Linux 101 videos, I don't know what is
also, just ordered a Study Hoodie -- your rock Chuck!
Also a million Chuck! You well deserve it!
Great video.
On the linux servers I work on:
Active Directory domain users;
Certified with private and public key with password
and 2FA with google-authenticator
Automatic updates? Untested updates in a production environment?
yes you are correct!
@@thelearner761 I too was about to address that point. Good call Ezra & The Learner
One other thing I would suggest is editing /etc/hosts.allow and hosts.deny.
I know you have ufw, but adding another layer will not damage anything.
Make sure your passwd file is shadowed.
I've been doing this since the 90's
Any and every install get's that treatment.
how do you do that? where do you guys learn this all?
13:48 this cracked me up 😂 Loved the tutorial. I'm gonna recommend it in my next video 👍
Can you please do a v2 of these security include more security like fail2ban, snort and even a .bashrc email alert when someone logged in ?
Super useful. Followed all the steps in Arch Linux (some minor differences) in Linode (simpler to set up than AWS and less invasive than Azure at collecting personal data). This is really cool.
I don't manage Linux servers but this was so informative. I am a maker and have been looking to set up a server for my IoT devices and this is awesome to make sure my server isn't going to be hackable. AWESOME!! Thank you Chuck!!
one more thing i would like to add is to get the linpeas enumeration script on your server and enumerate it, then try to secure as many attack vectors it can find
What is that?
@@Andremzsptm its a shell script that shows all possible ways to privesc (become root without knowing root pass basically) and with a quick google search you can find the github repo by carlospolop that has linpeas
@@ladyViviaen that's really nice. Thanks
Is it a script like Lynis?
@@Gunslinger088 from what i saw on google lynis is more overall security scans and whatnot while linpeas only scans for privesc weaknesses
Instructions unclear. Logged into Chuck's personal PC and traumatized by photo directory.
$HOME also works as shorthand for your own user directory in Windows 10
%userprofile% is the one that tends to work across the board in windows
if you have any issue getting linux-headers and unable to find the correct one - make sure to type in apt-cache search linux-headers and find the correct one for you. Thanks. Thank you again for another amazing video. !!!!!! You are amazing my friend. Continue to inspire people !
Exactly what I need
@JazzyOzzy What are you running on your server? These 5 things are a start on hardening but nowhere near being hardened to a security standard like NIST.
I always automatic update my servers and never see anyone talking about this (even in "how to security")
Quality content++
How do you update it automatically? unattended-upgrades?
A good Linux tutorial by Chuck, yep these are the good measures discussed in this tutorial.
I use ssl proxy (stunnel/nginx) to encapsulate SSH connection and also use SSLH to multiplex (more corrected ALPN based forwarding) ssl proxy encapsulated SSH connection through same port number as my web server (443).
If anybody is having issues like me and the SSH key still requires a login
check the ~/.ssh/config file on both machines and make sure it's sending the id_rsa.pub key instead of a different one. For example, my macbook was sending an ED25519 key, so it would fail each time
Another great video Chuck, turns out I have already done most of these on my two linux VMs at home. Oh yeah and guess who just landed a new job as a Cloud Engineer ... ?
In min 20:52 shouldn't we comment the fifth line?
-A ufw-before-input -p -icmp --icmp-type echo-request -j ACCEPT
Great video by the way!
Is moving port 22 elsewhere really any good when nmap exists?
Many hackers use a bot to scan for port 22 and try a couple of common passwords, so moving to a different port is a very good defense against anything but a targeted attack.
@@thegalacticwarrior7113 good call, but then movong it in conjunction with deactivating root and disabling passwords is a bit of an overkill, isn't it? ;)
@@maciejkokot8396 I have an ssh server on the open internet; I'm not taking any chances.
I think a good thing to add would be "ufw limit [ssh port]" to protect from ssh bruteforce attacks as well
Whenever "Chuck" says coffee break, I drink a beer. Cheers.
Thats like 20 beers per episode. I think you might have a problem, but who am I to judge.
12:45 "etsie" is one of my favourite Linux-typical-directory nick names😄
Please do more blue team stuff. Hacking into system as attacker is one thing, but at the end the whole idea of ethical hacking is to find vulnerability and then know how to secure them.
The activity in staring in a screen conglumerates that you want to have a correscending appleture of thought, recontextualizing the greatness that can be grown from that with the "Ryzen Five"
Awesome tutorial, chuck. You are the man! Thanks for all that you do to help us newbies.
Just released my own SaaS and now I'm trying to make it more secure 😁
Auto updates- you make a great suggestion, but I have had automatic updates automatically break stuff... usually in the middle of the night or Friday at 4:30p.
For basic servers auto updates should be ok. However, when you have stuffs like MariaDB, PHP, python and etc things can break.
I've had bad experiences with unattended updates, especially on a production server. They often tend to overwrite custom settings. For example, with PostgreSQL, an update might reset a custom database path, and similarly, Docker updates might alter the custom data path set for Docker.
Good job dude. i hope you do a video about forensics one day
Great video chuck. I'm gonna do this on all of my Linux boxes from now on.
Doesn't help. It's snake oil.
Nice Video 👍. I would recommend Lynis to audit the system.
Most coolest thing other than hacking is the Coffee Break 🔥🔥🔥🔥🔥🔥
I miss the twitch live streams
"Connection refused" is still saying "im here, scan my ports"
@@asificam1 it's common practice in network security to block echo replies and not send unreachable. No reply means you don't exist period. But yes good point in this scenario since he spun up Apache
It only slows hackers down rather like a locked door..
Criminals just go through Windows!
What is the general consensus/opinions of Port knocking or Single Packet Authorization (FWKNOP) to keep ports closed until actively ready to use?
I've got my 1st server and checked out everything you showd us. Fine, it work. Hungry to learn more... Keep up with this great work
How is it going so far after a year
This was awesome. I am classes right now and we just went over ssh and private and public keys. This lab definitely helped reinforced my learning and best of all I now have a server.
The comments are allways great on Network Chuck's videos. Thanks for the content too..
All excellent with one nitpick: changing ssh port from 22 is sort of useless, as anyone who cares already has a port scanner and doesn't even bother checking just the default. (And, yeah, like others have said, I'd add fail2ban to the list, but that's for another video where you can talk through the details and reasons behind them.)
Looked through the comments specifically for someone that agreed on this point
@@konev13thebeast I've got to admit, though, that changing the port reduces the size of the log files. Just out of curiosity, I swapped between 22 and 1234 (I think it was) a few times, and the frequency difference is enormous. Drive-bys on 22 are about 20-30/hour for me, fell to about 2-3/day with the non-standard port.
@@d00dEEE how important is it to monitor ssh logs unless theres a massive spike though? From my experiences from windows servers, firewall can handle most flooding issues fine. Genuine question Ive never touched a linux server before
Changing the SSH port will only take a script kiddy with nmap a few extra seconds to find. This also breaks some enterprise apps that are connecting via ssh to perform various audits. You would think it would be possible, but some apps cannot accept a different port for SSH, and you would require a separate service account for every non-standard ssh port you may have configured. Lets also factor in internal firewalls and routes between vlans.
sometimes nmap doesn't recognize an open port as an ssh port if it's not port 22 , it have personally happened to me , in my case nmap recognized an open ssh port on 8022 as an oa-system .. i'm not sure what that is. but looking it up on the internet didn't give me a good hint , and i was still able to use it because i know it's an ssh port. it might be a good layer of security to make your open port non usable unless you know what it's used for. let me know what you think
How to be unhackable: do not connect to the internet.
Just don't use a computer
Just
J
The hacker well still connect to your pc on miniport and it wont even tell you they change the code with python so it make it look like it working but is on..
Could you make a video on how a hacker could break through this security?
Good tips, simple to implement and well explained. Thank you!
I propose to leave the ssh port default to 22. Changing that is just security through obscurity. And people will anyhow portscan your device and find that port (eg. my ssh backend for gitea is on a random port, yet people from the Internet try to SSH-hack into that port, lol). The best practice anyhow would be, to only allow ssh over a VPN tunnel or use port-knocking to enable port 22 for a short timespan. And if you don't want to do that and still use port 22, add fail2ban and probably couple it with an SSH tarpit like endlessh, when they use (disabled) password auth.
So first off thank you so much Chuck for these. These are amazing. I am retired Navy and currently in HR but want to make the switch to IT. I LOVE computers but always got frustrated so I didn’t want to do it as a job, but learning makes it better. So I did this and followed your steps and secured my server. Problem is, I like to connected through terminus remotely from my IPhone/iPad. I would love a video how to add multiple authorization keys. I guess I could make multiple users each with their own key (user-iPad, or user-iPhone) but I was wondering how you would trackle multiple keys for one user. Also is it possible to stick the keys on. Thumb drive to use from another machine? I am reversing the steps because my dumb ass created keys on my windows machine for another server and overwrote the old keys *face palm* so now at am having trouble ssh’ing in.
Your could just copy the private key to your iPhone maybe idk how that works from iPhone but there is ssh clients for iPhone so in sure they have the option for adding keys
I tried this and Linode wouldn't apply the $100 discount and was going to charge me the full amount of $36/month. Dedicated 4 GB - lowest priced package per month. I watched the rest of your video and found it useful. Thank you!
Nice video! But you should have used a port number above 1024 :)
Why?
@@sterling1989 Because port numbers in the range 0 - 1023 are the well-known ports (system ports) which are mainly used by system processes.
@@mihaidoboga Port 717 is not a standardized port. It won‘t interfere with anything. If you want to check all important/standardized ports, checkout this site: en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
I'm watching it again for the 6th time. Running the few VPS I'm managing with the list and securing the new one while watching this video.
Your energy is amazing and the sense of humor is awesome.
Permit Root login - yes.
...
NO ! ! ! !
Very informative video. It's a very big misconception that Linux systems are secure from hackers.. Everything with an operating system and a signal is not 100% secure..
21:10 No need for whole system to reboot, just type: sudo ufw disable && sudo ufw enable
Maybe you can also make an Video to take the SSH Security to the next Level with fail2ban and totp authentication😉, would be nice to see this.
Fail2ban is nice!
Or SSH tarpit
@@abanoubmelad2919 GO 127.0.0.1
Port knocking or it's successor single packet authorization (fwknop)
this would be really nice to have this also explaind to go another step ahead.
Nice one Chuck, very cool starter............Side topic, I recently managed to also configure 2FA using the google pluggable authentication module (PAM). This increases the security in the sense that you would also need to have a token using apps like Authy or Google Authenticator. So if somehow hackers get access to your private key, well their stuck for a while due to missing 2FA. 👍
I think fail2ban is even more important than ufw
I was gonna say add fail2ban and apparmor or selinux and set those up
Tried it. Instead of having 1000 brute force attempts from 50 ips, I got 1000 brute force attempts from 350 different ips. Now I had 300+ ip blocked
Thanks Chuck. Can you also make a video about SELinux? How that works with some examples?
Respectfully, I think you missed the point for installing certificates AND disabling password logins. I suggest re-watching the video at th-cam.com/video/ZhMw53Ud2tY/w-d-xo.html and th-cam.com/video/ZhMw53Ud2tY/w-d-xo.html .
Network Chuck is suggesting forcing the user(s) to use certificates AND disallow (simple) password logins. Since such a system forces the user to have a certificate installed AND can NOT log in via a simple password request there is no reason to use fail2ban. I've used fail2ban in the past - in fact, I was even -- initially -- thinking fail2ban would be a good addition to this video. However, in retrospect, using certs removes a user's/hacker's ability to brute force a password and, therefore, is not required. Peace. :)
V/r
Agreed
Openssh generating the key will create the folder, set the permission, you don't need to create the folder. On both side will create the .ssh automatically with the right permissions, if you are from Linux to Linux.
Don't forget fail2ban as well.
Yeah. Fail2bain is a must have I think.
BETTER explanation than my linux teacher. Excellent bro 👊🏼
I AM A BIG FAN OF YOU.I HAVE LEARNED A LOT OF THINGS BY YOU.YOU ARE A GREAT TEACHER FOR ME....
BTW CAN I GET A HEART FROM NETWORK CHUCK??
Not seeing anyone mention it, but that 'weird squiggly key' for those who don't know, is called the 'Tilde' key.
---> ~
Great video! I've learned much things. You always explain the things simple and understandable.
If you don't mind, I just saw that in the final step you've added existing rule at the top for the `--icmp-type echo-request -j DROP`. I've tested it with simply changing that rule at the bottom and it works. Is it for a reason done this way?
Also after the `ufw reload`, I've tried with just restarting the ping and it worked - for this I thing there is no need to reboot the whole server, except if it is under some kind of attack already.
The only reason why i come back to watch your videos i seem to learn new things, commands, and get up to date with my passion for techstuff
PowerShell is sooo two months ago. Windows Terminal is all the rage now.
Sounds legit.
@@alexandertheepic7572 tf you saying bro?
@@grapesalt no idea
account was compromised. No less by someone that is a fool. Just which one of is? The fool who cannot spell whilst attacking someone or the fool who allowed the fool who cannot spell gain control of his account? Good question. Regardless, carry on nothing to see here.
Thanks so much for another great video. I signed up on Linode. This is my first web hosting as I am just starting to toy around with servers, websites, and such. Your videos are fantastic and I always learn a lot. Thank you.
Next step : fail2ban, then Cloudflare.
fail2ban is such a necessity
Michael S. can you summarise fail2ban? I only know it from ZNC. I am googling it but I often appreciate the input from people who use it and recommend it. Thanks in advance !
@@danilodistefanis5990 its mostly for ip banning/time out's when it notices repeated login attemps. so you can make a 'jail' for lets say ssh login attempts
I’ve learned so much from chuck. Became a coding teacher and now learn great instructional etiquette through chuck. Thank you so much haha
The best part of this is testing whether the website is accessible even though you knew that the firewall was going to be blocking port 80: expectations don't always match the reality of what will happen. That's how security bugs tend to be discovered. Just because something is expected to happen doesn't mean that it will happen so testing it doesn't hurt especially if it's something security related.
I completely agree with what Leo said here. This is why when I spin up a vm on linode everything is behind a VPN either openvpn or wireguard. I typically never leave anything exposed to the public internet. Or I write a ufw rule that only allows traffic from my home IP.
2 factor auth! It can elevate your security by quite a bit and even potentially give you a heads up when someone is trying to break their way in
I thought I'm gonna learn a new tricks, I guess I already done with all of that setup
add one time pad encrption to your network its hackable
@@scott32714keiser 2FA
I just code for fun I'm nobody professional
Oh, I kinda like the padlock & the little key drew on the screen. Much appreciated!
Nice video, but just changing the default ssh port doesn't make it that much harder for hackers to find the new ssh port. Nmap allows for service scan which will make your new ssh port be discovered very easily. That said, the tip about using a ssh key pair is indeed good practice :)
True, but with 65535 ports and a 3 or 5 attempt ip banhammer, you can decrease your risk by a reasonable margin.
Using this on my RazPi!!! Great content as always.!!!
Awesome! And thank you.