Won 20 bucks in a networking class. Another student told me he could get into any computer remotely. I accepted his challenge and turned off my network card in the drivers. He was pissed.
I just want to caution everyone from enabling automatic updates on production systems. The best practice is to use scheduled maintenance windows and to always test updates in a test/dev/QA environment before making changes to prod :)
You're right. The ideal situation is using a repository host, whether that's something like Red Hat Satellite, Oracle Spacewalker, or using simple webserver which synchronizes repositories. You then control your packages on the upstream, so that when they are downloaded by the host - only the packages that have been tested are applied. This is how we automate patching - determine what updates we want > synchronise packages to repo host > create test environment to mimic prod > schedule ansible jobs via Tower to auto patch test hosts with smoke tests > when smoke tests pass, execute job on prod > run smoke tests, and if it fails, execute a job to undo the patch.
This is a BS channel for wannabee network/linux/ansible people with bloated headlines and an eyecandy editing, he barely had any real life experience with these stuff, most of the stuff he teaches about are from official rtd.
@@viktatororban4407 Everything you listed is exactly what's appropriate to teach beginners and for enthusiasts to communicate to them. Beginners need enthusiasm to draw them onto the path of becoming an expert.
Definitely one of the top 3 videos of all time to date... changing TCP ports, encrypted authentication, and disabling ping. Love it... Thanks again Chuck!
You should use "apt upgrade" instead of "apt dist-upgrade" as the latter might also remove packages or change things in the system which might break your applications. "dist-upgrade" should be used if you want to upgrade to a new release of the distro, not if you just want the latest versions of your packages in order to get security fixes.
As a security professional I really found this video to be of good quality. You were to the point, informative but not overbearing, engaging while being authentic. Keep up the great work! ❤ 😍
20:41 - The line was already there (the last entry in that section). All he had to do was change the ACCEPT to DROP. ICMP ping may be blocked but hackers can still find his server using the nmap utility. Great video though. Love the channel!
The way you deliver content is outstanding. English is my second language, but you somehow manage to be quick, to the point, and very understandable. Kudos. Fantastic work.
Brilliant. Coming from a person who is very comfortable with Linux, is so nice to see the simple security aspects covered. And I always love how enthusiastic you are, making I.T fun!! Big fan here, over in London /UK! Keep it up, and great to see your channel growing as well. Keep you fed :)
It seems standard IT advice is to replace the password in ssh with the RSA key, but this thinking, I feel, is wrong. I would only do that if it was intranet only and I was feeling lazy. You can, and it's much better to, use both! What if a machine that had your RSA private key somehow gets compromised (I for one have multiple some of which are portable)? You would be done. Yes you can put a passphrase on the private key, but you are just buying yourself time, if you even know it was compromised in the first place. Having the password as well is a simple way to have MFA which is a must for any server you have on the internet. The RSA key is the thing you have, coupled with the thing you know i.e. password. Setup fail2ban on SSH, to protect against simple brute force, and you got a fairly strong setup. Even better is what I do and setup Google Authenticator on on that SSH stack, but I'll admit that maybe overkill :). Also another bit of SSH advice is make it so the SSH user has no administrative powers, don't even put them in the sudoers group. Remember sudo allows administrative privilege with the same password used to login. Once you login, you should elevate your privilege by using su to the an administrator account (someone who is in sudoers). This is the way cisco switches are by default and it's good practice. Security in layers :)
Add a layer of security with encrypting your home folder/even better your whole machine with luks. Loose it? The attacker will see nothing. Yeah even that could be hacked (extremly hard) but it makes it harder and add a layer.
Linode, just to tell you - A really good choice for sponsorship! Keep going, his style is a remarkable combination of useful information and energetic hype!
Just to be clear I love your videos. They are very informative and well produced. But I have to add some commentary on what you just showed (from a perspective of a professional pentester): - Although updates are crucial like you explained an automated update mechanism (even if it is just the stables) might break something upon updating. So you might consider automatic updates a risk depending on your situation. - The mac command to copy your public key to the server will also work on linux the exact same way (although your command is shorter and easier to remember) - Using a password upon generation of your key pair is recommended. So when your private key is getting hacked somehow it will be useless if the password is not easily guessable - In general just use strong (random) passwords and store them in a safe location like a password store. - Changing the port of your ssh listener is just security by obscurity. Any port scanner using a service scan can show you that ssh is listening on port 717 (like for example nmap -sSV ...) - Deactivating ping once again is security by obscurity. Nmap has the flag -Pn which will scan your ip address no matter if the server answers to a ping or not. Other than that your counter measures are very well designed and really good explained. Thanks for sharing that content.
I have another suggestion tho. there's a firewall option that allows your port to be neither "open" nor "closed" .. but instead "filtered" , making your server accepts incoming connections only from a known ip adress. it might not be useful for everyone since not everyone have static ip adresses. but hey, if you do, then that's just the best layer of security you might add to your server.
Good starting guide and well explained, still missing tons of hardening activities, for example unattended upgrades and other. But I guess these things are better than what 90% of the folks implement out there so it's not about out-running the hungry lion, just running faster than the guy behind you...
Oh my god, I need this so much, thanks you!!!! Edit: I need more... Moooreee. Lol, jokes away, I really like to see more about firewall managing. Great video, thanks!
Linux primarily relies on nftables and ip tables as the backend to their firewalls. Modern distros based on Ubuntu use ufw, while modern Red Hat based distros use firewalld. I personally prefer firewalld, but both are firewalls and can be configured to how you want (I find firewalld can be customised much more heavily). In most production on prem and cloud environments in the enterprise you'll have dedicated virtualised or hardware firewalls in between each network of hosts that further regulates traffic through firewall rules. Usually these rules are more lenient, while the software firewall rules act as more specific rules specific to the host. You can read more about them here: wiki.ubuntu.com/UncomplicatedFirewall firewalld.org/documentation/
This was great. I've just passed my Linux essentials exam and this helped learn a bit more about security. Btw, reloading the firewall did do the trick in my server. I didn't have to reboot .
I would always recommend protecting your private key. A private key with no protections on it is more commonly referred to as a back door. You can password protect your private key. Passwords are only useless in Windows these days, since Microsoft refuses to stop using unsalted MD4. Cracking a password for a 4096 bit RSA key, or a SHA512 hash? Yeah. Let me know how that works out for you. If you use a godawful password, sure, it can be done. If you take any steps to make a somewhat decent password, chances are extremely unlikely that someone's going to crack it. However, if you're taking all of these steps to secure your Linux boxen anyway, might as well step it up a notch. Get you a Yubikey, and use it to protect your private key, or use it as a 2nd factor. Yubico has some great documentation. Probably the hardest part about doing it is selecting which method you want to go with, since Yubikeys are extremely flexible.
spent a few hours trying to get key auth to work, found out Chuck left a part out in the video. You need to add the private key to the ssh agent so your computer knows which key to use. In windows, do these commands: Set-Service ssh-agent -StartupType Automatic Start-Service ssh-agent ssh-add NOW you should be able to log in :)
@networkchuck.. Thank you for this video! I know this is an older video but I needed to secure my ubuntu server and stumbled onto this gem. A couple of things. First... This is probably the best 1-2-3 video for securing Linux I've ever seen. It was presented in a fun way and your on camera presence kept it interesting and at the right technical level. It was neither too technical nor too basic. Just amazing info. Also, I am genuinely jealous of your epic beard. ;) Hope you keep posting great content.
Great video. On the linux servers I work on: Active Directory domain users; Certified with private and public key with password and 2FA with google-authenticator
Great video chuck. for ssh this is what I do . I change the port like you do but I lock it down so I can only ssh from my home ip address. ufw allow from to any port Even if your public ip address changes you can still ssh back in from the linode web console and change the firewall rules.
if you have any issue getting linux-headers and unable to find the correct one - make sure to type in apt-cache search linux-headers and find the correct one for you. Thanks. Thank you again for another amazing video. !!!!!! You are amazing my friend. Continue to inspire people !
One other thing I would suggest is editing /etc/hosts.allow and hosts.deny. I know you have ufw, but adding another layer will not damage anything. Make sure your passwd file is shadowed. I've been doing this since the 90's Any and every install get's that treatment.
@@wakeupNeo_ I don't think either one is better, they're just different. The biggest difference I've seen is that ufw seems to be easier at command line, but firewalld is easier with Ansible. At least until ufw gets an Ansible module (it might have already).
@@wakeupNeo_ ufw can also limit access to a certain port. For example, you can prevent someone from brute forcing port 22 by limiting the connection to 2 connections per 30 seconds.
I don't manage Linux servers but this was so informative. I am a maker and have been looking to set up a server for my IoT devices and this is awesome to make sure my server isn't going to be hackable. AWESOME!! Thank you Chuck!!
Steps 1-4 I can understand and recommend too but the ping part in step 5 is just so unnecessary in my opinion. Sure you can block pings but any "good" hacker has many other tools to check if your server is still running (ahem.... nmap... ahem) I would also recommend any linux admin to install and set up at leas a basic fail2ban config to automatically block any recurring SSH logins or any other brute force attacks trying to get into your services
Some good advice there. Security is always about layers. If one layer is breached the next should take over. I have found that limiting the allowed from address to SSH can make a big difference in how many break-in attempts you see. Even if you don't have a static IP, your ISP will only have a limited range of IPs he can give you and you can allow only that range. It's also a good idea to use something like fail2ban. It automatically bans IPs that e.g. have a certain number of failed SSH login attempts. Works rather well :-)
Super useful. Followed all the steps in Arch Linux (some minor differences) in Linode (simpler to set up than AWS and less invasive than Azure at collecting personal data). This is really cool.
I tried this and Linode wouldn't apply the $100 discount and was going to charge me the full amount of $36/month. Dedicated 4 GB - lowest priced package per month. I watched the rest of your video and found it useful. Thank you!
I'm watching it again for the 6th time. Running the few VPS I'm managing with the list and securing the new one while watching this video. Your energy is amazing and the sense of humor is awesome. Permit Root login - yes. ... NO ! ! ! !
The hacker well still connect to your pc on miniport and it wont even tell you they change the code with python so it make it look like it working but is on..
one more thing i would like to add is to get the linpeas enumeration script on your server and enumerate it, then try to secure as many attack vectors it can find
@@Andremzsptm its a shell script that shows all possible ways to privesc (become root without knowing root pass basically) and with a quick google search you can find the github repo by carlospolop that has linpeas
The activity in staring in a screen conglumerates that you want to have a correscending appleture of thought, recontextualizing the greatness that can be grown from that with the "Ryzen Five"
Please do more blue team stuff. Hacking into system as attacker is one thing, but at the end the whole idea of ethical hacking is to find vulnerability and then know how to secure them.
Another great video Chuck, turns out I have already done most of these on my two linux VMs at home. Oh yeah and guess who just landed a new job as a Cloud Engineer ... ?
I don't know if anyone else commented on this but you want to also NOT permit empty passwords, it's selected by default to "no" but just encase so ppl will know. /etc/ssh/sshd_config PermitEmptyPasswords no
thanks a lot network chuck. Did these steps in an Oracle server, broke it real nice like. no really, thanks, Chuck you have taught me a lot but cost me countless hours fix'n things i broke.
All excellent with one nitpick: changing ssh port from 22 is sort of useless, as anyone who cares already has a port scanner and doesn't even bother checking just the default. (And, yeah, like others have said, I'd add fail2ban to the list, but that's for another video where you can talk through the details and reasons behind them.)
@@konev13thebeast I've got to admit, though, that changing the port reduces the size of the log files. Just out of curiosity, I swapped between 22 and 1234 (I think it was) a few times, and the frequency difference is enormous. Drive-bys on 22 are about 20-30/hour for me, fell to about 2-3/day with the non-standard port.
@@d00dEEE how important is it to monitor ssh logs unless theres a massive spike though? From my experiences from windows servers, firewall can handle most flooding issues fine. Genuine question Ive never touched a linux server before
@JazzyOzzy What are you running on your server? These 5 things are a start on hardening but nowhere near being hardened to a security standard like NIST.
Nice one Chuck, very cool starter............Side topic, I recently managed to also configure 2FA using the google pluggable authentication module (PAM). This increases the security in the sense that you would also need to have a token using apps like Authy or Google Authenticator. So if somehow hackers get access to your private key, well their stuck for a while due to missing 2FA. 👍
This was awesome. I am classes right now and we just went over ssh and private and public keys. This lab definitely helped reinforced my learning and best of all I now have a server.
A good Linux tutorial by Chuck, yep these are the good measures discussed in this tutorial. I use ssl proxy (stunnel/nginx) to encapsulate SSH connection and also use SSLH to multiplex (more corrected ALPN based forwarding) ssl proxy encapsulated SSH connection through same port number as my web server (443).
I've had bad experiences with unattended updates, especially on a production server. They often tend to overwrite custom settings. For example, with PostgreSQL, an update might reset a custom database path, and similarly, Docker updates might alter the custom data path set for Docker.
Dude you are just awesome I`m a junior web developer who wants to keep learning about more fields from computers and software, Im about to study network administration and after that maybe some hardware grade or something. I see almost all your videos and I learn A LOT like wow. I just want to soy thank you for all this knowlegde. A hug from Spain!!
Very informative video. It's a very big misconception that Linux systems are secure from hackers.. Everything with an operating system and a signal is not 100% secure..
If anybody is having issues like me and the SSH key still requires a login check the ~/.ssh/config file on both machines and make sure it's sending the id_rsa.pub key instead of a different one. For example, my macbook was sending an ED25519 key, so it would fail each time
Many hackers use a bot to scan for port 22 and try a couple of common passwords, so moving to a different port is a very good defense against anything but a targeted attack.
@@thegalacticwarrior7113 good call, but then movong it in conjunction with deactivating root and disabling passwords is a bit of an overkill, isn't it? ;)
Thanks so much for another great video. I signed up on Linode. This is my first web hosting as I am just starting to toy around with servers, websites, and such. Your videos are fantastic and I always learn a lot. Thank you.
@@asificam1 it's common practice in network security to block echo replies and not send unreachable. No reply means you don't exist period. But yes good point in this scenario since he spun up Apache
Auto updates- you make a great suggestion, but I have had automatic updates automatically break stuff... usually in the middle of the night or Friday at 4:30p.
Openssh generating the key will create the folder, set the permission, you don't need to create the folder. On both side will create the .ssh automatically with the right permissions, if you are from Linux to Linux.
@@mihaidoboga Port 717 is not a standardized port. It won‘t interfere with anything. If you want to check all important/standardized ports, checkout this site: en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
I propose to leave the ssh port default to 22. Changing that is just security through obscurity. And people will anyhow portscan your device and find that port (eg. my ssh backend for gitea is on a random port, yet people from the Internet try to SSH-hack into that port, lol). The best practice anyhow would be, to only allow ssh over a VPN tunnel or use port-knocking to enable port 22 for a short timespan. And if you don't want to do that and still use port 22, add fail2ban and probably couple it with an SSH tarpit like endlessh, when they use (disabled) password auth.
Changing the SSH port will only take a script kiddy with nmap a few extra seconds to find. This also breaks some enterprise apps that are connecting via ssh to perform various audits. You would think it would be possible, but some apps cannot accept a different port for SSH, and you would require a separate service account for every non-standard ssh port you may have configured. Lets also factor in internal firewalls and routes between vlans.
sometimes nmap doesn't recognize an open port as an ssh port if it's not port 22 , it have personally happened to me , in my case nmap recognized an open ssh port on 8022 as an oa-system .. i'm not sure what that is. but looking it up on the internet didn't give me a good hint , and i was still able to use it because i know it's an ssh port. it might be a good layer of security to make your open port non usable unless you know what it's used for. let me know what you think
So first off thank you so much Chuck for these. These are amazing. I am retired Navy and currently in HR but want to make the switch to IT. I LOVE computers but always got frustrated so I didn’t want to do it as a job, but learning makes it better. So I did this and followed your steps and secured my server. Problem is, I like to connected through terminus remotely from my IPhone/iPad. I would love a video how to add multiple authorization keys. I guess I could make multiple users each with their own key (user-iPad, or user-iPhone) but I was wondering how you would trackle multiple keys for one user. Also is it possible to stick the keys on. Thumb drive to use from another machine? I am reversing the steps because my dumb ass created keys on my windows machine for another server and overwrote the old keys *face palm* so now at am having trouble ssh’ing in.
Your could just copy the private key to your iPhone maybe idk how that works from iPhone but there is ssh clients for iPhone so in sure they have the option for adding keys
Automatic updates is a BAD idea. I guess it could be okay on a home ubuntu system. But if you run any advanced distro at home, or any distro at all on a production server, you're asking for trouble. You have no idea what undiscovered bugs or vulnerabilities could break your system. Its best to check news updates on your distro and see what updates are coming out. If you see an important security update, probably best to install it. But if it looks like there is something that could potentially break your system or requires manual intervention, you don't want that happening automatically. Distros like Arch for example have a nice newsletter page where they have all that information easily accessible. So its better to be safe and keep those automatic updates off.
Respectfully, I think you missed the point for installing certificates AND disabling password logins. I suggest re-watching the video at th-cam.com/video/ZhMw53Ud2tY/w-d-xo.html and th-cam.com/video/ZhMw53Ud2tY/w-d-xo.html . Network Chuck is suggesting forcing the user(s) to use certificates AND disallow (simple) password logins. Since such a system forces the user to have a certificate installed AND can NOT log in via a simple password request there is no reason to use fail2ban. I've used fail2ban in the past - in fact, I was even -- initially -- thinking fail2ban would be a good addition to this video. However, in retrospect, using certs removes a user's/hacker's ability to brute force a password and, therefore, is not required. Peace. :) V/r
The best part of this is testing whether the website is accessible even though you knew that the firewall was going to be blocking port 80: expectations don't always match the reality of what will happen. That's how security bugs tend to be discovered. Just because something is expected to happen doesn't mean that it will happen so testing it doesn't hurt especially if it's something security related.
I completely agree with what Leo said here. This is why when I spin up a vm on linode everything is behind a VPN either openvpn or wireguard. I typically never leave anything exposed to the public internet. Or I write a ufw rule that only allows traffic from my home IP.
Legend!!! loving it every time I check your channel the subscribers are more every day. Looking forward to seeing you with 1M. You deserve it mate! all the best!
Won 20 bucks in a networking class.
Another student told me he could get into any computer remotely.
I accepted his challenge and turned off my network card in the drivers.
He was pissed.
Priceless..
🤣
😂😂😂
I bet that no-one can kill you after you've committed suicide*
clever...
I just want to caution everyone from enabling automatic updates on production systems. The best practice is to use scheduled maintenance windows and to always test updates in a test/dev/QA environment before making changes to prod :)
Perhaps create cronjobs to update one a month
You're right. The ideal situation is using a repository host, whether that's something like Red Hat Satellite, Oracle Spacewalker, or using simple webserver which synchronizes repositories.
You then control your packages on the upstream, so that when they are downloaded by the host - only the packages that have been tested are applied.
This is how we automate patching - determine what updates we want > synchronise packages to repo host > create test environment to mimic prod > schedule ansible jobs via Tower to auto patch test hosts with smoke tests > when smoke tests pass, execute job on prod > run smoke tests, and if it fails, execute a job to undo the patch.
Yes. I can't stress this enough. Upgrade on other environment first and test everything first.
This is a BS channel for wannabee network/linux/ansible people with bloated headlines and an eyecandy editing, he barely had any real life experience with these stuff, most of the stuff he teaches about are from official rtd.
@@viktatororban4407 Everything you listed is exactly what's appropriate to teach beginners and for enthusiasts to communicate to them. Beginners need enthusiasm to draw them onto the path of becoming an expert.
Definitely one of the top 3 videos of all time to date... changing TCP ports, encrypted authentication, and disabling ping. Love it... Thanks again Chuck!
Great video. I am Gonna subs.
You should use "apt upgrade" instead of "apt dist-upgrade" as the latter might also remove packages or change things in the system which might break your applications. "dist-upgrade" should be used if you want to upgrade to a new release of the distro, not if you just want the latest versions of your packages in order to get security fixes.
As a security professional I really found this video to be of good quality. You were to the point, informative but not overbearing, engaging while being authentic. Keep up the great work! ❤ 😍
He's literally the only TH-camr that breaks it down enough to where even my bricked brain understands
20:41 - The line was already there (the last entry in that section). All he had to do was change the ACCEPT to DROP. ICMP ping may be blocked but hackers can still find his server using the nmap utility. Great video though. Love the channel!
Just as a correction
for macOS the command ssh-copy-id @ does also work.
The way you deliver content is outstanding. English is my second language, but you somehow manage to be quick, to the point, and very understandable. Kudos. Fantastic work.
Same here! All of his videos are really understandable and easy to learn.
Brilliant. Coming from a person who is very comfortable with Linux, is so nice to see the simple security aspects covered. And I always love how enthusiastic you are, making I.T fun!! Big fan here, over in London /UK! Keep it up, and great to see your channel growing as well. Keep you fed :)
Thank you 😊
Chucks the man but I've always wondered how much coffee he really drinks everyday.
Can u do videos on selinux but with a different twist@@NetworkChuck
It seems standard IT advice is to replace the password in ssh with the RSA key, but this thinking, I feel, is wrong. I would only do that if it was intranet only and I was feeling lazy. You can, and it's much better to, use both! What if a machine that had your RSA private key somehow gets compromised (I for one have multiple some of which are portable)? You would be done. Yes you can put a passphrase on the private key, but you are just buying yourself time, if you even know it was compromised in the first place. Having the password as well is a simple way to have MFA which is a must for any server you have on the internet. The RSA key is the thing you have, coupled with the thing you know i.e. password. Setup fail2ban on SSH, to protect against simple brute force, and you got a fairly strong setup. Even better is what I do and setup Google Authenticator on on that SSH stack, but I'll admit that maybe overkill :).
Also another bit of SSH advice is make it so the SSH user has no administrative powers, don't even put them in the sudoers group. Remember sudo allows administrative privilege with the same password used to login. Once you login, you should elevate your privilege by using su to the an administrator account (someone who is in sudoers). This is the way cisco switches are by default and it's good practice.
Security in layers :)
Add a layer of security with encrypting your home folder/even better your whole machine with luks. Loose it? The attacker will see nothing.
Yeah even that could be hacked (extremly hard) but it makes it harder and add a layer.
Linode, just to tell you - A really good choice for sponsorship! Keep going, his style is a remarkable combination of useful information and energetic hype!
Perfect timing, man! Just fired up my first Linux server this week!
How did it go? What distro?
Just to be clear I love your videos. They are very informative and well produced. But I have to add some commentary on what you just showed (from a perspective of a professional pentester):
- Although updates are crucial like you explained an automated update mechanism (even if it is just the stables) might break something upon updating. So you might consider automatic updates a risk depending on your situation.
- The mac command to copy your public key to the server will also work on linux the exact same way (although your command is shorter and easier to remember)
- Using a password upon generation of your key pair is recommended. So when your private key is getting hacked somehow it will be useless if the password is not easily guessable
- In general just use strong (random) passwords and store them in a safe location like a password store.
- Changing the port of your ssh listener is just security by obscurity. Any port scanner using a service scan can show you that ssh is listening on port 717 (like for example nmap -sSV ...)
- Deactivating ping once again is security by obscurity. Nmap has the flag -Pn which will scan your ip address no matter if the server answers to a ping or not.
Other than that your counter measures are very well designed and really good explained. Thanks for sharing that content.
i love the "warning" it gives when adding users not as root - with great power comes great responsibility
I have another suggestion tho. there's a firewall option that allows your port to be neither "open" nor "closed" .. but instead "filtered" , making your server accepts incoming connections only from a known ip adress. it might not be useful for everyone since not everyone have static ip adresses. but hey, if you do, then that's just the best layer of security you might add to your server.
Good starting guide and well explained, still missing tons of hardening activities, for example unattended upgrades and other. But I guess these things are better than what 90% of the folks implement out there so it's not about out-running the hungry lion, just running faster than the guy behind you...
Oh my god, I need this so much, thanks you!!!!
Edit: I need more... Moooreee. Lol, jokes away, I really like to see more about firewall managing. Great video, thanks!
network chuck, i want you to networkfuq me.
Linux primarily relies on nftables and ip tables as the backend to their firewalls. Modern distros based on Ubuntu use ufw, while modern Red Hat based distros use firewalld.
I personally prefer firewalld, but both are firewalls and can be configured to how you want (I find firewalld can be customised much more heavily). In most production on prem and cloud environments in the enterprise you'll have dedicated virtualised or hardware firewalls in between each network of hosts that further regulates traffic through firewall rules. Usually these rules are more lenient, while the software firewall rules act as more specific rules specific to the host.
You can read more about them here: wiki.ubuntu.com/UncomplicatedFirewall
firewalld.org/documentation/
This was great. I've just passed my Linux essentials exam and this helped learn a bit more about security. Btw, reloading the firewall did do the trick in my server. I didn't have to reboot .
I would always recommend protecting your private key. A private key with no protections on it is more commonly referred to as a back door. You can password protect your private key. Passwords are only useless in Windows these days, since Microsoft refuses to stop using unsalted MD4. Cracking a password for a 4096 bit RSA key, or a SHA512 hash? Yeah. Let me know how that works out for you. If you use a godawful password, sure, it can be done. If you take any steps to make a somewhat decent password, chances are extremely unlikely that someone's going to crack it.
However, if you're taking all of these steps to secure your Linux boxen anyway, might as well step it up a notch. Get you a Yubikey, and use it to protect your private key, or use it as a 2nd factor. Yubico has some great documentation. Probably the hardest part about doing it is selecting which method you want to go with, since Yubikeys are extremely flexible.
spent a few hours trying to get key auth to work, found out Chuck left a part out in the video. You need to add the private key to the ssh agent so your computer knows which key to use. In windows, do these commands:
Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent
ssh-add
NOW you should be able to log in :)
I've broken like 5 virtual machines already so far on this journey haha. I love this channel.
I've literally taken my SD card out of my raspberry pi and reinstalled Ubuntu Server with the pi imager several times.
if this is not one of the most essential (and well done) Linux 101 videos, I don't know what is
also, just ordered a Study Hoodie -- your rock Chuck!
12:41 "...and then I'll use my favorite text editor..."
Don't say VIM!
"Nano..."
*huge sigh of relief*
What's wrong with vim?
Gedit
actually i really prefer vim since things like ctrl+x and etc might not behave correctly sometimes specially when used in ssh sessions in bash
@@mohsenmirzaei3347 thanks for that explanation I didn't know that
@Premlez I learned VIM after awhile but because of the panic and embarrassment I suffered at the beginning I prefer nano.
@networkchuck.. Thank you for this video! I know this is an older video but I needed to secure my ubuntu server and stumbled onto this gem. A couple of things. First... This is probably the best 1-2-3 video for securing Linux I've ever seen. It was presented in a fun way and your on camera presence kept it interesting and at the right technical level. It was neither too technical nor too basic. Just amazing info. Also, I am genuinely jealous of your epic beard. ;) Hope you keep posting great content.
@14:08
PasswordAuthentication no is not enough to disable password for ssh login.
Make sure to set ChallengeResponseAuthentication no as well
Great video.
On the linux servers I work on:
Active Directory domain users;
Certified with private and public key with password
and 2FA with google-authenticator
Great video chuck. for ssh this is what I do . I change the port like you do but I lock it down so I can only ssh from my home ip address. ufw allow from to any port Even if your public ip address changes you can still ssh back in from the linode web console and change the firewall rules.
That’s a great step. Very secure.
if you have any issue getting linux-headers and unable to find the correct one - make sure to type in apt-cache search linux-headers and find the correct one for you. Thanks. Thank you again for another amazing video. !!!!!! You are amazing my friend. Continue to inspire people !
One other thing I would suggest is editing /etc/hosts.allow and hosts.deny.
I know you have ufw, but adding another layer will not damage anything.
Make sure your passwd file is shadowed.
I've been doing this since the 90's
Any and every install get's that treatment.
how do you do that? where do you guys learn this all?
The comments are a gold mine of knowledge.
ufw by default allow established connections, that's why reloading ufw is not helping. you need to drop all established connections, what reboot does.
I use FirewallD but I'm not sure if it's better though. I'm not running a server, just desktop for home use.
@@wakeupNeo_ I don't think either one is better, they're just different. The biggest difference I've seen is that ufw seems to be easier at command line, but firewalld is easier with Ansible. At least until ufw gets an Ansible module (it might have already).
@@wakeupNeo_ ufw can also limit access to a certain port. For example, you can prevent someone from brute forcing port 22 by limiting the connection to 2 connections per 30 seconds.
@@明智吾郎-e4b yeah I switched to ufw now and blocked access to port 22. You can probably do this with firewalld but ufw much more easy to use.
I don't manage Linux servers but this was so informative. I am a maker and have been looking to set up a server for my IoT devices and this is awesome to make sure my server isn't going to be hackable. AWESOME!! Thank you Chuck!!
Steps 1-4 I can understand and recommend too but the ping part in step 5 is just so unnecessary in my opinion.
Sure you can block pings but any "good" hacker has many other tools to check if your server is still running (ahem.... nmap... ahem)
I would also recommend any linux admin to install and set up at leas a basic fail2ban config to automatically block any recurring SSH logins or any other brute force attacks trying to get into your services
The only reason why i come back to watch your videos i seem to learn new things, commands, and get up to date with my passion for techstuff
3:53 "Coffee break"
Puts an ad
21:22 "Coffee break"
Puts another ad
Yeah, Coffee gives you lots of money.
@@b07x 😂
Yeah man 👍
Looks like you haven't implemented his pihole video ;)
hes definitely getting carried away with this shit....but man his videos are so good w/e
I always automatic update my servers and never see anyone talking about this (even in "how to security")
Quality content++
How do you update it automatically? unattended-upgrades?
Some good advice there. Security is always about layers. If one layer is breached the next should take over.
I have found that limiting the allowed from address to SSH can make a big difference in how many break-in attempts you see. Even if you don't have a static IP, your ISP will only have a limited range of IPs he can give you and you can allow only that range.
It's also a good idea to use something like fail2ban. It automatically bans IPs that e.g. have a certain number of failed SSH login attempts. Works rather well :-)
Great recommendations, Madeye.
Instructions unclear. Logged into Chuck's personal PC and traumatized by photo directory.
Super useful. Followed all the steps in Arch Linux (some minor differences) in Linode (simpler to set up than AWS and less invasive than Azure at collecting personal data). This is really cool.
I tried this and Linode wouldn't apply the $100 discount and was going to charge me the full amount of $36/month. Dedicated 4 GB - lowest priced package per month. I watched the rest of your video and found it useful. Thank you!
For mac you can use ssh-copy-id as well!
Nice, Thanks!
BETTER explanation than my linux teacher. Excellent bro 👊🏼
Can you please do a v2 of these security include more security like fail2ban, snort and even a .bashrc email alert when someone logged in ?
I'm watching it again for the 6th time. Running the few VPS I'm managing with the list and securing the new one while watching this video.
Your energy is amazing and the sense of humor is awesome.
Permit Root login - yes.
...
NO ! ! ! !
Awesome tutorial, chuck. You are the man! Thanks for all that you do to help us newbies.
The comments are allways great on Network Chuck's videos. Thanks for the content too..
8:14 - "chmod" actually stands for "change mode" intead of "change modification"
In min 20:52 shouldn't we comment the fifth line?
-A ufw-before-input -p -icmp --icmp-type echo-request -j ACCEPT
Great video by the way!
Also a million Chuck! You well deserve it!
I am learning more and more everytime...as soon as I finally move to linux, yours is the FIRST system I install as a firewall etc.
Automatic updates? Untested updates in a production environment?
yes you are correct!
@@thelearner761 I too was about to address that point. Good call Ezra & The Learner
Just released my own SaaS and now I'm trying to make it more secure 😁
How to be unhackable: do not connect to the internet.
Just don't use a computer
Just
J
The hacker well still connect to your pc on miniport and it wont even tell you they change the code with python so it make it look like it working but is on..
I've got my 1st server and checked out everything you showd us. Fine, it work. Hungry to learn more... Keep up with this great work
How is it going so far after a year
one more thing i would like to add is to get the linpeas enumeration script on your server and enumerate it, then try to secure as many attack vectors it can find
What is that?
@@Andremzsptm its a shell script that shows all possible ways to privesc (become root without knowing root pass basically) and with a quick google search you can find the github repo by carlospolop that has linpeas
@@ladyViviaen that's really nice. Thanks
Is it a script like Lynis?
@@Gunslinger088 from what i saw on google lynis is more overall security scans and whatnot while linpeas only scans for privesc weaknesses
The activity in staring in a screen conglumerates that you want to have a correscending appleture of thought, recontextualizing the greatness that can be grown from that with the "Ryzen Five"
13:48 this cracked me up 😂 Loved the tutorial. I'm gonna recommend it in my next video 👍
I’ve learned so much from chuck. Became a coding teacher and now learn great instructional etiquette through chuck. Thank you so much haha
$HOME also works as shorthand for your own user directory in Windows 10
%userprofile% is the one that tends to work across the board in windows
Not seeing anyone mention it, but that 'weird squiggly key' for those who don't know, is called the 'Tilde' key.
---> ~
Please do more blue team stuff. Hacking into system as attacker is one thing, but at the end the whole idea of ethical hacking is to find vulnerability and then know how to secure them.
Great video chuck. I'm gonna do this on all of my Linux boxes from now on.
Doesn't help. It's snake oil.
Another great video Chuck, turns out I have already done most of these on my two linux VMs at home. Oh yeah and guess who just landed a new job as a Cloud Engineer ... ?
I don't know if anyone else commented on this but you want to also NOT permit empty passwords, it's selected by default to "no" but just encase so ppl will know.
/etc/ssh/sshd_config
PermitEmptyPasswords no
Good tips, simple to implement and well explained. Thank you!
Apart from automatic updates, been doing the rest. Great video, I leaned something new.
Whenever "Chuck" says coffee break, I drink a beer. Cheers.
Thats like 20 beers per episode. I think you might have a problem, but who am I to judge.
thanks a lot network chuck. Did these steps in an Oracle server, broke it real nice like. no really, thanks, Chuck you have taught me a lot but cost me countless hours fix'n things i broke.
All excellent with one nitpick: changing ssh port from 22 is sort of useless, as anyone who cares already has a port scanner and doesn't even bother checking just the default. (And, yeah, like others have said, I'd add fail2ban to the list, but that's for another video where you can talk through the details and reasons behind them.)
Looked through the comments specifically for someone that agreed on this point
@@konev13thebeast I've got to admit, though, that changing the port reduces the size of the log files. Just out of curiosity, I swapped between 22 and 1234 (I think it was) a few times, and the frequency difference is enormous. Drive-bys on 22 are about 20-30/hour for me, fell to about 2-3/day with the non-standard port.
@@d00dEEE how important is it to monitor ssh logs unless theres a massive spike though? From my experiences from windows servers, firewall can handle most flooding issues fine. Genuine question Ive never touched a linux server before
this by far has to be the best video you have done...
every time I deploy a new server, I go through this
Exactly what I need
@JazzyOzzy What are you running on your server? These 5 things are a start on hardening but nowhere near being hardened to a security standard like NIST.
Nice one Chuck, very cool starter............Side topic, I recently managed to also configure 2FA using the google pluggable authentication module (PAM). This increases the security in the sense that you would also need to have a token using apps like Authy or Google Authenticator. So if somehow hackers get access to your private key, well their stuck for a while due to missing 2FA. 👍
This was awesome. I am classes right now and we just went over ssh and private and public keys. This lab definitely helped reinforced my learning and best of all I now have a server.
I think a good thing to add would be "ufw limit [ssh port]" to protect from ssh bruteforce attacks as well
A good Linux tutorial by Chuck, yep these are the good measures discussed in this tutorial.
I use ssl proxy (stunnel/nginx) to encapsulate SSH connection and also use SSLH to multiplex (more corrected ALPN based forwarding) ssl proxy encapsulated SSH connection through same port number as my web server (443).
I've had bad experiences with unattended updates, especially on a production server. They often tend to overwrite custom settings. For example, with PostgreSQL, an update might reset a custom database path, and similarly, Docker updates might alter the custom data path set for Docker.
Nice Video 👍. I would recommend Lynis to audit the system.
Dude you are just awesome I`m a junior web developer who wants to keep learning about more fields from computers and software, Im about to study network administration and after that maybe some hardware grade or something. I see almost all your videos and I learn A LOT like wow. I just want to soy thank you for all this knowlegde. A hug from Spain!!
Very informative video. It's a very big misconception that Linux systems are secure from hackers.. Everything with an operating system and a signal is not 100% secure..
If anybody is having issues like me and the SSH key still requires a login
check the ~/.ssh/config file on both machines and make sure it's sending the id_rsa.pub key instead of a different one. For example, my macbook was sending an ED25519 key, so it would fail each time
Is moving port 22 elsewhere really any good when nmap exists?
Many hackers use a bot to scan for port 22 and try a couple of common passwords, so moving to a different port is a very good defense against anything but a targeted attack.
@@thegalacticwarrior7113 good call, but then movong it in conjunction with deactivating root and disabling passwords is a bit of an overkill, isn't it? ;)
@@maciejkokot8396 I have an ssh server on the open internet; I'm not taking any chances.
Thanks so much for another great video. I signed up on Linode. This is my first web hosting as I am just starting to toy around with servers, websites, and such. Your videos are fantastic and I always learn a lot. Thank you.
I miss the twitch live streams
"Connection refused" is still saying "im here, scan my ports"
@@asificam1 it's common practice in network security to block echo replies and not send unreachable. No reply means you don't exist period. But yes good point in this scenario since he spun up Apache
It only slows hackers down rather like a locked door..
Criminals just go through Windows!
What is the general consensus/opinions of Port knocking or Single Packet Authorization (FWKNOP) to keep ports closed until actively ready to use?
Thanks, this really came in handy hardening the sever I just setup. We are living in amazing times when you can learn so much online these days.
Auto updates- you make a great suggestion, but I have had automatic updates automatically break stuff... usually in the middle of the night or Friday at 4:30p.
For basic servers auto updates should be ok. However, when you have stuffs like MariaDB, PHP, python and etc things can break.
Openssh generating the key will create the folder, set the permission, you don't need to create the folder. On both side will create the .ssh automatically with the right permissions, if you are from Linux to Linux.
Nice video! But you should have used a port number above 1024 :)
Why?
@@sterling1989 Because port numbers in the range 0 - 1023 are the well-known ports (system ports) which are mainly used by system processes.
@@mihaidoboga Port 717 is not a standardized port. It won‘t interfere with anything. If you want to check all important/standardized ports, checkout this site: en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
I propose to leave the ssh port default to 22. Changing that is just security through obscurity. And people will anyhow portscan your device and find that port (eg. my ssh backend for gitea is on a random port, yet people from the Internet try to SSH-hack into that port, lol). The best practice anyhow would be, to only allow ssh over a VPN tunnel or use port-knocking to enable port 22 for a short timespan. And if you don't want to do that and still use port 22, add fail2ban and probably couple it with an SSH tarpit like endlessh, when they use (disabled) password auth.
Good job dude. i hope you do a video about forensics one day
Hey, the way you explain things are fun, easy to understand and short to the point. simply amazing!!!
Maybe you can also make an Video to take the SSH Security to the next Level with fail2ban and totp authentication😉, would be nice to see this.
Fail2ban is nice!
Or SSH tarpit
@@abanoubmelad2919 GO 127.0.0.1
Port knocking or it's successor single packet authorization (fwknop)
this would be really nice to have this also explaind to go another step ahead.
Changing the SSH port will only take a script kiddy with nmap a few extra seconds to find. This also breaks some enterprise apps that are connecting via ssh to perform various audits. You would think it would be possible, but some apps cannot accept a different port for SSH, and you would require a separate service account for every non-standard ssh port you may have configured. Lets also factor in internal firewalls and routes between vlans.
sometimes nmap doesn't recognize an open port as an ssh port if it's not port 22 , it have personally happened to me , in my case nmap recognized an open ssh port on 8022 as an oa-system .. i'm not sure what that is. but looking it up on the internet didn't give me a good hint , and i was still able to use it because i know it's an ssh port. it might be a good layer of security to make your open port non usable unless you know what it's used for. let me know what you think
So first off thank you so much Chuck for these. These are amazing. I am retired Navy and currently in HR but want to make the switch to IT. I LOVE computers but always got frustrated so I didn’t want to do it as a job, but learning makes it better. So I did this and followed your steps and secured my server. Problem is, I like to connected through terminus remotely from my IPhone/iPad. I would love a video how to add multiple authorization keys. I guess I could make multiple users each with their own key (user-iPad, or user-iPhone) but I was wondering how you would trackle multiple keys for one user. Also is it possible to stick the keys on. Thumb drive to use from another machine? I am reversing the steps because my dumb ass created keys on my windows machine for another server and overwrote the old keys *face palm* so now at am having trouble ssh’ing in.
Your could just copy the private key to your iPhone maybe idk how that works from iPhone but there is ssh clients for iPhone so in sure they have the option for adding keys
2 factor auth! It can elevate your security by quite a bit and even potentially give you a heads up when someone is trying to break their way in
Don't forget fail2ban as well.
Yeah. Fail2bain is a must have I think.
Automatic updates is a BAD idea. I guess it could be okay on a home ubuntu system. But if you run any advanced distro at home, or any distro at all on a production server, you're asking for trouble. You have no idea what undiscovered bugs or vulnerabilities could break your system. Its best to check news updates on your distro and see what updates are coming out. If you see an important security update, probably best to install it. But if it looks like there is something that could potentially break your system or requires manual intervention, you don't want that happening automatically. Distros like Arch for example have a nice newsletter page where they have all that information easily accessible. So its better to be safe and keep those automatic updates off.
I think fail2ban is even more important than ufw
I was gonna say add fail2ban and apparmor or selinux and set those up
Tried it. Instead of having 1000 brute force attempts from 50 ips, I got 1000 brute force attempts from 350 different ips. Now I had 300+ ip blocked
Thanks Chuck. Can you also make a video about SELinux? How that works with some examples?
Respectfully, I think you missed the point for installing certificates AND disabling password logins. I suggest re-watching the video at th-cam.com/video/ZhMw53Ud2tY/w-d-xo.html and th-cam.com/video/ZhMw53Ud2tY/w-d-xo.html .
Network Chuck is suggesting forcing the user(s) to use certificates AND disallow (simple) password logins. Since such a system forces the user to have a certificate installed AND can NOT log in via a simple password request there is no reason to use fail2ban. I've used fail2ban in the past - in fact, I was even -- initially -- thinking fail2ban would be a good addition to this video. However, in retrospect, using certs removes a user's/hacker's ability to brute force a password and, therefore, is not required. Peace. :)
V/r
Agreed
21:10 No need for whole system to reboot, just type: sudo ufw disable && sudo ufw enable
The best part of this is testing whether the website is accessible even though you knew that the firewall was going to be blocking port 80: expectations don't always match the reality of what will happen. That's how security bugs tend to be discovered. Just because something is expected to happen doesn't mean that it will happen so testing it doesn't hurt especially if it's something security related.
I completely agree with what Leo said here. This is why when I spin up a vm on linode everything is behind a VPN either openvpn or wireguard. I typically never leave anything exposed to the public internet. Or I write a ufw rule that only allows traffic from my home IP.
Legend!!! loving it every time I check your channel the subscribers are more every day. Looking forward to seeing you with 1M. You deserve it mate! all the best!