Well... you lost my trust very quickly. Proton Mail is NOT as secure as you let on. They now track IP addresses and allow access to government agencies. Plus, you need an even more traceable email to tie it to in order to get an account. It's a bullshit smokescreen.
@None17555 The chance of an update breaking things in Linux is very small if you use a stable and well-maintained distro like Debian. If you use Manjaro or Arch Linux, well, then it's mostly just a matter of time for it to happen.
Isn't bulletproof, but Windows has many more holes and attack vectors. Windows is full of complexity due to legacy support and has closed code. When someone finds a vulnerability, sometimes it is exploited for quite some time before someone finds out. Linux is open source. People are constantly auditing the code for vulnerabilities and it's much quicker to find a vulnerability. So, yes, Linux is definitely more secure by default, but I agree that Windows is also more targeted. But remember that the vast majority of servers in the world are running Linux and those are the ones usually targeted by the most advanced hackers.
@rallealyt I'm a Windows user but the defaults in Windows are very bad for security and privacy. They may be fancy and cool and animated and convenient... but they cause a security risk too. But I'm an advanced user, so virus or malware attacks on my machine have never happened.
I mean, all the large-scale attacks on webservers are servers with Linux behind them; the applications installed are more likely to have vulnerabilities than the OS. I've never really heard of any big websites running on Windows.
I like the defaults on Fedora, firewall on by default, selinux on by default, root login disabled by default, only official repositories enabled by default
11:00 With usbguard you can allow and block USB ports based on plugged-in devices, so you can create a whitelist with your devices and block anything else.
IMO it's also worth paying attention to secure boot configuration, especially on laptops. Many distros do not implement initrd checking during boot, so an attacker can easily modify it and intercept the password for the encrypted partition. To avoid this there's a thing called "unified kernel image", which combines kernel and initrd into a single file and adds an SB digital signature. The main problem is that it is NOT configured out of the box on most systems. Canonical has plans to implement it in the next Ubuntu release (thanks to systemd-ukify), so hopefully this will be changed in the future.
I'd love to enable secure boot, but I also rely on being able to hibernate my device, which for some reason is disabled when secure boot is enabled as a part of the kernel lockdown, afaik. I'm already using UKIs with dracut and systemd-boot, so I'm well prepared for hibernation and secure boot to be easy. For context, I am running Debian Unstable with a manually compiled, updated dracut.
@Sqaaakoi I'm not sure about your device (laptop, right?), but most modern laptops don't drain too much battery while in sleep mode, aka suspend-to-RAM. Personally I use only this option and my laptop remains cold and charged for a long time. At least, more than 3 days. Also it does not require a big swap file/partition. I did a quick Google search and it seems like newer kernels should allow hibernation after adding "lockdown_hibernate=1" to the kernel cmdline. I did not test it, but hope it helps.
One thing I thought I should mention: although primarily effective for Windows/Mac users, even just having an adblocker (uBlock Origin being my FOSS choice) can have a huge impact on web-based attacks, not only malware but web-based tracking and information gathering.
uBlock also supports disabling JS. Most dangerous browser vulnerabilities are because of JS (there's some HTML and CSS too). I use whitelist mode, so all websites are static, except for some domains where I need JS
@TheLinuxEXP As a casual Linux user wanting to find easy ways to run more securely, the most frustrating thing about security on any system (Windows is worse obviously) is how fundamentally mixed up everything is at a low level, making it impossibly difficult to troubleshoot or make a security profile from simple, rational concepts. If you could make a video on how to get just deep enough into something, maybe like SELinux or AppArmor but not overwhelming... I would appreciate that a lot. An example of something I would love it if you made a video about is how I can most easily run insecure things securely. For example: I want to install a new notepad program, so I find one and install it. At a very basic level I know a few things, like when I'm not using it it shouldn't have any processes running. And it should never connect to a network, unless it's doing some cloud saving, for example. How can I easily manage security flip switches to turn those abilities on and off? Don't even give that process a sign there is a network card until I flip a switch? Same for executing in the background, writing to anything, etc. If that can be done in a video, I would be grateful and impressed. As for how... allow me to ramble on how I've found this impossible... Like trying to accomplish application container/sandbox style security... I need to set up AppArmor or SELinux... okay, maybe there's a GUI profile manager? Nope... I haven't been able to find anything. And it seems intentional. AppArmor, supposedly easier to use but less 'fundamentally' secure than SELinux, had a GUI, premade profiles... but now all that is gone, they're all paywalled. A bad trend for Linux recently. SELinux on the other hand just seems to be ideologically against GUIs and profile tools because you *must* understand / accept full responsibility for all the nuanced complexity it has, in which case you aren't going to be some GUI-using slob, you'll obviously live and die by CLI.
It pains me I can't just install a new program I kind of trust but not fully and use Linux to 'watch it' for abnormal behavior, because whenever anything uses any system services/resources they just "have access" or "don't have access". For a super common example: application-specific network limitations and/or traffic monitoring / firewall is literally not a thing. It seems insane to me from a not-a-kernel-dev perspective that there is simply no fundamental way to watch / attribute all network traffic to specific processes. I get that the way the architecture of the system is... it's just hard or impossible to trace the source back into userspace from the kernel. But if you COULD simply monitor application traffic and behavior, profile 'normal' behavior, it would make it so easy to spot, or even automate spotting, abnormal / compromised process behavior. That would make malicious intrusion incredibly difficult, having to move around within other processes. Instead, if you want to do that for network traffic you'll have to become an expert at ip/port/packet analysis to... make best guesses? Or start down the rabbit hole that is various tools to approximate this idea. I get that a fundamental problem arises from granular control (SELinux being the ultimate granularity) and config gets more and more complex as you get granular in a system with a complex web of interlocking parts... but I mean, why aren't basic best practices and profiles easier to make? Get me an 80/20 profile. We know one of, if not the most, common attack vectors is a malicious or infected process, so why are the tools to control, isolate, and analyze process behavior so arcane? /rant
Besides obvious things like applying security updates: I think most critical is that you have control over open ports. You don't want other people to get remote access to your system. So either close ports by disabling services or via a firewall. For servers I recommend fail2ban as well. That bans IP addresses by the number of failed attempts, which can prevent primitive DoS attacks by single attackers. Additionally you can improve internal security by dividing services and applications into containers, users and groups. So you don't run software with permissions it doesn't need or shouldn't have in general. Another thing for SSH: if your server is public, you should only allow access via public keys and disable root login as well. Otherwise people will brute-force it...
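A small audit of the SSH points made above (key-only access, no root login, restricted users), added here as an example and not from the video or any commenter. It matters because sshd keeps the first value it sees for a keyword, so a hardened line appended at the end of sshd_config can be silently ignored; the sample config is constructed to show that.

```python
"""Audit an sshd_config for the hardening points discussed in the comments.

Added example (not from the video or any commenter). It checks that password
logins are off, root login is disabled, and access is restricted to named
users or groups. sshd_config(5) says the FIRST obtained value for a keyword
is used, so the parser reproduces that rule. The sample config is constructed.
"""
import re

# Constructed sample: looks hardened at first glance, but the "PermitRootLogin
# no" appended at the end is shadowed by the earlier "yes", and the Match
# block quietly turns password logins back on for one account.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
# appended later; sshd ignores it because it already saw a value above
PermitRootLogin no
Match User deploy
    PasswordAuthentication yes
"""

# Desired values for the global (non-Match) section.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings: dict keyword -> first value seen (sshd semantics).
    match_blocks: list of (criteria, dict); lines after a Match belong to
    that block until the next Match, also first-value-wins inside it.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value.lower())  # first value wins
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    settings, matches = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set explicitly (relying on default)")
        elif actual not in allowed:
            findings.append(
                f"{key}: is '{actual}', expected one of {sorted(allowed)}")
    if not any(k in settings for k in ("allowusers", "allowgroups")):
        findings.append(
            "no AllowUsers/AllowGroups: every local account may log in")
    for criteria, block in matches:
        if block.get("passwordauthentication") == "yes":
            findings.append(
                f"Match {criteria}: re-enables password authentication")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
```

On a real host, `sshd -T` prints the effective configuration after sshd has applied these rules, which is the quickest way to confirm what the daemon actually enforces.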
I'd love to have a noob-understandable video about firewalld and SELinux configuration for an average Steam gaming and internet browsing PC! Also ClamAV on-access scanning and/or commercial antivirus software for consumer desktops would be nice.
4:53 You can also do `sudo systemctl disable --now service` to disable a service and stop it at the same time. Saves you from typing out a second command.
Thanks! Good vid. Always interested in the security side for the user. Not so much for the server but never hurts to learn. You do a really good job of explaining "how to" and "why". Please continue...
Updates are just as likely to break things on Linux as well. Currently, Linux 6.5.5 seems to produce segfaults in FIO with BTRFS, and Mesa 23.2 breaks HEVC and H264 encoding in OBS Studio, again, for now. The difference with updates in Linux is you can scrutinize each package, update individually, and find exactly what's causing the problems, and then not update that package until it's fixed. Timeshift and BTRFS subvolumes make this pretty quick and easy, vs System Restore and Windows Update, and use much less disk space for more restore points. Linux updates are not bug-free, and you should always have a backup to fall back to before updating.
@a-yon_n And it is that way because there aren't any really user-friendly configuration/management tools. Which sucks but makes sense... people went through all the trouble of writing the actual firewall code for free and now some normie wants them to do more work to dumb it down and make it easy for them to use? Leave it for someone else...
Love to see some security-related content. It's such a confusing and noobie-unfriendly territory to get into when learning Linux, we need more videos like those. The firewall is especially important: it's the first line of defense past the router, and it's frequently off by default. Full disk encryption is also a must. For me, the most important thing to learn right now is how to set up full disk encryption together with secure boot, and if possible along with the TPM (Trusted Platform Module) so I have the option of setting it up without entering the password every time I boot. Tips on troubleshooting it when making changes to the system (changing partitions, distro hopping without losing files) would also be welcome. I haven't been able to crack down Linux security by myself yet. If this series does go on, maybe I'll finally be able to do it.
@lince4824 In some sense you would want fewer pieces of software to use the TPM, so its functionality can be kept minimal and stable. More usage = new requirements = new bugs.
@generic694 It must be used WHERE it is needed and WHENEVER it is needed. If you store critical passwords in RAM to avoid using the TPM module, that's a security hole, as happened in a serious, widely exploited incident on Microsoft's own server network, because they decided to keep that password in RAM. It didn't need any high-tech tool or software to abuse it, just a crash report sent to the development team, which in fact happened to include that CRITICAL Microsoft Exchange password. Do you think it cannot happen in Linux? TPM must be used whenever it is needed, not more, NOT LESS.
Another thing you can do for hardening is renaming the root account, then anyone looking for root login will need to overcome another hurdle. The downside is it could get confusing and some scripts and programs might be hardcoded with the name, possibly causing more problems than it's worth.
@Rudxain This highlights the biggest issue. Educate yourself about how Linux actually works. Then act accordingly. Misconceptions are what get people in trouble. Whether that's trusting something that shouldn't be trusted, or the example you give here.
"Linux isn't as secure as you think" _Most people rejected his message. They hated him because he spoke the truth._ Seriously though, the "linux community's", both users' and developers', indifference and trivialization of security concerns is one of the worst things about both using linux oneself and dealing with others who do. With increasing frequency, it occurs to me that windows power-users have developed a greater sense of responsibility purely from necessity.
Strangest comment I've ever read. Very passive aggressive dig at Linux users dude. All the relatives and friends I've moved over to Linux have had zero security issues after having had regular attacks on Windows, and all they do is let the system run automatic updates whenever it asks. I've been using Linux 100% (no dual boot) for almost 20 years now and I have never had security issues regardless of my "indifference".
Yeah, I have been using Linux for a year, and I found it interesting how the OS (at least the few I tested) has the firewall turned off by default. It is dangerously strange to say the least.
@howiecourt3445 lmao, Linux users suck and they have a terrible attitude in general. You are a part of the problem. If you think Linux has perfect security you are wrong. Every OS in the world needs to be aware and step up their security game these days; you can have malicious attacks on Linux, macOS, Windows. It does not matter as long as someone constructs a program that is cross-platform; if you click on the wrong link it will hit you too.
@howiecourt3445 Not a passive-aggressive dig at anyone. I'm a Linux user myself, obviously, as I suspect are more than 99% of Nick's subscribers and viewers. What I am criticizing is the -widespread- omnipresent blasé nonchalance among Linux users and developers towards security. In passing, I am also espousing Luke Smith's confutation of the term "linux community".
@howiecourt3445 This is the strangest comment you've ever read? Well, let me be the first one to welcome you to the world wide web, you're in for a wild ride.
What security does this actually add? An attacker just needs my user's password to use sudo if they have an SSH session, which I think is harder to obtain than the password.
Can you elaborate why? Wouldn't running the entire Docker as sudo make it even worse if the image/container was compromised? What about passing a UID to the container, rather than making it run as root by default?
@SirRFI The Docker daemon (server) is always running as root. The only thing you can decide about is whether the client software is running as root or not. Having the docker command available in your command line without sudo is like having sudo without a password. With a reasonably simple docker run invocation you can modify host files of your OS, which is a very big security hole.
Although there can be an emphasis on protecting your computer from outside attackers, which does require action, especially on servers, it is also worth mentioning that some security like drive encryption makes it harder to recover data, so for a number of people it is less secure having encrypted drives because they are more likely to lose their data due to forgetting passwords or hardware problems than to some random person stealing their computer to look at their files.
Don't forget to have an SSH jump host, which adds additional security. And a port randomizer both on the jump host and the real server. Good luck guessing: the current IP for the SSH jump host (with a random IP pool that you will have a schedule for the next IP), and its port, and the SSH port of the real server. Then it doesn't matter if you have root or not. You can use different certificates for both the jump host and the real server. Each devop will have their own account with the least needed permissions and groups.
I recently started dual-booting again (thanks, PC games), and I have to say hardening on Windows is relatively easy compared to Linux. Though I still believe I am the greatest security to my own device, it is great to know all of this just in case of a lapse of judgement.
On the basic level. Windows still has FAR more services running as SYSTEM user (higher privileges than Administrator) than on Linux as root user. That said, I think it would be great to have Linux further develop with running less things as root. And as you mentioned have better defaults, or make it easy to have a distribution package called hardening. A huge missing feature of Windows is proper container support. That said I think Linux containers are still behind on Solaris Zones security level.
@autohmae Containers are definitely a Linux security perk. I agree that you can do more in-depth hardening with Linux, but Windows gives you simpler options and intuitive defaults.
The problem with Linux is the user base, not the software. You can lock down Linux tighter than a nun's nasty, and you can achieve bulletproof (nearly) tin foil hat status, but you need to know how, and that's where 9x% of people get in trouble. I've run dozens, maybe in the lower 100 counts, of Linux servers, and the number of times I've seen an "experienced IT professional" do something that causes a head smack to crack your skull is countless. My list of stuff to check as a first pass. This won't bulletproof the tin foil, but it will shine. (Nick brought some of these up)
1. The first biggest issue, by far, is having permissive sudo settings! - DO NOT GIVE EVERYONE SUDO ACCESS.
2. The second-biggest issue, by far, is having permissive sudo settings! - DO NOT GIVE EVERYONE SUDO ACCESS.
3. The third-biggest issue, by far, is having permissive sudo settings! - DO NOT GIVE EVERYONE SUDO ACCESS.
4. Lock down SSH, and DO NOT change the port. Changing the port is not going to help you. If you're at the point that moving from 22 to 9022 is going to polish the top of your security walking stick, then fine, but if that's the case you're also going to agree it's usually pointless.
5. Lock down user accounts. Make sure user accounts are properly controlled, groups are reviewed, password policies are in effect, and review system permissions.
6. Use SELinux or another security framework. If SELinux is fighting you, in 9X% of cases you've done something wrong.
7. Use IPTables, BPF Tables, and other tools to build the proper routing settings!
8. Sweep for kernel modules!
9. Manage keys correctly; don't have users with a single SSH key that use the same key on everything. 1 key = 1 service.
10. Use multifactor authentication. You are NOT too busy to have additional factors, PERIOD!
11. Monitor, Monitor, Monitor, oh and make sure you monitor. All logs should be sent to a remote server.
12. (Nick brought this up) Remove the stupid GUI! It's a server, learn to use it.
13. Use VMs for isolation.
14. Disable services you don't need, and close ports that shouldn't be open.
15. If you use an email server, FULLY ISOLATE IT. Seriously! Do not install an email server with other services.
If you follow these points, you'll be at least in a good default state; from there have fun polishing the tin foil even more.
You're very wrong. I stopped reading at paragraph 2. Tin foil hat please, just kidding, but you're very, very wrong. You are right that most people, experts and admins will make a barely secure system much, much more insecure on the first day though.
@lince4824 What do you feel I got wrong and why? I don't mind disagreement, but I really don't see much wrong with my list as a basic first pass. Keep in mind you can do much more, and should. Oh, and the #1 thing admins do, usually by accident or because they're busy, is give everyone sudo, and sudo ALL=ALL. Actually, in a lot of cases I recommend removing sudo; it's a very powerful tool, and you almost certainly don't actually need it.
One thing you really should have mentioned about securing an SSH server is fail2ban; that reduces the chance of getting brute-forced a lot and doesn't interfere with normal usage almost at all. Other than if you manage to typo your password a few times in a row, you might have to log in from some other IP address to unban your IP (or just wait until the automatic unban after the set unban time). Though I would suggest tightening the settings a little bit from the defaults, which are too loose if you ask me. For example I think the unban time is usually too low with the default settings. EDIT: After continuing the video I noticed you did mention faillock in a later part of the video, but I think fail2ban is more useful for SSH because it blocks all access from that IP instead of the "attacked user account". Both ways have something good and bad of course, but overall I prefer fail2ban because then you can have a long unban time without yourself being blocked completely out of the system.
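To make the fail2ban trade-offs above concrete (maxretry, findtime, bantime, and why a long ban time is safe once your own network is in ignoreip), here is a minimal fail2ban-style sshd jail run over constructed auth.log lines. It is an added example, not fail2ban's own code; the log lines and the YEAR constant are constructed.

```python
"""Minimal fail2ban-style jail for sshd, run over constructed log lines.

Added example, not fail2ban's own code. It reproduces the knobs the comment
discusses (maxretry, findtime, bantime) plus ignoreip, the usual answer to
"a long bantime will lock me out too". Log lines are constructed samples in
the syslog format that fail2ban's sshd filter matches.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed password / invalid user attempt, as sshd logs it.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>[0-9.]+)"
)
YEAR = 2023  # syslog timestamps carry no year; assumed for the sample

# Constructed sample log. 203.0.113.5 hammers quickly, 198.51.100.9 spaces its
# attempts 11 minutes apart, and 192.168.1.20 is the admin mistyping at home.
SAMPLE_AUTH_LOG = """\
Oct  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Oct  3 10:00:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Oct  3 10:00:09 host sshd[1205]: Invalid user oracle from 203.0.113.5 port 51140
Oct  3 10:00:10 host sshd[1207]: Failed password for alice from 192.168.1.20 port 40001 ssh2
Oct  3 10:00:12 host sshd[1208]: Failed password for alice from 192.168.1.20 port 40002 ssh2
Oct  3 10:00:15 host sshd[1209]: Failed password for alice from 192.168.1.20 port 40003 ssh2
Oct  3 10:00:16 host sshd[1210]: Accepted publickey for alice from 192.168.1.20 port 40004 ssh2
Oct  3 10:20:00 host sshd[1300]: Failed password for root from 198.51.100.9 port 2222 ssh2
Oct  3 10:31:00 host sshd[1301]: Failed password for root from 198.51.100.9 port 2223 ssh2
Oct  3 10:42:00 host sshd[1302]: Failed password for root from 198.51.100.9 port 2224 ssh2
Oct  3 11:05:00 host sshd[1400]: Failed password for root from 203.0.113.5 port 51200 ssh2
"""


class SshJail:
    def __init__(self, maxretry=3, findtime=600, bantime=3600, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.attempts = defaultdict(deque)  # ip -> timestamps of failures
        self.banned = {}                    # ip -> ban expiry time
        self.events = []                    # ("ban" | "unban", ip, time)

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def _expire(self, now):
        """Lift bans whose bantime has elapsed (fail2ban does this on a timer)."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.events.append(("unban", ip, now))

    def feed(self, line):
        m = FAIL_RE.match(line)
        if not m:
            return
        now = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        self._expire(now)
        if ip in self.banned or self._ignored(ip):
            return
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > self.findtime:  # slide the findtime window
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            self.events.append(("ban", ip, now))
            q.clear()


def run_jail(log_text, **jail_options):
    """Feed every line of log_text to a fresh jail and return it."""
    jail = SshJail(**jail_options)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    jail = run_jail(SAMPLE_AUTH_LOG, ignoreip=["192.168.1.0/24"])
    for kind, ip, when in jail.events:
        print(f"{when:%H:%M:%S} {kind:5} {ip}")
```

With the default findtime of 600 seconds the slow attacker 198.51.100.9 is never banned; widening findtime to 1800 catches it, which is the kind of tightening the comment argues for.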
I have security cameras going to a computer using FTP, and not all the images and videos would record. The camera company wanted me to disable the firewall, which I didn't like at all. What I found out is that you can allow all access through the UFW from only one other computer. I did this for each camera, and the problem went away. This is a very special case, but it allowed keeping the firewall up, while solving the problem.
"2 or 3 word combos"? Like, for example, My1Password2Sucks3? For a proper password use a mix of upper and lower case letters, numbers, and symbols: Gx72&tP9kW28%5+Zz3F$28Q-14Rs. Use something similar as the username, and wish every brute force attack good luck.
Consider placing your web browsers into a container and using a watchdog on the browser. That way you can make a script that watches the browser and if anything goes wrong you can kill the container and delist any permissions and rm -rf the contents or the container itself. There's a performance and resource hit for this though. Good luck with TH-cam and similar sites, as they tend to run at 3/4 or less overall speed/response/however you want to call it.
Also instead of selinux or app armor you may want to consider SNORT or Suricata. They all utilize a similar rules based method for partition to partition, app to app, system to network, and network to system management and logging. The only benefit of Suricata is that it can make use of GPU tech. So those with a dual/multi GPU setup can get a tiny performance boost. So if you're one of those with a dedicated GPU and a CPU with integrated graphics (Intel k series or AMD APU) you can run Suricata without too much of a system performance hit.
Browsers are one of the most secure pieces of software there can be on a desktop OS. I fail to see how this adds anything. Containers aren't a security boundary. GPU processes, audio processes are all vectors for attack. And you do not contain those with a simple container.
@WarkWarbly, browsers have dedicated security teams with people on payroll. A browser executes remote untrusted code. It's a miracle they don't pwn their users every day. Sure, some zero-days existed and do exist.
Thanks for the video. Regarding firewall, SELinux and AppArmor, these are good topics for future videos. I would add that the firewall is the more relevant topic, since I think it is sort of a must-have for desktop and server.
I have changed the default SSH port for security reasons; I also use the "howdy" facial recognition tool to avoid entering a password manually with every move.
Superb video as usual; videos on security are always instructive. Firewall configuration, AppArmor, SELinux, Kicksecure, Fail2ban, etc. would be topics that I think could help a lot of users. Keep up the good work.
there is of course one option to keep it really secure. don't have just one machine for everything. we all access websites that are less than optimally trustworthy. some are somewhat shady. and we all have an old laptop or PC sitting around, not fast enough for everyday use, but still quite good (especially with linux, since there are linux distros out there that are pretty light on the computer). just have one machine with high security dedicated for online banking, email etc. and your main PC is for everything else. even a VM is helpful and better than nothing. a lot of malware just goes the easy route and scans for passwords and logins to the really important stuff. oh, and that machine you dedicated to the most important tasks? just keep it turned off. it's hard to hack a computer that is physically without power.
I use an expanded version of this idea.. buy 4x (or find them lying around, like that old laptop) flash drives. You can run a live distro on each drive, completely separated operating systems. Even 16GB is enough to run the basics, GUI, web browsing and all the other basic apps.. 32GB is much more comfortable for Firefox's crappy memory leaks. 128GB you'll never run into a space issue if you just use external storage for large downloads. These drives are < 20$ now, fairly small price to pay. What I wish is that they had something I could 'hot swap' between these OSs.. like VMs, but without emulation losses. You can hibernate and swap to estimate that behavior though... if you can get hibernation working (need more space also, 128GB is plenty for it).
@craigslist6988 oh yes. the most insane variant of using old laptops was from around 20 years ago. knew a guy who bought a bunch of old laptops from his employer just for surfing in somewhat risky situations. to be more precise: he loved surfing the internet while being on an air mattress. sometimes, a laptop met the bottom of his pool. no problem, he took the next laptop from the stack of laptops he had.
No offence intended here but changing ports is generally considered useless, bots are not probing any ports specifically, they mostly probe for any open port. The protocol is then as simple as a packet sniff. You can get better results by disabling ping requests from unknown sources.
Disabling a systemd service (and timer, etc.) won't completely prevent one from running, you need `mask` as well (to compare with Window$, `disable` is roughly equivalent to setting a service to `Manual` start, and `mask` is totally equivalent to `Disabled`), and you should `stop` one as the last step instead of before, so that if a service/etc. is being run on a trigger/timer, it won't be able to start it and thus make your attempt useless until the next reboot. ^ So, in this order: disable, mask, stop.
>You can also logout users after multiple login failures. I think you may want to say "You can also disable login attempts after multiple login attempt failures". Logout does not happen in that context because the user wasn't able to log in at any point. Hope this can help.
Yes please, a firewall video would be great. Lately I had to disable mine, every time I turn it on I can't seed any torrents and as much as I try to configure it, the torrent client stays idle. I don't know what I'm doing wrong.
The easiest thing to do for a desktop is just use an immutable distro and mount your home partition or folder as noexec, then you'll have a system that's pretty much bulletproof.
I expected Safing Portmaster sponsor spot for video like this, meanwhile it wasn't even shown as firewall or something. Anyway, + for firewall or SELinux/AppArmor video. Likewise, I would like to see video on backups (preferably not online ones) and password managers.
You missed a big one. single user mode allows root access without needing a password in most distros. You gotta change your grub config to force a login instead of jumping right into root.
Totally agree! Just wanted to share some thoughts: let's imagine an attacker has physical access. Since the grub config is not signed nor encrypted, an attacker can change it by using a live USB. What's next? Disable USB boot? It is still possible to remove a disk and make modifications on another computer. It would be better to encrypt /boot then. But how to configure it and where to store a key? Ok, grub supports LUKS1, but it doesn't support TPM yet. So it will require a password from the user. Even modern Linux distros need a LOT of work to make the boot process secure.
@alexk4894 Your points are the kind of things that keep me up at night. I have LUKS encryption on my drives. What I'm trying to prevent is access from a digital forensics specialist if my tech ever gets seized.
Use an SSH key with a passphrase.
Disallow password login.
Don't save any password to your browser; use LastPass or Bitwarden.
Disallow root login.
Only allow the server to be accessed via certain IP addresses. Must connect to a VPN.
More advanced setup: intrusion detection and prevention. Snort or next-gen firewalls.
Enable the firewall on the desktop.
Encrypt the hard drive.
Move server logs to a SIEM and set filters with alerts. Monitor service alerts, add filters.
Hey Nick. Please make a video showing how to use the fingerprint reader that comes with a number of laptops, esp. the Lenovo ones. I have a Lenovo X1 Yoga Gen 2 and that fingerprint reader I have never managed to get to work.
I mentioned earlier that a "passwordless" key SSH login protects one from a camera recording password entries. I neglected to mention another reason why it's a good idea to use: if routing to your server should ever get compromised, on login you could be talking to a password harvester. With key exchange, your SSH client will say: BS! That compromise of routing could occur at your ISP, your home LAN, or even over the Internet! There have been cases where large swathes of the Internet got rerouted through rogue countries by means of a compromise of the BGP routing protocol (it had been set up sloppily...)
Solid advice, but a public key will not make a server more secure. It is a matter of convenience, not security. If your laptop is hacked, the server is also hacked. Try instead to only allow SSH login from LAN and (as you mentioned) disallow root logins.
If the private key is password encrypted on your client it's much harder to steal the actual key. If it is stolen you can disable that single key. Of course if you're paranoid I believe you can set up sshd to require key _and_ password.
Feels like this was a long time coming. I'm still just glad Linux can smoothly separate admin and user! 😅 No end of trouble on Windows when some changes stick to the admin account instead of the user. 💀
Would love a video on firewall and SELinux; not sure if you already did make one as I couldn't find it in search. firewalld is a bit confusing and I am just now hearing about SELinux.
Try out Proton Mail, the secure email that protects your privacy: proton.me/mail/TheLinuxEXP
Since switching to Linux a few months ago, Windows feels completely unusable and unstable.
Updates can't break a Linux install huh? I guess my time spent with Manjaro was just some fever dream!
that moment when Proton Mail isn't nearly as private as you would think
As usual, LE speaks the truth that others are afraid to say. Linux isn't bulletproof. Any OS is only as secure as the effort the admins put into it.
Yep! It all depends on the distro and how much you’ve configured it to resist the threats you’re most afraid of!
Yeah, but he only realised it last week when he got sick by virus and (as reminded him) he still needs an antivirus... At least he is well now
I mean, all the large-scale attacks on webservers are servers with linux behind, the applications installed are more likely to have vulnerabilities then the OS, I've never rly heard of any big websites running on Windows.
I like the defaults on Fedora, firewall on by default, selinux on by default, root login disabled by default, only official repositories enabled by default
Don't forget, every time you disable SELinux, you make Dan Walsh weep.
Dan is a nice guy and he certainly doesn't deserve that.
I use Fedora after a 25 year career using Windows. Thanks for everything you guys do, your OS rocks
11:00 with usbguard you can allow and block USB ports based on plugged-in devices, so you can create a whitelist with your devices and block anything else.
IMO it's also worth paying attention to secure boot configuration, especially on laptops. Many distros do not implement initrd checking during boot, so an attacker can easily modify it and intercept the password for the encrypted partition. To avoid this there's a thing called a "unified kernel image", which combines the kernel and initrd into a single file and adds an SB digital signature. The main problem is that it is NOT configured out of the box on most systems. Canonical has plans to implement it in the next Ubuntu release (thanks to systemd-ukify), so hopefully this will change in the future.
The way I see it, if someone has physical access to my system it's game over anyway.
@Ryan-ct3rv This hasn't been the case for smartphones for over a decade, and the same approach can be adopted on the desktop.
Great knowledge. Thanks for sharing.
I'd love to enable secure boot, but I also rely on being able to hibernate my device, which for some reason is disabled when secure boot is enabled as a part of the kernel lockdown afaik
I'm already using UKIs with dracut and systemd-boot, so I'm well prepared for hibernation and secure boot to be easy
For context I am running Debian Unstable, with a manually compiled updated dracut
@Sqaaakoi I'm not sure about your device (laptop, right?), but most modern laptops don't drain too much battery while in sleep mode, aka suspend-to-RAM. Personally I use only this option and my laptop remains cold and charged for a long time. At least more than 3 days. Also it does not require a big swap file/partition.
I did a quick Google search and it seems like newer kernels should allow hibernation after adding "lockdown_hibernate=1" to the kernel cmdline. I did not test it, but hope it helps.
More security videos are always good!
Even an introduction to firewall configuration covering the most important points would be excellent!
Agreed.
Yes please!
exactly
One thing I thought I should mention: although primarily effective for Windows/Mac users, even just having an adblocker (uBlock Origin being my FOSS choice) can have a huge impact on web-based attacks, not only malware, but web-based tracking and information gathering.
So much this. uBlock Origin is a must; back then I used to have Adblock Plus but that thing was a RAM hog.
uBlock also supports disabling JS. Most dangerous browser vulnerabilities are because of JS (there's some HTML and CSS too).
I use whitelist mode, so all websites are static, except for some domains where I need JS
UBO is my go to. I use it on both Firefox and Vivaldi. (I don't trust anything else.)
Very interesting, and a video about SELinux or firewall would be amazing.
Yeah, I really wanted to explore them more, but they definitely will need their own video, there’s a lot to talk about!
@TheLinuxEXP Might wanna start off with SELinux vs AppArmor and what they're used for, and where the differences, advantages and downsides are.
@TheLinuxEXP As a casual Linux user wanting to find easy ways to run more securely, the most frustrating thing about security on any system (Windows is worse, obviously) is how fundamentally mixed up everything is at a low level, making it impossibly difficult to troubleshoot or make a security profile from simple, rational concepts. If you could make a video on how to get just deep enough into something, maybe like SELinux or AppArmor but not overwhelming... I would appreciate that a lot.
An example of something I would love it if you made a video about is how I can most easily run insecure things securely. For example: I want to install a new notepad program, so I find one and install it. At a very basic level I know a few things, like when I'm not using it, it shouldn't have any processes running. And it should never connect to a network, unless it's doing some cloud saving, for example.
How can I easily manage security flip switches to turn those abilities on and off? Don't even give that process a sign there is a network card until I flip a switch? Same for executing in the background, writing to anything, etc. If that can be done in a video, I would be grateful and impressed.
As for how... allow me to ramble on how I've found this impossible...
Like trying to accomplish application container/sandbox-style security... I need to set up AppArmor or SELinux... okay, maybe there's a GUI profile manager?
Nope.. I haven't been able to find anything. And it seems intentional.
For AppArmor, supposedly easier to use but less 'fundamentally' secure than SELinux, there was a GUI and premade profiles... but now all that is gone; they're all paywalled. A bad trend for Linux recently. SELinux on the other hand just seems to be ideologically against GUIs and profile tools, because you *must* understand / accept full responsibility for all the nuanced complexity it has, in which case you aren't going to be some GUI-using slob; you'll obviously live and die by the CLI.
It pains me I can't just install a new program I kind of trust but not fully and use linux to 'watch it' for abnormal behavior, because whenever anything uses any system services/resources they just "have access" or "don't have access".
For a super common example: application-specific network limitations and/or traffic monitoring / firewall is literally not a thing. It seems insane to me from a not-a-kernel-dev perspective that there is simply no fundamental way to watch / attribute all network traffic to specific processes. I get it that the way the architecture of the system is... it's just hard or impossible to trace the source back into userspace from the kernel. But if you COULD simply monitor application traffic and behavior, profile 'normal' behavior, it would make it so easy to spot, or even automate spotting, abnormal / compromised process behavior. That would make malicious intrusion incredibly difficult, having to move around within other processes. Instead, if you want to do that for network traffic you'll have to become an expert at IP/port/packet analysis to... make best guesses? Or start down the rabbit hole that is various tools to approximate this idea.
I get that a fundamental problem arises from granular control (SELinux being the ultimate granularity) and config gets more and more complex as you get granular in a system with a complex web of interlocking parts... but I mean, why aren't basic best practices and profiles easier to make? Get me an 80/20 profile.
We know one of if not the most common attack vectors is a malicious or infected process, so why are the tools to control, isolate, and analyze process behavior so arcane?
/rant
@stevenwinderlich2891 wrong channel
@TheLinuxEXP Would still love to see a dedicated firewall video from you. You explain things really well and they're easy to follow.
Besides obvious things like applying security updates:
I think most critical is that you have control over open ports. You don't want other people to get remote access to your system. So either close ports by disabling services or via firewall. For servers I recommend fail2ban as well. That bans IP addresses by the number of failed attempts, which can prevent primitive DoS attacks by single attackers.
Additionally you can improve internal security by dividing services and applications into containers, users and groups, so you don't run software with permissions it doesn't need or shouldn't have in general.
Another thing for SSH: If your server is public, you should only allow access via public keys and disable root login as well. Otherwise people will brute-force it...
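The "control over open ports" point above starts with knowing which sockets are reachable from the network at all. As an added example (not from the video or any commenter), here is a small shell function that reads `ss -tlnp` output and reports only the TCP listeners bound to something other than loopback; the `ss` output below is constructed, and the process-name parsing assumes the `users:(("name",pid=...))` column that `ss -p` prints.

```shell
#!/bin/sh
# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS=$(cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=700,fd=7))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=901,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       50      [::1]:5432           [::]:*             users:(("postgres",pid=1200,fd=5))
EOF
)

# exposed_listeners: read `ss -tlnp` output on stdin and print "port process"
# for every TCP listener bound to something other than loopback.
# Loopback-only services (cupsd on 127.0.0.1, postgres on [::1]) are skipped:
# they are not reachable from the network, so they need no firewall decision.
exposed_listeners() {
  awk 'NR > 1 && $1 == "LISTEN" {
    addr = $4
    n = split(addr, parts, ":")              # the port is whatever follows the last colon
    port = parts[n]
    host = substr(addr, 1, length(addr) - length(port) - 1)
    if (host ~ /^127\./ || host == "[::1]") next
    proc = "unknown"
    if (match($0, /users:\(\("[^"]+"/)) {    # pull the name out of users:(("name",pid=...))
      proc = substr($0, RSTART + 9, RLENGTH - 10)
    }
    print port, proc
  }' | sort -u                                # v4 and v6 sockets of one daemon collapse to one line
}

# On a live host:  ss -tlnp | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Every line this prints is a service that either needs a firewall rule or should be bound to localhost (or disabled, as the comment says); on the sample it reports only sshd on 22 and nginx on 80.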
Fail2ban is much more about password brute forcing than DoS blocks
"either disabling services or via firewall". No, you don't do only either, you must do both (assuming the service ain't used).
@rautamiekka What do you expect a firewall to do when there is no actual service running?
I'd love to have a noob-understandable video about firewalld and SELinux configuration for an average Steam gaming and internet browsing PC! Also ClamAV on-access scanning and/or commercial antivirus software for consumer desktops would be nice.
❤ I second this as well. Make it so.
Me too! 🤚
Second this as well :)
4:53 you can also do `sudo systemctl disable --now service` to disable a service and stop it at the same time. saves you from typing out a second command
True!
Oh sweet, ty for the tip lol
Finally, a useful video that actually helps enhance security while also making Linux use fewer resources.
Thanks! Good vid. Always interested in the security side for the user. Not so much for the server but never hurts to learn. You do a really good job of explaining "how to" and "why". Please continue...
Updates are just as likely to break things on Linux as well. Currently, Linux 6.5.5 seems to produce segfaults in FIO with BTRFS, and Mesa 23.2 breaks HEVC and H264 encoding in OBS Studio, again, for now.
The difference with updates in Linux is that you can scrutinize each package, update individually, find exactly what's causing the problems, and then not update that package until it's fixed. Timeshift and BTRFS subvolumes make this pretty quick and easy, vs System Restore and Windows Update, and use much less disk space for more restore points. Linux updates are not bug-free, and you should always have a backup to fall back to before updating.
A firewall video would be great!
It’s conflicting that by default, the firewall is turned off on most Linux desktops.
@a-yon_n And it is that way because there aren't any really user-friendly configuration/management tools. Which sucks but makes sense... people went through all the trouble of writing the actual firewall code for free, and now some normie wants them to do more work to dumb it down and make it easy for them to use? Leave it for someone else...
And the other topics like SELinux and AppArmor would also be great.
@craigslist6988 Isn't the firewall GUI on Mint pretty straightforward even for noobs?
@craigslist6988 I'd argue that end user experience is an important part of any software project.
I have watched a security video where they also suggested ClamAV to regularly scan your system, especially if you dual boot with Windows.
That’s also a very good tip, yeah!
@TheLinuxEXP Sadly ClamAV gives false positives a LOT of the time. I won't use it anymore. It's a known problem.
I think doing a video series on security is a great idea
A video on AppArmor or SELinux would be very useful.
I second that.
Feel pretty secure with openSUSE's defaults, but I too enjoy having secure machines.
Love to see some security-related content. It's such a confusing and noobie-unfriendly territory to get into when learning Linux; we need more videos like those.
The firewall is especially important: it's the first line of defense past the router, and it's frequently off by default.
Full disk encryption is also a must. For me, the most important thing to learn right now is how to set up full disk encryption together with secure boot, and if possible along with the TPM (Trusted Platform Module), so I have the option of setting it up without entering the password every time I boot. Tips on troubleshooting it when making changes to the system (changing partitions, distro hopping without losing files) would also be welcome.
I haven't been able to crack Linux security by myself yet. If this series does go on, maybe I'll finally be able to do it.
Having a TPM module is nice; software using it is rare, though. All the rarer where it's needed the most.
@lince4824 In some sense you would want fewer pieces of software to use the TPM, so its functionality can be kept minimal and stable. More usage = new requirements = new bugs.
@generic694 It must be used WHERE it is needed and WHENEVER it is needed. If you store critical passwords in RAM to avoid using the TPM module, that's a security hole, as happened in a serious, widely exploited incident on Microsoft's own server network, because they decided to keep that password in RAM. It didn't need any high-tech tool or software to abuse it, just a crash report sent to the development team, which in fact happened to include that CRITICAL Microsoft Exchange password. Do you think it cannot happen in Linux? TPM must be used whenever it is needed, not more, NOT LESS.
Another thing you can do for hardening is renaming the root account, then anyone looking for root login will need to overcome another hurdle. The downside is it could get confusing and some scripts and programs might be hardcoded with the name, possibly causing more problems than it's worth.
AFAIK, it's possible to log in by user ID. root must always be 0. So even if the name is unknown, you can still log in as user 0.
@Rudxain This highlights the biggest issue. Educate yourself about how Linux actually works. Then act accordingly. Misconceptions are what get people in trouble, whether that's trusting something that shouldn't be trusted, or the example you give here.
@that_heretic exactly!
...
wait, you mean I'm ignorant or OP is ignorant? I'm genuinely confused. I could be wrong about the UID
Linux users have time
"Linux isn't as secure as you think"
_Most people rejected his message. They hated him because he spoke the truth._
Seriously though, the "Linux community's", both users' and developers', indifference to and trivialization of security concerns is one of the worst things about both using Linux oneself and dealing with others who do. With increasing frequency, it occurs to me that Windows power users have developed a greater sense of responsibility purely from necessity.
Strangest comment I've ever read. Very passive aggressive dig at Linux users dude.
All the relatives and friends I've moved over to Linux have had zero security issues after having had regular attacks on Windows, and all they do is let the system run automatic updates whenever it asks.
I've been using Linux 100% (no dual boot) for almost 20 years now and I have never had security issues regardless of my "indifference".
Yeah, I have been using Linux for a year, and I found it interesting how the OS (at least the few I tested) has the firewall turned off by default. It is dangerously strange to say the least.
@howiecourt3445 lmao, Linux users suck and they have a terrible attitude in general. You are a part of the problem. If you think Linux has perfect security you are wrong. Every OS in the world needs to be aware and step up its security game these days; you can have malicious attacks on Linux, macOS, Windows. It does not matter as long as someone constructs a program that is cross-platform; if you click on the wrong link it will hit you too.
@howiecourt3445 Not a passive aggressive dig at anyone.
I'm a Linux user myself, obviously, as I suspect are more than 99% of Nick's subscribers and viewers.
What I am criticizing is the -widespread- omnipresent blasé nonchalance among Linux users and developers towards security.
In passing, I am also espousing Luke Smith's confutation of the term "linux community".
@howiecourt3445 this is the strangest comment you've ever read?
Well, let me be the first one to welcome you to the world wide web, you're in for a wild ride.
If using Docker, don't add your user account into "docker" group, don't configure your OS to use "docker" and "docker-compose" commands without sudo.
What security does this actually add? An attacker just needs my user's password to use sudo if they have an SSH session, which I think is harder to obtain than the password.
Can you elaborate why? Wouldn't running all of Docker with sudo make it even worse if the image/container was compromised? What about passing a UID to the container, rather than making it run as root by default?
@SirRFI The Docker daemon (server) is always running as root. The only thing you can decide about is whether the client software is running as root or not. Having the docker command available in your command line without sudo is like having sudo without a password. With a reasonably simple docker run invocation you can modify host files of your OS, which is a very big security hole.
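The two points made above, that a second UID-0 account is root whatever it is called (so renaming root changes nothing) and that membership of the docker group is root-equivalent, are both things an audit can check mechanically. As an added example (not from the video or any commenter), here are two shell functions over /etc/passwd and /etc/group; the passwd and group contents below are constructed, and the list of root-equivalent groups is an assumption to extend for your distro.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/group contents (not copied from a real system).
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid-0 account, should not exist:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:999:CI runner:/var/lib/svc:/usr/sbin/nologin
EOF
)
SAMPLE_GROUP=$(cat <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:999:bob
wheel:x:10:
users:x:100:alice,bob
EOF
)

# uid0_accounts PASSWD_FILE: every account with UID 0 is root, whatever it is
# called; the kernel only sees the number. Exactly one line ("root") is the
# expected result, anything else is a finding.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# root_equivalent_members PASSWD_FILE GROUP_FILE: members of groups whose
# membership is effectively root (the watched list is an assumption).
# Prints "group:user", with "(primary)" when the user gets the group through
# the GID field of passwd rather than the member list in group, which is the
# case most one-liners over /etc/group alone miss.
root_equivalent_members() {
  awk -F: -v watch_list="docker,sudo,wheel,lxd,disk" '
    BEGIN { n = split(watch_list, w, ","); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
    FNR == NR { primary[$1] = $4; next }       # first file (passwd): user -> primary GID
    ($1 in watch) {                            # second file (group): only the watched groups
      m = split($4, members, ",")
      for (i = 1; i <= m; i++) if (members[i] != "") print $1 ":" members[i]
      for (u in primary) if (primary[u] == $3) print $1 ":" u "(primary)"
    }' "$1" "$2" | sort
}

# Demo on the constructed files; on a live host pass /etc/passwd and /etc/group.
pw=$(mktemp); grp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
printf '%s\n' "$SAMPLE_GROUP" > "$grp"
echo "UID 0 accounts:";          uid0_accounts "$pw"
echo "root-equivalent members:"; root_equivalent_members "$pw" "$grp"
rm -f "$pw" "$grp"
```

On the sample this flags `toor` as a second UID-0 account, `bob` as a docker group member and `svc` as getting docker through its primary GID, alongside alice's ordinary sudo membership.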
Although there can be an emphasis on protecting your computer from outside attackers, which does require action, especially on servers, it is also worth mentioning that some security, like drive encryption, makes it harder to recover data. So for a number of people it is less secure having encrypted drives, because they are more likely to lose their data due to forgetting passwords or hardware problems than to some random person stealing their computer to look at their files.
Oh that is totally true. I'm an absolute goof and am being honest for the sake of agreeing with your post's accuracy.
Don't forget to have an SSH jump host, which adds additional security. And a port randomizer both on the jump host and the real server. Good luck guessing: the current IP for the SSH jump host (with a random IP pool that you will have a schedule for the next IP), and its port, and the SSH port of the real server. Then it doesn't matter if you have root or not. You can use different certificates for both the jump host and the real server. Each devop will have their own account with the least needed permissions and groups.
Sometimes it's too painful to use random ports. Personally, I think that port knocking and limiting login attempts will be good enough in most cases
Yes, more tool and security videos please, especially SELinux & AppArmor
I recently started dual-booting again (thanks PC games), and I have to say hardening on Windows is relatively easy compared to Linux. Though I still believe I am the greatest security to my own device, it is great to know all of this just in case of a lapse of judgement.
On the basic level, Windows still has FAR more services running as the SYSTEM user (higher privileges than Administrator) than Linux has running as root. That said, I think it would be great to have Linux develop further with running fewer things as root. And as you mentioned, have better defaults, or make it easy to have a distribution package called hardening. A huge missing feature of Windows is proper container support. That said, I think Linux containers are still behind Solaris Zones' security level.
@autohmae Containers are definitely a Linux security perk. I agree that you can do more in-depth hardening with Linux, but Windows gives you simpler options and intuitive defaults.
On my end, I am still trying to harden my Windows using Sandboxie and custom rules. And damn, I am still not done.
The problem with Linux is the user base, not the software.
You can lock down Linux tighter than a nun's nasty, and you can achieve bulletproof (nearly) tin foil hat status, but you need to know how, and that's where 9x% of people get in trouble. I've run dozens, maybe in the lower 100 counts, of Linux servers, and the number of times I've seen an “experienced IT professional” do something that causes a head smack to crack your skull is countless.
My list of stuff to check as a first pass. This won't bulletproof the tin foil, but it will shine. (Nick brought some of these up)
1. The first biggest issue, by far, is having permissive sudo settings! -DO NOT GIVE EVERYONE SUDO ACCESS.
2. The second-biggest issue, by far, is having permissive sudo settings! -DO NOT GIVE EVERYONE SUDO ACCESS.
3. The third-biggest issue, by far, is having permissive sudo settings! -DO NOT GIVE EVERYONE SUDO ACCESS.
4. Lock down SSH, and DO NOT change the port. Changing the port is not going to help you. If you're at the point that moving from 22 to 9022 is going to polish the top of your security walking stick, then fine, but if that's the case you're also going to agree it's usually pointless.
5. Lock down user accounts. Make sure user accounts are properly controlled, groups are reviewed, passwords policies are in effect, and review system permissions.
6. Use SELinux or another security framework, if SELinux is fighting you, in 9X% of cases, you've done something wrong.
7. Use IPTables, BPF Tables, and other tools to build the proper routing settings!
8. Sweep for kernel modules!
9. Manage keys correctly, don't have users with a single SSH key that use the same key on everything. 1 key = 1 service.
10. Use multifactor authentication. You are NOT too busy to have additional factors, PERIOD!
11. Monitor, Monitor, Monitor, oh and make sure you monitor. All logs should be sent to a remote server.
12. (Nick brought this up), remove the stupid GUI! It's a server, learn to use it.
13. Use VMs for isolation.
14. Disable services you don't need, and close ports that shouldn't be open.
15. If you use an email server, FULLY ISOLATE IT. Seriously! Do not install an email server with other services.
If you follow these points, you'll be at least in a good default state, from there have fun polishing the tin foil even more.
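Item 4 of the list above ("lock down SSH") and the earlier comment recommending key-only access with root login disabled both come down to a handful of sshd_config directives, and the usual mistake is believing a directive is set when it is not. As an added example (not from the video or any commenter), here is a shell function that audits the effective value of five directives against a hardened baseline; the two configs are constructed. It encodes three sshd rules that catch people out: the first occurrence of a keyword wins, an absent or commented-out keyword takes the built-in default, and anything after the first `Match` line is conditional. It does not follow `Include` lines, so on a real host audit the output of `sshd -T`, which prints the fully resolved configuration in the same keyword/value form.

```shell
#!/bin/sh
# sshd_audit CONFIG_FILE: print one OK/FAIL line per audited directive and
# return non-zero if anything fails. The baseline (want) and the sshd defaults
# (def) are spelled out so the reasoning is visible.
sshd_audit() {
  report=$(awk '
    BEGIN {
      want["permitrootlogin"]              = "no";  def["permitrootlogin"]              = "prohibit-password"
      want["passwordauthentication"]       = "no";  def["passwordauthentication"]       = "yes"
      want["kbdinteractiveauthentication"] = "no";  def["kbdinteractiveauthentication"] = "yes"
      want["pubkeyauthentication"]         = "yes"; def["pubkeyauthentication"]         = "yes"
      want["x11forwarding"]                = "no";  def["x11forwarding"]                = "no"
    }
    { sub(/#.*/, "") }                         # drop comments; this re-splits the fields
    NF < 2 { next }
    tolower($1) == "match" { exit }            # global section ends here (END still runs)
    {
      k = tolower($1)
      if ((k in want) && !(k in got)) got[k] = tolower($2)   # first occurrence wins
    }
    END {
      for (k in want) {
        v = (k in got) ? got[k] : def[k]       # absent directive -> built-in default
        if (v == want[k]) print "OK   " k "=" v
        else              print "FAIL " k "=" v " (want " want[k] ")"
      }
    }' "$1" | sort)
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -q '^FAIL'
}

# Constructed configs (not taken from any distro or from the video).
WEAK_CFG=$(cat <<'EOF'
# looks hardened at a glance, but PasswordAuthentication is commented out, so the
# default (yes) applies, and the "no" further down only applies inside a Match block
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
)
HARD_CFG=$(cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
X11Forwarding no
EOF
)

weak=$(mktemp); hard=$(mktemp)
printf '%s\n' "$WEAK_CFG" > "$weak"
printf '%s\n' "$HARD_CFG" > "$hard"
echo "== weak =="; sshd_audit "$weak" || echo "(not hardened)"
echo "== hard =="; sshd_audit "$hard" && echo "(hardened)"
rm -f "$weak" "$hard"
# Live use:  sshd -T > /tmp/effective.conf && sshd_audit /tmp/effective.conf
```

The weak config fails three checks (root login, password auth and keyboard-interactive auth, the last two purely through defaults) even though it contains the words "PasswordAuthentication no" twice; that is exactly the case an eyeball review passes and this check does not.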
Good tips, thanks!
You're very wrong. I stopped reading at paragraph 2. Tin foil hat please, just kidding, but you're very very wrong. You are right that most people, experts and admins will make a barely secure system much much more insecure on the first day though.
@lince4824 What do you feel I got wrong and why? I don't mind disagreement, but I really don't see much wrong with my list as a basic first pass. Keep in mind you can do much more, and should.
Oh, and the #1 thing admins do, usually by accident or because they're busy, is give everyone sudo, and sudo ALL=ALL. Actually, in a lot of cases I recommend removing sudo; it's a very powerful tool, and you almost certainly don't actually need it.
One thing you really should have mentioned about securing an SSH server is fail2ban, which reduces the chance of getting brute-forced a lot and hardly interferes with normal usage at all. Other than if you manage to typo the password a few times in a row, you might have to log in from some other IP address to unban your IP (or just wait until the automatic unban after the set unban time). Though I would suggest tightening the settings a little from the defaults, which are too loose if you ask me. For example I think the unban time is usually too low with the default settings.
EDIT: After continuing the video I noticed you did mention faillock in a later part of the video, but I think fail2ban is more useful for SSH because it blocks all access from that IP instead of the "attacked user account". Both ways have something good and bad of course, but overall I prefer fail2ban because then you can have a long unban time without being blocked completely out of the system yourself.
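The fail2ban-versus-faillock distinction above (block the source address versus lock the guessed account) is easiest to see on the log lines themselves. As an added example (not from the video or any commenter), here is the core of what fail2ban's sshd filter does, written as two shell functions over sshd log lines: count failed password attempts per source address, and list which account names one address tried. The log lines are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); the real fail2ban also applies a time window (findtime) and expires bans, which this sketch leaves out.

```shell
#!/bin/sh
# Constructed sshd log lines in auth.log / journald format (not real traffic).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Oct  3 10:12:01 host sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 41322 ssh2
Oct  3 10:12:04 host sshd[2231]: Failed password for root from 203.0.113.5 port 41322 ssh2
Oct  3 10:12:07 host sshd[2240]: Failed password for invalid user test from 203.0.113.5 port 41340 ssh2
Oct  3 10:12:10 host sshd[2244]: Invalid user oracle from 203.0.113.5 port 41360
Oct  3 10:13:00 host sshd[2250]: Failed password for alice from 198.51.100.7 port 50022 ssh2
Oct  3 10:13:20 host sshd[2252]: Accepted publickey for alice from 198.51.100.7 port 50030 ssh2
Oct  3 10:14:00 host sshd[2260]: Failed password for invalid user admin from 203.0.113.5 port 41400 ssh2
EOF
)

# ssh_failures_by_ip [THRESHOLD]: read sshd log lines on stdin and print
# "count ip" for every source with at least THRESHOLD failed password attempts
# (default 3), most active first. This is the per-source view fail2ban acts on.
ssh_failures_by_ip() {
  awk -v max="${1:-3}" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      count[ip]++
    }
    END { for (ip in count) if (count[ip] >= max) print count[ip], ip }' | sort -rn
}

# ssh_failed_users_from IP: the distinct account names tried from one address.
# One real user name means a mistyped password; a spread of non-existent users
# means a wordlist sweep. faillock would lock each guessed *account* (useless
# against "admin"/"test", painful for "alice"); fail2ban blocks the *source*.
ssh_failed_users_from() {
  awk -v want="$1" '
    /Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip != want) next
      u = $(i - 1)                     # the word before "from" is the user name
      if (!(u in seen)) { seen[u] = 1; print u }
    }' | sort
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_failures_by_ip 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_failed_users_from 203.0.113.5
# Live use (Debian/Ubuntu unit is ssh, Fedora/RHEL is sshd):
#   journalctl -u ssh --since today --no-pager | ssh_failures_by_ip 5
```

On the sample, 203.0.113.5 crosses the threshold with four failures across three user names (admin, root, test), while alice's single typo from 198.51.100.7 stays below it.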
Proper!!
Just forbid password login and use key only.
@@generic694 Amen to that.
You're the best Linux desktop channel in my opinion.
I would really like a SELinux video from you.
I have security cameras going to a computer using FTP, and not all the images and videos would record. The camera company wanted me to disable the firewall, which I didn't like at all. What I found out is that you can allow all access through the UFW from only one other computer. I did this for each camera, and the problem went away. This is a very special case, but it allowed keeping the firewall up, while solving the problem.
Your firewall is only as good as how hard it is to pretend to be those cameras then. I hope they use an SSH key to provide host identity.
Yes, an SELinux and firewall configuration video with solid fundamentals and some advanced tips would be great and pretty much unique on YT.
Would absolutely love a firewall tutorial
Passphrase: the key to having a great password. Use 2 or 3 word combos. Thanks, the video covers a lot. Great video.
"2 or 3 word combos"?
Like, for example, My1Password2Sucks3?
For a proper password use a mix of upper and lower case letters, numbers, and symbols: Gx72&tP9kW28%5+Zz3F$28Q-14Rs.
Use something similar as the user name, and wish every brute force attack good luck.
The securing SSH tip was a big one for me, as I am new to setting up SBCs running lightweight apps that I only access through SSH. Thanks for that.
I am very interested in a firewall and SELinux video
Consider placing your web browsers into a container and using a watchdog on the browser. That way you can make a script that watches the browser and if anything goes wrong you can kill the container and delist any permissions and rm -rf the contents or the container itself.
There's a performance and resource hit for this though. Good luck with YouTube and similar sites, as they tend to run at 3/4 or less overall speed/response/however you want to call it.
Also instead of SELinux or AppArmor you may want to consider Snort or Suricata. They all utilize a similar rules-based method for partition-to-partition, app-to-app, system-to-network, and network-to-system management and logging.
The only benefit of Suricata is that it can make use of GPU tech. So those with a dual/multi GPU setup can get a tiny performance boost. So if you're one of those with a dedicated GPU and a CPU with integrated graphics (Intel k series or AMD APU) you can run Suricata without too much of a system performance hit.
Browsers are some of the most secure software there can be on a desktop OS. I fail to see how this adds anything. Containers aren't a security boundary. GPU processes, audio processes are all vectors for attack. And you do not contain those with a simple container.
@WarkWarbly, browsers have dedicated security teams with people on payroll. A browser executes remote untrusted code. It's a miracle they don't pwn their users every day. Sure, some zero-days existed and do exist.
For the algae rhythm! Also, a firewall episode would be welcome.
PS the main reason root SSH is disabled in favor of sudo for admins is that the attacker also needs to find their username
Yep!
Oh yeah, I would love to see videos on firewalls, you explain things in a good way.
Yes please! I would love to see a deeper dive into hardening Linux!
I would appreciate some basics of firewalls. Thanks!
Noted!
12:58 SELinux is also used on Android.
Finally a video on security I can follow....more please👍
More of this please! You answered the query I have been searching for
Thanks for the video. Regarding firewall, SELinux and AppArmor, those are good topics for future videos. I would add that the firewall is the more relevant topic, since I think it is sort of a must-have for desktop and server.
Yes! I’d love to see another video on this please
I have changed the default SSH port for security reasons;
I also use the "howdy" facial recognition tool to avoid entering the password manually with every move
Superb video as usual; videos on security are always instructive. Firewall configuration, AppArmor, SELinux, Kicksecure, Fail2ban, etc. would be topics that I think could help a lot of users. Keep up the good work.
There is also bubblewrap! It's used by flatpak under the hood.
Hi Nick, great video as always! I'd definitely love to see a more in-depth video on SELinux, AppArmor and Firewall!
Thanks for the vid. I'd be interested in a firewall video!
Great tips. Thanks for taking the time and making this video.
There is of course one option to keep it really secure: don't have just one machine for everything. We all access websites that are less than optimally trustworthy. Some are somewhat shady.
And we all have an old laptop or PC sitting around, not fast enough for everyday use, but still quite good (especially with Linux, since there are Linux distros out there that are pretty light on the computer). Just have one machine with high security dedicated for online banking, email etc., and your main PC is for everything else.
Even a VM is helpful and better than nothing. A lot of malware just goes the easy route and scans for passwords and logins to the really important stuff.
Oh, and that machine you dedicated to the most important tasks? Just keep it turned off. It's hard to hack a computer that is physically without power.
I use an expanded version of this idea... buy 4x (or find them lying around, like that old laptop) flash drives. You can run a live distro on each drive, completely separated operating systems. Even 16GB is enough to run the basics: GUI, web browsing and all the other basic apps. 32GB is much more comfortable for Firefox's crappy memory leaks. With 128GB you'll never run into a space issue if you just use external storage for large downloads. These drives are < $20 now, a fairly small price to pay.
What I wish is that they had something I could 'hot swap' between these OSs... like VMs, but without emulation losses. You can hibernate and swap to approximate that behavior though... if you can get hibernation working (you need more space also; 128GB is plenty for it).
@craigslist6988 Oh yes. The most insane variant of using old laptops was from around 20 years ago. I knew a guy who bought a bunch of old laptops from his employer just for surfing in somewhat risky situations. To be more precise: he loved surfing the internet while on an air mattress. Sometimes, a laptop met the bottom of his pool.
No problem, he took the next laptop from the stack of laptops he had.
Yes, please! Firewalls & Selinux videos!
Little tip on systemctl: if you do `systemctl disable service-name --now` it stops and disables with the same command
The "in the process" pun had a pause just long enough for me to stop eating and give the phone a meaningful look from my lunch. 😏
Sure. Any tips to protect my data and work are appreciated. It will also help explain why IT does the crazy things they do (sort of). Thanks Nick.
Can you please one day make a guide on how to make your own virtual VPN, without needing to buy a physical device? Thanks a lot!
Lynis auditing tool. It scans your system and shows options on how to harden your system after it's finished. Needs to run as root.
Great video. I would also recommend changing the SSH default port to something random, as most bots probe 22.
No offence intended here, but changing ports is generally considered useless; bots are not probing any ports specifically, they mostly probe for any open port. The protocol is then as simple as a packet sniff. You can get better results by disabling ping requests from unknown sources.
Tip 101 : unplug internet 😂
On a server? 😅
@MarcinTrybus on the router 😈
tip 102: if you need internet, tor
Very interested in knowing how to set up security for different types of users like beginners, or if I need to set it up for other users like family
Make a video on SELinux and AppArmor configuration and how to add or remove policy 😊
Disabling a systemd service (and timer, etc.) won't completely prevent one from running; you need `mask` as well (to compare with Window$, `disable` is roughly equivalent to setting a service to `Manual` start, and `mask` is totally equivalent to `Disabled`), and you should `stop` one as the last step instead of before, so that if a service/etc. is being run on a trigger/timer, it won't be able to start it and thus make your attempt useless until the next reboot.
^ So, in this order: disable, mask, stop.
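The disable, mask, stop order above (and the `--now` shortcut mentioned earlier in the thread, which stops before it disables and so leaves the window this comment warns about) is worth having as a function rather than three commands typed by hand, because the order and the set of units are where mistakes happen. As an added example (not from the video or any commenter), here is a shell function that applies the three steps to each unit it is given, with the command it drives passed in as a parameter so the sequence can be exercised against a constructed stand-in for systemctl without touching the host. The unit names are made up; on a real host pass the trigger units (`.timer`, `.socket`) before the `.service`, after confirming each exists.

```shell
#!/bin/sh
# neutralize_units RUNNER UNIT...
# For each unit, in this order:
#   disable  - remove the symlinks that start it at boot / on its trigger
#   mask     - link the unit to /dev/null so nothing (timer, socket, dbus, a
#              stray `systemctl start` in a script) can load it again
#   stop     - end the running instance last, when it can no longer come back
# RUNNER receives "verb unit"; normally it is systemctl (run with privileges),
# here it is a parameter so the sequence can be checked dry.
neutralize_units() {
  runner=$1; shift
  for u in "$@"; do
    for verb in disable mask stop; do
      "$runner" "$verb" "$u" || { echo "failed: $verb $u" >&2; return 1; }
    done
  done
}

# Constructed stand-in for systemctl: records what it was asked to do as a
# "verb unit; " trace and changes nothing.
DRY_RUN_LOG=""
dry_run_systemctl() {
  DRY_RUN_LOG="${DRY_RUN_LOG}${1} ${2}; "
}

# Trigger units go first, so they cannot relaunch the service mid-way.
neutralize_units dry_run_systemctl cups.socket cups.service
printf '%s\n' "$DRY_RUN_LOG"
# Live use (as root), after `systemctl list-dependencies --reverse cups.service`
# has shown which timers/sockets point at it:
#   neutralize_units systemctl cups.socket cups.service
```

The function stops at the first failing step and reports it, so a half-applied sequence is visible instead of silently leaving a unit disabled but unmasked.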
Great video and as I’m still learning I’m all for a video on firewall config and SELInux.
On servers, you also should deny remote root logins and escalate if you need root privileges
I recommend adding one-time passcode step for the SSH login. That way, even if someone ever steals your password, they still won't be able to log in.
Firewall configuration would be pretty interesting to see!
>You can also logout users after multiple login failures.
I think you may want to say "You can also disable login attempts after multiple failed login attempts". Logout does not happen in that context because the user wasn't able to log in at any point.
Hope this can help.
It would be amazing to have a firewall config video
You missed the hint to lynis which checks how secure a system is and suggests ways to improve that
Yes please, a firewall video would be great. Lately I had to disable mine, every time I turn it on I can't seed any torrents and as much as I try to configure it, the torrent client stays idle. I don't know what I'm doing wrong.
The easiest thing to do for a desktop is just use an immutable distro and mount your home partition or folder as noexec, then you'll have a system that's pretty much bulletproof.
I expected a Safing Portmaster sponsor spot for a video like this, meanwhile it wasn't even shown as a firewall or something. Anyway, + for a firewall or SELinux/AppArmor video. Likewise, I would like to see a video on backups (preferably not online ones) and password managers.
You missed a big one. single user mode allows root access without needing a password in most distros. You gotta change your grub config to force a login instead of jumping right into root.
Totally agree! Just wanted to share some thoughts:
Let's imagine an attacker has physical access. Since the grub config is not signed nor encrypted, an attacker can change it by using a live USB. What's next? Disable USB boot? It is still possible to remove a disk and make modifications on another computer. It would be better to encrypt /boot then. But how to configure it and where to store a key? Ok, grub supports luks1, but it doesn't support TPM yet. So it will require a password from the user.
Even modern Linux distros need a LOT of work to make boot process secure.
@@alexk4894 Your points are the kind of things that keep me up at night. I have luks encryption on my drives. What I'm trying to prevent is access from a digital forensics specialist if my tech ever gets seized.
Yes, please do all security videos. Thanks.
As a Linux beginner, that's overwhelming
Use ssh key with a passphrase. Disallow password login.
Don't save any password to your browser; use LastPass or Bitwarden
disallow root login
Only allow the server to be accessed via certain IP addresses. Must connect to a VPN.
More advanced setup: intrusion detection and prevention. Snort or next-gen firewalls
enable firewall on desktop
encrypt hard drive.
move server logs to a SIEM and set filters with alerts.
Monitor service alerts, add filters.
I know this is not necessarily a very hardcore, into the miserable details kind of channel, but I would love some deep dives on this topic!
Hey Nick. Please make a video showing how to use the fingerprint reader that comes with a number of laptops, esp the Lenovo ones. I have a Lenovo x1 Yoga Gen2 and that fingerprint reader I have never managed to get to work
Mostly not possible, most fingerprint readers don’t have drivers for Linux :/
I mentioned earlier that a "passwordless" key ssh login protects one from a camera recording password entries. I neglected to mention another reason why it's a good idea to use: if routing to your server should ever get compromised, on login you could be talking to a password harvester. With key exchange, your ssh client will say: BS!
That compromise of routing could occur at your ISP, your home LAN, or even over the Internet! There have been cases where large swathes of the Internet got rerouted through rogue countries by means of a compromise of the BGP routing protocol (it had been set up sloppily...)
ALSA is the backend. Pipewire and Pulseaudio are built on ALSA
a video on Linux firewalls would be great! please consider doing so in the future
Yes, I would like to see another video going more in-depth.
It'd be great to see some more security videos from you :)
Solid advice, but a public key will not make a server more secure. It is a matter of convenience, not security. If your laptop is hacked, the server is also hacked. Try instead to only allow SSH login from LAN and (as you mentioned) disallow root logins.
If the private key is password encrypted on your client it's much harder to steal the actual key. If it is stolen you can disable that single key. Of course if you're paranoid I believe you can set up sshd to require key _and_ password.
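Several comments above recommend the same sshd settings (no remote root login, no password login, a key paired with a one-time code or password). As an added example that is not from the video or any commenter, here is a small Python audit of those settings in an sshd_config; the two sample configs are constructed, and the finding texts are my own wording.

```python
import re

# OpenSSH defaults for the audited keywords, used when the line is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}
# Value each keyword should have, and why (the advice from the comments above).
EXPECTED = {"permitrootlogin": ("no", "remote root login should be disallowed"),
            "passwordauthentication": ("no", "password login should be off; use keys"),
            "pubkeyauthentication": ("yes", "public-key login must stay enabled")}

def parse_global(config_text):
    """Global-section {keyword: value} of an sshd_config. sshd keeps the FIRST value
    seen per keyword, and lines after the first 'Match' only apply to matching
    connections, so later duplicates and Match blocks are ignored here."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments/blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if parts[0].lower() == "match":
            break
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(config_text):
    """Return findings (strings) for the settings above; [] means hardened."""
    s = parse_global(config_text)
    findings = [f"{k}={s.get(k, DEFAULTS[k])}: {why}"
                for k, (want, why) in EXPECTED.items()
                if s.get(k, DEFAULTS[k]).lower() != want]
    # AuthenticationMethods: space-separated alternatives, each a comma list the client
    # must complete in full. Every alternative must pair the key with a second factor.
    alts = [a.split(",") for a in s.get("authenticationmethods", "any").lower().split()]
    if not all("publickey" in a and len(a) > 1 for a in alts):
        findings.append("authenticationmethods: key not paired with a second factor")
    return findings

# Constructed samples: a permissive distro-style file and a hardened one.
WEAK = """Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no    # ignored by sshd: the first value above wins
"""
HARDENED = """PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AuthenticationMethods publickey,keyboard-interactive
Match Address 192.0.2.0/24
    PasswordAuthentication yes    # conditional, does not change the global audit
"""
```

The `keyboard-interactive` method is what a PAM one-time-code module plugs into, so the hardened sample requires the key and the code on every login.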
I would like to see a firewall setup video.
I would like to see a video on firewalld, backup software, and logging software/logging analysis software. Thanks.
I'm interested in seeing a video on SE Linux.
SELinux and firewall video? Yes please. I think it would be helpful
@Linux Experiment, there are no links in the description box regarding topics you talked about in this video
Thanks LE. I’m relatively new to Linux so this is very good info.
Hi Nick. I think many people would like to know how to set up firewalls and SELinux/AppArmor for a generic use case
Feels like this was a long time coming. I'm still just glad Linux can smoothly separate admin and user! 😅 No end of trouble on Windows when some changes stick to the admin account instead of the user. 💀
Now I'm curious. How exactly does that work on Windows?
Thanks. I really need this episode.
You’re welcome!
Nice Video. Can you do a Video how did you customize your KDE System?
It’s planned!
@@TheLinuxEXP When will it be published? I’m very excited.
Would love a video on firewalls and SELinux, not sure if you already did make one as I couldn't find it in search. firewalld is a bit confusing and I'm only just now hearing about SELinux
At 15:04 what's the UI there based on? I really like the dark theme and the way everything is presented
I'd quite like to learn a bit more about the firewall