Hardening Access to Your Server | Linux Security Tutorial

  • Published on 16 Jun 2024
  • In this tutorial, we'll go over how to harden your Linux server against unauthorized access. With these basic security practices in place, your server will be more secure from outside attacks.
    Chapters:
    0:00 - Intro
    0:41 - Updating Your System
    4:34 - Using Automatic Updates
    6:20 - Add a Limited User Account
    10:22 - Harden SSH Access
    16:12 - Remove Unused Ports
    17:57 - Outro
    New to Cloud Computing? Get started here with a $100 credit → www.linode.com/lp/youtube-vie...
    Read the doc for more information on Securing Your Server→ www.linode.com/docs/guides/se...
    Learn more about Security→ www.linode.com/docs/guides/se...
    Subscribe to get notified of new episodes as they come out → th-cam.com/users/linode?sub_co...
    #Security #Linode #ServerSecurity #Linux
    Product: Linode, Server Security, Linux; Jay LaCroix;
  • Science & Technology

Comments • 83

  • @latlov 3 years ago +45

    5:00 Automatic updates with:
    $ apt install unattended-upgrades
    $ dpkg-reconfigure --priority-low unattended-upgrades
    6:08 Confirm usage of unattended-upgrades
    7:00 Create a new user
    7:37 # ls /home
    7:43 # cat /etc/passwd
    7:55 Check whether sudo is installed or not: # which sudo
    8:20 visudo
    8:30 Make that new user a member of either those two groups (sudo or admin)
    9:10 Otherwise # usermod -aG [sudo,admin,wheel] userName
    9:36 # groups userName
    9:52 Make sure that sudo works: # su - userName
    10:02 Make sure sudo actually works: $ sudo apt update
    14:23 allowUsers user1 user2 etc
    15:15 $ sudo systemctl restart sshd
    16:20 List all ports that are actually listening for outside connections $ sudo ss -atpu
    17:20 $ sudo apt remove postfix

    • @Ranblv 2 years ago +3

      --priority-low is wrong it's --priority=low

    • @afrinthasleema4900 11 months ago

      00lĺ

  • @cjt5570 3 years ago +3

    I am so happy to see Jay on Linode channel. I started using Linode a year ago with his promo link, and I really like it. Going to set up more instances this year 😍

  • @vasiovasio 3 years ago +2

    Really Great and Useful Video! Thank you Linode!

  • @fosres 3 years ago +3

    I personally like how Linode is featuring some of my favorite TH-camrs. Wolfgang was also featured on Linode's channel. Thanks Linode!

    • @AkamaiDeveloper 3 years ago +2

      Great to hear, thanks for the feedback!

  • @pablogallegosgonzalez623 1 year ago

    Hi from Chile, in the last days I learned so much about Linux distributions and configurations, thanks a lot.

  • @hanskinsella5078 3 years ago +2

    Great video, really helpful content.

  • @alanjrobertson 2 years ago

    Fantastic video, Jay 👍

  • @marcosoliveira8731 2 years ago

    I've learned new stuff today. Thank you.

  • @garcelleng1142 1 year ago

    Thanks so much, I needed guidance for a project and your video helped me.

  • @t.s.k2318 3 years ago

    Thank you for this video.

  • @anoldslowhorse 1 year ago +1

    Extremely helpful video, so many great examples to follow. A must view. Thank you.

  • @fgarza 2 years ago

    Thanks, I was using putty to ssh into the server, and previously configured DigitalOcean to only accept connections with the private key, but it was only for root user. I had to manually create the ~/.ssh/authorized_keys file in my new user and paste the private key there so that it allowed me to enter to the server again. So now I can only log in with my user and not my root.

  • @miladzahmatkesh7813 2 years ago

    Thanks! so useful.

  • @fred2009ification 3 years ago

    Very Nice. Greetings from Brazil.

  • @He-Is-One-and-Only 2 years ago +3

    Would be very helpful if u add those commands or in a TXT file linked. Nice stuff appreciated 👍🏻

  • @BhaktaDas 2 years ago

    Love from India, Great Help

  • @bigbicepstime 3 years ago +1

    Golden stuff

  • @wojteknastaj6438 1 year ago +1

    Hi Jay, thank you so much for all the content on your channel. It helps a lot. I'm following your process here but running into a problem. I created my user, and when I try to switch from root to the new one, I get this 'su: cannot open session: Cannot make/remove an entry for the specified session'. I tried to google it but can't really find a helpful answer. Can you help me with this?

  • @cmdaltctr 2 years ago

    Thank you for this, you are a great teacher. Will there be a video on setting up a firewall?

    • @AkamaiDeveloper 2 years ago +1

      Thanks! We have 2 videos on firewalls.
      First using the cloud manager: th-cam.com/video/H7wM5mDI1-k/w-d-xo.html
      And using UFW: th-cam.com/video/XtRXm4FFK7Q/w-d-xo.html

  • @emanuelfaisca1783 3 years ago +3

    Great Video! Thank you for this. Can you do one about firewall configuration?

    • @AkamaiDeveloper 3 years ago +1

      Sure, stay tuned!

    • @dragon3602010 3 years ago +3

      @@AkamaiDeveloper yeah it would be cool, ufw with dockers because there is something weird about it, thanks 👍

  • @DannyMexen9 3 years ago

    Very helpful, thank you.

  • @latlov 3 years ago +3

    5:00 One question concerning "automatic upgrades". Will the system reboot automatically? or do we still have to reboot it ourselves? What if automatic rebooting, as a result of unattended-upgrades, affects the web applications or containers?

    • @AkamaiDeveloper 3 years ago +6

      You can use "sudo nano /etc/apt/apt.conf.d/50unattended-upgrades" to configure how reboots are handled on the server. You can change these lines for example:
      Unattended-Upgrade::Automatic-Reboot "false";
      Unattended-Upgrade::Automatic-Reboot-Time "02:38";

  • @prevpapers 1 year ago

    Hi, is there any way to block some port opened by running docker-compose?

  • @bzdesign07 2 years ago

    Very useful tutorial, thank you. But I have a question: when we use SSH keys to log in to our Linux server, how can we have an sftp connection and transfer files from/to our server?

    • @AkamaiDeveloper 2 years ago

      This thread might answer your question superuser.com/questions/1569467/how-to-connect-to-sftp-server-using-ssh-key-from-command-line-whats-the-comman

  • @BalurPoco 1 year ago

    How can I get automatic updates on a RHEL clone distro, for example in AlmaLinux?

  • @hopelily6432 1 year ago

    Hi there, I'm logged out of the ssh, how do I fix it on the Lish console?

  • @susiebaka3388 2 years ago

    will unattended-upgrades upgrade packages like django and postgres? I don't want this to happen because it could break my application.

  • @jeffreyschlieve590 2 years ago

    The video was great. I have one issue: I use SecureCRT and Windows. Is there a way to transfer the key with SecureCRT? I was not able to run the same commands from the Windows DOS prompt.

    • @AkamaiDeveloper 2 years ago +2

      You might find success using the method outlined in SecureCRT's documentation www.vandyke.com/support/tips/publickeyauth.html - however if you run into trouble, you can always install your key manually using the steps in our guide here: www.linode.com/docs/guides/use-public-key-authentication-with-ssh/#manually-copy-your-public-key

    • @jeffreyschlieve590 2 years ago

      @@AkamaiDeveloper I ended up using power shell. It was the first time I had actually used it. I am kinda old school and slow to adapt sometimes. Thanks for your direction, it helped me learn.

  • @michalroesler 1 year ago

    Where can I find info regarding specific lines of "ssh -v HostName" output. I want 2 learn what this output means.
    Most of it I understand but 4 example:
    debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
    or
    debug1: identity file C:\\Users\\roeslermichal\\.ssh\\poczt_id_ed25519 type 3
    What "type 3" means ???

  • @coolergappney1943 2 years ago +1

    Nah, doesn't work. Every time I try to ssh in to my limited User I get permission denied. I even used the vid tutorial and the options given when creating the server. Both don't work.

  • @Techtips200 3 years ago

    How to do hardening via ansible play book

  • @TakeOnMe5 11 months ago

    The copy of the public key is optional, right? On first connect it will be added to the known hosts by answering a prompt.

  • @starsstars5727 1 year ago

    Can I ask how can i reset root password to connect with ssh

  • @tubeDude48 2 years ago

    I've never come across a Debian Distro that DIDN'T have "sudo" installed!

  • @cokeforever 1 year ago

    where's fail2ban? those machines are bruteforced 24/7, you need to add fail2ban in order to minimize traffic and resource usage on bruteforce attempts

  • @elvangoktepe5183 2 years ago

    Hi, thank you for this video. But I think I did something wrong while adding my user to sudo. Because it was writing "permitAsRoot Yes". I mean I couldn't lock ssh. How can I fix it? Thank you

    • @AkamaiDeveloper 2 years ago

      Our Troubleshooting SSH guide is a good place to start to figure this out www.linode.com/docs/guides/troubleshooting-ssh/

  • @cirotron 2 years ago

    Still waiting to see how to prevent ssh login without certificate

  • @programadorweb8403 1 year ago

    firewall and fail2ban?

  • @serpantinthewild 3 years ago

    What is the purpose of adding a second user other than root? Does the root account not need an SSH key? Can we create SSH keys for the root user and a second user on the same local system?

    • @AkamaiDeveloper 3 years ago +1

      Since the root user, which has unlimited privileges, can execute any command - even one that could accidentally disrupt your server - It is recommended to limit access to root for security. More info on securing your server can be found here www.linode.com/docs/guides/securing-your-server/

    • @serpantinthewild 3 years ago

      @@AkamaiDeveloper Thank you :)

    • @mirorauhala 2 years ago +1

      @@AkamaiDeveloper what's the difference between a root user and a user you've given sudo access to? Doesn't the "normal" user have root access but through the sudo group? This seems like faulty logic to me. What was the vulnerability in the first place?

    • @AkamaiDeveloper 2 years ago +2

      @@mirorauhala The idea is that you grant privileges on a case by case basis with sudo, and every time you do an action with it you need to provide a password, or have authorized within a recent time frame. In a system with just one user, it doesn’t have as big an impact as a system with many users, some with sudo access and some not. There is also a great explanation here: unix.stackexchange.com/questions/291454/difference-between-sudo-user-and-root-user

    • @hb9145 2 years ago

      @@AkamaiDeveloper You make no sense. Sudo is no better than root in a single user system. You have merely replaced a user with unlimited access with another, so how exactly is this hardening a server?

  • @lafayette9410 3 years ago

    I've gone through this multiple times but can't figure out why mine only switches between root and my user@localhost, whereas yours has jay@webserver and jay@laptop. Whether that's relevant I do not know, but I get to the key and up to the point where you ssh into the linode is the same, but I still have to enter a password. I'm sure there's a detail I'm missing if my result is different but I'm at a complete loss.

    • @AkamaiDeveloper 3 years ago +1

      Hello Lafayette, it sounds like you need to make sure that you are attempting to generate the SSH key on your home computer, then copy the public key onto your Linode. You might find the steps in this guide more helpful www.linode.com/docs/guides/securing-your-server/#create-an-authentication-key-pair

    • @lafayette9410 3 years ago

      @@AkamaiDeveloper This helped exactly as I needed and I'll try to spend a bit more time digging through the foundational elements from respective sources before wandering too far in frustration. I certainly have plenty to look out for with no shortage of resources. Thank you very much for the response, it means a lot in my early days of Linux.

  • @rostranj2504 3 years ago

    When I `$ exit ` it switches back to root and does not log out. I also have to prepend the user with `@` and the ip address to log in. I can't log in just ssh and ip address... the latter after setting up ssh and testing on another terminal tab that it works the former right in the beginning when we first log out.

    • @AkamaiDeveloper 3 years ago

      We think it was some video editing magic that caused Jay to be fully logged out upon typing "exit" at about 10:25. After using "su" to switch to another user, the first time running "exit" will close the shell created by "su", dropping you back into the previous shell.

    • @hopelily6432 1 year ago

      @@AkamaiDeveloper I'm also getting the same error - I wish you could reply to the comments like you did last year...

  • @kamranibrahimov999 2 years ago

    At 15:40, I am asked a password and then every time I get permission denied. Which password should I enter there? After multiple attempts, I get "Permission denied (publickey,password)" error.

    • @epochseven4197 2 years ago

      Hello, did you ever find out the answer? ....because I am having the same issue as well.

    • @kamranibrahimov999 2 years ago

      @@epochseven4197 Yes, see, the person in the tutorial has the same username in VPS and laptop, but I had different usernames. So I had to specify my VPS username there. Instead of "ssh " I typed "ssh @" and it worked.

    • @epochseven4197 2 years ago

      @@kamranibrahimov999 Thank you. That part was confusing for me also because he used the same name for both the VPS and laptop.

  • @timothychng7747 2 years ago

    not a tutorial to get you to Sys Admin level, would like to see that

  • @911ruinedbrendanfraserscar5 3 years ago

    I have been through every guide and cannot figure out why it's still prompting me for password entry. I'm accessing a linode that runs on ubuntu 18.04 LTS from my local device (laptop) using an ubuntu 20.04 LTS terminal.
    I follow your steps exactly and it does not work.
    I follow your steps exactly + going into /etc/ssh/sshd_config and deleting "#" next to "PubKeyAuthentication yes" and deleting the "#" next to "PasswordAuthentication no" to enable the lines then save, exit log back in and it still prompts me for a password.
    My starting user in my laptop terminal is @ so I enter ssh root@ and it prompts for password. Do I need to copy the public key to my local device as well?

    • @AkamaiDeveloper 3 years ago

      You'll need to restart the sshd service in order for the new sshd_config changes to be applied. Try "sudo systemctl restart sshd" and you should be golden.
      Also, just in case - make sure you're editing /etc/ssh/sshd_config and not /etc/ssh/ssh_config. The latter is for your Linode's SSH client.

    • @911ruinedbrendanfraserscar5 3 years ago

      @@AkamaiDeveloper the restart command is coming back as not specific enough. I mean, I read and save the lines afterwards, then exit and log back in, isn't that the same result?
      I will make sure I'm editing the correct config file, I think that could have been a mistake on my part.
      Lastly, I opened a support ticket and they recommended I make a secure key from my local device (Windows laptop) and copy the pub key onto my linode, since that seems to be a central issue as well imo. Again, when I'm logging in and getting the pw prompt it is initially from my local Windows device name (i.e. logging in as ). Additionally, I can switch users from root and my sudo without pw prompt once I'm in. Does this sound like it could be another barrier?
      Also thank you so much!

    • @AkamaiDeveloper 3 years ago

      @@911ruinedbrendanfraserscar5 It sounds like you may have forgotten the "sudo" from the command we sent you.
      No, a user logging out and logging back in does not apply the changes to the server's sshd service. It is not the same as changing the shell environment.
      You can find some more info here: www.linode.com/docs/guides/securing-your-server/#ssh-daemon-options

    • @grandstreetW 1 year ago

      @@AkamaiDeveloper i get Failed to restart sshd.service: Unit sshd.service not found.
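
The sshd_config pitfalls raised in this thread (a directive still commented out, or an earlier line overriding a later one) can be checked mechanically. This is an added example, not code from the video or from Linode's guides; the function names and the sample file are constructed, and it does not follow Include files or Match blocks.

```shell
#!/bin/sh
# Added example: read the effective global value of an sshd_config keyword.
# Assumption: Include files and Match blocks are not followed; on a real
# host `sudo sshd -T` prints the configuration the daemon will actually use.

# sshd_effective FILE KEYWORD DEFAULT
# sshd takes the FIRST uncommented occurrence of a keyword; keywords are
# case-insensitive, and a line starting with '#' has no effect at all.
sshd_effective() {
    awk -v kw="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/   { next }   # comment or blank line
        tolower($1) == "match"     { exit }   # global section ends here
        tolower($1) == tolower(kw) {
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: print one FIX line per setting that differs from the
# values used in this thread. Defaults are OpenSSH's built-in defaults.
audit_sshd() {
    for spec in "PermitRootLogin:prohibit-password:no" \
                "PasswordAuthentication:yes:no" \
                "PubkeyAuthentication:yes:yes"; do
        kw=${spec%%:*}; rest=${spec#*:}; def=${rest%%:*}; want=${rest#*:}
        got=$(sshd_effective "$1" "$kw" "$def")
        [ "$got" = "$want" ] || echo "FIX $kw is '$got', want '$want'"
    done
    [ -n "$(sshd_effective "$1" AllowUsers "")" ] || echo "FIX AllowUsers is not set"
    return 0
}

# Constructed sample: PasswordAuthentication is still commented out, and the
# later "PermitRootLogin no" is shadowed by the earlier "yes".
write_sample() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication no
pubkeyauthentication yes
PermitRootLogin no
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd "$sample"
rm -f "$sample"
```

On a live server, run `sudo sshd -t` to validate the file before restarting the service, so a syntax error does not lock you out.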

  • @bilich7651 3 years ago

    Hi, I got a problem, when I try to access as you at 15:40 I can't access, it asks me for a password, and I don't know what the password is
    ssh "ip address"
    "my user"@"linode-ip's password"
    I followed all your steps what can I do?

    • @AkamaiDeveloper 3 years ago

      When logged in as 'root', you will have the ability to change individual user passwords for your Linode. If you can't log in as root we recommend resetting the root password for your Linode:
      www.linode.com/docs/guides/reset-the-root-password-on-your-linode/

  • @Waferdicing 1 year ago

    💕💗💟💙💜❤️💛💝

  • @sergiocoder 1 year ago

    Man, why do you have to say "Linode" instead of "server" every time? I already know it's a Linode channel. Seems like some psychological marketing trick to program people into using Linode when they need a server in the future? lol

  • @ilearncode7365 2 years ago +15

    They are pronounced "etsy" and "soo doo"? My life has been a lie. Also, why even within the same distro are there DIFFERENT instructions to do things? I've been using "apt upgrade -yes" to upgrade, but here it is "apt dist-upgrade". Also, useradd AND adduser? Is that an inside joke at Linux Inc?

    • @superuser8636 1 year ago +1

      Avoid apt-get dist-upgrade unnecessarily as it can cause version mismatch incompatibilities between available updated software versions and kernel

    • @adminbird 1 year ago

      If I’m not mistaken (I use arch btw so apt isn’t my forte), apt-get is the older package manager whereas apt is newer, but you can still use apt-get

    • @shakiransari6526 11 months ago

      😂cvbud😊😊😊 14:34 sanj😊❤

    • @tarabaitarabai806 10 months ago

    • @ajithaajithamani1857 10 months ago

      Ttkjyyyyjy7