How To Secure A Server
HTML-код
- Опубликовано: 26 авг 2024
- In this video, you will learn how to secure a web server. The parts of the video are ufw setup, ssh keys, system modifications for networking, and checking which ports are open.
Webpage Guide: www.christitus...
Upcloud VPS ($25 Credit): bit.ly/upcloud-ctt .
►► Digital Downloads ➜ www.cttstore.com
►► Reddit ➜ / christitustech
►► Titus Tech Talk ➜ / titustechtalk
►► Twitch ➜ / christitustech
If you need to know how to setup a Web Server. Here is the video I did that goes over setting it up from Scratch:
ruclips.net/video/1JBCKNIT2Ys/видео.html
Great video content! Forgive me for chiming in, I am interested in your initial thoughts. Have you heard the talk about - Mahorrla Defence Wisdom Method (just google it)? It is a good one off guide for securing your home from danger without the normal expense. Ive heard some super things about it and my friend got amazing results with it.
Perfect. I legit just searched "How to secure a web server" and got a modern, up to date way to do it. Thank you!
Security is a process, not a destination
So True!
Security is an obnoxious waste of resources that is best solved by addressing the root problem.
@@brettlaw920 could you expand?
@@potheadfromthefuture2450 I guess not. Probably a revolutionary type who argued in circles with either himself or someone else until he realized he can't explain himself concisely.
Just to Yin-Yang this/play devil's advocate (also apply a bit of Linux philosophy): if you find yourself performing the same measures over and over again, you can probably write a patch/script to your system that does these things automatically/faster, or notify-send the important stuff. BUT that's the thing about security; the important stuff is usually hidden in the not-so-important/easily ignored places.
Exactly!
disable root login; disable password authentification via ssh; use non-standard port for ssh; use fail2ban for ssh, httpd authentification(3-5 attempts -> ban for 30 minutes, 30-50 attempts -> ban for week); deny access to all ports except 80,443 and ssh port; avoid browsing Internet from server under root user; avoid using X on server from root user; hide web server version in its settings.
When I set up my home server last year I did the same thing you did and locked myself out of ssh, that was a pain in the ass to get fixed! It took me 3 hours to fix.
I use:
Shorewall - iptables management (great way to learn iptables rules).
Suricata IPS - Rule based network threat detection & prevention engine.
Firejail - To sandbox a few of the tools I use in namespaces.
Also, I create network namespaces with "ip netns" to isolate net traffic to different services/programs.
The first two, I really recommend.
Again, this is an older video, but here is some notes you could maybe update on your site:
- Use stronger SSH keys, preferably ed25519 or at least RSA with 2048 or 4096 bit length
- Enable SELinux, AppArmor or similar service to tighten up permissions
- Enable automatic security updates if possible
- Install and learn to use HIDS software like aide, snort or OSSEC
In addition from the previous comments I want to point out that you should keep another SSH session open when changing SSH configurations and the like, and that OWASP top 10 and Pyramid of Pain is worth checking out.
Cheers!
"Always double, triple, quadruple check"
- Chris, 2019
Accept when installing Debian
This is just great, the best I've seen in past few years. Thanks
I always come back and watch this from time to time- some very good fundamental information. Thought it'd make good practice for securing a local IRC daemon machine. Appreciate the detail you went into!
Careful when doing when redirecting to the fbi site, make sure it's actually routing and not nat
Very True! if you go through NAT you will be conducting the "attacks" yourself, which will get you into trouble.
wow thanks for tip :S
Would be really nice to have a video about how to do that!
I just saw another video you did on this and posted a comment that recommended making your rules before enabling ufw. Nice to see you've corrected that.
Have you also consider remapping SSH port to something else than port 22? I believe that majority of attacks are automated and not targeted at you specifically, so they won't bother to scan all your open ports.
Chris, ICMP redirect is not the same as ICMP echo request, that sysctl config thing got nothing to do with ping. Also, you might want to try out "sudo lynis audit system". But I'm glad you finally got around making a video about ssh key-based authentication.
My server just got attacked and hacked. It's time to really paying more attention to the security issue. Thank you for making this video.
Hey Chris,
Better late than never. I’m looking for ways to secure ssh against attacks mainly sobI can ssh between my machines. Your video is exactly what I was looking for. Thanks 2 year later. 😂
Much appreciated. Especially the SSH keys part as I've found the documentation a little confusing. Thanks!
Just don't close your SSH connection after changing SSH files. Keep at least one instance open to not lock you out.
You can run a 2nd sshd on another port while doing the change.
I have read this comment to late. Now I am blocked.
Seriously, the fact he didn't mention such an important thing is quite negligent.
Very helpful I will definitely use this advise.
nice on the redirect--wish I was that versed in how networking works
FYI, On ubuntu 20.04 sshd_config is located at /etc/ssh/sshd_config and setting 'UsePAM no' like in the tutorial will disable public key authentication if not ssh login in general. Also, in host.conf, if you replace 'multi on' with 'nospoof on', it will raise an error when you install fail2ban.
Please do the monitoring security video.
Great video! Lot's of great information, especially the parts about SSH and setting up the firewall. Thanks for posting!
Thanks for the video. This saved me from having to dig around on the internet. I set this up on my void linux server.
Chris! I've come back to this video as I'm starting up a minecraft server again. nearly the end of the video I realized I am not subscribed anymore, albeit I WAS subscribed with the bell rung to All. Just thought I should post this comment as this isn't the first time youtube has auto-unsubbed me. Also, thanks for all the various ways you have helped me!
I always always always recommend people set up a passphrase on their SSH keys. Being able to jump from box to box without entering a password is convenient, but I feel like people should remember that outside of SSH keys, we call that a backdoor.
Chris I use to support hundreds of servers when I worked in tech support. We used mtputty, what would be the equivalent for linux? Any recommendations?
13:06 I already did the root login no on my server. I also changed the SSH port because port 22 is a big target. Using limit like you did is another good way to limit the number of hits on the SSH port. Thanks for this video. Also Fail2ban is another option which temporarily bans an IP with to many wrong login attempts.
If you're on a RHEL-based system like Fedora, they use an alternative to ufw called firewalld. It has a (pretty good IMO) graphical frontend package called firewall-config.
Would appreciate a video on securing SSH. (Update: Oh, I guess this video covers that too :)
This is a really good point regarding RHEL. If you are running a server that is security audited by a 3rd party (for example HITRUST), you may need to demonstrate vendor support by a company like RedHat.
RHEL/CentOS are my favorite web servers.
Thanks Chris. Really enjoy your videos!
One important thing you forgot is to run apache2 on 8080 and 8443 as user and redirect it using iptables. This way apache2 doesn't run as root and really limits the attack surface if they get access to your server using the web service or something like php.
Thanks for explaining my tool, man. I really appreciate it.
One of your better presentations. Thanks for taking the time and effort to show and educate.
I just stumbled onto your video and want to say thank you! Very informative and understandable...... If there is a "better" way 2 years later.. would you do an update video on this topic?
You can put the ssh passphrase in a key chain on the local system so you don't have to enter it in. Also, you want to scan the box with Lynis and have some type of malware scanner like rkhunter
Nice one, though I'd recommend clamav and rkhunter as well, and I also add a few other things in there when I run servers as a managed environment to ensure the system is monitored and such.
@@flixwebtechnology clamav is generally available with the distrubtion. if you use debian based systems then apt-get install clamav should work nicely.
It has it's own update system which pulls definitions from their own servers frequently.
Hope that helps.
As I've said before, Chris always comes at Linux solutions from a Windows admin perspective. This over complicates everything he teaches.
1) He uses UFW when he could just use iptables, because not every distro has UFW, but most have iptables. (he claims it's degraded and complex, but it's no more complex than UFW).
2) He uses systemctl when he could use iptables to do the exact same things he's using systemctl for. Heck, it's easier to do with iptables
3) He suggests people create multiple SSH keys into a single user account from different boxes when it's much safer to use one key per user - because if that user is compromised, all of his keys are compromised.
4) He disables PAM after he disables password authentication - which is redundant. After you disable password authentication, PAM is useless.
5) He likes to reboot, not because he wants to make sure all his services come back up (which is very easy to verify), but because he comes from the world of Windows. That's what Windows admins do. Rebooting is wired into their brains.
You want to secure your server?
1) Put your SSH on an uncommon port. It keeps the script kiddies away.
2) Use iptables and build an iptables file. It's easier to manage and duplicate.
3) Installing fail2ban and removing ssh password authentication are good habits for securing a server.
4) Set up a cron job to auto install security updates every day. You don't want to secure your system only to get exploited by software that was fixed weeks or even days ago.
5) Lock your home folders using chmod 700. Prevents other users from snooping around other user's stuff (you could also use chmod jail too).
6) Keep only one super user and the rest regular users.
7) Make sure your web services run in their own user instance. That way, if they are compromised, the damage is limited to which ever user those services are running as. The last thing you want is a web service running as root getting exploited.
@Donald Mickunas
You mean nftables, and no, nftables isn't installed on most distros. Iptables is still widely available on, not only newer distros and kernels, but on old legacy kernels as well.
@Donald Mickunas
Notice how you had to install nftables. Most distros already have iptables. That's the point I'm making.
I mean, don't just take my word for it. I'm just a lowly Linux systems engineer at an ISP.
@Donald Mickunas
Got a link?
*Chris what is the ufw alternative for a more secure Linux server ?...ie... IPFIRE,CLEAROS, IPCOP, OPNSENSE. ....etc*
I typically use ufw as a "redundant" firewall. At the gateway / router level is where I would use Opnsense or pfsense, and other firewalls. There is a new one on the market that I'm about to try and see how it will do for a "perimeter" firewall called "VyOS". Looks interesting as it combines a bunch of different security features, but I have no clue how viable it will be.
Look up "Shorewall" firewall.
Great way to manage your iptables.
I'm just a home user using primarily MX ,I also distro hop .I just redid a older Aspire to linux.Should I be putting the LP to a server config using say Apache or Cent OS ?If yes do you have a how to video I can follow to set it up ?
been looking for a video like this ty @ Chris Titus Tech
Good point on the UFW ssh.
Thank you so much. This was extremely helpful
One good advice, always have some reverse proxy on other ip, so you don't expose your main server's ip. There are attacks you can't defend from because for example your channel isn't wide enough. If you're getting attacked you can just swap that proxy with some better solution without reinstalling everything
what abount Cloudflare I think, it does the same thing, it masks your real IP under their network
@@feruchio599 Problem is if cloudflare go down your site go with it!
@@petertremblay3725 that is not really valid argument for me personally, its almost as if I say what if google go down then my website can't be found, I have been using them like 5 years and so far I can say they go down as often as google goes down which is pretty much never
@@feruchio599 I have read a lot of forum talking about cloudflare and personally i wont use it.
@@petertremblay3725 yeah that is alright, for example there also many people who does not use google and they are perfectly fine with other search engine
Great video, tahnk you Chris. Saludos desde Honduras.
Thank you so much for this educational web security video! Just a quick question, would you recommend this should be applied to web servers hosted on the GCP platform?
Thanks, Chris for that tutorial.
Do you have a tripwire video?
Greatest takeaway i got from this was to make an IP table on the bad IP and send him to the gov't. lol Niceeeee
Yeah I kept getting attacked a while back and it didn't matter where I submitted the ip's it just kept happening. So, I did that and literally all the attacks stopped.
I doubt that the government agency would look kindly on people redirecting attack traffic to them once they work out how it's happening and who is redirecting the traffic.
I don't think I'd be recommending this course of action to anyone.
@@dingokidneys They'll get over it. lol
@@dingokidneys Why wouldnt they? Now they dont even have to search for the threats, we drop them off at the door.
Hi Chris, fabulous video. I have a question please.. I have followed your instructions and everything works like charm, but can I use the same steps to secure a DNS server? Will it have any impact on the functionality?
missing tons of basics of hardening... hardening pam.d, folder basics user:group 640 acl/perms on tree, change the ssh port (thats basic), HIDS ? like tripwire ?, what about armor ?.. too complex ? :)
This is a great video Chris.
Do you have any videos on how to secure a web app, i.e XSS and DOS attacks?
Thanks!
Thank you, Chris.
I added mod_security to apache and suricata intrusion detection
These are the kind of vids of yours I love. Brain dump vs opinion. I've actually learned that ssh-copy-id does a basic lockdown on ssh usr/pwd logins and only allow keys.. I'll have to check that out. I've always thought that you had to go do that manually.
Although, this was more of a general server lockdown, than specifically web server. ufw and fail2ban for instance applies to any server.
Q: Do you really need the -i parameter when using ssh-copy-id with a default named .ssh/id_rsa.pub file?
I honestly haven't tried it without the -i and after that messup I did the first time around, I'm a bit scared to try it without it lol.
@@ChrisTitusTech Dude you've apparently got a bunch of test servers and/or cloud instances to wipe do do these videos just for illustration. I'm sure you can test it in less time it takes you to record anything (I'm sure you do so anyway).
Apologies, I tend to be pedantic. I saw in a 3 second frame your .ssh/ dir which showed a bunch of non-standard named key files... as if, by specific server.
I too do this most of the time. I don't have a general private/public key pair that I use for all servers.. I have a pair for each server. Perhaps not what it was designed for, but, I just use the -i parameter for each.
TIP: (what I do) write a shell script (e.g. $PATH:/bin/ssh.sh) that takes an argument (e.g. 'minecraft') and connects to that serer with a named key file and -i parameter, or whatever more complex ssh args you get (like tunnels, reverse tunnels... etc):
#!/bin/bash
case $1 in
minecraft) ssh -i ~/.ssh/mcraft_rsa.pub admin@xx.xx.xx.xx
esac
... etc. Just add another entry like "minecraft).. or serverXYZ).. " for each server.
Then for each ssh session, just:
$ ssh.sh minecraft
-or-
$ ssh.sh serverXYZ
TAB-complete fills in "ssh.sh" if it's on the PATH
### .. You can refine it further if you want.. like to just add the ssh commands to a text file, and have the script read from that.. but it depends on how far you want to geek out about it. PS. Learn Python ;-) (Pre-installed on all linux systems.)
what do you do if brute force SSH is tried on your server but on different/random ports? Does UFW offer some filter by protocol instead of by port?
Thank you Chris for this great video.
I had one issue. When I changed multi on to nospoof on in /etc/host.conf it told me: etc/host.conf: line 3: bad command `nospoof on'
So I changed nospoof on back to multi on.
Is there a workaround for that or could I leave it as multi on?
Another thing I would hear your opinion on is I have a Nextcloud server which I secured with your help. The last command to check what is exposed to the internet shows a whole lot of things. Mostly my turn server which I installed on the same server as my Nextcloud. Is that a problem? There is also systemd-resolv, httpd, dns-publisher, systemd-networ.
I'm very much new to servers, so maybe I did something wrong.
Important to note is that I used snap to install Nextcloud.
Thank you a lot.
I know when I researched the answer i got this
None of those obsolete options you placed in /etc/host.conf have any effect anymore. And Google will prevent your IP from being spoofed; you don’t have to worry about it.
So in this case, as a minecraft server you would need first In ufw to open port TCP: 25565, right?
Passphrase on your private key does not add any security during authentication using public key. It only encrypts your private key locally.
Hey, you mentioned you were going to do a video after this one about monitoring. I can't find it on your channel..
Chris, am putting up virtualized servers, web & email & DNS. Should I consider a Sonicwall TZ-300 (my line is 300/25Mb) TZ can do 750Mb. Robust enough? Consider something like their NSA series instead?
HI Chris ,while doing "sudo systemctl start fail2ban" I gott an error message "/etc/host.conf: line 3: bad command `nospoof on'". is that command not needed anymore?
Hi, I also faced the same error message...
Hi there, thanks for sharing your knowledge, on pc the key is working good but on my laptop following the same process I'm getting id_rsa.pub: invalid format.Thanks.
Use sudo -i to login once in for all as the super user so you can omit all the subsequent sudos.
I know this is about security, but during these procedures, could you also install lets encrypt to install a SSL certificate "for free" ? Again reducing operating costs.
on my files /etc/host.conf, nospoof on is bad command, pls help
I have a server in my home that is having all the ssh access to my vps servers. Plus i have access on my desktop. I have regula passwordbauth on that server (its not facing the internet in any ways), use a unique password
Really good video! Let's say I'm starting at step 1 into learning Linux and security, do you have any link recommendations? Thanks
Check out "Shorewall" firewall and maybe also learn about network namespaces (command: ip netns) to isolate services/programs.
After installing Fail2Ban it says this code is bad /etc/host.conf
order bind,hosts
multi on
nospoof on
Can this be applied to an Open media Vault NAS? That has been made to be accessed on internet?
Got a noob question. What is the difference between limit and allow?... Ok the answer was literally 4 seconds later... but is there a way to put a number on the limit?
Please what can i do this is really urgent.
Great stuff 👍
Hi Chris, what about personal computer security? Excelent videos, saludos desde México.
This should apply to personal pcs too. That is what I’m using this for.
All hail CHRIS
does this hurt SEO?
please what can I do, mistakenly i set the "PermitRootLogin" to "yes", and now I can't log in telling me permission denied
Debian, CentOS, or Ubuntu for using an old PC/s for creating own home website storage and email server? Any tutorial on doing a secure setup for the same?
Would be highly appreciated.
Thanks for the videos👍🏼
This
Thanks for this useful tutorial!
I did have some issues with ufw and my dns, but got it working by poking a few more holes. It does work now, so I think I should be fine :-)
anyways, I'd really appreciate another tutorial on monitoring as well. Would like to know more about it, and your presentations are always on point :-)
Nice . How to use SSL for website !?
Good video Chris,
Does Linux have any Active Directory like applications and if they do could you make a video.
LDAP is Lightweight Directory Access Protocol, it is what Active Directory and Open Directory (Mac) are based on. Search for LDAP. Timely answer, only 4 years later.
21:05 fail2ban doesn't detect DDoS I think
Great video. It really helped me out.
I have 1 problem so far. After doing all this my ftp doesn't work anymore.
Using filezilla. Any thoughts whats wrong ?
Did you block the port you're trying to connect too?
Wow this is good. I was looking for something like this to connect with keys. I ending up copying the /etc/ssh from server to server that and that worked. If I seen this I could of did it like you did.
But I don't get it when you set up a key on the other PC never connected to seems like you made a new pub key why not the same key?
So if you don't log in as root what have to do a sudo su all the time to be root then?
Thank you for making videos like this!
Doesn't fail2ban require configuration for the jail file for it to do anything? Install and activate it does nothing for security
Just saw that there are upgrades available 😉
thank you Mr
I would not be so sure about redirecting random attacks to government websites... It sure sounds like a way to cause troubles to yourself.
Hi, this video is very helpful for securing server, and I have one issue, I created new user with sudo privileges
in ubuntu server , setup ssh key authentication
and RootPermitLogin = no, but
when login into the server using newly created user with ssh key, and logged in
from new user, and from there, I typed
su - root or sudo -i , it is successfully logins the root user, even RootPermitLogin = no,
how to block this? please I need help.
you have a typo on your website: "order bind,host". Your forgot the add the "s" for hosts.
Why doesn't "sudo ufw enable" work. I can't even get started with this... what is going on
Did u install ufw?
Do u get any output?
26:48 I've thought a lot about doing something like this, but I was worried the authorities might think that I AM the one doing the attacks. Do you actually do this and haven't had any negative repercussions?
That’s a pretty nice IP address
You are the best.
Please more 10 day challenge
Hehe the problem is it really isn't a challenge anymore.
This is nice, how can be an expert in this please
If you redirect someones traffic to the next address, like you said - to the governments website, will they not see your IP as the attacker?
I did everything you said and when at the reboot step, my server lost conection to the internet and SSH - no ping and no youtube. Any idea what happened?
I checked my ip (ip a command) and it says "...."
I don't know if you respond to questions like this here, but I would appreciate it. Thanks in advance if you do....
iptables became outdated? I'm not so sure ufw's a viable replacement for server/security administrators...
I see that you left the server port as 22. I had read in some places that many people recommend changing this port to something other than 22 but under 1024. What are your thoughts? Thanks for the great video!
Main advantage of changing this port is to have less attack since port 22 is heavily visit by bots!
You should make this an ansible script