How to protect Linux from Hackers // My server security strategy!

Поделиться
HTML-код
  • Опубликовано: 29 дек 2024

Комментарии • 252

  • @CRK1918
    @CRK1918 Год назад +20

    Another of the most important thing is network security, and your home network design. Using pfSense at network level. You talked about some of the DMZ setup. Using VLAN to separate networks, home networks, IoT networks, server network and so on.

  • @unknowntechio
    @unknowntechio Год назад +1

    One of the best posts on security, open source server security i've watched. Simply great!

  • @NickBouwhuis
    @NickBouwhuis 3 года назад +83

    In 2021, I would recommend creating a Ed25519 key instead of a RSA key. Ed25519 offers stronger encryption and shorter keys. Only downside is that it is incompatible with older systems (older then say, 5 or 6 years?)

    • @christianlempa
      @christianlempa  3 года назад +39

      Yeah it's a good idea, the incompatiblity is the the major reason why I still don't include it, when RSA 4096 should be still fine. Second reason is I can't remember that stupid number 25519... who choose this name?!

    • @coolcax99
      @coolcax99 3 года назад +45

      @@christianlempa Its the prime number field used in the eliptical curve. 2^255 - 19.

    • @danilodistefanis5990
      @danilodistefanis5990 2 года назад +26

      Karthik Sriram oh, that makes it way easier.

    • @comic-typ5919
      @comic-typ5919 2 года назад +4

      @@danilodistefanis5990 xD

    • @l_shaun_bunds_l
      @l_shaun_bunds_l Год назад +2

      thanks for the information. the elliptical curve of erectile dysfunction is nothing to sublimate your libidinal acronyms by! That it is stupid is an easieer way to feel...

  • @hjsop1
    @hjsop1 3 года назад +15

    Thanks for bringing this topic up! This is what I needed so much.

  • @HosselBossel
    @HosselBossel 8 месяцев назад

    Thanks!

    • @christianlempa
      @christianlempa  8 месяцев назад

      Thank you so much bro for your support ❤️

  • @mithubopensourcelab482
    @mithubopensourcelab482 3 года назад +6

    Great video. What we do for security ? The best way is to install every server as a vm on a separate isolated vlan, apply all your suggestions. Hopefully nothing will infect your server, and even if it does, the infection will remain isolated and easily taken care of using snapshots or backups. We have applied this strategy and so far, so good, we are in safe heavens since 2 years. Not to forget, your virtualiser needs to be well protected as well.

    • @christianlempa
      @christianlempa  3 года назад +3

      Thanks mate! Great ideas

    • @minscj
      @minscj 2 года назад

      Please can you tell me how to do this for my servers

    • @carloslaguera8025
      @carloslaguera8025 2 года назад

      @@minscj Unfortunately, this is all a bit more complicated and inconvenient.
      On my Proxmox host I have looped each VM through to the firewall with its own vlan. All have their own IP range and are secured with all firewall rules to each other. So to say I have an independent DMZ for each VM. Any communication between the VMs has to go through the firewall by force and is allowed with filigree rules.
      As I said. Everything a „bit“ more complicated :)

  • @mrmotomoto
    @mrmotomoto 2 года назад +11

    Thanks for the quality content! You're such a wealth of information and we appreciate you sharing it

  • @g-net7646
    @g-net7646 3 года назад +18

    Another great video thanks!
    It would be great if you could go into more detail on how to address the firewall security issue using UFW of the docker containers and how you address them for cloud hosted servers.

    • @christianlempa
      @christianlempa  3 года назад +9

      Thanks mate! Yeah I thought about making a more in-depth video about UFW and IPTables, I'll put that on the backlog list ;)

    • @Asdasdas1337
      @Asdasdas1337 3 года назад +4

      If im not wrong docker doesnt play nice with UFW and tends to write its own rules in a way which supersedes ufw rules. I switched to firewalld because of this and I highly recommend it.

    • @LtdJorge
      @LtdJorge 3 года назад +1

      @@Asdasdas1337 yep, UFW writes iptables rules, and docker too. That's why they have conflicts.

  • @cookasaurus_rex
    @cookasaurus_rex 3 года назад +1

    I think you're awesome, man. Keep on keeping on!

  • @SimarMannSingh
    @SimarMannSingh 2 года назад

    I honestly want to see your channel grow exponentially... May you get a few million subscribers real soon. Just keep maintaining your video's quality and pace...

  • @nichdiekuh
    @nichdiekuh 2 года назад +12

    This video is super interesting. Especially the part about Docker and iptables couldn't be stated enough. However I think that you could have also mentioned how to prevent docker from opening ports, that seem to be closed in the UFW rules. I had this issue a couple of days ago with a production system which unfortuantely wasn't protected by an external firewall. I was able to fix this in a couple of minutes, but for the novice admins, who are probably the target audience of this video, it certainly isn't that trivial to fix.
    btw: I only discovered your channel a few days ago and even for me as a professional linux admin, it's interesting content. I'm looking forward to seeing more from you 🙂

    • @Pharaon2502
      @Pharaon2502 Год назад +5

      Any more info how you have done this?

  • @kuhluhOG
    @kuhluhOG Год назад

    5:55 I run my containers via podman in systemd units and create the descriptions via quadlet.
    That way I can just regularly let the system call "podman auto-update" and I am done (it also rolls it back in case the update doesn't work, but it relies on support from the containers here which may not necessarily be available).

  • @JoseFerreira-xm3zy
    @JoseFerreira-xm3zy 3 года назад +1

    Once again, another great video. Thank you for your service ! :)

  • @wildflowers465
    @wildflowers465 2 года назад +1

    Great video! Running ss or netstat as root (with sudo) will show the PID/Program name in the final column, which is helpful if you don't already know what ports services commonly use, for well known ports or registered ports, as well as for ephemeral ports

  • @andrewgraham6994
    @andrewgraham6994 Год назад

    broski explains things perfectly.. RESPECT AND LUV

  • @alfredoramos1450
    @alfredoramos1450 3 года назад

    I hit the "subscribe" button and clicked "all" on the bell 🔔 great video sir!

  • @Berkto00
    @Berkto00 Год назад

    Subject: How to protect Linux from Hackers // My server security strategy!
    Rule1: don't tell hackers about your server security strategy
    Just joking :D great content Christian, keep on going! Regards from Czechia :)

  • @BlackBot1986
    @BlackBot1986 3 месяца назад

    Great summary!
    Just something to mention here, to add a user to the docker group is considered as security risk. Somebody who has claimed the user rights but not the pw could just run anything on the server... For a dev environment that is imho absolutely fine but please not for the prod system😉

    • @christianlempa
      @christianlempa  3 месяца назад

      Thank you :) Thanks for sharing, that's a good tip

  • @michelangelop3923
    @michelangelop3923 3 года назад +1

    For 2FA in the shell I use DUO Security, with a free account you can do pretty much everything, I employ the least privilege access so I have a non sudo account for docker management and access with a pub key, for sudo I login with su to a local admin account, and for the actual sudo to execute a duo push is needed.

    • @Reiner030
      @Reiner030 2 года назад

      looks also interesting like Teleport does.
      But why relying on external services which can have connection/service problems while you need to login (independent they costs if not community edition is used) when you can do it with "Yubikey and SSH via PAM" by installing and configuring a package yourself and having only a Yubikey, Nitrokey or similar key buyed once for each user?
      Maybe only interesting solution could be to protect a suite of hard- and software by same 2FA service.

  • @gregm.6945
    @gregm.6945 3 года назад +7

    great video, thanks !.....don't forget, you could've used _ssh-copy-id_ @ 11:08

    • @christianlempa
      @christianlempa  3 года назад

      Thanks! Oh yeah, I'm still so used to the old way 🙈

  • @miraldoramos
    @miraldoramos 3 года назад +5

    Hi,
    you can use Ssh-copy-id for copying SSH keys to servers.
    nice video, thx

    • @christianlempa
      @christianlempa  3 года назад

      Thanks mate! Yeah I'm still so used to the old way :D

  • @Musician_Robert
    @Musician_Robert 2 года назад

    Great video Christian

  • @esra_erimez
    @esra_erimez 3 года назад +6

    Security is a journey, not a destination

  • @cybersecurehacks
    @cybersecurehacks 3 года назад +1

    Excellent Videos mate.... And thank you for sharing stuff like this..

    • @christianlempa
      @christianlempa  3 года назад +1

      Thank you so much :)

    • @wamiedabdel-rahman5389
      @wamiedabdel-rahman5389 3 года назад

      Nice and very useful video as usual. I liked your command prompt. How can I implement it on my Ubuntu system?

  • @manaberry
    @manaberry Год назад

    Hi!
    How should I use the DMZ? I have 2 server. One host all my services in docker (nginx proxy manager, website, cloud services, apps, etc...) and I have a Raspberry with Adguard (and my TLS DNS) and a plex server.
    Should I move plex to the big one, and nginx to the small one and make the raspberry as dmz landzone to manage all traffic? Would it isolate the main server correctly?
    Thanks for helping!

  • @andreydoichinov1683
    @andreydoichinov1683 11 месяцев назад

    Hi Chris, at 8:24 you forgot to tell us what is the string you used.

  • @fbifido2
    @fbifido2 3 года назад +1

    @26:48 - how do you make fail2ban work on all running service or all open ports ?
    @26:58 - what will it show if you removed the sshd

  • @wanessasilva4541
    @wanessasilva4541 2 года назад

    I learned so much on a single command line! 7:21

  • @moeinmhzg7827
    @moeinmhzg7827 3 года назад +1

    Awsome and on point as always
    Thank you

  • @salim444
    @salim444 Год назад

    5:26 there is a command that copy your ssh keys conveniently called ssh-copy-id

  • @sbrodriguez1980
    @sbrodriguez1980 3 года назад

    very very very good and interesting video. Congrats!!!

  • @burstfireno1617
    @burstfireno1617 7 месяцев назад

    Good video. dunno if its only me thinking the music in the background is a bit loud

  • @SvenTimmermann
    @SvenTimmermann 2 года назад +1

    Good video. But take a look at ed255... Ssh keys :)

    • @christianlempa
      @christianlempa  2 года назад +1

      Yeah, maybe if I remember next time :P

  • @LawrenceSingha
    @LawrenceSingha 3 года назад

    Hi from London, I have subscribed and new to your channel. Thank you so much for tips and what I needed so much & very useful.

  • @rscmcl
    @rscmcl 2 года назад +2

    I added 2FA to my home ssh server when I want to log from somewhere else, works amazing... uses the key and fallback to password/2FA

  • @VulcanOnWheels
    @VulcanOnWheels 3 года назад

    18:48 I thought that enabling a service would only make it active after the next startup of your computer and that you have to add --now to make it work immediately.
    28:12 You speak so fluently(!), but the way you say "determine"...?

  • @typingcat
    @typingcat 2 года назад +1

    What the, so SSH doesn't block that tries too make wrong passwords out-of-the-box and I have install a third-party utility?

  • @BrandonCallifornia
    @BrandonCallifornia 3 года назад +3

    Hey Christian! Why don’t ya use ssh-copy-id -I keyfile hostnamelikeinssh???

    • @christianlempa
      @christianlempa  3 года назад

      Good question, I guess I'm still used to the old way :D

  • @kjakobsen
    @kjakobsen Год назад

    Docker is a rabbithole, but such an interesting one. :)

  • @kcyeohmy
    @kcyeohmy 3 года назад +3

    Yes. Some security feature will be always better than none. Of course not all secure server are unhackable but to at least leave less port open. Use longer time to get stolen or own. Similar to your car if you don't have car alarm or steering lock. Car theft can happen within 1 to 5 minutes but if you have the security wheel lock gear lock brake lock will at least waste some of the car theft time. Even pentagon or military still get hack this is most secure but still got hacked. Good share. Thank you.

  • @bryanmontgomery610
    @bryanmontgomery610 5 месяцев назад

    For the SSH key gen part, are you creating the key on a separate Linux server? Looks like he is using WSL on a windows machine. So this would need to be the dedicated place the SSH keys? This was not explained well os just looking for clarification.

  • @mattplaygamez
    @mattplaygamez 2 года назад

    Tailscale has also added tailscale ssh it Also is like An acces Proxy

  • @manjunathreddy5966
    @manjunathreddy5966 Год назад

    Wow. The quality.

  • @HoshPak
    @HoshPak 3 года назад +6

    Another good addition to reducing the attack surface is using non-standard ports i.e. anything above port 2048. Most scripts only poke around those ports and skip the rest as it significantly increases scanning time.
    A practical way of doing that is running a honey pot on port 22 while moving your actual SSH service somewhere else.

    • @christianlempa
      @christianlempa  3 года назад +3

      Yeah you can think about that. I didn't include it as I generally avoid to expose this port directly, but still a good option to get rid of annoying logs ;)

    • @---GOD---
      @---GOD--- 2 года назад +5

      It takes half a second to scan all of your ports. Maybe you'll stop a few basic script kiddies who only target known ports like 22... but this literally does almost nothing to protect you.

  • @knightride9635
    @knightride9635 3 года назад +1

    Great video, I will have to watch it at least 10 times to implement all this.

  • @raughboy188
    @raughboy188 8 месяцев назад

    There are few other things you should add to your strategy of protectiong your servers and network in general. First and foremost youn need to learn OSI layers of network and set up your security on each of the layers. I did mentioned layers didn't I? that's actualy second thing, set up your security as layers because it will help you keep track of attacker as he moves across layers to egt to destination. More layers of protection you have better it is for you because you can catch attacker sooner and respond faster, it will help you with revealing possible vunerabilty because you can see at which layer it happened. most of the time you'll connect to everything within your network for maintenance via ssh right? Yeah in that case change port you're gonna be using for ssh in your network because using default port for it is agains best practices. Now onto vlans. Fragment you network with vlans how ever one of the vlans should be designated as native vlan where everything untagged goes but that can't and shouldn't be vlan 0, also if you have unused prort assign them to unused vlan as security measure, doing what i said with vlans prevents attacker from using vlan hoping attack to get to your data. There are many more attacks but if i keep writing my comment will get too long so i will mention one that can result with DOS across your network and it's dhcp exaustion which happens as a result of dhcp receiving bunch of fake requests for ip to the point where dhcp server runs out of ip's and without ip devices cannot connect to network. There's a lot more you can do.

    • @christianlempa
      @christianlempa  8 месяцев назад

      There’s always something more you can do, but in the end all of these strategies provide a strong foundation to cover 99% of the attacks you’re facing as a homelab dude :)

    • @raughboy188
      @raughboy188 8 месяцев назад

      @@christianlempa what i said about ssh,vlan and dhcp exhaustion comes from best practices recommended ny cisco systems.

  • @marcus3d
    @marcus3d 3 года назад +3

    The 5 second loop supposed to mimic "background music" is insufferably annoying

  • @itasev
    @itasev 3 года назад

    Hi Christian, I cant find a decent how to setup a XMPP server on AWS or Hetzner from scratch.
    In the era of self-relying on privacy you might find it interesting to make such a video or post on your website.
    Cheers!

    • @christianlempa
      @christianlempa  3 года назад +1

      Well that would be far down my priority list, to be honest :/

  • @abstractumx
    @abstractumx 2 года назад

    how can i set the terminal with your same graphic theme. seems very cool!

  • @Taragurung
    @Taragurung 3 года назад +2

    Recently following you, great content. what have you used for the terminal, looks different?

    • @christianlempa
      @christianlempa  3 года назад +1

      Thanks mate! I recently made a video about my development setup, how that is what you're searching for: ruclips.net/video/oF6gLyhQDdw/видео.html

  • @vahidmoradi9696
    @vahidmoradi9696 5 месяцев назад

    man this video was great and informative, I do have one small suggestion though. Pleeeeaaase remove the background music on these kind of videos! These are tech videos, they require concentration ...

    • @christianlempa
      @christianlempa  5 месяцев назад +1

      Thank you man! I like background music in my videos, but I agree it's way too loud here 🙈

    • @vahidmoradi9696
      @vahidmoradi9696 5 месяцев назад

      @@christianlempa I dunno, i looked at the comments, and apparently i am the only one bothered with it :)))) so, i guess my vote does not vount. but i really do believe that tech videos and tutorials should not have background music. nonetheless, thank you for the great content.

  • @nolmirk2267
    @nolmirk2267 3 года назад +5

    you the man, thank you.

  • @leopard3131
    @leopard3131 Год назад +1

    Another suggestion is to learn iptables. It takes a minute but iptables will do everything you are doing with multiple servers such as fail2ban and VPN. Iptables will also do your routing if you are not running a custom router already.

    • @ultravioletiris6241
      @ultravioletiris6241 Год назад

      You can get a VPN-like effect from using iptables? How ?

    • @leopard3131
      @leopard3131 Год назад

      @@ultravioletiris6241 What is a "VPN" effect? I believe I can certainly replace fail2ban with iptables rules as well as what he is doing in his use case of VPN.

    • @ultravioletiris6241
      @ultravioletiris6241 Год назад

      @@leopard3131 You said that iptables can do everything he is doing with a VPN. Did you literally mean everything, including the VPN tunnel itself? Or did you mean that only some things can be replicated by iptables?

    • @leopard3131
      @leopard3131 Год назад

      @ultraviolet iris What is "everything " ? What are you wanting to do with a VPN? Hide your ip? Adblock? But yes, you can restrict traffic with iptables.

    • @leopard3131
      @leopard3131 Год назад

      @ultraviolet iris I guess when I watched this video and commented yes I felt the tools I mentioned including iptables would accomplish the same goal as the use of VPN although obviously it is a different tool. I am not going to rewatch the video to answer your vague questions but if you have a specific question and the answer is brief I am willing to clarify.

  • @inlophe
    @inlophe 3 года назад +2

    Any reason for still using RSA for SSH key on modern server?

    • @christianlempa
      @christianlempa  3 года назад

      What would you suggest?

    • @inlophe
      @inlophe 3 года назад +1

      @@christianlempa Using ed25519 if your server update is not older than 5 years old.
      Sure, RSA 4096 is still good, but it's slow compared to elliptic curves.
      There is an option to use ed25519 in ssh-keygen, so you don't need to configure anything

    • @christianlempa
      @christianlempa  3 года назад

      @@inlophe last time I checked it wasn't supported on all devices, that’s why I still haven't used it. It might become relevant at some point, but I guess that would be worth a separate video in an unknown future 😊

  • @str0g
    @str0g Год назад

    could you do a yubi key authentication integration on linux?

  • @hx4791
    @hx4791 25 дней назад

    need a video on geo blocking

  • @anarchoN3rd
    @anarchoN3rd 3 года назад

    For any other noob who got lost when they got to the intro to the 'ss' command, you need to use sudo to display the process IDs (what the p flag in -ltnp displays)

    • @christianlempa
      @christianlempa  3 года назад +1

      thanks mate! Yeah I was a bit confused until realizing it in the editing :D

    • @anarchoN3rd
      @anarchoN3rd 3 года назад

      @@christianlempa no problem. As someone who's only knowledge of ports is that 22 is for ssh, having those descriptors was very helpful. I even tried removing the -n tag, but it seems like ss has some trouble resolving those names.

  • @popquizzz
    @popquizzz 3 года назад +2

    I found your channel today and I am thrilled that you are so willing to share such pertinent information. One request I do have to ask is if you would just reduce your background music a bit. This should be a nuance addition to any video especially one's like yours with so much good info shared. The music is a bit too much at times and the mundane aspect of it distracts from your lessons and not in a good way. We want to hear what you have to say, not fight the music to hear you. Thanks Christian!

    • @christianlempa
      @christianlempa  3 года назад +1

      Thanks mate! Awesome feedback :) Well, I need to admit that in this video the background music is louder than usual, don't know what was going on :D But you're right! I'll reduce it in next videos even more.

  • @ahmadmobaraki7371
    @ahmadmobaraki7371 3 года назад

    you are awesome man!! thank you.

  • @jojohnes5863
    @jojohnes5863 2 года назад

    Hallo Christian, tolle Videos! Du hast ja viele Videos zu Docker etc. Den Aspekt, dass Docker Container die Firewall aber umgehen, reißt Du aber nur hier kurz an. Ich denke das ist sehr wichtig. Viele installieren jetzt fleißig Docker Container und wiegen sich in Sicherheit, die so gar nciht gegeben ist. Kannst Du nicht mal ein Video dazu machen, wie man auch Docker mit der Firewall sicher absichern kann?

    • @christianlempa
      @christianlempa  2 года назад

      Hey danke für dein feedback! Ich werde wahrscheinlich kein eigenes video dazu machen, weil ich im Prinzip alles wichtige gesagt habe. Allerdings glaube ich dass ich es öfter in meinen Videos sagen muss, wenn auch immer es um firewalls und linux Sicherheit geht. Vielen Dank!

    • @jojohnes5863
      @jojohnes5863 2 года назад

      @@christianlempa Danke für die Antwort. Ich glaube allerdings nicht, dass Otto Normal user "ich schau das youtube video und schmeiß mir die Docker Container drauf" damit damit docker sicher absichern kann. Viele führen nur die Schritte im Video aus, und die reichen nicht..,.. Wenn kein eigenes Video, dann vll in Deine Anleitungen zu Docker im Blog, oder in den Artiel zum wireguard mit docker. Versteht mich nicht falsch, die Videos sind klasse, aber wenn Du zb Docker ausführlich vorstellst, solltest Du auch sagen, wie man es absichert. Sonst rennen die Leute ins Verderben:)

  • @pj6206
    @pj6206 11 месяцев назад

    Is there any git repository for this tutorial? 🙂

  • @scottamolinari
    @scottamolinari Год назад +1

    Something else you can do is move the ssh port. Port 22 is well known and thus hackers hit it all the time basically automatically. You can move ssh traffic to a different port and close 22. It's only security via obscurity I know, but it avoids those automated hacking attempts.

    • @E57det7I
      @E57det7I Год назад

      Yeah, this didn't used to really do much. But I can see this actually becoming more and more helpful the more and more automated bots just hit 22

  • @whylde7834
    @whylde7834 3 года назад

    Thank you Christian.

  • @KratomSyndicate
    @KratomSyndicate Год назад

    what do you think about ufw-docker?

  • @PoliceOurPolice
    @PoliceOurPolice 2 года назад

    How can I organize what needs to be updated like an apk file. Where should I save it to auto update?

  • @stephaneislistening6103
    @stephaneislistening6103 3 года назад

    What if we loose the SSH keys file ? We cannot log in any longer if we had disabled password login ?

  • @hpsfresh
    @hpsfresh Год назад

    ssh-copy-id, not scp. it will create remote files and permissions

  • @themadtux
    @themadtux 2 года назад

    Great Video! Curious what shell prompt are you using in your SSH tutorial? Really like that look...

    • @christianlempa
      @christianlempa  2 года назад +1

      Thanks mate! I'm now using a new prompt which is called starship, you can take a look here: ruclips.net/video/AK2JE2YsKto/видео.html

  • @UnixDaemonKiller
    @UnixDaemonKiller Год назад

    Do you set up TPM for Linux?

  • @ctheroux
    @ctheroux 3 года назад

    Hi, thanks for the video. Very good. Btw, what model of keyboard you are using? Regards

    • @christianlempa
      @christianlempa  3 года назад

      You're welcome, thanks! Currently the logitect G413 ;)

  • @kjakobsen
    @kjakobsen Год назад

    First step is to protect the server against compromise.
    Next step is to have a reliable backup and disaster recovery plan in place,, for when it eventually happens despite everything you did right. ;)

  • @Voigt_Analytics
    @Voigt_Analytics 9 месяцев назад

    Is there any web-based control panel for all of these mentioned security rules and concepts? I've heard, Portainer is able to some security tasks. But not all of my services are docker based containers. I need an overview, better than ss -ltpn

    • @christianlempa
      @christianlempa  9 месяцев назад

      I'm not aware of any UI for this, sorry

  • @GrindAlchemyTech
    @GrindAlchemyTech 4 месяца назад +1

    Thank you

  • @SamSam-ic7qm
    @SamSam-ic7qm 2 года назад

    Can I have opinions on some of strategy I use:
    1. SSH Access only by key, no password
    2. Use fail2ban, block 24 hours on 1st bad attempt
    3. Optional (Only allow ssh from specific IP)
    Thanks

  • @Becoming-Human
    @Becoming-Human 3 года назад

    Future video series idea... assessing the security benefits of NixOS and Guix OS as they compare to {insert mainstream Linux OS here}. To be fair, though, please note the considerable learning curves associated with each of the aforementioned OS'es... you have been warned. :-)

    • @christianlempa
      @christianlempa  3 года назад

      Well, I haven't looked at these distros, yet.

  • @masoudamiri7941
    @masoudamiri7941 3 года назад

    hello sir , can you please make a video about installing windows server on digital ocean vps ?

    • @christianlempa
      @christianlempa  3 года назад

      Hm that's probably not what I'm focussing on right now, I'm sorry.

  • @shuangliu2204
    @shuangliu2204 2 года назад

    what time do you do a live streaming ? here from china, has a different timezone

    • @christianlempa
      @christianlempa  2 года назад

      Hey bro, Usually Thursday 5pm CET, but recently I wasn't live a lot, unfortunately :( Btw, you see the scheduled ones in the subscription feed as well!

  • @GorkemYildirim
    @GorkemYildirim 3 года назад

    Great video, Thanks a lot.

  • @jwbonnett
    @jwbonnett 3 года назад +1

    Can I ask why you are using "scp" to copy the key rather than "ssh-copy-id"?

  • @marcello4258
    @marcello4258 2 года назад

    thanks again christian. perhaps if you allow I'd like to add that limit instead of allow might be better on port 22 otherwise no one is held back from brut forcing although it might be hard anyway since you permit keys only but it is not reply more work

  • @sysdrum
    @sysdrum 3 года назад

    Great stuff

  • @swipekonme
    @swipekonme 3 года назад

    is there something called very very excellent video

  • @JohnyDev
    @JohnyDev 2 года назад

    Can you please share what you have in the ".bashrc" PS1 how you have the ubuntu logo and the directory upwards the terminal text, thank you

    • @christianlempa
      @christianlempa  2 года назад +1

      It's in my dotfiles on github

    • @JohnyDev
      @JohnyDev 2 года назад

      @@christianlempa Thank you so much 😊

  • @johnnytank979
    @johnnytank979 3 года назад

    Great video! I think you could speak a little bit slower, I feel slightly rushed when I try to comprehend what you are executing exactly. ;)

    • @christianlempa
      @christianlempa  3 года назад

      Thanks' :D Yeah, I try to slow it down a little bit. But it's hard to find that perfect balance that everybody enjoys. Most stuff on YT is fast, otherwise people are just leaving :/

  • @mebeingme947
    @mebeingme947 3 года назад +3

    As always good video again. Just a little adder....change the port number for ssh from 22 into a non-standard like 24 e.g.. In many cases port 22 is looked for by server hackers. Another thing to check is on your IPS side. Which ports are visible by using a tool like shieldsup! This way you can also determine whether you still have port forwardings open which are no longer needed. If you need portforwardings, where possible use non-linear forwards....e.g. port 65 to port 22...this confuses exploids in many cases. Unfortunately the last one is not always possible. Personally I closed off all ports except for wireguard....second level on the server configured by ufw and 3rd level by fail2ban. I'm not running a webserver other than to accomodate nextcloud instance. I'm fine by doing that over wireguard first to connect.

    • @christianlempa
      @christianlempa  3 года назад

      Thanks mate! Great additions ;)

    • @patricknelson
      @patricknelson 3 года назад +2

      FWIW, if you just use key-based login and disable user/pass logins, you’re fine. It’s ok for you to change whatever port you want, but for people reading this that think it adds security, it doesn’t (really). It just reduces the likelihood that an automated bot might find your server, but an automated bot isn’t going to brute force your server if there are *zero* possible combinations that could ever possibly work anyway.

  • @Watsitsname08
    @Watsitsname08 2 года назад

    Hi Christian, this video really helped me in my research prior to deploying my first home server. I do, however, have a few questions about securing my server and my data. Assuming I am running ubuntu: what would be the best way to share folders across my home network (to other Windows devices) and ensure that I'm protected from attacks outside my server. I will have a total of 3 users accessing these shared folders, including myself. Any help here would be greatly appreciated, or if you can provide a resource that would be helpful too. Thanks.

    • @christianlempa
      @christianlempa  2 года назад

      Depends a lot on how you're securing your home network and who has access. I personally would not let anything unauthorized and unencrypted into my home network, I can just recommend use a firewall solution, VPNs or Access Proxies. From inside the network it's a bit more difficult, there it might be a good idea to isolate the server in a separate network (DMZ), I'm doing this right now in my Homelab, check out in the next 2 weeks there is a firewall video coming out, that will explain this.

    • @Watsitsname08
      @Watsitsname08 2 года назад

      @@christianlempa Awesome. Thanks for the response. There is still so much to learn about this and I'm loving it. All of your videos are so helpful.

  • @peterlemmington6585
    @peterlemmington6585 3 года назад

    Heftiger Typ!

  • @ricerob
    @ricerob 2 года назад

    How do you lock down the back door built into system d

  • @michaelgoehringer
    @michaelgoehringer 3 года назад

    Hi, did my previous question get deleted?
    Wanted to know if it works to install fail2ban via ecex console direcly in the container of bitwarden and nextcloud to protect them from brude force attacks or doesn't it work this way? But what would be the alternative?

    • @christianlempa
      @christianlempa  3 года назад

      Don't know why YT sometimes deletes comments.. well you can configure fail2ban to look at the logfiles from the containers. Usually docker stores the logfiles in the /var/lib/docker/containers//.json.log file.

    • @michaelgoehringer
      @michaelgoehringer 3 года назад

      @The Digital Life
      I meant something else. Where do I have to install fail2ban so that I can protect Bitwarden and nextcloud (in containers and in the public network via NGINX Proxy Manager) against brute force attacks. Directly on my raspberry pi? In the respective containers etc.?

  • @transflux-us
    @transflux-us 2 года назад

    I don't undertand the the docker chain, Port 9000 Problem. Why does ufw allow 9000?

    • @christianlempa
      @christianlempa  2 года назад

      That’s coming from the container engine

    • @transflux-us
      @transflux-us 2 года назад

      @@christianlempa yeah, but ufw shouldn't care where it's coming from...

  • @davidrichard1811
    @davidrichard1811 3 года назад

    Vielen Dank Christian Grüsse von Arizona

  • @typingcat
    @typingcat 2 года назад

    What do the seemingly random numbers at the beginning of the files mean? I saw similar numbers in polkit configuration files.

    • @Halomaster4ever
      @Halomaster4ever Год назад

      When dealing with newer programs that have multiple configuration files, you can use the numbers at the beginning to determine in which order they're read. One common example is the messages you get when you log into modern Ubuntu servers. It gives you information about your server, but actually they're made up of different scripts ran from a specified folder. You can then insert your own scripts before/after the existing scripts depending on the number you set the file to. Lowest number wins in this case. I'm not 100% sure, but in theory you probably don't NEED to use numbers, it's just a human way of ordering things.

  • @Exotelis-skydive
    @Exotelis-skydive 8 месяцев назад

    Just use ssh-copy-id to copy your ssh key. Maybe someone else mentioned this already :)

  • @ronm6585
    @ronm6585 Год назад

    Thank you.

  • @HonoraryBreathTaker
    @HonoraryBreathTaker 3 года назад

    Is it possible to make a ssh connection available only when VPN is connected to the server?

    • @christianlempa
      @christianlempa  3 года назад +2

      Yeah, in that case you'd need to change the listening IP address of the SSH server to the internal network, or you could enable the UFW and only allow traffic from the internal network.

    • @HonoraryBreathTaker
      @HonoraryBreathTaker 3 года назад

      @@christianlempa Thank you

  • @danholli123
    @danholli123 3 года назад

    What if I ignore security?

  • @atol71
    @atol71 3 года назад

    Besides, system (Milkyway, Universe) is a simulated system inside virtual computer and your PC is a virtual computer inside that virtual computer, so from higher levels of system you can access any way you like the low level virtual computers. Bit like Russian children's toy: Matrychka doll.

  • @Dahlah.FightMe
    @Dahlah.FightMe Год назад

    Nice SIr :D

  • @Dahlah.FightMe
    @Dahlah.FightMe Год назад

    New Subscriber 129k :D

  • @HahaHihi11111
    @HahaHihi11111 2 года назад

    You are One Punch man with 1 hit K.O.? :O