If you have any issue getting linux-headers and are unable to find the correct one, make sure to type in apt-cache search linux-headers and find the correct one for you. Thanks. Thank you again for another amazing video!!!!!! You are amazing my friend. Continue to inspire people!
Oh my god, I need this so much, thank you!!!! Edit: I need more... Moooreee. Lol, jokes aside, I'd really like to see more about firewall management. Great video, thanks!
Linux primarily relies on nftables and iptables as the backend to its firewalls. Modern distros based on Ubuntu use ufw, while modern Red Hat based distros use firewalld. I personally prefer firewalld, but both are firewalls and can be configured how you want (I find firewalld can be customised much more heavily). In most production on-prem and cloud environments in the enterprise you'll have dedicated virtualised or hardware firewalls in between each network of hosts that further regulate traffic through firewall rules. Usually these rules are more lenient, while the software firewall rules act as more specific rules for the host. You can read more about them here: wiki.ubuntu.com/UncomplicatedFirewall firewalld.org/documentation/
The hacker will still connect to your PC on miniport and it won't even tell you; they change the code with Python so it makes it look like it's working but it's on..
Just to be clear I love your videos. They are very informative and well produced. But I have to add some commentary on what you just showed (from the perspective of a professional pentester):
- Although updates are crucial like you explained, an automated update mechanism (even if it is just the stables) might break something upon updating. So you might consider automatic updates a risk depending on your situation.
- The Mac command to copy your public key to the server will also work on Linux the exact same way (although your command is shorter and easier to remember)
- Using a password upon generation of your key pair is recommended. So when your private key is getting hacked somehow it will be useless if the password is not easily guessable
- In general just use strong (random) passwords and store them in a safe location like a password store.
- Changing the port of your ssh listener is just security by obscurity. Any port scanner using a service scan can show you that ssh is listening on port 717 (like for example nmap -sSV ...)
- Deactivating ping once again is security by obscurity. Nmap has the flag -Pn which will scan your IP address no matter if the server answers to a ping or not.
Other than that your countermeasures are very well designed and really well explained. Thanks for sharing that content.
One other thing I would suggest is editing /etc/hosts.allow and hosts.deny. I know you have ufw, but adding another layer will not damage anything. Make sure your passwd file is shadowed. I've been doing this since the 90s. Any and every install gets that treatment.
Good starting guide and well explained, still missing tons of hardening activities, for example unattended upgrades and other. But I guess these things are better than what 90% of the folks implement out there so it's not about out-running the hungry lion, just running faster than the guy behind you...
I don't manage Linux servers but this was so informative. I am a maker and have been looking to set up a server for my IoT devices and this is awesome to make sure my server isn't going to be hackable. AWESOME!! Thank you Chuck!!
Great video Chuck. For SSH this is what I do. I change the port like you do, but I lock it down so I can only SSH from my home IP address: ufw allow from to any port . Even if your public IP address changes you can still SSH back in from the Linode web console and change the firewall rules.
Some good advice there. Security is always about layers. If one layer is breached the next should take over. I have found that limiting the allowed-from address for SSH can make a big difference in how many break-in attempts you see. Even if you don't have a static IP, your ISP will only have a limited range of IPs it can give you and you can allow only that range. It's also a good idea to use something like fail2ban. It automatically bans IPs that e.g. have a certain number of failed SSH login attempts. Works rather well :-)
One more thing I would like to add is to get the linpeas enumeration script on your server and enumerate it, then try to secure as many attack vectors as it can find.
@@Andremzsptm It's a shell script that shows all possible ways to privesc (become root without knowing the root pass, basically) and with a quick Google search you can find the GitHub repo by carlospolop that has linpeas.
I tried this and Linode wouldn't apply the $100 discount and was going to charge me the full amount of $36/month. Dedicated 4 GB - lowest priced package per month. I watched the rest of your video and found it useful. Thank you!
Super useful. Followed all the steps in Arch Linux (some minor differences) in Linode (simpler to set up than AWS and less invasive than Azure at collecting personal data). This is really cool.
A good Linux tutorial by Chuck; yep, these are the good measures discussed in this tutorial. I use an SSL proxy (stunnel/nginx) to encapsulate the SSH connection and also use SSLH to multiplex (more correctly, ALPN-based forwarding) the SSL-proxy-encapsulated SSH connection through the same port number as my web server (443).
Please do more blue team stuff. Hacking into system as attacker is one thing, but at the end the whole idea of ethical hacking is to find vulnerability and then know how to secure them.
This was awesome. I am in classes right now and we just went over SSH and private and public keys. This lab definitely helped reinforce my learning and best of all I now have a server.
Very informative video. It's a very big misconception that Linux systems are secure from hackers.. Everything with an operating system and a signal is not 100% secure..
Another great video Chuck, turns out I have already done most of these on my two linux VMs at home. Oh yeah and guess who just landed a new job as a Cloud Engineer ... ?
@JazzyOzzy What are you running on your server? These 5 things are a start on hardening but nowhere near being hardened to a security standard like NIST.
@@asificam1 it's common practice in network security to block echo replies and not send unreachable. No reply means you don't exist period. But yes good point in this scenario since he spun up Apache
Nice one Chuck, very cool starter............Side topic, I recently managed to also configure 2FA using the Google pluggable authentication module (PAM). This increases the security in the sense that you would also need to have a token using apps like Authy or Google Authenticator. So if somehow hackers get access to your private key, well, they're stuck for a while due to missing 2FA. 👍
Auto updates- you make a great suggestion, but I have had automatic updates automatically break stuff... usually in the middle of the night or Friday at 4:30p.
Dude you are just awesome. I'm a junior web developer who wants to keep learning about more fields from computers and software. I'm about to study network administration and after that maybe some hardware grade or something. I see almost all your videos and I learn A LOT, like wow. I just want to say thank you for all this knowledge. A hug from Spain!!
All excellent with one nitpick: changing ssh port from 22 is sort of useless, as anyone who cares already has a port scanner and doesn't even bother checking just the default. (And, yeah, like others have said, I'd add fail2ban to the list, but that's for another video where you can talk through the details and reasons behind them.)
@@konev13thebeast I've got to admit, though, that changing the port reduces the size of the log files. Just out of curiosity, I swapped between 22 and 1234 (I think it was) a few times, and the frequency difference is enormous. Drive-bys on 22 are about 20-30/hour for me, fell to about 2-3/day with the non-standard port.
@@d00dEEE How important is it to monitor SSH logs unless there's a massive spike though? From my experience with Windows servers, the firewall can handle most flooding issues fine. Genuine question, I've never touched a Linux server before.
Regarding the private/public key pair. 2 questions. 1) Can the same key pair be used to connect to different servers? Or do I need separate key pairs for each server? 2) Since the public key was copied to the server as "authorized_keys" how can I add a key pair from another machine? ie allow ssh access from both desktop and laptop? Can I copy the private key to the other machine? Or do I need a key pair for that machine? Does the second key get appended to "authorized_keys" (and how) or is the public key file name on the server not important?
#1 Not sure, but I believe you must use separate key pairs for each server. Otherwise it is like using the same password for everything (Twitter if you have a Twitter account, PayPal if you have a PayPal account, etc.) and that is not a good idea.
I don't know if anyone else commented on this, but you also want to NOT permit empty passwords. It's set by default to "no", but just in case, so people will know. /etc/ssh/sshd_config PermitEmptyPasswords no
I have some improvements: Make sure to lock up the public key folder so a password is required to add/edit/remove public key(s). Also set up AppArmor. It is easier to set up than SELinux, and helps improve security a lot.
Thanks so much for another great video. I signed up on Linode. This is my first web hosting as I am just starting to toy around with servers, websites, and such. Your videos are fantastic and I always learn a lot. Thank you.
Respectfully, I think you missed the point for installing certificates AND disabling password logins. I suggest re-watching the video at ruclips.net/video/ZhMw53Ud2tY/видео.html and ruclips.net/video/ZhMw53Ud2tY/видео.html . Network Chuck is suggesting forcing the user(s) to use certificates AND disallow (simple) password logins. Since such a system forces the user to have a certificate installed AND can NOT log in via a simple password request there is no reason to use fail2ban. I've used fail2ban in the past - in fact, I was even -- initially -- thinking fail2ban would be a good addition to this video. However, in retrospect, using certs removes a user's/hacker's ability to brute force a password and, therefore, is not required. Peace. :) V/r
I'm watching it again for the 6th time. Running the few VPS I'm managing with the list and securing the new one while watching this video. Your energy is amazing and the sense of humor is awesome. Permit Root login - yes. ... NO ! ! ! !
So first off thank you so much Chuck for these. These are amazing. I am retired Navy and currently in HR but want to make the switch to IT. I LOVE computers but always got frustrated so I didn't want to do it as a job, but learning makes it better. So I did this and followed your steps and secured my server. Problem is, I like to connect through Termius remotely from my iPhone/iPad. I would love a video on how to add multiple authorization keys. I guess I could make multiple users each with their own key (user-iPad, or user-iPhone) but I was wondering how you would tackle multiple keys for one user. Also, is it possible to stick the keys on a thumb drive to use from another machine? I am reversing the steps because my dumb ass created keys on my Windows machine for another server and overwrote the old keys *face palm* so now I am having trouble ssh'ing in.
You could just copy the private key to your iPhone. Maybe, idk how that works from an iPhone, but there are SSH clients for iPhone so I'm sure they have the option for adding keys.
The best part of this is testing whether the website is accessible even though you knew that the firewall was going to be blocking port 80: expectations don't always match the reality of what will happen. That's how security bugs tend to be discovered. Just because something is expected to happen doesn't mean that it will happen so testing it doesn't hurt especially if it's something security related.
I completely agree with what Leo said here. This is why when I spin up a vm on linode everything is behind a VPN either openvpn or wireguard. I typically never leave anything exposed to the public internet. Or I write a ufw rule that only allows traffic from my home IP.
Awesome video as usual! But I do have a question -- If someone did hack my computer with the private key, they would easily be able to access my server. While I like not having to log in each time, I feel like somewhat of a password might be more secure. Thoughts?
Legend!!! loving it every time I check your channel the subscribers are more every day. Looking forward to seeing you with 1M. You deserve it mate! all the best!
Nice video, but just changing the default ssh port doesn't make it that much harder for hackers to find the new ssh port. Nmap allows for service scan which will make your new ssh port be discovered very easily. That said, the tip about using a ssh key pair is indeed good practice :)
I'm surprised that you didn't mention key formats while discussing key pairs. My colleagues who are professionals in this area (and security is an area best left to professionals) highly and unanimously recommend using the Ed25519 format over older RSA/DSA formats. I also didn't see (but perhaps I missed) any mention of SSL/TLS, certificates, key rotation, and all the other things that keep life interesting in a secure world. IMHO, blocking root access altogether is a bad idea. Better is to provide key-pair access (no password) using a public key that is not contained in any authorized_keys file of any user. I also configure /etc/sudoers to allow members of "wheel" to use sudo without a password challenge to avoid breaking shell scripts. Since I host all my public-facing servers on AWS EC2, I lock down each machine using an AWS security group in addition to the on-board firewall. You didn't mention SELinux, which is part of securing any modern Linux. It's also tedious and complex, so I understand why. It is perhaps worth a mention though. I appreciate this video. It is a perfectly reasonable introduction; it might be worth saying more about next steps.
Chuck, you can use that '~' in Windows (PowerShell) just like Linux and Mac. Or, you could've just used a period since you were already in the directory (i.e. './id_rsa'). You also might want to remove the line in '/etc/ufw/before.rules' just below where you added the drop rule; it's the exact same rule but allowing instead. I know it reads from top to bottom, but there's no reason for both to be in there.
@@mihaidoboga Port 717 is not a standardized port. It won‘t interfere with anything. If you want to check all important/standardized ports, checkout this site: en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Changing the SSH port will only take a script kiddy with nmap a few extra seconds to find. This also breaks some enterprise apps that are connecting via ssh to perform various audits. You would think it would be possible, but some apps cannot accept a different port for SSH, and you would require a separate service account for every non-standard ssh port you may have configured. Lets also factor in internal firewalls and routes between vlans.
Sometimes nmap doesn't recognize an open port as an SSH port if it's not port 22. It has personally happened to me: in my case nmap recognized an open SSH port on 8022 as an oa-system. I'm not sure what that is, and looking it up on the internet didn't give me a good hint, but I was still able to use it because I know it's an SSH port. It might be a good layer of security to make your open port non-usable unless you know what it's used for. Let me know what you think.
Awesome lesson Chuck, I followed step-by-step and everything worked perfectly...except a couple typing errors Thank you for your passion and your patience. God Bless bro
Great video! I've learned many things. You always explain things simply and understandably. If you don't mind, I just saw that in the final step you added an existing rule at the top for the `--icmp-type echo-request -j DROP`. I've tested it by simply changing that rule at the bottom and it works. Is it done this way for a reason? Also, after the `ufw reload`, I've tried just restarting the ping and it worked; for this I think there is no need to reboot the whole server, except if it is under some kind of attack already.
Won 20 bucks in a networking class.
Another student told me he could get into any computer remotely.
I accepted his challenge and turned off my network card in the drivers.
He was pissed.
Priceless..
🤣
😂😂😂
I bet that no-one can kill you after you've committed suicide*
clever...
I just want to caution everyone from enabling automatic updates on production systems. The best practice is to use scheduled maintenance windows and to always test updates in a test/dev/QA environment before making changes to prod :)
Perhaps create cronjobs to update once a month
You're right. The ideal situation is using a repository host, whether that's something like Red Hat Satellite, Oracle Spacewalker, or using simple webserver which synchronizes repositories.
You then control your packages on the upstream, so that when they are downloaded by the host - only the packages that have been tested are applied.
This is how we automate patching - determine what updates we want > synchronise packages to repo host > create test environment to mimic prod > schedule ansible jobs via Tower to auto patch test hosts with smoke tests > when smoke tests pass, execute job on prod > run smoke tests, and if it fails, execute a job to undo the patch.
Yes. I can't stress this enough. Upgrade on other environment first and test everything first.
This is a BS channel for wannabe network/linux/ansible people with bloated headlines and eyecandy editing; he barely has any real life experience with this stuff, most of the stuff he teaches is from official rtd.
@@viktatororban4407 Everything you listed is exactly what's appropriate to teach beginners and for enthusiasts to communicate to them. Beginners need enthusiasm to draw them onto the path of becoming an expert.
You should use "apt upgrade" instead of "apt dist-upgrade" as the latter might also remove packages or change things in the system which might break your applications. "dist-upgrade" should be used if you want to upgrade to a new release of the distro, not if you just want the latest versions of your packages in order to get security fixes.
Definitely one of the top 3 videos of all time to date... changing TCP ports, encrypted authentication, and disabling ping. Love it... Thanks again Chuck!
Great video. I'm gonna sub.
20:41 - The line was already there (the last entry in that section). All he had to do was change the ACCEPT to DROP. ICMP ping may be blocked but hackers can still find his server using the nmap utility. Great video though. Love the channel!
I'm kind of surprised the 2nd line doesn't overwrite what the first one did. I guess the behavior is to only check for the entry once and ignore additional entries.
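The ordering point in the two comments above, that the existing ACCEPT line should be changed rather than a second echo-request rule added, comes from how iptables walks a chain: top to bottom, stopping at the first rule whose target is terminal (ACCEPT or DROP), so a DROP placed below an ACCEPT for the same packet is dead weight, and a DROP placed above it leaves a confusing unreachable rule behind. The following is an added shell example, not from the video or from these commenters, that makes the edit on a constructed excerpt of /etc/ufw/before.rules and checks which rule would actually fire; the helper names are my own.

```shell
#!/bin/sh
# Added example: flip the stock "echo-request -j ACCEPT" rule in the
# ufw-before-input chain to DROP in place, instead of inserting a duplicate
# rule that would either be shadowed or leave a dead ACCEPT below it.

# Write a constructed excerpt of a stock before.rules to $1 (sample input only;
# the real file has more chains and rules around these lines).
write_sample_before_rules() {
    cat > "$1" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-forward - [0:0]
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Rewrite only the INPUT-chain echo-request rule from ACCEPT to DROP.
# The FORWARD-chain rule (pings routed through the box) is deliberately
# left alone; the other ICMP types stay accepted because path MTU discovery
# and traceroute error reporting depend on them.
drop_inbound_ping() {
    tmp="$1.tmp"
    sed 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j \)ACCEPT$/\1DROP/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Target of the FIRST echo-request rule in chain $2 of rules file $1: this is
# the one the kernel applies, whatever comes after it.
first_echo_request_target() {
    awk -v chain="$2" '
        $1 == "-A" && $2 == chain && /--icmp-type echo-request/ { print $NF; exit }
    ' "$1"
}

# Number of echo-request rules in chain $2: anything above 1 means a
# duplicate was added and one of the two rules is unreachable.
echo_request_rule_count() {
    awk -v chain="$2" '
        $1 == "-A" && $2 == chain && /--icmp-type echo-request/ { n++ }
        END { print n + 0 }
    ' "$1"
}
```

Against the real file this is drop_inbound_ping /etc/ufw/before.rules as root followed by sudo ufw reload; no reboot is needed. Confirm with sudo iptables -S ufw-before-input | grep echo-request, which should show exactly one rule and it should end in -j DROP. Note that this only hides the host from plain ping; nmap -Pn skips the ping check entirely, as the pentester above points out.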
Just as a correction
for macOS the command ssh-copy-id @ also works.
@14:08
PasswordAuthentication no is not enough to disable password for ssh login.
Make sure to set ChallengeResponseAuthentication no as well
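As an added example (not from the video or this comment), a small shell helper that applies this correction, together with the PermitEmptyPasswords and PermitRootLogin settings other commenters raise, to a copy of sshd_config and reports the value sshd would actually use. Two things trip people up here. First, sshd honours the first occurrence of a keyword and ignores any later ones, so appending "PasswordAuthentication no" at the bottom of a file that already says "yes" changes nothing. Second, many cloud images start the file with Include /etc/ssh/sshd_config.d/*.conf, and a drop-in there (cloud-init writes one on Ubuntu) may set PasswordAuthentication yes ahead of anything placed below the Include. The helper therefore removes old occurrences and puts its block at the very top of the file. The sample config and the function names are my own.

```shell
#!/bin/sh
# Added example: harden a copy of sshd_config so key-only login is enforced.
# sshd takes the FIRST occurrence of each keyword, so the managed block goes
# at the top of the file, ahead of any Include line, and every earlier
# occurrence (active or commented out) is removed to avoid confusion.

# Settings to enforce. KbdInteractiveAuthentication is the newer name for
# ChallengeResponseAuthentication; both are set so old and new OpenSSH
# releases read it. Assumption: key-only logins are wanted.
HARDENED_SETTINGS='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
MaxAuthTries 3'

# Write a constructed, deliberately weak sshd_config to $1 (sample input only).
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
ChallengeResponseAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Value sshd would use for keyword $2 in file $1: first non-comment match
# wins, keyword matching is case-insensitive. (Match blocks and Include'd
# files are not followed; use `sshd -T` on the live host for the full truth.)
effective_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# Strip existing lines for every managed keyword, then prepend the block.
harden_sshd_config() {
    cfg="$1"
    tmp="$cfg.tmp"
    awk -v managed="$HARDENED_SETTINGS" '
        BEGIN {
            n = split(managed, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); skip[tolower(kv[1])] = 1 }
        }
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # look past a leading "#"
            split(line, w, " ")
            k = tolower(w[1])
            if (k in skip) next
            print
        }
    ' "$cfg" > "$tmp"
    {
        printf '# Managed hardening block: first match wins, keep this first\n%s\n' "$HARDENED_SETTINGS"
        cat "$tmp"
    } > "$cfg"
    rm -f "$tmp"
}
```

Run it against a copy first (cp /etc/ssh/sshd_config /tmp/sshd_config; harden_sshd_config /tmp/sshd_config), then on the real file; check with sudo sshd -t and sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin', and restart sshd only while a second session is still open so a mistake cannot lock you out. If you prefer the key-plus-password combination argued for further down the thread over key-only, keep PasswordAuthentication yes and add AuthenticationMethods publickey,password instead.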
I have another suggestion though. There's a firewall option that allows your port to be neither "open" nor "closed" but instead "filtered", making your server accept incoming connections only from a known IP address. It might not be useful for everyone since not everyone has a static IP address. But hey, if you do, then that's just the best layer of security you might add to your server.
As a security professional I really found this video to be of good quality. You were to the point, informative but not overbearing, engaging while being authentic. Keep up the great work! ❤ 😍
He's literally the only YouTuber that breaks it down enough to where even my bricked brain understands
It seems standard IT advice is to replace the password in ssh with the RSA key, but this thinking, I feel, is wrong. I would only do that if it was intranet only and I was feeling lazy. You can, and it's much better to, use both! What if a machine that had your RSA private key somehow gets compromised (I for one have multiple, some of which are portable)? You would be done. Yes you can put a passphrase on the private key, but you are just buying yourself time, if you even know it was compromised in the first place. Having the password as well is a simple way to have MFA, which is a must for any server you have on the internet. The RSA key is the thing you have, coupled with the thing you know, i.e. the password. Set up fail2ban on SSH to protect against simple brute force and you've got a fairly strong setup. Even better is what I do and set up Google Authenticator on that SSH stack, but I'll admit that may be overkill :).
Also another bit of SSH advice is to make it so the SSH user has no administrative powers; don't even put them in the sudoers group. Remember sudo allows administrative privilege with the same password used to login. Once you login, you should elevate your privilege by using su to an administrator account (someone who is in sudoers). This is the way Cisco switches are by default and it's good practice.
Security in layers :)
Add a layer of security by encrypting your home folder, or even better your whole machine, with LUKS. Lose it? The attacker will see nothing.
Yeah, even that could be hacked (extremely hard) but it makes it harder and adds a layer.
Linode, just to tell you - A really good choice for sponsorship! Keep going, his style is a remarkable combination of useful information and energetic hype!
spent a few hours trying to get key auth to work, found out Chuck left a part out in the video. You need to add the private key to the ssh agent so your computer knows which key to use. In windows, do these commands:
Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent
ssh-add
NOW you should be able to log in :)
The way you deliver content is outstanding. English is my second language, but you somehow manage to be quick, to the point, and very understandable. Kudos. Fantastic work.
Same here! All of his videos are really understandable and easy to learn.
I would always recommend protecting your private key. A private key with no protections on it is more commonly referred to as a back door. You can password protect your private key. Passwords are only useless in Windows these days, since Microsoft refuses to stop using unsalted MD4. Cracking a password for a 4096 bit RSA key, or a SHA512 hash? Yeah. Let me know how that works out for you. If you use a godawful password, sure, it can be done. If you take any steps to make a somewhat decent password, chances are extremely unlikely that someone's going to crack it.
However, if you're taking all of these steps to secure your Linux boxen anyway, might as well step it up a notch. Get you a Yubikey, and use it to protect your private key, or use it as a 2nd factor. Yubico has some great documentation. Probably the hardest part about doing it is selecting which method you want to go with, since Yubikeys are extremely flexible.
Steps 1-4 I can understand and recommend too but the ping part in step 5 is just so unnecessary in my opinion.
Sure you can block pings but any "good" hacker has many other tools to check if your server is still running (ahem.... nmap... ahem)
I would also recommend any Linux admin to install and set up at least a basic fail2ban config to automatically block any recurring SSH logins or any other brute force attacks trying to get into your services
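The brute-force blocking this comment and several earlier ones ask for is what fail2ban's sshd jail does. As an added example, which is neither fail2ban's code nor anything from the video, here is the core of that logic in shell and awk so the findtime/maxretry idea is visible: count failed logins per source address inside a sliding time window and report the addresses that cross the threshold, then turn the report into ufw deny rules. It runs over a constructed auth.log excerpt; the addresses are documentation ranges and the function names are mine.

```shell
#!/bin/sh
# Added example: the counting that fail2ban's sshd jail performs, reduced to
# awk. Counts "Failed password" and "Invalid user" lines per source address,
# and flags an address once MAXRETRY failures fall inside any FINDTIME-second
# window. Constructed log lines only; not fail2ban's own implementation.

# Constructed auth.log excerpt: 203.0.113.7 hammers the box, 198.51.100.5
# logs in with a key and then fails once (a typo, not an attack).
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  3 10:00:04 web1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 40140 ssh2
Mar  3 10:00:09 web1 sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 40150 ssh2
Mar  3 10:00:11 web1 sshd[1209]: Accepted publickey for chuck from 198.51.100.5 port 51000 ssh2
Mar  3 10:00:15 web1 sshd[1211]: Failed password for chuck from 198.51.100.5 port 51002 ssh2
Mar  3 10:03:40 web1 sshd[1213]: Invalid user pi from 203.0.113.7 port 40160
EOF
}

# Read log lines on stdin; print "ADDRESS PEAK" for every source whose
# failures reach $1 (maxretry, default 5) within $2 seconds (findtime,
# default 600). Timestamps are read as HH:MM:SS only, which is enough for a
# same-day excerpt (assumption); real logs also need the date.
find_brute_forcers() {
    maxretry="${1:-5}"
    findtime="${2:-600}"
    awk -v maxretry="$maxretry" -v findtime="$findtime" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            split($3, t, ":")
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
            when[ip, n[ip]] = ts
            # how many of this address'"'"'s failures fall inside the window
            # ending at this one (the findtime idea)
            c = 0
            for (j = 1; j <= n[ip]; j++) if (when[ip, j] >= ts - findtime) c++
            if (c > peak[ip]) peak[ip] = c
        }
        END { for (ip in peak) if (peak[ip] >= maxretry) print ip, peak[ip] }
    '
}

# Turn "ADDRESS PEAK" lines into ufw commands. Printed rather than executed
# so the list can be reviewed first; "insert 1" puts the deny ahead of any
# allow rule, which is what makes it effective.
ufw_deny_rules() {
    while read -r ip count; do
        printf 'ufw insert 1 deny from %s to any\n' "$ip"
    done
}
```

On a real host the pipeline is grep sshd /var/log/auth.log | find_brute_forcers 5 600 | ufw_deny_rules, reviewed and then piped into sudo sh; on journald-only systems feed it journalctl -u ssh -o short --no-pager instead. For anything unattended use fail2ban itself, whose maxretry, findtime and bantime in /etc/fail2ban/jail.local do what the two arguments do here plus the unban after a timeout. The ufw limit 22/tcp rule mentioned further down is the coarser kernel-side version of the same idea: it denies a source that opens more than six new connections within 30 seconds, without looking at whether the logins failed.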
This was great. I've just passed my Linux essentials exam and this helped me learn a bit more about security. Btw, reloading the firewall did do the trick on my server. I didn't have to reboot.
Brilliant. Coming from a person who is very comfortable with Linux, it's so nice to see the simple security aspects covered. And I always love how enthusiastic you are, making I.T. fun!! Big fan here, over in London/UK! Keep it up, and great to see your channel growing as well. Keep you fed :)
Thank you 😊
Chucks the man but I've always wondered how much coffee he really drinks everyday.
Can u do videos on selinux but with a different twist@@NetworkChuck
I've had bad experiences with unattended updates, especially on a production server. They often tend to overwrite custom settings. For example, with PostgreSQL, an update might reset a custom database path, and similarly, Docker updates might alter the custom data path set for Docker.
ufw by default allows established connections; that's why reloading ufw is not helping. You need to drop all established connections, which is what a reboot does.
I use FirewallD but I'm not sure if it's better though. I'm not running a server, just desktop for home use.
@@wakeupNeo_ I don't think either one is better, they're just different. The biggest difference I've seen is that ufw seems to be easier at command line, but firewalld is easier with Ansible. At least until ufw gets an Ansible module (it might have already).
@@wakeupNeo_ ufw can also limit access to a certain port. For example, you can prevent someone from brute forcing port 22 by limiting the connection to 2 connections per 30 seconds.
@@明智吾郎-e4b yeah I switched to ufw now and blocked access to port 22. You can probably do this with firewalld but ufw is much easier to use.
The only reason I come back to watch your videos is that I seem to learn new things and commands, and get up to date with my passion for tech stuff.
8:14 - "chmod" actually stands for "change mode" instead of "change modification"
This is the greatest presentation I've seen on hardening a cloud linux server. You're fast paced, but the whole video was understandable and easy to follow. Thank you so much for making this video. I've shared it with people and included links to it on my blog posts.
Perfect timing, man! Just fired up my first Linux server this week!
How did it go? What distro?
If you have any issue getting linux-headers and are unable to find the correct one, make sure to type in apt-cache search linux-headers and find the correct one for you. Thanks. Thank you again for another amazing video!!!!!! You are amazing my friend. Continue to inspire people!
Oh my god, I need this so much, thank you!!!!
Edit: I need more... Moooreee. Lol, jokes away, I really like to see more about firewall managing. Great video, thanks!
network chuck, i want you to networkfuq me.
Linux primarily relies on nftables and iptables as the backend to their firewalls. Modern distros based on Ubuntu use ufw, while modern Red Hat based distros use firewalld.
I personally prefer firewalld, but both are firewalls and can be configured to how you want (I find firewalld can be customised much more heavily). In most production on prem and cloud environments in the enterprise you'll have dedicated virtualised or hardware firewalls in between each network of hosts that further regulates traffic through firewall rules. Usually these rules are more lenient, while the software firewall rules act as more specific rules specific to the host.
You can read more about them here: wiki.ubuntu.com/UncomplicatedFirewall
firewalld.org/documentation/
How to be unhackable: do not connect to the internet.
Just don't use a computer
Just
J
The hacker will still connect to your PC on miniport and it won't even tell you; they change the code with Python so it makes it look like it's working but it's on..
Just to be clear I love your videos. They are very informative and well produced. But I have to add some commentary on what you just showed (from a perspective of a professional pentester):
- Although updates are crucial, like you explained, an automated update mechanism (even if it is just the stable ones) might break something upon updating. So you might consider automatic updates a risk depending on your situation.
- The mac command to copy your public key to the server will also work on linux the exact same way (although your command is shorter and easier to remember)
- Using a password upon generation of your key pair is recommended. So if your private key gets hacked somehow, it will be useless if the password is not easily guessable.
- In general just use strong (random) passwords and store them in a safe location like a password store.
- Changing the port of your ssh listener is just security by obscurity. Any port scanner using a service scan can show you that ssh is listening on port 717 (like for example nmap -sSV ...)
- Deactivating ping once again is security by obscurity. Nmap has the flag -Pn which will scan your ip address no matter if the server answers to a ping or not.
Other than that your counter measures are very well designed and really well explained. Thanks for sharing that content.
One other thing I would suggest is editing /etc/hosts.allow and hosts.deny.
I know you have ufw, but adding another layer will not damage anything.
Make sure your passwd file is shadowed.
I've been doing this since the '90s.
Any and every install gets that treatment.
how do you do that? where do you guys learn this all?
Good starting guide and well explained, still missing tons of hardening activities, for example unattended upgrades and other. But I guess these things are better than what 90% of the folks implement out there so it's not about out-running the hungry lion, just running faster than the guy behind you...
I don't manage Linux servers but this was so informative. I am a maker and have been looking to set up a server for my IoT devices and this is awesome to make sure my server isn't going to be hackable. AWESOME!! Thank you Chuck!!
Great video chuck. for ssh this is what I do . I change the port like you do but I lock it down so I can only ssh from my home ip address. ufw allow from to any port Even if your public ip address changes you can still ssh back in from the linode web console and change the firewall rules.
That’s a great step. Very secure.
Some good advice there. Security is always about layers. If one layer is breached the next should take over.
I have found that limiting the allowed from address to SSH can make a big difference in how many break-in attempts you see. Even if you don't have a static IP, your ISP will only have a limited range of IPs he can give you and you can allow only that range.
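The two comments above describe restricting SSH to your own address range and relying on the provider's console if that range ever changes. The helper below is an added example (not the commenter's command and not from the video): it checks that the address you administer from actually falls inside the range before printing the ufw rule, so a typo in the prefix cannot lock you out. The addresses 203.0.113.0/24, 203.0.113.45 and 198.51.100.7 are constructed documentation addresses, and 717 is the non-default SSH port used in the video.

```shell
#!/bin/sh
# Added example: only emit "ufw allow from <range> to any port <ssh port>"
# after confirming the admin's own address is inside <range>.
# All addresses below are constructed (RFC 5737 documentation ranges).

# ip2int 203.0.113.45 -> the 32-bit integer form of a dotted IPv4 address
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NETWORK/BITS ADDRESS -> exit 0 if ADDRESS lies inside the prefix
cidr_contains() {
    net=${1%/*}
    bits=${1#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        # top BITS bits set, kept within 32 bits (4294967295 = 0xFFFFFFFF)
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# ssh_allow_rule RANGE PORT ADMIN_IP -> prints the ufw command that limits SSH
# to RANGE, but refuses (exit 1) when ADMIN_IP is not inside RANGE
ssh_allow_rule() {
    range=$1
    port=$2
    admin=$3
    if ! cidr_contains "$range" "$admin"; then
        echo "refusing: $admin is outside $range; this rule would lock you out" >&2
        return 1
    fi
    echo "ufw allow from $range to any port $port proto tcp"
}

# Stand-alone run: the rule an admin on 203.0.113.45 would apply.
ssh_allow_rule 203.0.113.0/24 717 203.0.113.45
```

Apply the printed rule only after `ufw default deny incoming` is in place and the provider console (Linode's web console in the thread above) is confirmed as a fallback; the range check is a guard, not a substitute for that fallback.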
It's also a good idea to use something like fail2ban. It automatically bans IPs that e.g. have a certain number of failed SSH login attempts. Works rather well :-)
Great recommendations, Madeye.
3:53 "Coffee break"
Puts an ad
21:22 "Coffee break"
Puts another ad
Yeah, Coffee gives you lots of money.
@@b07x 😂
Yeah man 👍
Looks like you haven't implemented his pihole video ;)
hes definitely getting carried away with this shit....but man his videos are so good w/e
I always automatic update my servers and never see anyone talking about this (even in "how to security")
Quality content++
How do you update it automatically? unattended-upgrades?
one more thing i would like to add is to get the linpeas enumeration script on your server and enumerate it, then try to secure as many attack vectors it can find
What is that?
@@Andremzsptm its a shell script that shows all possible ways to privesc (become root without knowing root pass basically) and with a quick google search you can find the github repo by carlospolop that has linpeas
@@ladyViviaen that's really nice. Thanks
Is it a script like Lynis?
@@Gunslinger088 from what i saw on google lynis is more overall security scans and whatnot while linpeas only scans for privesc weaknesses
I tried this and Linode wouldn't apply the $100 discount and was going to charge me the full amount of $36/month. Dedicated 4 GB - lowest priced package per month. I watched the rest of your video and found it useful. Thank you!
Super useful. Followed all the steps in Arch Linux (some minor differences) in Linode (simpler to set up than AWS and less invasive than Azure at collecting personal data). This is really cool.
this by far has to be the best video you have done...
every time I deploy a new server, I go through this
A good Linux tutorial by Chuck, yep these are the good measures discussed in this tutorial.
I use an ssl proxy (stunnel/nginx) to encapsulate the SSH connection and also use SSLH to multiplex (more correctly, ALPN based forwarding) the ssl proxy encapsulated SSH connection through the same port number as my web server (443).
I’ve learned so much from chuck. Became a coding teacher and now learn great instructional etiquette through chuck. Thank you so much haha
For mac you can use ssh-copy-id as well!
Nice, Thanks!
I am learning more and more everytime...as soon as I finally move to linux, yours is the FIRST system I install as a firewall etc.
i love the "warning" it gives when adding users not as root - with great power comes great responsibility
In min 20:52 shouldn't we comment the fifth line?
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Great video by the way!
Awesome tutorial, chuck. You are the man! Thanks for all that you do to help us newbies.
The activity in staring in a screen conglumerates that you want to have a correscending appleture of thought, recontextualizing the greatness that can be grown from that with the "Ryzen Five"
Please do more blue team stuff. Hacking into system as attacker is one thing, but at the end the whole idea of ethical hacking is to find vulnerability and then know how to secure them.
I think a good thing to add would be "ufw limit [ssh port]" to protect from ssh bruteforce attacks as well
$HOME also works as shorthand for your own user directory in Windows 10
%userprofile% is the one that tends to work across the board in windows
Oh, I kinda like the padlock & the little key drew on the screen. Much appreciated!
This was awesome. I am in classes right now and we just went over ssh and private and public keys. This lab definitely helped reinforce my learning and best of all I now have a server.
BETTER explanation than my linux teacher. Excellent bro 👊🏼
Very informative video. It's a very big misconception that Linux systems are secure from hackers.. Everything with an operating system and a signal is not 100% secure..
Just released my own SaaS and now I'm trying to make it more secure 😁
Another great video Chuck, turns out I have already done most of these on my two linux VMs at home. Oh yeah and guess who just landed a new job as a Cloud Engineer ... ?
I've got my 1st server and checked out everything you showed us. Fine, it works. Hungry to learn more... Keep up with this great work
How is it going so far after a year
Exactly what I need
@JazzyOzzy What are you running on your server? These 5 things are a start on hardening but nowhere near being hardened to a security standard like NIST.
Great video chuck. I'm gonna do this on all of my Linux boxes from now on.
Doesn't help. It's snake oil.
I miss the twitch live streams
"Connection refused" is still saying "I'm here, scan my ports"
@@asificam1 it's common practice in network security to block echo replies and not send unreachable. No reply means you don't exist period. But yes good point in this scenario since he spun up Apache
It only slows hackers down rather like a locked door..
Criminals just go through Windows!
What is the general consensus/opinions of Port knocking or Single Packet Authorization (FWKNOP) to keep ports closed until actively ready to use?
Thanks, this really came in handy hardening the sever I just setup. We are living in amazing times when you can learn so much online these days.
Also a million Chuck! You well deserve it!
Got a question while watching, did not have time to type it that you already answered it. Very nice tutorial.
Nice Video 👍. I would recommend Lynis to audit the system.
Nice one Chuck, very cool starter............Side topic, I recently managed to also configure 2FA using the Google pluggable authentication module (PAM). This increases the security in the sense that you would also need to have a token using apps like Authy or Google Authenticator. So if somehow hackers get access to your private key, well, they're stuck for a while due to the missing 2FA. 👍
Auto updates- you make a great suggestion, but I have had automatic updates automatically break stuff... usually in the middle of the night or Friday at 4:30p.
For basic servers auto updates should be ok. However, when you have stuff like MariaDB, PHP, Python etc., things can break.
Dude you are just awesome. I'm a junior web developer who wants to keep learning about more fields from computers and software. I'm about to study network administration and after that maybe some hardware grade or something. I see almost all your videos and I learn A LOT, like wow. I just want to say thank you for all this knowledge. A hug from Spain!!
I've broken like 5 virtual machines already so far on this journey haha. I love this channel.
I've literally taken my SD card out of my raspberry pi and reinstalled Ubuntu Server with the pi imager several times.
12:45 "etsie" is one of my favourite Linux-typical-directory nick names😄
All excellent with one nitpick: changing ssh port from 22 is sort of useless, as anyone who cares already has a port scanner and doesn't even bother checking just the default. (And, yeah, like others have said, I'd add fail2ban to the list, but that's for another video where you can talk through the details and reasons behind them.)
Looked through the comments specifically for someone that agreed on this point
@@konev13thebeast I've got to admit, though, that changing the port reduces the size of the log files. Just out of curiosity, I swapped between 22 and 1234 (I think it was) a few times, and the frequency difference is enormous. Drive-bys on 22 are about 20-30/hour for me, fell to about 2-3/day with the non-standard port.
@@d00dEEE how important is it to monitor ssh logs unless there's a massive spike though? From my experiences with Windows servers, the firewall can handle most flooding issues fine. Genuine question, I've never touched a Linux server before
Regarding the private/public key pair. 2 questions.
1) Can the same key pair be used to connect to different servers? Or do I need separate key pairs for each server?
2) Since the public key was copied to the server as "authorized_keys" how can I add a key pair from another machine? ie allow ssh access from both desktop and laptop? Can I copy the private key to the other machine? Or do I need a key pair for that machine? Does the second key get appended to "authorized_keys" (and how) or is the public key file name on the server not important?
#1 Not sure but I believe you must use separate key pairs for each server. Otherwise it is like using the same password for everything (twitter if you have a twitter account, paypal if you have a paypal account, ETC..) and that is not a good idea.
13:48 this cracked me up 😂 Loved the tutorial. I'm gonna recommend it in my next video 👍
I don't know if anyone else commented on this but you want to also NOT permit empty passwords. It's set by default to "no" but just in case, so people will know.
/etc/ssh/sshd_config
PermitEmptyPasswords no
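The comment above checks one sshd_config keyword by eye. The script below is an added example (not from the video or the thread) that reads the value sshd will actually use and audits the keywords the video changes (PermitRootLogin, PasswordAuthentication) together with PermitEmptyPasswords. Two sshd_config facts drive it: sshd uses the first value it meets for a keyword and ignores later duplicates, and everything after a Match line is conditional. The defaults in the audit are OpenSSH's documented ones; the config file in the test is constructed.

```shell
#!/bin/sh
# Added example: report the effective value of security-relevant sshd_config
# keywords and flag weak ones. Parsing rules follow sshd_config(5): first
# occurrence wins, keywords are case-insensitive, Match blocks are conditional.

# sshd_effective FILE KEYWORD -> the first active value, or nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match" { exit }        # conditional section starts here
        tolower($1) == key { print $2; exit }  # first occurrence wins
    ' "$1"
}

# check_setting FILE KEYWORD DEFAULT WANTED -> one finding line; exit 1 when
# the effective value (or the documented default when unset) is not WANTED
check_setting() {
    value=$(sshd_effective "$1" "$2")
    note=""
    if [ -z "$value" ]; then
        value=$3
        note=" (default)"
    fi
    if [ "$value" = "$4" ]; then
        echo "ok:   $2 = $value$note"
    else
        echo "WEAK: $2 = $value$note, want $4"
        return 1
    fi
}

# audit_sshd FILE -> exit 1 if any keyword is weak.
# Defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes,
# PermitEmptyPasswords no, PubkeyAuthentication yes (sshd_config(5)).
audit_sshd() {
    rc=0
    check_setting "$1" PermitRootLogin prohibit-password no || rc=1
    check_setting "$1" PasswordAuthentication yes no || rc=1
    check_setting "$1" PermitEmptyPasswords no no || rc=1
    check_setting "$1" PubkeyAuthentication yes yes || rc=1
    return $rc
}

# Stand-alone run: audit the file given as the only argument.
if [ "$#" -eq 1 ]; then
    audit_sshd "$1"
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config`. One caveat for Ubuntu 22.04 and later: the stock file starts with `Include /etc/ssh/sshd_config.d/*.conf`, and because the first value wins, a drop-in file there overrides anything set lower in the main file; this script does not follow Include lines, so compare its output with `sudo sshd -T`, which prints the configuration sshd has actually resolved.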
Automatic updates? Untested updates in a production environment?
yes you are correct!
@@thelearner761 I too was about to address that point. Good call Ezra & The Learner
I have some improvements: Make sure to lock up the public key folder so a password is required to add/edit/remove public key(s). Also set up AppArmor. It is easier to set up than SELinux, and helps improve security a lot.
Maybe you can also make an Video to take the SSH Security to the next Level with fail2ban and totp authentication😉, would be nice to see this.
Fail2ban is nice!
Or SSH tarpit
@@abanoubmelad2919 GO 127.0.0.1
Port knocking or its successor single packet authorization (fwknop)
It would be really nice to have this also explained, to go another step ahead.
Thanks so much for another great video. I signed up on Linode. This is my first web hosting as I am just starting to toy around with servers, websites, and such. Your videos are fantastic and I always learn a lot. Thank you.
I think fail2ban is even more important than ufw
I was gonna say add fail2ban and apparmor or selinux and set those up
Tried it. Instead of having 1000 brute force attempts from 50 ips, I got 1000 brute force attempts from 350 different ips. Now I had 300+ ip blocked
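Several comments above (Madeye's fail2ban note and this sub-thread) turn on one idea: count failed SSH logins per source address and ban the address once it reaches a threshold inside a time window, which is fail2ban's maxretry/findtime rule. The script below is an added example, not fail2ban's own code and not from the video: it runs that detection over a few constructed auth.log lines and prints the ufw commands a ban action would issue. Hostnames, addresses and timestamps in the sample log are constructed; 717 is the SSH port used in the video.

```shell
#!/bin/sh
# Added example: fail2ban-style detection over sshd log lines.
# An address is reported when it has at least MAXRETRY "Failed password"
# lines within any sliding FINDTIME-second window.

# write_sample_auth_log PATH -> constructed auth.log excerpt (not real traffic)
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jan 10 03:00:00 web1 sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jan 10 03:12:01 web1 sshd[2188]: Invalid user admin from 198.51.100.7 port 51234
Jan 10 03:12:01 web1 sshd[2188]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jan 10 03:12:03 web1 sshd[2190]: Failed password for root from 198.51.100.7 port 51240 ssh2
Jan 10 03:12:05 web1 sshd[2192]: Failed password for root from 198.51.100.7 port 51244 ssh2
Jan 10 03:12:09 web1 sshd[2194]: Failed password for invalid user oracle from 198.51.100.7 port 51250 ssh2
Jan 10 03:13:00 web1 sshd[2201]: Accepted publickey for chuck from 203.0.113.45 port 50000 ssh2: ED25519 SHA256:constructedfingerprint
Jan 10 03:20:00 web1 sshd[2310]: Failed password for root from 192.0.2.10 port 40201 ssh2
Jan 10 03:40:00 web1 sshd[2455]: Failed password for root from 192.0.2.10 port 40377 ssh2
EOF
}

# ssh_offenders LOG MAXRETRY FINDTIME -> sorted addresses that reached MAXRETRY
# failed logins inside a sliding FINDTIME-second window
ssh_offenders() {
    awk -v max="$2" -v win="$3" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # $3 is hh:mm:ss; seconds since midnight is enough for one day of log
            split($3, t, ":")
            sec = t[1] * 3600 + t[2] * 60 + t[3]
            if (match($0, / from [0-9.]+ port /)) {
                # strip the 6 chars of " from " and the 6 chars of " port "
                ip = substr($0, RSTART + 6, RLENGTH - 12)
                n[ip]++
                ts[ip, n[ip]] = sec
            }
        }
        END {
            for (ip in n) {
                j = 1                        # oldest attempt still inside the window
                for (i = 1; i <= n[ip]; i++) {
                    while (ts[ip, i] - ts[ip, j] > win) j++
                    if (i - j + 1 >= max) { print ip; break }
                }
            }
        }
    ' "$1" | sort
}

# ban_rules LOG MAXRETRY FINDTIME PORT -> the ufw commands a ban action would run
ban_rules() {
    ssh_offenders "$1" "$2" "$3" | while read -r ip; do
        echo "ufw insert 1 deny from $ip to any port $4 proto tcp"
    done
}

# Stand-alone run with fail2ban-like values: 3 failures within 10 minutes.
sample=$(mktemp)
write_sample_auth_log "$sample"
ban_rules "$sample" 3 600 717
rm -f "$sample"
```

The window matters: with a 10-minute findtime only 198.51.100.7 is reported, while 192.0.2.10, which spreads three failures over forty minutes, slips under the threshold; widening findtime to an hour catches it too. That is the trade-off the comment above ran into when attempts spread across many addresses, and it is why a key-only sshd (no PasswordAuthentication) is the stronger control, with banning as a second layer that keeps the logs readable.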
Thanks Chuck. Can you also make a video about SELinux? How that works with some examples?
Respectfully, I think you missed the point for installing certificates AND disabling password logins. I suggest re-watching the video at ruclips.net/video/ZhMw53Ud2tY/видео.html and ruclips.net/video/ZhMw53Ud2tY/видео.html .
Network Chuck is suggesting forcing the user(s) to use certificates AND disallow (simple) password logins. Since such a system forces the user to have a certificate installed AND can NOT log in via a simple password request there is no reason to use fail2ban. I've used fail2ban in the past - in fact, I was even -- initially -- thinking fail2ban would be a good addition to this video. However, in retrospect, using certs removes a user's/hacker's ability to brute force a password and, therefore, is not required. Peace. :)
V/r
Agreed
Not seeing anyone mention it, but that 'weird squiggly key' for those who don't know, is called the 'Tilde' key.
---> ~
Good job dude. i hope you do a video about forensics one day
I'm watching it again for the 6th time. Running the few VPS I'm managing with the list and securing the new one while watching this video.
Your energy is amazing and the sense of humor is awesome.
Permit Root login - yes.
...
NO ! ! ! !
So first off thank you so much Chuck for these. These are amazing. I am retired Navy and currently in HR but want to make the switch to IT. I LOVE computers but always got frustrated so I didn’t want to do it as a job, but learning makes it better. So I did this and followed your steps and secured my server. Problem is, I like to connect through Terminus remotely from my iPhone/iPad. I would love a video on how to add multiple authorization keys. I guess I could make multiple users each with their own key (user-iPad, or user-iPhone) but I was wondering how you would tackle multiple keys for one user. Also is it possible to stick the keys on a thumb drive to use from another machine? I am reversing the steps because my dumb ass created keys on my Windows machine for another server and overwrote the old keys *face palm* so now I am having trouble ssh’ing in.
You could just copy the private key to your iPhone. Maybe idk how that works from iPhone but there are ssh clients for iPhone so I'm sure they have the option for adding keys.
The comments are always great on Network Chuck's videos. Thanks for the content too..
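The question above (multiple keys for one user, also asked earlier in the thread about laptop plus desktop) comes down to how `~/.ssh/authorized_keys` works: it holds one public key per line, so each device gets its own key pair and its public key is appended as a new line under the same account. The helper below is an added example, not from the video or the thread: it appends a key only once (matching on type and key blob, since the trailing comment may differ between copies) and keeps the permissions sshd's StrictModes check accepts. The key strings are constructed placeholders, not real keys, and the scratch directory is made with mktemp.

```shell
#!/bin/sh
# Added example: manage one user's authorized_keys for several devices.
# Keys in the demo are constructed placeholders, not real public keys.

# add_authorized_key "TYPE BLOB COMMENT" FILE -> appends the key to FILE;
# exit 1 (and no change) when the same key (type + blob) is already there
add_authorized_key() {
    pubkey=$1
    akfile=$2
    sshdir=$(dirname "$akfile")
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"        # sshd refuses keys from a group/world-writable dir
    touch "$akfile"
    chmod 600 "$akfile"
    # identify the key by type + blob; the comment may differ between copies
    keyid=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$keyid" "$akfile"; then
        return 1
    fi
    printf '%s\n' "$pubkey" >> "$akfile"
}

# count_authorized_keys FILE -> number of key lines (comments and blanks ignored)
count_authorized_keys() {
    awk '/^[ \t]*(ssh-|ecdsa-sha2-|sk-)/ { n++ } END { print n + 0 }' "$1"
}

# list_key_comments FILE -> the comment field of each key, one per line
list_key_comments() {
    awk '/^[ \t]*(ssh-|ecdsa-sha2-|sk-)/ { print $3 }' "$1"
}

# Stand-alone run against a scratch directory with two constructed keys.
demo_dir=$(mktemp -d)
demo_ak="$demo_dir/.ssh/authorized_keys"
add_authorized_key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDLAPTOPKEY00 user@laptop" "$demo_ak"
add_authorized_key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDPHONEKEY000 user@iphone" "$demo_ak"
list_key_comments "$demo_ak"
rm -rf "$demo_dir"
```

From a machine that can already log in, `ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server` does the same append remotely (the Mac tip in the thread above). Copying a private key between devices, as the reply suggests, works but means one compromised device exposes every host that key opens; one key pair per device, each revocable by deleting its line, is the cleaner arrangement.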
The best part of this is testing whether the website is accessible even though you knew that the firewall was going to be blocking port 80: expectations don't always match the reality of what will happen. That's how security bugs tend to be discovered. Just because something is expected to happen doesn't mean that it will happen so testing it doesn't hurt especially if it's something security related.
I completely agree with what Leo said here. This is why when I spin up a vm on linode everything is behind a VPN either openvpn or wireguard. I typically never leave anything exposed to the public internet. Or I write a ufw rule that only allows traffic from my home IP.
The comments are a gold mine of knowledge.
Awesome video as usual! But I do have a question -- If someone did hack my computer with the private key, they would easily be able to access my server. While I like not having to log in each time, I feel like somewhat of a password might be more secure. Thoughts?
Still needs password to run sudo commands
Legend!!! loving it every time I check your channel the subscribers are more every day. Looking forward to seeing you with 1M. You deserve it mate! all the best!
Nice video, but just changing the default ssh port doesn't make it that much harder for hackers to find the new ssh port. Nmap allows for service scan which will make your new ssh port be discovered very easily. That said, the tip about using a ssh key pair is indeed good practice :)
True, but with 65535 ports and a 3 or 5 attempt ip banhammer, you can decrease your risk by a reasonable margin.
Hey, the way you explain things is fun, easy to understand and short and to the point. Simply amazing!!!
Good tips, simple to implement and well explained. Thank you!
Using this on my RazPi!!! Great content as always.!!!
Awesome! And thank you.
I'm surprised that you didn't mention key formats while discussing key pairs. My colleagues who are professionals in this area (and security is an area best left to professionals) highly and unanimously recommend using the Ed25519 format over older RSA/DSA formats. I also didn't see (but perhaps I missed) any mention of SSL/TLS, certificates, key rotation, and all the other things that keep life interesting in a secure world.
IMHO, blocking root access altogether is a bad idea. Better is to provide key-pair access (no password) using a public key that is not contained in any authorized_keys file of any user. I also configure /etc/sudoers to allow members of "wheel" to use sudo without a password challenge to avoid breaking shell scripts.
Since I host all my public-facing servers on AWS EC2, I lock down each machine using an AWS security group in addition to the on-board firewall.
You didn't mention SELinux, which is part of securing any modern Linux. It's also tedious and complex, so I understand why. It is perhaps worth a mention though.
I appreciate this video. It is a perfectly reasonable introduction -- it might worth saying more about next steps.
Chuck, you can use that '~' in Windows (PowerShell) just like Linux and Mac. Or, you could've just used a period since you were already in the directory (i.e. './id_rsa'). You also might want to remove the line in '/etc/ufw/before.rules' just below where you added the drop rule; it's the exact same rule but allowing instead. I know it reads from top to bottom, but there's no reason for both to be in there.
Do you mean I can replace the $env:USERPROFILE part on Windows for a ~?
Nice video! But you should have used a port number above 1024 :)
Why?
@@sterling1989 Because port numbers in the range 0 - 1023 are the well-known ports (system ports) which are mainly used by system processes.
@@mihaidoboga Port 717 is not a standardized port. It won't interfere with anything. If you want to check all important/standardized ports, check out this site: en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Changing the SSH port will only take a script kiddy with nmap a few extra seconds to find. This also breaks some enterprise apps that are connecting via ssh to perform various audits. You would think it would be possible, but some apps cannot accept a different port for SSH, and you would require a separate service account for every non-standard ssh port you may have configured. Let's also factor in internal firewalls and routes between vlans.
Sometimes nmap doesn't recognize an open port as an ssh port if it's not port 22; it has personally happened to me. In my case nmap recognized an open ssh port on 8022 as an oa-system.. I'm not sure what that is, but looking it up on the internet didn't give me a good hint, and I was still able to use it because I know it's an ssh port. It might be a good layer of security to make your open port non-usable unless you know what it's used for. Let me know what you think.
Awesome lesson Chuck, I followed step-by-step and everything worked perfectly...except a couple of typing errors. Thank you for your passion and your patience. God Bless bro
It's just the best stuff I saw on RUclips, I mean it. Simple things, useful things, but man you have a style. Thanks a lot for your work!
Whenever "Chuck" says coffee break, I drink a beer. Cheers.
Thats like 20 beers per episode. I think you might have a problem, but who am I to judge.
Instructions unclear. Logged into Chuck's personal PC and traumatized by photo directory.
Great video! I've learned much things. You always explain the things simple and understandable.
If you don't mind, I just saw that in the final step you've added an existing rule at the top for the `--icmp-type echo-request -j DROP`. I've tested it by simply changing that rule at the bottom and it works. Is it done this way for a reason?
Also after the `ufw reload`, I've tried just restarting the ping and it worked - for this I think there is no need to reboot the whole server, except if it is under some kind of attack already.
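Three comments in this thread touch the same /etc/ufw/before.rules edit: which echo-request line to change, whether the stock ACCEPT line left below the new DROP should go, and why flipping the existing ACCEPT to DROP also works. All of them follow from one iptables rule: a chain stops at the first matching rule. The script below is an added example (not from the video or the thread) that exercises that on a constructed copy of the relevant section, which mirrors the stock Ubuntu file; only the file path is made up.

```shell
#!/bin/sh
# Added example: reason about ufw's before.rules ICMP section on a scratch
# copy. First matching rule wins, so a DROP placed above the stock
# echo-request ACCEPT takes effect and the ACCEPT below it becomes dead.

# write_sample_before_rules PATH -> the relevant part of a stock before.rules
write_sample_before_rules() {
    cat > "$1" <<'EOF'
*filter
:ufw-before-input - [0:0]
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# effective_icmp_action FILE ICMP-TYPE -> target of the first rule for that
# type in ufw-before-input, i.e. what the kernel will actually do
effective_icmp_action() {
    awk -v type="$2" '
        index($0, "-A ufw-before-input -p icmp --icmp-type " type " ") == 1 {
            for (i = 1; i <= NF; i++) if ($i == "-j") { print $(i + 1); exit }
        }
    ' "$1"
}

# insert_echo_drop FILE -> the approach from the video: a DROP rule directly
# above the stock ACCEPT, leaving the ACCEPT in place
insert_echo_drop() {
    awk '
        /^-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT$/ {
            print "-A ufw-before-input -p icmp --icmp-type echo-request -j DROP"
        }
        { print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# remove_dead_echo_accept FILE -> delete the ACCEPT line that can no longer match
remove_dead_echo_accept() {
    grep -v '^-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT$' "$1" > "$1.new"
    mv "$1.new" "$1"
}

# count_echo_rules FILE -> number of echo-request rules present
count_echo_rules() {
    grep -c 'icmp-type echo-request' "$1" || true
}

# Stand-alone run: show the effective action at each step.
scratch=$(mktemp)
write_sample_before_rules "$scratch"
echo "stock:            $(effective_icmp_action "$scratch" echo-request)"
insert_echo_drop "$scratch"
echo "after insert:     $(effective_icmp_action "$scratch" echo-request) ($(count_echo_rules "$scratch") echo rules)"
remove_dead_echo_accept "$scratch"
echo "after cleanup:    $(effective_icmp_action "$scratch" echo-request) ($(count_echo_rules "$scratch") echo rules)"
rm -f "$scratch"
```

The conntrack line at the top of the sample also explains the reload observation above: a ping that is already running has an ICMP conntrack entry, and the RELATED,ESTABLISHED rule sits above the echo-request rules, so `ufw reload` does not interrupt it. Stopping the ping lets that entry expire, after which the new DROP applies; a reboot is not required.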
One Doubt... is Kali Linux prepared like this or we need to do this 5 steps? NICE VIDEO!!!