How to Secure a Linux Server with UFW, SSH Keygen, fail2ban & Two Factor Authentication

  • Published: 16 Jul 2024
  • In-depth guide on how to secure a Linux home server running Ubuntu 20.04. This video explains how to change the default SSH port, how to configure a UFW firewall, how to use SSH key-based authentication, how to install and configure fail2ban, and finally how to set up two-factor authentication (2FA).
    Follow this tutorial on my blog: techguides.yt/secure-linux-se...
    This video is part of my ultimate home server tutorial video series!
    Part 0: 10 GIGABIT Ryzen Home Server Build: • Ultimate 10 GIGABIT Ry...
    Part 1: How to Install Ubuntu Server 20.04 LTS from USB: • The Home Server Projec...
    Part 2: How to format and partition hard drives: • How to Partition, Form...
    Part 3: You are here :)
    Part 4: How to set up ZFS RAID10 on Ubuntu 20.04: • How to set up ZFS RAID...
    Part 5: How to Install Nextcloud Hub 21 on Ubuntu 20.04: • How to Install Nextclo...
    Part 6: How to Install Bitwarden on Ubuntu 20.04: • How to Install Bitward...
    Check out today's video sponsor IPVanish: techguides.yt/ipvanish
    Timeline:
    00:00 - Intro
    01:21 - Get a VPN for less than 50$ for a full year!
    02:25 - How to change default SSH port
    05:26 - How to set up UFW
    09:02 - How to set up key-based authentication
    12:11 - How to disable password based authentication
    12:52 - How to set up fail2ban
    16:03 - How to set up two factor authentication
    Video Resources
    Thumbnail adapted from: www.freepik.com/free-vector/c...
    Man in the middle attack: / mitm-man-in-the-middle...
    Privileged ports: www.w3.org/Daemon/User/Instal...
    📝 Blog: techguides.yt

Comments • 172

  • @dejandadude 3 years ago +20

    Someone give this man a Raise!

    • @danci947 3 years ago

      apparently, he just got it...well deserved!

  • @justinreed1388 3 years ago +8

    Thanks, I look forward to watching the rest of these when they are uploaded.

    • @TechGuides 3 years ago

      Awesome! More are coming soon

  • @ox3965 3 years ago

    Wow one of the best most detailed videos, I have ever seen. I need more of these videos. You are the man. Tech guides

    • @TechGuides 3 years ago

      Really appreciate it! I'm trying to produce more videos like this very soon :)

  • @feralshad0w 3 years ago +6

    I would love an apache webserver tutorial from you. These are very concise and extremely useful. Thank you for making them. There are a lot of verbose and confusing tutorials out there that can be difficult to follow.

    • @TechGuides 3 years ago +3

      Thanks for the nice feedback! I tried to make those as easy to follow while still containing a lot of useful information :)

  • @IbanMieZ 3 years ago +1

    I have never, in my life, learnt so much, from one video, sir! Thank you!

    • @TechGuides 3 years ago

      So nice to hear, thank you!

  • @ryanmitchell8208 3 years ago +14

    Thank you so much for these videos. I am very interested in learning how to make my server apache and php secured, so I hope you do that video too!

    • @TechGuides 3 years ago +4

      Thanks for watching! I might do it but it will definitely be a while until I can make it

  • @TheNuclearManx 2 years ago +8

    Very helpful video, thanks!
    Just a couple of things to note from my experience of trying to do some of these:
    1. I think you need to edit/add the [sshd] jail in jail.local rather than fail2ban.local
    2. You can set findtime = x (e.g., x = 1d). This is useful if you have maxretry > 1; it can look at the past x to detect previous login attempts rather than just the past 600 seconds
    3. Using `sudo service fail2ban reload` may be preferable. Apparently `reload` is normally a neater/tidier version of `restart`. For example, using reload, you won't reset the currently failed, etc.
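
Added example, not part of the comment above and not taken from the video or blog: a replay of fail2ban's "maxretry failures within findtime" rule over constructed auth.log lines, showing why the longer findtime from point 2 matters for detection. The log lines, IP addresses and the `would_ban` helper are constructed for illustration, and the line matching is a simplification of fail2ban's real sshd filter.

```shell
#!/bin/sh
# Added example: replay the "maxretry failures within findtime" rule over sshd
# log lines. Simplified model for tuning, not fail2ban's own filter or code.
# The jail.local section being modelled (values are examples):
#   [sshd]
#   enabled  = true
#   maxretry = 3
#   findtime = 1d

# Constructed sample log (documentation-range IPs, all within one month).
sample_auth_log() {
    cat <<'EOF'
Jul 16 10:00:00 srv sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Jul 16 10:00:01 srv sshd[1002]: Failed password for root from 203.0.113.10 port 50001 ssh2
Jul 16 10:00:05 srv sshd[1003]: Failed password for root from 203.0.113.10 port 50002 ssh2
Jul 16 10:00:09 srv sshd[1004]: Failed password for root from 203.0.113.10 port 50003 ssh2
Jul 16 10:07:30 srv sshd[1005]: Failed password for alice from 192.0.2.44 port 61000 ssh2
Jul 16 10:07:41 srv sshd[1006]: Accepted publickey for alice from 192.0.2.44 port 61001 ssh2
Jul 16 10:15:00 srv sshd[1007]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Jul 16 10:30:00 srv sshd[1008]: Failed password for invalid user test from 198.51.100.7 port 40113 ssh2
EOF
}

# Print the IPs that reach <maxretry> failures inside a <findtime> second window.
would_ban() {  # usage: would_ban <logfile> <maxretry> <findtime_seconds>
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password/ {
            # Seconds since the start of the month (sample stays in one month).
            split($3, t, ":")
            now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
            # The source address is the field that follows "from".
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            seen[ip, n[ip]] = now
            # Count this IP failures that still fall inside the window.
            hits = 0
            for (k = 1; k <= n[ip]; k++) if (now - seen[ip, k] < findtime) hits++
            if (hits >= maxretry) banned[ip] = 1
        }
        END { for (ip in banned) print ip }
    ' "$1" | sort
}

# Stand-alone demo: same log, same maxretry, two different windows.
log=$(mktemp)
sample_auth_log > "$log"
echo "maxretry=3 findtime=600   -> $(would_ban "$log" 3 600 | tr '\n' ' ')"
echo "maxretry=3 findtime=86400 -> $(would_ban "$log" 3 86400 | tr '\n' ' ')"
rm -f "$log"
```

With the 600 second window only the burst from 203.0.113.10 is caught; the address that fails once every 15 minutes is caught only with the one-day window, and the single typo from 192.0.2.44 is never banned.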

  • @beundeteunhaas9601 3 years ago +3

    Nice bitesized video for basic security.
    Thanks keep up the good work!

  • @yassinenacif418 3 years ago

    Hats off to you, man!! This video was so useful. Keep up the great job!

  • @ahmadaisabry 3 years ago

    The most informative video series in a very straightforward manner. You do not just type the command, you are explaining what is behind the scenes in a few concentrated, informative pieces of knowledge. Thank you very much. Could you please complete the series by securing the Nextcloud instance itself (Apache and PHP), also performance tuning for the server (Apache, PHP, Nextcloud). Backup and restore.

  • @tjames22123 2 years ago

    Your tutorials have changed my IT world man! Thank you very much!

  • @ahmadimran6231 3 years ago

    Wow learnt something new about the 1024 limit and how the model is becoming obsolete. nice video.

  • @theFakeSleepyJoe 3 years ago

    Excellent video. Thanks!

  • @rosemarieosborn8625 3 years ago +1

    I have ungoogled my life so this last bit with the authentication I cannot use but the rest of the video is brilliant, thank you.

    • @TechGuides 3 years ago +1

      You can do the exact same with Authy ;)

  • @gnuPirate 3 years ago

    Thanks dude! Great video and guide.

    • @nikolas8741 3 years ago

      My eyes are bleeding from your picture😵

  • @ryansamra5 3 years ago

    Thanks for this tutorial it was very helpful

  • @LR-pn6zd 3 years ago

    Awesome work, man

  • @jackv486 3 years ago +1

    Thanks, very helpful video 👍

  • @andinfoser 3 years ago +2

    I would like to learn more on how to make my server apache and php secured, so I hope you do that video soon!

    • @TechGuides 3 years ago

      Thanks for the feedback!

  • @CaptZenPetabyte 2 years ago

    Brilliant Tutorial, thanks! :)

  • @greenland1164 3 years ago

    You are the best. I would love to see more videos about securing an Ubuntu server. Are you still planning to make the other guides?

    • @TechGuides 3 years ago

      Thanks! I have just released part 4 :)

  • @romabilibov7612 3 years ago

    Awesome tutorial!!!!

  • @ahmedsoran4710 2 years ago

    amazing video thanks

  • @AbhaySingh-yw2ej 3 years ago

    I recently decided to convert my old laptop in a home server for a learning experience and why not. I have a 920m 2b Nvidia gc and 2tb hdd and i7-5500U with 16gb ddr3. My target is to have a secure network storage, a workstation to spin up VMs for small projects so I feel like a developer and learn the art of maintaining a system. I wish to keep the stack private, open source and stable. I got a good start with your videos, and would love to know popular use cases of dedicated home servers you have come across other than plex, nas and dhcp.

  • @sirmarkalot9934 3 years ago

    This is pretty cool

  • @6pac149 3 years ago

    You should look into a dashboard i.e. Heimdall, Homer, Dashmachine.
    The videos are great keep up the good work! :)

    • @TechGuides 3 years ago

      Thanks for the suggestion and kind feedback! Appreciate it

  • @robyngutierrez7536 5 months ago

    I realize this tutorial is 3 years old but it's still very informative and also s

  • @tidusimango9364 3 years ago +3

    Discovering your videos is probably the best thing to happen while building my own Ubuntu server. I have already built it and have multiple hard drives, I have dedicated one to PLEX. I'm worried that following this video would block access to plex, thus I won't be able to stream. Any thoughts on how to go about it? Perhaps adding plex into the list of allowed UFW's or allowing plex to access only the one harddrive? Would that compromise my server security? What do you recommend?
    Thanks.

  • @mmroshani 3 years ago +1

    Thanks, the security of NGINX may be important too...

  • @tolbaahmed 3 years ago

    nice video

  • @nikolas8741 3 years ago

    Thanks allooot

  • @molbar77 2 years ago

    Great job man! Thanks. BTW are you aware of any setup or guide to use ubuntu server to enroll/approve devices connection to the home wifi router?

  • @zwyklyuser44 3 years ago

    Thx

  • @ScofieldMuliru 3 years ago +2

    Thank you for the wonderful tutorial. One question though, once you've installed the Google pam on the server, can you use another authenticator apart from the Google authenticator to scan the QR code for use?

    • @ronit.dhingra_ 3 years ago +1

      Yes, I tried this with Duo Mobile and it works just fine.

    • @TechGuides 3 years ago +1

      Thank you! No, you don't necessarily need the google authentication, just one that implements the same algorithm.

  • @keiwarcraft 3 years ago +1

    one question, can I use microsoft authenticator app instead of google one for this 2 factor auth?

  • @ierosgr 3 years ago +2

    Nice tutorial. The only thing it might have been changed would be the rsa key. Why not use ed25519 key instead. It has an arc algorithm for encryption which is considered better than rsa
    Also how come and while you scp id_rsa.pub to the authorized_keys which are both file has as a result the index of the id_rsa to be copied inside the authorized_keys instead of copying the id_rsa.pub file to the other computer. I thought echo does that not scp

  • @freebyte1983 3 years ago +1

    Thank you for your help and for your time. Please can you explain how to build a production server (Ubuntu, for example Nextcloud)? It will help me.

    • @TechGuides 3 years ago +1

      Hey man! I can't quite follow, what do you want to build?

    • @freebyte1983 3 years ago

      Thanks. In your video you install home server . I want to know how to install a real server in production ( number of cpu, partitions , swap ) for nextcloud server.

  • @UmmarFarooqMahroof 3 years ago

    This was amazing. You're awesome. can you please do a video on securing a nginx server. I am trying to setup a dotnet core webserver

    • @TechGuides 3 years ago

      I'm afraid I have never used NGINX so no real experience with that or any security related topics...

  • @rosemarieosborn8625 3 years ago

    I do have an apache2 server but I haven't done much to it because I haven't secured it as of yet. Videos on how to secure an apache2 server from you would be awesome, thanks.

    • @TechGuides 3 years ago

      Thanks for the suggestion! I'll put it on my list :)

  • @amr-50 2 years ago

    amazing video can you please refer me to the ssl video couldn't find it in the description

    • @TechGuides 2 years ago

      Sorry for the late response, here you go I think it's that one: ruclips.net/video/c1t_OrIia1U/видео.html

  • @swedzilla 2 years ago +1

    Your videos are fantastic, just having a small issue with the SSH, I changed the port in the .config and restarted the SSH service, even rebooted the server but it still only accepts connections through the 22. Suggestions?

    • @matthewpierce7717 2 years ago +1

      I'm having the same issue right now.

    • @swedzilla 2 years ago

      @matthewpierce7717 Turned out I didn’t activate the port change. Don’t remember exactly where but there was a “#” that shouldn’t be there.

  • @lubenbroadcasting986 3 years ago

    Hey, thx for this video! Helped me a lot!
    In case I want to give another user access to the server, I just need to copy his ssh key into the authorized_keys?

    • @TechGuides 3 years ago +1

      Yes exactly! Cheers

    • @lubenbroadcasting986 3 years ago

      @TechGuides Ah cool
      Google Auth doesn't work for me though on Ubuntu Server Version 20.04
      Message: "No supported authentication methods available (server sent: publickey)"
      Not sure where the mistake is since I copy-pasted it from your blog. But SSH is fine^^

  • @RealMTBAddict 1 year ago

    Is a 64 character PW long enough for Nextcloud? Also with 2FA.

  • @eikominamoto6599 3 years ago

    please HELP ME after changing port i entered everything you said in windows powershell but it says connection timed out. Please tell me what to do? PLEASE HELP ME

  • @JoJo-wk5rt 3 years ago

    Would it be possible to login from a different IP/computer with a key based authentication and disabled root login?

  • @ox3965 3 years ago

    Tech guides, please could you help I have followed the tutorial but every time I use Google authenticator and I input the verification , my laptop disconnects, the connection.

  • @OasiszGaming 3 years ago +2

    Thank you for this video. I have a question though, i set up the RSA key which is stored on my main PC. I tried to SSH from my phone through the wide area network and was still able to log in provided the port number, ipaddress, and password. I thought the RSA key is supposed to block that? Hope you have some insight, thanks again

    • @TechGuides 3 years ago +1

      Setting up the RSA key is only one part. You also have to disable password based login as I describe after 12:11 :)

  • @donhalbert755 3 years ago

    Great video and thanks for posting it! The last step of adding AuthenticationMethods breaks my ability to login via SSH and the only solution is to login locally and remove that line and then it allows me to again login remotely. Any idea why?

    • @TechGuides 3 years ago

      Thanks! What happens when you attempt to login? You're simply not getting the "Verification" prompt?

  • @subashchaudhary891 3 years ago +1

    I am very interested in learning how to make my server apache and php secured

    • @TechGuides 3 years ago

      OK great, I have planned to do a video on that sometime early next year!

  • @ShibaHack 2 months ago

    I had issues with fail2ban on Ubuntu Server 24.04, apparently at the time of me writing this, there's an issue with the python version used in 24.04 and fail2ban. Found a workaround but it resulted in even more problems for me so I rolled back to 22.04 and everything worked fine.

    • @TechGuides 1 month ago

      Damn, thanks for the heads-up! I wanted to start using 24.04 soon and produce some content on it...

  • @brandom301 3 years ago

    I want to log in from another machine, my laptop. Thus, I will generate another ssh key on it. But how can I copy it to the server into the authorized_keys file without being able to log in from the laptop, since it requires an ssh key to log in?
    Thanks a lot for your videos by the way!

    • @TechGuides 3 years ago +1

      I would just copy the new public key to a machine that already has access and write it to the authorized_keys file. Or disable key-based authentication until you've installed the new key

  • @bernielambillon9737 2 years ago

    Thanks for making these very useful videos. I did run into a bit of a problem though, and I haven't been able to get past it. After generating my ssh keys and copying the public key to authorized_keys on the server, I am still being prompted for a password. Any suggestions would be much appreciated.

    • @TechGuides 2 years ago

      How do you access your server? Make sure you pass the private SSH key to the ssh command when connecting

  • @firewall_chronicles 3 years ago

    im trying to set up a server PLEASE MORE SERVER STUFF AND webserver security PLZ

  • @kthfriend 3 years ago

    When is part5 coming?... looking for the nextcloud install.. thanks.

    • @TechGuides 3 years ago +1

      I'm currently trying to get it out on the 23rd of January - although I'm not always great with my own deadlines ;)

    • @kthfriend 3 years ago

      @TechGuides thanks. It is appreciated...

  • @Vende-se 3 years ago

    Who are the expert or masterclass that could have the best practice on the market so I can pay to learn with? Any recommendation?

    • @TechGuides 3 years ago

      My videos are quite comprehensive but I'm sure you'll find better "experts" on various paid course sites

  • @damiansmith4156 3 years ago

    Nice video! I'm following these steps and since I did try updating server to install fail2ban. I can't update or upgrade or ping. Is anyone else having this issue?

    • @TechGuides 3 years ago

      Hey thanks! Sorry for the late reply. What exactly is your issue? Did you install fail2ban and can no longer log in? If yes, check the list of banned IP addresses (you will need to physically connect to your server to check if indeed you have accidentally banned yourself)

  • @moritzgeusen3818 3 years ago

    Hi, I hope this is not too much of a hassle to you, but why did you copy the key a second time into the authorized_keys file at 11:55? I also got problems after this step, as I was prompted for some password(I'm using Ubuntu+Gnome) to unlock my private key.

    • @TechGuides 3 years ago

      Just for the purpose of copying the public key into an already existing authorized_keys file ;)

    • @moritzgeusen3818 3 years ago

      @TechGuides I still don't really understand. Does it need to be there two times?

    • @TechGuides 3 years ago

      No absolutely not. Only use one of the methods shown to copy your public key. The first method (copying the entire rsa_key.pub file onto the server) is applicable if you have never set up ssh keys on your server and thus the authorized_keys file does not exist yet. This is likely your situation if you are watching this video.
      The second method is only applicable if the authorized_keys file already exists on your server - so if you have already set up ssh key-based authentication before, i.e. for another computer. In that case, you don't want to simply copy & paste the entire public key file onto your server or otherwise the authorized_keys file would obviously be overwritten and your other computer will no longer be able to connect.

  • @alexandragroza2611 3 years ago

    Uhmm, before this i just installed Nextcloud hub which, after i deleted port 80 from firewall, doesn't work anymore. Can it work without that port open?
    Also, you have been soooo helpful, as i only need a home server but this is the first time i am linux-ing, therefore i couldn't have done it without you in one round

    • @TechGuides 3 years ago +1

      Yes you will need to open port 80 to be able to connect to your nextcloud instance. If you ever decide to enable SSL you'll need to open port 443 as well

  • @CarlosPerez-xx9gl 3 years ago

    Could you show how to setup two factor authentication for a virtual machine in a Ubuntu VirtualBox? ...as I could do it successfully for a physical but the same procedure does not work for a VM, what could be wrong? ...thanks!

    • @TechGuides 3 years ago

      I have no experience with virtual machines I'm afraid...

  • @azo890 3 years ago

    hey
    thanks a lot for this tutorial
    i have a problem, somehow, when i add the google authenticator it breaks the ssh and asks for the password then for the token from google
    any ideas to solve that?
    i googled it, but still no results, if someone knows how to solve it, I would be thankful

    • @azo890 3 years ago

      okey i found it
      ........
      To disable password prompt, we edit /etc/pam.d/sshd as below:
      sudo nano /etc/pam.d/sshd
      Comment out the line @include common-auth by adding # at the beginning.
      . . .
      # Standard Un*x authentication.
      #@include common-auth
      . . .
      Save the file and restart sshd.
      sudo systemctl restart sshd

    • @TechGuides 3 years ago

      Hi! Great that you've got it resolved! I was slightly confused what didn't work for you, since I explicitly went over commenting out that line at 17:38 ;)

  • @smitty683 3 years ago

    What is the point of changing the default ssh port if you are just going to point traffic to it anyway from your router? Is there a special way of doing that?

    • @TechGuides 3 years ago

      Cause attackers won't be able to get your ssh port that easily. They can still run a scanner but most attacks will just attempt to connect on port 22 and move on if nothing was detected (or at least that's what I hope)

  • @divakarrex9546 3 years ago

    Can u please share how did u get the system info (temp, processor load ) on ssh login ??

    • @TechGuides 3 years ago +1

      Do you mean glances?

    • @divakarrex9546 3 years ago

      @TechGuides Nope when u login via SSH u get the other machine details just wanted to know how can I get them when I login into my machine

    • @TechGuides 3 years ago +1

      I think this always gets displayed when connecting to a server running Ubuntu

    • @jj-icejoe6642 3 years ago

      Just web interface

  • @renzapolza6808 3 years ago +1

    How can you access files from the explorer?

    • @TechGuides 3 years ago

      Google samba file share on linux

  • @_elroyjetson 2 years ago +2

    I know this video is several years old but instead of adding an alias for ssh it would be better to create a ~/.ssh/config and just add the port assignment there. man ssh_config for more information.

    • @TechGuides 2 years ago

      Good tip! I wasn't aware of the config file back then but I do use it almost exclusively now ;)

  • @marcoFVD 3 years ago

    hi i did all on this video, it was going wel intel the google authenticator after that not possible to login :-( permission denied (publickey).....can some one help me, thanks

    • @TechGuides 3 years ago

      I'm sorry about that. Didn't you open another shell to test connecting with the new settings before disconnecting? Also don't you have physical access to your server?

    • @marcoFVD 3 years ago

      @TechGuides hi the problem is the permitrootlogin set to no? but I am root.....:-( is there any way to get in?

    • @TechGuides 3 years ago

      You should never login as root. You can do anything as any regular user as well. Simply log in with a user that has sudo privileges. If you then need to become "root" you can just type "sudo su"

  • @feralshad0w 3 years ago

    I had everything running great until the google authentication. Now I have an issue with
    "connection closed by **IP address** port **selected port**"
    has anyone run into this issue? This error only occurred after setting up the google two step authentication

    • @feralshad0w 3 years ago

      I FOUND THE ANSWER!!!
      in the pam.d/sshd_config file, be careful to notice there is a "Standard Un*x authentication" line AND a "Standard Un*x authorization" line.
      commenting out the wrong one will lock you out of SSH connection.

    • @TechGuides 3 years ago

      Sorry to hear that you've locked yourself out :( Which line exactly did you erroneously comment out?
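
Added example, not part of the comments above and not taken from the video or blog: a static check of an sshd_config / pam.d/sshd pair for the problems reported in the threads by @swedzilla, @OasiszGaming, @azo890 and @feralshad0w (Port still commented out, password login still enabled, `@include common-auth` still active, `@include common-account` disabled by mistake). The sample files, port 2222 and the helper names are constructed for illustration; `AuthenticationMethods publickey,keyboard-interactive` with `pam_google_authenticator.so` is assumed as the target setup.

```shell
#!/bin/sh
# Added example: static audit of an sshd_config / pam.d/sshd pair for the
# misconfigurations reported in the comments. Limitation: Match blocks and
# Include files in sshd_config are not evaluated.

# Print the effective value of an sshd_config keyword, lower-cased. sshd uses
# the first uncommented occurrence; keywords are case-insensitive.
sshd_value() {  # usage: sshd_value <file> <keyword>
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit
        }
    ' "$1"
}

# Succeed if an uncommented line of the PAM file matches the given regex.
pam_active() {  # usage: pam_active <file> <extended-regex>
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# Print one line per finding; no output means the pair looks consistent.
audit_ssh_2fa() {  # usage: audit_ssh_2fa <sshd_config> <pam_sshd>
    cfg="$1"; pam="$2"
    [ -n "$(sshd_value "$cfg" Port)" ] ||
        echo "port: no active Port line (still '#Port ...'?), sshd stays on 22"
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] ||
        echo "password: PasswordAuthentication is not 'no', key-less logins still work"
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] ||
        echo "root: PermitRootLogin is not 'no'"

    case "$(sshd_value "$cfg" AuthenticationMethods)" in
    *keyboard-interactive*)
        # Newer OpenSSH names the option KbdInteractiveAuthentication.
        kbd="$(sshd_value "$cfg" KbdInteractiveAuthentication)"
        [ -n "$kbd" ] || kbd="$(sshd_value "$cfg" ChallengeResponseAuthentication)"
        [ "$kbd" != "no" ] ||
            echo "kbd: keyboard-interactive is required but explicitly disabled"
        [ "$(sshd_value "$cfg" UsePAM)" = "yes" ] ||
            echo "usepam: UsePAM is not 'yes', the PAM stack is never consulted"
        pam_active "$pam" '^auth[[:space:]].*pam_google_authenticator\.so' ||
            echo "pam-totp: no active pam_google_authenticator.so auth line"
        ;;
    *)
        echo "2fa: AuthenticationMethods does not require keyboard-interactive" ;;
    esac

    if pam_active "$pam" '^@include[[:space:]]+common-auth'; then
        echo "pam-auth: '@include common-auth' is active, a password is asked as well"
    fi
    pam_active "$pam" '^@include[[:space:]]+common-account' ||
        echo "pam-account: '@include common-account' is commented out (wrong line)"
    return 0
}

# Write constructed sample files: a misconfigured pair and its corrected form.
make_samples() {  # usage: make_samples <dir>
    cat > "$1/sshd_config.bad" <<'EOF'
#Port 2222
PasswordAuthentication yes
PermitRootLogin no
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
    sed -e 's/^#Port/Port/' -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' \
        "$1/sshd_config.bad" > "$1/sshd_config.good"
    cat > "$1/pam_sshd.bad" <<'EOF'
# Standard Un*x authentication.
@include common-auth
# Standard Un*x authorization.
#@include common-account
auth required pam_google_authenticator.so
EOF
    sed -e 's/^@include common-auth/#&/' \
        -e 's/^#@include common-account/@include common-account/' \
        "$1/pam_sshd.bad" > "$1/pam_sshd.good"
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "== misconfigured pair =="
audit_ssh_2fa "$demo_dir/sshd_config.bad" "$demo_dir/pam_sshd.bad"
echo "== corrected pair =="
audit_ssh_2fa "$demo_dir/sshd_config.good" "$demo_dir/pam_sshd.good"
rm -rf "$demo_dir"
```

On a real host the two arguments would be /etc/ssh/sshd_config and /etc/pam.d/sshd; as the channel owner suggests further down, keep an existing session open while testing a changed configuration.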

  • @everonprofessionalservices6558 3 years ago

    hi have followed all your steps 3 times on different ubuntu 20.04 servers, at file while trying to login i am getting this message " root@192.XXX.0.XXX: Permission denied (publickey)." what could have been wrong can you figure out please

    • @TechGuides 3 years ago

      Did you update the authorized_keys file in the root directory and not the one from your linux user? Btw I do not recommend to login as root as this is generally considered unsafe practice

    • @everonprofessionalservices6558 3 years ago

      @TechGuides yes i have used root

  • @paps0n 1 year ago

    😁

  • @bolohead6067 3 years ago

    I keep getting client_loop: send disconnect: Connection reset by peer. I've changed my port, set up UFW and did keygen. but still get this and have to reconnect, appreciate your help in this matter, Thanks

    • @TechGuides 3 years ago

      Did you allow the new port through UFW? Are you specifying that port when trying to SSH to your server (using the -e flag)?

    • @bolohead6067 3 years ago

      @TechGuides yes I allowed new port in UFW. I used -e flag it worked. In my client machine in the bash rc file I still had 22 so I changed to my new port. Thanks for your help and your videos.

    • @TechGuides 3 years ago

      Ah great that you could get it resolved! Cheers

  • @chaingain2196 3 years ago

    Are you Tech With Tim's older brother? :p

    • @TechGuides 3 years ago +1

      Haha the similarities are eerie right? :D

    • @chaingain2196 3 years ago

      @TechGuides Yeah it's actually a bit creepy ahhaha. Thanks for the video btw! I really enjoy watching these, very educational and well made :D

    • @TechGuides 3 years ago

      Totally ;) Thank you so much!

  • @JoJo-wk5rt 3 years ago

    If the port forwarding is set in the router, so setting the public port to something else as '22' in the router, I can still only connect to the server via 'ssh -p 22 user@ip'. How is that possible?
    so before doing this ruclips.net/video/sO-afVsDJOA/видео.html

  • @OfficialRDB 3 years ago

    Can login via command without password, but mobaxterm returns an error: no supported authentication methods available (server sent publickey)
    Edit: Advanced SSH settings and check "Use private key" and point to the file.
    Sorry I'm new to all this linux stuff whehehe.... Love your videos.
    Is there something for the google auth in mobaxterm ? Because when i entered the code i need to type another one for the SSH-browser.
    I hope there is something to sync it or use the same.

    • @TechGuides 3 years ago +1

      Thanks man! Hmm I haven't really used mobaxterm together with the google auth on my server. I think I tried it once and simply entered the same token twice. I would have to test it again though

  • @bolohead6067 3 years ago

    Mine, says Resource temporarily unavailable, when trying to ssh into home server. Any suggestions.

    • @TechGuides 3 years ago

      Sounds like you've specified the wrong port after changing it in the sshd_config. Did you ssh using the -e port flag specifying the new port?

    • @bolohead6067 3 years ago

      @TechGuides no I don't think I did that but was able to set different port number. Thanks. When I go into the sshd_config file concerning the keygen, (I set up pass phrase). Do I leave password authentication as yes and do I permit root login as no?

    • @TechGuides 3 years ago

      Please follow the video guide from 09:02 onwards - I discuss exactly which options to set to yes and no

  • @nathan12581 3 years ago

    Or just stick your whole server behind a web reverse proxy, only open port 443 to the public. Use a raspberry PI and use that as a VPN client for open vpn and vpn into your network when you want to access your server outside. No ssh security needed as it’s only available locally.

    • @TechGuides 3 years ago

      Sure, unless you want to SSH from the outside ;)

    • @nathan12581 3 years ago

      @TechGuides You can SSH locally when connected to your home VPN if I’m not mistaken? I just prefer that over opening any more ports other than port 443 for my web apps, then I know my reverse proxy will handle everything the public internet will throw at my one open port on my network. Great videos by the way, keep it up :)

  • @xantra3072 3 years ago

    Please my lord talk about nextcloud again, did it change much from your previous guide series ?

    • @TechGuides 3 years ago +1

      Not really, the install is basically identical but I will show it without snap ;)

  • @RealMTBAddict 1 year ago

    Ubuntu is broken. Nextcloud snap doesn't work with it.
    DietPi works!

  • @JoostWagensveld 3 years ago

    Hi thanks for the extensive videos, I am looking forward to the rest.
    Why don't you use ssh-copy-id to add your key to the server?
    It is explained here in more detail.
    www.ssh.com/ssh/copy-id

    • @TechGuides 3 years ago

      Thank you so much! I know that command, however it can also very quickly get you locked out of your server if you're not careful and I simply prefer to add keys manually.

  • @acarzia5580 3 years ago

    I have a pc build idea for you if you're interested in hearing it?

    • @TechGuides 3 years ago

      Don't have a lot of budget but I'll upgrade my PC soon so shoot!

    • @acarzia5580 3 years ago

      @TechGuides That's fine! What are your current specs? If you don't mind me asking.

    • @TechGuides 3 years ago

      basically what I've got here ruclips.net/video/F-qCbhxdKHE/видео.html but with 64GB trident z rgb ram and a different AIO because the kraken broke

  • @salat 3 years ago

    Blocking ICMP echos is just silly as you'd get a 'host unreachable' answer from the last router before the host if the IP was really down instead of just no response. Maybe use reject with 'icmp-net-prohibited' instead..
    ICMP is helpful - see shouldiblockicmp.com/
    Also: If you use a port >1024 for sshd, as long the sshd is running no other user program could bind to it. And if through some race condition some local user would be able to run a malicious sshd -> the host id would change. I don't really see a risk there..

    • @TechGuides 3 years ago

      Thanks for watching! I agree with the sshd port, just didn't want to get the internet mad. Regarding the ICMP: not sure why I would ever want my private server to be pingable? What do you mean by "if the IP is down"?

    • @TechGuides 3 years ago

      A bit sad you didn't follow up on this... Could you elaborate on what you meant?

    • @kevinjaniak3166 3 years ago

      @TechGuides What salat is saying is that blocking echos does not hide your server. A hacker knows your server exists because there is no "host unreachable" response from the router, only a timeout. The lack of this response indicates the router has a route (connection) to your server. I'd like to add, ping is a useful diagnostic tool. It can help you decide if a problem with your server is due to a configuration error or a network outage.

  • @karelrambousek9860 2 years ago

    Bla, bla,bla you can do it in 2 minutes, not 20. crap

  • @mulletman1705 2 years ago

    Changing ssh port number from the default 22 is useless advice, it will not make anything more secure. Servers can just be scanned by anyone to see what ports they are listening on.

    • @TechGuides 2 years ago

      This step is about mitigating automated attacks that will always try to use port 22. I get thousands of those each day, none ever try to do a full port scan

    • @mulletman1705 2 years ago

      @TechGuides those automated attacks will be stopped by fail2ban, changing the port number does not increase security in any meaningful way.

  • @vitvitskyi 2 years ago

    You forgot to comment out the line @include common-auth. This tells PAM not to prompt for a password in /etc/pam.d/sshd

  • @drivenmadz434 1 year ago

    heads up your link for this video (How to secure a linux server ) ruclips.net/user/redirect?event=video_description&redir_token=QUFFLUhqbW8tN2NoMlhVTUV2NDhxMGZaRHZObUI4STRwd3xBQ3Jtc0tscDFzMzlfd25rUGpjQXdmcDY5bWwtYkVrdzNzcG1MTXFnRjE4UTBqTGk1OS1XQTZkWDlCbTlkTUxMUGMxMmNVWEx1UXdyOHZzYUFpMHFmVE9hZFZTWmNFWElLR3FlcFVnenN5dFZPWWRramlLakZrYw&q=https%3A%2F%2Ftechguides.yt%2Fsecure-linux-server&v=sO-afVsDJOA goes to page with no content :) you can RM this comment :)

  • @louis5555gmail 5 months ago

    I used this video to setup my server. Thanks. Any new development since it was made three years ago?