Hardening Access to Your Server | Linux Security Tutorial

Views: 149,363

Akamai Developer

1 day ago

In this tutorial, we'll go over how to harden your Linux server against unauthorized access. With these basic security practices in place, your server will be more secure from outside attacks.
Chapters:
0:00 - Intro
0:41 - Updating Your System
4:34 - Using Automatic Updates
6:20 - Add a Limited User Account
10:22 - Harden SSH Access
16:12 - Remove Unused Ports
17:57 - Outro
New to Cloud Computing? Get started here with a $100 credit → www.linode.com/lp/youtube-vie...
Read the doc for more information on Securing Your Server→ www.linode.com/docs/guides/se...
Learn more about Security→ www.linode.com/docs/guides/se...
Subscribe to get notified of new episodes as they come out → kzfaq.info?sub_co...
#Security #Linode #ServerSecurity #Linux
Product: Linode, Server Security, Linux; Jay LaCroix;

Comments: 83
@latlov 3 years ago
5:00 Automatic updates with:
$ apt install unattended-upgrades
$ dpkg-reconfigure --priority-low unattended-upgrades
6:08 Confirm usage of unattended-upgrades
7:00 Create a new user
7:37 # ls /home
7:43 # cat /etc/passwd
7:55 Check whether sudo is installed or not: # which sudo
8:20 visudo
8:30 Make that new user a member of either those two groups (sudo or admin)
9:10 Otherwise # usermod -aG [sudo,admin,wheel] userName
9:36 # groups userName
9:52 Make sure that sudo works: # su - userName
10:02 Make sure sudo actually works: $ sudo apt update
14:23 allowUsers user1 user2 etc
15:15 $ sudo systemctl restart sshd
16:20 List all ports that are actually listening for outside connections $ sudo ss -atpu
17:20 $ sudo apt remove postfix
@Ranblv 2 years ago
--priority-low is wrong it's --priority=low
@cjt5570 3 years ago
I am so happy to see Jay on Linode channel. I started using Linode a year ago with his promo link, and I really like it. Going to set up more instances this year😍
@fosres 3 years ago
I personally like how Linode is featuring some of my favorite YouTubers. Wolfgang was also featured on Linode's channel. Thanks Linode!
@AkamaiDeveloper 3 years ago
Great to hear, thanks for the feedback!
@vasiovasio 3 years ago
Really Great and Useful Video! Thank you Linode!
@pablogallegosgonzalez623 1 year ago
Hi from Chile, in the last days I learned so much about Linux distributions and configurations, thanks a lot.
@alanjrobertson 2 years ago
Fantastic video, Jay 👍
@hanskinsella5078 3 years ago
Great video, really helpful content.
@marcosoliveira8731 2 years ago
I've learned new stuff today. Thank you.
@t.s.k2318 3 years ago
Thank you for this video.
@garcelleng1142 1 year ago
Thanks so much, I needed guidance for a project and your video helped me.
@miladzahmatkesh7813 2 years ago
Thanks! so useful.
@fred2009ification 3 years ago
Very Nice. Greetings from Brazil.
@fgarza 2 years ago
Thanks, I was using putty to ssh into the server, and previously configured DigitalOcean to only accept connections with the private key, but it was only for root user. I had to manually create the ~/.ssh/authorized_keys file in my new user and paste the private key there so that it allowed me to enter to the server again. So now I can only log in with my user and not my root.
@BhaktaDas 2 years ago
Love from India, Great Help
@anoldslowhorse 1 year ago
Extremely helpful video, so many great examples to follow. A must view. Thank you.
@bigbicepstime 3 years ago
Golden stuff
@He-Is-One-and-Only 2 years ago
Would be very helpful if u add those commands or in a TXT file linked. Nice stuff appreciated 👍🏻
@emanuelfaisca1783 3 years ago
Great Video! Thank you for this. Can you do one about firewall configuration?
@AkamaiDeveloper 3 years ago
Sure, stay tuned!
@dragon3602010 3 years ago
@AkamaiDeveloper yeah it would be cool, ufw with dockers because there is something weird about it, thanks 👍
@wojteknastaj6438 1 year ago
Hi Jay, thank you so much for all the content on your channel. It helps a lot. I'm following your process here but running into a problem. I created my user, and when I try to switch from root to the new one, I get this 'su: cannot open session: Cannot make/remove an entry for the specified session'. I tried to google it but can't really find a helpful answer. Can you help me with this?
@cmdaltctr 2 years ago
Thank you for this, you are a great teacher. Will there be a video on setting up a firewall?
@AkamaiDeveloper 2 years ago
Thanks! We have 2 videos on firewalls. First using the cloud manager: kzfaq.info/get/bejne/fp2ngJieqa-VXZ8.html And using UFW: kzfaq.info/get/bejne/jtqCi9Blq6yvZ4U.html
@latlov 3 years ago
5:00 One question concerning "automatic upgrades". Will the system reboot automatically? or do we still have to reboot it ourselves? What if automatic rebooting, as a result of unattended-upgrades, affects the web applications or containers?
@AkamaiDeveloper 3 years ago
You can use "sudo nano /etc/apt/apt.conf.d/50unattended-upgrades" to configure how reboots are handled on the server. You can change these lines for example:
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:38";
@DannyMexen9 3 years ago
Very helpful, thank you.
@susiebaka3388 2 years ago
will unattended-upgrades upgrade packages like django and postgres? I don't want this to happen because it could break my application.
@prevpapers 1 year ago
Hi, is there any way to block some port opened by running docker-compose?
@bzdesign07 3 years ago
Very useful tutorial. Thank you. But I have a question: when we use SSH keys to log in to our Linux server, how can we have an SFTP connection and transfer files from/to our server?
@AkamaiDeveloper 3 years ago
This thread might answer your question superuser.com/questions/1569467/how-to-connect-to-sftp-server-using-ssh-key-from-command-line-whats-the-comman
@TakeOnMe5 1 year ago
The copy of the public key is optional, right? On first connect it will be added to the known hosts by answering a prompt.
@hopelily6432 1 year ago
Hi there, I'm logged out of the ssh, how do I fix it on the Lish console?
@BalurPoco 1 year ago
How can I get automatic updates on a RHEL clone distro, for example in AlmaLinux?
@jeffreyschlieve590 2 years ago
The video was great. I have one issue: I use SecureCRT and Windows. Is there a way to transfer the key with SecureCRT? I was not able to run the same commands from the Windows DOS prompt.
@AkamaiDeveloper 2 years ago
You might find success using the method outlined in SecureCRT's documentation www.vandyke.com/support/tips/publickeyauth.html - however if you run into trouble, you can always install your key manually using the steps in our guide here: www.linode.com/docs/guides/use-public-key-authentication-with-ssh/#manually-copy-your-public-key
@jeffreyschlieve590 2 years ago
@AkamaiDeveloper I ended up using PowerShell. It was the first time I had actually used it. I am kinda old school and slow to adapt sometimes. Thanks for your direction, it helped me learn.
@Techtips200 3 years ago
How to do hardening via Ansible playbook
@elvangoktepe5183 2 years ago
Hi, thank you for this video. But I think I made something wrong while adding my user to sudo. Because it was writing "permitAsRoot Yes" I mean I couldn't lock SSH. How can I fix it? Thank you
@AkamaiDeveloper 2 years ago
Our Troubleshooting SSH guide is a good place to start to figure this out www.linode.com/docs/guides/troubleshooting-ssh/
@michalroesler 1 year ago
Where can I find info regarding specific lines of "ssh -v HostName" output. I want 2 learn what this output means. Most of it I understand but 4 example: debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling or debug1: identity file C:\\Users\ oeslermichal\\.ssh\\poczt_id_ed25519 type 3 What "type 3" means ???
@rostranj2504 3 years ago
When I `$ exit ` it switches back to root and does not log out. I also have to prepend the user with `@` and the IP address to log in. I can't log in with just ssh and the IP address... the latter after setting up ssh and testing on another terminal tab that it works, the former right in the beginning when we first log out.
@AkamaiDeveloper 3 years ago
We think it was some video editing magic that caused Jay to be fully logged out upon typing "exit" at about 10:25. After using "su" to switch to another user, the first time running "exit" will close the shell created by "su", dropping you back into the previous shell.
@hopelily6432 1 year ago
@AkamaiDeveloper I'm also getting the same error - I wish you could reply to the comments like you did last year...
@starsstars5727 1 year ago
Can I ask how I can reset the root password to connect with SSH?
@coolergappney1943 2 years ago
Nah, doesn't work. Every time I try to ssh in to my limited user I get permission denied. I even used the vid tutorial and the options given when creating the server. Both don't work.
@lafayette9410 3 years ago
I've gone through this multiple times but can't figure out why mine only switches between root and my user@localhost, whereas yours has jay@webserver and jay@laptop. Whether that's relevant I do not know, but I get to the key and up to the point where you ssh into the Linode is the same, but I still have to enter a password. I'm sure there's a detail I'm missing if my result is different but I'm at a complete loss.
@AkamaiDeveloper 3 years ago
Hello Lafayette, it sounds like you need to make sure that you are attempting to generate the SSH key on your home computer, then copy the public key onto your Linode. You might find the steps in this guide more helpful www.linode.com/docs/guides/securing-your-server/#create-an-authentication-key-pair
@lafayette9410 3 years ago
@AkamaiDeveloper This helped exactly as I needed and I'll try to spend a bit more time digging through the foundational elements from respective sources before wandering too far in frustration. I certainly have plenty to look out for with no shortage of resources. Thank you very much for the response, it means a lot in my early days of Linux.
@serpantinthewild 3 years ago
What is the purpose of adding a second user other than root? Does the root account not need an SSH key? Can we create SSH keys for the root user and second user on the same local system?
@AkamaiDeveloper 3 years ago
Since the root user, which has unlimited privileges, can execute any command - even one that could accidentally disrupt your server - It is recommended to limit access to root for security. More info on securing your server can be found here www.linode.com/docs/guides/securing-your-server/
@serpantinthewild 3 years ago
@AkamaiDeveloper Thank you :)
@mirorauhala 2 years ago
@AkamaiDeveloper What's the difference between a root user and a user you've given sudo access to? Doesn't the "normal" user have root access but through the sudo group? This seems like faulty logic to me. What was the vulnerability in the first place?
@AkamaiDeveloper 2 years ago
@mirorauhala The idea is that you grant privileges on a case by case basis with sudo, and every time you do an action with it you need to provide a password, or have authorized within a recent time frame. In a system with just one user, it doesn't have as big an impact as a system with many users, some with sudo access and some not. There is also a great explanation here: unix.stackexchange.com/questions/291454/difference-between-sudo-user-and-root-user
@hb9145 2 years ago
@AkamaiDeveloper You make no sense. Sudo is no better than root in a single user system. You have merely replaced a user with unlimited access with another, so how exactly is this hardening a server?
@911ruinedbrendanfraserscar5 3 years ago
I have been through every guide and cannot figure out why it's still prompting me for password entry. I'm accessing a Linode that runs on Ubuntu 18.04 LTS from my local device (laptop) using an Ubuntu 20.04 LTS terminal. I follow your steps exactly and it does not work. I follow your steps exactly + going into /etc/ssh/sshd_config and deleting "#" next to "PubKeyAuthentication yes" and deleting the "#" next to "PasswordAuthentication no" to enable the lines then save, exit, log back in and it still prompts me for a password. My starting user in my laptop terminal is @ so I enter ssh root@ and it prompts for password. Do I need to copy the public key to my local device as well?
@AkamaiDeveloper 3 years ago
You'll need to restart the sshd service in order for the new sshd_config changes to be applied. Try "sudo systemctl restart sshd" and you should be golden. Also, just in case - make sure you're editing /etc/ssh/sshd_config and not /etc/ssh/ssh_config. The latter is for your Linode's SSH client.
@911ruinedbrendanfraserscar5 3 years ago
@AkamaiDeveloper The restart command is coming back as not specific enough. I mean I read and save the lines afterwards then exit and log back in, isn't that the same result? I will make sure I'm editing the correct config file, I think that could have been a mistake on my part. Lastly I opened a support ticket and they recommended I make a secure key from my local device (Windows laptop) and copy the pub key onto my Linode, since that seems to be a central issue as well imo. Again when I'm logging in and getting pw prompt it is initially from my local Windows device name (i.e. logging in as ). Additionally, I can switch users from root and my sudo without pw prompt once I'm in. Does this sound like it could be another barrier? Also thank you so much!
@AkamaiDeveloper 3 years ago
@911ruinedbrendanfraserscar5 It sounds like you may have forgotten the "sudo" from the command we sent you. No, a user logging out and logging back in does not apply the changes to the server's sshd service. It is not the same as changing the shell environment. You can find some more info here: www.linode.com/docs/guides/securing-your-server/#ssh-daemon-options
@grandstreetW 1 year ago
@AkamaiDeveloper I get Failed to restart sshd.service: Unit sshd.service not found.
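Added example, not part of any comment above or of the video: a shell check for the two sshd_config pitfalls raised in this thread, a directive that is still commented out and a directive that is set twice. The sample file and the function names are constructed for illustration; Match blocks and Include files are not evaluated.

```bash
#!/usr/bin/env bash
# Added example (not from the video): audit sshd_config text for weak settings.

# effective_value FILE KEYWORD: print the value sshd would take from FILE.
# Keywords are case-insensitive, '#' lines are inactive, and the first active
# occurrence wins. Assumption: flat file; parsing stops at the first Match
# block and Include files are not followed.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# check FILE KEYWORD DEFAULT WANTED NOTE: report unless the effective value,
# or the OpenSSH default when the keyword is unset, equals WANTED.
check() {
    local v src=set
    v=$(effective_value "$1" "$2")
    [ -n "$v" ] || { v=$3; src=default; }
    [ "$v" = "$4" ] && return 0
    echo "$2 = $v ($src): $5"
    return 1
}

# audit_sshd FILE: print one line per finding; exit status = number of findings.
audit_sshd() {
    local f=$1 n=0
    check "$f" PermitRootLogin prohibit-password no "root can log in over SSH" || n=$((n + 1))
    check "$f" PasswordAuthentication yes no "password logins are still accepted" || n=$((n + 1))
    check "$f" PubkeyAuthentication yes yes "key logins are disabled" || n=$((n + 1))
    if [ -z "$(effective_value "$f" AllowUsers)" ]; then
        echo "AllowUsers unset: every account may attempt to log in"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: PermitRootLogin is still commented out, and
# PasswordAuthentication is set twice, so the first line (yes) is the one used.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers jay
EOF

audit_sshd "$sample"
echo "findings: $?"
```

On a live server, `sudo sshd -T` prints the configuration the daemon actually uses, Include files included. On Debian and Ubuntu the systemd unit is named `ssh`, so `sudo systemctl restart ssh` is the form to try when `sshd.service` is not found.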
@kamranibrahimov999 2 years ago
At 15:40, I am asked a password and then every time I get permission denied. Which password should I enter there? After multiple attempts, I get "Permission denied (publickey,password)" error.
@epochseven4197 2 years ago
Hello, did you ever find out the answer? ....because I am having the same issue as well.
@kamranibrahimov999 2 years ago
@epochseven4197 Yes, see, the person in the tutorial has the same username in VPS and laptop, but I had different usernames. So I had to specify my VPS username there. Instead of "ssh " I typed "ssh @" and it worked.
@epochseven4197 2 years ago
@kamranibrahimov999 Thank you. That part was confusing for me also because he used the same name for both the VPS and laptop.
@tubeDude48 2 years ago
I've never come across a Debian Distro that DIDN'T have "sudo" installed!
@zigorvlc 2 years ago
Still waiting to see how to prevent ssh login without certificate
@cokeforever 2 years ago
where's fail2ban? those machines are bruteforced 24/7, you need to add fail2ban in order to minimize traffic and resource usage on bruteforce attempts
@programadorweb8403 1 year ago
Firewall and fail2ban?
@timothychng7747 3 years ago
not a tutorial to get you to Sys Admin level, would like to see that
@bilich7651 3 years ago
Hi, I got a problem: when I try to access as you do at 15:40 I can't access, it asks me for a password, which I don't know. What's the password? ssh "ip address" "my user"@"linode-ip's password" I followed all your steps, what can I do?
@AkamaiDeveloper 3 years ago
When logged in as 'root', you will have the ability to change individual user passwords for your Linode. If you can't log in as root we recommend resetting the root password for your Linode: www.linode.com/docs/guides/reset-the-root-password-on-your-linode/
@Waferdicing 1 year ago
💕💗💟💙💜❤️💛💝
@sergiocoder 1 year ago
Man, why do you have to say "Linode" instead of "server" every time? I already know it's a Linode channel. Seems like some psychological marketing trick to program people into using Linode when they need a server in the future? lol
@ilearncode7365 2 years ago
They are pronounced "etsy" and "soo doo"? My life has been a lie. Also, why even within the same distro are there DIFFERENT instructions to do things? I've been using "apt upgrade -yes" to upgrade, but here it is "apt dist-upgrade". Also, useradd AND adduser? Is that an inside joke at Linux Inc?
@superuser8636 1 year ago
Avoid apt-get dist-upgrade unnecessarily as it can cause version mismatch incompatibilities between available updated software versions and kernel
@adminbird 1 year ago
If I’m not mistaken (I use arch btw so apt isn’t my forte), apt-get is the older package manager whereas apt is newer, but you can still use apt-get