Another good one ia to make the oxygen really sparse. Since hackers wear masks aswell, you're gonna make it really hard for them to breathe

@@airdog46x *laughs in covid*

Create a speech-to-text daemon that logs every time it hears the words "mainframe" or "I'm in"

lol

There is thermo-underwear for girls ... no one can guess that you are invulnerable in the 850nm spectrum from far away!

It's the security variant of: "do not blindly copy&paste code from stackoverflow"

I think this could be generalized to advice in general "Don't take advice as the unquestionable truth -- always dig deep to know why... but listen to your Mom"

The same advice can be applied to anything in life

I feel like I need to dig deeper to know why you liked the advice...

But why should I follow that advice? ;)

I was about to write the same thing: it really comes down to how one uses a server and how consistent they are with getting configuration right. On one hand a firewall can definitely help protect from misconfigured services, but, on the other hand, it can lead to an admin being lazy because "I have a firewall". If there is nothing running, there is nothing to break and/or attack.

In the machine i use for www and dns i have a toon of stuff and it is binded to 0.0.0.0 so is good for me, and is the ssh keys a good idea to not force the use of them?

@@raxxer1234 I get it what you're saying, but the example was about "securing a Linux server", i.e. one machine with firewall and server software on it. In that case, if one is careful about what they install and how they configure it, then having a firewall or not makes little difference in terms of actual security (as demonstrated by holes in the two paper sheets): in order to provide the (publicly accessible) services, one would have to open the same ports on the firewall anyways. When a firewall comes in handy is when it is run separately (like you were mentioning) or if one wants to test lots of software without caring about proper configuration (but I'd say that that's not a good way to do things on a publicly accessible machine).

Please fix your discord

@@tHe0nLyNeXuS I definitely agree. While I wouldn't go as far as to say that closing ports on a firewall is "snake oil," I would say that its often advertised as something you "must do." I think of it more as a safety net when you're walking a tightrope--I'm glad its there, but I really really really don't want to have to test the effectiveness of the safety net.

The best example of security by obscurity that I can think of is GSM. That too is being broken piece by piece by open source initiative such as osmocomm

Exactly. Especially if you know you have a disproportionate number of skids targeting your site, changing as many ports as possible away from default can help a lot. Plus, doesn't it just feel nice to have the page for your IP on shodan be as short as possible?

30 years in tech, 15+ in infosec, it is in fact “security through absurdity”. Why are we in security? To reduce risk. It’s not all that complex.

@@bruhdabones that’s why you perform a threat assessment BEFORE building, who is targeting you, what are the more common TTP’s they use and how can you mitigate those to reduce risk.

I do use the "security by obscurity" thing, since I did find it to be successful overall with SSH bots. On port 22 I run EndleSSH, which for the ones who don't know it's an SSH tarpit. Before running EndleSSH, i did have my SSH server on port 22 and I remember in the system log that every 30 minutes, some random bot would try to bruteforce the login. I kinda got tired of seeing that, so I decided to add EndleSSH on port 22 and then hide my SSH port, and so far, none of the bots have even tried looking for that hidden SSH port.

Look at THAT! They MATCH! lol

I am curious. Doesn't that firewall analogy counter the argument of not changing SSH port?

​@@patrickgrady7505 how would it? The SSH port would have to be open for you to connect there anyways. People change the ssh port to avoid automated exploits against ssh or password brute forcing.

@@skyracer-mk8hg sorry I am new to this because I am trying to make a web server from my raspberry pi. Say I change the ssh port and use the firewall analogy, would the holes still match? Appreciate your feedback btw. I am probably just overly paranoid about protecting my stuff.

@@blankeyezero certain meme materials 🤭

Disabling direct root login does add an extra layer of security. It basically doesn't allow an external attacker to directly attack the root account via brute force or key compromise. In order to achieve root access, attacker would first have to compromise a normal user and then target root access. So I think there is definitely some aspect of security to it.

"Using sudo gives you a bit of time to think about what you're doing as well." - Not if you sudo'd already within your last timeout period.

@@ThisIsTheInternet or if you run sudo -i then you basically just have a root shell and will never be prompted for a password again until you exit it

When running commands as a normal user without sudo, it will tell you that you don't have the privilege to run that command. That is an alert and another chance for you to revise your command. Even when you type sudo ahead of time, just it being there means you're running something as "root" which creates a little bit of awareness in you. Also, running sudo will be always logged and you can view who ran commands as "root".

If you're not a complete moron, you should have no issues running as root (with SSH keys of course)

It's not the same though. You get different output in port scanners when scanning a blocked port or an open port just with no service listening on it. A server without any firewall may be more interesting for those "automated" scanners and script kiddies and hobby hackers and else. I mean, I did laugh hard as well though. Not wanna imply questioning "assumed best practices" is a bad thing and yes, from a pure security perspective, there is no real difference within the security of that port, whether a firewall is blocking "nothing" or the port listening on "nothing". My point is, often it's not only about direct security issues. The appearance of a server may also be factor. If you knock on someones door, the way how the door is build may make it more or less attractive to kick the door open ;)

@@rantanplan178 also don’t forget if you later opened something by installing an app that does that Hence you would love to mange a firewall

@@ko-Daegu Not sure if I get your point. "if you later opened something by installing an app that does that " - by installing an app that does that? Does what? You mean installing an app you don't know and that app likes to phone home without you knowing about this "phoning home" feature?

@@rantanplan178 No I mean the module I’m using opens or uses Venetian ports I would like to stay alerted 24/7 by firewall and I control what port the app opens Instead of assuming that my app only work with certain port maybe my app does but some liberate module or other integrated app doesn’t or have the capability that can be leveraged My English is shit never mind

@@ko-Daegu Nah your english is fine. As long as we understand each other, it's good enough. What is a "venetian port"? I don't think I've heard this term before. Anyways, I think we were both talking about the same thing. You talk about software you aren't sure what network activities it may execute. Well, in general I'd say don't use software you aren't sure what it's doing, especially not in production environments. However, there is our beloved Windoze or other proprietary software and you may not want to give them your entire network to play with. Therefore yes, using a whitelisting strategy on your network filters is certainly a good idea.

This one should always be a recommendation. Deny by default and operate on a minimal trust model. You reduce your attack surface substantially

Yep. This guy seems to have basically no clue about the concept of defense in depth.

Lol. Why is the BSI mailing you ?

I'm a sysadmin as well and totally agree. Hate working with people who just do something without thinking why they're doing it or why it's done that way, even if they're doing everything correctly!

What do you recommend I dig deeper in if I want to make a server really secure. My background is not IT but rather hardware and software engineering, nevertheless, I'm really interested in knowing how to run my own home server. I don't need military-grade security but I definitely like to learn how to make it very secure. Particularly, if setting an user and giving it root privileges doesn't do anything, what's the best way of accessing my server?

More like every subject

@@m4l490n I'd start on the basic security of the web site itself, as that is rather easy to do and if you're a software programmer, probably also easier in itself. Parameterized queries takes away any attack surface through user inputs on SQL for example.

@@m4l490n Start out by using external hosting first and let them take care of server security, then focus mainly on the web site security (and do a lot of logging). When you're confident, you can move on to setting up your own server.

Yeah that is what I though as well. Makes them guess 2 values instead of 1. And then the adding that user to sudo doesn't feel so strange.

The same also goes for disabling password authentication on SSH in my opinion - almost nobody is out there brute forcing SSH keys, they rather focus on passwords

That's mostly irrelevant if you have a strong password. If your password somehow leaks, your username most likely will too

@@kinibini2133 that's the whole purpose of keys. Making brute force harder or practically impossible

I was looking if someone made this comment as I was thinking the same thing.

What's DS-Lite?

@@spacewolfjr It's the thing providers do nowadays to assign you a shared IPv4. But sadly, port forwarding is not possible through it, and sometimes it just randomly doesn't work. IPv6, on the other hand, is redirected directly to the outside internet. No need to forward ports, your machine is directly accessible.

@@NoNameBAM Ahh, interesting, I luckily don't have that issue with my ISP... yet

My home ISP assigns me both ipv4 and ipv6. Pretty sure NAT is still possible, even if you are ipv6 only.

@@NoNameBAM that's strongly abridged.

Agreed, some time ago I had an SSH server exposed on the default port (was a temporary thing because i'm lazy) and sshd logs were full of failed requests, probably in the thousands of requests each day

Yeah that's the only reason I do this.

I think it is a good reason to do so. The whole point of the video is : "Think about why you do it". For a hacker who tries manually, changing port does not close the attack window. Of course it allows blocking bot requests and script kiddies, and reduce unwanted bandwidth use.

Or, better yet, just drop traffic from unknown addresses :) ips does wonders kids

@@GlutesEnjoyer or better use ipv6 like he mentioned in video 😂 lol

Also helps to keep the logs cleaner if you kept auth logs enabled :)

😂😂

Well, technically that would be a "first line" of defense ;)

I feel this video discredits the principle of defense in depth in some ways.

Couldn't agree more!

@@fr0mage it's only his opinion, a couple hours of research won't make any youtuber a security expert lol. He completely ignored any risk assessment. The so called "snake oil" practice will protect your server from nearly all 0day bugs from automated attacks and so on.

What do you call it when your first line of defense is your last line of defence? Other than vulnerable to salami tactics

1. SSH Keys aren't 2FA, Yes you can password protect them but it is not required. 2. anybody can cat /etc/passwd and see all the user accounts that exist. As Liveoverflow mentioned, somebody can always just modify the bashrc file to execute whatever malicious command they want as root.

Yes fail2ban is effective specially if configured manually and perfectly but the problem most of the time due to its memory consumption issue.

Imagine what would happen of your server provider would give you an insecure by default server 🙃

@@LiveOverflow It wouldn't be yours for long!

I have an unhackable device; a brick.

Even better, stick the private key on an external air-gapped device like a smartcard, or use U2F-based authentication for SSH, like YubiKey. The trouble with using SSH private keys that are stored on your main work device is that _that_ device may become compromised without you knowing, and then you're back to square one.

@@JivanPal But then we go to physical hacking where basically all bets are off right, someone could take your drives or installs a key logger. It's about someone somewhere trying to remote in where you don't have cameras and a guard dog.

@@Stoney_Eagle, not sure how you come to that conclusion. If your private key is on your laptop, malware from the internet is a threat. If your key is on a smartcard or you use U2F via YubiKey or similar, there is no threat unless someone takes that external device. In the first scenario, a _file_ is your second factor. In the second scenario, a _physical object_ is your second factor. The whole point of 2FA is that the second factor ought to be something you physically possess, not something that can be acquired remotely.

@@Stoney_Eagle "all bets are off" - i guess physical security isn't a thing?

Fun fact: Ssh keys can have a password Soo it is semi-auto authentication

And attacker have to guess the username, not just use the default root.. still... i will keep using root with key.. lol

@@frumbert non-root users using sudo makes access management easier when you have multiple people who need to manage that system. When one person leaves the team, you shut down their account and you don't have to change passwords and distribute the new password to everyone who needs to know.

I laughed at this too! That was soo funny

Fail2ban with permanent block. Good luck bruteforcing.

@@ChadReitsma but then how does the user login what if a bot locks them out 100 times a day it just doesn’t work

@@AnonYmous-spyonmepls Fail2Ban normaly only bans the IP Address from where the login attempts were made, you can still just login and ues your server normally.

@@alexandramiller4011 then build in a script that switches between VPNs after you get locked out still doesn’t solve anything tbh

@@AnonYmous-spyonmepls you'd have to try use invalid SSH keys or Passwords to get locked out/banned. if a attacker attacks your server HIS ip address will be banned, not yours.

You can filter out this patterns from logs, when it is not just passing by botnets and when, for example, somebody trying each password only once and then filter out groups of IP. But i think you need this information only if you have some kind of honeypot, i don't know why you need this if you just want working server :)

I believe he has a video or two where he said something like 'steganography is fun but in a CTF challenge it does not add any value in terms of real-life learning experience'. Figuring out a stegano-hidden payload or flag is - in my opinion - comes down to: - solvable with one of the two most common tools because the technique is among the several 'known' or popular ones; - impossible if the method is well-designed; - doable by finding the code that does the steganography (hide or unhide part), but, in this case, it is a reverse engineering challenge really - which is fun on its own.

And I am now a subscriber!!

A firewall rule to limit the rate at which they can try passwords is a good thing to shut the bots up. I use a rule that allows only four connection attempts from an IP address in any one minute period and that seems to deter them quite effectively. I also use PKI and have disabled the root user and if they never even get an option to enter a password, that slows them down very effectively.

@@dingokidneys But basically, all of that trouble goes away when you just change ports. I never had any "1 million log-in attempts made since last time you logged in" since I started changing ports. I don't relly on it as some security measure, it's just annoyance removing measure.

Because every line of log is written immediately with no caching in place, as everyone surely knows. fail2ban is good, but not because of io operations.

@@TheBrassn Yup, forgot to mention that logs need to be written without caching. Also I didn't say it's the only reason to use fail2ban

But this doesn’t add extra security in any means. That’s the scope of the video

It might be possible to use fail2ban to redirect the attacker ip to a tarpit on a different port after a number of failed attempts. That would be fun...

Keys are way more convenient than a really good strong password, and they are more secure provided you protect your Private key files properly.

You got any good resources on this? I'd love to try this out.

He showed you in the video one way you can bypass the sudo password requirement for an exploit.

Yes but no. If you set a strong password or use a SSH key, chances are they got in through a service. This would still require the password to be discovered or for priv esc to occur which is fairly trivial.

How? Do you have program that react to port scanning from one ip address?

@@astronomos826 yeah, most router firewalls have that feature...

@@zyansheep what about detecting the failed password attempts instead of wrong ports? :D

@@ChillerDragon well, i might type in my password wrong...

Most likely just preference? Zero can be pronounced as "ou" (not specific to this context) and I guess it just flows better in speech that way.

@@niter43 nah, apparently you can call it whatever you want, really. Some even says it "ohdays". ¯\_(ツ)_/¯ Many official publications from the reputable sources though still calls it Zero-day (0day).

And look at that! THey MAtch! lol

but then what would even happen when u connect to them..

@@LiEnby everything blows up

i created fake sql errors on my site xD

You mean installing services without knowing what are you doing? Because that's how you inadvertedly open ports. Firewall is useful, but not because of that. Useful, because you may have multiple networks, eg. VPN access, multiple physical subnets, etc. and you want to control which service should be available from where. But securing a server is not magically happen by putting a firewall in front of it. You don't have to secure "the server", you have to secure the SERVICES! All of them! Read their manuals, thoroughly examine and understand their configuration files, etc. It may sound a phylosofical nitpicking, but it is not. When you configure your services securely, all of them rely on some sort of authentication and encryption, then even when you inadvertedly have it opened in firewall, it still remains secure. The firewall just adds additional protection. On the other hand, when you just hide your sketchy services with gaping holes in them with a firewall, then as soon as someone manages to get into the "insider" network somehow, through some weak point (eg. a workstation), then everything is fucked.

The confusion could also be related to jesus age

To address that "password" vs. "ssh key" question: Even your "secure" password: is it more than a thousand characters long? And are those characters random-looking and unguessable? Your ssh private key is. Yes, sure, your key might get lost when your private machine gets compromised. But when your password gets more than a hundred characters long, you will write it down in some file, and there you are again at the same problem.