Quick tips to improve Linux Security on your desktop, laptop, or server (hardening for beginners)

207,210 views

The Linux Experiment


00:00 Intro
00:56 Sponsor: Proton Mail
02:32 Software and updates
04:04 Services and SSH
06:38 User management
10:10 Physical Security
11:35 SELinux, AppArmor, and firewall
14:04 Parting Thoughts
15:15 Sponsor: Get a PC made to run Linux
16:30 Support the channel
Password complexity tips: www.networkworld.com/article/...
Tips to secure SSH: www.cyberciti.biz/tips/linux-...
The more software you have installed, the larger the attack surface of your Linux install. It's always good to review the installed applications and libraries and remove what you no longer use. You can also remove packages that nothing else depends on and that aren't used by anything.
On Debian or Ubuntu, for example, you can find these by running:
sudo apt autoremove
On a desktop, you probably already apply updates, or your distro has auto updates enabled. But on a server, it's easy to let things slide, and forget to log in regularly and make sure things are up to date. I'm guilty of that myself.
And just like with packages, libraries, and apps, you should also make sure you only run the services you actually use. You can list all services running with:
systemctl list-unit-files
To stop a service you don't need, you can run
systemctl stop SERVICE
To stop the service from starting with the system, you can run
systemctl disable SERVICE
If you're on a server, the general rule of thumb is also NOT to run a graphical desktop on it. It will often be much more secure to use SSH to log in to the server remotely.
But you might also need to secure SSH first. If you have multiple users, make sure only the ones who need it have SSH access. To do that, edit the /etc/ssh/sshd_config file and add a line with AllowUsers followed by the names of the users who should have SSH access.
Something that is useful in general, on a server or a desktop, is making sure all the user accounts are handled correctly. The first step is to disable root login.
If you decide to disable the root account, make sure at least one user has admin privileges, or you'll have a system with no way to run any task with sudo. Once you're certain everything is OK, you can use the following method:
Edit /etc/passwd and change the first line, replacing /bin/bash, or whatever other shell root currently logs into, with /sbin/nologin (or /usr/sbin/nologin, depending on the distro).
If you prefer, you can simply disable root login through SSH, so the account is still there if you want it locally, but remote attackers won't be able to log in as root. To do so, edit /etc/ssh/sshd_config, uncomment the PermitRootLogin line, and set its value to no. Restart SSH with systemctl restart sshd, and you're done.
To remove the ability to use USB, Thunderbolt or Firewire, add the following lines to their respective files (create the files if need be). To revert this, just remove the lines you added to those files.
Add install usb-storage /bin/true to /etc/modprobe.d/disable-usb-storage.conf
Add blacklist firewire-core to /etc/modprobe.d/firewire.conf
Add blacklist thunderbolt to /etc/modprobe.d/thunderbolt.conf
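
The script below is an added example, not part of the video or its description: a POSIX shell audit of the settings described above (AllowUsers, PermitRootLogin, root's login shell and the three modprobe rules). The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the video. Function names and the sample tree are
# constructed; pass a directory as $1 to audit it (use / for the live system).

# Value sshd would use for keyword $1 in file $2: sshd keeps the FIRST value
# it reads, keywords are case-insensitive, '#' lines are comments, and lines
# after a Match keyword are conditional, so the scan stops there. Include
# files are not followed; on a live host `sshd -T` prints the effective
# configuration.
sshd_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2" 2>/dev/null
}

# Login shell of the root entry in passwd-format file $1.
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1" 2>/dev/null
}

# Succeeds if a *.conf file in directory $1 has directive $2 for module $3.
# modprobe treats '-' and '_' in module names as the same character.
# Note: "blacklist" only stops automatic loading by alias, while
# "install MODULE /bin/true" also turns an explicit modprobe into a no-op.
modprobe_has() {
    cat "$1"/*.conf 2>/dev/null | awk -v d="$2" -v m="$3" '
        BEGIN { gsub(/-/, "_", m); rc = 1 }
        /^[ \t]*#/ { next }
        { n = $2; gsub(/-/, "_", n) }
        $1 == d && n == m { rc = 0 }
        END { exit rc }
    '
}

# Print one status line per tip for the tree rooted at $1.
# Returns 0 only if the SSH settings and all three module rules are in place.
audit() {
    root="${1%/}"; missing=0
    cfg="$root/etc/ssh/sshd_config"

    prl=$(sshd_value PermitRootLogin "$cfg")
    if [ "$prl" = "no" ]; then echo "ok      PermitRootLogin no"
    else echo "MISSING PermitRootLogin no (found: ${prl:-unset, sshd default applies})"; missing=1; fi

    users=$(sshd_value AllowUsers "$cfg")
    if [ -n "$users" ]; then echo "ok      AllowUsers $users"
    else echo "MISSING AllowUsers (no global list)"; missing=1; fi

    # Reported only: the description offers a nologin shell for root as an
    # alternative to PermitRootLogin no.
    echo "info    root shell: $(root_shell "$root/etc/passwd")"

    for rule in "install usb-storage" "blacklist firewire-core" "blacklist thunderbolt"; do
        if modprobe_has "$root/etc/modprobe.d" "${rule% *}" "${rule#* }"; then
            echo "ok      $rule"
        else echo "MISSING $rule"; missing=1; fi
    done
    return "$missing"
}

# Constructed sample tree containing the mistakes the checks should catch.
make_demo_tree() {
    mkdir -p "$1/etc/ssh" "$1/etc/modprobe.d"
    cat > "$1/etc/ssh/sshd_config" <<'EOF'
#PermitRootLogin no
PermitRootLogin prohibit-password
PermitRootLogin no
Match User backup
    AllowUsers backup
EOF
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/etc/passwd"
    echo 'install usb-storage /bin/true' > "$1/etc/modprobe.d/disable-usb-storage.conf"
    echo 'blacklist firewire_core' > "$1/etc/modprobe.d/firewire.conf"
}

# With an argument, audit that directory; otherwise audit the sample tree.
if [ $# -gt 0 ]; then audit "$1"; exit $?; fi
demo=$(mktemp -d) && make_demo_tree "$demo"
audit "$demo" || echo "=> some tips from the description are not applied"
rm -rf "$demo"
```

On the sample tree, PermitRootLogin is reported as missing because the first uncommented value wins over the later no, and AllowUsers is reported as missing because its only occurrence sits under a Match block.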

Comments: 645
@TheLinuxEXP 8 months ago
Try out Proton Mail, the secure email that protects your privacy: proton.me/mail/TheLinuxEXP
@1cool 8 months ago
Since switching to Linux a few months ago, Windows feels completely unusable and unstable.
@None17555 8 months ago
Updates can't break a Linux install huh? I guess my time spent with Manjaro was just some fever dream!
@ronjustron840 8 months ago
Well... you lost my trust very quickly. Proton Mail is NOT as secure as you lead on. They now track IP addresses and allow access to government agencies. Plus, you need an even more traceable email to tie it to in order to get an account. It's a bullshit smokescreen.
@gandir5720 8 months ago
@@None17555 The chance of breaking an update in linux is very small if you use a stable and well maintained distro like Debian. If you use Manjaro or Arch Linux well then it's mostly just a matter of time for it to happen.
@boymahina123 8 months ago
that moment when Proton Mail isn't nearly as private as you would think
@stevegraham5494 8 months ago
As usual, LE speaks the truth that others are afraid to say. Linux isn't bulletproof. Any OS is only as secure as the effort the admins put into it.
@TheLinuxEXP 8 months ago
Yep! It all depends on the distro and how much you’ve configured it to resist the threats you’re most afraid of!
@rallealyt 8 months ago
Isn't bulletproof, but Windows has much more holes and attack vectors. Windows is full of complexity due to legacy support and has closed code. When someone finds a vulnerability, sometimes it is exploited for quite some time before someone finds out. Linux is open source. People are constantly auditing the code for vulnerabilities and it's much quicker to find a vulnerability. So, yes, Linux is definitely more secure by default, but I agree that Windows is also more targeted. But remember that the vast majority of servers in the world are running Linux and those are the ones usually targeted by the most advanced hackers.
@SifatUllah-6666 8 months ago
@@rallealyt I'm a Windows user but the defaults in Windows are very bad for security and privacy. They may be fancy and cool and animated and convenient.....but they cause a security risk too. But I'm an advanced user, so virus or malware attacks on my machine have never happened.
@st0rmrider 8 months ago
Yeah, but he only realised it last week when he got sick by virus and (as reminded him) he still needs an antivirus... At least he is well now
@gabriellevesque2185 8 months ago
I mean, all the large-scale attacks on webservers are servers with linux behind, the applications installed are more likely to have vulnerabilities than the OS, I've never rly heard of any big websites running on Windows.
@augustinmuller6660 8 months ago
very interesting and a video about SElinux or firewall would be amazing
@TheLinuxEXP 8 months ago
Yeah, I really wanted to explore them more, but they definitely will need their own video, there’s a lot to talk about!
@stevenwinderlich2891 8 months ago
@@TheLinuxEXP Might wanna start off with SELinux vs AppArmor and what they're used for and where the differences, advantages and downsides are
@craigslist6988 8 months ago
@@TheLinuxEXP as a casual linux user wanting to find easy ways to run more securely, the most frustrating thing about security on any system (windows is worse obviously) is how fundamentally mixed up everything is at a low level, making it impossibly difficult to troubleshoot or make a security profile from simple, rational concepts. If you could make a video on how to get just deep enough into something, maybe like SELinux or Apparmor but not overwhelming... I would appreciate that a lot. An example of something I would love it if you made a video about is how I can most easily run insecure things securely. For example - I want to install an new notepad program, so I find one and install it. At a very basic level I know a few things, like when I'm not using it it shouldn't have any processes running. And it should never connect to a network, unless it's doing some cloud saving, for example. How can I easily manage security flip switches to turn those abilities on and off? Don't even give that process a sign there is a network card until I flip a switch? Same for executing in the background, writing to anything, etc. If that can be done in a video, I would be grateful and impressed. As for how... allow me to ramble on how I've found this impossible... Like trying to accomplish application container/sandbox style security.. I need to setup apparmor or SELinux... okay, maybe there's a GUI profile manager? Nope.. I haven't been able to find anything. And it seems intentional. For apparmor, supposedly easier to use but being less 'fundamentally' secure than SEL, had a GUI, premade profiles... but now all that is gone, they're all paywalled. A bad trend for linux recently. SELinux on the other hand just seems to be ideologically against GUIs and profile tools because you *must* understand / accept full responsibility for all the nuanced complexity it has, in which case you aren't going to be some GUI using slob, you'll obviously live and die by CLI.
It pains me I can't just install a new program I kind of trust but not fully and use linux to 'watch it' for abnormal behavior, because whenever anything uses any system services/resources they just "have access" or "don't have access". For a super common example - application specific network limitations and/or traffic monitoring / firewall is literally not a thing. It seems insane to me from a not-a-kernel-dev perspective that there is simply no fundamental way to watch / attribute all network traffic to specific processes. I get it that the way the architecture of the system is.. it's just hard or impossible to trace the source back into userspace from the kernel. But if you COULD simply monitor application traffic and behavior, profile 'normal' behavior, it would make it so easy to spot, or even automate spotting, abnormal / compromised process behavior. That would make malicious intrusion incredibly difficult, having to move around within other processes. Instead if you want to do that for network traffic you'll have to become an expert at ip/port/packet analysis to... make best guesses? Or start down the rabbit hole that is various tools to approximate this idea. I get that a fundamental problem arises from granular control (SELinux being the ultimate granularity) and config gets more and more complex as you get granular in a system with a complex web of interlocking parts... but I mean, why aren't basic, best practices and profiles easier to make? Get me an 80/20 profile. We know one of if not the most common attack vectors is a malicious or infected process, so why are the tools to control, isolate, and analyze process behavior so arcane? /rant
@ultravioletiris6241 1 month ago
@@stevenwinderlich2891 wrong channel
@lionking10222 1 month ago
@@TheLinuxEXP Would still love to see a dedicated firewall video from you. You explain things really good and easy to follow.
@alexk4894 8 months ago
IMO it's also worth paying attention to secure boot configuration, especially on laptops. Many distros do not implement initrd checking during boot, so attacker can easily modify it and intercept password for encrypted partition. To avoid this there's a thing called "unified kernel image", which combines kernel and initrd into a single file and adds SB digital signature. The main problem is that it is NOT configured out of the box on most systems. Canonical has plans to implement it in next Ubuntu release (thanks to systemd-ukify), so hopefully this will be changed in the future.
@Ryan-ct3rv 8 months ago
The way I see it, if someone has physical access to my system it's game over anyway.
@dirksesterhenn2432 8 months ago
@@Ryan-ct3rv This hasn't been the case for smartphones for over a decade, and the same approach can be adopted on the desktop.
@deepin2u 8 months ago
Great knowledge. Thanks for sharing.
@Sqaaakoi 8 months ago
I'd love to enable secure boot, but I also rely on being able to hibernate my device, which for some reason is disabled when secure boot is enabled as a part of the kernel lockdown afaik. I'm already using UKIs with dracut and systemd-boot, so I'm well prepared for hibernation and secure boot to be easy. For context I am running Debian Unstable, with a manually compiled updated dracut
@alexk4894 8 months ago
@@Sqaaakoi I'm not sure about your device (laptop, right?), but most modern laptops don't drain too much battery while in sleep mode, aka suspend-to-ram. Personally I use only this option and my laptop remains cold and charged for a long time. At least, more than 3 days. Also it does not require a big swap file/partition. I did a quick google search and seems like newer kernels should allow hibernation after adding "lockdown_hibernate=1" to a kernel cmdline. I did not test, but hope it helps
@danbuter 8 months ago
More security videos are always good!
@calabi-yau4894 8 months ago
Even an introduction to firewall configuration covering the most important points would be excellent!
@miguelangelvizuetmata555 8 months ago
Agreed.
@deepin2u 8 months ago
Yes please!
@IlIIllIlIlIIlIlIlIlIIl 1 month ago
exactly
@Monttukani 8 months ago
I'd love to have a noob understandable video about firewalld and selinux configuration for an average Steam gaming and internet browsing pc! Also Clamav on access scanning and/or commercial antivirus software for consumer desktops would be nice.
@deepin2u 8 months ago
❤ I second this as well. Make it so.
@quitequiet5281 2 days ago
Me too! 🤚
@fedora 8 months ago
Don't forget, every time you disable SELinux, you make Dan Walsh weep. Dan is a nice guy and he certainly doesn't deserve that.
@JonasLomp 8 months ago
11:00 with usbguard you can allow and block USB ports based on plugged in devices, so you can create a whitelist with your devices, and block anything else.
@Ghennesph 8 months ago
Updates are just as likely to break things on linux as well. currently, Linux 6.5.5 seems to produce segfaults in FIO with BTRFS, and Mesa 23.2 breaks HEVC and H264 encoding in OBS Studio, again, for now. The difference with updates in linux, is you can scrutinize each package, update individually, and find exactly what's causing the problems, and then not update that package until it's fixed. Timeshift and BTRFS subvolumes make this pretty quick and easy, vs System Restore and Windows Update, and use much less disk space for more restore points. Linux updates are not bug free, and you should always have a backup to fall back to before updating.
@graemewiebe2815 8 months ago
One thing I thought I should mention - although primarily effective for windows/Mac users, even just having an adblocker (uBlock Origin being my FOSS choice) can have a huge impact at web based attacks - not only malware, but web based tracking and information gathering.
@PainweedingPills 8 months ago
So much this. uBlock Origin is a must, back then i used to have Adblock Plus but that thing was a RAM hog.
@Rudxain 7 months ago
uBlock also supports disabling JS. Most dangerous browser vulnerabilities are because of JS (there's some HTML and CSS too). I use whitelist mode, so all websites are static, except for some domains where I need JS
@thedarcbird 1 day ago
UBO is my go to. I use it on both Firefox and Vivaldi. (I don't trust anything else.)
@joshmc5882 8 months ago
I like the defaults on Fedora, firewall on by default, selinux on by default, root login disabled by default, only official repositories enabled by default
@bigredlizerd 8 months ago
A video on AppArmor or SELinux would be very useful.
@MegaManNeo 8 months ago
I second that. Feel pretty secure with openSuSE's default but I too enjoy having secure machines.
@user-vv4dz9eo2p 8 months ago
A firewall video would be great!
@a-yon_n 8 months ago
It’s conflicting that by default, the firewall is turned off on most Linux desktops.
@craigslist6988 8 months ago
@@a-yon_n and it is that way because there aren't any really user friendly configuration/management tools. Which sucks but makes sense.. people went through all the trouble of writing the actual firewall code for free and now some normie wants them to do more work to dumb it down and make it easy for them to use? Leave it for someone else...
@manojcmenon 7 months ago
And the other topics like SELinux and AppArmor would also be great.
@FrankPhartzzz 3 months ago
@@craigslist6988 isn't the firewall gui on mint pretty straight forward even for noobs?
@muddyexport5639 8 months ago
Thanks! Good vid. Always interested in the security side for the user. Not so much for the server but never hurts to learn. You do a really good job of explaining "how to" and "why". Please continue...
@agooglygooglr 8 months ago
4:53 you can also do `sudo systemctl disable --now service` to disable a service and stop it at the same time. saves you from typing out a second command
@TheLinuxEXP 8 months ago
True!
@notNajimi 2 months ago
Oh sweet, ty for the tip lol
@muammar007 8 months ago
I have watched a security video where they also suggested ClamAV to regularly scan your system especially if you dual boot with Windows.
@TheLinuxEXP 8 months ago
That’s also a very good tip, yeah!
@20NewJourney23 5 days ago
@@TheLinuxEXP Sadly ClamAv gives false positives a LOT of the time. I won't use it anymore. It's a known problem.
@TheJackiMonster 8 months ago
Besides obvious things like applying security updates: I think most critical is that you have control over open ports. You don't want other people to get remote access to your system. So either close ports by disabling services or via firewall. For servers I recommend fail2ban as well. That bans IP addresses by amount of failed attempts which can prevent primitive DoS attacks by single attackers. Additionally you can improve internal security by dividing services and applications into containers, users and groups. So you don't run software with permissions they don't need or shouldn't have in general. Another thing for SSH: If your server is public, you should only allow access via public keys and disable root login as well. Otherwise people will brute-force it...
@felixjohnson3874 8 months ago
Fail2ban is much more about passwd brute forcing than DOS blocks
@rautamiekka 7 months ago
"either disabling services or via firewall". No, you don't do only either, you must do both (assuming the service ain't used).
@TheJackiMonster 7 months ago
@@rautamiekka What do you expect a firewall to do when there is no actual service running?
@odnankenobi 8 months ago
Love to see some security related content. It's such a confusing and noobie-unfriendly territory to get into when learning Linux, we need more videos like those. The firewall is specially important: it's the first line of defense past the Router, and it's frequently off by default. Full Disk encryption is also a must. For me, the most important thing to learn right now is to learn how to setup full disk encryption together with secure boot, and if possible along with the TPM (Trusted Platform Module) so I have the option of setting it up without entering the password every time I boot. Tips on troubleshooting it when making changes to the system (changing partitions, distro hopping without losing files) would also be welcome. I haven't been able to crack down linux security by myself yet. If this series does go on, maybe I'll finally be able to do it.
@lince4824 8 months ago
Having a TPM module is nice, software using it rare though. The more rare when the most needed.
@generic694 8 months ago
@@lince4824 In some sense you would want fewer pieces of software to use TPM, so its functionality can be kept minimal and stable. More usage = new requirements = new bugs.
@lince4824 8 months ago
@@generic694 it must be used WHERE it is needed and WHENEVER it is needed. If you store critical passwords in RAM to avoid using the TPM module that's a security hole, as it happened to a serious widely exploited to the own Microsoft Servers network, because they decided to keep that password in RAM. It didn't need any high tech tool or software to abuse it, just a crash report sent to the development team, which in fact happened to include that CRITICAL Microsoft Exchange password. Do you think it cannot happen in Linux? TPM must be used whenever it is needed, not more, NOT LESS
@AustinEschweiler 8 months ago
I think doing a video series on security is a great idea
@niksethi500 8 months ago
Finally, a useful video that actually helps enhancing the security side by side making linux use less resources.
@tomaszgasior772 8 months ago
If using Docker, don't add your user account into "docker" group, don't configure your OS to use "docker" and "docker-compose" commands without sudo.
@FunctionGermany 8 months ago
what security does this actually add? an attacker just needs my user's password to use sudo if they have an ssh session which i think is harder to obtain than the password.
@SirRFI 8 months ago
Can you elaborate why? Wouldn't running the entire docker as sudo make it even worse if the image/container was compromised? What about passing UID to the container, rather than making it run as root by default?
@tomaszgasior772 8 months ago
@@SirRFI Docker daemon (server) is always running as root. The only thing you can decide about is whether client software is running as root or not. Having docker command available in your command line without sudo is like having sudo without password. With reasonably simple docker run invocation you can modify host files of your OS which is very big security hole.
@memesfromtheforsakenworlwi9218 8 months ago
Would absolutely love a firewall tutorial
@Uchiha_Madara1224 8 months ago
Yes more tool and security video please especially SELinux & AppArmor
@StanislavBloshenko 8 months ago
I would appreciate some basics of firewalls. Thanks!
@TheLinuxEXP 8 months ago
Noted!
@terraflops 8 months ago
more of this please ! You answered my query i have been searching for
@claudemartins5094 8 months ago
Superb video as usual; videos about security are always instructive. Firewall configuration, AppArmor, SELinux, Kicksecure, Fail2ban, etc. would be topics that I think could help a lot of users. Keep it up
@leevi6026 8 months ago
One thing you really should have mentioned about securing SSH server is fail2ban, that reduces chance of getting bruteforced a lot and doesn't interfere with normal usage almost at all. Other than if you manage to typo password few times in a row you might have to login from some other IP address to unban your IP (or just wait until automatic unban after set unban time). Though I would suggest to tighten the settings a little bit from the defaults, which are too loose if you ask me. For example I think unban time is usually too low with the default settings. EDIT: After continuing the video I noticed you did mention faillock in later part of the video, but I think fail2ban is more useful for SSH because it blocks all access from that IP instead of "attacked user account". Both ways has something good and bad of course, but overall I prefer fail2ban because then you can have long unban time without yourself being blocked completely out of the system.
@deepin2u 8 months ago
Propper!!
@generic694 8 months ago
Just forbid password login and use key only.
@rautamiekka 7 months ago
@@generic694 Amen to that.
@timsoft3 8 months ago
Although there can be an emphasis on protecting your computer from outside attackers, which does require action, especially on servers, it is also worth mentioning that some security like drive encryption makes it harder to recover data, so for a number of people it is less secure having encrypted drives because they are more likely to lose their data due to forgetting passwords or hardware problems, than to some random person stealing their computer to look at their files.
@phonkyfeel1 8 days ago
Oh that is totally true. I’m an absolute goof and am being honest for the sake of agreeing with your posts’ accuracy.
@DamjanDimitrioski 8 months ago
Don't forget to have ssh jump host which adds additional security. And port randomizer both on jump host and real server. Good luck guessing: current IP for the SSH jump host (with random IP pool that you will have schedule for the next IP), and it's port, and the ssh port of the real server. That it doesn't matter if you have root or not. You can use different certificates for both jump host and real server. Each devop will have own account with least needed permissions and groups.
@alexk4894 8 months ago
Sometimes it's too painful to use random ports. Personally, I think that port knocking and limiting login attempts will be good enough in most cases
@bionborys1648 8 months ago
Yes, a selinux and firewall configuration video with solid fundamentals and some advanced tips would be great and pretty much unique in YT.
@AAAMGGG 8 months ago
Thanks for video. Regarding firewall, selinux and apparmor are good topics for future videos. I would add that firewall is more relevant topic, since I think it is sort of must have for desktop and server.
@TsvetoslavGeorgiev 6 months ago
Hi Nick, great video as always! I'd definitely love to see a more in-depth video on SELinux, AppArmor and Firewall!
@jolynele2587 8 months ago
i recently started dual-booting again (thanks pc games), and i have to say hardening on windows is relatively easy compared to linux. though i still believe i am the greatest security to my own device, it is great to know all of this just in case of a lapse of judgement.
@autohmae 8 months ago
On the basic level. Windows still has FAR more services running as SYSTEM user (higher privileges than Administrator) than on Linux as root user. That said, I think it would be great to have Linux further develop with running less things as root. And as you mentioned have better defaults, or make it easy to have a distribution package called hardening. A huge missing feature of Windows is proper container support. That said I think Linux containers are still behind on Solaris Zones security level.
@jolynele2587 8 months ago
@@autohmae containers are definitely a linux security perk. i agree that you can do more in depth hardening with linux. but windows gives you simpler options and intuitive defaults
@Sypaka 2 months ago
On my end, I am still trying to harden my Windows using Sandboxie and custom rules. And damn, I am still not done.
@Tinyindie 8 months ago
Thanks for the vid. I'd be interested in a firewall video!
@user-xu5bb6uf1n 5 months ago
the securing SSH tip was a big one for me as I am new to setting up SBC running lite weight apps that I only access through SSH. thanks for that.
@keylanoslokj1806 8 months ago
Can you please one day make a guide on how to make your own virtual VPN, without needing to buy a physical device? Thanks a lot!
@deletewindoze 8 months ago
I have security cameras going to a computer using FTP, and not all the images and videos would record. The camera company wanted me to disable the firewall, which I didn't like at all. What I found out is that you can allow all access through the UFW from only one other computer. I did this for each camera, and the problem went away. This is a very special case, but it allowed keeping the firewall up, while solving the problem.
@Slugbunny 8 months ago
The "in the process" pun had a pause just long enough for me to stop eating and give the phone a meaningful look from my lunch. 😏
@eDoc2020 8 months ago
Another thing you can do for hardening is renaming the root account, then anyone looking for root login will need to overcome another hurdle. The downside is it could get confusing and some scripts and programs might be hardcoded with the name, possibly causing more problems than it's worth.
@Rudxain 7 months ago
AFAIK, it's possible to login by user ID. root must always be 0. So even if the name is unknown, you can still login to user 0
@that_heretic 6 months ago
@@Rudxain This highlights the biggest issue. Educate yourself about how linux actually works. Then act accordingly. Misconceptions are what get people in trouble. Whether that's trusting something that shouldn't be trusted, or the example you give here.
@Rudxain 5 months ago
@@that_heretic exactly! ... wait, you mean I'm ignorant or OP is ignorant? I'm genuinely confused. I could be wrong about the UID
@joroc 5 months ago
Linux user have time
@patw1687 8 months ago
Sure. Any tips to protect my data and work is appreciated. It will also help explain why IT does the crazy things they do (sort of). Thanks Nick.
@Lampe2020 8 months ago
12:58 SELinux is also used on Android.
@kiankazem3846 8 months ago
PS the main reason root ssh is disabled in favor of sudo for Admins is that the attacker needs to also find their username
@TheLinuxEXP 8 months ago
Yep!
@RU-qv3jl 8 months ago
Great video and as I’m still learning I’m all for a video on firewall config and SELinux.
@WarkWarbly 8 months ago
Consider placing your web browsers into a container and using a watchdog on the browser. That way you can make a script that watches the browser and if anything goes wrong you can kill the container and delist any permissions and rm -rf the contents or the container itself. There's a performance and resource hit for this though. Good luck with KZfaq and similar sites, as they tend to run at 3/4 or less overall speed/response/however you want to call it.
@WarkWarbly 8 months ago
Also instead of selinux or app armor you may want to consider SNORT or Suricata. They all utilize a similar rules based method for partition to partition, app to app, system to network, and network to system management and logging. The only benefit of Suricata is that it can make use of GPU tech. So those with a dual/multi GPU setup can get a tiny performance boost. So if you're one of those with a dedicated GPU and a CPU with integrated graphics (Intel k series or AMD APU) you can run Suricata without too much of a system performance hit.
@Pang-nn4eq 7 months ago
Browsers are one of most secure softwares there can be on desktop OS. I fail to see how this adds anything. Containers aren't a security boundary. GPU processes, audio processes are all vectors for attack. And you do not contain those with a simple container.
@WarkWarbly 6 months ago
@@Pang-nn4eq Browsers are not as secure as you believe, and the container itself isn't the security, its the container **along with** snort or suricata- programs that behave as malware watchdogs. And yes, you can actually use a simple container for drivers- the Linux Kernel Virtual Machine (KVM) is one instance in where you would contain drivers, as each installation of the Linux distro of choice would be running in or as a container.
@Pang-nn4eq 6 months ago
@@WarkWarbly, browsers have dedicated security teams with people on payroll. A browser executes remote untrusted code. It's a miracle they don't pwn their users every day. Sure, some zero days existed and do exist.
@arnab0bhattacharya 8 months ago
I am very interested in a firewall and SELinux video
@thescrewfly 8 months ago
For the algae rhythm! Also, a firewall episode would be welcome.
@newmonengineering 7 months ago
Pass phrase, the key to having a great password. Use 2 or 3 word combos. Thanks, the video covers a lot. Great video.
@DeDean16 8 months ago
It'd be great to see some more security videos from you :)
@kramercanfield1742 7 months ago
Yes! I’d love to see another video on this please
@lapin_noir 8 months ago
Yes please! I would love to see a deeper dive into hardening Linux!
@false_positive 8 months ago
I have changed the default SSH port for security reasons; I also use "howdy" facial recognition tool to avoid entering password manually with every move
@MegaManNeo 8 months ago
Thanks for that always handy to have security PSA, Nick! Really should check my VPS again 😅
@MustafaDarwish1 4 months ago
Oh yeah, I would love to see videos on firewalls, you explain things in a good way.
@c8__ 8 months ago
You're the best Linux desktop channel in my opinion. I would really like a SELinux video from you.
@TheSast 8 months ago
There is also bubblewrap! It's used by flatpak under the hood.
@czfxw 8 months ago
Yes, please! Firewalls & SELinux videos!
@sebastian.tristan 5 months ago
Great tips. Thanks for taking the time and making this video.
@taylorkoepp3048 8 months ago
It's possible to turn on auto updates for security patches on servers, surprised this wasn't mentioned (it's one of the first things I do).
@CAZOlsen 8 months ago
Very interested in knowing how to set up security for different types of users, like beginners, or if I need to set it up for other users like family
@rocstar3000 8 months ago
It would be amazing to have a firewall config video
@SirRFI 8 months ago
I expected a Safing Portmaster sponsor spot for a video like this, meanwhile it wasn't even shown as a firewall or something. Anyway, + for a firewall or SELinux/AppArmor video. Likewise, I would like to see a video on backups (preferably not online ones) and password managers.
@vicstoron 8 months ago
a video on Linux firewalls would be great! please consider doing so in the future
@evaneesiko8097 8 months ago
Finally a video on security I can follow....more please👍
@cromfrein5834 8 months ago
Firewall configuration would be pretty interesting to see!
@sami-nn9fg 7 months ago
I recommend adding one-time passcode step for the SSH login. That way, even if someone ever steals your password, they still won't be able to log in.
@Xankill3r 8 months ago
What do you think of Portmaster on the firewall front? Of course Portmaster is more than just a firewall but it can be used exclusively for that role alone. I'm using it on my Windows 10 machine and it has been working great. My Linux machine is PopOS unfortunately and Portmaster causes the login screen to not work if it's allowed to launch at startup.
@JamesSiverFox 8 months ago
Thank you for this info, I'm a Linux Noob so I'm still learning. Most of this is over my head, but once I learn more I'll hopefully be able to use this lol.
@echovoid258 8 months ago
Yes, I would like to see another video going more in-depth.
@lovekushkumar6222 8 months ago
Make a video on SELinux and AppArmor configuration and how to add or remove policy 😊
@fotografm 1 month ago
Which backup program do you recommend? I am having problems finding one that works for Ubuntu (Timeshift is not working). Which one did you show in the video? Thanks
@ukaszpalczewski7588 8 months ago
Nice to know! Thx for the ep :)
@hermean 8 months ago
I definitely would appreciate a firewall config video, and another on SELinux and AppArmor
@fram1111 6 months ago
Great stuff, and do a video on security settings and all the little ins and outs. Just like your normal videos, and if needed maybe beginner/advanced videos.
@cchutney348 8 months ago
I know this is not necessarily a very hardcore, into the miserable details kind of channel, but I would love some deep dives on this topic!
@rodfer5406 8 months ago
Yes, please do all security videos. Thanks.
@robertheinrich2994 8 months ago
there is of course one option to keep it really secure. don't have just one machine for everything. we all access websites that are less than optimally trustworthy. some are somewhat shady. and we all have an old laptop or PC sitting around, not fast enough for everyday use, but still quite good (especially with linux, since there are linux distros out there that are pretty light on the computer). just have one machine with high security dedicated for online banking, email etc. and your main PC is for everything else. even a VM is helpful and better than nothing. a lot of malware just goes the easy route and scans for passwords and logins to the really important stuff. oh, and that machine you dedicated to the most important tasks? just keep it turned off. it's hard to hack a computer that is physically without power.
@craigslist6988 8 months ago
I use an expanded version of this idea.. buy 4x (or find them lying around, like that old laptop) flash drives. You can run a live distro on each drive, completely separated operating systems. Even 16GB is enough to run the basics, GUI, web browsing and all the other basic apps.. 32GB is much more comfortable for Firefox's crappy memory leaks. 128GB you'll never run into a space issue if you just use external storage for large downloads. These drives are < 20$ now, fairly small price to pay. What I wish is that they had something I could 'hot swap' between these OSs.. like VMs, but without emulation losses. You can hibernate and swap to estimate that behavior though... if you can get hibernation working (need more space also, 128GB is plenty for it).
@robertheinrich2994 8 months ago
@@craigslist6988 oh yes. the most insane variant of using old laptops was from around 20 years ago. knew a guy who bought a bunch of old laptops from his employer just for surfing in somewhat risky situations. to be more precise: he loved surfing in the internet while being on an air mattress. sometimes, a laptop met the bottom of his pool. no problem, he took the next laptop from the stack of laptops he had.
@SakkakuTamashi 8 months ago
Little tip on systemctl: if you do systemctl disable service-name --now it stops and disables with the same command
@jcugnoni 8 months ago
Excellent video. Really useful. We always tend to forget good practices ...
@radekcrlik5060 8 months ago
Good tips. I guess every user should know at least a little bit about security these days. Regarding full disc encryption, it is a good choice. Unfortunately, it is a pain in the ass to set up during installation for most of the distros I tried especially if you want to have multiple partitions. I see this as an area for improvement in Linux :)
@gregmurdoch3264 8 months ago
The problem with Linux is the user base, not the software. You can lock down Linux tighter than a nun's nasty, and you can achieve bulletproof (nearly) tin foil hat status, but, you need to know how, and that's where 9x% of people get in trouble. I've run dozens, maybe in the lower 100 counts of Linux servers, and the number of times I've seen an “experienced IT professional” do something that causes a head smack to crack your skull is countless.
My list of stuff to check as a first pass. This won't bulletproof the tin foil, but it will shine. (Nick brought some of these up)
1. The first biggest issue, by far, is having permissive sudo settings! -DO NOT GIVE EVERYONE SUDO ACCESS.
2. The second-biggest issue, by far, is having permissive sudo settings! -DO NOT GIVE EVERYONE SUDO ACCESS.
3. The third-biggest issue, by far, is having permissive sudo settings! -DO NOT GIVE EVERYONE SUDO ACCESS.
4. Lock down SSH, and DO NOT change the port. Changing the port is not going to help you. If you're at the point that moving from 22 to 9022 is going to polish the top of your security walking stick, then fine, but if that's the case you're also going to agree it's usually pointless.
5. Lock down user accounts. Make sure user accounts are properly controlled, groups are reviewed, password policies are in effect, and review system permissions.
6. Use SELinux or another security framework, if SELinux is fighting you, in 9X% of cases, you've done something wrong.
7. Use IPTables, BPF Tables, and other tools to build the proper routing settings!
8. Sweep for kernel modules!
9. Manage keys correctly, don't have users with a single SSH key that use the same key on everything. 1 key = 1 service.
10. Use multifactor authentication. You are NOT too busy to have additional factors, PERIOD!
11. Monitor, Monitor, Monitor, oh and make sure you monitor. All logs should be sent to a remote server.
12. (Nick brought this up), remove the stupid GUI! It's a server, learn to use it.
13. Use VMs for isolation.
14. Disable services you don't need, and close ports that shouldn't be open.
15. If you use an email server, FULLY ISOLATE IT. Seriously! Do not install an email server with other services.
If you follow these points, you'll be at least in a good default state, from there have fun polishing the tin foil even more.
@TheLinuxEXP 8 months ago
Good tips, thanks!
@lince4824 8 months ago
You're very wrong. I stopped reading at paragraph 2. Tin foil hat please, just kidding, but you're very very wrong. You are right that most people, experts and admins will make a barely secure system much much more insecure on the first day though.
@gregmurdoch3264 8 months ago
@@lince4824 What do you feel I got wrong and why? I don't mind disagreement, but I really don't see much wrong with my list as a basic first pass. Keep in mind you can do much more, and should. Oh, and the #1 thing admins do, usually by accident or because they're busy, give everyone sudo, and sudo ALL=ALL. Actually, in a lot of cases I recommend removing sudo, it's a very powerful tool, and you almost certainly don't actually need it.
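The permissive sudo grants this thread warns about (everyone in sudo, "ALL=ALL") can be found with a short audit of the sudoers rules. This is an added example, not from the video or from any commenter; the sample sudoers content is constructed, and the parser handles only plain user/group rules, not aliases or included files.

```python
import re

# Constructed sample sudoers content for illustration (not from the page).
SAMPLE_SUDOERS = r"""
Defaults  env_reset
root      ALL=(ALL:ALL) ALL
%wheel    ALL=(ALL) ALL
alice     ALL=(ALL) NOPASSWD: ALL
ALL       ALL=(ALL) ALL
bob       web01=(root) /usr/bin/systemctl restart nginx, \
          /usr/bin/systemctl reload nginx
"""

RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
SKIP = ("#", "@include", "Defaults", "User_Alias", "Runas_Alias",
        "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Join backslash-continued lines, which sudoers allows."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""

def audit(text):
    """Return (who, finding) pairs for grants broader than a scoped rule."""
    findings = []
    for line in logical_lines(text):
        m = None if not line or line.startswith(SKIP) else RULE.match(line)
        if not m:
            continue
        who, _host, _runas, spec = m.groups()
        # Separate tags such as NOPASSWD: from the comma-separated commands.
        tags = re.findall(r"\b([A-Z_]+):", spec)
        cmds = [c.strip() for c in re.sub(r"\b[A-Z_]+:\s*", "", spec).split(",")]
        if who == "ALL":
            findings.append((who, "rule applies to every user"))
        if "ALL" in cmds and who != "root":
            findings.append((who, "may run any command"))
        if "NOPASSWD" in tags:
            findings.append((who, "no password required"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_SUDOERS), sep="\n")
```

The scoped rule for bob produces no finding, while the group rule is reported so that its membership gets reviewed.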
@UndoEverything 8 months ago
Thanks. I really need this episode.
@TheLinuxEXP 8 months ago
You’re welcome!
@Aquis7 8 months ago
Thanks for this I enjoyed it. Yes I am a fedora user so would love a SELinux vid!
@JoeBlow69938 8 months ago
I'd very much like to see a deeper dive into UFW or other firewalls.
@JBlask 7 months ago
I would like to see a video on firewalld, backup software, and logging software/logging analysis software. Thanks.
@nathanandrinoid7569 7 months ago
I was researching a system call restriction of an installed service. I eventually figured it out in the service config permissions, but I had AppArmor installed, and it seems like they had some overlap. I would love a video to teach more about both and if they do overlap.
@First_Grafter 8 months ago
I'd love a firewall video! I do turn mine on but never really know how it works 😅
@TechWaltMD 7 months ago
Great content. You might mention boot hardware keys if there is a part 2
@suki4410 7 months ago
Very good tips! Thanks!
@macloricott13 8 months ago
Nice video. Please, more of this stuff!
@burnin8orable 8 months ago
I'm interested in seeing a video on SELinux.
@user-mf2lo1ws8i 8 months ago
That's what I love to use/build minimal/Small Linux distributions. And "at your own risk". :)
@CTimmerman 8 months ago
On GNU/Linux updates can also break features like your auto-fullscreen Chrome kiosk Ubuntu with some task bar iirc.
@shabang71 8 months ago
Hi Nick. I think many people would like to know how to set up firewalls and SELinux/AppArmor for a generic use case
@YannMetalhead 8 months ago
I would love a video about the more complex themes like firewall.
@fugoogle_was_already_taken 8 months ago
On servers, you also should deny remote root logins and escalate if you need root privileges
@johanb.7869 8 months ago
Lynis auditing tool. It scans your system and shows options on how to harden your system after it's finished. Needs to run as root.
@ronm6585 8 months ago
Thank you.
@guildpilotone 8 months ago
I would like to see a firewall setup video.
@herozero777 3 months ago
I'd also like to see a video on how to configure a firewall. :) And thanks for this great video as well.
@alexandrubossro 7 months ago
Is allowing only the local network to connect to SSH, and configuring the firewall so that only the used ports, like 80, are allowed outside of localhost, a solution?