10 Tips for Hardening your Linux Servers

Hello again everyone, and welcome back to Learn Linux TV. Today I am launching a brand new series on my channel, Enterprise Linux Security, and in this series I'm going to talk about, well, enterprise Linux security. This is a series that I've been wanting to launch for quite a while, and today's the day. This is episode number one, and in this video I'm going to go over 10 tips for hardening your Linux servers. Now, some of you out there that are more seasoned when it comes to security than others, you might feel that some of the tips that I'm giving you in this video are a little, well, entry level, and that's not completely untrue. This is episode number one and we do have to start from somewhere, but I really do feel that the tips that I'm going to give you in this video are the most important things to focus your attention on when it comes to hardening your Linux servers.

Now, before we get into it, I want to take a moment to mention the sponsor for this video, KernelCare. Keeping servers safe, compliant, and ensuring constant uptime is a full-time job, one that can't be left to chance, and one that must be fully automated and fully supported. To do that you need a live patching tool that integrates with automation tools and vulnerability scanners, is supported with the latest patches, lets you decide which patches are rolled out across your organization, and runs within your firewall. KernelCare Enterprise does this. It provides you with more integration, support, and control. It works in your local infrastructure via ePortal, a dedicated patch server that runs internally but outside your firewall; it acts as a bridge between internal patch servers and the main KernelCare patch server. This approach is ideal for staging and production environments that need strict isolation from external networks or require more stringent controls over the patches that are to be applied. KernelCare Enterprise is available for all major Linux distributions and includes priority support 24x7 via live chat, email, or ticket system. Check out KernelCare Enterprise via the URL that's on the screen right now, or click the link that's in the description. And thank you so much to KernelCare for sponsoring this video as well as many other videos on this channel; I really appreciate it.

Now let's get into my list of 10 things that you can do to harden your Linux servers.

Now, when it comes to my first tip, this is not actually a system tweak or a system change or anything like that; it's all about your mindset. Now, for all I know you could be a system administrator, you could be a security professional, or you might even be a CTO. Either way, it's very important to understand what an appropriate mindset is when it comes to the security of your servers. So what do I mean by that? The thing is, it's important to understand what is feasible and infeasible when it comes to the security of your servers. Namely, is it possible to have a completely unhackable server that nobody can break into, that is completely bulletproof? Well, yeah, absolutely, you could definitely set up a server that is unhackable. Basically, you just put that server under your desk, you don't power it on, and you certainly don't connect a network cable to it, and I guarantee you nobody's going to hack it. But we need to be realistic. A lot of companies out there, maybe even yours, make money by selling things to the public or providing a service to the public, which requires a public-facing server. And the thing is, there's all kinds of vulnerabilities out there that are being leveraged every day, and new ones are discovered every single day, so you could be the victim of a vulnerability that hasn't even been publicly disclosed yet. If you follow every tip in this video you should be relatively fine, but you want to adjust your mindset. You don't want to have the mentality that you are going to be creating perfect servers that cannot be hacked, or that you have just hired this awesome security person and now all your worries are just, you know, not worries anymore. You can't have that mindset. You have to have the mindset that anything is possible and you need to be ready for it at all times. Now, I'm not trying to scare you. Well, actually, am I not trying to scare you? Well, I kind of am. But the reality of the situation is, if you follow everything in this video, like I mentioned, you should be good, but you should always be prepared for what could happen.

For number two on my list, I really do think that this is going to be one of those things that's going to be painfully obvious to the majority of you guys that are watching this video, but I don't think I can create a security series, especially not an introduction to a security series, and not mention the importance of patching. Now the thing is, if patching is so obvious, then why do so many companies out there do a terrible job of keeping their servers up to date? I mean, it's almost appalling to me at this point. I've had so many companies out there that I have worked with personally where, when I tell them "you need to patch your servers, there's something critical that is basically going around right now," the response I'll get is, "yeah, maybe next month. I don't think we can do that right now; we have this really important release we've got to get out the door, but I think things should slow down in a month or so and maybe we'll have you patch your servers then." And then a week later: "oh my god, we got hacked, what do we do, how did this happen?" It's obvious how this happened: you didn't take security patching seriously, and now you've been owned by one of the vulnerabilities that one of those patches would have protected you from. And I get it, rebooting your servers, or patching your servers, which often does require a reboot, it's not easy to do. It's annoying, it's tedious, and it's even harder to design your infrastructure in a way that you don't need to reboot after patching. It causes service disruption, you have to test the patches before you roll them out; it's a big deal for a lot of people. And quite often some of these patches are created for very important reasons. I mean, security researchers and people that write these security patches, they don't do it because they have nothing better to do; they do it because they're actually patching real vulnerabilities. So you need to keep your servers up to date, and if you don't currently have a way to do that, then I highly recommend you find a way to do that, or at least work that into your workflow in some way. Now KernelCare, the sponsor of this video, they actually offer a service called KernelCare, and what that service does is it enables you, the administrator, to live patch your servers. And if you can live patch your servers then that's even easier, because you won't need a reboot. A live patch is the process of injecting a patch right into the running kernel, which means you can benefit from that security fix, if it is a kernel-related security fix, right then and there, no reboot required. But even if you don't go with a service like KernelCare, at least enable unattended upgrades. Various Linux distributions have a similar solution to unattended-upgrades; it's different per distribution, but you get the idea. Automatic updates are your friend because they'll keep your servers up to date, and that's a very important thing.

For number three, it's probably even more obvious than number two, and that is the importance of secure passwords, and by secure I mean randomly generated passwords. The thing is, you would be surprised by how many hacks out there were done solely because there were weak passwords involved. So definitely have randomly generated, secure passwords for all of your very important servers and services. It's critical, and that also implies good password management hygiene. Something like Bitwarden or LastPass, something like that, is very important to keep your passwords, because if you forget your passwords then that's even worse, right? Because you can't even get into your own servers. But having really good password hygiene is extremely important. Again, I'm not going to spend a lot of time on this because I think it speaks for itself, but if you, as the administrator for your company, notice some very easy or insecure passwords, you really do need to change them on the spot, because if you don't you could have a very long day or week ahead of you.

Now, number four on my list is all about not making things publicly available unless you absolutely have to. Now I get it, a lot of companies out there have a public-facing website; that's very important because you do want your customers to reach your website, and in that case that server does truly need to be open to the public internet. There's just no way around that. However, if a server or service does not need to be public-facing, make sure that it's not: implement firewall rules that block its ability to be reached from the outside. Now, don't just assume that a service on your company's network is not reachable from the outside after you apply that firewall rule; actually check to make sure that it's not. For example, you can use your phone, just make sure you're not on the company Wi-Fi, and try to access that service, and make sure that you can't do that. That's the only way to be sure that it's not publicly reachable from the outside. If you are allowed to do so, and you have permission to do so, you could try a port scan from the outside; that'll really let you know if a service is accessible from the outside. But either way, you do want to make sure of that. Now, one particularly sore point for me is when people make database servers accessible from the outside, and there is almost never an excuse to make a database server accessible from the public internet, unless your company actually offers managed database services. Then, in that case, yeah, you do need to make that database server publicly available, and I'm sure the majority of you guys are not in the business of providing managed database services. So definitely make sure that your database servers are internal only, because they're probably the backend to your web server or something like that; just make sure they're not publicly available. It's very important. Having a database server publicly available is one of the scariest things, because there could be personally identifiable information on that server, and your company could end up on the news for all the wrong reasons. Long story made short: just make sure that your database servers, as well as any other servers that don't need to be publicly available, are not publicly available.

Now, number five on my list is closing down SSH. OpenSSH, or simply SSH for short, is one of the greatest things in the Linux community, at least one of the most convenient things in the Linux community, because it allows you, the administrator, to manage your servers, or your company's servers, from the comfort of your home office or your company's office. Basically, you don't even have to get out of your chair to manage your servers. And think about it, we used to have to walk into the data center to do basically most of the things that we use SSH for nowadays. SSH is awesome, but it's also a very, very, very large target, because if a remote attacker gets access to SSH, especially as root, they will wreak havoc on your servers. You definitely want to lock down SSH, and there's multiple things that you can do in order to do that, and I have a dedicated video that talks about how to lock down SSH. You should check out that video because it'll tell you everything that you need to know, but in summary, some of the things that you want to do to lock down SSH include, but aren't limited to: ensuring that root access is disabled (you don't want to allow root authentication to SSH); in addition to that, you should also disable password authentication as well and only allow key-based authentication to your servers via SSH; and going a step further, you can lock down SSH to approved or whitelisted IP addresses to ensure that IP addresses on the public internet cannot access SSH on any of your servers. If you have a VPN endpoint, then you can lock down SSH to be accessible only from the IP address of your VPN endpoint, and that would be another step in the right direction. The more you lock down SSH the better, because it's usually the first target that hackers try to get access to when they want access to your servers.

Now, item number six on my list is all about having multiple layers of security, and what that means is that you should never rely on just one thing. So, like I mentioned, I recommended that you lock down SSH, which is great, but if that's all you do, then maybe someone will get access to your servers by another method. So the more layers of security you have, the better. For example, you could consider fail2ban on your servers as another layer of protection; maybe you already have a firewall on that server as well, and you are locking down SSH. The more layers of security, the more hoops you force hackers to try to get through in order to get access to your servers, the better, because you are making it that much harder on them to access your server, and after a while maybe that person will give up and then move on to another server, which is exactly what you want, and only very targeted attacks would continue past that point. By having multiple layers of security, for example fail2ban or a similar service that looks for intrusions in the logs and then blocks IP addresses that basically try to bypass the rules that you've set, that's a good step to have, and other tools as well. The more you have, the better. So try to have multiple layers of security on your servers and make it that much harder for outside intruders to break in.

Now, number seven, it can be argued that it's not really a security-specific thing, but I think it's important to include on this list because it is very important, and that is the concept of backups. And not just any backups: tested backups. Any backups that you have not tested, and any backups that are not in at least three different places, are not truly backups. So you want to have your backups in, like I mentioned, three different places, one of which should definitely be off-site, and you want to do test restores on those backups to make sure that the backups are good. Because trust me, if your servers go down and you need to restore from a backup, you don't want to explain to your boss that you can't restore the servers because the backups aren't working. And I have seen this happen; it's horrifying, and it's not a good experience for anyone involved. Definitely have backups, and have multiple layers of backups in multiple different locations, but especially test those backups. And that ensures that if you are actually facing a security incident and your servers are completely turned inside out, you have backups, so you're probably going to be good. Yes, it's going to be very inconvenient to have a security incident, but you have backups, you can at least get up and running quickly, and the company's data is not in jeopardy and not lost forever, which is very important, especially if your company is housing very important blueprints for products and things like that. You definitely want to make sure that those items are backed up, and that they're backed up securely.

Now for number eight: it's very important to keep an eye on all of your servers and the overall health of your servers, and monitoring tools will help you do just that. Nagios and Zabbix are two that come to mind immediately. If there's any kind of issue and you have the appropriate checks configured, then you will be notified that there's an issue, and if you know about the problem before your customers know about it, then you actually appear as a very competent IT professional, because you are ahead of the game; you are aware of everything that's going on. And it's not just, you know, a matter of having these monitoring tools enabled, although that goes a long way; you want to make sure that they're checking the right things. You don't want to, for example, be checking for uptime only and then have the server fall over because the disk is full. You should be checking disk space as well, and obviously website availability goes without saying if it's a web server. And you could even have user checks on your monitoring tools: if there's more than one user that is on that server, it should send you an alert, and you could even configure it so that if so much as one user logs into your server, it sends you an alert. So if you're working on the server, for example, and you're doing some administration work, you get that alert that someone is logged into your server: "oh yeah, that's fine, that's me actually, I'm on my server right now and I'm installing some updates." But if you get that alert and there's no maintenance planned, that's a red flag; someone got in. So there's all kinds of different security checks that you can configure. It's very important to have monitoring tools in place.

Now for number nine, and I have to say, of all the things on this list, number nine is definitely the hardest; it's the most expensive. If you are working for a company and you have some very important services that are running, and maybe you even store personally identifiable information, you really should have a third-party security audit. Now, it's one thing that, you know, you, the administrator, you're checking everything all the time, and that's awesome, but you're only one person. You need someone on the outside to check your servers and make sure that there's nothing that you've missed. But the problem with this, though, is that third-party security audits are extremely expensive, so this is only for those of you out there that work for enterprises that can afford such a thing. But even if you can't afford such a thing right now, you definitely should keep this on the list, because if your company grows and you actually have the ability to hire someone on the outside to basically audit your servers, you definitely should do that, because they could find something that you've missed, and they might even save you from a major incident.

Now for number 10, the last item on my list, it's all about business continuity. How are you, as the administrator, going to ensure that your company is back up and running quickly after an incident, and how long do you think it'll take you to get everything back up and running? If your answer to that question is, "well, a week, because I have to rebuild everything, I have to install all the operating systems, I have to patch everything, I have to reinstall all the applications," if that's the answer, you're doing it wrong. You should have some sort of automation, images, backups, or something that is going to get you back up and running as quickly as possible. The quicker you can get everything up and running, the better. And if you have an auto-healing environment, which means if a server falls over, a new server, like a virtual server, is provisioned automatically in its place, and that's especially true with containers for example, you're doing it right, you're doing a great job, because the answer to that question is, "well, the server's never down, because it automatically brings one back up," and that's really cool. But your answer to this question really determines how good of a business continuity plan you actually have, and if you don't have a plan, you really should draft one. If all of your servers fell over tomorrow, what would be the process for getting everything built back up where it was before you had that incident? And that's going to determine what goes into your business continuity plan. Now, this is something that we could talk about in a future video, but I wanted to plant that seed right now, because a business continuity plan is very important to have.

So there you go, those are my 10 tips for hardening the security of your Linux servers. I hope it was helpful. Now, I know that a lot of those tips were somewhat entry level, but again, this is the first episode of this series, and I wanted to give you guys the overall list of important things to consider, and then in future videos we will take a look at more of these concepts in greater detail. So what are some concepts that you think I should cover in this series? What's important to you? Let me know in the comments down below. I look forward to hearing what you have to say, and I will go ahead and create episode 2 in this series as soon as I possibly can. So definitely subscribe to my channel if you haven't already done so, and I'll see you again very soon. Thanks for watching.
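The SSH lockdown steps from tip five (no root login, no password authentication, key-based login only, access limited to approved IP addresses) can be checked against an sshd_config with the added Python example below; it is not code from the video or from Learn Linux TV. It assumes the address restriction is expressed as AllowUsers user@host patterns or a Match Address block, and it follows sshd's rules that the first value seen for a keyword wins and that lines after a Match header apply only inside that block.

```python
"""Audit an sshd_config against the SSH lockdown steps from tip five."""
import re

# sshd keeps the FIRST value it sees for a keyword (case-insensitive), and any
# line after a "Match" header applies only inside that block. Defaults below
# are assumed to match OpenSSH 7.0+ when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with first-occurrence-wins."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":                       # start of a conditional block
            current = {"criteria": value, "settings": {}}
            match_blocks.append(current)
            continue
        target = global_settings if current is None else current["settings"]
        target.setdefault(key, value)            # later duplicates are ignored
    return global_settings, match_blocks

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, blocks = parse_sshd_config(text)
    effective = lambda k: cfg.get(k, DEFAULTS.get(k, "")).lower()
    findings = []
    if effective("permitrootlogin") != "no":
        findings.append("PermitRootLogin should be 'no': root can still log in over SSH")
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication should be 'no': password logins allowed")
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication must be 'yes' for key-based login")
    # Source restriction: AllowUsers user@host patterns or a Match Address block.
    restricted = "@" in cfg.get("allowusers", "") or any(
        "address" in b["criteria"].lower().split() for b in blocks)
    if not restricted:
        findings.append("no source-IP restriction (AllowUsers user@addr or Match Address)")
    for b in blocks:                             # a Match block can re-enable passwords
        if b["settings"].get("passwordauthentication", "no").lower() == "yes":
            findings.append(f"Match {b['criteria']} re-enables PasswordAuthentication")
    return findings

# Constructed sample configs (not taken from any real server).
WEAK_CONFIG = "#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n"
HARDENED_CONFIG = """PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@203.0.113.10
Match Address 10.8.0.0/24
    PasswordAuthentication no
"""
if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or "all checks passed")
```

Run it against a copy of /etc/ssh/sshd_config by passing the file's contents to audit_sshd_config; the weak sample reports three findings and the hardened sample none.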
