5 Easy Tweaks to increase your Linux Server's Security

Captions
Hello again, everyone, and welcome back to my Enterprise Linux Security series. In this episode, episode number two of the series, I'm going to walk you through five, yes five, things that you can change on your server right now to strengthen its security. Now, to be fair, what I'm going to walk you through is not going to make your servers hack-proof, but these are five things, they're easy things, that you could do right now to strengthen the security of your servers, and I'm going to walk you through each one. I'm excited to get right into it, but before I do I want to mention the sponsor for today's video, CloudLinux. They have a new service available called Extended Lifecycle Support that enables you to keep your end-of-life distributions going for just a little bit longer. Perhaps you need just a little bit more time to upgrade to a newer version, and if that's the case then Extended Lifecycle Support is something that you might want to consider. Here on this page we can see some of the features that are being advertised. It mentions that patches are available soon after CVEs go public, the setup process is easy and straightforward, it gives you kernel and critical package updates, and this is very important right here: ELS gives you an additional four years beyond the end-of-life date from the vendor. The pricing starts at $3.60 USD per server, and from what I found it actually is the cheapest option available today, which is awesome. It supports multiple distributions as well; for example, right here they advertise CentOS, Oracle, Ubuntu and Debian. Debian is currently in the planning stage at this time, but this service is already available for CentOS 6, Oracle 6 and Ubuntu 16.04, and if you are currently running one of those distributions then that means you no longer have support for security patches from your vendor anymore. Extended Lifecycle Support can keep your end-of-life servers going for a while longer, so if that affects you then definitely check this out, and thank you to CloudLinux for their continued support of LearnLinuxTV. I really appreciate it.

Now, without any further ado, let's get into my five tweaks for securing your Linux server. All right, so here I am on an Ubuntu server that is running in the cloud. I've just created this server, and I haven't yet integrated any of the security tweaks that I normally integrate to secure a server; this one is completely vanilla. As you can see here, the specific version of Ubuntu that I'm running is Ubuntu 20.04.2 LTS. I usually recommend LTS releases for most people, because the security updates are available for a longer period of time on an LTS release than on other versions of Ubuntu. So anyway, let's go ahead and get into some security tweaks.

Now, the very first problem is that I am currently running as root. Normally, when it comes to Ubuntu, they actually lock the ubuntu user when you install Ubuntu on your server, but when it comes to cloud providers they often unlock the root account, and that's the account that they have you use when you set up a VPS instance like I have here. So the first order of business, at least for me, is to create a non-root user. Now again, if you have installed Ubuntu yourself then this step is already completed, because generally speaking Ubuntu locks the root user by default, and typically the root user is unlocked when it comes to cloud providers' versions of Ubuntu. So anyway, what I'm going to do is run adduser and then I'll give it the name of the user that I want to create. I'll just create the user as my first name, jay, just like that: adduser and then jay. Now, if you are not logged in as root and you want to create a secondary user aside from the user that you already have, then what you'll need to do is add sudo in front of the command, but since I'm currently logged in as root I don't have to do that. So it's going to have me create a password for that user; just make sure that it's super secure. I'll type it again, and for these prompts that are about to come up you could actually answer these, but I'm going to leave them blank for now: full name, enter, room number, work phone, just going to keep pressing enter. Then it's asking me, is this information correct? Yes it is. I'll just press enter to accept the default of yes, and that's why the Y is capital, because that's the default. So now I actually have a non-root user that I can use to log into the server, but I should also make sure that my new user account has access to sudo, because I don't want to use the root account unless I absolutely have to. Enabling sudo will allow me to execute commands as root from my normal user account, so it's pretty important that I do that. By default, access to sudo in Ubuntu is controlled by the sudo group; if a user is a member of that group then they'll be able to use sudo. So what I could do is run usermod -a and then capital G, because I want to add a user to a group, and the group that I want to add a user to is the sudo group. Again, this is Ubuntu specific; other distributions will use a group of a different name, such as wheel for example. But anyway, the user that I want to add to the sudo group is the one that I just created, jay, so the command looks like that. I'll press enter, and I can confirm that my user is a member of the sudo group by running groups and then jay, and you can see that sudo is among the options there. So if I was to switch over to jay I could type su - and then the user, and it didn't actually prompt me for the password for my user, because root is the superuser; root can do anything, so root doesn't need a password to switch to a different user. But as you can see I am logged in as my local user jay, so I could run a command as sudo. I could do sudo ls /etc, which is a very simple command to make sure that sudo works. I'll press enter and it's going to ask me for my password, which I have just entered, and you can see that the ls command worked. If I didn't have access to sudo then I wouldn't have seen the output of the ls command, and since I do see that, that confirms that sudo is working just fine. So what I want to do at this point is log out completely, so I can hold Ctrl and press D to disconnect, which brings me back to root, and then I'll hold Ctrl and press D again to log out of SSH completely. So now I'm logged out of that server. That's the command that I used to SSH into the server in the beginning, so I'm going to change the username to my name, because again I don't want to use root unless I absolutely have to, type in my password, and as you can see I am logged into the server as my local user account.

Now, another thing that we need to do in order to strengthen the security of our Linux server is make sure that we have all security patches installed and ready to go. Even if we are using an automatic patching solution such as KernelCare, it makes sense to start from a known good state, or a fully updated state. So the first thing I'm going to do is run sudo apt update, and this is not going to actually update the packages, but what it will do is refresh its understanding of what's available to be updated. I'll press enter and now it's refreshing its package index; usually this is pretty quick, and at the bottom there it is telling me that 42 packages can be upgraded. So in order to actually install those updates we can run sudo apt and then dist-upgrade, basically a distribution upgrade, and this command is also the same for Debian as well. By executing this command it should install all of the packages that are available to be updated. Let's see what happens. I'll press enter, and as you can see right here it's going to update quite a few things, so I'm going to press enter to accept the default of yes. I'll let this run and then I'll be back as soon as it's done. All right, so the update process is complete. Now what I like to do at this point is reboot the server, because I want to make sure that I am actually taking advantage of all of the updates, some of which do require a reboot, unless you are using something like KernelCare Enterprise, in which case you don't actually have to reboot. But this is a brand new server, I haven't loaded KernelCare Enterprise yet, so what I'm going to do is reboot it so that I am starting from a fully updated server. Before I build this server out to be whatever it's going to be, like a web server or proxy or something like that, having a fully updated package database will just give me the best possible starting point. So I will type sudo and then reboot, and that's going to reboot the server. I'm going to give this server a few minutes to start back up and then I'll be right back. All right, so let's see if the reboot is finished and the server is back online. So far so good, and now I am logged back into the server. Let's continue.

So next, what I'm going to walk you through is how to install unattended-upgrades in Ubuntu. Now, this is actually a different service than something like KernelCare Enterprise; KernelCare Enterprise will give you live patching, unattended-upgrades will not, but if you don't have a subscription to something like KernelCare Enterprise then unattended-upgrades is a really good thing to have nonetheless, and it's actually very easy to install and set up. So what I'm going to do is run sudo apt install and then the package I want to install is unattended-upgrades, just like that. I'll press enter, I'll type in my super secret password, preferably I'll type it in correctly, there we go, and on this particular image for this VPS provider unattended-upgrades is already installed. So now that it's already installed, how do we configure it? What I'm going to do is go into the /etc directory, and inside there we have an apt directory, and underneath that we have the apt.conf.d directory as well. If I list the storage we have quite a few files here, and before we continue we should ensure that automatic upgrades are enabled. The command that we can run to actually enable that is this one right here: sudo dpkg-reconfigure --priority=low unattended-upgrades. When you press enter it's going to ask you at least one question; for me it only asks me this question. It wants to know if the server should automatically download and install stable updates, and yes, that's exactly what I want, so the cursor is already on the answer yes, I'll press enter, and that's virtually it. Inside this directory we have quite a few files, so what I'm going to do is use the nano text editor; it really doesn't matter what text editor you use, but we need to edit some files, and the 20auto-upgrades file is the first one that we're going to take a look at. Now, for this particular file you will need at least these two lines. What this means is that, first of all, we are enabling the package list to be automatically refreshed, that's the first line, and the second line is enabling the automatic installation of those updates. So not a lot to configure here, just those two lines, so I'm going to hold Ctrl and press X to exit out; I didn't make any changes here, that file should already be populated when we run the reconfigure command. So next I'll run sudo nano, I want to edit yet another file, this time I want to edit 50unattended-upgrades. That's the next file that we need to edit. I'll press enter and here it is, and this one is quite a bit longer than the other one, so let's scroll down a bit and look for some things that we might want to change. So this first section right here, Allowed-Origins, is basically where we decide what type of updates we actually want to have. Security and infra-security are already there. Now, alternatively we could enable the other sources as well, but the whole point of this video is security specific, and updates, proposed and backports, those repositories aren't actually going to be security specific, so it's up to you if you want to enable those. I don't necessarily recommend it unless you do want to have feature updates be automatic as well, so I'm going to leave this section alone. So keep scrolling a bit. Now this option right here is completely optional, but you could set it up to install updates only on shutdown. This isn't something that I normally turn on, but it is there if that's something that you want. Now this line right here gives you the ability to have an email sent to you anytime unattended-upgrades actually upgrades something. This does require the ability for outbound mail to be set up on your server, which in and of itself could be a security risk; as long as you do have that locked down you should be fine, but that's beyond the scope of this video. But if you do have an email address that you want to receive updates to anytime this runs, then what you could do is uncomment this, and then inside the double quotes right here you could type your email address, whatever that happens to be, just like that. So I'll scroll down, let's see what else we have here. Now, similar to the above, this has to do with email alerts, and if we uncomment this we can control when we actually get an email from this service. By default it's going to email you anytime there's any kind of change. Now, if you have tens of thousands of servers you're going to get a lot of email, so what you might want to consider, just like it says in the line above, is changing this to only on error. That way, if everything is fine you won't get an alert, but if there's a problem you will. Now, be careful with this though. You might want to consider leaving this set to on change, because if the service fails then you might actually think that nothing is wrong; if it fails at a level that's below unattended-upgrades, and unattended-upgrades doesn't even run in any way, shape or form, you could actually think that your server's being updated and it's actually not. So that's the trade-off; I'll leave that up to you. Now this line right here, I do uncomment that line, because every now and then you will get a new kernel installed as part of an upgrade, and over time those older kernels will take up space. I've actually seen servers have their boot partition filled up just because of this alone. Now I've uncommented this and it's set to true, and what that means is that after a while it's going to actually clean up unused kernels, which will help prevent that kind of thing from happening. So I do recommend that you uncomment this line, and similarly I also uncomment this one as well. Most likely these are default and will work regardless of whether or not they're commented out if you don't change their settings, but I like to be explicit. Every now and then when you install upgrades on your server there might be unused dependencies, and what this will do is just clean those up, so that way you don't have your entire server cluttered by packages that you are not using, which actually benefits security, because the fewer packages that you have installed the better. And pretty much the same thing here as well; we definitely want to keep our server clean. Now this line right here, you might want to pay special attention to this. You can uncomment this, and you should. It's set to false by default, but what this will do is automatically reboot your server once automatic updates have finished. Now, if this is a production server and you are a 24x7 operation then you probably don't want to set this to true; however, if you do have a maintenance window at the end of the night, or maybe in the middle of the night, where you don't mind the server rebooting, it can only benefit you to set this to true. If you are using something like KernelCare Enterprise then you really shouldn't have to do this at all, but I'll leave it up to you. It just depends on whether or not you are a 24x7 operation. If you can deal with a few minutes of downtime in the middle of the night then maybe this is something that you should enable, in which case you will set this to true. And this line right here is going to do the same thing, but it's going to do it also when users are still logged into the server. So think of it this way: if you have a maintenance window, say two in the morning, and it's okay for the server to reboot after updating at that time, but since that's your maintenance window, if you have an administrator logged into that server that's doing actual work, you may not want the server to reboot if someone is logged in. I'll leave that up to you to specify; it really depends on your operation and how you have things structured. And right here we have the unattended-upgrade reboot time. So if you do have it set up to automatically reboot your server when upgrades have been applied, then this will allow you to set the time that the server actually reboots. It defaults to two in the morning; if that's okay for your maintenance window you can leave it set to two in the morning, that's not a bad time, but I'll leave that up to you, whatever time you think is fair for the server to reboot if you don't have a live patching solution. Now, there's all kinds of different options here, and I'm not going to go over all of them; those are some of the highlights. So what I'm going to do is hold Ctrl and press O to save the file, I'll press enter, and then I'll hold Ctrl and press X to exit out, and the changes should take effect immediately.

So at this point we have automatic upgrades enabled. What else can we do to start our server off with better security? Well, the next thing that we can do is actually secure SSH, and to get started I'm actually going to disconnect from my server. I'll just hold Ctrl, press D, and now I'm back to my local computer. The reason why I disconnected from the server is because I want to create an SSH key that I can use to connect to the server with, rather than using password authentication, which is one of the first things I do when it comes to SSH. So to generate an SSH key I will type ssh-keygen, just like that, and while I could just press enter right now to accept the defaults, I want to actually customize the key that I'm about to create. Specifically, I want to create a key of a completely different type than the default, so I will add -t, and that will allow me to set the type of key that I want to create, and the type is going to be ed25519, just like that. Without going too into detail about what makes this particular type of key better, it is an elliptic curve key type; it just basically has better security than the default of the RSA type. So I'll press enter, and it's giving me the path right here where it's going to create the key by default, so I'm going to press enter. But before you press enter, just keep in mind that if you have a key at this location already it's going to be wiped out by this command. Just make sure of that first before you press enter; you don't want to lose an existing key if you have one. So I'll press enter, and now it's asking me for a passphrase. I can actually create a key with a passphrase, and that adds additional security to the key, or I could press enter to essentially have a key with no passphrase, and I highly recommend that you do use a passphrase with your key. Again, it's optional, but it does add significant value because it gives you additional security. So what I'm going to do is create the passphrase right now; I'll just type in the passphrase that I want it to be, and then I'll type it again, and now it's telling me that the key has been created. So if I list the storage of my home directory, specifically the .ssh directory, you can see that I have these two files right here: id_ed25519, and then also the same file again but with .pub at the end of it. Now, the file that's highlighted right now is a public key. It doesn't matter if you show the contents of this key to someone else; in fact, if you want to connect to another person's server to help them out with it, it's actually quite common to give them your public key to allow you access. So what I could do is cat out the contents of that key, and there it is right there. Now again, it's perfectly acceptable to show this key in the public, so there's no problem whatsoever with my YouTube audience seeing this key, but what I should not do under any circumstances is show off the contents of my private key, and this is the private key right here, the file that does not have the .pub extension. So I absolutely should not do this, but I just did. Now here's the thing: I'm going to delete this key as well as the server as soon as I'm done recording this video. That's why I'm able to show you the private key, because the private key is going to be completely deleted; I'm never going to use it, and I'm never going to set up a server to be authenticated with this key after this video is done. The only reason why I'm showing you the contents of this file is just so you can see what a private key generally looks like, but on your end you should absolutely never, I repeat never, show the contents of your private key to anybody for any reason, and you especially should make sure that your private key is never part of a public software repository either. In fact, I would never even include it in any software repository, even if it's a private repository. If this private key was to ever leak out into the public then it completely invalidates the key and you can no longer trust it; just keep that in mind. Now again, in my case I am going to be wiping this laptop and completely deleting the server I've been using right after I'm done editing this video, so that's why I'm able to show it to you guys, but do as I say, not as I do. So we have an SSH key; now what can we actually do with it? Well, what I'm going to do right now is run a special command that's going to copy my key over to the server, so that way I can actually use the key to authenticate to my server, which will then enable me to disable password authentication, which is what this is ultimately leading to. So I will recall the ssh command that I've been using to connect to the server, and here it is, and what I'm going to do is change the ssh command to ssh-copy-id, and then I'll add -i, then my home directory, and then I'll type the name of the key, which is that one right there. So take a moment to look at the command to see what I'm doing: I'm using the ssh-copy-id command with the -i option, I'm pointing it to the location of my public key, then I'm adding my username, at, and then the IP address of the server. So I'll press enter. Now it's going to ask me for the password to the server; this is not the passphrase, this is the actual password for SSH for the server that I'm trying to connect to, so I will enter that right here and then I'll press enter. So now it's telling me that the SSH key has been copied over to that server. What I'm going to do is SSH back into that server, this is the same command I've been using, I'll press enter, and now it's asking me to unlock the private key, and this is where you type in the passphrase, and as you can see I'm logged back into my server. So what we're going to do is disable the ability to connect to the server via SSH with a password; we want to mandate that the key must be used, that way anybody who does not have the key won't be able to connect. There's a very special procedure I like to do for this, so I'm going to leave this session alone and I'm going to open a new tab, and here I have a new tab. So right here I have the initial session that I logged into, and then here I have the new session, so I'm going to paste in the command that I used to connect to that server. Basically I will be connected to that server in two different tabs, and as you can see I'm connected to that server again here. Now what I want to do is edit the SSH configuration file to disable password authentication, so I will run sudo nano /etc/ssh/sshd_config. So here we have the sshd config file; this is the config file for the SSH service itself, and there's a few lines of configuration that we will want to change here. So I'm going to scroll down a bit until I find the first one, and right here we have PermitRootLogin, and it's set to yes. Now this might already be set to no on your end, or it could be set to something else, but what we want to do is set it equal to no. We don't want to allow root login to our servers at all; keep in mind we've created a user for ourselves and we gave our user access to sudo, so we shouldn't actually need the root account anymore. But that's not the main reason why we're in this file, so I'm going to scroll down a little bit more, and here we have the actual line of configuration that I was looking for. I'm going to uncomment this by removing the hash symbol in the front, and I'm going to set this equal to no. What this is going to do is disable password authentication completely, so the key becomes the only way that I'm going to be able to access this server going forward via SSH. So I will hold Ctrl and press O to save the file, enter, and then Ctrl X. Now, the changes don't actually take effect until I restart the SSH service, so I'm going to run sudo systemctl restart sshd, just like that. Now notice I am connected to the server via SSH in both tabs. I'll press enter, and you can notice that I'm still connected to this server in both tabs; it didn't actually disrupt my connection here, and I'm still connected here as well. So now you might be wondering, why did I actually have you guys open up two tabs to the same server? Well, the reason is I'm going to have you disconnect in one of the tabs. So I'm going to hold Ctrl and press D, and now I've logged out of the server, but I'm still logged into this one. Now the thing is, I've restarted the SSH service; if I made a mistake and something went wrong, I won't be able to get back into the server again. That's why I kept this session open, so if I made a mistake, when I go to try it again in the other tab, then I still have this session that I can use to fix the problem, if there is a problem. So here in this tab what I'm going to do is try to connect back into the server, and it lets me right in. It didn't ask me for a password, which makes sense, I disabled that, but what's interesting is that it didn't ask me for a passphrase either. The thing is, when you have already entered in the passphrase, it's quite common that your Linux distribution, if you are using Linux on your laptop or desktop or whatever your host operating system happens to be, it is common that they will cache the key in memory; that way you don't have to keep entering the passphrase over and over. But what a passphrase actually protects you from is that if your key does get stolen, you still should regenerate the key and never use that key anymore, because yeah, they can't use your key, they don't have the password, but if there's any way in the future for them to actually brute force the encryption, it's not really likely right now, you never know, they might find a way in later. It's just good practice to always regenerate your key, basically delete it, create a new one, anytime your key leaks out, but the passphrase is one extra layer of security. But now that I've proven that I can log in to the server and I also have sudo access, we're good to close out of one of these tabs, because the only reason why we had both open is I wanted to keep a session alive in case I needed to fix something, but it looks like everything went through perfectly fine, so I don't need to keep that open anymore.

Now, the next thing that I'm going to show you how to do, and this is actually the last thing, is I'm going to show you how to use fail2ban. Now the thing is, fail2ban is a very complex app, so I can't show you everything in one video, and I do have a dedicated video on this already, but what I am going to do is show you how to use fail2ban to lock down SSH, because that's a good starting point. I mean, yeah, we did actually disable password authentication, we disabled root access as well, we're able to use a key, but we should lock down SSH as much as we can. One of the cool things about fail2ban is that its use case isn't only for protecting SSH; if you have a web server running Apache, for example, you can use it to protect that too. There's actually quite a few modules for fail2ban that you could use, and perhaps this section of the video will serve as your starting point. So the first thing we want to do is install fail2ban, and to do that we will run sudo apt install fail2ban, just like that, and it's a small program so it should install really quickly. And that's it, fail2ban is installed, but we're not quite done yet. Let's check the status of fail2ban to ensure that it's running; we can see here that it is active and it's running. Let's actually see what fail2ban is protecting us from currently, if anything, so we'll run sudo and then fail2ban-client and then we'll give it the keyword of status, and as you can see here SSH is enabled already. That may not always be the case, but it's a great thing that all we had to do was install fail2ban and now it's already protecting us. So what fail2ban actually does is it checks your Linux system logs for attempts to access the server. The SSH jail in this case is watching the config file for SSH attempts, and if it sees too many failures then it's going to actually ban the IP of the person that's trying to get into the server. But one thing you definitely don't want to happen is have it ban your IP, because that would be really embarrassing if you yourself get locked out of the server. So what we're going to do is go into the /etc directory and then the fail2ban directory. Inside there we have a jail.conf file, and you know what, we could edit that file and make any changes to it to configure fail2ban as we'd like, but we shouldn't actually edit that file, because if we install our updates and fail2ban itself gets updated then that jail.conf file will also be updated and overwritten, and we will lose all of our changes. So what we could do is copy the jail.conf file, and we could copy it to a new name of jail.local, and we actually have both files; we have jail.conf and jail.local. The way this works is that jail.local will be preferred if present; it doesn't have to be present, but if it is present fail2ban will use that file, and if it's not present it's going to use jail.conf. What that means is that we can have jail.local with all of our customizations inside that file, and we don't have to worry about it being overwritten. So let's bring it up in an editor, just like that, and take a quick look. Now what I'm going to do is scroll down quite a bit here. Now, this isn't why I had you open the file, but there's a few things to point out here, for example bantime. By default, if an IP gets banned they are locked out for 10 minutes; after 10 minutes they can try to access the server again. Now, if this was a hacker, that means that they get banned, then they could try again in 10 minutes, but the thing is, being locked out for 10 minutes in between attempts, or however many attempts you're configured to allow, will drastically slow them down and prevent a brute force. And down here we have maxretry equals five. What this means is that if someone is accessing the server via a service that fail2ban is watching and they fail five times, then their IP gets banned. If their IP gets banned then they're going to actually get banned for 10 minutes, and after 10 minutes of course their ban is lifted and they are able to access the server again. So you can set this to 60 minutes if you'd like, or whatever you think is fair; just keep in mind, if you get locked out you also might have to wait that amount of time. I'll leave it up to you to configure those. Again, that's not why we're here, but just something to point out. And now we have this line right here, ignoreip; this is the one that I really want you to think about. So I'm going to uncomment this. We're going to leave the localhost IPs alone, but what I recommend you do is add your public IP, or whatever IP address it is that you're coming from when you access your servers via SSH, and you add that IP address here. What that protects you from is having that IP get banned; any IP that you put here will never be banned, regardless of how many times you try to access the server. So that way you don't have to worry about you yourself going beyond those five attempts and being locked out for 10 minutes, or more than 10 minutes if you have that set to something else. You basically put your IP here, again the IP you're coming from, so that way you don't have to worry about getting banned, and you can add other IP addresses here as well. For example, if you have a VPN endpoint you can add the IP address here for that, so that way if you are coming from a VPN service, and that VPN service uses a predictable IP, then you have a way into the server that'll protect you from you yourself getting blocked. But I'll leave it up to you to add your IP address here; it's just a good idea and I recommend you do that.

As you can see, with just a few quick tweaks you can increase the security of your Linux server, as we've done in this video. So let me know what your thoughts are in the comments down below. I'll get working on episode 3 very soon, but in the meantime make sure that you subscribe if you haven't already done so, and also click that like button if you did like this video; that lets YouTube know that you want to see more Linux content just like this. Thank you so much for watching.
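The sshd, unattended-upgrades and fail2ban edits described in the transcript, as an added shell example that is not the video's own code. Every function takes the file path it should operate on, so the edits can be rehearsed on a copy (the `demo` at the bottom does exactly that on a constructed sample sshd_config) before they are applied to /etc. Two safeguards are added that the walkthrough performs by hand: `has_authorized_key` refuses to disable password authentication until a public key has actually landed in the authorized_keys file (the ssh-copy-id step), and `apply_sshd_hardening` runs `sshd -t` on the edited file and restores the backup instead of restarting if sshd rejects it, which is the same protection as keeping the second SSH session open. The 20auto-upgrades directive names and the jail.local keys are the real ones; the IP address used in the usage note is a constructed example.

```shell
#!/bin/sh
# Added example, not the video's own code: the sshd, unattended-upgrades and
# fail2ban edits from the video as shell functions that operate on whichever
# file path they are given, so they can be tried on a copy before touching /etc.
set -eu

# set_sshd_option FILE KEY VALUE: turn every "KEY ..." line (commented or not)
# into "KEY VALUE", or append the directive if the file has none.
set_sshd_option() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -E "s/^[#[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd_config FILE: the two directives changed in the video.
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
}

# sshd_option FILE KEY: effective value; sshd honours the first uncommented match.
sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# has_authorized_key FILE: succeeds only if FILE holds at least one public key,
# i.e. the ssh-copy-id step worked. Check this before disabling passwords.
has_authorized_key() {
  grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-ssh-ed25519@openssh\.com) ' "$1"
}

# apply_sshd_hardening CONFIG AUTHORIZED_KEYS: the root-only path. Refuses to run
# without a key, validates with `sshd -t`, and rolls back instead of restarting
# when sshd rejects the edited file.
apply_sshd_hardening() {
  has_authorized_key "$2" || { echo "no key in $2; keeping password auth" >&2; return 1; }
  cp "$1" "$1.bak"
  harden_sshd_config "$1"
  if sshd -t -f "$1"; then
    systemctl restart sshd
  else
    mv "$1.bak" "$1"
    echo "sshd rejected the new config; backup restored" >&2
    return 1
  fi
}

# render_auto_upgrades: the two lines /etc/apt/apt.conf.d/20auto-upgrades needs
# (refresh the package list, then install the updates).
render_auto_upgrades() {
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n'
}

# render_jail_local IP...: a minimal /etc/fail2ban/jail.local with the defaults
# shown in the video and the caller's addresses appended to ignoreip.
render_jail_local() {
  printf '[DEFAULT]\nignoreip = 127.0.0.1/8 ::1 %s\nbantime = 10m\nmaxretry = 5\n\n[sshd]\nenabled = true\n' "${*:-}"
}

# Dry run on a constructed sample config; nothing on the host is modified.
demo() {
  tmp=$(mktemp)
  printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\nPort 22\n' > "$tmp"
  harden_sshd_config "$tmp"
  cat "$tmp"
  rm -f "$tmp"
}
demo
```

On the real server the sequence is `render_auto_upgrades > /etc/apt/apt.conf.d/20auto-upgrades`, `render_jail_local 203.0.113.10 > /etc/fail2ban/jail.local` (substituting the address you administer from), and finally `apply_sshd_hardening /etc/ssh/sshd_config ~jay/.ssh/authorized_keys` as root, from a session you keep open until a fresh key-based login has succeeded.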
Info
Channel: LearnLinuxTV
Views: 10,376
Keywords: Linux, Tutorial, Review, Howto, Guide, Distribution, Distro, Learn Linux, operating system, os, open-source, open source, gnu/linux, LearnLinuxTV, LearnLinux.tv, extended lifecycle, eol, openssh, add a user, fail2ban, install updates, security, linux security, linux server, linux server security, hardening linux, linux hardening, enterprise linux security, linux web server, secure web server, secure linux server, how to, cloud hosting, personal web server, secure linux, secure server, secure
Id: OVsMaXQkktQ
Length: 40min 5sec (2405 seconds)
Published: Wed May 05 2021