5 Steps to Secure Linux (protect from hackers)

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
can linux servers be hacked yeah anything can be hacked especially if you've done nothing to protect and harden your linux server have you done that not sure good keep watching in this video i'm showing you five things you have to do to secure or harden your linux server from hackers from attacks now disclaimer actually no we're protecting ourselves no disclaimer you want to do this right now now here's a cool thing if you don't have a linux server to protect or harden or secure you can get one right now for free no really you can the sponsor of our video today lenode they are a cloud service provider and you can spin up a free linux virtual machine lab right now i'll show you how to do that here in a moment now in this video i got a little bit of help shout out to awol from my discord server he's one of my moderators a linux guru and he helped me put this video together oh and by the way have you hacked the youtube algorithm today make sure you do like this video subscribe notification bell comment all that youtube stuff attack youtube ethically of course anyways let's start securing our linux server right now all right first what do you need well you need a linux server right if you want to protect one you gotta have one and if you don't let's get you one right now for free check this out go ahead and click that link in the description below to access lenode.com welcome from networkchuck so go ahead and get yourself signed up you'll get a hundred dollar credit to create whatever you want and in our case we want to create a linux virtual machine right let's do that now now if you already have a linux server that you want to secure use that but if you don't do this once you're logged in go ahead and click on create lenode i'll do that now create there's just a few things we have to do here first our distro i'm leaving mine at debian 10. next we'll select our region choose one that is close to you like i'm going to select fremont california i'm going to scroll down to our lenod plan and choose the cheapest option nanoed one gigabyte it's only five bucks a month and we have 100 credit so we're good it's a free server for you right now it's awesome anyways continue we're gonna scroll down last thing we gotta do is oh second to last thing we're gonna label it can't touch this and then put your password in just create whatever password you want this will be your root user password and that's it click create and we're off to the races at linux vm being created in the cloud i will never not love this it's amazing anyways we're gonna let that finish cooking perfect time for a coffee break okay mine is ready let's do this first thing we got to do is actually log into our server we're going to use ssh now i will be demonstrating this on windows but a lot of the steps are the same on linux and mac anyways so right here i have ssh access i'm going to copy this bad boy right here click copy copied and here on windows 10 i'm going to use powershell just search powershell and click on windows powershell and launch that sucker and then we'll go ahead and paste that command we copied by right clicking boom there it is and hit enter i do want to continue type in yes and now for our password we're gonna get rid of that don't worry and we're in okay step one and it's probably our most important step enable automatic updates this is vital most servers get hacked because they weren't patched they didn't have their security updates and sure we can update our servers manually but we're going to forget that crap so let's get to work now real quick i do want to show you how to update your server manually just in case there's an emergency or something we can do this with two simple commands first apt update with this command we reached out to our repositories and said hey am i up today my system my apps and if they weren't it would tell us right here now according to this i'm good and if you just deployed your server you might be too and then to install any updates if we had any it'd be apt this dash upgrade and hit enter again i had nothing so i'm good you might have a lot so let it do its thing now to have our updates install automatically because we're going to forget we will i'll forget we'll install this utility apt install unattended dash upgrades and go hit enter for yes it is going to sit at 98 for a second don't let it scare you just take a coffee break and it'll be done here in a moment and we're done now one more thing we need to set the sucker up and it's only one command not scary at all the command will be dpkg dash reconfigure space dash dash priority equals low and then right after that type in unattended dash upgrades now don't worry all these commands are below in the description if you just want to you know copy and paste but sometimes it's kind of fun to type it out right so let's do that anyways hit enter you're going to get this pretty little menu here do i want to automatically download and install stable updates heck yes i do hit enter and we're solid that's gonna do it now step two solves a massive problem we have right now because watch this right now i'm logged in as root that's not good logging in as root is something you never ever wanna do especially over the internet come on it's okay i do it all the time it's bad though so it's not okay so how do we fix that well we just don't log in as root we're gonna create another user this user will have limited access meaning he doesn't have the god-like privileges of root over here but often when you actually wanna do stuff on your server you need the power of root so we'll add our user to the sudo or sudo group so we can do stuff and we're going to do that right now we'll create our user with one command add user and then our user mine will be network chuck me and hit enter you'll be prompted for a password put in your password one that you can remember and then you get a few profile questions i'm gonna skip all that enter enter enter and we're good well almost we gotta add our user to the pseudo group again one simple command user mod space we'll do a dash lowercase a capital g that is important and then we'll put in the group we want to add them to the group will be sudo and then our user network chuck and done hit enter and you're good now why do we do that why do we need sudo well a lot of the things you want to do on your server require root privileges which is the godlike account on your server but we don't want to use that account because it's kind of dangerous it's safer to use an account you create and then when you need to use root privileges you preface your command with sudo let me show you and actually do this with me right now we're going to log out of root and we're going to log in with our new account so i'm going to type in log out to get out of there connection closed and let's log back in with our new user account right now so the command will be ssh my new username network chuck at my server just 173.255 blah blah blah put in my password and i'm in with my new account now let's say is this user i wanted to create a new user account so i'll type in add user and we'll add bernard hackwell watch what happens what command not found we just used that command ah but you see we don't have permission to even know that command exists like we're very limited in our power but we have a magic word the magic word is sudo sudo add user bernard hackwell that's going to ask us for our pseudo password which is our normal password the one we use to log in and suddenly that command works we're basically getting the roots powers just for a moment for that one command pretty cool so to verify that your sudo works just type in any command really sudo ls and if that works once you type in your password you're golden step 3 passwords are for suckers man now sure your password might be 30 characters with 17 symbols and no hacker could ever brute force that right i don't know maybe why take that risk so let's do away with that whole password thing we're going to create an authentication key pair and it's actually super simple don't worry and if you're new to this i'm not kidding we're not going to use a password to log into our server anymore watch this now i'm going to oversimplify this but here's what we're basically doing right here on windows we're going to create two keys a public key and a private key we're going to give our linux server the public key and again to kind of oversimplify this you can think of the public key as like a a padlock or something and our private key being will a key and the only way to log into our server or unlock this padlock here is to use this private key that we're going to keep hidden keep on our servers and not give to anybody so right now let's create that public private key pair now first we got to prep one thing in our linux server one command i know i keep saying that but it really is just one command again it's in the description if you just want to copy and paste otherwise let's type it out so the command will be mkdir or make directory put a space and then that weird squiggly forward slash dot ssh so here we're creating a directory to store our public keys and we'll do an and and we're going to add one more command to this thing here we'll do chmod or change modification 700 in that same location squiggly forward slash dot ssh now squiggly means your user profile your home directory the user we created so network chuck for me and what is this command doing it's actually changing the permissions of that folder or directory so that everything that needs to access it can so anyways we're going to hit enter right now boom and done that was easy right so now we're going to leave our server we're going to back out i'm going to click or type in log out and we're back home in powershell you might be on mac or your linux terminal that's a good place too now we're actually going to create our public private keys and again it's one simple easy command and yeah it's gonna be the same on mac linux and windows so here we go ssh dash key gen space dash b and we're going to specify how big we want our key to be the bigger the better more secure i want to say 4096 and hit enter boom generating the public private key pair where do you want to store it this is the default location in windows i'll hit enter now for me i already had a public private key pair i've created previously that's why i have this message that file already exists or that key already exist but for a lot of you you've never done this before so you won't get that message so no worries you're fine but if you already have one there you may want to save it as a different file otherwise you'll overwrite this and what that could mean is you might lose access to login to other servers you have now for me this was a test key i have no problem overwriting that so i'll say yup and do it now you can also do a password for your key basically you're putting your key into the lock and then you have to put passcode in as well but you don't have to and i'm not going to right now so i'll just hit enter enter and we're good or i'm good the keys have been created let's see what they look like we're going to enter the command cd or change directory and we'll navigate to our dot ssh folder and then type in ls to list the contents there and there they are our private and our public key and we have one step left here we want to upload this public key to our linux server let's do that now now this will be different on windows mac and linux but only slightly i'll show you windows first we're going to use the secure copy protocol to throw our key up there so scp is the command space and then this is windows only do a dollar sign env colon and then all caps user profile and forward slash dot ssh forward slash your public key which by default will be id underscore rsa dot pub space and now we got to tell it where we're sending it so it's going to be network chuck or whatever username you set up at my server ip address and i forgot what it was it'll find it real quick just copy that sucker once more paste and then colon right after the ip address we'll do our squiggly forward slash dot ssh forward slash authorized underscore keys just like that once i hit enter it is going to ask me for my password last time i'll ever have to use it watch this okay it's up there it's copied i threw my public key up there so now this is so cool check this out i'm gonna log back into my my server here ssh network chuck at my server ip address i'm not gonna put my password in straight in baby look at that that's awesome so right here i'm not using a password to log in i'm using my public private key pair which is much more secure because a hacker can't brute force that now for linux doing this is super easy it's one command like everything else it's going to be ssh copy dash id and then your username at your server for mac it'll almost be identical to the windows way of doing it the only difference will be right here at your user profile part where i have the dollar sign and the env gonna remove that and it will look just like this the squiggly which again means your home directory four slash dot ssh forward slash id underscore rsa.pub so yeah passwords are for suckers and we took care of that so we're good now right no because you can still use passwords on the server it's just my account using the public private key so step four we're going to lock down login or logins no more passwords across the board and i got a few other things too let's do that so i'm going to get back into my server ssh network chuck at my server ip no password love it i'm in so to lock down our logins we're going to edit a file the file will be and we're going to use our pseudo command now sudo and then we'll use my favorite text editor i love it nano and then we'll put in our file name so it'll be forward slash etc or etsy forward slash ssh forward slash sshd underscore config and hit enter oh pseudo password boom we're in in this file we're going to change a few things and it's nothing crazy like check this out first we're going to change the port now by default port 22 is used by ssh that's what we're using to log into the server we know that and so do hackers everyone knows that so it would make sense to probably change that right we're going to do that now you don't want to use a well-known port or anything that might interfere with your current port usage so something random and high i'm just going to throw in 717 just for fun support is done and now for address family just below it going to remove that pound sign so it's no longer a comment now what we're going to do here is change it to only use ipv4 right now it's using any which is ipv4 and ipv6 in most cases you don't need both so i'm just going to use ipv4 i'll type in inet for most of you this is what you'll want to do making it ipv4 only next we're going to scroll down to about two here where it says permit root login yes no we're not gonna let root log in anymore no no no more sir root cannot log in via ssh anymore changing that yes to a no we're almost done let's keep scrolling down keep scrolling until you see password authentication yes no passwords there's for suckers dude we're gonna change that yes to a no and what this will do is change it to where no one no one can log into our server with the password they have to have a public private key pair that's the only way and that is the only thing i care about changing on this document to secure and lock down my logins so with nano to get out of here i'm going to hit control x put in y and then enter to save that configuration and then i'll restart my ssh service that command will be sudo systemctl restart sshd boom now we want to test it first because we could have broken something honestly we could have you might have locked yourself out of your system but you're still you're still here and that's good just don't log out yet i'm going to open up a new terminal or a new powershell in windows here and i want to try and log in with my new stuff i've configured ssh network chuck at my server ip now this should not work because right now it's going to use the default port of 22 but we changed that didn't we so let's see if this works it shouldn't yeah it's not looking good yeah could not do it connection reviews that's what we want so now to connect on our custom port i'm going to add the switch dash p 717 that should do the trick let's test it out i'm in yes okay custom port 717 and of course whatever you change yours to so at this point we're looking pretty good we've locked down our logins root can't log in and if any other user wants to log in they can't use a password because passwords can be hacked they have to use a public private key which i mean those aren't completely unhackable but they're definitely more secure than a password now again everything is hackable but some things are more secure and we want to be on that side of things right yes now one more thing to harden our server make it secure take that hackers one more thing let's fire well it up let's lock it down put our fence up our perimeter no one's getting in except for me let's do that now so first i want to see what ports are being used on my server here or basically what's being allowed into my server what holes are open we'll do that with command sudo ss t-u-p-l-n boom sudo password and let's take a look inside so right now i'm looking pretty good the only port or hole in my server i have open is port 717 which is not the default ssh port so it should be pretty hidden pretty good like hackers aren't going to look for that by default they have to try pretty hard now when you run that command what do you see do you see just a ton of things listed there might be some things that you don't want open or maybe things you're not sure about so in the case that you do see something weird that you don't know what it is first google it because it might be something you need like dns or something but if you google it and it's something weird uninstall it that's what i would do just be careful now we're gonna get our firewall ready i'm not gonna let anything into my server to get our firewall set up we're going to install something called the ufw which actually stands for the uncomplicated firewall it's basically a nice front end to mess with your firewall rules because it can get complex and this is not as complex so let's try it out first we have to install it really simple sudo apt install ufw go now by default it's not going to be enabled so if i do sudo ufw status it'll tell me status inactive so nothing crazy going on just yet but we're about to get crazy let's do it right now we're not getting too crazy and the first thing i want to do before i put my fence up my barrier up is i want to put a window in or a door in where i want to come in right and that's going to be our ssh port now again normally that would be port 22 but we changed it so we have to allow that custom port we did i'm going to allow mine right now so the command will be sudo ufw allow and my port number 717 and that's it rules updated now if i do a pseudo ufw status i shouldn't see anything just yet yeah it says inactive so now what will happen is i'll enable this firewall and it should block everything except that port 717. so let's try it out the command will be sudo ufw enable and yeah it could disrupt some things it could break things but you should be finding within your session right here so i'll hit y and it's active and it will be active the next time you reboot it and everything else so let's do a pseudo ufw status once more and we can see what's going on it's active and it's allowing my 717 port so now before we do anything let's try to log in from another terminal or powershell window just to make sure we can get back in so again command ssh network chuck at my server specify my custom port with dash p717 and okay we're in we're good nothing blew up now if you're running things on your linux server that you want exposed like maybe you have a website like let me install one real quick sudo apt install apache 2. yeah i'll install it real quick just for fun then i'll start it up sudo system ctl start apache 2. so now i have a website running on my server if i do sudo ss t-u-p-l-n to see what ports i'm listening on i've got an extra one now not only 717 but i also have port 80 my website port http but that doesn't mean you can get to it because my firewall is probably blocking it let's test it out open up my web browser real quick navigate to that ip address and it's not loading and that's what i expected let's go allow it so let's get back to our terminal here same command as before sudo ufw allow but this time the port will be port 80. i'll do a forward slash and say tcp because it is tcp 480 and hit enter we'll add it now let's see if that website works now ah it does immediately now sometimes you might have to restart or reload your firewall but in this case we're solid now there's one more thing i want to do with our firewall and it's it's pretty important because like i don't want hackers to be able to find out my server is there my server exists and a lot of times a server can be found out just by pinging the ip address like look here got another window open here i'll ping my ip address go ahead and do this now as well ping your server i'll do a dash t so it's continuous here and yeah you can ping it which is a great utility to make sure your server is up but that tells the hacker that your server is up and ready for attacks i don't want that i want to stay hidden so we can actually block pings which yeah also means you won't be able to ping it but this is often a best practice to protect your servers so let's go do that right now back in our linux machine we're going to edit another file so the camera will be sudo nano and then our file name it'll be etsy ufw before dot rules and let's jump into that file we're going to add one line to this file here so i'm going to scroll down to the section where it says ok icmp codes for input right here we're going to add one line here again it's in the description i'm not going to type this one out i'm just going to copy and paste i'm just going to hit enter here right click to paste there she is hit control x y and enter to save my rules now if i check back at my pings they're still happening because this might be a situation where i have to restart my firewall so i'm going to do that right now the command will be sudo ufw reload this might do it let's let's test it out okay reloaded let's see if our pings are working now so upon a reload it's not applying the rules i'm just gonna do a reboot of my server so i'll do a sudo reboot and we'll see if that works coffee break so it should be rebooted i'm going to get back into my server here same command and we're back in so it is up let me check on my pings pings they're not happening anymore let me um let me restart my pings here another continuous ping let's test it out now pings are things are not happening they're down secure all right you made it till the end we hardened our linux server now i gotta say this nothing's unhackable what we did here today is best practice and it will help keep you safe but it's not foolproof like anything everything is hackable everything but most often those big hacks and attacks you hear about they happen in environments that haven't been properly secured or patched so just by doing this you're already ahead of the game anyways that's the video that's all i got today guys let me know your thoughts what do you do to secure your linux server comment below and again shout out to lenode our sponsor and they're they're awesome i love those guys it's so fun to spin up things in their cloud and quickly lab things so if you did not use them to do this lab try it out again it's a hundred dollar credit when you first sign up so it's risk-free i don't like that term a risk-free trial sounds gimmicky it's not though they're really cool oh and also if you haven't seen my new merch it's the shirt i'm wearing right now comes out a t-shirt and a mug uh networkchuck.coffee check it out and we also have coffee there anyways uh don't forget to hack that youtube algorithm like button subscribe notification bell all that youtubey stuff and yeah yeah that's all i have i promise we're done i'll catch you guys uh catch you guys next time this is cold coffee i've been recording for a while here we go ah cold coffee that's terrible all right later [Music] you
Info
Channel: NetworkChuck
Views: 701,858
Rating: undefined out of 5
Keywords: secure web server, how to secure web server, secure apache server, secure linux, linux server hardening, secure linux server, linux web server, cloud hosting, how to secure web server from hackers, securing linux servers, kali linux, how to, secure ubuntu, secure debian, secure kali linux, protect linux server, server hardening, free linux server
Id: ZhMw53Ud2tY
Channel Id: undefined
Length: 23min 15sec (1395 seconds)
Published: Thu Mar 18 2021
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.