How to secure a Linux server (Debian) – Full Video

Captions
Hello everybody, and welcome back to another tutorial. Today we are gonna be working on Linux servers and how to secure it. This will be done in a Debian kernel based server, so this guide is pretty much meant for anybody who's using Debian, Linux Mint if you want to make that a server, Ubuntu 18.04. If you're gonna use CentOS, Red Hat, Fedora, Arch, this guide will still technically work for you; you would just have to make sure that your commands are the same as in there. For example, when we install software in Debian we use apt for our installation, whereas most people who use CentOS and Red Hat will use yum. So before you go ahead and, you know, follow this guide along, I would recommend making sure that anything that I do in here will work on your server that you're working on at the time being. Also, I do want to let everybody know that this is in no way a means of guaranteeing your server is 100% secure, obviously, but this is the basic fundamentals that you need to be able to actually lock your server down.

A few things we're gonna be going over will be disabling root, making sure you have static IPs, how to create SSH, how to secure and encrypt your SSH using encryption keys, adding a few extra security features on there to stop DDoS attacks and brute-forcing, installing fail2ban to again stop DDoS and brute force, and then enabling your firewall to pretty much block everything outside of the ports you're using, so that there's no random port that just happens to be open. For example, if somebody came and installed something on your server that, you know, connects to the internet, you want to make sure that port is guaranteed to be blocked unless specified in your firewall, so nobody can go ahead and remote access into your system.

As a bonus I'm actually going to show you how to create an encryption key using PuTTY and PuTTYgen on Windows. Even though we're using Linux servers more and more today, people are still using Windows client computers as well, so in that case a lot of them do not
know how to create an encryption key to a Linux server. We can do it with a Windows server very easily, but maybe not a Linux server. So this video is going to actually show you how to install PuTTY and then how to actually make an encryption key for your PuTTY and then put it on there on the server, and you're good to go.

So first thing is first: I'm gonna be doing this on a virtual machine like I do on all my videos. If you look up here we have Debian 10, which is gonna be our server, and I went ahead and installed Linux Mint as a client, because you do need to have at least a client to test your SSH keys. I'm also doing this on a Windows laptop at the moment, so I also have PuTTY installed to show you what happens when you try to log in after you do the encryption keys and you lock all your settings down, to show you that it does fail and everything else. And like always, everything we discuss in the actual video here will be down in the description below.

OK, so this guide that I actually went ahead and wrote, we'll go ahead and scroll through real quickly. It gives you everything you need. So we have your prerequisites, where I'm going to show you exactly all the information I'm using, and I left a spot over here for anybody who wants to follow along, anybody who wants to use this guide, to be able to, you know, type in your actual own information here, so that when you're doing the guide, you know, with the slip, like for instance every time you see the word admin, you know that's the root admin that you're gonna create, unless you chose admin, then you can. My root password will be password for the video. I do not recommend anybody to use this as your actual admin password, that is ridiculous, but I don't feel like making a really detailed encrypted password for no reason. Then as we say down here, if you don't have PuTTY, I actually have links to the 64 bit and the 32 bit PuTTY, which will give you PuTTYgen and all the other programs you need to be able to create your new encryption
key on Windows. And then basically each step will show you exactly as we're going to go through. So for example, step 1, we're going to check our disable root, and as you can see here, the way I have the guide set up is this is what your terminal is going to look like, so mine would be root@debian, and then this right here will be the commands you're going to type in. So anything that you see in blue is the command you're going to write. Now you can see here, mine, I added admin, so in the case you decided to switch up a name and choose a different name, obviously everywhere here this admin will be changed to something different.

Then we go on to step two, which is creating a static IP using command line, but I also throw in an extra for the desktop GUI, because I am using the GUI, so it makes it a little bit easier. So I quickly wrote out a guide showing, you know, obviously pictures on how to actually set up your command line, I mean your network interface, through the desktop. The next thing we have is static your network through the command line in Debian, so I show you how to figure out your IP address, your Ethernet name, and pretty much walk you straight through on how to go ahead and set everything up. Here is a before and after picture, pinging to make sure everything is working. And then I throw in an extra for Ubuntu 18.04, because if you are going to do this on Ubuntu 18.04, they started using netplan, which became more of a nightmare, I feel. So anybody who was actually doing this and they're actually doing this on their, you know, Ubuntu 18.04 server, you're not going to be able to do what I did up here, so I went ahead and actually showed you the commands on how to go ahead and set up your network configuration.

Okay, and then after that we get into our SSH encryption keys and how to make that, and then we get into extra security features to sit there and stop, you know, DDoS attacks and no spoof, installing fail2ban, installing your firewall or configuring your firewall if you already have it
installed, and then how to do your encryption with PuTTY. So a lot of it is very straightforward. This guide is available for download in the description below. So enough talking, let's go ahead and get this going, because that's the reason why you're here.

Okay, so the first thing we're going to do is we're going to static our IP address. Now you have two ways of doing this: you have a command-line interface and you have the GUI desktop interface. As you can see here I'm using the desktop interface, so I'm going to go ahead and do it this way. So if I want to go ahead and change my IP address, I scroll down here to the network connections icon and click Edit Connections. You can also get to it through System, Control Center, and then Advanced Network Configuration. Then from here we're going to select our network adapter, which mine is called Wired connection 1, and then we're going to go ahead and edit the selected connection. Now in here you have a bunch of different things you can choose from, but the only thing we're worried about here is IPv4 settings. Well, IPv6 you can go ahead and disable if you want to. Let's... hit the wrong one. So you can go ahead and hit Ignore if you want to in that case, but it doesn't matter.

So for here we're gonna change our method to Manual and then we go ahead and type in all our information here, so 192.168.3.10. As you can see here, that is the static, gateways and everything that I've received for this video; your information will more than likely be different than what I have. My netmask is 24, or you can type in 255.255.255.0; the Linux system will take, you know, will understand both methods. And then your gateway would be whatever your gateway is. Now down here for your DNS servers, you're always going to want to put at least your router in, and you can leave it at just your router, but I've always liked to have two, because in case there's something wrong with my router or it's not working properly or some kind of configuration, at least I have an external one that's
being able to show me that Google is still working and outside connections are still working. And then from there we're gonna hit Save. We can close out of this video by this box here, and then right here where it says Enable Networking, we're gonna go ahead and turn that off and then turn it back on, and that's just a quick easy way of actually setting an IP, a static IP.

But if we go to Applications, System Tools and Terminal (again, I'm using the MATE version of Debian; you could be using GNOME, KDE and whatever the other one was, I forget), so all you have to do is pretty much get to wherever your terminal is and open it up. So it might be a little bit different from your desktop, but the network connection is the same if you run a desktop. So to go ahead and test to see that our network connection is good, we're going to type in ip a, and as you can see here my internet is static to a 192.168.3.10 at subnet 24, which is what I chose. Now just to make sure everything is working, we're gonna go ahead and ping our router, we're going to go ahead and ping an external DNS, and then we're gonna go ahead and ping a URL; I usually do ping Google. Perfect, everything is up and working. If you did not receive the same message as I did, where everything is successful, please go back and check your network configuration.

Now if you're using Ubuntu for this video, obviously there's a few extra differences, as you can see here inside your configuration. Down here where it says install Ubuntu, you're gonna have to actually go through static and using netplan, and then you're gonna have to go ahead and edit your netplan to look very similar to what I have on the screen here. Okay, now to let you also know, netplan is very finicky: you cannot use tabs, you can't, you know, break the indentation, so what you see on my screen right now is exactly how to configure your Ubuntu interface on command line. With Debian it's a little more lenient, especially with the older network configurations, how they were set up, but
with Ubuntu and their ridiculous netplan setup they're doing now, if you use tab instead of spaces, it will not work properly, it will give you an error. If you put the indentation wrong, like for example if this was further in or further out, you would get an error message and it would not work. So it's very, very finicky on how you want to set everything up, so make sure if you're setting yours up to do it pretty much exactly as I have done it here if you're using Ubuntu. And then the same thing, you're gonna go ahead and hit sudo netplan and you're gonna go ahead and apply it, and what it's gonna do, it's gonna fix it. Now if you did everything correctly you will not have anything shown, as you can see here; what it's gonna go ahead and do is it's just gonna be blank. But if you did do something wrong, it's gonna go ahead and tell you you have an indentation problem. That's 99% of all errors: you're gonna get an error saying can't apply netplan due to indentation, and then it'll tell you that, hey, your address is not, you know, indented right, or you hit tab instead of spaces. It is very painful. And then you're gonna go ahead and restart your, you know, resolve config file as well.

OK, so now we're gonna go ahead and disable root. We cannot delete root, and we would not want to delete it, but there's no reason to keep root enabled, and also it is a vulnerability issue for some people, because if somebody's able to guess your root password or get into root, they are able to go ahead and, you know, cause, you know, havoc on your server. So the best thing to do is to disable root access for logging in, and then later on we're going to show you how to remove root from either accessing it remotely as well. But for right now we need to create a new user. The new user we're going to use is admin in this video. You can choose any admin you want or any user name you want, but for video's sake we're just going to use the word admin. So to do this we're going to do adduser, space, and then
we're going to type in the name we want to use. I want to use admin. Press Enter. Now you're gonna be prompted for a password. Now this is gonna be your new super user root admin, so make sure the password is very secure: use exclamation points or special characters, capital letters, lowercase letters, numbers, make sure it's, you know, 12 to 24, you know, password, you know, for your situation. For this video I'm just gonna make it very easy for myself; as you saw, I just made it password, but I do not recommend you using password. Use something that's difficult to guess; the more stuff you put in there the better it is. So we're gonna type in our new password, type in another new password.

Alright, now what we're gonna do here, it's going to ask you for the credentials of the admin user. For the most part leave them all blank; unless you want to fill them out, you're more than welcome to. Like for me, I can type in VMware advisor, my room number is 427, my work phone number is eight eight eight five five five seven three five six, we'll just say home phone number five five five one two for other, and then there we go. So if you want to fill it out you can, similar to this, but you don't have to. Most people usually leave it blank, because say for instance you're working for a company, you went ahead and created this information, you don't want to leave your personal information there, especially if you happen to maybe move on to bigger, better things or something ends up happening where you are no longer with the company, you don't want to leave your stuff there. So it's easy to leave everything blank, but if you do want to fill it out, this is pretty much the proper format you can fill out. Press Y, the information is correct.

Now the next thing we've got to do is give myself super user, Pat admin, well, pretty much give myself sudo rights. So I've got to be able to turn my admin, who is now just like any old everyday user. So I type in su admin, okay, and if I type in sudo whoami, type in the password I created: admin is not a sudoer and I've been reported to the, you know, admins. So mainly in this case right here it's letting me know that I actually do not have root access, it's just a waste. So go ahead and press exit to go back to your root@debian.

Now for here we're gonna have to go ahead and give myself, like I said, sudo access. So the easiest way of doing it is typing in usermod -aG sudo admin, and a very simple breakdown of what this means is: usermod means user modification, the -aG means add to group, and then sudo is obviously the group name, and admin is the user you want to add to the group sudo. If everything's done correctly you press Enter and that's it. If you have a problem with it or you've done anything wrong, you'll be greeted with an error saying either it's already been added to sudo, a missed syntax, or something of that nature, so just make sure you pay attention to how we're filling it out.

So now we've got to go ahead and test to actually see if admin has sudo like we did before, so su - admin. Okay, now you see I'm a sudo admin right now. Now I type in sudo whoami again, type in my password, and if you get it correctly you'll be greeted with the word root. If you don't put the word sudo in front of it you'll be greeted with admin, which is exactly what you are, but we want to make sure that when we type in the word sudo at any time it automatically believes we're going to be root, and that's exactly what we want. To also further test it, you can always type in sudo apt update, and if it goes ahead and updates your repositories then you know that everything's done correctly. Now in this situation, if you're going to be doing this on a CentOS, that command will be wrong; it'll be sudo yum update, I believe. Again, so make sure you pay attention with certain things in the actual guide here.

Okay, so now we have to go ahead and disable root, but we can't do that while we're logged in as root, so what we're gonna do real quickly is we're just going to log out, log out of root, then
we're gonna log back in as our new admin account. So as you can see here we went ahead and logged in to a new account; my desktop background is different, so we know this is not some kind of trick, and you see I'm logged in as admin. So first things first, open up terminal again. Alright, so now again I want to test to make sure that it wasn't a fluke, so sudo whoami, my password again, and I am root, so perfect.

So now we have to disable the root account. So what we're going to type in is sudo usermod -p ! root. Now again, a very simple way of breaking this down is, well, one, sudo means super user, okay, for lack of better words; usermod is user modification; the -p stands for password, okay; and then the, you know, exclamation point, well, actually I did that wrong, I'm sorry, the exclamation point in this situation means to disable. Now what it actually does is scrambles the password and generates a random password that is pretty much impossible to just randomly guess; even brute-forcing would take a long time to figure it out, and that's the main point of this, and we'll put lion to root, so technically root will be no longer allowed. And what this actually does, it pretty much disables the account, because it doesn't understand what the password is and it just makes it, you know, unreadable, so you can't log in.

So once we go ahead and we do this we're going to press Enter, and then if you've done it correctly it will just go ahead and bring you up a new terminal. But I want to test to make sure that my root is not going to be able to log in, so what I'm going to do is I'm going to type in su root, same thing we did before with our admin. We're gonna go ahead and type in our old password, and you can see we have a failure, and that's exactly what we want to see. So again, if you just want to also see if, you know, maybe we made a mistake here: su root, password, I'm gonna put the exclamation point in there like we did, just because, you know, maybe it changed it to the exclamation point, and
again it failed, so everything's looking good with that. Now if you ever want to bring back the password for your root, all it actually is is a very simple command from your admin: you type sudo passwd and you'll type in the word root, and then once you press Enter you'll be greeted with a new password, and then that's all you do. Now root is able to be successfully, you know, accessed. Now su, then we're gonna go ahead and type in root, and you see root has now been enabled. So I'm going to go ahead and disable root again.

So to recap what we have done so far: we have created a static IP for our new server, and we have gone ahead and deleted, or disabled technically, our root account and created a new admin account, which will be our new root for the server. The next part of the video, we're going to install SSH, which is OpenSSH server, and then we're going to log in to our client machine, and then we're going to create encryption keys from our client to our server, and then after that we're going to locate the SSH config and we're going to alter the file a little bit so that the only way we can log in to the server would be through our encryption keys only. So if we don't have an encryption key we will be unable to log in to the system. Okay, so let's start that process.

Okay, so what we're going to do here is we're going to install OpenSSH server, and then we're going to alter the configuration file, and then we're going to log in to our Linux terminal on our client PC, not on our server, our client. We're going to generate a new key and then we're going to transfer it to the server, so that the only way we can log into our server via SSH will be our new key, and then we're going to test everything in the end. So first thing is first, we have to make sure we have OpenSSH server installed. Now if we go back to the guide that is down in the description below, the first thing we can see here is we have to install OpenSSH server. Now by default most servers already have this installed; it may not be enabled on some of
it, you may have to enable it, but for the most part it's always been installed. But we don't have to worry about enabling it right now, because we're going to actually alter the config file before we do anything as well. So first thing is first, let's just verify we have it installed, so sudo apt install ssh, I'm sorry, openssh-server -y, and it said it's already been installed and it's the newest version, which is good. If yours is not, it will go ahead and go to the update process, which will only take a few moments to do the installation.

Now what we have to do is we want to change our port. Now the default port's 22. Now every person that has Google can figure this out. By default we do not want to leave any ports as default, because we don't want to leave it vulnerable, especially since we're going to be allowing this access to the outside world. I don't want to leave it at port 22 because that's just giving people a very easy way of getting into something. So if I'm trying to, like, compromise your system here, the first thing I'm going to try to do is I'm going to try to attack root and your SSH port. There's a very good chance you're not sitting at your servers all day long; you're using some kind of SSH software to connect back and forth to your Linux terminals and you're living in your Linux servers. So I want to change that to something else. Now the port that I chose is 2200. You can choose any port you want as long as it is not a default port, example 22 23 53 84 4 5 480 647 and so on and so forth; it all depends on what it is, but try to pick something that has 4 numbers, so example 4598. Look at that, that's a random number, that's a good thing, and it's gonna make it more difficult for me to figure it out, which is again much easier for you to not have to worry about somebody always trying to hack the system. Again, this is no guarantee that somebody can't figure out your port; it just takes them longer to figure it out, and that's what our main goal is: to put so many different blocks in
front of somebody that they just get tired of trying and then move on from there.

So very simply, it's going to be sudo, now the text editor I like to use is nano. You may choose any text editor you want, like vim or vi or whatever, but I always like nano, always used it, so to me, I'm going to stick with nano. And then we go to /etc/ssh/sshd_config, press Enter, and then you'll be greeted with this page. Now we're going to come back to this a little bit later, towards the end of this portion of the tutorial, but right now I wanted to get my port changed automatically. I want to make sure that changing the port's gonna actually work right out of the box, so if I don't do anything else besides changing the port, at least I know that, you know, at least I'm somewhat more protected than just having a blatantly open 222. So you're going to scroll down to where it says Port and you're going to remove the hashtag by deleting it, then just changing the port to whatever you want. So like I said, if you want to make it fit 4583 you can, there's no problem with that, but to keep the video simple we're going to just add zeros at the end of it. Then you're gonna press Ctrl+X to save, Y, and Enter.

Now we're gonna have to go ahead and restart the SSH config, because it's honestly not going to figure this out yet, because it's already even started, so it's not, so whatever we do in that config file will not take place until we restart the system or restart SSH. So it's a very simple command, it'll be sudo, if I can spell, systemctl restart ssh. Now, very simple command: sudo systemctl, which means, handles all the services, we're trying to restart the SSH service. Press Enter, and as long as you're greeted with nothing besides, as you can see on the screen here, another blinking cursor, everything worked out well. If you ended up getting some error message, you need to go back to your SSH config file and then correct whatever error that you're actually having. Now if you want to see if it actually is actively
running, you will go to sudo systemctl status ssh. Now because we restarted SSH you should now see where it says active on my screen; it should say active on your screen.

OK, so what we're gonna do now is we're gonna go and log in to our Linux terminal on our client PC and then see if we can SSH into our new server here. Okay, so I'm now logged in to my client PC and then I'm going to open up our terminal. So as you can see here I'm using Linux Mint. Again, there is no, OK, as you can see I have a different username, different setup, so there's no trickery going on here. So the first thing we want to do is we want to test to make sure port 22 is actually not accepting communication. So ssh, you're going to type in the username and the IP address of the server you're trying to connect to, and that's it. So if you don't change the port 22, this is how you get an SSH into the server, or into any computer technically, if you don't change port 22. So we're gonna press Enter, and you can see we have connection refused, because it's not accepting an answer on port 22, which is exactly what we want. I wanted it to sit there and give me that, so at least I know that my config file has been applied to my SSH server.

So to go ahead and actually connect to it, well, we're going to type in the same thing, but we have to add which port to connect to. So you're gonna hit space, -p, which means port, then type in the port that you want to go to, so space 2200 for me. Press Enter. You're gonna be prompted with an encryption key fingerprint. You have to press yes or no, or type yes or no, so I'm gonna go ahead and type in yes. If you just type in Y you just get an answer saying you have to type in yes or no. Then you'll be greeted with the password, so I'm going to type in the password, and there we go, we are all good to go. So now I'm able to log into it. If I type in top I see all the system that's running on there and we're good to go. As you can see here up top it does now say admin@debian, which is the server I'm
working on.

So what we're going to do now is we're going to create the encryption key, and the encryption key for the server is very simple. So what we're gonna do first is type in exit, because we want to log back in, whoops, we want to be logged back out of the server and back on our own. So as you can see here I'm now locally connected, but if you want to be sure you're not connected to the server, very simply close out of the terminal and just open up a new one, it's perfectly fine. So first thing is first: now considering we already tested SSH, we should now have an SSH folder already built into the system. To verify that, very simply just type in cd .ssh. Now if you go into a folder that actually has that .ssh you should be good to go, and what that means here is that we went ahead and already SSH'd into another computer and it's created a, not a folder but a file called known_hosts, which means that it's already connected to the host back and forth.

Okay, but we want to now create an encryption key for our server. Now I went ahead and made myself some notes over here just to make it easier for myself, so we're gonna go ahead and move things around just a little bit for us. Okay, so the first thing is we have to now create the encryption key using RSA. Now there are a few different encryption keys that we can use, but in this video we're going to use an RSA key; that's the simplest at the moment. So we're going to go ahead and copy and paste that right into our terminal exactly as is. We do not need to run it as sudo; it can't be run as sudo, it's going to break the encryption key and we're not going to be able to log in anyway. So we go ahead and type in ssh-keygen -t rsa. Pretty much what this command is: we're going to create an SSH key, well, we're going to generate an SSH key; the -t stands for which type, and the type we're going to use is RSA. Press Enter. Now the next parts are going to be fairly simple. Where do we want to save the file? We want to save in .ssh
folder, which is perfect, so we're going to hit Enter at this point here because we want to save it in the default, which as you can see here is our default location.

Now this is an option for most people; I like to put this on only because I feel it adds an extra level of security: enter passphrase. Now when you create the encryption key and you put it over there and you don't put a passphrase, it automatically logs you in as long as the credential is correct, the keys are matching. So when you go to log in it's not going to ask you for a password anymore, you know, it's just gonna say, yep, he's got the public key, he's got the private key, we're good to go, log him in. I like to add this because what it does is it says, hey, what's the password for the encryption key, and then if they don't know the password they still get blocked from this server. So this is up to you and how you want to do this, depending on what kind of level of security you want. Me personally, I like to put a passphrase on here. So a passphrase could be any password you want. If you kind of want to make it the same as your admin password, you can, that's on your server; I don't recommend it, but you can do it that way as well. You'll be prompted to enter the same one again, and then you'll be generated your fingerprint key. Now you don't have to use a passphrase; if you don't want to use a passphrase, just hit Enter at both of them and it's just going to skip past it, but me personally, I like to always put a password on there.

So as you can see here, it went ahead and generated our key; there's our random key, our image, and then we're all good to go. Now you can go ahead and steal this information, it doesn't bother me because it's not going to work, but this is something you would not want to show people in the real world if you're using a live environment. So very simply, if I type in ls right now, because we are still in the .ssh folder, you can see now I have three files in there: the id_rsa, which is the private key, and the id_rsa.pub, which is
the public key. The public key is the key that we're going to give out to the server.

So the next part of it is, I'll go ahead and actually write this out: ssh-copy-id, which means we're going to copy an ID through SSH. The actual ID that we're going to copy, which is -i, will be in .ssh, id_rsa.pub, which is where we say we want to copy the public key over, and then it's going to ask where, which server, so I want to do it to my admin server at 192.168.3.10 on port 2200. Make sure you do this correctly, because if you make any mistake, so you put it to the wrong folder, you do anything like that, you're going to pretty much botch up your host server, then you're gonna have to go back to your server, remove SSH and then go ahead and reinstall it, or pretty much remove the keys and how SSH to go ahead and fix the problem you're having. So make sure that when you're doing this you're copying over the public file and that you're doing it to your correct information. So mine again is admin@192.168.3.10 and the port that I chose is 2200. So make sure everything is correct, press Enter. You'll be prompted with the password for your server, so it's asking me for my admin password on the server, so I'm going to go ahead and type that in, and now it says that everything went ahead and we're looking good.

So now we have two ways of logging in. The other way, which we already did, which I'll show you, the original way, which is ssh admin, let's go ahead and copy that, I can just go ahead and show you over here as well. Okay, so you have two ways of doing it still: you have our traditional way that we did the first time, but now with the encryption key it gives you a very special way of actually logging in. So ssh -p and then the port, which is 2200, and not this code, so we're going to go ahead and try to use this exactly as you see here, so make sure you have your quotes in there and so on. Press Enter, and it's not functioning for some reason, so let's, oh okay, forgot to put a space in there. Okay, so now as you can see
here I have my private keys locked. So if I'm unable to enter this key, so let's say I'll just type in the wrong one, I get an error saying I can't log in, and as you can see here, failed to log in. Let's go ahead and close. Now let me go and try it again, type in the password that is correct. Now I can do this as well: automatically unlock the key whenever I'm logged in. That's a preference for anybody else. Me personally, I usually have that turned off, again, more security. So somebody's actually had my computer, okay, they can't just automatically do this because, aw, he's stupid enough to leave the password, you know, logged in every time, good for him. And there you go. So if you see here, it went ahead and logged me in and didn't ask me for the admin password because the keys were correct.

Now you still can log in, so I'm gonna go ahead and exit this. You can still log in though using clear text password. So if we do, where is it, the original way, well I'm 40 on here, it's not going to show me that. So let me just go ahead and bring out PuTTY real quickly, and I'm going to show you on PuTTY that even though I don't have a key on my Windows computer I'm still going to be able to, you know, SSH into the server. Okay, so I have PuTTY open here on my Windows client, so I'm going to type in 192.168.3.10, which is the server, at 2200. There is nothing else added to it, there's no special keys, I can put any encryptions on it, as you can see authorization is all set to blank. Hit Open, login, I want login to the admin and the password, and as you can see I'm still logging in. And this is something we don't want to do, because there's no reason then to have the encryption key if we're still going to allow people to log in, you know, using the regular clear text passwords. So I'll go ahead and close that.

So as of right now we are all done with our Linux terminal on Linux Mint. Then we're going to go back to the server and then we're going to edit the config file just a little bit more, and then we're going to come back to the file
here, I mean to the client here, and then we're gonna go and test out the encryption keys on both the Linux terminal you see here and the Windows PuTTY to see if we went ahead and locked our SSH configuration.

Okay, so now we're back on the server, and what we're gonna do now is we're going to go back into our sshd_config file and we're going to edit a few things inside here now. All right, so let's go with my little guide here. All right, so when we get to here we're gonna now want to change a few things. We're gonna want PermitRootLogin to no, PasswordAuthentication to no, UsePAM as no, okay, and then we're going to want to add a user list and a deny list as well to it. So say you have multiple users on your server, you would only want, say, the admins to be able to SSH into it, nobody else can, or nobody else can use other users. So when you put an allow list in there it only allows whatever's on that list to connect. So if I want to try to log in as root or, say, another user, if it doesn't actually match the allow list they're not gonna let them in no matter what, even if they have the encryption keys right and so on and so forth. Same thing with the denied user list: when you deny a user, if he has all the correct encryption keys and everything else, if he's on this list down here he'll be kicked out.

So I'll give you a quick example. You have admin, you have Joe and you have Jeffrey. All three of them were on the allow list, but now Joe quit, so we're gonna put Joe in the deny list because we're not sure if Joe has his keys on other computers or whatever he may have done. Now can we check for it? Yes, but we really just kind of want to get them and right away while we go through the system. So when I go ahead and add Joe to the denied user list he will be automatically, you know, prompted with all the same stuff, so you'll add the encryption, the password will come up, but once it goes in and checks this file here and realizes that Joe's in the denied list, it's gonna automatically give him an
authentication error, meaning that he's on the denied list and not allowed to connect. In that case right there he'll know that, you know, he's no longer allowed to do what he has to do and he cannot cause any harm to the system if he, you know, deems necessary.

So what I'm gonna do here is we're gonna go ahead and maximize this screen and then we're just gonna do a little bit of scrolling. So we're gonna scroll down, okay, to authentication here. Now authentication, you can see, has PermitRootLogin, so we're going to delete the hashtag so now it's active, and we're going to change it to no at the end, so delete everything at the end and then change it to no. Now the next thing we're going to look for is PasswordAuthentication yes. Now as you can see here, this pretty much disables clear text passwords, and we don't want clear text passwords to be allowed to be used on our server, so we're going to go ahead and uncheck that and change that to no. We also want ChallengeResponseAuthentication set to no, but with the newer version of SSH it actually has it already set to no, so we don't have to worry about that. Now at the bottom here you have UsePAM, and again we're going to change that to no. So right now we've pretty much removed any way possible that you don't have an encryption key on here, and we turned off password authentication and challenge-response, turned off on both of them, and then we don't allow root to log in. When we set PAM to no, it pretty much just says, hey, if you don't got an encryption key we can't let you in at this point.

Now a few other things you can do here is the X11 forwarding. If you don't use it I usually turn it off, so I set that to no, but this is optional, you don't have to, it doesn't affect it gets locked it we're gonna use X11. And what X11 does means if I'm able to log into your server I'm able to actually open up, you know, screen capture technically through SSH. It's pretty cool, you can use it in some ways, but I usually turn it off
because I don't bother. If you're gonna use SSH you're going to use the terminal, we're not going to open up Dolphin and all that stuff and Program Files.

So the last thing I do is create our allow and delete user, or deny user, folders. So all the way at the bottom here, as you can see I can't go any further down, we're gonna type in exactly what you see, so hashtag AllowUsers, and underneath that we're gonna type in AllowUsers just as you see there, and we're gonna type in the user name exactly as you created it. So I created mine all lowercase, so I'm gonna make sure it's all lowercase. If you make it capital it's not gonna work. And then the same thing with DenyUsers: another hashtag in front of it, type in DenyUsers as you see here, and type in the word root. So now what we're gonna do is, once we did all that, we're going to Ctrl+X, press Y, Enter to save it, and then we're going to go ahead and restart SSH again, and if we want we can verify the status, as you see it is running.

So now what that went ahead and did was it disabled pretty much any other way we can get onto the server without an encryption key. Now if you want to add an encryption key to the server you will have to go back in there and re-edit them. So say for instance if you are going to want to add an encryption key, you can go and manually copy and paste it directly over to the server, but in Windows you can't do that, well you can, but you can't just easily go, you have to copy and paste it. If you're on a Linux server you can still SSH the key over to it, as long as all the credentials worked it will accept that information still. So if I do the ssh-copy-id to that server, as long as everything's, you know, valid, it will accept that, you know, that method of installation, because unfortunately other than that the only way to install an actual key is to come here and physically do it. So as I'll show you real quickly, all your keys are located in this folder under authorized_keys, so if I go ahead and open it up
there's my key, as you can see, for my Linux Mint. So if I want to add another key I would just have to pretty much copy and paste it into here and then save it, and then from that point we're good to go.

So what I'm gonna do now is I'm gonna hop over to my Linux Mint terminal and I'm going to go ahead and try to SSH back into it again to make sure, one, I can still connect, and then after that we're going to log in to our PuTTY through our Windows terminal and then we're gonna see if we can connect through that as well. We should be denied through Windows and we should be allowed through Linux, so let's hop on over and see if that's the case.

Okay, so now I'm back over here on my terminal for Linux Mint, and then we're going to do what we did before, so ssh -p on 2200, admin at 192.168.3.10, press Enter, and then look at that, logged in directly with no questions asked, no reason for any kind of passwords because we've already verified all our passwords and encryption keys. So I like this, this is very good, we're looking good.

So now we're gonna hop in on our Windows SSH client and then we're gonna see if we get the same exact message as we got here. Okay, so as you see here I have PuTTY up and open, and let's go ahead and try to see if we can get into it now. Again, just to show everybody here, I don't have any authorization keys put in, nothing installed, so this is just as vanilla as we're gonna get. Okay, we're gonna go ahead and click Open, login as admin, and there we go: no supported authentication methods available, server sent publickey. So what that means is that it doesn't have a public key or private key associated with this server to this terminal in Windows, so it's not going to let me on the server. So with that I think we actually went successful here.

So to recap what we did in this section: we went ahead and installed OpenSSH server, we went ahead and created an encryption key on our client for Linux to our server, we verified and tested that it worked, then we went ahead and
configured our SSH config file to block any kind of clear text passwords, anybody that's unauthorized and pretty much anybody that doesn't have a key on the server, and then we went ahead and tested it again to make sure that it worked on our Linux server, or our Linux client, and our Windows was denied access completely. So our next portion of the video will be installing the extra security features on our server as well as installing fail2ban and ufw, which is a wing Linux firewall, so let's go ahead, hop on over on our server and let's finish this video up.

Okay, so what we're gonna do now is we're going to enable a few extra security features on our server as well as install two pieces of software, fail2ban and our ufw firewall. Now to quickly go over what fail2ban and ufw is: fail2ban is an IP monitor that monitors all your logs and tests to see who's trying to pretty much brute-force into your system. So if I tried logging in like three, four, five, six times with the wrong password, it's going to go ahead and ban the IP address. It only bans it probably for maybe a few minutes, you know, five to ten minutes max, and what that does is, say for instance if I'm actually legitimately trying to log in and I forgot my password, it will go ahead and re-enable my IP address so I'm able to log in, but if you're trying to brute force and you start getting all these banners you're gonna more than likely probably stop trying to log into the system. So that's what fail2ban really does. You can also do a few edits in the config files and everything, but I will not go over that in this video to try to keep it as short as possible.

And ufw is basically the Linux firewall. What that will go ahead and do is it just pretty much enables your firewall, and we're going to allow select ports, for instance our SSH port, our HTTP port and our HTTPS port, as well as a few other ones that we want to later on down the road. It'll also go ahead and lock our global connection for incoming so that only select
ports that we allow to come into our port will be allowed, and they'll go ahead and enable all outgoing because we do want to communicate with the outside world.

So pretty much, if I go here and look at the guide I created, the first thing we're going to do again is enable the extra security features. Now it's a very straightforward way of doing it, we just have to go into the system control config file and just unhashtag a few, you know, configurations in there. So for us to go ahead and do this we're going to type in sudo nano /etc/sysctl.conf and type in our password, and then we're going to be greeted with our config file. Now in here, this pretty much controls how the system wants to work, especially when it comes to networking.

We're going to go ahead first off and enable spoof protection. So you scroll down here, we have these two here that are checked off, or hashtagged off. We're going to remove the tags for them, and what this does is it just enables spoof protection against our server. Alright, then after that we're gonna want to go ahead and go further down, doot doot doot, keep going, keep going, and then we want to go ahead and untag the MITM, which stands for man-in-the-middle attacks. We want to go ahead and pretty much pull them all so that we do not have to worry about too many pings, pretty much for your ICMP, and redirect it back to them.

Now the last three things you want to go ahead and enable is, we want to enable the blocking for ICMP redirects, which is ping, and it says here we're not a router, and this server is not a router, so this pretty much blocks all ping attacks directly to the services, prevents brute-forcing and DDoS attacks as well. And the same thing here with the IP source route packets, we're gonna go ahead and untag them because again, as it says, we're not a router and the server is not a router, so there's no reason to go ahead and keep them disabled. And the final thing we're gonna want to do here is to log all Martian packets. So Martian packets are
pretty much as they are, they're packets that we're not really sure where they're coming from, they haven't been, you know, blacklisted or whitelisted at the moment, so we want to be able to take a log of it, so in case it's an IP that does get through for whatever reason we're able to figure it out and, if we want to, later on ban and block it. So that's actually all we have to deal with in this system control config file here. Once we go ahead and pretty much remove the hashtags of all of them we can go ahead and save our file, and you can see, very simple, very easy to go. And if you go into here on our actual setup here, I went ahead and broke it down for anybody that wants to go look at it, so in the file, when you see this section here, this is what you have to untag, and the same thing all the way down.

The next thing we're going to want to install is fail2ban. Now as I said before, fail2ban is pretty much a software that monitors your logs and verifies anyone who's trying to brute force into it with too many failed authentications to the server. This is very good for most people, because if you do know your password there's a very good chance you're logging in, and if you have an encryption key you should be allowed to log in. If you don't, more likely this person is trying to do some kind of malicious intent to your server to cause harm, and we don't want that. So very easily, it's sudo apt install fail2ban -y, say, well, yes, and then we'll go ahead and wait for it to finish installing, which only takes roughly around a few seconds. I'll go back to our file here.

Now once it's installed it should automatically enable itself, but I also went ahead and wrote the two scripts here to enable and to start fail2ban in case it doesn't. So sudo systemctl, which I believe I'm doing it correct, I could be wrong, and it's correct, enable fail2ban, and then we're going to go ahead and do the same thing, but instead of enable we're going to type in the word start. If everything's done
correctly you'll see the exact same as on my screen here. It'll go ahead and enable the service, as you can see above, and then when you do start you'll never be prompted with anything, but it'll go ahead and let you know. Now again, if you wanna know the status, if it is actually running, just go ahead and type in status fail2ban. Now you can see here the service is actually running, as it says here, and everything is good to go. And that's pretty much it for fail2ban. There's really no command you go into, there's nothing you can change or add to it. Like I said, it just monitors, you know, your IP logs and sees if there's anything that's acting a little malicious or not normal, outside the spectrum of the server here.

So the next thing we're going to do real quickly is install ufw and then configure the firewall to allow select rules. As you can see here, we're going to deny most incoming and allow all outgoing, and then we're going to go ahead and enable the ufw. So first things first, sudo apt install ufw -y. Okay, so now we went ahead and enabled it, so we can go in and actually start the process now, but the thing is I like to configure the firewall rules before we start it so we don't have to keep restarting the service every time we do it.

So the easiest way of doing it, as you can see here, is just adding your actual, you know, your ports available right now. Now as you can see, I have two different styles of port configuration: one is limit and one's allow. What limit does is it actually limits the amount of connections allowed per, you know, per port. So we're telling it that on SSH to limit the amount of connections from user to server. I do believe that they're actually specifying in the config file what the limit is, but I believe the maximum limit is 3, but you can change that at any given time, you can make it 1, 2, 15, whatever you want, but the more people you allow to it, the more chances are you are going to compromise your system. So to go ahead and do that it's sudo ufw limit and
then we're going to type in the port that we want, so my port for SSH is 2200 and my protocol is tcp. Go ahead and press Enter, and then if everything's good you'll be given a "rules updated" and "rules updated (v6)". So we're going to do the same thing for our HTTP and HTTPS, which is sudo ufw allow, because I want to allow all traffic for 80, and then it's gonna be the same thing for 443.

Now you can go ahead and add a few other things. So on this server here I actually have another program called Webmin, and that's actually installed as well, and that uses port 10000, so for me I want to go ahead and use sudo ufw allow 10000 on tcp. Now I can go ahead and change that as well to a limit, and again it will only limit the amount of connections for that port as well, so it's up to you how you want to do it. If you want to know what Webmin is, you can check out my other videos on my channel to go ahead in more detail on how to install Webmin and what it actually is, but to give you a quick summary, Webmin is a graphical user interface through the web browser. So if you're using a command-line-only server and you're not really good at command lines, this allows you to actually configure your server through a GUI via web browser, and you can do it from anywhere in the world, so if you're in the USA and you happen to go to Europe but you need to configure it, you can still do the same configurations, you know, overseas or anywhere in the world.

So the next thing we have to do is configure our global connections. Now very simply, the wrong button, so very simply, sudo ufw default deny incoming and allow outgoing. So it pretty much says that for all our global connections our default would just be to deny all incoming, as per this, and the same thing with outgoing, our default for all outgoing will be allow. So sudo ufw default, and then we're gonna hit deny incoming, as I spelt that wrong, which more than likely I spelt it wrong, go ahead, and I did, so we go ahead and go back, and default deny, and
then you'll go ahead and be given the prompt you see on the screen here. Now sudo ufw default allow outgoing, again, if I knew how to spell we would be good. Okay, so then when you spell everything correctly you'll be prompted with: the default outgoing policy changed to allow, the default incoming policy has changed is it not.

So now that we have our rules and ports and everything configured, now it's time to go ahead and enable our ufw. So now we go back over here. It's very simple to enable ufw, very simply by just typing in sudo ufw enable. Wait a few seconds, and now it tells you that the firewall is active and enabled on system startup. If your firewall does give you some sort of error at this point, please check the log file to figure out exactly what's going on in the ufw folder, but more than likely, if you follow the tutorial that I just did and everything has been successful, you'll be greeted with this successful response.

Now the same thing if I wanted to see the status, I'll just type in sudo ufw status, and then what you see here is all the ports I allowed, available, open. So you can see here I have, you know, my SSH, my HTTP, HTTPS and my Webmin ports all either allowed or limited, and then the same thing on v6. Now my IPv6 is actually disabled, so those, you know, actual rules don't apply at all, but it's still good to have on there in case you accidentally enable them and you're not realizing what you did wrong or what's going on.

Now you can go ahead and check the actual status of ufw in system control, so systemctl status ufw, and you can see here it's saying that right now it's not active, it's not running, and that, you know, it is loaded though. So what we're gonna have to do is we're gonna have to actually start it, so sudo systemctl start ufw, press Enter, and then we check the status, and as you can see now everything is actually good to go and running well. And that's pretty much it for adding the extra features and the firewall and so on. Now you can go ahead and
change anything you want in this. Again, if you want to add more ports to your firewall you would just follow the same system I had going on here when I did the limit and allow and the port numbers. If it's UDP you type in udp, if it's a different protocol you type in the protocol you need, but that's about it, and that's all you really need.

So what we're going to do real quickly is I'm actually going to log in to my Linux terminal on my Linux Mint, I'm going to make sure my SSH still works properly. Now we already know that it's not going to work on Windows because we've already been denied that before we could apply the protocols, so let's hop over to our Linux Mint and try to see if we can still SSH into our server.

Okay, so now we're over here on our client for Linux, and I'm using, as I said, Linux Mint. I'm going to open up the terminal and then, as I did before, I'm just going to go ahead and type in ssh -p, alright, then we're going to do print : knuckle, I'm sorry, quotation, 2200, and then another quotation, at the server I want to go to, admin at 192.168.3.10, press Enter. As you see here, we're still able to log in, so even though the firewall is turned on and active, it knows that our SSH port at 2200 is open and that our encryption key is still functioning the way it should be. And let's head back over to our server real quickly.

So let's go ahead and figure out and kind of wrap up what we've gone through in this entire tutorial. We went ahead and created a static IP, then we went ahead and disabled root and created a new you group user, we went ahead and log and created an SSH server on the server, we created an encryption key from a client to our server and verified it works, then we went ahead and locked down our SSH config file to allow only our encryption from our client to our server, so if you don't have an encryption key you cannot log into the system, or if your encryption key is broken you will have to go ahead and redo the encryption key. We also went and tested on the Windows client to verify that
it doesn't connect, and that was true, it was successfully un-connecting to our server with an error saying the key was invalid. Then we went ahead and enabled our extra security features, which is pretty much stopping pings, DDoS attacks, brute-forcing and so on. Then we installed fail2ban, which again is an IP monitoring software that will ban your IP address if you have too many failed attempts to the server. And then finally we went ahead and enabled our firewall on our Linux server, and then we tested it with our client to make sure that we can still log on from our client, and then we locked down all the ports that we need to and changed our global incoming and outgoing to either deny or allow depending on the access we need.

Okay, so as a bonus, I did say I will also teach you how to connect your PuTTY from Windows over to your Linux server. So the first thing you have to do is make sure you download PuTTY. So I open our web browser, and you can see it's still a part of our secure a Linux server, and pretty much just go ahead and look for PuTTY download, download PuTTY, click here, and then you're gonna want to pick your 32-bit or 64-bit installer. This will give you everything you need with all the utilities, so as you can see down here we'll get our PuTTY, our PSFTP, PuTTYgen and everything else, and your Pageant, but instead of downloading everything, you know, one at a time, it's just better to just download the installer so you can get them all.

Alright, so first things first is I want to open up PuTTYgen, okay, and what PuTTYgen is, it's just a key generator for it. So what we're gonna do here is we're simply going to hit Generate, and then when it says generate here it says please generate some randomness by moving the mouse over the blank area, and the blank area is here, so just pretty much go ballistic. Okay, so as you can see here we went ahead and created a public key, as you can see it's right here. I would not recommend showing this to anybody, but for this video I can because once the
video's up this key gets destroyed.

So there's a few things you may want to do. First off, the key comment: I always like to name what the key is, so for instance Debian SVR for Debian servers, so I know that this key is meant for my Debian server that I'm working on. If you have an actual, like, domain or something like that you can call it DC01, you know, Debian see no is the domain controller for your Debian servers, but for this video we're just gonna keep it simple. I'm gonna call it my Debian server because that's what I'm actually uploading the key to.

Now passphrase is a choice. I like to put it on there for the extra security features. What it does is, when you go to try to use the key and try to authenticate with the server, it's going to ask you for your password to unlock the private key. If you don't actually have that it won't let you log in to the server. If you lose that password you have to go ahead and redo all this all over again, so I don't recommend losing it. This is optional, but I always like to add extra security if possible.

So the next thing we're gonna do in this is we're going to save both the public key and the private key. Now I like to save them in a folder called My Documents under putty, because at least I know where the keys are. So we're going to go ahead, save public key, and you can see here I already had, you know, keys made earlier, but I'm gonna go ahead and overwrite them. So I'm gonna call mine the putty public, because that's what it is, save, I'm gonna overwrite mine, and we do the same thing for the private key. Now you can see it's under This PC, Documents and putty. Now if you want you can create a folder for each key, but that's up to you. So if you have, like, multiple servers you're doing this for and you want to name each server, you can. Me personally, I pretty much use the same private key and just generate, you know, multiple publics in that case, but well, that's not really for this video. So we're gonna go ahead and hit putty private, it's
save, I'm gonna overwrite it. So for the most part we're pretty much done, but what we're gonna do here is we want to copy all this. Now the reason why we saved the public key is because if I want to actually, you know, see, I can load private keys, I can save them and everything else, if I'm having something like that and I want to, you know, add it to it later, I can, so I always have the key. But for this video we're gonna copy this actually to the server right now.

So I'm gonna move this over here and I'm going to open up an SSH into my Linux server that I have, and the server I'm using obviously is Debian. Alright, I'm open, I'm going to log directly into it right now, so we're all good. Now you can go ahead and WinSCP into it as well and do some copy and pasting and just copy the file back over, but I feel this works just as good. So first things first, we have to go into our SSH folder, so cd .ssh, then we're going to press ls to see that we have a file in there called authorized_keys, and that's where all your keys get stored for any client you connect to. So what I'm going to do here is sudo nano to edit the file and type in authorized_keys, press Enter, type in my admin password, and there you go. So now we have one key area for my Linux client I created, but now I'm going to copy all of my Windows one here. So what I'm going to do here very simply is select all, hit copy, then here just go ahead and paste. Now it may paste the way mine looks like this, but if you hit your Home button it brings you all the way back to the beginning, which is what we want. So as you can see here we have both of them in there, nothing got overwritten and we're good. So now I'm going to hit Ctrl+X and then press Y to save it and then hit Enter again to save the file. Now I want to go ahead and restart SSH, only do sudo systemctl restart ssh, so now I've applied the keys and made sure the keys are good. So exit out of this, and then we go ahead and exit out of PuTTYgen.

Okay, so to
apply the actual key and everything to PuTTY is very simple. We're going to go down and actually open up PuTTY, okay, and then what I'm going to do is I'm going to first off type in my hostname or IP and configure the port. Now the next thing we have to do is go down to where it says Connection, and then in here you're gonna see a bunch of different things, so we're gonna go down to SSH, hit the plus, click on the plus sign, sorry, and then we're gonna go down to Auth. Now in here we're gonna go ahead and look for the private key file for authentication, so I'm gonna hit Browse, I'm gonna open up the private key that we saved earlier, hit Open. And now once all that's ready to go, if you want you can go into something out under Data, if you want you can type in admin if that's the normal auto-login name, but I usually don't bother with that because sometimes I use different, obviously different user names to log in every time, but this is pretty much just for this server as we're doing.

So once we go back, we verify that the private key is good, we're gonna hit Open. It's gonna ask you for which name you want to log in as, so I'm gonna put admin. Now see, I have the passphrase for the private key, and that's what it's asking for here, not the password for your admin, you know, your admin password on the server, but asking you for the passphrase to, you know, activate the private key, and there we go. So once I type it in I am ready to go.

Now I'll go ahead, exit, and let me do that one more time, and it should give me an error if I don't type in the password. So I'll go back down, go to Auth, open up the private key and open, type in admin. Now if I type in the wrong password, see, eventually it just will not let me in, so I keep hitting Enter, I can't do it. So until I actually type in the correct password it won't let me into the system at all. It doesn't error me out. You can go in the settings and actually change it to, like, say you do it three times or four times, it'll just no no good, but for this video
I'm just trying to keep it as simple as possible for you. But that is exactly how you can go ahead and apply an encryption key from your Windows computer to your Debian computer.

Now I'll go ahead and open up my actual Debian server here, and then just to prove that we do have our two keys in here, sudo nano .ssh authorized_keys, and I spelt it wrong, which is okay, and there you go. So we have the two keys from earlier. If I look all the way at the end, you can see this is Debian server, which matches what we had originally, so at least I know we're all good to go. And that's pretty much it, it's a very simple process to be able to actually, you know, link them together. You can do multiple keys, you can do a lot of different things as well adding to it.

As well, in PuTTY too they actually have another feature in here where if you go down to Auth and you see where it says attempt authentication through Pageant, you could turn it on and off. Now what Pageant actually is, I'll go ahead and open up my putty folder, so inside putty, if you actually run the private key, so you load in the Pageant, type in the password to unlock the key, if you look down here in my icons I actually now have the key loaded. So if I want I can keep adding more and more private keys to this, and what it will do is it'll actually run a list through all these actual keys to see which one will work on the server. So if you have, like, say five or six servers, multiple private and multiple public keys, having it inside the Pageant key list will actually be very helpful in the end so you don't actually confuse which keys are what. It'll automatically just say, okay, which key is this, so it's a Debian server, it'll run it against this key as well. And that's pretty much it on how to set up your PuTTY with Linux servers.

Well, that will be the end of this tutorial on how to configure a secure Linux server, or technically securing your Linux server. I hope you liked the video. Subscribe, I do post a lot more videos out there, pretty much
showing pretty much the same thing you see here I also do work with pfsense how to configure in networking with PSN's how to configure your virtual NIC editor on VMware Workstation and I do some obscurities like the first ever Ubuntu ever installed the first ever men linen windows beta testing x' from back in the day like neptune and luna and pre luna and then we also do our Windows installation server installation so I try to keep a little bit of everything and all of it is actually done in VMware Workstation so you can copy what I'm doing it also showed you a few tips and tricks like how to make a dual boot in Linux workstation and how to maybe make a virtual then copy it to a real server or just copy it off your virtual on to say like a flash drive and you know install it somewhere else so yeah you always recommend people just check out my videos if you like them subscribe but always put comments and then like always everything we do in the videos is all in the description below so the actual guide that we worked on in the in videos here how to secure a server is actually down below in my action on my cloud server and then you can be able to download this and if you want you can just pretty much skip through copy and paste whatever you want and yeah so until next time guys I hope everybody has a great day and I will see you on the next video
Info
Channel: VMware Advisor
Views: 1,800
Rating: 4.9000001 out of 5
Keywords: vmware, vmware workstation, vmware player, vmware 15, 15, 14, ssh, openssh, ufw, putty, puttygen, sshd_config, Debian 10, server, linux mint, ubuntu 18.04, ubuntu, disable root, fail2ban, encryption, encryption keys, secure, security, secure linux, security linux, virtualization lab, home virtualization lab, Vmware advisor
Id: jKmfZEbnokk
Length: 80min 2sec (4802 seconds)
Published: Thu Mar 26 2020