How To Secure A Server

Captions
In this video I'm going over securing a web server. This is kind of a weird topic, and one that's taken me a couple of weeks to put together, at least some basic steps when it comes to security. I always say no one is ever truly a hundred percent secure, and I'm going to show you what you should be doing, at least for the bare minimum, for securing your web server, and then also, after it's secure, what you should be following up with. Because like I said, security is a moving target and no one is ever truly a hundred percent: there are always vulnerabilities that come out, updates that you should be doing, and then also just making sure everything's tight around your server so that nobody intrudes on it, exploits your website and uses it for malicious purposes. All these things are extremely important, so that's what we're going to cover in this video. So let's go ahead and jump into it.

This video is brought to you by UpCloud, superior cloud hosting with a 100% uptime guarantee. Click the link in the description below to receive a $25 credit.

Starting this out, I went and made a cheat sheet on the website, how to secure a web server, so you can simply copy-paste all of these in and set it up that way, because I think having all these copy-paste commands is so much better in this format. So look for the link below; it's christitus.com, forward slash, secure web server.

With that, I'll go ahead and pull up a terminal, and we're going to secure a basic Ubuntu server today that has some web capabilities. So what we're going to do is pull up this, it's actually going to be my Minecraft PC, and we'll go yes and sign in here. Now this is using just regular password authentication, a brand-new setup, for the most part no security has been done on here, and what we need to do is secure it.

The very first thing we need to do is enable ufw. So what we'll do is simply go in and do that: we'll go sudo ufw enable, and we'll go ahead and hit no to this. Before doing the enable I'm actually going to do a sudo ufw limit ssh, or 22/tcp, which is typically the default SSH port, before enabling ufw. Which, actually, I'm going to change those instructions in the background, because you want to make sure you poke your holes in the firewall before enabling the firewall; otherwise you'll lock yourself out, which wouldn't be good. So we've got that, and also, if you don't already have this, make sure you do an apt install ufw. So we've enabled port 22; now we're going to do ports 80 and 443, which are HTTP and HTTPS. So we'll go ufw allow 80/tcp, and then we're also going to do 443/tcp. Now from here we can actually go sudo ufw enable. So now we can check our status by just doing sudo ufw status, and you'll see we have all of these enabled, which is good.

From here, this is a basic web server firewall; however, this is still not secure. Most people... this is actually just reiterating: let's say you have a VPS like UpCloud, and most of these have their own external firewall, so these things are already pretty much limited down. I know this is a little redundant, doing a firewall on the server as well on top of the external one, but I like to be very careful, and especially since the limit command will limit how many connections can be applied, I don't have to worry too much about brute-force attacks on port 22 as well. So that's why we kind of double up the firewall here.

With this, all this does is poke holes in these; we actually need to set our defaults now. By design, the defaults here... we actually will not be doing much; this actually doesn't allow a lot of things... actually, it allows pretty much everything. So with that we need to block all incoming connections: we'll go ufw default deny incoming, which will deny all incoming traffic, and then we'll just do sudo ufw default allow outgoing. We'll reload the firewall after putting these extra rules in, so we'll just do sudo ufw reload, which will just reload the firewall, and then we'll just do a status. So with our status in, we have everything set up and properly done. ufw is pretty much set up for a basic web server right here. This is good, but now we need to move on to SSH.

SSH right now is what I call a tar pit; other people call it limiting connections; it can be called a lot of different things, but it limits how many times someone can try to connect. Now by itself it's good, but we can make it better. So now we need to create an SSH key to log into our server. I'm going to go ahead and exit this server and we're going to create an SSH key for this. Now I'm on my client PC, the remote PC I'm connecting to the server with, so we're going to go ahead and create this now. If you're on Windows you can use PuTTYgen; if you're on Mac you can actually stick with this same generator, it actually has it as well. So we're going to go ssh-keygen and we're just going to do an RSA key. It'll say which file; you can hit enter here and it just saves it in your home folder, .ssh/id_rsa. It'll create two files, a public one and a private one, which I'm about to go over. Now you can create a passphrase; most people recommend it, and especially if it's facing the internet I would totally do a passphrase here. However, I'm not going to for this tutorial, just because I don't like entering a password when I go connect over SSH; I'd rather just jump right in, which would be pretty nice. But for some folks that want that extra level of security, go ahead and enter a passphrase here. Needless to say, both no passphrase and passphrase are far better using the keys than any password authentication that we were doing. So know that of these two methods, one's a little bit less secure than the other, but know that this is still extremely secure not using a passphrase as well. So just know, if you want that extra level, you go there.

So we've got that and we've created our key. Now we can transfer this to the server using SCP directly to transfer it, which I've done a video on; I'll link it up here in the title card. But if you don't want to use SCP, there's another command that makes it even a little bit more seamless. On the website I put two methods: one is just directly copying and then modifying your authorized_keys directly on the server; this is the manual method. But a lot of people just like it done easily, so I'm going to use the easy method for this video. But I just want to let you know it is in your home directory, .ssh, on the client machine. If we take a look you'll see that we have id_rsa and id_rsa.pub; the .pub one is the public key, and the public key is the one you want to move to your server. To do this we're going to do ssh-copy-id, and from here we'll do -i, our home directory, /.ssh/id_rsa.pub, and we're going to push this to our server. Now I'm using my user, which would be minecraft@ and then the IP; this isn't actually a forward-facing internet server, so 192.168.69.6. With this entered in, we should be able to do it. Now if you do SCP, obviously you do a colon and dictate where to go, but this by itself should go ahead and make it so we just connect right up. So let's see what we've got here. All right, we'll enter our password.

Okay, I just stopped it there for a second, because when I did the copy key command, I've got to say, I messed up on my username, and that completely borked my entire SSH service on that server. I just ended up blowing it out and reinstalling that SSH service. So, very important: don't mess up when you use this command, double and triple check it, because you don't want to mess up like I just did. And honestly I could have probably cut this part out, but I think some of the beauty of this is, when you mess up, actually fixing it. So I just wanted to tell you that: double and triple check when you do the ssh-copy-id, because if you're wrong you're really going to mess up that server, and you're going to have to go through and redo your SSH service directly on that server using something like the console, because you won't be able to SSH into it any longer, because, well, you messed up when you did the ssh-copy-id.

So with that we're going to do this again: we're going to go ssh-copy-id -i, select our local file, which is ~/.ssh/id_rsa.pub, and then we're going to put on our server. Now I put minecraft last time; that was wrong. It was actually administrator, that's the user, and then we type our IP. All right, so we double, triple check everything; everything looks perfect. Now we can try it, so we'll hit enter, type in our password for this user, and it added the key almost immediately. See how it stuck last time, because it totally messed it up: the login was correct but the user was wrong, and it just locked me completely out of SSH. So don't do that.

With this we should be able to SSH directly into the machine now. So we can do SSH just as a test, and check this out: we'll go ssh administrator@ our server name, and it immediately logs in. Remember, we didn't put a password any more, so this is actually kind of nice; it's all using keys now. Now the power of the ssh-copy-id is it did a lot of other stuff too, to where now we can't just log in via password; the password auth I think is actually turned off now. If we look down here on the website, I need to change ChallengeResponseAuthentication to no, PasswordAuthentication to no, UsePAM to no, and PermitRootLogin to no as well. This disables all password authentication through SSH, but you've got to make sure you always have that key on lockdown. I personally would back up my private key, just in case I need to take that somewhere else, but by the same token I would just get another computer that I have (I have multiple computers) and I would log in using one of those, and also create multiple certificates I can log into that one server with. Because if, let's say, I format that PC, I wouldn't be able to walk directly into that server without going to the console, and some people have issues getting to the console, so you might even be locked out of your server if your only method of access was SSH. So again, be very, very careful when doing this; I can't emphasize that enough. But once you get this on lockdown, oh, the security of it is perfect.

So with that, let's go into... we'll switch users into root and go into /etc/ssh. Now there's one file in here we want to do and that's sshd_config, and we'll go through this and see if we can't find those: ChallengeResponseAuthentication, PasswordAuthentication, all that. So let's go to authentication; we should see some stuff here, and we can see PermitRootLogin. We're going to change this to no, because we don't want any root login privileges to SSH. We'll go ahead and scroll down a little bit more: ChallengeResponseAuthentication is no; PasswordAuthentication is actually commented out and says yes, but we'll put no as well; and then at the very end is PAM, and UsePAM should be no as well. Once we do this we're just going to do a systemctl restart sshd, or it might be ssh if you're on a CentOS server. With this, let's go ahead and exit, and then we're just going to exit again, and we're closing this session, and then we're just going to reconnect. And we have reconnected and we're in our server, so everything looks good here. This is pretty much secured down, which is great, and I know if someone tries to connect without a key it should deny them.

So we can test this method out using my other internal PC. All right, this is my inside PC, and what we're going to do is we're just going to pull it up and go to the terminal; it's almost like the Inception of computers here, but that's okay. So this is on my main PC, not my studio, and we're going to try to SSH using administrator. Okay, with SSH right here on our main PC we're going to try and connect. It says, hey, when I get the fingerprint, like, yep, and then it says nope, permission denied: it doesn't have a proper key, so it's public key. I don't actually have the key on this system to connect to this box, so I would need to create the key and put it in the authorized keys folder. So let's get out of the main PC. I just want to show a failed attempt to show that it's secured, because once you secure something, you should, one, verify you can connect back to it, and then also get to a second computer (and if you don't have a second computer just launch a VM) and then check to make sure it is actually properly secured, because you should be getting a permission denied on all other attempts.

So if we log back into this server and we go into, I think it's the home directory, and we go into .ssh, from here we should have authorized_keys. Now let's take a look at our authorized_keys; we'll see that key we established. Here we could add another key and get it connected to the main system. So how does that work when it's already on lockdown? This is a great question. Well, mainly you'd have to copy it over to this computer and then upload that private key to this file... or upload that public key to this file. So let's go ahead and redo this on the main PC just so you can see how this would work, or how I go ahead and copy these public keys.

So we're back on our main PC. We need to create that key that we just did, so we're going to do ssh-keygen -t rsa, and I'm just going to go ahead, just like the other one, and just enter through these. Now we have that public key, so we can easily copy this. Now you've got to copy it to your machine that already has access, so we can go ahead and do another copy ID. So we go .ssh, and we have the private key, which is here, which will stay on this system, and we have our public key. So we can actually open this file; we'll open this with Kate. Now it has this entire key, and I think I can just copy this key right here and come all the way back to this file and paste it in. Let's see if that's good, and it looks like that is the good key. So let's go ahead, write that out, exit. So we're back on our main PC over here; we can close out of this, and we'll close out of this, and we're going to go ahead and try to reconnect. So here we go, SSH in, and there we go, we have now added two PCs using keys.

I wanted to just explain SSH keys because so many people screw this up, and it's really easy to screw up, so make sure to double, triple, quadruple check before really going into this and running that command. Again, you can lock yourself out, so be very careful when doing it, and I always recommend doing it on more than one PC, or at least maybe launch a VM and have it in the VM as well, just in case; you never know. So with this I'll go ahead and close out; we're done with SSH.

So now that we're done with SSH, we need to enable other security features, such as against flood attacks and those types of things. We'll launch into our terminal, we'll connect back to our Minecraft PC that we're securing down, and then we're just going to go ahead and do a sudo nano /etc/sysctl.conf. From here, this is kind of different depending on the system. I would have set up a copy-paste for this, but every system is just a little different on their sysctl.conf, and sometimes doing a copy-paste doesn't work right, so I like to actually uncomment what's there. So, one, we want to uncomment to enable spoof protection, yes please, and then we come down here. Now, coming into here, we want to block ping, which is ICMP; we'll block all ping requests. This also prevents man-in-the-middle attacks, that's what MITM stands for. And since we did this one, we're not going to do this one. So here we go, we're also going to block this as well, where you are not a router; it kind of tells you, hey, if you're not a router you should probably enable this, so we will enable this. And we want to log martian packets as well, and then that's pretty much it right there. We'll go ahead and write this out, and you could do a reboot here, or you can do, I think it's sysctl -p, sudo sysctl -p. With this it kind of shows you, hey, this is all the stuff that you're doing, and you know you're not accepting redirects any more, you're not responding to pings, you're logging martians; these are all good things. So this is just an extra step for security on a system.

Now we can move on to preventing IP spoofing, which means, hey, instead of... let's say I banned or routed someone's IP address and they're really determined to get into my server; they can spoof another IP and then try and connect to my server, which we don't want, obviously. If we ban somebody, we banned them for a reason; we don't want to allow any spoofing to occur. So what we do is just change a specific file: we're going to go sudo nano /etc/host.conf, and from here we're just going to change this around, so hosts is actually going to come after bind. Hey, make sure you double and triple check these two, because it's going to be a big sad face if you screw up your system files here; these are system files, so don't just rush through them, double, triple, quadruple check when you're doing this. And then nospoof on, and go ahead and exit out.

With that done, we're almost to the end here. We just need to install fail2ban, so we'll do a sudo apt install fail2ban. This kind of reads what's going on: if someone's constantly attacking or DDoSing your server, fail2ban kind of reads that and goes, hey, this is a malicious user, and bans them. So it's really awesome. Once you install it, all you need to do is do a sudo systemctl enable fail2ban and then just sudo systemctl start fail2ban. With this you can do a status just to make sure that it is running, and as we see, it is active.

So with this, this is a basic setup. Now I like to do one last command: after a reboot... I like to do a reboot, just to... you don't necessarily have to do a reboot, so if this is in production, obviously don't reboot. But with this, any time I set up security, I do all my updates, I get everything going; typically I'm doing this at the very beginning, and I like to reboot after doing a complete install, redoing all of the actual stuff for this server, just to make sure all of my services kick up and everything is looking good once it comes back online. That's just my personal preference; you don't necessarily have to do a reboot, but I do. So from here we're going to go ahead and reconnect. I don't know if it rebooted that quickly, but it did, sweet. Let's see what our uptime is: yeah, uptime zero minutes, just to make sure you've got a reboot. Let's do a netstat -tonlp, and this kind of tells us what all is exposed to the outside world, what all's going on here. So we've got 80, 22 and 443; those are the ones that are right now kind of exposed. So this is a good thing to run; it just shows active internet connections. You can run it as root as well, which gives you a little bit more visibility, and you can actually see what's using what. So I know that I've got MySQL going on 3306, sshd, which is a service running on 22, and I've got Apache running on 80 and 443.

So there we have it. This is a pretty much secured program, or secured server. Now it's not a hundred percent secure; this is just what I consider the basics of security that you should be doing on pretty much every single Linux server installation. Now you need to be doing monitoring, and I'm going to go into that and show you a couple of screenshots, but for the most part this is it for the basic security setup. Don't ever think that you can just do this and it's going to work a hundred percent of the time and everything's going to be just rainbows and sunshine, because if you get bigger, you get a lot of traffic, you're going to get a lot of attacks, and you're going to need to modify things. You need to monitor and constantly revise some of your security. That's why you'd pay a big company to do web hosting or something like that to monitor a website that gets hundreds of thousands of hits a day, because you need to be constantly monitoring and adjusting for these attacks that you're going to inevitably get. So just to phrase that: on christitus.com, since I've started this channel, it went from getting maybe an attack once every month, if that, to getting, I don't know, probably around 20 attacks a day. So as you get a bigger footprint on the internet, you're going to get more issues, more people trying to get at you.

So that is the basics in security. When it comes to the website I would say this is actually pretty good. Now there's a lot of things that go into the monitoring aspect. I just showed a little monitoring through a couple of screenshots, I'll go ahead and flip up here. I use Wordfence or WP Security, either one of these; you should always be monitoring any of your CMS, content management system, so whether that's WordPress, whether it's Joomla, whatever it might be, you need to be constantly looking for these attacks and monitoring what's happening with your server. You also need to be monitoring your actual web server instance, so I don't solely rely on a WordPress plugin, because that's only covering really the WordPress aspect of it. I really want to know what's happening also: are there SSH attacks, these types of things that wouldn't be picked up by a WordPress plugin. So I like to use something called Tripwire, and that's almost its own dedicated video. When it comes to security monitoring, that's a whole different beast, and one that you need to be doing on your servers. At the very least, use the plugin; those are pretty much... anyone can easily install and activate them, and they give at least some bit of monitoring and email notifications when something bad happens or files change. These types of things are really important, but I also highly recommend going one step above and using something like Tripwire directly on your Linux server instance. This tells you when files are modified, what kind of access has happened, is anybody logged into the server, these types of things, over the past 24 hours. This really helps maintain security, and you can also do a lot of great things such as reporting.

Let's say you have specific malicious attacks; you can easily report those using these IPs to the authorities. But I don't technically really report anybody. What I like to do is routes: I'll just route all the traffic to like fbi.gov or something like that, if they're in the States and they're doing like SQL injection attacks on my website, which I've actually had 200 of those. It was actually in one of the screenshots there that showed that I dug deeper into that IP, and they were actually trying to do SQL injection attacks on a website. But that specific IP, let's say he shows back up and it's just constantly trying to hit my website with stuff: I'll just do like an iptables and just say all the traffic from this IP, go ahead and redirect it to a government website, and what that'll do is he'll actually start running his attacks against the government. And, well, I don't know exactly what happens after that; I just know I never see that IP again. So whether or not a guy with sunglasses shows up at his door, I don't know; it seems to be a little more effective than just simply reporting it to a web submission. So there's different ways of doing it; you can have a little bit of fun with it, but know, when it comes to routing things to like a government and getting someone in trouble for pentesting, that's something you have to be very worried about. I don't typically do this unless someone's really, like, day after day, just really pinging my websites, and if that happens, then yeah, I need to take some more measures, and that's when I reroute their traffic to something else, and they probably will end up getting in a little bit of hot water, at least a nasty phone call or a letter.

So with that, that's securing your web server in a nutshell. I hope this is beneficial, because there's too many people, I think, that leave open SSH passwords, those types of things, and that's extremely bad; pretty much anybody can break in. At the very least, using ufw and limiting SSH port 22 is mandatory; everyone should be using ufw limit. I've also covered this, I think, in a past video where I used iptables, which is the same thing as what ufw limit is; it's just a little more complex to set up using iptables, which now is deprecated anyway, so that's why I really didn't show iptables in this video. But needless to say, let me know your thoughts down in the comments section below. I always look forward to this and I will be checking these comments, because on these advanced videos, when you get into this type of subject matter, I'm telling you, there's just no way to cover everything, because honestly there are experts out there that know a lot more than I do when it comes to securing. I just know these are the basics that I've seen be extremely vulnerable on web servers, and that's why I like to cover them here. There's a lot more that goes after this; there are other ways to get in and other things you should be worried about, but that's why I always say monitoring after this is mandatory, because every web server is just a little bit different, and honestly every website's a little bit different because of the clientele that's attracted to it. Some are a little more tech savvy and some are bigger targets, especially if you run e-commerce or something on your website. Thank God I don't do that; a lot of it's just redirected off-site. If I ever was going to do anything like that, I don't think I'd want to host that, just because of the security concerns. But with all that, a big shout-out to my patrons; without you I couldn't make videos like this one, and I'll see you in the next one.
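Editor's note, added to this page and not part of the video or of Chris Titus's cheat sheet: the sshd_config step above (set PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication to no, then restart) only takes effect if nothing sshd reads earlier already set the same keyword. sshd applies the first occurrence of a keyword and ignores later ones, treats `#` lines as comments (so a commented-out `#PasswordAuthentication yes` is not a setting; the built-in default applies), and reads `Include` files in place. Recent Ubuntu releases start sshd_config with `Include /etc/ssh/sshd_config.d/*.conf`, and cloud images ship `50-cloud-init.conf` there with `PasswordAuthentication yes`, which beats anything written lower in the main file. The script below is an example written for this page; it parses a config the way sshd does and audits the four directives from the video against a constructed sample (not a real server's config). Two simplifications are assumptions of this example: `Match` blocks are skipped, and a relative `Include` path is resolved against the config's own directory instead of `/etc/ssh` so the sample runs offline.

```shell
#!/bin/sh
# Example for this page (not from the video): audit an sshd_config the way sshd
# reads it. First occurrence of a keyword wins, keywords are case-insensitive,
# "#" lines are comments, and Include files are read in place.
# Assumptions of this example: Match blocks are skipped; a relative Include is
# resolved against the config's directory (sshd uses /etc/ssh).

# Emit "keyword value" pairs in the order sshd sees them, up to the first Match.
sshd_flatten() {
    awk -v here="$(dirname "$1")" '
    function flatten(path,    line, kw, val, cmd, f) {
        while ((getline line < path) > 0) {
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) continue
            kw = tolower(line); sub(/[ \t=].*/, "", kw)
            val = line; sub(/^[^ \t=]+[ \t=]+/, "", val); sub(/[ \t]+$/, "", val)
            if (kw == "match") { close(path); return 1 }
            if (kw == "include") {
                if (val !~ /^\//) val = here "/" val
                cmd = "ls " val " 2>/dev/null"   # sorted glob, same order sshd uses
                while ((cmd | getline f) > 0)
                    if (flatten(f)) { close(cmd); close(path); return 1 }
                close(cmd)
                continue
            }
            print kw, val
        }
        close(path)
        return 0
    }
    BEGIN { flatten(ARGV[1]); exit }' "$1"
}

# Effective value of one keyword (first occurrence wins). Prints nothing if unset.
sshd_effective() {
    sshd_flatten "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# One check: config, keyword, sshd's default when the keyword is absent, wanted value.
_want() {
    v=$(sshd_effective "$1" "$2"); [ -n "$v" ] || v="$3 (default)"
    case "$v" in "$4"|"$4 (default)") echo "ok   $2 = $v"; return 0 ;; esac
    echo "FAIL $2 = $v (want $4)"; return 1
}

# Audit the directives the video changes. Returns the number of failures.
sshd_audit() {
    cfg=$1 fails=0
    _want "$cfg" PermitRootLogin        prohibit-password no  || fails=$((fails + 1))
    _want "$cfg" PasswordAuthentication yes               no  || fails=$((fails + 1))
    _want "$cfg" PubkeyAuthentication   yes               yes || fails=$((fails + 1))
    # Renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is an alias.
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    [ -n "$kbd" ] || kbd=yes
    if [ "$kbd" = no ]; then echo "ok   KbdInteractiveAuthentication = no"
    else echo "FAIL KbdInteractiveAuthentication = $kbd (want no)"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample (not a real server): the main file is hardened exactly as in
# the video, but the drop-in included at the top is read first and re-enables
# passwords, which is the shape of an Ubuntu cloud image with 50-cloud-init.conf.
make_sample() {
    dir=$(mktemp -d) && mkdir "$dir/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
    cat > "$dir/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin no
KbdInteractiveAuthentication no
PasswordAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
    echo "$dir/sshd_config"
}

# Fix: a drop-in whose name sorts BEFORE 50-cloud-init.conf. A 60-hardening.conf
# would be read after it and silently lose on PasswordAuthentication.
harden_dropin() {
    printf 'PasswordAuthentication no\nPermitRootLogin no\nKbdInteractiveAuthentication no\n' \
        > "$(dirname "$1")/sshd_config.d/10-hardening.conf"
}

demo() {
    cfg=$(make_sample)
    echo "== before: main file hardened, drop-in still says yes"; sshd_audit "$cfg"
    harden_dropin "$cfg"
    echo "== after 10-hardening.conf"; sshd_audit "$cfg"
}
demo
```

On a real host the equivalent of `sshd_effective` is `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin|kbdinteractive'`, which prints the values sshd will actually use; run `sudo sshd -t` before the restart so a typo in the file cannot take the service down. The "second machine" test in the video can also be forced from the same client without another PC: `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@host` must end in "Permission denied (publickey)". One caveat on the video's `UsePAM no`: that also disables PAM's account and session handling, and the stock Debian/Ubuntu sshd_config documents keeping `UsePAM yes` while disabling passwords through `PasswordAuthentication no` and `KbdInteractiveAuthentication no`, which is what the sample above does.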
Info
Channel: Chris Titus Tech
Views: 63,535
Rating: 4.9389315 out of 5
Keywords: chris titus tech, secure web server, apache web server, server, web server, how to secure web server, web, web server (software genre), secure apache web server, host a web server, secure, secure apache server, home web server, configure web server on https, personal web server, securing linux servers, caddy web server, linux web server, web server https, hacking web server, cloud hosting
Id: 7pJKBL9x6bY
Length: 30min 20sec (1820 seconds)
Published: Fri Oct 11 2019