The Biggest Linux Security Mistakes

Video Statistics and Information

Captions
Now, most people know when it comes to Linux it's pretty secure, right? Well, when I set up a Linux server it is, and there's a lot of things I do in the server realm that make it secure. But in the desktop realm, Linux desktop in particular, a lot of configurations by default aren't, and many Linux users make it so they're even more vulnerable. So a lot of people are worried about mitigations and other security holes, which are valid, but these ones I'm talking about today are the three biggest things I see Linux users do to where they're much more vulnerable than they think they are. Because I think the worst thing I ever see is someone asking the question "am I secure?" The answer is always no. Security is a journey, not a destination. But let's tackle these three big things today and at least make you a little more secure, if you want to do them.

Now obviously this could be an hour-long video going over a whole bunch of ways to hack Linux, but I'm really going to cover the three big things: there's the network side, there's the operating system side, and there's the application side. I'm going to pick the biggest one, or the biggest security flaw I see. If I were to put my black hat on and pretend like I'm going to hack some Linux desktop users, these are the entry points and the places I would first probe to see if they are open, because chances are they would be.

So the first one is going to be not using a firewall. By default settings, most places don't actually have a firewall. Like if we do ufw status, you see I don't even have ufw installed, which is the firewall. There's also nftables and iptables that do almost the same thing, but ufw makes it a little bit easier. If we just do a sudo install ufw and say yes to this... now if you're on Arch you would just do a pacman -S ufw; if you're on Debian it would be apt or nala install ufw. This is a very, very common package. And now if we do sudo ufw status, you'll see it's inactive, so just installing it doesn't really do anything; it just makes it so you can lock down your system. So the recommended rules I usually go for are 22, 80, 443, and then deny everything else coming into this system. This basically allows this to only use these ports, so if an application tries to get out of line and use something else, you need to go through ufw allow and then the port they need. I would just copy that, put that into the terminal, and then just go. And then if we come back to our status page you can see all your rules; you can see the firewall is now active. It is allowing SSH, DNS, 80 and 443, which is basically the web, and that's basically it; those are the only things allowed into the system. And on SSH, which is a big attack vector most people use, I'm putting it as limit, which is like a tar pit, meaning if people attack it multiple times it'll allow maybe five to ten attempts before it just shuts that user down.

The other thing is fail2ban. Now I'm not going to go too far into fail2ban because this is more of a server setting, but one I would recommend setting up for anybody that's going to be sharing any services through their thing. Any server I've ever set up typically has a firewall and also fail2ban. I would say fail2ban is probably the biggest thing; I have seen a lot of misconfigurations of fail2ban in the server realm, so make sure you're actually enabling it. And you can see I put some sample files here for fail2ban, so follow that if you're curious. Basically what it does is it's an intrusion detection, so if it sees "hey, someone's attacking all these ports over and over and over again," this basically bans them. So it just says "hey, you're out of here, you can't attack this system anymore, because you've done five to ten or twenty different bad things and I don't want to accept that request anymore." Without these two things, the attacker can keep attacking and keep probing the system, and that will make it to where they will eventually find a weakness. Again, security is a journey, not a destination, meaning everyone is vulnerable; it's just a matter of how vulnerable you are, and that's what you need to be thinking about. Whether you're a Linux user, whether you're a Windows user, whether you're a Mac user, all of these are vulnerable systems at one point or another, so it just depends on how many points, how big that attack surface is. I always am preaching about Windows having so many different attack vectors; Linux still has quite a few, and so does Mac. I mean, these systems do have ways to get hacked into, and this is the first layer of it, the network.

The operating system. When it comes to Linux desktop users, I would say repositories are the biggest flaw. I can't tell you how many times I've seen a Debian-based install with like 10 different repositories or 20 different repositories, and keeping up with that many repositories is hilarious to me, because one, they could break their system, because one repository might override another one, or the official one, and it just kind of could trip over each other, much less some of the other vulnerabilities that might come from it: installing an older version to make a dependency for some program that you're wanting, and that's why you're using that repository. Right here I give an example of Nala. Now obviously I'm on my Fedora system so I can't really show this, but I did want to show pin priorities. So if you did that one example video which I made just a little bit ago, showing using Nala instead of apt for the front end to install and upgrade your system, I would highly recommend checking that out; the video name was "Stop Using apt." This right here would do a pin priority of a hundred on here, and you would just drop it into this directory. You would just make a volian pref file, and then copy this, put it in there, and basically it would say anything coming from volian.org, which is where the Nala package is, is pin priority 100, meaning it is behind the operating system. If there's an update to, like, the GCC compiler, it's going to update it through Debian instead of Volian if it had it in that repository. Now luckily I think the Volian repository only has Nala, but they might expand it, and then that can cause all kinds of problems with the Debian-based system. That's why when you add these repos you want to add these preference files to say "hey, yes, anything from here is allowed, but I only want this package at this priority." Now you can also change this asterisk; this is a wildcard. That would say "hey, I only want the package nala to be upgraded from Volian," and you can do that, and that would help secure your system a little bit better than just adding a whole bunch of random repositories and just saying "hey, whatever packages they want to replace on my system, they can go for it." That's also a very big recipe for security flaws and potentially breaking your system too.

Now let's get to the application level. This one is something I don't think anybody on the Linux desktop does, at least from a desktop level. If you're really into security and prevention, I highly recommend learning about AppArmor and SELinux. Many distributions do distribute them by stock defaults, but they are left in just complain or a permissive mode that just throws some stuff in the log when an application does something funky; it allows it to do that funky thing, but it just logs it. The good thing about these programs is you can set profiles to say "hey, this program can only access this part of the system, or this part of the file system; it can only have access to this hardware and not that hardware." So you have all this control, which is fantastic. And in the server realm, typically if I'm setting up a RHEL-based server it comes with SELinux, probably the best for security, and I can configure all that to enforced mode, and this will completely go through it. Just know the difference: for AppArmor there's complain mode and enforcing, and for SELinux it's permissive and enforced. Enforce really locks down the system, and if you install a bad application it's going to lock it down. These are fantastic applications if you're concerned about security, and if you're using Linux for security I would definitely recommend learning them and putting them into enforce mode. And then if you run into some oddball program that you have that doesn't have a profile for either AppArmor or SELinux, you can create that profile and say "hey, I only want this to have access to this folder in my home folder and not have any access to any of the hardware on my system," and then you can literally limit all these down just using these profiles. So that's a beautiful part of Linux, but so many people just install AppArmor and then just never do anything with it; they just leave it in complain mode, and then it might show up in some systemd logs somewhere, but for the most part 99 percent of the users that have it installed really don't do anything with it.

But these things are the three big things that I think many people miss in Linux desktop, and if you do want to tighten down your system and really have it like Fort Knox, this is how I'd go about doing it, because this is what I do in the server realm that really, really helps make that server much more secure than a regular old desktop machine. So with that, let me know your thoughts down in the comments section and I'll see you in the next one.
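Two of the checks the talk describes only in prose, the fail2ban-style count of failed SSH logins per source address and the apt pin that keeps a third-party repository below the distro, as a worked shell example. This is an added example, not code from the video or from Chris Titus Tech. The sshd log lines are constructed; the origin host deb.volian.org (where Nala's repository is published) and the threshold values are assumptions. ufw and fail2ban themselves are not invoked here because they need root and the installed tools; the awk pass shows the decision fail2ban's sshd jail makes over the same kind of log lines.

```shell
#!/bin/sh
# Added example, not from the video. Runs offline on constructed input.

# Constructed sshd log lines (traditional syslog format). 203.0.113.7 fails
# five times, 198.51.100.23 once, and one key-based login succeeds.
SAMPLE_AUTH_LOG='Aug  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  3 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Aug  3 10:00:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 51044 ssh2
Aug  3 10:00:09 host sshd[1210]: Accepted publickey for chris from 192.0.2.10 port 40212 ssh2
Aug  3 10:00:12 host sshd[1211]: Failed password for chris from 198.51.100.23 port 43110 ssh2
Aug  3 10:00:15 host sshd[1214]: Failed password for root from 203.0.113.7 port 51060 ssh2
Aug  3 10:00:20 host sshd[1216]: Failed password for root from 203.0.113.7 port 51072 ssh2'

# The fail2ban idea: count "Failed password" events per source address and
# report every address that reached the threshold (default 5, an assumption
# standing in for the jail's maxretry). Reads log lines on stdin and prints
# "<count> <ip>" for each offender, highest count first.
ssh_brute_force_candidates() {
    threshold=${1:-5}
    awk -v thr="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the field after "from" is the source address, whatever precedes it
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' | sort -rn
}

# The apt pin the talk describes: a preferences stanza that keeps packages
# from one origin below the distro's default priority of 500. With the
# default glob "*" every package from that origin is pinned; pass a package
# name as the third argument to pin only that package (the talk's "only nala").
# Usage: apt_pin_pref ORIGIN PRIORITY [PACKAGE_GLOB]
apt_pin_pref() {
    origin=$1
    prio=$2
    pkg="${3:-*}"
    printf 'Package: %s\nPin: origin %s\nPin-Priority: %s\n' "$pkg" "$origin" "$prio"
}

# Demo: with threshold 5 only 203.0.113.7 is reported; then the nala-only pin.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_brute_force_candidates 5
apt_pin_pref deb.volian.org 100 nala
```

The stanza printed by apt_pin_pref is what would go in a file under /etc/apt/preferences.d/ (apt only reads files there that have no extension or end in .pref). Priority 100 leaves the distro's own packages at 500, so a package present in both Debian and the pinned origin is taken from Debian, which is the behaviour the talk wants for the GCC example.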
Info
Channel: Chris Titus Tech
Views: 151,943
Keywords: chris titus tech, Biggest linux security mistakes, linux security, selinux, apparmor, ufw firewall, fail2ban, repository pinning
Id: QxNsyrftJ8I
Length: 9min 43sec (583 seconds)
Published: Wed Aug 03 2022