5 Steps to Secure Linux (protect from hackers)

Are your Linux servers safe from hackers? Can they be hacked? In this video, NetworkChuck shows you how to secure and HARDEN your Linux server. While nothing is foolproof, taking these steps to harden your Linux server is VITAL and will help protect you from attacks.

0:00 ⏩ Intro
1:05 ⏩ FREE LINUX LAB
2:51 ⏩ 1. Enable Automatic Updates
4:29 ⏩ 2. Limited User Account
7:02 ⏩ 3. Passwords are for suckers
12:18 ⏩ 4. Lockdown Logins (harden SSH)
15:50 ⏩ 5. FIREWALL IT UP!!!

#linux #securelinux
Comments

I just want to caution everyone against enabling automatic updates on production systems. The best practice is to use scheduled maintenance windows and to always test updates in a test/dev/QA environment before making changes to prod :)

kym

Won 20 bucks in a networking class.
Another student told me he could get into any computer remotely.
I accepted his challenge and turned off my network card in the drivers.
He was pissed.

jarrod

Definitely one of the top 3 videos of all time to date... changing TCP ports, encrypted authentication, and disabling ping. Love it... Thanks again Chuck!

johncullen

You should use "apt upgrade" instead of "apt dist-upgrade" as the latter might also remove packages or change things in the system which might break your applications. "dist-upgrade" should be used if you want to upgrade to a new release of the distro, not if you just want the latest versions of your packages in order to get security fixes.

m

@14:08
PasswordAuthentication no is not enough to disable password for ssh login.
Make sure to set no as well

royalebloodme

20:41 - The line was already there (the last entry in that section). All he had to do was change the ACCEPT to DROP. ICMP ping may be blocked but hackers can still find his server using the nmap utility. Great video though. Love the channel!

kpopempire

Just as a correction

for macOS the command ssh-copy-id <user>@<machine> does also work.

stlphotography

Linode, just to tell you - A really good choice for sponsorship! Keep going, his style is a remarkable combination of useful information and energetic hype!

vasiovasio

The way you deliver content is outstanding. English is my second language, but you somehow manage to be quick, to the point, and very understandable. Kudos. Fantastic work.

uwemeyer

Spent a few hours trying to get key auth to work, found out Chuck left a part out in the video. You need to add the private key to the ssh agent so your computer knows which key to use. In Windows, do these commands:
Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent
ssh-add <path to your newly created private key>

NOW you should be able to log in :)

michael_oconnor

This was great. I've just passed my Linux essentials exam and this helped learn a bit more about security. Btw, reloading the firewall did do the trick in my server. I didn't have to reboot.

edgarardon

Brilliant. Coming from a person who is very comfortable with Linux, it's so nice to see the simple security aspects covered. And I always love how enthusiastic you are, making I.T fun!! Big fan here, over in London/UK! Keep it up, and great to see your channel growing as well. Keep you fed :)

gswhite

As a security professional I really found this video to be of good quality. You were to the point, informative but not overbearing, engaging while being authentic. Keep up the great work! ❤ 😍

HopliteSecurity

I've had bad experiences with unattended updates, especially on a production server. They often tend to overwrite custom settings. For example, with PostgreSQL, an update might reset a custom database path, and similarly, Docker updates might alter the custom data path set for Docker.

cookiebinary

Oh my god, I need this so much, thank you!!!!


Edit: I need more... Moooreee. Lol, jokes away, I really like to see more about firewall managing. Great video, thanks!

estudiordl

Perfect timing, man! Just fired up my first Linux server this week!

Eschguy

Great video, Chuck. For SSH this is what I do. I change the port like you do but I lock it down so I can only ssh from my home IP address.
ufw allow from <public address> to any port <ssh port>
Even if your public IP address changes you can still ssh back in from the Linode web console and change the firewall rules.

briank

I have another suggestion tho. There's a firewall option that allows your port to be neither "open" nor "closed" .. but instead "filtered", making your server accept incoming connections only from a known IP address. It might not be useful for everyone since not everyone has static IP addresses. But hey, if you do, then that's just the best layer of security you might add to your server.

medanisjbara
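
A check for the source-restricted SSH rule that the two comments above (briank and medanisjbara) describe, as an added example that is not code from the video or from either commenter: it reads `ufw status` text and reports whether the SSH port still accepts connections from any address. Port 2222 and the address 203.0.113.10 are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read `ufw status` text and report whether the SSH port is
# limited to known source addresses. Port 2222 and 203.0.113.10 are
# constructed sample values, not taken from the video.

# ssh_sources PORT: print the "From" column of each ALLOW/LIMIT rule for PORT.
ssh_sources() {
    awk -v port="$1" '
        $1 == port || $1 == (port "/tcp") {
            gsub(/ \(v6\)/, "")           # drop IPv6 marker so columns line up
            src = ($3 == "IN") ? $4 : $3  # "ufw status verbose" prints "ALLOW IN"
            if ($2 == "ALLOW" || $2 == "LIMIT") print src
        }'
}

# ssh_verdict PORT: print inactive, no-rule, open or restricted.
ssh_verdict() {
    status=$(cat)
    case $status in
        "Status: active"*) ;;
        *) echo inactive; return 0 ;;
    esac
    sources=$(printf '%s\n' "$status" | ssh_sources "$1")
    if [ -z "$sources" ]; then
        echo no-rule
    elif printf '%s\n' "$sources" | grep -qx 'Anywhere'; then
        echo open        # a broad allow rule still exists for this port
    else
        echo restricted  # every rule for this port names a source address
    fi
}

# Constructed samples of `ufw status` output.
SAMPLE_OPEN='Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
2222/tcp (v6)              ALLOW       Anywhere (v6)'

SAMPLE_LOCKED='Status: active

To                         Action      From
--                         ------      ----
2222                       ALLOW       203.0.113.10
80/tcp                     ALLOW       Anywhere'

printf '%s\n' "$SAMPLE_OPEN"   | ssh_verdict 2222   # open
printf '%s\n' "$SAMPLE_LOCKED" | ssh_verdict 2222   # restricted
```

On a server, pipe the real output in with `sudo ufw status | ssh_verdict <ssh port>`. A verdict of `open` after adding the restricted rule means an older broad allow rule for the port was never deleted.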

I would always recommend protecting your private key. A private key with no protections on it is more commonly referred to as a back door. You can password protect your private key. Passwords are only useless in Windows these days, since Microsoft refuses to stop using unsalted MD4. Cracking a password for a 4096 bit RSA key, or a SHA512 hash? Yeah. Let me know how that works out for you. If you use a godawful password, sure, it can be done. If you take any steps to make a somewhat decent password, chances are extremely unlikely that someone's going to crack it.

However, if you're taking all of these steps to secure your Linux boxen anyway, might as well step it up a notch. Get you a Yubikey, and use it to protect your private key, or use it as a 2nd factor. Yubico has some great documentation. Probably the hardest part about doing it is selecting which method you want to go with, since Yubikeys are extremely flexible.

praecorloth

This is the greatest presentation I've seen on hardening a cloud Linux server. You're fast paced, but the whole video was understandable and easy to follow. Thank you so much for making this video. I've shared it with people and included links to it on my blog posts.

jesselistarseed