Top 5 Security Tips

Top 5 Linux Security Best Practices Every Admin Must Know

Estimated read time: 1:20

Summary

In this video, Grant Knoetze walks through the top five Linux security best practices essential for every admin to know. From securing remote access with SSH key pairs over passwords to configuring firewalls and implementing updates, the video provides valuable strategies to bolster your Linux systems. Knoetze coolly guides viewers through practical steps such as changing the default SSH port, disabling root login, enabling unattended upgrades, and ensuring proper firewall settings using UFW. He further emphasizes the importance of access control and efficient log monitoring to maintain optimal security posture. These insights are a must-have for anyone looking to fortify their Linux environment securely and effectively.

Highlights

• Knoetze highlights the use of SSH key pairs to avoid vulnerabilities associated with password-based authentication. 🔒
• Emphasizes changing the default SSH port, reducing exposure to common attacks. 🚀
• Stresses the importance of disabling root login for enhanced security posture. ❌
• Introduces unattended upgrades to automate and simplify updates. 🔄
• Covers configuring firewalls using UFW to block unauthorized access before it reaches the server. 🔥

Key Takeaways

• Use SSH key pairs instead of passwords to secure remote access. 🔑
• Change the default SSH port to enhance security by obscuring potential entry points. 🚪
• Disable root login to reduce unauthorized root access risks. 🚷
• Enable multi-factor authentication for an added layer of security. 🛡️
• Keep your system updated to patch vulnerabilities promptly. 🛠️

Overview

In this informative video, Grant Knoetze dives into the crucial security best practices for Linux systems. It all starts with securing remote access by using SSH key pairs instead of the vulnerable password-based method, making your digital vaults much harder for cyber villains to crack. 💪

Grant also details the process of changing the default SSH port and disabling root login as efficient ways to obscure common breach avenues. Coupled with enabling multi-factor authentication, these measures significantly elevate your Linux system's defenses against unsolicited visitors. 🕵️‍♂️

Moreover, staying ahead of threats by regularly updating your system through automated unattended upgrades and configuring firewalls with UFW ensures a robust shield against potential attacks. Don't forget about implementing access controls and regularly monitoring logs to ensure everything stays as secure as possible! 🔍

Chapters

• 00:00 - 00:30: Introduction. In this introduction chapter, the presenter welcomes the audience and sets the agenda for the video, which is to discuss the top five Linux security best practices that every administrator should be aware of. The presenter mentions that they have authored an article on IT Pro Today covering these practices in detail and provides a link to the article in the video description. The chapter ends with the host preparing to demonstrate the practices on a virtual machine using a Kali Linux setup.
• 00:30 - 02:30: Securing Remote Access with SSH Key Pairs. The chapter discusses the importance of securing remote access using Secure Shell (SSH), a critical tool for Linux administrators. It highlights SSH as a common target for attackers and emphasizes the need to harden it. One key recommendation is to use SSH key pairs instead of password-based authentication, as the latter is more vulnerable to various threats.
• 02:30 - 05:00: Disabling Root Login and Changing the Default SSH Port. The chapter discusses methods to enhance security by disabling root login and changing the default SSH port to protect against brute-force and dictionary attacks. It guides the viewer through generating SSH key pairs using the ED25519 algorithm, which involves executing commands in the terminal to create a public/private key pair.
• 05:00 - 06:00: Implementing Multifactor Authentication. The chapter discusses the Edwards-curve Digital Signature Algorithm (EdDSA), which operates on Curve25519. This elliptic curve is recognized for its security and efficiency, offering a more secure and faster alternative to predecessors like RSA or ECDSA. A key advantage of EdDSA is that it produces smaller keys, only 256 bits, while maintaining robust security. The chapter includes a demonstration, as indicated by the speaker's intent to accept the default save location by hitting enter.
• 06:00 - 10:00: Keeping Systems Updated and Using Unattended Upgrades. This chapter discusses the importance of maintaining system security by keeping systems updated. It introduces concepts like SSH ID creation and the utility of storing passphrases safely. It highlights the steps involved in generating SSH keys, including directory creation and passphrase management, emphasizing that the identification and the public key are stored securely. This process enhances the robustness of system access control, marking a vital step in system maintenance.
• 10:00 - 14:00: Configuring Firewalls with UFW. The chapter covers configuring firewalls using UFW (Uncomplicated Firewall) and emphasizes the importance of using SSH key pairs instead of password authentication for enhanced security. The transcript segment discusses copying a public key using the ssh-copy-id command, noting the option to execute the command remotely to save the public key to a server.
• 14:00 - 17:00: Implementing Access Controls and Monitoring Logs. The chapter provides a tutorial on enhancing server security by disabling root login via SSH. It starts by guiding the user to clear their terminal screen for convenience. The primary focus is on editing the ssh_config file found in the /etc/ssh directory to turn off root login.
• 17:00 - 17:30: Conclusion. The chapter discusses navigating to the SSH configuration directory using command-line instructions. It provides guidance on changing directories to the SSH configuration folder and listing the files within it, highlighting the use of the ls and ls -la commands to view files, hidden files and permissions. The focus is on identifying and accessing the ssh_config file for further configuration or reference.
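The SSH hardening steps summarized in the chapters above (keys instead of passwords, root login off, a non-default port) can be verified mechanically rather than by eyeballing an editor. The shell script below is an added example and is not code from the video or the IT Pro Today article. It assumes an OpenSSH server whose effective settings are in /etc/ssh/sshd_config, which is the file the daemon reads; the similarly named ssh_config in the same directory configures only the outgoing ssh client and has no effect on incoming logins. The two sample config files are constructed for the demonstration, and the audit deliberately ignores Include and Match directives.

```shell
#!/bin/sh
# Added example (not from the video): audit an OpenSSH *server* config for
# the settings the video recommends. sshd reads /etc/ssh/sshd_config; the
# /etc/ssh/ssh_config file next to it configures only the ssh client.
# Assumption/limitation: Include and Match directives are not followed.

# Echo the first effective value of a keyword, as sshd does (first match
# wins). Commented-out lines do not match because $1 then starts with '#'.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Audit one config file: prints one PASS/FAIL line per check and returns the
# number of failed checks (0 means hardened). Fallback values are OpenSSH's
# own defaults for a keyword that is absent from the file.
audit_sshd_config() {
    cfg=$1
    fails=0
    port=$(sshd_get "$cfg" Port);                   port=${port:-22}
    root=$(sshd_get "$cfg" PermitRootLogin);        root=${root:-prohibit-password}
    pw=$(sshd_get "$cfg" PasswordAuthentication);   pw=${pw:-yes}
    pk=$(sshd_get "$cfg" PubkeyAuthentication);     pk=${pk:-yes}

    if [ "$port" != 22 ]; then echo "PASS: Port $port (non-default)"
    else echo "FAIL: Port 22 (default; the video moves it, e.g. to 8900)"; fails=$((fails + 1)); fi

    if [ "$root" = no ]; then echo "PASS: PermitRootLogin no"
    else echo "FAIL: PermitRootLogin $root (set it to 'no')"; fails=$((fails + 1)); fi

    if [ "$pw" = no ]; then echo "PASS: PasswordAuthentication no"
    else echo "FAIL: PasswordAuthentication $pw (keys only: set it to 'no')"; fails=$((fails + 1)); fi

    if [ "$pk" = yes ]; then echo "PASS: PubkeyAuthentication yes"
    else echo "FAIL: PubkeyAuthentication $pk (must stay 'yes')"; fails=$((fails + 1)); fi

    return "$fails"
}

# Two constructed sample files (not taken from any real host): a stock-looking
# config with the defaults left in place, and one edited as the video suggests.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: defaults commented out, password logins left on
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 8900
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Stand-alone run: audit both samples. '|| true' keeps a non-zero fail count
# from aborting the script when it is run under 'set -e'.
echo "== weak sample =="; audit_sshd_config "$WEAK_CFG" || true
echo "== hardened sample =="; audit_sshd_config "$HARDENED_CFG" || true
```

On a real host, run `audit_sshd_config /etc/ssh/sshd_config` (as root, since the file is usually not world-readable). After editing sshd_config, validate it with `sudo sshd -t` before restarting the service, keep your current session open while you confirm a fresh login works on the new port, and, if the host runs UFW as in the video, allow the new port before the restart so the change cannot lock you out.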

Top 5 Linux Security Best Practices Every Admin Must Know Transcription

• 00:00 - 00:30 Hello and welcome to today's video. We will be speaking about the top five Linux security best practices every admin should know. I recently wrote an article for IT Pro Today on the top five Linux security best practices every admin must know; you can find a link to this article in the description. In the meantime, let's run through it in our virtual machine. We're inside our Kali box over here. Let's first of all talk about
• 00:30 - 01:00 securing remote access. Secure Shell, or SSH, commonly used on Linux machines especially, is the lifeline for Linux administrators, but attackers also commonly target it. There are a few steps to harden Secure Shell. First of all, use SSH key pairs instead of password authentication, always. One of the best ways to secure SSH access is using SSH key pairs instead of password-based authentication, which can be vulnerable to threats, for example
• 01:00 - 01:30 brute-force and dictionary attacks. To generate SSH key pairs, go ahead and open your terminal. Inside my terminal, let's just go ahead and type ssh-keygen, hit enter, and we can see it's generated a public/private key pair. What's happened here is it has generated us an ED25519 key pair, so this is the algorithm that it's used, and it's the Edwards-curve
• 01:30 - 02:00 Digital Signature Algorithm, which is EdDSA, and it uses Curve25519, which is a highly secure elliptic curve. It's considered more secure and faster than older algorithms like RSA or ECDSA, and it produces smaller keys, only 256 bits, while providing the same strong security. So I'm just going to go ahead and hit enter; this is actually where I would like this to be saved,
• 02:00 - 02:30 inside .ssh ID. Let's go ahead and hit enter. It's created the directory .ssh, the hidden directory. So I can go ahead and I can create a passphrase if I like. There's my passphrase; you can't see it. It prompted me to do it again, and it's telling me that my identification has been saved here, the public key has been saved here, there's the key fingerprint and there's the key's randomart image. So you can now copy this key pair, or you
• 02:30 - 03:00 can copy the public key to your server or wherever else, and all that you'll do is use the ssh-copy-id command. So what it's done is, because I'm working only on a local machine here, my VM, it's given me a whole bunch of parameters, but it could execute this remotely to save my public key to a server or somewhere else. So that's it for SSH and using SSH key pairs instead of password authentication. Let's move
• 03:00 - 03:30 along, and I'm going to go ahead and clear my screen. Something else that you can do is you can disable root login. You can turn off root login with SSH by editing the ssh_config file, which is located in /etc/ssh. So follow these steps: we're inside our terminal, just change directory. Inside my terminal here, I clear my screen just to make things a bit easier to see, and from
• 03:30 - 04:00 here I can navigate to my SSH configuration directory. We can change directory to /etc/ssh, hit enter, and I'm in /etc/ssh. If I do ls we can see what files I have in here; I can do ls -la to see all hidden files and also have my permissions brought up. So the file that we're interested in here is this ssh_config file, so I'm going to use
• 04:00 - 04:30 sudo because I'd like to write to disk, and what I'd like to do is use nano, which is my favorite text and code editor; you can use whatever you like. And I'd like to go ahead and modify ssh, I can hit underscore here and use tab completion, okay, ssh_config, which is the file that I'd like to go ahead and modify, and I hit enter. It's going to ask you for your
• 04:30 - 05:00 password for sudo, and here we can see the ssh_config file ready for modification. So one of the first things that we can do is go ahead and change our default SSH port, and this is security through obscurity, so we're obscuring something to make ourselves more secure. The default port for SSH is port 22; changing it to a non-default port adds an extra layer of security by reducing exposure to common attacks. So
• 05:00 - 05:30 we're going to open up our SSH config file and we're going to find our line that says Port 22. How we go ahead and do this: we can just use our arrows here and go all the way down to where our port number is specified. So this is our host, and it's specifying there, we can see where the port is, port number 22. I can go ahead and change this, so I can just uncomment this and change this port 22 to something ephemeral, so let's say port 8900. Then what we can do is just
• 05:30 - 06:00 make that neat, we can Ctrl+O to save, hit enter, Ctrl+X, and it's as simple as that: my default port for SSH has been changed. Something else that you can do is add multifactor authentication. I've written extensively on this and created videos on it; you can just navigate or go to my IT Pro Today profile and you can see where I've written an article on securing SSH with multifactor authentication using Google
• 06:00 - 06:30 Authenticator. Let's go ahead and clear our screens. Something else, underrated, but what we actually must do is keep our system updated. So you're going to use your package manager depending on what distribution you're using; it could be yum or dnf. In this case it's a Kali box, so I'm going to use apt, so I hit sudo apt update
• 06:30 - 07:00 and double ampersand sudo apt upgrade, and I can add the yes flag. So let's break this down: update is updating the operating system, upgrade is upgrading all packages. We want to update the operating system to patch any vulnerabilities and we want to upgrade all software packages, because if there is a vulnerability in a package that's been installed it's a vector, or it's a way of access into the machine, and it
• 07:00 - 07:30 presents a security risk. So we always want to upgrade all our packages. For example, Python 2 you shouldn't be using because it is vulnerable; it's just one example, there are many others. I can just go ahead and hit enter. I've given it the yes flag, so what it's going to do is not prompt me for any yes or no, it's just going to go ahead and update my system. Let it do its job. apt is still working, okay, and my system has now been updated and all packages have been
• 07:30 - 08:00 upgraded. What we can also do is use unattended upgrades. I've created an article on this before. It's essentially creating a cron job, and a cron job, as you know, is a scheduled task in Linux, and what we can do is use unattended upgrades. So to install unattended upgrades, and what this will do is automatically update and upgrade your system, you can just use your package manager. So in my case it's apt, so sudo apt
• 08:00 - 08:30 install, and we go ahead and type unattended-upgrades, and it's going to go ahead and install unattended upgrades, and then I can go ahead and configure and use unattended upgrades, which will create a cron job, a scheduled task, which will automatically update and upgrade my system. See that apt is working, progress is
• 08:30 - 09:00 78%, 89% progress. We can see that unattended upgrades has been installed. To use it you can just type in unattended-upgrades and hit enter, and okay, I need to be root to run this application, so sudo unattended-upgrades, hit
• 09:00 - 09:30 enter. To get help on unattended upgrades you can just type in (it needs to be done with sudo) sudo unattended-upgrades --help. Let's see what our options are. Okay, okay, and it's going to give you your options and flags, and you can go ahead and configure unattended upgrades to automatically update and upgrade your
• 09:30 - 10:00 system. Okay, something that can also be done is we can configure firewalls. A properly configured firewall blocks unauthorized access before it reaches your server or your machine. I've previously done an in-depth video on using UFW, Uncomplicated Firewall; you can go ahead and take a look at my IT Pro Today contributor page, using iptables and nftables. But let's just chat about how to get started. So first of all, UFW, Uncomplicated Firewall, is a free tool on Debian-based systems. You can use
• 10:00 - 10:30 UFW directly from the command line; for example, you can allow specific traffic with commands like this. So first of all, what I'm going to do is make sure it's installed, so I'm going to just go ahead and type ufw and then version. I can see that it's not installed, it's not found, but would I like to install it? Yes, hit enter, and it's going to go ahead and install the Uncomplicated Firewall. Hey, we can see that Uncomplicated Firewall, UFW, has been installed. I'm a fan of clearing my
• 10:30 - 11:00 screen, we can go ahead and do that, enter. Now if I type in ufw it's recognized it, and version, it's going to give us a whole bunch of... okay, it's giving me, it said invalid syntax, but it's the ufw command and it's given us all the commands that we can use with UFW. So let's clear our screen again and we can chat about allowing certain protocols. So we can do this:
• 11:00 - 11:30 ufw, and if we want to allow SSH or disallow SSH, I can allow SSH, and I go ahead and I hit enter. Okay, you need to be root, remember that: sudo ufw, ufw, ufw allow ssh, go ahead and smack enter, and rules updated. So if we want to disallow SSH we can go ahead and
• 11:30 - 12:00 do sudo ufw disallow, I think it's disallow, we'll soon find out, ssh. No, it's given us... what, okay: disable, enable, allow, deny, deny any rule. So we're supposed to be using that deny keyword. So let's do clear, let's do sudo ufw deny ssh, and we can see that the rules have been updated. I would like to allow SSH,
• 12:00 - 12:30 so we can just go ahead and hit allow ssh again, and we can clear our screens. So if you're going to look for the status of Uncomplicated Firewall, you can just do sudo ufw status, enter. It's inactive, and we can activate it. So the status is inactive; we can go ahead and type in sudo ufw enable. Excuse that, now I don't want to install that, clear my screen and excuse
• 12:30 - 13:00 my typing. You'd like to enable it, okay, and this should say the firewall is active and enabled on system startup. So if I go ahead and take a look at the status again, we can see that the status is active and it's giving me a couple of rules. Let's go ahead and clear our screen. So something else that we can do is implement access controls. You should always follow the rule of least privilege and, as a best practice, assign
• 13:00 - 13:30 permissions using role-based access control, or RBAC. So you can also use sudo in Linux natively to assign administrative privileges sparingly. Something else that we can do is monitor and audit logs. Linux systems use syslog as a standard for logging events, which stores logs in the /var/log directory. So inside /var/log you can use the ls command to see the logs. So for example, auth.log records authentication attempts and kern.log logs kernel operations. Your log
• 13:30 - 14:00 files may differ slightly based on the distribution you use, but everyone will be using this syslog standard. Inside /var/log you can use ls to see the logs. All right, so just ls inside /var/log, and I can see here where all my log files are. Okay, in this virtual machine we can see inside /var/log we've got alternatives.log, boot.log, dpkg.log, fail2ban.log, etc., etc. On your machine you might find auth.log and kern.log and actually
• 14:00 - 14:30 syslog inside your log files. Remember that, whatever environment you're using, if you're managing this, if you're an administrator, remember that you're going to have to configure centralized logging, which I've gone through in a previous video. So what you can do is set up centralized logging; you can do a whole bunch of things, and I can use native Linux tools and commands like grep to search inside logs. All logs have a standardized format, but for example, if I
• 14:30 - 15:00 wanted to, I can also output the contents of a log file to a text file for easy searching or saving somewhere else. So let's just say I would like to cat, well, it's going to want me to do this as sudo, and I would like to cat, let's just talk about the boot log, boot.log, and I would like to output it to boot_log.txt. It's going to give me permission denied. If you need to do some
• 15:00 - 15:30 troubleshooting here, you can just log in, or you can make yourself root with sudo su. Now that I'm root, let's just go ahead and cat boot.log, let's output it to boot_log.txt, and we can see that that's been done. So let's say I want to cat boot_log.txt: there's no output. Let's
• 15:30 - 16:00 just see if we can cat that. That means there's nothing in that log file. Let's just go ahead and cat, let's see, dpkg, dpkg.log, okay, and we can see that there are a few dpkg logs. Let's run the same thing; we don't have to do sudo. Let's just say we'd like to output it, so dpkg.log, use your redirect operator, we'd like to output it to
• 16:00 - 16:30 dpkg.txt to work with, or to grep, or do something else. We hit enter and that's been output. So we can just cat dpkg.txt and we can see there, or we can grep dpkg.txt, and we look for a word here; let's look for startup: grep startup in dpkg.txt. We
• 16:30 - 17:00 can see that grep has found the two instances of startup. So that's essentially working with native Linux commands with your logs, and, like I said, we've been through in depth in previous videos and articles on setting up centralized logging and so on. Well, that's the end of today's video. I really hope that you've enjoyed this and I'll see you on the next one. Bye for now.
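The log-monitoring part of the video stops at cat, a redirect and a single grep. The script below, an added example rather than code from the video, applies the same native tools (grep, sed, sort, uniq, awk) to a constructed auth.log excerpt to answer the two questions a defender asks first: which source address is failing password logins most often, and whether any successful login still used a password instead of a key, which would mean the keys-only recommendation has not actually taken effect. It assumes the standard OpenSSH log wording ("Failed password for ...", "Accepted publickey for ...") as written to /var/log/auth.log on Debian-based systems such as Kali; the sample lines use documentation-range addresses and a made-up hostname, not data from any real system.

```shell
#!/bin/sh
# Added example (not from the video): grep/awk triage of SSH authentication
# events in the syslog-format auth log the video mentions. Assumption:
# standard OpenSSH wording; on RHEL-style systems the file is
# /var/log/secure, and hosts without rsyslog keep it in the journal instead.

# Failed password attempts per source address, most frequent first.
# Output lines look like "<count> <ip>".
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
      | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# The address with the most failures (empty output if there were none).
top_offender() {
    failed_by_ip "$1" | head -n 1 | awk '{ print $2 }'
}

# Successful logins that still used a password. If this prints anything,
# password authentication is effectively still enabled on this host.
accepted_password_logins() {
    grep 'sshd\[[0-9]*\]: Accepted password for' "$1" || true
}

# Number of successful key-based logins (what we expect to see once the
# SSH key-pair recommendation from the video is in place).
accepted_key_count() {
    grep -c 'sshd\[[0-9]*\]: Accepted publickey for' "$1" || true
}

# Constructed sample log (not captured from a real machine): one noisy
# source, one legitimate key login, one stray password login, and an
# unrelated cron line that the filters must ignore.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun  1 10:01:12 host sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Jun  1 10:01:15 host sshd[1201]: Failed password for root from 203.0.113.5 port 51123 ssh2
Jun  1 10:01:19 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Jun  1 10:02:01 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED
Jun  1 10:03:44 host sshd[1215]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2
Jun  1 10:04:10 host sshd[1220]: Accepted password for bob from 192.0.2.44 port 33010 ssh2
Jun  1 10:05:00 host CRON[1300]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
EOF

# Stand-alone run: the same report you would produce against /var/log/auth.log.
echo "Failed password attempts by source:"; failed_by_ip "$SAMPLE_LOG"
echo "Top offender: $(top_offender "$SAMPLE_LOG")"
echo "Successful password logins (should be empty on a keys-only host):"
accepted_password_logins "$SAMPLE_LOG"
echo "Successful key logins: $(accepted_key_count "$SAMPLE_LOG")"
```

Point the functions at the real file with `failed_by_ip /var/log/auth.log` (as root, as the video shows). The "Accepted password" check is the useful one after hardening: a non-empty result means the config change did not reach the running daemon or another config file still allows passwords. On a busy host the same counts are what fail2ban, visible in the video's /var/log listing, uses to decide when to block a source.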