Hardening Access to Your Server | Linux Security Tutorial
Summary
TLDR: This tutorial video focuses on enhancing the security of a Linux server running Ubuntu Server 20.04. The host begins by emphasizing the importance of keeping the server up to date with regular patches and updates. They demonstrate how to update the package manager's repository index and install updates. The video then covers enabling unattended upgrades for automatic security patches. It proceeds to advise on creating a limited user account and disabling root login, ensuring the new user has sudo access. The host also explains how to generate an SSH key pair for secure password-less logins and restrict SSH access to specific users. Finally, they suggest checking for and closing unnecessary open ports to tighten server security. The video serves as a foundational guide for securing a Linux server, with the host highlighting that the journey to a fully secure server is continuous.
Takeaways
- 🛡️ Always keep your Linux server updated by regularly installing patches to protect against outside threats.
- 🔄 Begin by updating the package manager's repository index with 'apt update' before performing any package management tasks.
- 🚀 Use 'apt dist-upgrade' to perform a full upgrade of all installed packages on the server.
- 🔄 Reboot the server after updates to ensure that all patches take effect.
- 🤖 Enable unattended upgrades on Debian and Ubuntu systems to automate the update process and reduce the risk of forgetting to update.
- 👤 Avoid using the root user for daily tasks; create a limited user account and disable root login for enhanced security.
- 🔑 Generate an SSH key pair for secure access to the server without passwords, and copy the public key to the server.
- 🔒 Edit the SSH daemon configuration file to disable root login and restrict SSH access to specific users only.
- 🔄 Regularly check for and remove any unnecessary services or ports that are listening for outside connections to minimize security risks.
- 🔒 Use the 'ss -atpu' command to list ports and services that are open to the outside world, and close any that are not needed.
- 🌐 The journey to a completely secure server is ongoing, with many additional measures that can be taken beyond the foundational concepts covered in the video.
Q & A
What is the main purpose of the video?
-The main purpose of the video is to provide viewers with basic security concepts to better protect their Linux server from outside threats.
What is the first step recommended in the video for securing a Linux server?
-The first step recommended is to keep the Linux server up to date by regularly installing patches and updates.
What command is used to update the repository index for the package manager on Ubuntu?
-The command used to update the repository index on Ubuntu is 'sudo apt update'.
Why is it important to run 'apt update' before performing package manager tasks?
-Running 'apt update' is important to refresh the package manager's understanding of what packages are available, ensuring that the latest packages are considered during updates.
What command is used to perform a full upgrade of all installed packages on the server?
-The command used to perform a full upgrade of all installed packages is 'sudo apt dist-upgrade'.
Why should the server be rebooted after installing updates?
-The server should be rebooted to ensure that some patches take effect, as they may not apply until the next startup.
What is unattended-upgrades and why is it recommended to install it?
-Unattended-upgrades is a package that automates the installation of security updates, reducing the risk of forgetting to update the server and keeping it secure.
Why is it advised to run as a limited account and disable root login after setting up a Linux server?
-Running as a limited account and disabling root login enhances security by reducing the server's exposure to potential intrusions, as the root account is often the first target for attackers.
How can a new user be created on a Linux server running Ubuntu?
-A new user can be created using the 'sudo useradd -m -s /bin/bash username' command, followed by setting a password with 'sudo passwd username'.
What is the significance of using an SSH key for server access?
-Using an SSH key simplifies server access and enhances security by allowing key-based authentication, reducing the reliance on passwords and the risk of brute force attacks.
How can SSH password access be disabled on a Linux server?
-SSH password access can be disabled by editing the SSH daemon's configuration file (/etc/ssh/sshd_config) and setting 'PasswordAuthentication no' and 'ChallengeResponseAuthentication no'.
What command can be used to check which ports are listening for outside connections on a Linux server?
-The 'sudo ss -tulpn' command can be used to check which ports are listening for outside connections.
What is the final recommendation made in the video regarding server security?
-The final recommendation is that the journey to a completely secure server is ongoing, and while the concepts covered in the video provide a good start, there's always more that can be done to enhance security.
Outlines
🛡️ Basic Linux Server Security Measures
This paragraph introduces the video's focus on implementing basic security measures for a Linux server to protect against external threats. It emphasizes that while no server can be made completely invulnerable, essential security practices can significantly enhance protection. The video specifically targets a Linode running Ubuntu Server 20.04 with 1GB of RAM, a single CPU, and 25GB of storage. The first step discussed is keeping the server up-to-date with the latest patches and updates, highlighting the importance of regular updates and the use of package manager commands like 'apt update' and 'apt dist-upgrade' to refresh the repository index and perform a full upgrade of installed packages.
🔄 Enabling Unattended Upgrades for Linux Servers
The second paragraph delves into the importance of automating the update process to ensure the server remains secure without manual intervention. It explains how to enable 'unattended-upgrades' on Debian and Ubuntu systems, starting with installing the package if it's not already present, and then configuring it to automatically apply security updates. The process involves using 'dpkg-reconfigure' with specific options to enable the feature. The paragraph also touches on the need to reboot the server after updates to ensure patches take effect and provides a brief guide on how to do so through the Linode dashboard.
👤 Creating a Limited User Account and Disabling Root Login
This paragraph discusses the security benefits of running a Linux server as a limited user account instead of the root user. It walks through the process of creating a new user with 'useradd' and setting a password with 'passwd'. The user is then added to the 'sudo' group to grant administrative privileges, ensuring they can perform essential tasks without needing the root account. The importance of having 'sudo' installed and properly configured is highlighted, along with the steps to verify that the new user has the necessary permissions to execute 'sudo' commands.
🔒 Securing SSH Access with Key Pairs
The focus of this paragraph is on securing SSH access to the server by generating a public-private key pair and disabling password authentication. It explains the process of creating an SSH key using 'ssh-keygen' and copying the public key to the server with 'ssh-copy-id'. The benefits of using SSH keys for simplified and secure access are outlined. The paragraph then details the steps to edit the SSH daemon configuration file to prohibit root login and restrict SSH access to specific users, enhancing the server's security by limiting potential entry points for attackers.
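The following audit script is an added example, not something shown in the video: it checks an sshd_config-style file for the settings named in this summary (PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication, AllowUsers). The function names, the sample files and the user names in them are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config-style file for the settings described above.
# sshd uses the FIRST value it reads for each keyword and treats keyword names
# case-insensitively, so the lookup below does the same. Include files and
# Match blocks are not evaluated; `sudo sshd -T` prints the resolved config.

# Print the first global value of keyword $2 in file $1 (empty if unset).
sshd_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Report PASS/FAIL per setting; return non-zero if anything fails.
audit_sshd_config() {
    local file=$1 fails=0 key want got
    while read -r key want; do
        got=$(sshd_value "$file" "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            # Unset means the built-in default applies; treat it as a finding.
            echo "FAIL $key ${got:-<unset>} (want $want)"
            fails=$((fails + 1))
        fi
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
    got=$(sshd_value "$file" AllowUsers)
    if [ -n "$got" ]; then
        echo "PASS AllowUsers $got"
    else
        echo "FAIL AllowUsers <unset> (no per-user restriction)"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample files (not taken from a real server).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# constructed sample: the later "no" is ignored because the first value wins
Port 22
PermitRootLogin yes
#PasswordAuthentication no
permitrootlogin no
Match User backup
    PasswordAuthentication no
EOF

cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
# constructed sample
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers tim sue
EOF

echo "== weak.conf ==";     audit_sshd_config "$SAMPLE_DIR/weak.conf" || true
echo "== hardened.conf =="; audit_sshd_config "$SAMPLE_DIR/hardened.conf"
```

On a real server, run `sudo sshd -t` to validate the edited file before restarting the daemon, and keep the existing session open until a second login succeeds.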
🚨 Minimizing Open Services and Ports for Enhanced Security
The final paragraph emphasizes the importance of minimizing open services and ports to reduce the server's attack surface. It demonstrates how to use the 'ss' command to list active ports and services, advising viewers to close unnecessary ports and remove unneeded services to improve security. The paragraph also discusses the process of restarting the SSH daemon to apply changes and the importance of verifying that SSH continues to function correctly after configuration changes. It concludes with a reminder that securing a server is an ongoing process and encourages viewers to explore additional security measures beyond the foundational concepts covered in the video.
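The port review described above can be scripted. This is an added example, not from the video: it reads `ss -tulpn` output and prints every listener reachable from outside that is not on a list of ports you can justify. The function name and the sample `ss` output are constructed.

```shell
#!/usr/bin/env bash
# Added example: flag externally reachable listeners with no stated justification.
# Usage on a live host: sudo ss -tulpn | unexplained_listeners 22 80

# Reads `ss -tulpn` output on stdin; arguments are the ports you expect to be open.
# Prints "proto/port process" for every other listener not bound to loopback.
unexplained_listeners() {
    awk -v allowed=" $* " '
        $1 != "tcp" && $1 != "udp" { next }          # skips the header line
        $2 != "LISTEN" && $2 != "UNCONN" { next }    # listening sockets only
        {
            ep = $5                                  # Local Address:Port column
            n = split(ep, part, ":")
            port = part[n]                           # text after the last colon
            addr = substr(ep, 1, length(ep) - length(port) - 1)
            sub(/%.*$/, "", addr)                    # drop scope such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (index(allowed, " " port " ")) next         # justified port
            key = $1 "/" port
            if (key in seen) next                    # IPv4 and IPv6 twins
            seen[key] = 1
            split($7, q, "\"")                       # users:(("name",pid=..,fd=..))
            print key, (q[2] != "" ? q[2] : "unknown")
        }'
}

# Constructed sample of `ss -tulpn` output (not captured from a real server).
SS_SAMPLE=$(mktemp)
trap 'rm -f "$SS_SAMPLE"' EXIT
cat > "$SS_SAMPLE" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      511    *:80               *:*               users:(("apache2",pid=830,fd=4))
tcp   LISTEN 0      100    0.0.0.0:25         0.0.0.0:*         users:(("master",pid=1201,fd=13))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=701,fd=4))
tcp   LISTEN 0      70     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=950,fd=21))
EOF

# SSH and HTTP are justified on this host, as in the video; the rest is reported.
unexplained_listeners 22 80 < "$SS_SAMPLE"
```

In the sample, the Postfix listener on port 25 (process name `master`) is the only one reported; the loopback-only resolver and database sockets are skipped.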
Keywords
💡Linux Server
💡Security
💡SSH (Secure Shell)
💡Updates
💡Unattended Upgrades
💡Root User
💡User Account
💡Sudo
💡SSH Key Pair
💡Port
💡Apache
Highlights
Introduction to basic security concepts for a Linux server.
The importance of keeping the server up to date with regular patch installations.
Updating the repository index with 'apt update' before performing package manager tasks.
Performing a full upgrade of all installed packages using 'apt dist-upgrade'.
Rebooting the Linode to ensure patches take effect.
Enabling unattended upgrades for automatic security updates.
Creating a limited user account and disabling root login for enhanced security.
Adding a new user with 'useradd' and setting a password with 'passwd'.
Ensuring the new user has sudo access by adding them to the appropriate group.
Generating an SSH key pair for secure server access.
Copying the public SSH key to the Linode for key-based authentication.
Editing the SSH config file to disable password authentication and restrict root login.
Using 'ss -atpu' to check for open ports and services listening for outside connections.
Removing unnecessary services to minimize open ports and enhance server security.
The ongoing nature of server security and the need for continuous improvement.
Conclusion and call to action for viewers to like, subscribe, and engage with the content.
Transcripts
hello and welcome back to linode
in today's video we're going to take a
look at some concepts that we can
implement
that'll give our linux server a basic
level of security that'll better protect
it from outside threats now there's no
way to make a server bulletproof and the
concepts around security are practically
endless because it's a huge topic
but in this video the essential things
that we will implement
will definitely give our linode a layer
of protection that'll definitely be
helpful
so let's go ahead and dive in and take a
look at some of the things that we can
do
to better secure our linode
so let's go ahead and get started
specific for this video i have this test
linode right here running ubuntu server
20.04
it's a nanode with one gigabyte of ram a
single cpu
and 25 gigabytes of storage now what we
should do is go ahead and get this
server secured so it's better protected
from outside threats
so first of all i will copy the ip
address so we can go ahead and use ssh
to connect to it
and there we go so now that i've logged
in we can see that i have 25
updates apparently that can be installed
and that actually brings me to
my first point you should always keep
your linode up to date
it's not good enough to simply install
all of the patches the day you create
the linode
you should keep it up to date every
single day and regularly install your
patches
so let's go ahead and get those up to
date now the first thing we always want
to do when we are using
a package manager with a linux
distribution is update the repository
index for the package manager
and since this is running ubuntu the
command will look like this
on a debian or ubuntu system it's pretty
much the same on both
apt update will just update the
repository index to basically refresh
its understanding of what packages are
available it's not actually going to
update anything so anyway i'll press
enter here
so now that that's done we can actually
see from the output here that there are
26 packages that can be upgraded
and if you recall at the beginning of
the video it showed 25
and that's a good example of why we
should run apt update before we perform
package manager tasks
because we already have a new package
that's made available since the last
time this was refreshed
so to go ahead and install all the
updates we could run this command right
here
apt dist upgrade so this is going to do
a full
upgrade of all of the packages that are
installed on the server currently
so i'll press enter so we can see here
that we have 26 packages to upgrade
and six of those are newly installed
and the y here is capitalized which
means basically if we were to press
enter that's the default it's going to
go ahead and say yes
if we want to abort we could just do n
for no and press enter and then it will
abort that entire process so i'll just
press enter because i do want to get
these upgraded
all right so now all the packages on
this linux are all up to date
now the commands that i've shown you so
far are specific to debian and ubuntu
if your linode is running something
else for example centos then the command
will change
in the documentation on the linode
website there are examples for all the
distributions that are supported
so at this point it's a good idea to go
ahead and reboot the linode
because if we don't then some of the
patches won't take effect until the next
time it starts up
so it's a good idea to go ahead and
reboot it if you can that's actually
pretty easy if we go up here to the
dashboard
where it shows running we can go ahead
and drop this down and then we can click
on reboot
click reboot again
then up here we get a progress bar
that's going to show us the progress of
the reboot so we simply wait for the
linode to come back up
and then we can reconnect and continue
on
all right we should be back up and
running so we should be able to
reconnect
now as we can see here again we have
zero packages
that are available for updates so we
should be good to go
now i don't know about you but i am very
forgetful i lose my car keys
i don't remember where i put my cell
phone my memory just isn't all that
great so
remembering to install the updates on my
linode is just not something that i can
trust myself to do
so what i do is i use unattended
upgrades and i highly recommend that
even if you're not forgetful because
it's one less thing that you have to
worry about and each of the
distributions have their own
method for enabling automatic updates
so on debian and ubuntu it's pretty
simple so i'll go ahead and show you
what to
do for this we will need to install a
package
so if you haven't already run apt update
to resynchronize your package index you
should go ahead and do that
but what we actually want to do is run
apt install
and the package is
unattended hyphen upgrades but i'll
press enter
so as you can see here unattended
upgrades is already installed
and if you receive similar output that's
great then that means you already have
the required package
simply having unattended upgrades
installed isn't enough to actually make
it work
we need to go ahead and turn this
feature on so to do that
we will run dpkg reconfigure
dash dash priority equals low
then unattended upgrades
and now here it's asking us if we want
to go ahead and enable automatic
updates and that's the entire reason why
we are going through this exercise so
i'll say yes
it's just basically a matter of pressing
the left arrow and pressing enter
and there you go so at this point
forward security updates should be
installed automatically
now moving on there's another problem
that we should take care of when it
comes to securing our linode
and that's the fact that i'm running as
the root user
now if you are just setting up your
linux for the very first time
then running as root is expected but
after you get everything all set up it's
better to run
as a limited account and actually
disable root login
so to do that we should create a user
account for ourselves
so to add a new user we're going to use
useradd
then we'll add the option dash m so that
our user will get a home directory
dash s for the shell we'll set it to bin
bash
just like that and then the name of the
user that we want to create so i'll just
name my j
you know my first name keeps it simple
and then a double ampersand
and we'll use the passwd command because
we want to set a password for the new
user
and then we'll use the same username
here as well now essentially here we
have two
different commands the first one is
creating the user
and then the second command is just
setting the password so i'll press
enter i'm just typing in the new
password
the desired password that i want the new
user to have
and that's basically all there is to it
so if we list the storage of the home
directory
we should see a directory that is named
the same as the user account that we've
just created
and then if we check the /etc/passwd
file
we can see the new user there at the
bottom and now the new user can go ahead
and log into the system
at this point though you should make
sure that you have sudo installed
so you could do which and then sudo just
like that and you should get some output
if you don't get any output then that
means that the package is not installed
so on debian and ubuntu it's apt install
sudo it's pretty easy so
once you have sudo installed that's not
enough to give you access to it you have
to make sure that your user is able to
access the sudo command
and to do that you can run visudo just
like that
and if you scroll down you're looking
for a group
and here we have two groups actually
start with a percent symbol
so we have the admin group and we have
the sudo group so you can basically make
your user a member of either of these
two groups
and you should be good to go with sudo
access for that user
and the reason why i'm having you guys
pull this up is because different
distributions will use a different group
for sudo access by default
so on a centos system for example you
might actually see
a similar verbiage as i have here but
the group name might be
wheel so what you're going to do is
choose a group
that is shown in this file that has
access to sudo
and again we have admin and sudo in this
case
and add your user to be a member of one
of those groups
so to do that we can run usermod
dash lowercase a uppercase g and then
the name of the group
which could be you know depending on
your distribution it could be sudo
it could be admin it could be wheel and
so on
so i'm going to use sudo because that's
the default for ubuntu and debian
and then the username you want to add to
that group
to verify that everything worked out you
can run this command groups and then
your username
and you should see that group that
you've added that user to in the output
to show that it has indeed been set up
so now that we have added our user
account to the appropriate group
you can go ahead and switch to that user
and just make sure that sudo works
so to do that is su hyphen then the
username that you've just created
and what we should be able to do is run
a command with sudo so i'll just do sudo
apt
update simple enough it doesn't really
matter we just want to make sure that
sudo actually works
i'll type in my user's password
and it's working so it looks like my new
user account
has access to sudo so everything seems
to be working perfectly fine
so now let's go ahead and lock down openssh
so i've exited my ssh session and what i
want to do is create a public
private key pair basically an ssh key
that i can use to connect to the server
because the best thing that we can do is
disable password access which is what
i'm going to show you how to do now
so first we're going to need to generate
an ssh key
and to do that i will run ssh hyphen
keygen i'll press enter
and it's going to default to adding the
key into the dot
ssh directory inside your home directory
with a default name of id underscore rsa
now if you already have a key in your
home directory in the dot ssh folder
with that name
it will be overwritten so be careful of
that if you already have a key you can
use the key that you've already
generated if you have one
but if you overwrite that key you'll
never be able to get it back so assuming
that you don't already have a key with
that name in that folder we can press
enter and now we can enter a passphrase
passphrases are optional but highly
recommended but to keep the tutorial
simple i'll just press enter to bypass
that for now then enter again and now
our ssh key is created
so if we take a look at the ssh
directory inside
our home directory you can see that we
have two files id underscore rsa and id
underscore rsa.pub
now this is actually the private key
we don't want to show that content to
anyone for any
reason because that needs to be
protected there's a reason why
that's called a private key this key
right here the one that ends in a dot
pub
extension that's our public key and it
doesn't matter who we show that to
we can show that to everybody and it
doesn't matter because as long as we
don't leak the private key
then we're fine but how does that help
us with ssh
well what we can do is copy this key
over to our linode
and to do that we will use this command
right here ssh
hyphen copy hyphen id we'll use the
option dash
i and then the tilde
dot ssh then the public key file
which is this one right here we'll type
in the username
then the at symbol and then we'll paste
in the ip address
so essentially what we're doing is we're
using the ssh copy id
command giving it an input file that is
the public key
the one that we've just created and then
we give it the username to our linode
at then the ip address of our linode and
if i press
enter it'll ask me for the password for
ssh so i'll type that in
and it's dropped me back to the shell of
my laptop but it says number of keys
added
one so now if i go ahead and ssh into
the linode
just like this and now you'll notice
that i was immediately connected to the
linode and it didn't even ask me for
the password for my user
this is one of the benefits of having an
ssh key because it simplifies
access via ssh to the server but the
entire reason why we're doing this is
not to make ssh easier although well
that's a great added benefit
the reason that we're doing that is
because this allows us to lock down
ssh altogether and what we'll need to do
in order to accomplish that is edit the
ssh config file for the ssh daemon
and we can do that by entering sudo nano
or whatever text editor you want to use
slash etc
slash ssh slash sshd
underscore config just like that and
press enter
type in my password now if we scroll
down a little bit here
we have permit root login yes we want to
change that to no
because that's a user account that is
going to be targeted first
for intrusions from the outside so by
setting this to no we are not allowing
root to log
in at all now what we could also do is
add a new option and it doesn't really
matter where but i'm going to add it
right here
and that could be allow with a capital a
users of the capital u no space there
and then a list of user names we want to
allow to ssh into our linode so i'll
add mine
if you have other users that you want to
access the linode then you can add them
here on this line as well with a space
in between each
so for example we could do something
like this
to allow tim and sue access to the linux
for example
but i'm going to simply leave my name
right here
ctrl o to save the file and control x to
exit out
and then we will go ahead and restart
the service
and this should be the command on quite
a few distributions actually
so i'll just enter this command to
restart the ssh daemon
so notice that when i restarted the ssh
daemon it didn't drop my ssh session i
still have that open
i could still use it and you definitely
don't want to disconnect until you know
that it's working
and what we could do is open a new tab
then in the new tab we could simply ssh
into the ip address of our linode
make sure that it still works
and it does so that's very important
again we want to make sure that ssh is
fully working
before we drop out of our original shell
because if we dropped out of that shell
then well we've actually lost our only
way into the server
but on this new tab i've actually
created a new ssh session
that allowed me in so i know that it's
working fine worst case scenario if you
do get locked out you can actually go
into the lish console
on the linode dashboard and you can fix it
from there so no big deal
another thing that we can do is make
sure that we don't have any services
running that are listening for
outside connections because the fewer
ports that are open
the more secure our server actually is
so what we can do is run sudo ss
dash atpu just like that
type in my super secret password yet
again
and we can see a list of ports that are
actually listening for outside
connections
now already we have ssh and that's okay
because i want that i want to be able to
use ssh and we've just secured that just
now
so that's not really a concern to me we
also have http
listed right here and that's also
expected in my case because i am running
apache 2 which is a popular web server
this is actually running a blog
so it is important for this server to be
listening for connections
via port 80 for apache but if you see
anything here that you can't explain
anything that's open to the world
that doesn't have a justification it's
important to go ahead and remove
it so for example if you had postfix
listed you could run
sudo apt remove postfix
if that wasn't something that you were
trying to run or didn't need
i can't show you a complete walkthrough
of this because
depending on what you have installed on
your linode this is going to be
different for everyone
essentially what you're doing is you are
running the ss command like we have here
and looking for some port that is
listening that you don't have a
justification for
and if it has no purpose then go ahead
and remove it because again the fewer
services that you have running that are
listening for outside connections
the more secure your linode is
so when it comes to security there's
many different things that we can do to
protect our servers from outside harm
in this video we took a look at some of
the foundational concepts that we can
utilize
to better secure our servers things like
securing openssh
for example but it doesn't stop here the
road to a completely secure
server is never ending there's a lot
more that we can do
but the concepts that we've gone over in
this video will definitely get us off to
a good start
so thank you so much for watching and if
you haven't already done so
please like and subscribe and we'll see
you in the next video