Hardening Access to Your Server | Linux Security Tutorial

Akamai Developer
11 Nov 2020 18:48

Summary

TLDR: This tutorial video focuses on enhancing the security of a Linux server running Ubuntu Server 20.04. The host begins by emphasizing the importance of keeping the server up to date with regular patches and updates. They demonstrate how to update the package manager's repository index and install updates. The video then covers enabling unattended upgrades for automatic security patches. It proceeds to advise on creating a limited user account and disabling root login, ensuring the new user has sudo access. The host also explains how to generate an SSH key pair for secure password-less logins and restrict SSH access to specific users. Finally, they suggest checking for and closing unnecessary open ports to tighten server security. The video serves as a foundational guide for securing a Linux server, with the host highlighting that the journey to a fully secure server is continuous.

Takeaways

  • Always keep your Linux server updated by regularly installing patches to protect against outside threats.
  • Begin by updating the package manager's repository index with 'apt update' before performing any package management tasks.
  • Use 'apt dist-upgrade' to perform a full upgrade of all installed packages on the server.
  • Reboot the server after updates to ensure that all patches take effect.
  • Enable unattended upgrades on Debian and Ubuntu systems to automate the update process and reduce the risk of forgetting to update.
  • Avoid using the root user for daily tasks; create a limited user account and disable root login for enhanced security.
  • Generate an SSH key pair for secure access to the server without passwords, and copy the public key to the server.
  • Edit the SSH daemon configuration file to disable root login and restrict SSH access to specific users only.
  • Regularly check for and remove any unnecessary services or ports that are listening for outside connections to minimize security risks.
  • Use the 'ss -atpu' command to list ports and services that are open to the outside world, and close any that are not needed.
  • The journey to a completely secure server is ongoing, with many additional measures that can be taken beyond the foundational concepts covered in the video.

Q & A

  • What is the main purpose of the video?

    -The main purpose of the video is to provide viewers with basic security concepts to better protect their Linux server from outside threats.

  • What is the first step recommended in the video for securing a Linux server?

    -The first step recommended is to keep the Linux server up to date by regularly installing patches and updates.

  • What command is used to update the repository index for the package manager on Ubuntu?

    -The command used to update the repository index on Ubuntu is 'sudo apt update'.

  • Why is it important to run 'apt update' before performing package manager tasks?

    -Running 'apt update' is important to refresh the package manager's understanding of what packages are available, ensuring that the latest packages are considered during updates.

  • What command is used to perform a full upgrade of all installed packages on the server?

    -The command used to perform a full upgrade of all installed packages is 'sudo apt dist-upgrade'.

  • Why should the server be rebooted after installing updates?

    -The server should be rebooted to ensure that some patches take effect, as they may not apply until the next startup.

  • What is unattended-upgrades and why is it recommended to install it?

    -Unattended-upgrades is a package that automates the installation of security updates, reducing the risk of forgetting to update the server and keeping it secure.

  • Why is it advised to run as a limited account and disable root login after setting up a Linux server?

    -Running as a limited account and disabling root login enhances security by reducing the server's exposure to potential intrusions, as the root account is often the first target for attackers.

  • How can a new user be created on a Linux server running Ubuntu?

    -A new user can be created using the 'sudo useradd -m -s /bin/bash username' command, followed by setting a password with 'sudo passwd username'.

  • What is the significance of using an SSH key for server access?

    -Using an SSH key simplifies server access and enhances security by allowing key-based authentication, reducing the reliance on passwords and the risk of brute force attacks.

  • How can SSH password access be disabled on a Linux server?

    -SSH password access can be disabled by editing the SSH daemon's configuration file (/etc/ssh/sshd_config) and setting 'PasswordAuthentication no' and 'ChallengeResponseAuthentication no'.

  • What command can be used to check which ports are listening for outside connections on a Linux server?

    -The 'sudo ss -tulpn' command can be used to check which ports are listening for outside connections.

  • What is the final recommendation made in the video regarding server security?

    -The final recommendation is that the journey to a completely secure server is ongoing, and while the concepts covered in the video provide a good start, there's always more that can be done to enhance security.

Outlines

00:00

Basic Linux Server Security Measures

This paragraph introduces the video's focus on implementing basic security measures for a Linux server to protect against external threats. It emphasizes that while no server can be made completely invulnerable, essential security practices can significantly enhance protection. The video specifically targets a Linode running Ubuntu Server 20.04 with 1GB of RAM, a single CPU, and 25GB of storage. The first step discussed is keeping the server up-to-date with the latest patches and updates, highlighting the importance of regular updates and the use of package manager commands like 'apt update' and 'apt dist-upgrade' to refresh the repository index and perform a full upgrade of installed packages.

05:01

Enabling Unattended Upgrades for Linux Servers

The second paragraph delves into the importance of automating the update process to ensure the server remains secure without manual intervention. It explains how to enable 'unattended-upgrades' on Debian and Ubuntu systems, starting with installing the package if it's not already present, and then configuring it to automatically apply security updates. The process involves using 'dpkg-reconfigure' with specific options to enable the feature. The paragraph also touches on the need to reboot the server after updates to ensure patches take effect and provides a brief guide on how to do so through the Linode dashboard.

10:02

Creating a Limited User Account and Disabling Root Login

This paragraph discusses the security benefits of running a Linux server as a limited user account instead of the root user. It guides through the process of creating a new user with 'adduser' and setting a password with 'passwd'. The user is then added to the 'sudo' group to grant administrative privileges, ensuring they can perform essential tasks without needing the root account. The importance of having 'sudo' installed and properly configured is highlighted, along with the steps to verify that the new user has the necessary permissions to execute 'sudo' commands.

15:04

Securing SSH Access with Key Pairs

The focus of this paragraph is on securing SSH access to the server by generating a public-private key pair and disabling password authentication. It explains the process of creating an SSH key using 'ssh-keygen' and copying the public key to the server with 'ssh-copy-id'. The benefits of using SSH keys for simplified and secure access are outlined. The paragraph then details the steps to edit the SSH daemon configuration file to prohibit root login and restrict SSH access to specific users, enhancing the server's security by limiting potential entry points for attackers.
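The following is an added example, not code from the video or from Linode: a shell audit of an sshd_config-style file for the settings described above, showing that sshd keeps the first value it reads for a keyword. The sample configs, the user name `exampleuser` and the function names are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit an sshd_config-style file for the settings named above.
# sshd keeps the FIRST value it reads for a keyword and matches keywords
# case-insensitively, so "PermitRootLogin no" below "PermitRootLogin yes" is ignored.

# effective_value FILE KEYWORD: print the first global value, or nothing if unset.
effective_value() {
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    { key = tolower($1) }
    key == "match" { exit }              # Match blocks are conditional: stop there
    key == want {
      $1 = ""; sub(/^[ \t]+/, "")        # the rest of the line is the value
      print; exit
    }
  ' "$1"
}

# check FILE KEYWORD WANT: print a finding and return 1 unless the value equals WANT.
check() {
  got=$(effective_value "$1" "$2")
  if [ "$got" = "$3" ]; then return 0; fi
  printf 'FINDING %s: effective value is "%s", expected "%s"\n' \
    "$2" "${got:-<unset>}" "$3"
  return 1
}

# audit_sshd_config FILE: run every check; the exit status is the number of findings.
audit_sshd_config() {
  findings=0
  check "$1" PermitRootLogin no || findings=$((findings + 1))
  check "$1" PasswordAuthentication no || findings=$((findings + 1))
  check "$1" ChallengeResponseAuthentication no || findings=$((findings + 1))
  if [ -z "$(effective_value "$1" AllowUsers)" ]; then
    echo 'FINDING AllowUsers: not set, SSH logins are not restricted to named users'
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample: the permissive line comes first, one setting is commented
# out, and another appears only inside a Match block.
sample_weak() {
  cat <<'EOF'
# constructed sample, not a real host's configuration
PermitRootLogin yes
#PasswordAuthentication no
permitrootlogin no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
EOF
}

# Constructed sample with every setting from the video in place.
sample_hardened() {
  cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers exampleuser
EOF
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
sample_weak > "$tmp/weak.conf"
sample_hardened > "$tmp/hardened.conf"
for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
  echo "== $f"
  if audit_sshd_config "$f"; then echo "no findings"; fi
done
```

On a live host, `sudo sshd -T` prints the fully resolved configuration, including files pulled in by `Include`, which this sketch does not follow.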

Minimizing Open Services and Ports for Enhanced Security

The final paragraph emphasizes the importance of minimizing open services and ports to reduce the server's attack surface. It demonstrates how to use the 'ss' command to list active ports and services, advising viewers to close unnecessary ports and remove unneeded services to improve security. The paragraph also discusses the process of restarting the SSH daemon to apply changes and the importance of verifying that SSH continues to function correctly after configuration changes. It concludes with a reminder that securing a server is an ongoing process and encourages viewers to explore additional security measures beyond the foundational concepts covered in the video.
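The following is an added example, not from the video: it filters `ss` output down to sockets that accept outside connections and are not on a list of expected ports. It assumes numeric output (`ss -atpun`, which adds `-n` to the flags shown in the video); the sample output, the `proto/port` allowlist format and the function names are constructed.

```bash
#!/bin/sh
# Added example: report listeners that are reachable from outside the host and
# are not on an allowlist of expected services.

# exposed_listeners "proto/port ...": read `ss -atpun` output on stdin and print
# "proto/port address process" for every unexpected non-loopback listener.
exposed_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Netid" { next }                          # header row
    $2 != "LISTEN" && $2 != "UNCONN" { next }       # -a also lists live connections
    {
      n = split($5, part, ":"); port = part[n]      # port is after the last colon
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") next  # loopback only: not reachable
      if (($1 "/" port) in ok) next                 # expected service
      proc = "unknown"                              # process column needs root
      if (split($7, q, "\"") >= 2) proc = q[2]
      print $1 "/" port, addr, proc
    }
  '
}

# Constructed sample of `sudo ss -atpun` output (addresses are documentation ranges).
sample_ss_output() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=601,fd=12))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=655,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=702,fd=3))
tcp   LISTEN 0      511    *:80               *:*               users:(("apache2",pid=845,fd=4))
tcp   LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=910,fd=21))
tcp   LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=930,fd=6))
tcp   ESTAB  0      0      203.0.113.10:22    198.51.100.7:51514 users:(("sshd",pid=1201,fd=4))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=702,fd=4))
EOF
}

# SSH and the web server are the services the video treats as expected.
sample_ss_output | exposed_listeners "tcp/22 tcp/80"
```

On a live host the same filter reads from `sudo ss -atpun | exposed_listeners "tcp/22 tcp/80"`.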

Keywords

Linux Server

A Linux server is a computer system that operates as a server using the Linux operating system. In the video, the Linux server is the main subject, as the host discusses various security measures to protect it from outside threats, emphasizing the importance of a secure server environment.

Security

Security in the context of the video refers to the measures taken to protect a server from unauthorized access and potential threats. It is the overarching theme of the video, with the host explaining different practices to enhance the security of a Linux server.

SSH (Secure Shell)

SSH is a protocol that provides a secure channel over an unsecured network for remote login and other secure network services. The video script includes a detailed explanation of how to secure SSH access by using SSH keys and disabling password-based authentication.

Updates

Updates in this context refer to the latest patches and software versions that are released to fix vulnerabilities and improve system functionality. The script emphasizes the importance of regularly updating the server to keep it secure against new threats.

Unattended Upgrades

Unattended Upgrades is a feature in some Linux distributions that allows for the automatic installation of security updates. The video explains how to enable this feature to ensure that the server is always up-to-date without manual intervention.

Root User

The root user, also known as the superuser, has the highest level of access within a Linux system. The script discusses the security implications of using the root user and recommends creating a limited user account and disabling root login to enhance security.

User Account

A user account in Linux is a set of user-specific settings and permissions. The video script provides a step-by-step guide on creating a new user account, setting a password, and adding the user to the sudo group to allow administrative access without using the root account.

Sudo

Sudo is a command in Linux that allows users to run programs with the security privileges of another user (by default, the superuser or root). The video explains how to ensure that a newly created user has sudo privileges, which is essential for performing administrative tasks securely.

SSH Key Pair

An SSH key pair consists of a private key, which is kept secret on the user's machine, and a public key, which can be shared openly. The script details the process of generating an SSH key pair and using it to secure SSH access to the server by disabling password authentication.

Port

In the context of networking, a port is an endpoint of communication in the OS's network software architecture. The video script mentions checking for open ports to ensure that only necessary services are listening for outside connections, thereby reducing potential attack vectors.

Apache

Apache is a popular open-source web server software. The script mentions Apache as an example of a service that might be running on the server and listening on port 80 for HTTP connections, which is expected and justified in the context of running a web server.

Highlights

Introduction to basic security concepts for a Linux server.

The importance of keeping the server up to date with regular patch installations.

Updating the repository index with 'apt update' before performing package manager tasks.

Performing a full upgrade of all installed packages using 'apt dist-upgrade'.

Rebooting the Linode to ensure patches take effect.

Enabling unattended upgrades for automatic security updates.

Creating a limited user account and disabling root login for enhanced security.

Adding a new user with 'useradd' and setting a password with 'passwd'.

Ensuring the new user has sudo access by adding them to the appropriate group.

Generating an SSH key pair for secure server access.

Copying the public SSH key to the Linode for key-based authentication.

Editing the SSH config file to disable password authentication and restrict root login.

Using 'ss -atpu' to check for open ports and services listening for outside connections.

Removing unnecessary services to minimize open ports and enhance server security.

The ongoing nature of server security and the need for continuous improvement.

Conclusion and call to action for viewers to like, subscribe, and engage with the content.

Transcripts

play00:05

hello and welcome back to linode

play00:07

in today's video we're going to take a

play00:09

look at some concepts that we can

play00:11

implement

play00:11

that'll give our linux server a basic

play00:14

level of security that'll better protect

play00:16

it from outside threats now there's no

play00:18

way to make a server bulletproof and the

play00:20

concepts around security are practically

play00:22

endless because it's a huge topic

play00:25

but in this video the essential things

play00:27

that we will implement

play00:28

will definitely give our linode a layer

play00:30

of protection that'll definitely be

play00:32

helpful

play00:33

so let's go ahead and dive in and take a

play00:36

look at some of the things that we can

play00:37

do

play00:37

to better secure our linode

play00:41

so let's go ahead and get started

play00:45

specific for this video i have this test

play00:47

linode right here running ubuntu server

play00:49

20.04

play00:51

it's a nanode with one gigabyte of ram a

play00:54

single cpu

play00:55

and 25 gigabytes of storage now what we

play00:59

should do is go ahead and get this

play01:00

server secured so it's better protected

play01:02

from outside threats

play01:04

so first of all i will copy the ip

play01:06

address so we can go ahead and use ssh

play01:09

to connect to it

play01:20

and there we go so now that i've logged

play01:22

in we can see that i have 25

play01:24

updates apparently that can be installed

play01:26

and that actually brings me to

play01:28

my first point you should always keep

play01:31

your linode up to date

play01:32

it's not good enough to simply install

play01:34

all of the patches the day you create

play01:35

the linode

play01:36

you should keep it up to date every

play01:38

single day and regularly install your

play01:40

patches

play01:41

so let's go ahead and get those up to

play01:43

date now the first thing we always want

play01:45

to do when we are using

play01:46

a package manager with a linux

play01:48

distribution is update the repository

play01:51

index for the package manager

play01:53

and since this is running ubuntu the

play01:55

command will look like this

play01:57

on a debian or ubuntu system it's pretty

play02:00

much the same on both

play02:01

apt update will just update the

play02:03

repository index to basically refresh

play02:05

its understanding of what packages are

play02:08

available it's not actually going to

play02:09

update anything so anyway i'll press

play02:11

enter here

play02:17

so now that that's done we can actually

play02:18

see from the output here that there are

play02:20

26 packages that can be upgraded

play02:23

and if you recall at the beginning of

play02:24

the video it showed 25

play02:26

and that's a good example of why we

play02:28

should run apt update before we perform

play02:30

package manager tasks

play02:32

because we already have a new package

play02:34

that's made available since the last

play02:35

time this was refreshed

play02:37

so to go ahead and install all the

play02:39

updates we could run this command right

play02:40

here

play02:43

apt dist upgrade so this is going to do

play02:46

a full

play02:46

upgrade of all of the packages that are

play02:48

installed on the server currently

play02:50

so i'll press enter so we can see here

play02:53

that we have 26 packages to upgrade

play02:57

and six of those are newly installed

play03:00

and the y here is capitalized which

play03:02

means basically if we were to press

play03:04

enter that's the default it's going to

play03:06

go ahead and say yes

play03:07

if we want to abort we could just do n

play03:09

for no and press enter and then it will

play03:11

abort that entire process so i'll just

play03:13

press enter because i do want to get

play03:15

these upgraded

play03:21

all right so now all the packages on

play03:23

this linux are all up to date

play03:25

now the commands that i've shown you so

play03:27

far are specific to debian and ubuntu

play03:30

if your linode is running something

play03:31

else for example centos then the command

play03:33

will change

play03:34

in the documentation on the linode

play03:36

website there are examples for all the

play03:38

distributions that are supported

play03:41

so at this point it's a good idea to go

play03:42

ahead and reboot the linode

play03:44

because if we don't then some of the

play03:46

patches won't take effect until the next

play03:48

time it starts up

play03:49

so it's a good idea to go ahead and

play03:50

reboot it if you can that's actually

play03:52

pretty easy if we go up here to the

play03:54

dashboard

play03:55

where it shows running we can go ahead

play03:56

and drop this down and then we can click

play03:58

on reboot

play04:00

click reboot again

play04:03

then up here we get a progress bar

play04:05

that's going to show us the progress of

play04:07

the reboot so we simply wait for the

play04:09

linode to come back up

play04:10

and then we can reconnect and continue

play04:12

on

play04:19

all right we should be back up and

play04:21

running so we should be able to

play04:26

reconnect

play04:29

now as we can see here again we have

play04:31

zero packages

play04:32

that are available for updates so we

play04:34

should be good to go

play04:36

now i don't know about you but i am very

play04:38

forgetful i lose my car keys

play04:40

i don't remember where i put my cell

play04:42

phone my memory just isn't all that

play04:44

great so

play04:45

remembering to install the updates on my

play04:47

linode is just not something that i can

play04:49

trust myself to do

play04:51

so what i do is i use unattended

play04:53

upgrades and i highly recommend that

play04:55

even if you're not forgetful because

play04:57

it's one less thing that you have to

play04:59

worry about and each of the

play05:00

distributions have their own

play05:02

method for enabling automatic updates

play05:05

so on debian and ubuntu it's pretty

play05:08

simple so i'll go ahead and show you

play05:09

what to

play05:10

do for this we will need to install a

play05:12

package

play05:13

so if you haven't already run apt update

play05:15

to resynchronize your package index you

play05:17

should go ahead and do that

play05:18

but what we actually want to do is run

play05:20

apt install

play05:22

and the package is

play05:25

unattended hyphen upgrades but i'll

play05:28

press enter

play05:30

so as you can see here unattended

play05:32

upgrades is already installed

play05:34

and if you receive similar output that's

play05:36

great then that means you already have

play05:37

the required package

play05:39

simply having unattended upgrades

play05:41

installed isn't enough to actually make

play05:43

it work

play05:44

we need to go ahead and turn this

play05:46

feature on so to do that

play05:47

we will run dpkg reconfigure

play05:51

dash dash priority equals low

play05:55

then unattended upgrades

play06:01

and now here it's asking us if we want

play06:03

to go ahead and enable automatic

play06:05

updates and that's the entire reason why

play06:08

we are going through this exercise so

play06:09

i'll say yes

play06:11

it's just basically a matter of pressing

play06:12

the left arrow and pressing enter

play06:15

and there you go so at this point

play06:17

forward security updates should be

play06:19

installed automatically

play06:21

now moving on there's another problem

play06:23

that we should take care of when it

play06:24

comes to securing our linode

play06:26

and that's the fact that i'm running as

play06:28

the root user

play06:30

now if you are just setting up your

play06:31

linux for the very first time

play06:33

that running as root is expected but

play06:36

after you get everything all set up it's

play06:38

better to run

play06:38

as a limited account and actually

play06:40

disable root login

play06:42

so to do that we should create a user

play06:44

account for ourselves

play06:45

so to add a new user we're going to use

play06:48

useradd

play06:49

then we'll add the option dash m so that

play06:51

our user will get a home directory

play06:54

dash s for the shell we'll set it to bin

play06:56

bash

play06:57

just like that and then the name of the

play06:59

user that we want to create so i'll just

play07:00

name my j

play07:01

you know my first name keeps it simple

play07:04

and then a double ampersand

play07:06

and we'll use the passwd command because

play07:08

we want to set a password for the new

play07:10

user

play07:11

and then we'll use the same username

play07:13

here as well now essentially here we

play07:15

have two

play07:16

different commands the first one is

play07:17

creating the user

play07:19

and then the second command is just

play07:20

setting the password so i'll press

play07:22

enter i'm just typing in the new

play07:26

password

play07:27

the desired password that i want the new

play07:28

user to have

play07:30

and that's basically all there is to it

play07:33

so if we list the storage of the home

play07:35

directory

play07:36

we should see a directory that is named

play07:38

the same as the user account that we've

play07:40

just created

play07:41

and then if we check the /etc/passwd

play07:43

file

play07:44

we can see the new user there at the

play07:46

bottom and now the new user can go ahead

play07:49

and log into the system

play07:51

at this point though you should make

play07:53

sure that you have sudo installed

play07:55

so you could do which and then sudo just

play07:57

like that and you should get some output

play07:59

if you don't get any output then that

play08:01

means that the package is not installed

play08:03

so on debian and ubuntu it's apt install

play08:06

sudo it's pretty easy so

play08:09

once you have sudo installed that's not

play08:12

enough to give you access to it you have

play08:13

to make sure that your user is able to

play08:16

access the sudo command

play08:17

and to do that you can run visudo just

play08:20

like that

play08:21

and if you scroll down you're looking

play08:23

for a group

play08:26

and here we have two groups actually

play08:28

start with a percent symbol

play08:30

so we have the admin group and we have

play08:32

the sudo group so you can basically make

play08:34

your user a member of either of these

play08:36

two groups

play08:37

and you should be good to go with sudo

play08:39

access for that user

play08:41

and the reason why i'm having you guys

play08:42

pull this up is because different

play08:44

distributions will use a different group

play08:47

for sudo access by default

play08:49

so on a centos system for example you

play08:51

might actually see

play08:52

a similar verbiage as i have here but

play08:54

the group name might be

play08:55

wheel so what you're going to do is

play08:58

choose a group

play08:59

that is shown in this file that has

play09:01

access to sudo

play09:02

and again we have admin and sudo in this

play09:05

case

play09:06

and add your user to be a member of one

play09:08

of those groups

play09:10

so to do that we can run usermod

play09:13

dash lowercase a uppercase g and then

play09:15

the name of the group

play09:17

which could be you know depending on

play09:18

your distribution it could be sudo

play09:21

it could be admin it could be wheel and

play09:24

so on

play09:25

so i'm going to use sudo because that's

play09:26

the default for ubuntu and debian

play09:29

and then the username you want to add to

play09:31

that group

play09:32

to verify that everything worked out you

play09:34

can run this command groups and then

play09:36

your username

play09:38

and you should see that group that

play09:39

you've added that user to in the output

play09:41

to show that it has indeed been set up

play09:45

so now that we have added our user

play09:46

account to the appropriate group

play09:48

you can go ahead and switch to that user

play09:50

and just make sure that sudo works

play09:53

so to do that is su hyphen then the

play09:56

username that you've just created

play09:59

and what we should be able to do is run

play10:02

a command with sudo so i'll just do sudo

play10:04

apt

play10:05

update simple enough it doesn't really

play10:07

matter we just want to make sure that

play10:09

sudo actually works

play10:11

i'll type in my user's password

play10:14

and it's working so it looks like my new

play10:17

user account

play10:18

has access to sudo so everything seems

play10:21

to be working perfectly fine

play10:23

so now let's go ahead and lock down open

play10:25

ssh

play10:28

so i've exited my ssh session and what i

play10:30

want to do is create a public

play10:32

private key pair basically an ssh key

play10:35

that i can use to connect to the server

play10:38

because the best thing that we can do is

play10:39

disable password access which is what

play10:41

i'm going to show you how to do now

play10:43

so first we're going to need to generate

play10:45

an ssh key

play10:46

and to do that i will run ssh hyphen

play10:48

keygen i'll press enter

play10:52

and it's going to default to adding the

play10:54

key into the dot

play10:55

ssh directory inside your home directory

play10:58

with a default name of id underscore rsa

play11:02

now if you already have a key in your

play11:04

home directory in the dot ssh folder

play11:06

with that name

play11:07

it will be overwritten so be careful of

play11:10

that if you already have a key you can

play11:12

use the key that you've already

play11:13

generated if you have one

play11:14

but if you overwrite that key you'll

play11:16

never be able to get it back so assuming

play11:18

that you don't already have a key with

play11:20

that name in that folder we can press

play11:21

enter and now we can enter a passphrase

play11:25

passphrases are optional but highly

play11:27

recommended but to keep the tutorial

play11:29

simple i'll just press enter to bypass

play11:32

that for now then enter again and now

play11:35

our ssh key is created

play11:38

so if we take a look at the ssh

play11:40

directory inside

play11:42

our home directory you can see that we

play11:44

have two files id underscore rsa and id

play11:47

underscore rsa.pub

play11:49

now this is actually the private key

play11:52

we don't want to show that content to

play11:54

anyone for any

play11:56

reason because that needs to be

play11:58

protected there's a reason why

play11:59

that's called a private key this key

play12:02

right here the one that ends in a dot

play12:04

pub

play12:05

extension that's our public key and it

play12:08

doesn't matter who we show that to

play12:10

we can show that to everybody and it

play12:12

doesn't matter because as long as we

play12:13

don't leak the private key

play12:15

then we're fine but how does that help

play12:17

us with ssh

play12:19

well what we can do is copy this key

play12:21

over to our linode

play12:22

and to do that we will use this command

play12:24

right here ssh

play12:26

hyphen copy hyphen id we'll use the

play12:29

option dash

play12:30

i and then the tilde

play12:33

dot ssh then the public key file

play12:36

which is this one right here we'll type

play12:39

in the username

play12:41

then the at symbol and then we'll paste

play12:43

in the ip address

play12:45

so essentially what we're doing is we're

play12:46

using the ssh copy id

play12:48

command giving it an input file that is

play12:51

the public key

play12:52

the one that we've just created and then

play12:54

we give it the username to our linode

play12:57

at then the ip address of our linode and

play12:59

if i press

play13:00

enter it'll ask me for the password for

play13:03

ssh so i'll type that in

play13:07

and it's dropped me back to the shell of

play13:08

my laptop but it says number of keys

play13:10

added

play13:11

one so now if i go ahead and ssh into

play13:14

the linode

play13:16

just like this and now you'll notice

play13:20

that i was immediately connected to the

play13:21

linode and it didn't even ask me for

play13:23

the password for my user

play13:25

this is one of the benefits of having an

play13:27

ssh key because it simplifies

play13:29

access via ssh to the server but the

play13:32

entire reason why we're doing this is

play13:34

not to make ssh easier although well

play13:37

that's a great added benefit

play13:39

the reason that we're doing that is

play13:40

because this allows us to lock down

play13:42

ssh altogether and what we'll need to do

play13:46

in order to accomplish that is edit the

play13:48

ssh config file for the ssh daemon

play13:51

and we can do that by entering sudo nano

play13:54

or whatever text editor you want to use

play13:57

slash etc

play13:58

slash ssh slash sshd

play14:01

underscore config just like that and

play14:03

press enter

play14:04

type in my password now if we scroll

play14:08

down a little bit here

play14:12

we have permit root login yes we want to

play14:14

change that to no

play14:16

because that's a user account that is

play14:18

going to be targeted first

play14:19

for intrusions from the outside so by

play14:22

setting this to no we are not allowing

play14:24

root to log

play14:25

in at all now what we could also do is

play14:28

add a new option and it doesn't really

play14:29

matter where but i'm going to add it

play14:31

right here

play14:32

and that could be allow with a capital a

play14:35

users of the capital u no space there

play14:38

and then a list of user names we want to

play14:40

allow to ssh into our linode so i'll

play14:42

add mine

play14:43

if you have other users that you want to

play14:45

access the linode then you can add them

play14:47

here on this line as well with a space

play14:48

in between each

play14:50

so for example we could do something

play14:51

like this

play14:53

to allow tim and sue access to the linux

play14:56

for example

play14:57

but i'm going to simply leave my name

play14:59

right here

play15:01

ctrl o to save the file and control x to

play15:03

exit out

play15:05

and then we will go ahead and restart

play15:07

the service

play15:12

and this should be the command on quite

play15:14

a few distributions actually

play15:16

so i'll just enter this command to

play15:18

restart the ssh daemon

play15:21

so notice that when i restarted the ssh

play15:23

daemon it didn't drop my ssh session i

play15:25

still have that open

play15:26

i could still use it and you definitely

play15:28

don't want to disconnect until you know

play15:30

that it's working

play15:31

and what we could do is open a new tab

play15:34

then in the new tab we could simply ssh

play15:37

into the ip address of our linode

play15:40

make sure that it still works

play15:43

and it does so that's very important

play15:46

again we want to make sure that ssh is

play15:48

fully working

play15:49

before we drop out of our original shell

play15:52

because if we dropped out of that shell

play15:54

then well we've actually lost our only

play15:55

way into the server

play15:57

but on this new tab i've actually

play15:58

created a new ssh session

play16:01

that allowed me in so i know that it's

play16:02

working fine worst case scenario if you

play16:05

do get locked out you can actually go

play16:06

into the lish console

play16:08

on the linode dashboard and you can fix it

play16:10

from there so no big deal

play16:12

another thing that we can do is make

play16:14

sure that we don't have any services

play16:16

running that are listening for

play16:17

outside connections because the fewer

play16:20

ports that are open

play16:21

the more secure our server actually is

play16:24

so what we can do is run sudo ss

play16:28

dash atpu just like that

play16:32

type in my super secret password yet

play16:33

again

play16:35

and we can see a list of ports that are

play16:37

actually listening for outside

play16:39

connections

play16:40

now already we have ssh and that's okay

play16:43

because i want that i want to be able to

play16:45

use ssh and we've just secured that just

play16:47

now

play16:47

so that's not really a concern to me we

play16:50

also have http

play16:52

listed right here and that's also

play16:54

expected in my case because i am running

play16:56

apache 2 which is a popular web server

play16:59

this is actually running a blog

play17:01

so it is important for this server to be

play17:04

listening for connections

play17:05

via port 80 for apache but if you see

play17:09

anything here that you can't explain

play17:11

anything that's open to the world

play17:14

that doesn't have a justification it's

play17:16

important to go ahead and remove

play17:18

it so for example if you had postfix

play17:21

listed you could run

play17:22

sudo apt remove postfix

play17:25

if that wasn't something that you were

play17:27

trying to run or didn't need

play17:30

i can't show you a complete walkthrough

play17:32

of this because

play17:33

depending on what you have installed on

play17:35

your linode this is going to be

play17:36

different for everyone

play17:38

essentially what you're doing is you are

play17:39

running the ss command like we have here

play17:42

and looking for some port that is

play17:44

listening that you don't have a

play17:45

justification for

play17:47

and if it has no purpose then go ahead

play17:49

and remove it because again the fewer

play17:51

services that you have running that are

play17:52

listening for outside connections

play17:54

the more secure your linode is

play17:58

so when it comes to security there's

play18:00

many different things that we can do to

play18:02

protect our servers from outside harm

play18:04

in this video we took a look at some of

play18:06

the foundational concepts that we can

play18:08

utilize

play18:08

to better secure our servers things like

play18:11

securing openssh

play18:12

for example but it doesn't stop here the

play18:15

road to a completely secure

play18:17

server is never ending there's a lot

play18:19

more that we can do

play18:20

but the concepts that we've gone over in

play18:22

this video will definitely get us off to

play18:24

a good start

play18:25

so thank you so much for watching and if

play18:28

you haven't already done so

play18:29

please like and subscribe and we'll see

play18:31

you in the next video

play18:44

[Music]

play18:48

you


Related Tags
Linux Security, Server Hardening, SSH Keys, Updates Management, Unattended Upgrades, Root Login, Sudo Access, Firewall Configuration, Port Monitoring, Security Best Practices, Ubuntu Server