10 Tips for Hardening your Linux Servers
- Published 25 Jun 2024
- For the first episode in my Enterprise Linux Security series, I go over 10 tips for hardening your Linux servers. This video includes some important suggestions to take into consideration for your infrastructure, that will serve as a foundation for future episodes. As the series continues, we'll explore more concepts in-depth.
LearnLinuxTV Links
🐧 Main site:
➡️ www.learnlinux.tv
🐧 LearnLinuxTV Community:
➡️ community.learnlinux.tv
Support LearnLinuxTV (commission earned)
📖 Check out Jay's latest book, Mastering Ubuntu Server 4th Edition. Covers Ubuntu 22.04!
➡️ ubuntuserverbook.com
🙌 Support me on Patreon and get early access to new content!
➡️ learnlinux.link/patron
☁️ Check out KernelCare Enterprise and patch your servers in real-time:
➡️ kernelcare.com/
☁️ Support LearnLinuxTV and set up your own cloud server with Akamai Connected Cloud:
➡️ learnlinux.link/akamai
🛒 Affiliate store for Linux compatible hardware/accessories (commission earned):
➡️ learnlinux.link/amazon
💻 Check out the Tiny Pilot KVM for your Homelab (commission earned):
➡️ learnlinux.link/tinypilot
About Me
🐦 Follow me on Twitter!
➡️ / jaythelinuxguy
👨 More about me:
➡️ www.jaylacroix.com
➡️ www.learnlinux.tv/about-me
Recommended evergreen videos:
💽 How to create a bootable flash drive for installing Linux
➡️ linux.video/flash-usb
🐧 OpenSSH Guide
➡️ linux.video/ssh
📖 LVM Deep-dive:
➡️ linux.video/lvm
🔐 How to better secure OpenSSH:
➡️ linux.video/secure-ssh
☁️ How to create a cloud Linux server with Linode:
➡️ learnlinux.link/create-linode
FAQ
🐧 Which distro do I use?
➡️ learnlinux.link/mydistro
💽 My recording gear (commissions earned):
➡️ learnlinux.link/recording-stuff
#Server #Linux #Security - Science & Technology
01 # 02:42 # Number 1 : Adjust your mindset
02 # 04:59 # Number 2 : Patch your servers (and no excuses)
03 # 07:59 # Number 3 : Strengthen your passwords
04 # 09:10 # Number 4 : Don't open services to the public internet (unless you have no other choice)
05 # 11:32 # Number 5 : Lock down SSH
06 # 13:41 # Number 6 : Implement as many layers of security as possible
07 # 15:12 # Number 7 : Implement reliable backups that are fully tested
08 # 16:57 # Number 8 : Take advantage of monitoring tools
09 # 18:41 # Number 9 : Consider a third party security audit
10 # 20:02 # Number 10 : Implement a business continuity plan
thanks node, that list summarizes it nicely.
Jay, a video on monitoring tools would be nice. Thanks and keep up the great work.
NMap is good, but a WiFi adapter in monitor mode can be more useful not only for hacking but assessing the security and testing the security too
I love it that you think of backups and continuity as security issues. I've worked for too many companies where that wasn't the case. However there was one that I worked that was in the process of designing their own self-healing environment. Really appreciate that they were pushing forward with that idea.
Doing vulnerability scans should be on this list.
16:00 Gitlab in 2017
Enjoy your content Jay - as always. One of the best Linux channels on YouTube, and with recent content - probably the best IMHO. Really looking forward to this series.
Looking forward to it! Great first video.
Good growth of the channel. Hard work and consistency paying off.
Great video Jay. A multi part on Locking down a public facing server to maybe DOD levels would be great. Your common sense approach is refreshing.
Going into my second year into System Administration, I'm very much thankful for your information. I will be looking forward to apply them in my company's servers.
great..but plz add timeline in future videos
nice sum up thanks Jay !!! have a nice week !!!
You really found your speciality.. Excellent videos. Best for your success!
Very helpful, thanks Jay!
Nice, well presented and common sense. Thanks!
Great series, I can't wait for more videos :)
Great video 👍 you could elaborate on the 10 points more in the upcoming videos.
Great work 🥳 Thank you 💜
Your videos are really good and help us (Linux learners). I would love to see a deep dive on various Linux services such as Apache, Nginx, OpenSSL, Bind9, some email server, etc.
Thanks very much.
Very helpful video sir. May I have the link of next videos in this series?
This is gold. Thanks!
Thanks Jay! One of the big questions I've always had is around item 7--tested backups. I have basic systems like Deja Dup that does my desktop backups to a second disk in the machine and to a NAS on my network (still need an offsite/cloud option in the mix), but my question around this is always about testing the backups. How? Do I just run the restore and wait to see if it throws an error? Does that risk corrupting my existing data? What other way is there to test a backup properly then?
Love the idea for this latest series!
Thanks Jay!
Thank you, Jay.
Thank you for your lessons.
Keeping server up to date is important, although it's worth noting auto-updates can break your server and your service could be down for some time before fixing it
i feel Patching techniques for different servers should be the next
Automatic patching vs manual. All patches vs security only.
10:40 I learned this lesson today. I was setting up an instance to test database replication. I don't have much knowledge about all the port settings, so I set it to listen publicly. In just a few hours my log files were filled with all kinds of suspicious activity. After googling, I realized these are mining viruses. Public internet is scary. 😂
In addition to patching the OS, don't forget about driver & firmware updates.
I think the wording you were looking for is that you were not looking to incite baseless panic. It is always good to know that you don't know what you don't know, which can be scary when you have a lot hanging on the line.
Plans vs accessibility: in the DMZ [needs a public IP] vs behind a NAT firewall vs only accessed externally via VPN.
18:09 This is what I do for public facing servers. Basically no one should be logged into them, so I've got NCPA running a user check every 30 seconds, and sending that information back to Nagios. For the reverse scenario, a server where you expect a lot of user traffic, you can enable State Stalking on a User List service check, that way when someone does log in, Nagios records who logged in, and you have it down to inside of a minute when they logged in, and what the username was.
3:33 Sarcasm....! :-)
Anyway I am a big fan of you. for your videos. Great work. Keep posting.
A note about patching: many patches open new security holes. It's really a double-edged sword. If a patch breaks business continuity then it could be just as costly as getting hacked, and if the patch opens up another security issue, doing nothing and "taking the gamble" (risk acceptance) is what business owners try to do.
for point 10, that's why kubernetes (and harvester) are there as a true solution for HA and self remedy ;)
The best joke ever without emotion. 3:48
Do you have any plan to make a video about SELinux?
Video chapters would be nice. That way viewers can rewatch topics they need to refresh themselves on.
Have you considered doing a desktop hardening, for those who use Linux as a daily driver?
What the program for backups Linux have on his board?
U r doing a good job with these videos my friend.. keep it up..
Port scanning and what to shut off as determined by the server's role.
quality stuff
In windows I have administrative policies, where I change the rules for remote users. My rules is 3 wrong passwords and then block a user account. What the Linux have on his board?
One moment I configured My Linux work machine, after I upgraded my Linux machine and after she had problems with programs that have stopped working. It's ok, or did I something wrong?
I am using deepin how to secure it ?
I've actually experienced failed no-boot backups (not on my own environment and none I was in charge of, luckily). Not fun.
If it was only (not) patching the servers... I so hate it that at my new workplace their lifecycling policies just plain suck. E.g. distributions such as Ubuntu 14.04 and Debian 7.x have been EOL+EOS for quite some time now.... but there are still tons of those servers around, still allowed to run :( It's a tiring uphill battle I'm fighting here. :´(
Can you make traps too
how about some examples?
Pls consider timestamps
How can I block certain countries from hacking into my linux machine. Using Iptables and Ipset. For example blocking China, Russia and India completely. Is this possible! !!!
The term you are searching for is "geoblocking" ;)
tip 11 Run the free Lynis auditing tool and change the ssh port. I used all 10 tips on my servers. I hope episode two will be more useful.
#3 Number 3, best is no passwords at all...
Is there any real content in this video except Ads?
1.5x speed is just right
No chapter marks, no meaningful description about the content. One has to skip through the video to learn what these "great" 10 tips are. I wouldn't call it hardening, but consumer-ish admins who never thought twice about what they install and run have to start somewhere. Very clickbaity. Of course you have to have lighting like a dance club or a brothel. Day in, day out, sustainability doesn't matter.