Quick tips to improve Linux Security on your desktop, laptop, or server (hardening for beginners)

  • Published 4 Jun 2024
  • Try out Proton Mail, the secure email that protects your privacy: proton.me/mail/TheLinuxEXP
    Grab a brand new laptop or desktop running Linux: www.tuxedocomputers.com/en#
    👏 SUPPORT THE CHANNEL:
    Get access to a weekly podcast, vote on the next topics I cover, and get your name in the credits:
    UA-cam: www.youtube.com/@thelinuxexp/...
    Patreon: / thelinuxexperiment
    Liberapay: liberapay.com/TheLinuxExperim...
    Or, you can donate whatever you want: paypal.me/thelinuxexp
    👕 GET TLE MERCH
    Support the channel AND get cool new gear: the-linux-experiment.creator-...
    🎙️ LINUX AND OPEN SOURCE NEWS PODCAST:
    Listen to the latest Linux and open source news, with more in depth coverage, and ad-free! podcast.thelinuxexp.com
    🏆 FOLLOW ME ELSEWHERE:
    Website: thelinuxexp.com
    Mastodon: mastodon.social/web/@thelinuxEXP
    Pixelfed: pixelfed.social/TLENick
    PeerTube: tilvids.com/c/thelinuxexperim...
    Discord: / discord
    #Linux #security #cybersecurity
    00:00 Intro
    00:56 Sponsor: Proton Mail
    02:32 Software and updates
    04:04 Services and SSH
    06:38 User management
    10:10 Physical Security
    11:35 SELinux, AppArmor, and firewall
    14:04 Parting Thoughts
    15:15 Sponsor: Get a PC made to run Linux
    16:30 Support the channel
    Password complexity tips: www.networkworld.com/article/...
    Tips to secure SSH: www.cyberciti.biz/tips/linux-...
    The more software you use, the larger the attack surface of your Linux install. It's always good to review the installed applications and libraries and remove what you no longer use. You can also remove packages that nothing else depends on and that nothing uses anymore.
    On Debian or Ubuntu, for example, you can list and remove these by running sudo apt autoremove
    And on a desktop, you probably already apply updates, or your distro has auto updates enabled. But on a server, it's easy to let things slide, and forget to log in regularly and make sure things are up to date. I'm guilty of that myself.
    And just like with packages, libraries, and apps, you should also make sure you only run the services you actually use. You can list all services running with:
    systemctl list-unit-files
    To stop a service you don't need, you can run
    systemctl stop SERVICE
    To stop the service from starting with the system, you can run
    systemctl disable SERVICE
    If you're on a server, the general rule of thumb is also NOT to run a graphical desktop on it. It will often be much more secure to use SSH to log in to the server remotely.
    But you might also need to secure SSH first. If you have multiple users, make sure only the ones who need it have SSH access. To do that, edit the /etc/ssh/sshd_config file and add a line starting with AllowUsers, followed by the names of the users that will actually have access over SSH.
    Now, something that might be useful in general, for a server or a desktop, is making sure all the users are correctly handled. The first thing will be to disable root login.
    If you decide to disable the root account, make sure at least one user has admin privileges first, or you'll end up with a system that has no way to perform any administrative task with sudo. Once you're certain everything is ok, you can use the following method:
    Edit /etc/passwd and change the first line (the root entry) by replacing /bin/bash, or whatever other shell root currently logs into, with /sbin/nologin (or /usr/sbin/nologin, depending on the distro)
    If you prefer, you can simply disable root login through SSH, so the account is still there if you want it locally, but remote attackers won't be able to log in as root. To do so, edit /etc/ssh/sshd_config, uncomment the PermitRootLogin line, and set its value to no. Restart SSH with systemctl restart sshd, and you're done.
    To remove the ability to use USB storage, Thunderbolt or Firewire, you can add the following lines to their respective files (create them if need be). To revert this, just remove the lines that were added to those files.
    Add install usb-storage /bin/true to /etc/modprobe.d/disable-usb-storage.conf
    Add blacklist firewire-core to /etc/modprobe.d/firewire.conf
    Add blacklist thunderbolt to /etc/modprobe.d/thunderbolt.conf
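    The following read-only audit script is an added example and is not part of the video or its description. It checks the three settings described above (PermitRootLogin and AllowUsers in sshd_config, the login shell of UID-0 accounts in /etc/passwd, and the usb-storage/firewire-core/thunderbolt entries under /etc/modprobe.d) and reports what it finds without changing anything. Every function takes a path, so it runs against the constructed sample files it creates itself; pointing it at the live /etc files is an assumption of yours. The sshd_config parser is deliberately simple: it honours sshd's first-match rule and comment handling but does not follow Match blocks or Include directives.

```shell
#!/bin/sh
# Added example (not from the video or its author): audit the hardening steps
# from the description. Read-only; takes file paths so it works on the
# constructed samples below or on the live /etc files.

# Effective value of an sshd_config keyword. sshd uses the FIRST occurrence,
# ignores lines starting with '#', and keywords are case-insensitive.
# Prints nothing when the keyword is absent, meaning sshd's built-in default
# applies (for PermitRootLogin that default is "prohibit-password").
# Assumption/caveat: Match blocks and Include'd files are not followed.
sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# name:shell of every UID-0 account in a passwd-format file. Checking by UID
# rather than by the name "root" also surfaces any extra UID-0 accounts.
root_shells() {
  awk -F: '$3 == 0 { print $1 ":" $7 }' "$1"
}

# How a module is handled by the *.conf files in a modprobe.d directory.
# "install MOD /bin/true" (or /bin/false) blocks explicit loads as well;
# "blacklist MOD" only stops alias-based autoloading, so the module can still
# be loaded by name or as a dependency. Note: modprobe treats '-' and '_' in
# module names as equivalent; this check looks for the spelling you pass in.
module_status() {
  dir=$1; mod=$2
  if grep -qsE "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(true|false)" "$dir"/*.conf; then
    echo blocked
  elif grep -qsE "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|$)" "$dir"/*.conf; then
    echo blacklisted
  else
    echo loadable
  fi
}

# Print a short report for one sshd_config, one passwd file and one modprobe.d.
audit() {
  sshd=$1; passwd=$2; modprobe=$3
  prl=$(sshd_option "$sshd" PermitRootLogin)
  printf 'PermitRootLogin: %s\n' "${prl:-(unset, default prohibit-password)}"
  au=$(sshd_option "$sshd" AllowUsers)
  printf 'AllowUsers: %s\n' "${au:-(unset, every account may log in)}"
  printf 'UID-0 shells: %s\n' "$(root_shells "$passwd" | tr '\n' ' ')"
  for m in usb-storage firewire-core thunderbolt; do
    printf '%s: %s\n' "$m" "$(module_status "$modprobe" "$m")"
  done
}

# Constructed sample files (not taken from any real system) in a temp dir.
make_samples() {
  d=$(mktemp -d)
  mkdir "$d/modprobe.d"
  cat > "$d/sshd_config" <<'EOF'
# constructed sample: commented default, then root login disabled
#PermitRootLogin prohibit-password
PermitRootLogin no
AllowUsers alice bob
EOF
  cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
EOF
  echo 'install usb-storage /bin/true' > "$d/modprobe.d/disable-usb-storage.conf"
  echo 'blacklist firewire-core' > "$d/modprobe.d/firewire.conf"
  echo "$d"
}

samples=$(make_samples)
audit "$samples/sshd_config" "$samples/passwd" "$samples/modprobe.d"
```

    To audit a real machine instead of the samples, call audit /etc/ssh/sshd_config /etc/passwd /etc/modprobe.d (reading sshd_config usually needs root). A "blacklisted" result for a module you want fully disabled is the one to act on: switch that file to the install ... /bin/true form, as the description does for usb-storage.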
  • Science & Technology

COMMENTS • 644

  • @TheLinuxEXP (8 months ago, +73)

    Try out Proton Mail, the secure email that protects your privacy: proton.me/mail/TheLinuxEXP

    • @1cool (8 months ago, +9)

      Since switching to Linux a few months ago, Windows feels completely unusable and unstable.

    • @None17555 (8 months ago, +7)

      Updates can't break a Linux install huh? I guess my time spent with Manjaro was just some fever dream!

    • @ronjustron840 (8 months ago)

      Well... you lost my trust very quickly. Proton Mail is NOT as secure as you lead on. They now track IP addresses and allow access to government agencies. Plus, you need an even more traceable email to tie it to in order to get an account. It's a bullshit smokescreen.

    • @gandir5720 (8 months ago, +3)

      @@None17555 The chance of breaking an update in linux is very small if you use a stable and well maintained distro like Debian. If you use Manjaro or Arch Linux well then it's mostly just a matter of time for it to happen.

    • @boymahina123 (8 months ago, +13)

      that moment when Proton Mail isn't nearly as private as you would think

  • @stevegraham5494 (8 months ago, +645)

    As usual, LE speaks the truth that others are afraid to say. Linux isn't bulletproof. Any OS is only as secure as the effort the admins put into it.

    • @TheLinuxEXP (8 months ago, +80)

      Yep! It all depends on the distro and how much you’ve configured it to resist the threats you’re most afraid of!

    • @rallealyt (8 months ago, +55)

      Isn't bulletproof, but Windows has much more holes and attack vectors. Windows is full of complexity due to legacy support and has closed code. When someone finds a vulnerability, sometimes it is exploited for quite some time before someone finds out. Linux is open source. People are constantly auditing the code for vulnerabilities and it's much quicker to find a vulnerability. So, yes, Linux is definitely more secure by default, but I agree that Windows is also more targeted. But remember that the vast majority of servers in the world are running Linux and those are the ones usually targeted by the most advanced hackers.

    • @SifatUllah-6666 (8 months ago, +7)

      @@rallealyt I'm a Windows user but the defaults in Windows are very bad for security and privacy.
      They may be fancy and cool and animated and convenient.....but they cause a security risk too.
      But I'm an advanced user, so virus or malware attacks on my machine have never happened.

    • @st0rmrider (8 months ago, +1)

      Yeah, but he only realised it last week when he got sick by virus and (as reminded him) he still needs an antivirus... At least he is well now

    • @gabriellevesque2185 (8 months ago, +1)

      I mean, all the large-scale attacks on webservers are servers with linux behind, the applications installed are more likely to have vulnerabilities than the OS, I've never rly heard of any big websites running on Windows.

  • @augustinmuller6660 (8 months ago, +87)

    very interesting and a video about SElinux or firewall would be amazing

    • @TheLinuxEXP (8 months ago, +11)

      Yeah, I really wanted to explore them more, but they definitely will need their own video, there’s a lot to talk about!

    • @stevenwinderlich2891 (8 months ago, +10)

      @@TheLinuxEXP Might wanna start off with SELinux vs AppArmor and what they're used for and where the differences, advantages and downsides are

    • @craigslist6988 (8 months ago)

      @@TheLinuxEXP as a casual linux user wanting to find easy ways to run more securely, the most frustrating thing about security on any system (windows is worse obviously) is how fundamentally mixed up everything is at a low level, making it impossibly difficult to troubleshoot or make a security profile from simple, rational concepts. If you could make a video on how to get just deep enough into something, maybe like SELinux or Apparmor but not overwhelming... I would appreciate that a lot.
      An example of something I would love it if you made a video about is how I can most easily run insecure things securely. For example - I want to install an new notepad program, so I find one and install it. At a very basic level I know a few things, like when I'm not using it it shouldn't have any processes running. And it should never connect to a network, unless it's doing some cloud saving, for example.
      How can I easily manage security flip switches to turn those abilities on and off? Don't even give that process a sign there is a network card until I flip a switch? Same for executing in the background, writing to anything, etc. If that can be done in a video, I would be grateful and impressed.
      As for how... allow me to ramble on how I've found this impossible...
      Like trying to accomplish application container/sandbox style security.. I need to setup apparmor or SELinux... okay, maybe there's a GUI profile manager?
      Nope.. I haven't been able to find anything. And it seems intentional.
      For apparmor, supposedly easier to use but being less 'fundamentally' secure than SEL, had a GUI, premade profiles... but now all that is gone, they're all paywalled. A bad trend for linux recently. SELinux on the other hand just seems to be ideologically against GUIs and profile tools because you *must* understand / accept full responsibility for all the nuanced complexity it has, in which case you aren't going to be some GUI using slob, you'll obviously live and die by CLI.
      It pains me I can't just install a new program I kind of trust but not fully and use linux to 'watch it' for abnormal behavior, because whenever anything uses any system services/resources they just "have access" or "don't have access".
      For a super common example - application specific network limitations and/or traffic monitoring / firewall is literally not a thing. It seems insane to me from a not-a-kernel-dev perspective that there is simply no fundamental way to watch / attribute all network traffic to specific processes. I get it that the way the architecture of the system is.. it's just hard or impossible to trace the source back into userspace from the kernel. But if you COULD simply monitor application traffic and behavior, profile 'normal' behavior, it would make it so easy to spot, or even automate spotting, abnormal / compromised process behavior. That would make malicious intrusion incredibly difficult, having to move around within other processes. Instead if you want to do that for network traffic you'll have to become an expert at ip/port/packet analysis to... make best guesses? Or start down the rabbit hole that is various tools to approximate this idea.
      I get that a fundamental problem arises from granular control (SELinux being the ultimate granularity) and config gets more and more complex as you get granular in a system with a complex web of interlocking parts... but I mean, why aren't basic, best practices and profiles easier to make? Get me an 80/20 profile.
      We know one of if not the most common attack vectors is a malicious or infected process, so why are the tools to control, isolate, and analyze process behavior so arcane?
      /rant

    • @ultravioletiris6241 (1 month ago)

      @@stevenwinderlich2891 wrong channel

    • @lionking10222 (1 month ago)

      @@TheLinuxEXP Would still love to see a dedicated firewall video from you. You explain things really well and easy to follow.

  • @alexk4894 (8 months ago, +171)

    IMO it's also worth paying attention to secure boot configuration, especially on laptops. Many distros do not implement initrd checking during boot, so an attacker can easily modify it and intercept the password for the encrypted partition. To avoid this there's a thing called "unified kernel image", which combines kernel and initrd into a single file and adds an SB digital signature. The main problem is that it is NOT configured out of the box on most systems. Canonical has plans to implement it in the next Ubuntu release (thanks to systemd-ukify), so hopefully this will change in the future.

    • @Ryan-ct3rv (8 months ago, +15)

      The way I see it, if someone has physical access to my system it's game over anyway.

    • @dirksesterhenn2432 (8 months ago, +21)

      @@Ryan-ct3rv This hasn't been the case for smartphones for over a decade, and the same approach can be adopted on the desktop.

    • @deepin2u (8 months ago, +3)

      Great knowledge. Thanks for sharing.

    • @Sqaaakoi (8 months ago, +1)

      I'd love to enable secure boot, but I also rely on being able to hibernate my device, which for some reason is disabled when secure boot is enabled as a part of the kernel lockdown afaik
      I'm already using UKIs with dracut and systemd-boot, so I'm well prepared for hibernation and secure boot to be easy
      For context I am running Debian Unstable, with a manually compiled updated dracut

    • @alexk4894 (8 months ago, +1)

      @@Sqaaakoi I'm not sure about your device (laptop, right?), but most modern laptops don't drain too much battery while in sleep mode, aka suspend-to-ram. Personally I use only this option and my laptop remains cold and charged for a long time. At least, more than 3 days. Also it does not require a big swap file/partition.
      I did a quick google search and seems like newer kernels should allow hibernation after adding "lockdown_hibernate=1" to a kernel cmdline. I did not test, but hope it helps

  • @danbuter (8 months ago, +65)

    More security videos are always good!

  • @JonasLomp (8 months ago, +11)

    11:00 with usbguard you can allow and block USB ports based on plugged in devices, so you can create a whitelist with your devices, and block anything else.

  • @Monttukani (8 months ago, +36)

    I'd love to have a noob understandable video about firewalld and selinux configuration for an average Steam gaming and internet browsing pc! Also Clamav on access scanning and/or commercial antivirus software for consumer desktops would be nice.

    • @deepin2u (8 months ago, +7)

      ❤ I second this as well. Make it so.

    • @quitequiet5281 (1 day ago)

      Me too! 🤚

  • @graemewiebe2815 (8 months ago, +49)

    One thing I thought I should mention - although primarily effective for Windows/Mac users, even just having an adblocker (uBlock Origin being my FOSS choice) can have a huge impact on web based attacks - not only malware, but web based tracking and information gathering.

    • @PainweedingPills (8 months ago)

      So much this. uBlock Origin is a must, back then i used to have Adblock Plus but that thing was a RAM hog.

    • @Rudxain (7 months ago, +9)

      uBlock also supports disabling JS. Most dangerous browser vulnerabilities are because of JS (there's some HTML and CSS too).
      I use whitelist mode, so all websites are static, except for some domains where I need JS

    • @thedarcbird (8 hours ago)

      UBO is my go to. I use it on both Firefox and Vivaldi. (I don't trust anything else.)

  • @Ghennesph (8 months ago, +16)

    Updates are just as likely to break things on linux as well. currently, Linux 6.5.5 seems to produce segfaults in FIO with BTRFS, and Mesa 23.2 breaks HEVC and H264 encoding in OBS Studio, again, for now.
    The difference with updates in linux, is you can scrutinize each package, update individually, and find exactly what's causing the problems, and then not update that package until it's fixed. Timeshift and BTRFS subvolumes make this pretty quick and easy, vs System Restore and Windows Update, and use much less disk space for more restore points. Linux updates are not bug free, and you should always have a backup to fall back to before updating.

  • @user-vv4dz9eo2p (8 months ago, +55)

    A firewall video would be great!

    • @a-yon_n (8 months ago, +2)

      It’s conflicting that by default, the firewall is turned off on most Linux desktops.

    • @craigslist6988 (8 months ago)

      @@a-yon_n and it is that way because there aren't any really user friendly configuration/management tools. Which sucks but makes sense.. people went through all the trouble of writing the actual firewall code for free and now some normie wants them to do more work to dumb it down and make it easy for them to use? Leave it for someone else...

    • @manojcmenon (7 months ago)

      And the other topics like SELinux and AppArmor would also be great.

    • @FrankPhartzzz (3 months ago)

      @@craigslist6988 isn't the firewall gui on mint pretty straightforward even for noobs?

  • @bigredlizerd (8 months ago, +29)

    A video on AppArmor or SELinux would be very useful.

    • @MegaManNeo (8 months ago)

      I second that.
      Feel pretty secure with openSuSE's default but I too enjoy having secure machines.

  • @joshmc5882 (8 months ago, +9)

    I like the defaults on Fedora, firewall on by default, selinux on by default, root login disabled by default, only official repositories enabled by default

  • @fedora (8 months ago, +20)

    Don't forget, every time you disable SELinux, you make Dan Walsh weep.
    Dan is a nice guy and he certainly doesn't deserve that.

  • @agooglygooglr (8 months ago, +11)

    4:53 you can also do `sudo systemctl disable --now service` to disable a service and stop it at the same time. saves you from typing out a second command

  • @muammar007 (8 months ago, +20)

    I have watched a security video where they also suggested ClamAV to regularly scan your system, especially if you dual boot with Windows.

    • @TheLinuxEXP (8 months ago, +7)

      That’s also a very good tip, yeah!

    • @20NewJourney23 (4 days ago)

      @@TheLinuxEXP Sadly ClamAV gives false positives a LOT of the time. I won't use it anymore. It's a known problem.

  • @muddyexport5639 (8 months ago, +23)

    Thanks! Good vid. Always interested in the security side for the user. Not so much for the server but never hurts to learn. You do a really good job of explaining "how to" and "why". Please continue...

  • @odnankenobi (8 months ago, +50)

    Love to see some security related content. It's such a confusing and noobie-unfriendly territory to get into when learning Linux, we need more videos like those.
    The firewall is especially important: it's the first line of defense past the router, and it's frequently off by default.
    Full disk encryption is also a must. For me, the most important thing to learn right now is how to set up full disk encryption together with secure boot, and if possible along with the TPM (Trusted Platform Module) so I have the option of setting it up without entering the password every time I boot. Tips on troubleshooting it when making changes to the system (changing partitions, distro hopping without losing files) would also be welcome.
    I haven't been able to crack down linux security by myself yet. If this series does go on, maybe I'll finally be able to do it.

    • @lince4824 (8 months ago)

      Having a TPM module is nice, software using it rare though. The more rare when the most needed.

    • @generic694 (8 months ago, +2)

      @@lince4824 In some sense you would want fewer pieces of software to use TPM, so its functionality can be kept minimal and stable. More usage = new requirements = new bugs.

    • @lince4824 (8 months ago, +1)

      @@generic694 it must be used WHERE it is needed and WHENEVER it is needed. If you store critical passwords in RAM to avoid using the TPM module that's a security hole, as it happened to a serious widely exploited to the own Microsoft Servers network, because they decided to keep that password in RAM. It didn't need any high tech tool or software to abuse it, just a crash report sent to the development team, which in fact happened to include that CRITICAL Microsoft Exchange password. Do you think it cannot happen in Linux? TPM must be used whenever it is needed, not more, NOT LESS

  • @TheJackiMonster (8 months ago, +15)

    Besides obvious things like applying security updates:
    I think most critical is that you have control over open ports. You don't want other people to get remote access to your system. So either close ports by disabling services or via firewall. For servers I recommend fail2ban as well. That bans IP addresses by amount of failed attempts which can prevent primitive DoS attacks by single attackers.
    Additionally you can improve internal security by dividing services and applications into containers, users and groups. So you don't run software with permissions they don't need or shouldn't have in general.
    Another thing for SSH: If your server is public, you should only allow access via public keys and disable root login as well. Otherwise people will brute-force it...

    • @felixjohnson3874 (8 months ago)

      Fail2ban is much more about passwd brute forcing than DOS blocks

    • @rautamiekka (7 months ago)

      "either disabling services or via firewall". No, you don't do only either, you must do both (assuming the service ain't used).

    • @TheJackiMonster (7 months ago)

      @@rautamiekka What do you expect a firewall to do when there is no actual service running?

  • @AustinEschweiler (8 months ago, +8)

    I think doing a video series on security is a great idea

  • @niksethi500 (8 months ago, +5)

    Finally, a useful video that actually helps enhance security while also making linux use less resources.

  • @leevi6026 (8 months ago, +23)

    One thing you really should have mentioned about securing an SSH server is fail2ban, which reduces the chance of getting bruteforced a lot and doesn't interfere with normal usage almost at all. Other than if you manage to typo your password a few times in a row you might have to log in from some other IP address to unban your IP (or just wait until the automatic unban after the set unban time). Though I would suggest tightening the settings a little bit from the defaults, which are too loose if you ask me. For example I think the unban time is usually too low with the default settings.
    EDIT: After continuing the video I noticed you did mention faillock in a later part of the video, but I think fail2ban is more useful for SSH because it blocks all access from that IP instead of the "attacked user account". Both ways have something good and bad of course, but overall I prefer fail2ban because then you can have a long unban time without yourself being blocked completely out of the system.

    • @deepin2u (8 months ago)

      Proper!!

    • @generic694 (7 months ago, +5)

      Just forbid password login and use key only.

    • @rautamiekka (7 months ago)

      @@generic694 Amen to that.

  • @tomaszgasior772 (8 months ago, +9)

    If using Docker, don't add your user account into "docker" group, don't configure your OS to use "docker" and "docker-compose" commands without sudo.

    • @FunctionGermany (8 months ago, +1)

      what security does this actually add? an attacker just needs my user's password to use sudo if they have an ssh session which i think is harder to obtain than the password.

    • @SirRFI (8 months ago)

      Can you elaborate why? Wouldn't running the entire docker as sudo make it even worse if the image/container was compromised? What about passing the UID to the container, rather than making it run as root by default?

    • @tomaszgasior772 (8 months ago, +5)

      @@SirRFI Docker daemon (server) is always running as root. The only thing you can decide about is whether client software is running as root or not. Having docker command available in your command line without sudo is like having sudo without password. With reasonably simple docker run invocation you can modify host files of your OS which is very big security hole.

  • @Uchiha_Madara1224 (8 months ago, +7)

    Yes more tool and security videos please, especially SELinux & AppArmor

  • @StanislavBloshenko (8 months ago, +10)

    I would appreciate some basics of firewalls. Thanks!

  • @terraflops (8 months ago, +1)

    more of this please! You answered the query I have been searching for

  • @WarkWarbly (8 months ago, +23)

    Consider placing your web browsers into a container and using a watchdog on the browser. That way you can make a script that watches the browser and if anything goes wrong you can kill the container and delist any permissions and rm -rf the contents or the container itself.
    There's a performance and resource hit for this though. Good luck with UA-cam and similar sites, as they tend to run at 3/4 or less overall speed/response/however you want to call it.

    • @WarkWarbly (8 months ago)

      Also instead of SELinux or AppArmor you may want to consider SNORT or Suricata. They all utilize a similar rules based method for partition to partition, app to app, system to network, and network to system management and logging.
      The only benefit of Suricata is that it can make use of GPU tech. So those with a dual/multi GPU setup can get a tiny performance boost. So if you're one of those with a dedicated GPU and a CPU with integrated graphics (Intel k series or AMD APU) you can run Suricata without too much of a system performance hit.

    • @Pang-nn4eq (6 months ago)

      Browsers are one of most secure softwares there can be on desktop OS. I fail to see how this adds anything. Containers aren't a security boundary. GPU processes, audio processes are all vectors for attack. And you do not contain those with a simple container.

    • @WarkWarbly (6 months ago)

      @@Pang-nn4eq
      Browsers are not as secure as you believe, and the container itself isn't the security, it's the container **along with** snort or suricata - programs that behave as malware watchdogs.
      And yes, you can actually use a simple container for drivers- the Linux Kernel Virtual Machine (KVM) is one instance in where you would contain drivers, as each installation of the Linux distro of choice would be running in or as a container.

    • @Pang-nn4eq (6 months ago)

      @@WarkWarbly, browsers have dedicated security teams with people on payroll. A browser executes remote untrusted code. It's a miracle they don't pwn their users every day. Sure, some zero days existed and do exist.

  • @jolynele2587 (8 months ago, +16)

    I recently started dual-booting again (thanks PC games), and I have to say hardening on Windows is relatively easy compared to Linux. Though I still believe I am the greatest security to my own device, it is great to know all of this just in case of a lapse of judgement.

    • @autohmae (7 months ago, +3)

      On the basic level. Windows still has FAR more services running as SYSTEM user (higher privileges than Administrator) than on Linux as root user. That said, I think it would be great to have Linux further develop with running less things as root. And as you mentioned have better defaults, or make it easy to have a distribution package called hardening. A huge missing feature of Windows is proper container support. That said I think Linux containers are still behind on Solaris Zones security level.

    • @jolynele2587 (7 months ago, +1)

      @@autohmae containers are definitely a Linux security perk. I agree that you can do more in depth hardening with Linux, but Windows gives you simpler options and intuitive defaults

    • @Sypaka (2 months ago)

      On my end, I am still trying to harden my Windows using Sandboxie and custom rules. And damn, I am still not done.

  • @DamjanDimitrioski (8 months ago, +5)

    Don't forget to have an ssh jump host, which adds additional security. And a port randomizer both on the jump host and the real server. Good luck guessing: the current IP for the SSH jump host (with a random IP pool that you will have a schedule for the next IP), and its port, and the ssh port of the real server. That way it doesn't matter if you have root or not. You can use different certificates for both the jump host and the real server. Each devop will have their own account with the least needed permissions and groups.

    • @alexk4894 (8 months ago)

      Sometimes it's too painful to use random ports. Personally, I think that port knocking and limiting login attempts will be good enough in most cases

  • @memesfromtheforsakenworlwi9218 (8 months ago, +4)

    Would absolutely love a firewall tutorial

  • @timsoft3 (8 months ago, +4)

    although there can be an emphasis on protecting your computer from outside attackers, which does require action, especially on servers, it is also worth mentioning that some security like drive encryption makes it harder to recover data, so for a number of people it is less secure having encrypted drives because they are more likely to lose their data due to forgetting passwords or hardware problems, than to some random person stealing their computer to look at their files.

    • @phonkyfeel1 (7 days ago)

      Oh that is totally true. I’m an absolute goof and am being honest for the sake of agreeing with your posts’ accuracy.

  • @kiankazem3846 (8 months ago, +7)

    PS the main reason root ssh is disabled in favor of sudo for admins is that the attacker needs to also find their username

  • @user-xu5bb6uf1n (5 months ago)

    the securing SSH tip was a big one for me as I am new to setting up an SBC running lightweight apps that I only access through SSH. Thanks for that.

  • @claudemartins5094 (8 months ago, +11)

    Superb video as usual, videos on security are always instructive. Configuring a firewall, AppArmor, SELinux, Kicksecure, Fail2ban, etc. would be topics that I think could help many users. Keep up the good work

  • @patw1687 (8 months ago)

    Sure. Any tips to protect my data and work are appreciated. It will also help explain why IT does the crazy things they do (sort of). Thanks Nick.

  • @newmonengineering (7 months ago)

    Pass phrase, the key to having a great password. Use 2 or 3 word combos. Thanks, the video covers a lot. Great video.

  • @AAAMGGG
    @AAAMGGG 8 months ago +3

    Thanks for the video. Regarding the firewall, SELinux and AppArmor are good topics for future videos. I would add that the firewall is the more relevant topic, since I think it is sort of a must-have for desktop and server.

  • @TsvetoslavGeorgiev
    @TsvetoslavGeorgiev 6 months ago

    Hi Nick, great video as always! I'd definitely love to see a more in-depth video on SELinux, AppArmor and Firewall!

  • @bionborys1648
    @bionborys1648 8 months ago +2

    Yes, a selinux and firewall configuration video with solid fundamentals and some advanced tips would be great and pretty much unique in YT.

  • @eDoc2020
    @eDoc2020 8 months ago +17

    Another thing you can do for hardening is renaming the root account, then anyone looking for root login will need to overcome another hurdle. The downside is it could get confusing and some scripts and programs might be hardcoded with the name, possibly causing more problems than it's worth.

    • @Rudxain
      @Rudxain 7 months ago +5

      AFAIK, it's possible to login by user ID. root must always be 0. So even if the name is unknown, you can still login to user 0

    • @that_heretic
      @that_heretic 5 months ago +1

      @@Rudxain This highlights the biggest issue. Educate yourself about how Linux actually works. Then act accordingly. Misconceptions are what get people in trouble. Whether that's trusting something that shouldn't be trusted, or the example you give here.

    • @Rudxain
      @Rudxain 5 months ago +1

      @@that_heretic exactly!
      ...
      wait, you mean I'm ignorant or OP is ignorant? I'm genuinely confused. I could be wrong about the UID

    • @joroc
      @joroc 5 months ago

      Linux users have time

  • @fotografm
    @fotografm a month ago

    Which backup program do you recommend? I am having problems finding one that works for Ubuntu (Timeshift is not working). Which one did you show in the video? Thanks

  • @Xankill3r
    @Xankill3r 8 months ago +1

    What do you think of Portmaster on the firewall front? Of course Portmaster is more than just a firewall but it can be used exclusively for that role alone. I'm using it on my Windows 10 machine and it has been working great. My Linux machine is PopOS unfortunately and Portmaster causes the login screen to not work if it's allowed to launch at startup.

  • @keylanoslokj1806
    @keylanoslokj1806 8 months ago +2

    Can you please one day make a guide on how to make your own virtual VPN, without needing to buy a physical device? Thanks a lot!

  • @sebastian.tristan
    @sebastian.tristan 5 months ago

    Great tips. Thanks for taking the time and making this video.

  • @Tinyindie
    @Tinyindie 8 months ago +3

    Thanks for the vid. I'd be interested in a firewall video!

  • @RU-qv3jl
    @RU-qv3jl 8 months ago

    Great video and, as I’m still learning, I’m all for a video on firewall config and SELinux.

  • @deletewindoze
    @deletewindoze 8 months ago +1

    I have security cameras going to a computer using FTP, and not all the images and videos would record. The camera company wanted me to disable the firewall, which I didn't like at all. What I found out is that you can allow all access through the UFW from only one other computer. I did this for each camera, and the problem went away. This is a very special case, but it allowed keeping the firewall up, while solving the problem.

  • @Slugbunny
    @Slugbunny 8 months ago +1

    The "in the process" pun had a pause just long enough for me to stop eating and give the phone a meaningful look from my lunch. 😏

  • @arnab0bhattacharya
    @arnab0bhattacharya 8 months ago +4

    I am very interested in a firewall and SELinux video

  • @Lampe2020
    @Lampe2020 8 months ago +5

    12:58 SELinux is also used on Android.

  • @c8__
    @c8__ 8 months ago

    You're the best Linux desktop channel in my opinion.
    I would really like a SELinux video from you.

  • @false_positive
    @false_positive 8 months ago +1

    I have changed the default SSH port for security reasons;
    I also use the "Howdy" facial recognition tool to avoid entering the password manually with every move

  • @lapin_noir
    @lapin_noir 8 months ago

    Yes please! I would love to see a deeper dive into hardening Linux!

  • @robertheinrich2994
    @robertheinrich2994 8 months ago +8

    there is of course one option to keep it really secure. don't have just one machine for everything. we all access websites that are less than optimally trustworthy. some are somewhat shady.
    and we all have an old laptop or PC sitting around, not fast enough for everyday use, but still quite good (especially with linux, since there are linux distros out there that are pretty light on the computer). just have one machine with high security dedicated for online banking, email etc. and your main PC is for everything else.
    even a VM is helpful and better than nothing. a lot of malware just goes the easy route and scans for passwords and logins to the really important stuff.
    oh, and that machine you dedicated to the most important tasks? just keep it turned off. it's hard to hack a computer that is physically without power.

    • @craigslist6988
      @craigslist6988 8 months ago

      I use an expanded version of this idea: buy 4x flash drives (or find them lying around, like that old laptop). You can run a live distro on each drive, completely separated operating systems. Even 16GB is enough to run the basics, GUI, web browsing and all the other basic apps; 32GB is much more comfortable for Firefox's crappy memory leaks. With 128GB you'll never run into a space issue if you just use external storage for large downloads. These drives are < 20$ now, a fairly small price to pay.
      What I wish is that they had something I could 'hot swap' between these OSs, like VMs, but without emulation losses. You can hibernate and swap to approximate that behavior though... if you can get hibernation working (needs more space also, 128GB is plenty for it).

    • @robertheinrich2994
      @robertheinrich2994 8 months ago

      @@craigslist6988 oh yes. the most insane variant of using old laptops was from around 20 years ago. knew a guy who bought a bunch of old laptops from his employer just for surfing in somewhat risky situations. to be more precise: he loved surfing the internet while being on an air mattress. sometimes, a laptop met the bottom of his pool.
      no problem, he took the next laptop from the stack of laptops he had.

  • @cyberjohn44
    @cyberjohn44 8 months ago +5

    Great video. I would also recommend changing the SSH default port to something random as most bots probe 22.

    • @Dungeonseeker1uk
      @Dungeonseeker1uk 8 months ago +8

      No offence intended here but changing ports is generally considered useless, bots are not probing any ports specifically, they mostly probe for any open port. The protocol is then as simple as a packet sniff. You can get better results by disabling ping requests from unknown sources.

  • @calabi-yau4894
    @calabi-yau4894 8 months ago

    I can't remember right now, but can the root account be disabled in NixOS, i.e., can one user account with admin privileges still be used to deploy the configurations to servers and/or computers?

  • @MustafaDarwish1
    @MustafaDarwish1 4 months ago

    Oh yeah, I would love to see videos on firewalls, you explain things in a good way.

  • @kramercanfield1742
    @kramercanfield1742 7 months ago

    Yes! I’d love to see another video on this please

  • @MegaManNeo
    @MegaManNeo 8 months ago

    Thanks for that always handy to have security PSA, Nick!
    Really should check my VPS again 😅

  • @alexandrubossro
    @alexandrubossro 7 months ago

    Does allowing only the local network to connect to SSH, and configuring the firewall so that only the used ports like 80 are allowed outside of localhost, count as a solution?

  • @colinchichester1809
    @colinchichester1809 8 months ago

    Just a quick question. Is the built-in firewall still any good? I haven't used the system in a long while but I remember it had a good one if you took the time to learn it.

    • @colinchichester1809
      @colinchichester1809 8 months ago

      Won't let me edit. Never mind my comment I hadn't seen that segment of the video yet.

  • @DeDean16
    @DeDean16 7 months ago

    It'd be great to see some more security videos from you :)

  • @ExistentialDawn
    @ExistentialDawn 4 months ago

    What is this app called that you're using at 3:03 where you see the installed apps?

  • @taylorkoepp3048
    @taylorkoepp3048 8 months ago +3

    It's possible to turn on auto updates for security patches on servers, surprised this wasn't mentioned (it's one of the first things I do).

  • @echovoid258
    @echovoid258 8 months ago

    Yes, I would like to see another video going more in-depth.

  • @evaneesiko8097
    @evaneesiko8097 8 months ago

    Finally a video on security I can follow....more please👍

  • @suki4410
    @suki4410 7 months ago

    Very good tips! Thanks!

  • @JamesSiverFox
    @JamesSiverFox 8 months ago

    Thank you for this info, I'm a Linux Noob so I'm still learning. Most of this is over my head, but once I learn more I'll hopefully be able to use this lol.

  • @Aquis7
    @Aquis7 8 months ago

    Thanks for this I enjoyed it.
    Yes I am a fedora user so would love a SELinux vid!

  • @thescrewfly
    @thescrewfly 8 months ago +1

    For the algae rhythm! Also, a firewall episode would be welcome.

  • @caseyriley1014
    @caseyriley1014 4 months ago

    At 15:04 what's the UI there based on? I really like the dark theme and the way everything is presented

  • @secureitguy5245
    @secureitguy5245 7 months ago

    I mentioned earlier that a "passwordless" key ssh login protects one from a camera recording password entries. I neglected to mention another reason why it's a good idea to use: if routing to your server should ever get compromised, on login you could be talking to a password harvester. With key exchange, your ssh client will say: BS!
    That compromise of routing could occur at your ISP, your home LAN, or even over the Internet! There have been cases where large swathes of the Internet got rerouted through rogue countries by means of a compromise of the BGP routing protocol (it had been set up sloppily...)

  • @fram1111
    @fram1111 6 months ago

    Great stuff, and do a video on security settings and all the little ins and outs. Just like your normal videos, and if needed maybe beginner/advanced videos.

  • @CAZOlsen
    @CAZOlsen 8 months ago +1

    Very interested in knowing how to set up security for different types of users like beginners, or if I need to set it up for other users like family

  • @vicstoron
    @vicstoron 8 months ago

    a video on Linux firewalls would be great! please consider doing so in the future

  • @gregmurdoch3264
    @gregmurdoch3264 8 months ago +20

    The problem with Linux is the user base, not the software.
    You can lock down Linux tighter than a nun's nasty, and you can achieve bulletproof (nearly) tin foil hat status, but you need to know how, and that's where 9x% of people get in trouble. I've run dozens, maybe in the lower 100 counts, of Linux servers, and the number of times I've seen an “experienced IT professional” do something that causes a head smack to crack your skull is countless.
    My list of stuff to check as a first pass. This won't bulletproof the tin foil, but it will shine. (Nick brought some of these up)
    1. The first biggest issue, by far, is having permissive sudo settings! -DO NOT GIVE EVERYONE SUDO ACCESS.
    2. The second-biggest issue, by far, is having permissive sudo settings! -DO NOT GIVE EVERYONE SUDO ACCESS.
    3. The third-biggest issue, by far, is having permissive sudo settings! -DO NOT GIVE EVERYONE SUDO ACCESS.
    4. Lock down SSH, and DO NOT change the port. Changing the port is not going to help you. If you're at the point that moving from 22 to 9022 is going to polish the top of your security walking stick, then fine, but if that's the case you're also going to agree it's usually pointless.
    5. Lock down user accounts. Make sure user accounts are properly controlled, groups are reviewed, passwords policies are in effect, and review system permissions.
    6. Use SELinux or another security framework, if SELinux is fighting you, in 9X% of cases, you've done something wrong.
    7. Use IPTables, BPF Tables, and other tools to build the proper routing settings!
    8. Sweep for kernel modules!
    9. Manage keys correctly, don't have users with a single SSH key that use the same key on everything. 1 key = 1 service.
    10. Use multifactor authentication. You are NOT too busy to have additional factors, PERIOD!
    11. Monitor, Monitor, Monitor, oh and make sure you monitor. All logs should be sent to a remote server.
    12. (Nick brought this up), remove the stupid GUI! It's a server, learn to use it.
    13. Use VMs, for isolation.
    14. Disable services you don't need, and close ports that shouldn't be open.
    15. If you use an email server, FULLY ISOLATE IT. Seriously! Do not install an email server with other services.
    If you follow these points, you'll be at least in a good default state, from there have fun polishing the tin foil even more.
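    As an added example, not the commenter's own code, the script below turns items 1 to 4 of this list into a first-pass check: it flags sudoers entries that grant every command (with or without NOPASSWD) and reads the effective sshd settings for root login, password authentication and login attempts, falling back to OpenSSH's compiled-in defaults when a directive is commented out. Both config files are constructed samples and the function names are this example's own.

```shell
#!/bin/sh
# Added example: first-pass audit of sudoers and sshd_config.
# The two files below are constructed samples; on a real host point the
# functions at /etc/sudoers (root-readable only) and /etc/ssh/sshd_config.
set -u

SAMPLE_SUDOERS="$(mktemp)"
SAMPLE_SSHD="$(mktemp)"
trap 'rm -f "$SAMPLE_SUDOERS" "$SAMPLE_SSHD"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample sudoers
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%devs   ALL=(ALL) NOPASSWD: ALL
alice   ALL=(root) /usr/bin/systemctl restart nginx
EOF

cat > "$SAMPLE_SSHD" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
EOF

# Print sudoers entries whose command list is exactly ALL, one per line as
# "<user-or-%group> <ALL|NOPASSWD>". Scoped entries such as alice's are skipped.
permissive_sudo_entries() {
    sed 's/#.*//' "$1" | awk '
        NF >= 3 && $NF == "ALL" {
            flag = "ALL"
            for (i = 2; i <= NF; i++) if ($i ~ /NOPASSWD:/) flag = "NOPASSWD"
            print $1, flag
        }'
}

# Effective value of one sshd_config keyword: sshd uses the first match and
# keywords are case-insensitive; a "#Keyword" line is a comment, so the
# caller-supplied default is returned when nothing active is found.
sshd_setting() {
    file="$1"; key="$2"; default="$3"
    value="$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")"
    [ -n "$value" ] && printf '%s\n' "$value" || printf '%s\n' "$default"
}

# Print one finding per line for the basic SSH checks; return 1 if any fired.
# Defaults passed in are OpenSSH's own (prohibit-password / yes / 6).
sshd_findings() {
    f="$1"; rc=0
    [ "$(sshd_setting "$f" PermitRootLogin prohibit-password)" = "no" ] ||
        { echo "PermitRootLogin should be no"; rc=1; }
    [ "$(sshd_setting "$f" PasswordAuthentication yes)" = "no" ] ||
        { echo "PasswordAuthentication should be no (use keys)"; rc=1; }
    [ "$(sshd_setting "$f" MaxAuthTries 6)" -le 3 ] ||
        { echo "MaxAuthTries should be 3 or lower"; rc=1; }
    return $rc
}

echo "Sudoers entries granting ALL commands:"; permissive_sudo_entries "$SAMPLE_SUDOERS"
echo "sshd findings:"; sshd_findings "$SAMPLE_SSHD" || true
```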

    • @TheLinuxEXP
      @TheLinuxEXP 8 months ago +6

      Good tips, thanks!

    • @lince4824
      @lince4824 8 months ago +1

      You're very wrong. I stopped reading at paragraph 2. Tin foil hat please, just kidding, but you're very very wrong. You are right that most people, experts and admins will make a barely secure system much much more insecure on the first day though.

    • @gregmurdoch3264
      @gregmurdoch3264 8 months ago +3

      @@lince4824 What do you feel I got wrong and why? I don't mind disagreement, but I really don't see much wrong with my list as a basic first pass. Keep in mind you can do much more, and should.
      Oh, and the #1 thing admins do, usually by accident or because they're busy, is give everyone sudo, and sudo ALL=ALL. Actually, in a lot of cases I recommend removing sudo; it's a very powerful tool, and you almost certainly don't actually need it.

  • @yethuraj4873
    @yethuraj4873 7 months ago

    I am using a ThinkPad P52. I am planning to install the latest version of Linux Mint Cinnamon. There are 2 options, Cinnamon and Cinnamon Edge (Cinnamon Edge is for the latest hardware); which one should I choose? I have heard that the ThinkPad P52 has BIOS issues. I need to use Nvidia graphics in hybrid mode like in Windows 11. Could any P52 user provide me some info? I am stuck in Windows 11, which is taking lots of unnecessary internet data. I tried to install Pop OS but the installer had lots of bugs.

  • @holgerwikingsen713
    @holgerwikingsen713 7 months ago

    Question about root login: I edited "/etc/passwd" and, checking my file system, I have both /sbin/nologin and /usr/sbin/nologin: does it make a difference? Which one should I set it to? I'm under Debian 12. I'm a newbie. Thx

    • @holgerwikingsen713
      @holgerwikingsen713 7 months ago +1

      Gonna answer myself: I just checked with the file manager (Thunar) and it says that "/sbin" just links to "/usr/sbin", so it's the same thing I guess. Thanks Holger.
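      As an added example that is not from the thread, the POSIX shell script below checks the two /etc/passwd points raised above: @Rudxain's remark that root is identified by UID 0 rather than by name (so any extra UID-0 account is root-equivalent whatever it is called), and Holger's /sbin/nologin versus /usr/sbin/nologin question. The passwd file is a constructed sample and the function names are this example's own.

```shell
#!/bin/sh
# Added example: two checks over an /etc/passwd-style file.
# The sample is constructed; pass /etc/passwd on a real host.
set -u

SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Admin:/home/admin:/bin/bash
toor:x:0:0:maintenance:/root:/bin/bash
EOF

# Names of every account whose UID (field 3) is 0. The kernel only checks the
# number, so each of these is a full root login regardless of its name.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Same list minus "root" itself: anything printed here needs an explanation.
extra_uid0_accounts() {
    uid0_accounts "$1" | grep -v '^root$' || true
}

# Login shell (field 7) of one account; empty when the account does not exist.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# Succeed when the account's shell is a conventional "no login" shell.
# /sbin/nologin and /usr/sbin/nologin are both accepted: on a merged-/usr
# system such as Debian 12, /sbin is a symlink to /usr/sbin, so they are the
# same program. This blocks terminal logins and anything that starts the
# account's shell (su -, sudo -i); sudo with an explicit command is unaffected.
is_login_disabled() {
    case "$(login_shell "$1" "$2")" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

echo "UID-0 accounts: $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "unexpected UID-0 accounts: $(extra_uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "root shell: $(login_shell "$SAMPLE_PASSWD" root)"
```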

  • @nathanandrinoid7569
    @nathanandrinoid7569 7 months ago

    I was researching a system call restriction of an installed service. I eventually figured it out in the service config permissions, but I had AppArmor installed and it seems like they had some overlap. I would love a video to teach more about both and whether they do overlap.

  • @lovekushkumar6222
    @lovekushkumar6222 8 months ago +3

    Make a video on SeLinux and Apparmor configuration and how to add or remove policy 😊

  • @hermean
    @hermean 8 months ago

    I definitely would appreciate a firewall config video, and another on SELinux and AppArmor

  • @RobertJohnson-lb3qz
    @RobertJohnson-lb3qz 7 months ago

    Thanks LE. I’m relatively new to Linux so this is very good info.

  • @rdg8390
    @rdg8390 7 months ago

    Yes - give us one on how to replace the Fedora kernel with a unified kernel image. Thanks for the video

  • @TheSast
    @TheSast 8 months ago +1

    There is also bubblewrap! It's used by flatpak under the hood.

  • @czfxw
    @czfxw 8 months ago +1

    Yes, please! Firewalls & Selinux videos!

  • @macloricott13
    @macloricott13 8 months ago

    Nice video. Please, more of this stuff!

  • @cromfrein5834
    @cromfrein5834 8 months ago +1

    Firewall configuration would be pretty interesting to see!

  • @jcugnoni
    @jcugnoni 8 months ago +1

    Excellent video. Really useful. We always tend to forget good practices ...

  • @ukaszpalczewski7588
    @ukaszpalczewski7588 8 months ago

    Nice to know! Thx for the ep :)

  • @JBlask
    @JBlask 7 months ago

    I would like to see a video on firewalld, backup software, and logging software/logging analysis software. Thanks.

  • @rodfer5406
    @rodfer5406 8 months ago

    Yes, please do all security videos. Thanks.

  • @herozero777
    @herozero777 3 months ago

    I'd also like to see a video on how to configure a firewall. :)
    And thanks for this great video as well.

  • @rocstar3000
    @rocstar3000 8 months ago +2

    It would be amazing to have a firewall config video

  • @TechWaltMD
    @TechWaltMD 7 months ago

    Great content. You might mention boot hardware keys if there is a part 2

  • @SirRFI
    @SirRFI 8 months ago

    Question about partitions and disk encryption:
    On Windows, I always make the C:\ partition up to 50 GB and another one with the rest of the drive's size. I install and keep most stuff outside C:\. This way the partition is easy to dispose of, like for a fresh install - most of my stuff remains untouched on the other one.
    Can this be replicated on Linux? Recently I tried that, and doing separate partitions on btrfs took a few extra intuitive steps, because otherwise they just merge into separate sub-volumes or something. I haven't tested if it works like I'd want yet, but disk encryption comes into the equation too - what would happen if I encrypted the drive and then removed the 50 GB partition with everything non-/home? Ideally I'd want the best of both worlds - a disposable partition in case something critically breaks, not losing my files on the other partition, and having it all encrypted too.

    • @asunavk69
      @asunavk69 8 months ago

      It seems to be, I never did this though, I only do the partition separation haha. I did a search after reading what u said and there are results on Brave search, but quite old ones, so yeah I can only say good luck, I am still hopeful it's possible to this day though.

    • @eDoc2020
      @eDoc2020 8 months ago +1

      It's no problem to install with multiple partitions the way you describe and (IMO) the installers for Debian and Ubuntu make this easy. With encryption it should still work, but depending on the setup you might need two passphrases. But personally, for your use case btrfs subvolumes would work great. You can delete one subvolume without affecting others, but you can also take snapshots of subvolumes. Then if the OS breaks you can roll it back instantly. But if you do want to install clean you can as well, just be doubly sure the option to format the partition is unchecked.

  • @radekcrlik5060
    @radekcrlik5060 8 months ago +1

    Good tips. I guess every user should know at least a little bit about security these days.
    Regarding full disk encryption, it is a good choice. Unfortunately, it is a pain in the ass to set up during installation for most of the distros I tried, especially if you want to have multiple partitions. I see this as an area for improvement in Linux :)

  • @UndoEverything
    @UndoEverything 8 months ago +1

    Thanks. I really need this episode.

  • @CTimmerman
    @CTimmerman 8 months ago

    On GNU/Linux updates can also break features like your auto-fullscreen Chrome kiosk Ubuntu with some task bar iirc.

  • @johanb.7869
    @johanb.7869 8 months ago +1

    Lynis auditing tool. It scans your system and shows options on how to harden your system after it's finished. Needs to run as root.

  • @sami-nn9fg
    @sami-nn9fg 7 months ago

    I recommend adding one-time passcode step for the SSH login. That way, even if someone ever steals your password, they still won't be able to log in.

  • @SakkakuTamashi
    @SakkakuTamashi 8 months ago +1

    Little tip on systemctl: if you do systemctl disable service-name --now it stops and disables with the same command