How To Protect Your Linux Server From Hackers!


LiveOverflow

3 years ago

293,810 views


Comments:

NTH - 15.11.2023 20:49

Based

urbaniv - 27.10.2023 15:17

@disabling root
For me that recommendation made sense since it decreases your brute force attack surface: with any other username ssh attackers don't know your username and can't try to brute force the password

sneer - 19.10.2023 00:25

A few caveats:

I run a couple of servers for my private use. What I noticed is that most brute force attacks, scanning and scripted probing happen on port 22 with user ‘root’. I disabled remote root login and moved sshd to a custom port and all malicious activities dropped to nearly zero. My self-hosted server dropped in resources and power usage. There are very few to no downsides to it.

Key vs. passwords: I have proper, randomly generated passwords for all of my logins and use remmina to log in. As quick as a key and more flexible as I can log in from random machines if I need to by typing passwords. I don’t like keys as they are too much hassle to use from different machines (including my phone).

Firewall: I use a properly configured firewall to make sure that no ports are accidentally open. I have to open each one of them manually (there are other mitigations as well). Other than that I wrote a quick Python script that runs through my logs and adds all those Russian, Chinese and other IPs that tried to brute force an ssh login for good to my firewall with the DROP directive. The firewall is very handy to reduce the attack surface, that could be widened accidentally. Yeah, in a proper production environment before anything is open I would test my setup on a testing machine before establishing correct procedures of implementing any new service, so firewall for blocking ports in that case would be useless, but that is not time efficient for private servers.

So, yeah, you are correct, for professional environments those googled security measures are next to useless, but a professional sysadmin would not Google that. For a home or private server in a VPS they could be useful.

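The log-to-firewall script described in the comment above could look like the following; this is an added example, not the commenter's script, and the log lines, threshold, allowlist handling and function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the usual OpenSSH syslog format (documentation-range
# addresses, not real traffic). The last line has a crafted username that
# tries to make a naive parser blame 192.0.2.99 instead of the real source.
SAMPLE_LOG = """\
Oct 18 23:01:02 host sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 18 23:01:05 host sshd[811]: Failed password for root from 203.0.113.7 port 40124 ssh2
Oct 18 23:01:09 host sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Oct 18 23:02:11 host sshd[820]: Invalid user test from 198.51.100.23 port 51514
Oct 18 23:02:13 host sshd[820]: Failed password for invalid user test from 198.51.100.23 port 51514 ssh2
Oct 18 23:05:40 host sshd[901]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Oct 18 23:06:00 host sshd[905]: Failed password for alice from 192.0.2.10 port 50030 ssh2
Oct 18 23:07:00 host sshd[910]: Failed password for root from 999.1.1.1 port 1 ssh2
Oct 18 23:08:00 host sshd[915]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 198.51.100.77 port 4242 ssh2
"""

# The username is chosen by the remote side, so match greedily and anchor on
# the end of the line: only the final "from <ip> port <n> ssh2" is trusted.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for .* from (\S+) port \d+ ssh2$")

def offenders(log_text, threshold=3, allowlist=()):
    """Return sorted IPs with >= threshold failed logins and no successful one."""
    failures, trusted = Counter(), set(allowlist)
    for line in log_text.splitlines():
        ok = ACCEPTED.search(line)
        if ok:
            trusted.add(ok.group(1))  # never lock out a source that also logged in
            continue
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))  # reject anything that is not an IP
        except ValueError:
            continue
        failures[str(ip)] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold and ip not in trusted)

def drop_rules(ips):
    """Render firewall commands as text for review; nothing is executed here."""
    rules = []
    for ip in ips:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        rules.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

The allowlist and the "Accepted" check guard against the main operational risk of permanent DROP rules, which is blocking an address you log in from yourself.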
d4lep0ro - 17.10.2023 21:36

you look like a manly Michael Cera.

Jarrod Wright - 12.10.2023 06:00

SSH Keys > SSH password -- not because of the unlikely scenarios you described, but because they cannot feasibly be brute forced or dictionary attacked. Also SSH keys can be encrypted which acts as a form of multi-factor authentication. So, SSH keys DO make your server more secure. A more beneficial use of your time might be to break into systems rather than reading the man pages.

Burje Duro - 07.10.2023 14:30

This is why Chuck is one of the best out there. He's a dedicated learner. I'm subscribed to both channels and I learn a ton every time I open their videos.

bur2000 - 24.09.2023 09:00

The port changing actually does you good. As you say, it fends off scripts. And scripts might exploit an issue you are a week late with fixing because you are on holiday. So yes, it's unnecessary in an ideal world. But: the cost of changing the port is nearly zero, so even if the amount of added security is small and safeguards only against you being stupidly slow with patching - why not do it? It's not snake oil, more like drinking tea with lemon for a cold.

("EE-REE-STOH") - 11.09.2023 04:07

Linux is spyware to begin with. One day you people will realize this. You people want to harden your Linux, but they are already in lol. Even back to gnu and stallman. He was a damn hacker that said passwords are stupid and people shouldn't use them lol. You people don't trust corporations and their software, but do trust random people who have no incentive to protect your system. All stemming from a damn hacker, if you're on GNU anything. But any free OS screams spyware to begin with. I use Linux, but not for safety. I don't have anything valuable for hackers to steal or use. So doesn't matter to me much if they get in. But most of you do. So consider that all you people considering switching to Linux because you have been sold the lie that Linux is safer than windows or Mac. It's not at all. And don't use a password manager on a computer. It may seem more convenient, but if it's on your computer, hellooooooooo lol. I use a notebook that I keep next to my computer, with all the different passwords and login infos for everything that I might use on my computer. Eventually you just remember them all. And don't need to go back to look. But if you really want to be safe. You should be changing passwords at least once a month anyways.

The Darkterminal Sound - 03.09.2023 23:55

Do not create any server, then you get secured from "hacker"!

eros sutrisno - 27.08.2023 10:22

well, that hurts.

L Tonchis - 20.08.2023 01:51

it's complexly simple 😀 just use a double firewall for your internal split dns servers and zerotrust services for no open ports 😁

John Pt - 22.07.2023 23:37

I don't get it. You don't explain how to protect a server. You just explain why certain things don't work and don't even give suggestions about any security measures. Also, it's kinda dumb since there are countless wrong things people say (like the ipv6 thing), but few correct. And you focus only on the wrong ones. That's the easy way to make a video...

MindCaged - 02.07.2023 18:00

For the firewall, I stopped midway so you might mention it later in the video. Something a firewall can do that just opening or closing a port can't is you can set it so it checks the connection source. So you can set it up so it'll only allow a connection to a given port from a given ip address like for example the local network, or even a specific ip on the local network. That's not really useful for a remote server unless you have a static ip at home or wherever you're accessing it from that you can restrict it to.

Bacca Marsh - 29.06.2023 01:54

Video title doesn't describe the content well enough. I clicked to see what to do, not to see what has any substance

Nikita Alekseev - 06.06.2023 20:59

👏👏
The island of reason in the ocean of silliness.
Thank you for the Great content!

DaNu - 17.05.2023 03:35

You seem very intelligent. I really enjoyed the way you questioned and dismantled these widely accepted and parroted "truths". Thank you! Subscribed.

CMDR unematti - 26.04.2023 11:38

I'm watching this video to set up my own network xD of course I'm not ready! Got pihole, jellyfin, only top level DNS queries on my own DNS server so far. I'm worried about port forwarding 8*** to my jellyfin docker image on my NAS... I hope they can't get out of that

Aiden Nymes - 04.04.2023 08:09

a better way of securing ssh is to use a peer2peer vpn tunnel and only have the ssh server listen/allow on that vpn subnet.

Aiden Nymes - 04.04.2023 08:03

you can secure your ssh keys with a password. so even if the client system gets compromised and the attacker gets your private key, he still needs to crack the password to use it

JR PD - 02.04.2023 15:04

"Here's the gospel, follow my disciples" 😆😂🤣😆😂🤣😆😂🤣 rofl! Good one! 😎😁👏🤘

Jack Polygptman - 22.03.2023 16:06

Thanks! Also loved the networking related videos!

marcux83 - 16.03.2023 13:42

what about
...
I only use ipv6 aaaand change the default port? 🤣

Uinise Faustina Foo Chong - 14.03.2023 03:32

It's because of a smear campaign

Uinise Faustina Foo Chong - 14.03.2023 03:31

I have a lot of famous people who bully me

Uinise Faustina Foo Chong - 14.03.2023 03:29

It's a long story

Uinise Faustina Foo Chong - 14.03.2023 03:29

In all technicality it's been longer but no one believed me

Uinise Faustina Foo Chong - 14.03.2023 03:28

They've been hacking me for over a year

Uinise Faustina Foo Chong - 14.03.2023 03:28

I thought they got away with it by paying people for silence

Uinise Faustina Foo Chong - 14.03.2023 03:28

Oh my God you know what I'm talking about thank god

Benjamin Smith - 03.03.2023 05:25

I agree with a lot of these points, but...

Although security through obscurity is widely challenged, I would argue that this, too, is a bit of cargo cult "best practices"!

If there is a zero-day exploit for SSH, you can bet that the scanners will be running around the clock on the default port first! They may get to other ports, but in practice, they don't.

"Best defense not be there" - Miyagi (Karate Kid)

गुरुकृपा केवलम (Supreme Grace) - 24.02.2023 08:33

you are very perfect in explaining very best lots of means very lots of doubts has been cleared and got root level knowledge...

Steven - 21.02.2023 16:48

fail2ban is brilliant to just stop brute force password attacks

Khalil’s world - 24.01.2023 01:08

Want to know how you can make your next server really secure? Disconnect it from the network, boom, now you are really secure

Khalil’s world - 24.01.2023 01:00

I’ve always told people, never ever enable automatic upgrades on a server, one of my friends is hosting websites for people and they have automatic upgrades enabled, if a package breaks during an update you’re not gonna know what the source of the package

Gustavo M's Trash Can - 10.01.2023 15:22

"Hey, do this!... which is useless. Okay, now do this... which is a tad less useless."

Better With Rum - 06.01.2023 10:11

the only bit I disagreed with you on was the last bit of advice. We may agree but for different reasons. With serverless, containers and WASM the need to run your own server is diminishing. But running your own code, as you mentioned with Heroku, is a very good pattern for accomplishing your goals beyond just learning. I doubt your audience is filled with non-technical users, so for that small percentage, yes this is good advice. This video is likely targeted at new system admins, in which case, this is bad advice. The better advice is become exceptional at your tradecraft.

You have pipes in your home or apartment, you're not a plumber, so you'd likely hire a professional to take care of them. But let's say you're a teenager growing up in that same home and you like working with your hands, the trades like working with wood and fixing things and a career as a plumber sounds interesting. Yes, you should absolutely play around with a lab and try to fix your own problems provided you're not over your head.

So as with everything in IT, it depends.

Hans Peter - 06.01.2023 02:43

This video actually made me check what services are running on my server. And it actually made me install a firewall (ufw). I noticed that there is a mail service that I did not know about but apparently it's needed for some error message communication. Thanks to ufw, I don't need to figure out how to configure it to stop listening to external traffic. I simply allowed everything that I knew about in ufw.

zoverlvx - 04.01.2023 00:43

Servers are sheep, not pets 🙂

Xaito - 03.01.2023 13:38

I thought disabling the ssh access for root user was mostly about not giving hackers a well known user name to work with? Someone who tries to break into your server is more likely to try guessing the password for "root" than for "XXX_Pu$$ySl4yer69"

Signal - 19.12.2022 07:43

This is why I love TOR and Nipe.

f u google - 17.12.2022 04:14

I remember seeing this video a while back and I was kinda offended, because I would do all of the above and believe that it is crucial to security. But since, I've really grown up in the field (work as a sysadmin now) and yeah. It's true :D All of what you say, it's true and reasonable. I guess the fear mongering is a real problem on some tutorial websites. They do it for the clicks I guess

O TVs - 16.12.2022 13:11

Your SUDO technique is not working alias sudo='sudo id; sudo'

Lampe2020 - 08.12.2022 11:02

To the firewall thing: if no service is listening on a port but you try to access it any computer will not know which service should respond to that request and just block it, even without `ufw` or any other firewall.
("Error: connection refused" is the most common error message the requesting program shows)
