
10 Tips for Hardening your Linux Servers

  • 0:01 - 0:10
    [Music]
  • 0:10 - 0:11
    hello again everyone
  • 0:11 - 0:14
    and welcome back to learn linux tv today
  • 0:14 - 0:16
    i am launching a brand new series on my
  • 0:16 - 0:17
    channel
  • 0:17 - 0:20
    enterprise linux security and in this
  • 0:20 - 0:21
    series i'm going to talk about
  • 0:21 - 0:24
    well enterprise linux security this is a
  • 0:24 - 0:26
    series that i've been wanting to launch
  • 0:26 - 0:27
    for quite a while and
  • 0:27 - 0:29
    today's the day this is episode number
  • 0:29 - 0:31
    one and in this video
  • 0:31 - 0:34
    i'm going to go over 10 tips for
  • 0:34 - 0:36
    hardening your linux servers
  • 0:36 - 0:38
    now some of you out there that are more
  • 0:38 - 0:40
    seasoned when it comes to security than
  • 0:40 - 0:40
    others
  • 0:40 - 0:42
    you might feel that some of the tips
  • 0:42 - 0:43
    that i'm giving you in this video are a
  • 0:43 - 0:44
    little
  • 0:44 - 0:47
    well entry level and that's not
  • 0:47 - 0:48
    completely untrue
  • 0:48 - 0:50
    this is episode number one and we do
  • 0:50 - 0:52
    have to start from somewhere
  • 0:52 - 0:54
    but i really do feel that the tips that
  • 0:54 - 0:55
    i'm going to give you in this video are
  • 0:55 - 0:58
    the most important things to focus your
  • 0:58 - 0:58
    attention
  • 0:58 - 1:00
    to when it comes to hardening your linux
  • 1:00 - 1:03
    servers now before we get into it i want
  • 1:03 - 1:04
    to take a moment to mention the sponsor
  • 1:04 - 1:08
    for this video kernel care
  • 1:08 - 1:10
    keeping servers safe compliant and
  • 1:10 - 1:13
    ensuring constant uptime is a full-time
  • 1:13 - 1:14
    job
  • 1:14 - 1:16
    one that can't be left to chance and one
  • 1:16 - 1:18
    that must be fully automated
  • 1:18 - 1:21
    and fully supported to do that
  • 1:21 - 1:23
    you need a live patching tool that
  • 1:23 - 1:24
    integrates with automation tools and
  • 1:24 - 1:26
    vulnerability scanners
  • 1:26 - 1:28
    supported with the latest patches and
  • 1:28 - 1:30
    one that lets you decide which patches
  • 1:30 - 1:32
    are rolled out across your organization
  • 1:32 - 1:34
    and runs within your firewall and
  • 1:34 - 1:36
    kernelcare enterprise does this
  • 1:36 - 1:37
    it provides you with more integration
  • 1:37 - 1:40
    support and control
  • 1:40 - 1:42
    it works in your local infrastructure
  • 1:42 - 1:43
    via e-portal
  • 1:43 - 1:45
    a dedicated patch server that runs
  • 1:45 - 1:48
    internally but outside your firewall
  • 1:48 - 1:50
    it acts as a bridge between internal
  • 1:50 - 1:52
    patch servers and the main kernel care
  • 1:52 - 1:54
    patch server
  • 1:54 - 1:56
    this approach is ideal for staging and
  • 1:56 - 1:57
    production environments that need strict
  • 1:57 - 2:00
    isolation from external networks
  • 2:00 - 2:02
    or require more stringent controls over
  • 2:02 - 2:05
    the patches that are to be applied
  • 2:05 - 2:06
    kernel care enterprise is available for
  • 2:06 - 2:09
    all major linux distributions
  • 2:09 - 2:12
    and includes priority support 24x7 via
  • 2:12 - 2:13
    live chat
  • 2:13 - 2:16
    email or ticket system check out kernel
  • 2:16 - 2:18
    care enterprise via the url that's on
  • 2:18 - 2:19
    the screen right now
  • 2:19 - 2:20
    or give the link that's in the
  • 2:20 - 2:23
    description a click
  • 2:23 - 2:26
    and thank you so much to kernel care for
  • 2:26 - 2:27
    sponsoring this video
  • 2:27 - 2:29
    as well as many other videos on this
  • 2:29 - 2:31
    channel i really appreciate it
  • 2:31 - 2:34
    now let's get into my list of 10 things
  • 2:34 - 2:35
    that you can do
  • 2:35 - 2:50
    to harden your linux servers
  • 2:50 - 2:52
    now when it comes to my first tip this
  • 2:52 - 2:55
    is not actually a system tweak or a
  • 2:55 - 2:57
    system change or anything like that
  • 2:57 - 3:00
    it's all about your mindset now for all
  • 3:00 - 3:02
    i know you could be a system
  • 3:02 - 3:04
    administrator you could be a security
  • 3:04 - 3:08
    professional or you might even be a cto
  • 3:08 - 3:10
    either way it's very important to
  • 3:10 - 3:12
    understand what an appropriate mindset
  • 3:12 - 3:12
    is
  • 3:12 - 3:14
    when it comes to the security of your
  • 3:14 - 3:17
    servers so what do i mean by that
  • 3:17 - 3:19
    the thing is it's important to
  • 3:19 - 3:21
    understand what is feasible
  • 3:21 - 3:23
    and infeasible when it comes to the
  • 3:23 - 3:25
    security of your servers
  • 3:25 - 3:27
    namely is it possible to have a
  • 3:27 - 3:30
    completely unhackable server
  • 3:30 - 3:32
    that nobody can break into that is
  • 3:32 - 3:34
    completely bulletproof
  • 3:34 - 3:36
    well yeah absolutely you could
  • 3:36 - 3:37
    definitely set up a server that is
  • 3:37 - 3:38
    unhackable
  • 3:38 - 3:40
    basically you just put that server under
  • 3:40 - 3:42
    your desk you don't power it on
  • 3:42 - 3:44
    and you certainly don't connect a
  • 3:44 - 3:46
    network cable to it and i guarantee you
  • 3:46 - 3:47
    nobody's going to hack it
  • 3:47 - 3:49
    but we need to be realistic a lot of
  • 3:49 - 3:52
    companies out there maybe even yours
  • 3:52 - 3:54
    they make money by selling things to the
  • 3:54 - 3:55
    public or
  • 3:55 - 3:57
    providing a service to the public which
  • 3:57 - 4:00
    requires a public facing server
  • 4:00 - 4:01
    and the thing is there's all kinds of
  • 4:01 - 4:03
    vulnerabilities out there that are being
  • 4:03 - 4:04
    leveraged every day
  • 4:04 - 4:06
    and new ones are discovered every single
  • 4:06 - 4:07
    day so
  • 4:07 - 4:08
    you could be the victim of a
  • 4:08 - 4:11
    vulnerability that hasn't even been
  • 4:11 - 4:12
    publicly disclosed yet
  • 4:12 - 4:14
    if you follow every tip in this video
  • 4:14 - 4:16
    you should be relatively fine but
  • 4:16 - 4:18
    you want to adjust your mindset you
  • 4:18 - 4:20
    don't want to have the mentality that
  • 4:20 - 4:21
    you are
  • 4:21 - 4:23
    going to be like creating perfect
  • 4:23 - 4:25
    servers that cannot be hacked or you
  • 4:25 - 4:27
    have just hired this awesome security
  • 4:27 - 4:28
    person
  • 4:28 - 4:30
    and now all your worries are just you
  • 4:30 - 4:32
    know not worries anymore
  • 4:32 - 4:34
    and you can't have that mindset you have
  • 4:34 - 4:36
    to have the mindset that anything is
  • 4:36 - 4:38
    possible and you need to be ready for it
  • 4:38 - 4:39
    at all times
  • 4:39 - 4:41
    now i'm not trying to scare you well
  • 4:41 - 4:43
    actually am i not trying to scare you
  • 4:43 - 4:44
    well i kind of am but
  • 4:44 - 4:46
    the reality of the situation is if you
  • 4:46 - 4:48
    follow everything in this video like i
  • 4:48 - 4:49
    mentioned you should be good
  • 4:49 - 4:51
    but you should always be prepared for
  • 4:51 - 4:56
    what could happen
  • 4:56 - 5:05
    [Music]
  • 5:05 - 5:08
    for number two on my list i really do
  • 5:08 - 5:09
    think that this is going to be one of
  • 5:09 - 5:11
    those things that's going to be
  • 5:11 - 5:13
    painfully obvious to the majority of you
  • 5:13 - 5:15
    guys that are watching this video
  • 5:15 - 5:17
    but i don't think i can create a
  • 5:17 - 5:19
    security series especially not an
  • 5:19 - 5:20
    introduction
  • 5:20 - 5:22
    to a security series and not mention the
  • 5:22 - 5:23
    importance of patching
  • 5:23 - 5:25
    now the thing is if patching is so
  • 5:25 - 5:28
    obvious then why do so many companies
  • 5:28 - 5:29
    out there do a
  • 5:29 - 5:31
    terrible job of keeping their servers up
  • 5:31 - 5:32
    to date i mean
  • 5:32 - 5:34
    it's almost appalling to me at this
  • 5:34 - 5:35
    point i've had so many companies out
  • 5:35 - 5:36
    there
  • 5:36 - 5:38
    that i have worked with personally when
  • 5:38 - 5:39
    i tell them you need to patch your
  • 5:39 - 5:41
    servers there's something critical that
  • 5:41 - 5:41
    is
  • 5:41 - 5:44
    basically going around right now and the
  • 5:44 - 5:45
    response i'll get
  • 5:45 - 5:48
    is yeah maybe next month i don't think
  • 5:48 - 5:49
    we can do that right now
  • 5:49 - 5:50
    we have this really important release we
  • 5:50 - 5:52
    got to get out the door but
  • 5:52 - 5:54
    i think things should slow down in a
  • 5:54 - 5:56
    month or so and maybe we'll have you patch
  • 5:56 - 5:57
    your servers then
  • 5:57 - 5:59
    and then a week later oh my god we got
  • 5:59 - 6:02
    hacked what do we do how did this happen
  • 6:02 - 6:04
    it's obvious how this happened you
  • 6:04 - 6:06
    didn't take security patching seriously
  • 6:06 - 6:09
    and now you've been owned by one of the
  • 6:09 - 6:10
    vulnerabilities that one of those
  • 6:10 - 6:11
    patches
  • 6:11 - 6:13
    would have protected you from and i get
  • 6:13 - 6:15
    it rebooting your servers
  • 6:15 - 6:17
    or patching your servers which often
  • 6:17 - 6:19
    does require a reboot
  • 6:19 - 6:21
    it's not easy to do it's annoying it's
  • 6:21 - 6:22
    tedious
  • 6:22 - 6:24
    and it's even harder to design your
  • 6:24 - 6:26
    infrastructure in a way that you don't
  • 6:26 - 6:28
    need to reboot after patching
  • 6:28 - 6:30
    it causes service disruption you have to
  • 6:30 - 6:32
    test the patches before you roll them
  • 6:32 - 6:32
    out
  • 6:32 - 6:34
    it's a big deal for a lot of people and
  • 6:34 - 6:35
    quite often
  • 6:35 - 6:38
    some of these patches are created for
  • 6:38 - 6:40
    very important reasons i mean
  • 6:40 - 6:42
    security researchers and people that
  • 6:42 - 6:44
    write these security patches i mean they
  • 6:44 - 6:44
    don't do it
  • 6:44 - 6:47
    because they have nothing better to do
  • 6:47 - 6:48
    they do it because they're actually
  • 6:48 - 6:49
    patching
  • 6:49 - 6:51
    real vulnerabilities so you need to keep
  • 6:51 - 6:53
    your servers up to date and
  • 6:53 - 6:55
    if you don't currently have a way to do
  • 6:55 - 6:58
    that then i highly recommend you find a
  • 6:58 - 7:00
    way to do that or at least work that
  • 7:00 - 7:02
    into your workflow in some way now
  • 7:02 - 7:05
    kernel care the sponsor of this video
  • 7:05 - 7:07
    they actually offer a service called
  • 7:07 - 7:08
    kernel care
  • 7:08 - 7:10
    and what that service does is it enables
  • 7:10 - 7:11
    you the administrator to
  • 7:11 - 7:13
    live patch your servers and if you can
  • 7:13 - 7:15
    live patch your servers
  • 7:15 - 7:16
    then that's even easier because you
  • 7:16 - 7:18
    won't need a reboot
  • 7:18 - 7:21
    a live patch is the process of injecting
  • 7:21 - 7:23
    a patch right into the running kernel
  • 7:23 - 7:24
    which means you can benefit from that
  • 7:24 - 7:27
    security fix if it is a kernel related
  • 7:27 - 7:28
    security fix
  • 7:28 - 7:31
    right then and there no reboot required
  • 7:31 - 7:32
    but even if you don't go with a service
  • 7:32 - 7:34
    like kernel care at least
  • 7:34 - 7:36
    enable unattended upgrades various linux
  • 7:36 - 7:37
    distributions have
  • 7:37 - 7:40
    a similar solution like unattended
  • 7:40 - 7:41
    upgrades
  • 7:41 - 7:42
    it's different per distribution but you
  • 7:42 - 7:44
    get the idea automatic
  • 7:44 - 7:46
    updates are your friend because they'll
  • 7:46 - 7:48
    keep your servers up to date
  • 7:48 - 8:00
    and that's a very important thing
  • 8:02 - 8:05
    for number three it's probably even more
  • 8:05 - 8:06
    obvious than number two
  • 8:06 - 8:08
    and that is the importance of secure
  • 8:08 - 8:10
    passwords and by secure i mean
  • 8:10 - 8:13
    randomly generated passwords the thing
  • 8:13 - 8:15
    is you would be surprised by how many
  • 8:15 - 8:16
    hacks out there
  • 8:16 - 8:18
    were done solely because there were weak
  • 8:18 - 8:20
    passwords involved so
  • 8:20 - 8:22
    definitely have randomly generated
  • 8:22 - 8:25
    secure passwords for all of your very
  • 8:25 - 8:27
    important servers and services it's
  • 8:27 - 8:29
    critical and that also implies good
  • 8:29 - 8:31
    password management hygiene
  • 8:31 - 8:33
    something like bitwarden or lastpass
  • 8:33 - 8:35
    something like that is very important to
  • 8:35 - 8:37
    keep your passwords because if you
  • 8:37 - 8:38
    forget your passwords then
  • 8:38 - 8:40
    that's even worse right because you
  • 8:40 - 8:42
    can't even get into your own servers but
  • 8:42 - 8:44
    having really good password hygiene is
  • 8:44 - 8:45
    extremely
  • 8:45 - 8:47
    important again i'm not going to spend a
  • 8:47 - 8:48
    lot of time on this because i think it
  • 8:48 - 8:49
    speaks for itself
  • 8:49 - 8:52
    but if you as the administrator for your
  • 8:52 - 8:52
    company
  • 8:52 - 8:55
    if you notice some very easy or insecure
  • 8:55 - 8:56
    passwords
  • 8:56 - 8:58
    you really do need to change them on the
  • 8:58 - 8:59
    spot
  • 8:59 - 9:01
    because if you don't you could have a
  • 9:01 - 9:02
    very long day
  • 9:02 - 9:10
    or week ahead of you
  • 9:11 - 9:16
    [Music]
  • 9:16 - 9:19
    now number four on my list is all about
  • 9:19 - 9:21
    not making things publicly available
  • 9:21 - 9:24
    unless you absolutely have to
  • 9:24 - 9:26
    now i get it a lot of companies out
  • 9:26 - 9:28
    there have a public facing website
  • 9:28 - 9:30
    that's very important because you do
  • 9:30 - 9:32
    want your customers to reach your
  • 9:32 - 9:33
    website
  • 9:33 - 9:35
    in that case that server does truly need
  • 9:35 - 9:37
    to be open to the public internet
  • 9:37 - 9:39
    there's just no way around that
  • 9:39 - 9:42
    however if a server or service does not
  • 9:42 - 9:44
    need to be public facing make sure that
  • 9:44 - 9:45
    it's not
  • 9:45 - 9:47
    implement firewall rules that block its
  • 9:47 - 9:49
    ability to be reached from the outside
  • 9:49 - 9:52
    now don't just assume that a service on
  • 9:52 - 9:54
    your company's network is not reachable
  • 9:54 - 9:55
    from the outside
  • 9:55 - 9:58
    after you apply that firewall rule
  • 9:58 - 10:00
    actually check to make sure that it's
  • 10:00 - 10:00
    not
  • 10:00 - 10:03
    for example you can use your phone just
  • 10:03 - 10:04
    make sure you're not on the company
  • 10:04 - 10:05
    wi-fi
  • 10:05 - 10:08
    and try to access that service make sure
  • 10:08 - 10:09
    that you can't do that
  • 10:09 - 10:11
    that's the only way to be sure that it's
  • 10:11 - 10:14
    not publicly reachable from the outside
  • 10:14 - 10:16
    if you are allowed to do so and you have
  • 10:16 - 10:18
    permission to do so
  • 10:18 - 10:19
    you could try a port scan from the
  • 10:19 - 10:21
    outside that'll really let you know
  • 10:21 - 10:23
    if a service is accessible from the
  • 10:23 - 10:25
    outside but either way you do want to
  • 10:25 - 10:26
    make sure of that
  • 10:26 - 10:28
    now one particularly sore point for me
  • 10:28 - 10:31
    is when people make database servers
  • 10:31 - 10:33
    accessible from the outside and there is
  • 10:33 - 10:34
    almost never
  • 10:34 - 10:36
    an excuse to make a database server
  • 10:36 - 10:38
    accessible from the public internet
  • 10:38 - 10:40
    unless your company actually offers
  • 10:40 - 10:42
    managed database services
  • 10:42 - 10:44
    then in that case yeah you do need to
  • 10:44 - 10:46
    make that database server publicly
  • 10:46 - 10:46
    available
  • 10:46 - 10:48
    and i'm sure the majority of you guys
  • 10:48 - 10:50
    are not in the business of providing
  • 10:50 - 10:53
    managed database services so definitely
  • 10:53 - 10:55
    make sure that your database servers are
  • 10:55 - 10:56
    internal only
  • 10:56 - 10:58
    because they're probably the backend to
  • 10:58 - 11:00
    your web server or something like that
  • 11:00 - 11:02
    just make sure they're not publicly
  • 11:02 - 11:04
    available it's very important
  • 11:04 - 11:06
    having a database server publicly
  • 11:06 - 11:08
    available is one of the scariest things
  • 11:08 - 11:10
    because there could be personally
  • 11:10 - 11:12
    identifiable information on that server
  • 11:12 - 11:14
    and your company could end up on the
  • 11:14 - 11:16
    news for all the wrong reasons
  • 11:16 - 11:19
    long story made short just make sure
  • 11:19 - 11:21
    that your database servers
  • 11:21 - 11:23
    as well as any other servers that don't
  • 11:23 - 11:25
    need to be publicly available are not
  • 11:25 - 11:29
    publicly available
  • 11:29 - 11:38
    [Music]
  • 11:38 - 11:42
    now number five on my list is closing
  • 11:42 - 11:42
    down
  • 11:42 - 11:46
    ssh openssh or simply ssh for short
  • 11:46 - 11:48
    is one of the greatest things in the
  • 11:48 - 11:50
    linux community at least one of the most
  • 11:50 - 11:52
    convenient things in the linux community
  • 11:52 - 11:54
    because it allows you the administrator
  • 11:54 - 11:56
    to manage your servers or your company
  • 11:56 - 11:57
    servers
  • 11:57 - 11:59
    from the comfort of your home office
  • 11:59 - 12:01
    your company's office
  • 12:01 - 12:02
    basically you don't even have to get out
  • 12:02 - 12:05
    of your chair to manage your servers
  • 12:05 - 12:06
    and think about it we used to have to
  • 12:06 - 12:08
    walk into the data center to do
  • 12:08 - 12:10
    basically most of the things that we use
  • 12:10 - 12:12
    ssh for nowadays
  • 12:12 - 12:15
    ssh is awesome but it's also
  • 12:15 - 12:19
    a very very very large target because
  • 12:19 - 12:22
    if a remote attacker gets access to ssh
  • 12:22 - 12:24
    especially as root they will wreak havoc
  • 12:24 - 12:26
    on your servers you definitely want to
  • 12:26 - 12:27
    lock down
  • 12:27 - 12:29
    ssh and there's multiple things that you
  • 12:29 - 12:30
    can do
  • 12:30 - 12:31
    in order to do that and i have a
  • 12:31 - 12:34
    dedicated video that talks about
  • 12:34 - 12:36
    how to lock down ssh you should check
  • 12:36 - 12:37
    out that video
  • 12:37 - 12:38
    because it'll tell you everything that
  • 12:38 - 12:40
    you need to know but
  • 12:40 - 12:42
    in summary some of the things that you
  • 12:42 - 12:43
    want to do to lock down ssh
  • 12:43 - 12:46
    include but aren't limited to ensuring
  • 12:46 - 12:48
    that root access is disabled you don't
  • 12:48 - 12:49
    want to allow
  • 12:49 - 12:53
    root authentication to ssh in addition
  • 12:53 - 12:53
    to that
  • 12:53 - 12:55
    you should also disable password
  • 12:55 - 12:57
    authentication as well
  • 12:57 - 13:00
    and only allow key based authentication
  • 13:00 - 13:02
    to your servers via ssh
  • 13:02 - 13:04
    going a step further you can lock down
  • 13:04 - 13:05
    ssh to
  • 13:05 - 13:08
    approved or white-listed ip addresses to
  • 13:08 - 13:09
    ensure that
  • 13:09 - 13:11
    ip addresses on the public internet
  • 13:11 - 13:12
    cannot access
  • 13:12 - 13:15
    ssh on any of your servers if you have a
  • 13:15 - 13:16
    vpn endpoint
  • 13:16 - 13:18
    then you can lock down ssh to be
  • 13:18 - 13:21
    accessible only from the ip address
  • 13:21 - 13:23
    of your vpn endpoint and that would be
  • 13:23 - 13:25
    another step in the right direction
  • 13:25 - 13:27
    the more you lock down ssh the better
  • 13:27 - 13:29
    because it's usually the first target
  • 13:29 - 13:32
    that hackers try to get access to
  • 13:32 - 13:34
    when they want access to your servers
  • 13:34 - 13:46
    [Music]
  • 13:46 - 13:48
    now item number six on my list is all
  • 13:48 - 13:50
    about having multiple
  • 13:50 - 13:53
    layers of security and what that means
  • 13:53 - 13:55
    is that you should never rely on just
  • 13:55 - 13:57
    one thing so like i mentioned i
  • 13:57 - 13:59
    recommended that you lock down
  • 13:59 - 14:02
    ssh which is great but if that's
  • 14:02 - 14:04
    all you do then maybe someone will get
  • 14:04 - 14:06
    access to your servers by
  • 14:06 - 14:09
    another method so the more layers of
  • 14:09 - 14:10
    security you have the better
  • 14:10 - 14:13
    for example you could consider fail2ban
  • 14:13 - 14:15
    on your servers as another layer of
  • 14:15 - 14:16
    protection
  • 14:16 - 14:19
    maybe you already have a firewall on
  • 14:19 - 14:20
    that server as well
  • 14:20 - 14:23
    and you are locking down ssh the more
  • 14:23 - 14:25
    layers of security the more hoops you
  • 14:25 - 14:27
    force hackers to try to get through in
  • 14:27 - 14:29
    order to get access to your servers the
  • 14:29 - 14:31
    better because you are making it that
  • 14:31 - 14:33
    much harder on them to access your
  • 14:33 - 14:34
    server
  • 14:34 - 14:36
    and after a while maybe that person will
  • 14:36 - 14:37
    give up and then move on to another
  • 14:37 - 14:38
    server which is
  • 14:38 - 14:41
    exactly what you want and only very
  • 14:41 - 14:43
    targeted attacks would continue past
  • 14:43 - 14:44
    that point
  • 14:44 - 14:46
    by having multiple layers of security
  • 14:46 - 14:47
    for example fail2ban
  • 14:47 - 14:49
    or a similar service that looks for
  • 14:49 - 14:51
    intrusions in the logs
  • 14:51 - 14:53
    and then blocks ip addresses that
  • 14:53 - 14:54
    basically try to bypass
  • 14:54 - 14:56
    the rules that you've set that's a good
  • 14:56 - 14:59
    step to have and other tools as well
  • 14:59 - 15:01
    the more you have the better so try to
  • 15:01 - 15:03
    have multiple layers of security on your
  • 15:03 - 15:04
    servers
  • 15:04 - 15:06
    and make it that much harder for outside
  • 15:06 - 15:14
    intruders to break in
  • 15:15 - 15:20
    [Music]
  • 15:20 - 15:23
    now number seven can be argued that it's
  • 15:23 - 15:23
    not
  • 15:23 - 15:26
    really a security specific thing but
  • 15:26 - 15:28
    i think it's important to include on
  • 15:28 - 15:30
    this list because it is very important
  • 15:30 - 15:34
    and that is the concept of backups and
  • 15:34 - 15:34
    not just
  • 15:34 - 15:38
    any backups tested backups any backups
  • 15:38 - 15:40
    that you have not tested
  • 15:40 - 15:42
    and any backups that are not in at least
  • 15:42 - 15:44
    three different places are not truly
  • 15:44 - 15:45
    backups
  • 15:45 - 15:47
    so you want to have your backups in like
  • 15:47 - 15:49
    i mentioned three different places
  • 15:49 - 15:50
    one of which should definitely be
  • 15:50 - 15:53
    off-site and you want to do
  • 15:53 - 15:55
    test restores on those backups to make
  • 15:55 - 15:57
    sure that the backups are good
  • 15:57 - 15:58
    because trust me if your servers go down
  • 15:58 - 16:00
    and you need to restore from a backup
  • 16:00 - 16:03
    you don't want to explain to your boss
  • 16:03 - 16:04
    that you can't restore the servers
  • 16:04 - 16:07
    because the backups aren't working and i
  • 16:07 - 16:09
    have seen this happen
  • 16:09 - 16:11
    it's horrifying and it's not a good
  • 16:11 - 16:12
    experience for
  • 16:12 - 16:15
    anyone involved definitely have backups
  • 16:15 - 16:17
    and have multiple layers of backups in
  • 16:17 - 16:18
    multiple different locations
  • 16:18 - 16:21
    but especially test those backups and
  • 16:21 - 16:22
    that ensures that if you are
  • 16:22 - 16:25
    actually facing a security incident and
  • 16:25 - 16:27
    your servers are completely turned
  • 16:27 - 16:27
    inside out
  • 16:27 - 16:30
    you have backups so you're probably
  • 16:30 - 16:32
    going to be good yes it's going to be
  • 16:32 - 16:34
    very inconvenient to have a security
  • 16:34 - 16:36
    incident but you have backups
  • 16:36 - 16:38
    you can at least get up and running
  • 16:38 - 16:40
    quickly and their company's data is not
  • 16:40 - 16:41
    in jeopardy and not
  • 16:41 - 16:44
    lost forever which is very important
  • 16:44 - 16:46
    especially if your company is housing
  • 16:46 - 16:48
    very important blueprints for products
  • 16:48 - 16:49
    and things like that
  • 16:49 - 16:50
    you definitely want to make sure that
  • 16:50 - 16:52
    those items are backed up and they're
  • 16:52 - 17:05
    backed up securely
  • 17:05 - 17:08
    now for number eight it's very important
  • 17:08 - 17:10
    to keep an eye on all of your servers
  • 17:10 - 17:12
    and the overall health of your servers
  • 17:12 - 17:14
    and monitoring tools will help you do
  • 17:14 - 17:16
    just that
  • 17:16 - 17:18
    nagios and zabbix are two that come to
  • 17:18 - 17:19
    mind immediately
  • 17:19 - 17:21
    if there's any kind of issue and you
  • 17:21 - 17:23
    have the appropriate checks configured
  • 17:23 - 17:25
    then you will be notified that there's
  • 17:25 - 17:27
    an issue and if you know about the
  • 17:27 - 17:29
    problem before your customers know about
  • 17:29 - 17:29
    it
  • 17:29 - 17:31
    then you actually appear as a very
  • 17:31 - 17:33
    competent IT professional because you
  • 17:33 - 17:35
    are ahead of the game
  • 17:35 - 17:37
    you are aware of everything that's going
  • 17:37 - 17:38
    on
  • 17:38 - 17:39
    and it's not just you know a matter of
  • 17:39 - 17:42
    having these monitoring tools enabled
  • 17:42 - 17:43
    although that goes a long way
  • 17:43 - 17:44
    you want to make sure that they're
  • 17:44 - 17:46
    checking the right things you don't want
  • 17:46 - 17:48
    to for example be checking for
  • 17:48 - 17:50
    uptime only and then have the server
  • 17:50 - 17:52
    fall over because the disk is full
  • 17:52 - 17:54
    you should be checking disk space as
  • 17:54 - 17:55
    well and
  • 17:55 - 17:57
    obviously website availability goes
  • 17:57 - 17:59
    without saying if it's a web server
  • 17:59 - 18:02
    and you could even have user checks on
  • 18:02 - 18:03
    your monitoring tools if there's more
  • 18:03 - 18:04
    than one user
  • 18:04 - 18:06
    that is on that server it should send
  • 18:06 - 18:08
    you alert and you could even configure
  • 18:08 - 18:08
    it that if
  • 18:08 - 18:10
    so much as one user logs into your
  • 18:10 - 18:12
    server it sends you an alert so if
  • 18:12 - 18:14
    you're working on the server for example
  • 18:14 - 18:15
    and you're doing some administration
  • 18:15 - 18:15
    work
  • 18:15 - 18:17
    you get that alert that someone is
  • 18:17 - 18:19
    logged into your server oh yeah that's
  • 18:19 - 18:21
    fine that's me actually i'm on my server
  • 18:21 - 18:22
    right now
  • 18:22 - 18:24
    and i'm installing some updates but if
  • 18:24 - 18:25
    you get that alert and
  • 18:25 - 18:28
    there's no maintenance planned that's a
  • 18:28 - 18:29
    red flag someone got in
  • 18:29 - 18:30
    so there's all kinds of different
  • 18:30 - 18:32
    security checks that you can configure
  • 18:32 - 18:34
    it's very important to have monitoring
  • 18:34 - 18:43
    tools in place
  • 18:43 - 18:47
    [Music]
  • 18:47 - 18:51
    now for number nine and i have to say of
  • 18:51 - 18:52
    all the things
  • 18:52 - 18:54
    on this list number nine is definitely
  • 18:54 - 18:57
    the hardest it's the most expensive
  • 18:57 - 18:59
    if you are working for a company and you
  • 18:59 - 19:00
    have some very
  • 19:00 - 19:03
    important services that are running and
  • 19:03 - 19:05
    maybe you even store personally
  • 19:05 - 19:06
    identifiable information you really
  • 19:06 - 19:09
    should have a third-party security audit
  • 19:09 - 19:12
    now it's one thing that you know you the
  • 19:12 - 19:13
    administrator
  • 19:13 - 19:15
    you're checking everything all the time
  • 19:15 - 19:17
    and that's awesome
  • 19:17 - 19:18
    but you're only one person you need
  • 19:18 - 19:20
    someone on the outside to check your
  • 19:20 - 19:22
    servers and make sure that there's
  • 19:22 - 19:23
    nothing that you've missed
  • 19:23 - 19:25
    but the problem with this though is that
  • 19:25 - 19:28
    third-party security audits are
  • 19:28 - 19:30
    extremely expensive so this is only for
  • 19:30 - 19:32
    those of you out there that work for
  • 19:32 - 19:34
    enterprises that can afford such a thing
  • 19:34 - 19:36
    but even if you can't afford such a
  • 19:36 - 19:38
    thing right now
  • 19:38 - 19:39
    you definitely should keep this on the
  • 19:39 - 19:41
    list because if your company grows
  • 19:41 - 19:43
    and you actually have the ability to
  • 19:43 - 19:45
    hire someone on the outside to
  • 19:45 - 19:46
    basically audit your servers you
  • 19:46 - 19:48
    definitely should do that because
  • 19:48 - 19:50
    they could find something that you've
  • 19:50 - 19:52
    missed and they might even save you from
  • 19:52 - 19:54
    a major incident
  • 19:54 - 20:06
    [Music]
  • 20:06 - 20:08
    now for number 10 the last item on my
  • 20:08 - 20:11
    list it's all about business continuity
  • 20:11 - 20:14
    how are you as the administrator going
  • 20:14 - 20:16
    to ensure that your company is back
  • 20:16 - 20:19
    up and running quickly after an incident
  • 20:19 - 20:21
    and how long do you think it'll take you
  • 20:21 - 20:23
    to get everything back up and running
  • 20:23 - 20:25
    if your answer to that question is well
  • 20:25 - 20:27
    a week because i have to rebuild
  • 20:27 - 20:29
    everything i have to install all the
  • 20:29 - 20:30
    operating systems i have to patch
  • 20:30 - 20:32
    everything i have to
  • 20:32 - 20:34
    reinstall all the applications if that's
  • 20:34 - 20:36
    the answer you're doing it wrong
  • 20:36 - 20:38
    you should have some sort of automation
  • 20:38 - 20:39
    images
  • 20:39 - 20:42
    backups or something that is going to
  • 20:42 - 20:43
    get you back up and running as
  • 20:43 - 20:46
    quickly as possible the quicker you can
  • 20:46 - 20:48
    get everything up and running the better
  • 20:48 - 20:49
    and if you have an
  • 20:49 - 20:51
    auto healing environment which means if
  • 20:51 - 20:53
    a server falls over that a new server
  • 20:53 - 20:55
    like a virtual server is provisioned
  • 20:55 - 20:57
    automatically in its place
  • 20:57 - 20:58
    and that's especially true with
  • 20:58 - 21:00
    containers for example you're doing it
  • 21:00 - 21:00
    right
  • 21:00 - 21:02
    you're doing a great job because the
  • 21:02 - 21:04
    answer to that question is well
  • 21:04 - 21:05
    the server's never down because it
  • 21:05 - 21:07
    automatically brings one back up
  • 21:07 - 21:09
    and that's really cool but your answer
  • 21:09 - 21:11
    to this question really determines how
  • 21:11 - 21:13
    good of a business continuity plan you
  • 21:13 - 21:14
    actually have
  • 21:14 - 21:16
    and if you don't have a plan you really
  • 21:16 - 21:18
    should draft one if all of your servers
  • 21:18 - 21:20
    fell over tomorrow what would be the
  • 21:20 - 21:22
    process for getting everything built
  • 21:22 - 21:22
    back
  • 21:22 - 21:24
    up where it was before you had that
  • 21:24 - 21:26
    incident and that's going to determine
  • 21:26 - 21:28
    what goes into your business continuity
  • 21:28 - 21:28
    plan
  • 21:28 - 21:30
    now this is something that we could talk
  • 21:30 - 21:31
    about in a future video
  • 21:31 - 21:33
    but i wanted to plant that seed right
  • 21:33 - 21:35
    now because a business continuity plan
  • 21:35 - 21:36
    is very
  • 21:36 - 21:38
    important to have so there you go those
  • 21:38 - 21:40
    are my 10 tips for hardening the
  • 21:40 - 21:42
    security of your linux servers i hope it
  • 21:42 - 21:44
    was helpful
  • 21:44 - 21:46
    now i know that a lot of those tips were
  • 21:46 - 21:47
    somewhat entry level
  • 21:47 - 21:49
    but again this is the first episode of
  • 21:49 - 21:50
    this series
  • 21:50 - 21:52
    and i wanted to give you guys the
  • 21:52 - 21:54
    overall list of
  • 21:54 - 21:56
    important things to consider and then in
  • 21:56 - 21:58
    future videos we will take a look at
  • 21:58 - 22:00
    more of these concepts in greater detail
  • 22:00 - 22:02
    so what are some concepts that you think
  • 22:02 - 22:04
    i should cover in this series what's
  • 22:04 - 22:05
    important to you
  • 22:05 - 22:07
    let me know in the comments down below i
  • 22:07 - 22:09
    look forward to hearing what you have to
  • 22:09 - 22:09
    say
  • 22:09 - 22:12
    and i will go ahead and create episode 2
  • 22:12 - 22:14
    in this series as soon as i possibly can
  • 22:14 - 22:16
    so definitely subscribe to my channel if
  • 22:16 - 22:18
    you haven't already done so
  • 22:18 - 22:20
    and i'll see you again very soon thanks
  • 22:20 - 22:28
    for watching
  • 22:28 - 22:47
    [Music]
  • 22:47 - 22:49
    you
Title:
10 Tips for Hardening your Linux Servers
Video Language:
English
Duration:
22:48
OEVIDEOS edited English subtitles for 10 Tips for Hardening your Linux Servers Jun 18, 2025, 4:42 PM
OEVIDEOS edited English subtitles for 10 Tips for Hardening your Linux Servers Jun 18, 2025, 3:29 PM
