Hello again everyone, and welcome back to Learn Linux TV. Today I am launching a brand new series on my channel: Enterprise Linux Security. In this series I'm going to talk about, well, enterprise Linux security. This is a series that I've been wanting to launch for quite a while, and today's the day. This is episode number one, and in this video I'm going to go over 10 tips for hardening your Linux servers.

Now, some of you out there that are more seasoned when it comes to security than others might feel that some of the tips I'm giving you in this video are a little, well, entry level, and that's not completely untrue. This is episode number one and we do have to start from somewhere. But I really do feel that the tips I'm going to give you in this video are the most important things to focus your attention on when it comes to hardening your Linux servers.

Now, before we get into it, I want to take a moment to mention the sponsor for this video, KernelCare. Keeping servers safe, compliant, and ensuring constant uptime is a full-time job, one that can't be left to chance and one that must be fully automated and fully supported. To do that, you need a live patching tool that integrates with automation tools and vulnerability scanners, is supported with the latest patches, lets you decide which patches are rolled out across your organization, and runs within your firewall. KernelCare Enterprise does this. It provides you with more integration, support, and control. It works in your local infrastructure via ePortal, a dedicated patch server that runs internally but outside your firewall; it acts as a bridge between internal patch servers and the main KernelCare patch server. This approach is ideal for staging and production environments that need strict isolation from external networks, or require more stringent controls over the patches that are to be applied. KernelCare Enterprise is available for all major Linux distributions and includes priority support 24x7 via live chat, email, or ticket system. Check out KernelCare Enterprise via the URL that's on the screen right now, or click the link that's in the description. And thank you so much to KernelCare for sponsoring this video, as well as many other videos on this channel. I really appreciate it.

Now let's get into my list of 10 things that you can do to harden your Linux servers.
Now, when it comes to my first tip, this is not actually a system tweak or a system change or anything like that. It's all about your mindset. Now, for all I know you could be a system administrator, you could be a security professional, or you might even be a CTO. Either way, it's very important to understand what an appropriate mindset is when it comes to the security of your servers. So what do I mean by that? The thing is, it's important to understand what is feasible and infeasible when it comes to the security of your servers. Namely, is it possible to have a completely unhackable server that nobody can break into, that is completely bulletproof? Well, yeah, absolutely, you could definitely set up a server that is unhackable. Basically, you just put that server under your desk, you don't power it on, and you certainly don't connect a network cable to it, and I guarantee you nobody's going to hack it.

But we need to be realistic. A lot of companies out there, maybe even yours, make money by selling things to the public or providing a service to the public, which requires a public-facing server. And the thing is, there are all kinds of vulnerabilities out there that are being leveraged every day, and new ones are discovered every single day, so you could be the victim of a vulnerability that hasn't even been publicly disclosed yet. If you follow every tip in this video you should be relatively fine, but you want to adjust your mindset. You don't want to have the mentality that you are going to be creating perfect servers that cannot be hacked, or that you have just hired this awesome security person and now all your worries are, you know, not worries anymore. You can't have that mindset. You have to have the mindset that anything is possible and you need to be ready for it at all times. Now, I'm not trying to scare you. Well, actually, am I not trying to scare you? Well, I kind of am. But the reality of the situation is, if you follow everything in this video like I mentioned, you should be good, but you should always be prepared for what could happen.
For number two on my list, I really do think this is going to be one of those things that's painfully obvious to the majority of you watching this video, but I don't think I can create a security series, especially not an introduction to a security series, and not mention the importance of patching.

Now, the thing is, if patching is so obvious, then why do so many companies out there do a terrible job of keeping their servers up to date? I mean, it's almost appalling to me at this point. I've had so many companies out there that I have worked with personally where, when I tell them "you need to patch your servers, there's something critical that is basically going around right now", the response I'll get is "yeah, maybe next month, I don't think we can do that right now, we have this really important release we've got to get out the door, but I think things should slow down in a month or so and maybe we'll have you patch your servers then." And then a week later: "oh my god, we got hacked, what do we do, how did this happen?" It's obvious how this happened: you didn't take security patching seriously, and now you've been owned by one of the vulnerabilities that one of those patches would have protected you from.

And I get it, rebooting your servers, or patching your servers, which often does require a reboot, is not easy to do. It's annoying, it's tedious, and it's even harder to design your infrastructure in a way that you don't need to reboot after patching. It causes service disruption, you have to test the patches before you roll them out; it's a big deal for a lot of people. And quite often some of these patches are created for very important reasons. I mean, security researchers and the people that write these security patches don't do it because they have nothing better to do; they do it because they're actually patching real vulnerabilities. So you need to keep your servers up to date, and if you don't currently have a way to do that, then I highly recommend you find a way, or at least work that into your workflow in some way.

Now, KernelCare, the sponsor of this video, actually offers a service called KernelCare, and what that service does is it enables you, the administrator, to live patch your servers. And if you can live patch your servers, then that's even easier because you won't need a reboot. A live patch is the process of injecting a patch right into the running kernel, which means you can benefit from that security fix, if it is a kernel-related security fix, right then and there, no reboot required. But even if you don't go with a service like KernelCare, at least enable unattended upgrades. Various Linux distributions have a similar solution like unattended-upgrades; it's different per distribution, but you get the idea. Automatic updates are your friend because they'll keep your servers up to date, and that's a very important thing.
For number three, it's probably even more obvious than number two, and that is the importance of secure passwords, and by secure I mean randomly generated passwords. The thing is, you would be surprised by how many hacks out there were done solely because there were weak passwords involved. So definitely have randomly generated, secure passwords for all of your very important servers and services; it's critical. And that also implies good password management hygiene: something like Bitwarden or LastPass, something like that, is very important to keep your passwords, because if you forget your passwords then that's even worse, right? Because you can't even get into your own servers. But having really good password hygiene is extremely important. Again, I'm not going to spend a lot of time on this because I think it speaks for itself, but if you, as the administrator for your company, notice some very easy or insecure passwords, you really do need to change them on the spot, because if you don't you could have a very long day or week ahead of you.
Now, number four on my list is all about not making things publicly available unless you absolutely have to. Now, I get it, a lot of companies out there have a public-facing website, and that's very important because you do want your customers to reach your website. In that case that server does truly need to be open to the public internet; there's just no way around that. However, if a server or service does not need to be public facing, make sure that it's not: implement firewall rules that block its ability to be reached from the outside. Now, don't just assume that a service on your company's network is not reachable from the outside. After you apply that firewall rule, actually check to make sure that it's not. For example, you can use your phone, just make sure you're not on the company Wi-Fi, and try to access that service; make sure that you can't do that. That's the only way to be sure that it's not publicly reachable from the outside. If you are allowed to do so and you have permission to do so, you could try a port scan from the outside. That'll really let you know if a service is accessible from the outside, but either way you do want to make sure of that.

Now, one particularly sore point for me is when people make database servers accessible from the outside, and there is almost never an excuse to make a database server accessible from the public internet. Unless your company actually offers managed database services, then in that case, yeah, you do need to make that database server publicly available. And I'm sure the majority of you guys are not in the business of providing managed database services, so definitely make sure that your database servers are internal only, because they're probably the backend to your web server or something like that. Just make sure they're not publicly available; it's very important. Having a database server publicly available is one of the scariest things, because there could be personally identifiable information on that server and your company could end up on the news for all the wrong reasons. Long story made short, just make sure that your database servers, as well as any other servers that don't need to be publicly available, are not publicly available.
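As an added example that is not from the video, here is a shell check that complements the phone or port-scan test from the inside: it reads `ss -Hltn` output and lists every TCP listener bound to all interfaces, which is what a missing firewall rule would expose. The sample listener lines are constructed, and `port_reachable` assumes `nc` is installed.

```shell
#!/bin/sh
# Added example, not from the video. Flags TCP listeners bound to every
# interface (0.0.0.0, [::] or *), the ones a missing firewall rule exposes.
# Input format is that of `ss -Hltn`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

flag_public_listeners() {
    # Reads ss lines on stdin, prints one line per all-interface listener.
    awk '{
        n = split($4, part, ":")
        port = part[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "0.0.0.0" || host == "[::]" || host == "*")
            print port " listens on all interfaces (" host ")"
    }'
}

# Constructed sample standing in for: ss -Hltn
# Only 3306 (MySQL) is bound to loopback; 5432 (PostgreSQL) is wide open,
# which is exactly the database-server mistake the video calls out.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 [::]:5432 [::]:*'

count_public_listeners() {
    # Number of all-interface listeners in the sample (22, 443 and 5432).
    printf '%s\n' "$SAMPLE_LISTENERS" | flag_public_listeners | wc -l | tr -d ' '
}

port_reachable() {
    # port_reachable HOST PORT: run this from OUTSIDE the network (for
    # example over a phone hotspot) after applying a rule; exit status 0
    # means the port still answers, i.e. the rule is not doing its job.
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: `sh check_listeners.sh --live` audits the real host,
# otherwise the constructed sample is shown.
if [ "${1:-}" = "--live" ]; then
    ss -Hltn | flag_public_listeners
else
    printf '%s\n' "$SAMPLE_LISTENERS" | flag_public_listeners
fi
```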
Now, number five on my list is closing down SSH. OpenSSH, or simply SSH for short, is one of the greatest things in the Linux community, at least one of the most convenient things in the Linux community, because it allows you, the administrator, to manage your servers or your company's servers from the comfort of your home office or your company's office. Basically, you don't even have to get out of your chair to manage your servers. And think about it: we used to have to walk into the data center to do basically most of the things that we use SSH for nowadays. SSH is awesome, but it's also a very, very, very large target, because if a remote attacker gets access to SSH, especially as root, they will wreak havoc on your servers. You definitely want to lock down SSH, and there are multiple things that you can do in order to do that. I have a dedicated video that talks about how to lock down SSH; you should check out that video because it'll tell you everything that you need to know. But in summary, some of the things that you want to do to lock down SSH include, but aren't limited to, ensuring that root access is disabled: you don't want to allow root authentication to SSH. In addition to that, you should also disable password authentication and only allow key-based authentication to your servers via SSH. Going a step further, you can lock down SSH to approved or whitelisted IP addresses to ensure that IP addresses on the public internet cannot access SSH on any of your servers. If you have a VPN endpoint, then you can lock down SSH to be accessible only from the IP address of your VPN endpoint, and that would be another step in the right direction. The more you lock down SSH the better, because it's usually the first target that hackers try to get access to when they want access to your servers.
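An added example, not the video's own code: a shell audit of an sshd_config file for the settings just listed (root login, password and keyboard-interactive authentication, key-only login, and an allow-list). The weak and hardened sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the video. Audits an sshd_config file for the
# settings recommended above. sshd uses the FIRST occurrence of a keyword,
# and everything after a Match block is conditional, so that is how the
# winning value is read here.

effective_value() {
    # effective_value FILE KEYWORD -> prints the winning value (or nothing)
    awk -v key="$2" '
        /^[ \t]*#/                  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    # Prints one line per finding; prints nothing for a hardened file.
    f="$1"
    v=$(effective_value "$f" PermitRootLogin)
    # Unset is a finding: older releases default to yes, newer ones to
    # prohibit-password, and the advice here is to disable root entirely.
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}' (want: no)"
    v=$(effective_value "$f" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset, default yes}' (want: no)"
    # Keyboard-interactive (PAM) auth still prompts for a password unless it
    # is off too; the keyword was renamed from ChallengeResponseAuthentication.
    v=$(effective_value "$f" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(effective_value "$f" ChallengeResponseAuthentication)
    [ "$v" = "no" ] || echo "KbdInteractiveAuthentication is '${v:-unset, default yes}' (want: no)"
    v=$(effective_value "$f" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || echo "PubkeyAuthentication is '$v' (want: yes)"
    # The allow-list tip: restrict who may log in, and from where, e.g.
    # AllowUsers deploy@10.8.0.0/24 (only the assumed VPN range).
    a=$(effective_value "$f" AllowUsers)
    g=$(effective_value "$f" AllowGroups)
    [ -n "$a$g" ] || echo "No AllowUsers/AllowGroups restriction (want: an allow-list)"
}

count_findings() {
    # count_findings FILE -> number of findings
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample configs (not from any real server) for a stand-alone run.
write_sample_config() {
    # write_sample_config weak|hardened -> prints the path of a temp file
    p=$(mktemp)
    if [ "$1" = "weak" ]; then
        printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
            '#PasswordAuthentication no' 'ChallengeResponseAuthentication yes' > "$p"
    else
        printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
            'KbdInteractiveAuthentication no' 'PubkeyAuthentication yes' \
            'AllowUsers deploy@10.8.0.0/24' > "$p"
    fi
    echo "$p"
}

audit_sshd_config "$(write_sample_config weak)"
```

On a real host, point `audit_sshd_config` at `/etc/ssh/sshd_config` (or at the output of `sshd -T`, which already resolves defaults and Match blocks).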
Now, item number six on my list is all about having multiple layers of security, and what that means is that you should never rely on just one thing. So, like I mentioned, I recommended that you lock down SSH, which is great, but if that's all you do then maybe someone will get access to your servers by another method. So the more layers of security you have, the better. For example, you could consider fail2ban on your servers as another layer of protection. Maybe you already have a firewall on that server as well, and you are locking down SSH. The more layers of security, the more hoops you force hackers to try to get through in order to get access to your servers, the better, because you are making it that much harder on them to access your server. And after a while maybe that person will give up and then move on to another server, which is exactly what you want, and only very targeted attacks would continue past that point. Having multiple layers of security, for example fail2ban or a similar service that looks for intrusions in the logs and then blocks IP addresses that basically try to bypass the rules that you've set, is a good step to have, and other tools as well. The more you have the better, so try to have multiple layers of security on your servers and make it that much harder for outside intruders to break in.
Now, it can be argued that number seven is not really a security-specific thing, but I think it's important to include on this list because it is very important, and that is the concept of backups. And not just any backups: tested backups. Any backups that you have not tested, and any backups that are not in at least three different places, are not truly backups. So you want to have your backups in, like I mentioned, three different places, one of which should definitely be off-site, and you want to do test restores on those backups to make sure that the backups are good. Because trust me, if your servers go down and you need to restore from a backup, you don't want to explain to your boss that you can't restore the servers because the backups aren't working. And I have seen this happen; it's horrifying, and it's not a good experience for anyone involved. Definitely have backups, and have multiple layers of backups in multiple different locations, but especially test those backups. That ensures that if you are actually facing a security incident and your servers are completely turned inside out, you have backups, so you're probably going to be good. Yes, it's going to be very inconvenient to have a security incident, but you have backups, you can at least get up and running quickly, and the company's data is not in jeopardy and not lost forever, which is very important, especially if your company is housing very important blueprints for products and things like that. You definitely want to make sure that those items are backed up, and that they're backed up securely.
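An added example, not from the video, of what "tested backups" means in practice: a shell script that records a SHA-256 manifest when it creates the archive, then proves the archive by restoring it into a scratch directory and checking every file, including a truncated archive that must fail the check. It assumes GNU tar and sha256sum, and the backed-up tree is constructed.

```shell
#!/bin/sh
# Added example, not from the video. A backup counts as tested only after a
# restore into a scratch directory reproduces every file byte-for-byte, so
# make_backup records a SHA-256 manifest and verify_restore restores and
# compares against it. Assumes GNU tar and sha256sum (coreutils).

make_backup() {
    # make_backup SRC_DIR ARCHIVE MANIFEST -> 0 on success
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$3" || return 1
    tar -C "$1" -czf "$2" . || return 1
}

verify_restore() {
    # verify_restore ARCHIVE MANIFEST -> 0 only if a full restore matches the
    # manifest; 1 for a truncated, corrupt or incomplete archive.
    scratch=$(mktemp -d) || return 1
    status=1
    if tar -C "$scratch" -xzf "$1" 2>/dev/null &&
       ( cd "$scratch" && sha256sum -c "$2" ) >/dev/null 2>&1; then
        status=0
    fi
    rm -rf "$scratch"
    return $status
}

backup_roundtrip_demo() {
    # Builds a constructed tree, backs it up, verifies the good archive and
    # then a truncated copy. Prints "good=0 truncated=1" on the expected path.
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/etc"
    printf 'PermitRootLogin no\n' > "$work/src/etc/sshd_config"
    printf 'customer records\n'   > "$work/src/data.csv"
    make_backup "$work/src" "$work/full.tgz" "$work/full.sha256" || return 1
    if verify_restore "$work/full.tgz" "$work/full.sha256"; then good=0; else good=1; fi
    # Simulate a damaged off-site copy: keep only the first 64 bytes.
    head -c 64 "$work/full.tgz" > "$work/truncated.tgz"
    if verify_restore "$work/truncated.tgz" "$work/full.sha256"; then bad=0; else bad=1; fi
    rm -rf "$work"
    echo "good=$good truncated=$bad"
}

backup_roundtrip_demo
```

For a real server the same two functions apply to the actual data directory and the off-site copy; schedule `verify_restore` so that a silently broken backup is discovered before an incident, not during one.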
Now, for number eight, it's very important to keep an eye on all of your servers and the overall health of your servers, and monitoring tools will help you do just that. Nagios and Zabbix are two that come to mind immediately. If there's any kind of issue and you have the appropriate checks configured, then you will be notified that there's an issue, and if you know about the problem before your customers know about it, then you actually appear as a very competent IT professional because you are ahead of the game; you are aware of everything that's going on. And it's not just, you know, a matter of having these monitoring tools enabled, although that goes a long way. You want to make sure that they're checking the right things. You don't want to, for example, be checking for uptime only and then have the server fall over because the disk is full; you should be checking disk space as well, and obviously website availability goes without saying if it's a web server. And you could even have user checks on your monitoring tools: if there's more than one user on that server, it should send you an alert, and you could even configure it so that if so much as one user logs into your server, it sends you an alert. So if you're working on the server, for example, and you're doing some administration work, you get that alert that someone is logged into your server: oh yeah, that's fine, that's me actually, I'm on my server right now and I'm installing some updates. But if you get that alert and there's no maintenance planned, that's a red flag; someone got in. So there are all kinds of different security checks that you can configure. It's very important to have monitoring tools in place.
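As an added example (not from the video) covering both the fail2ban idea from tip six and the login alert from tip eight, the following shell script runs two detections over constructed sshd log lines: repeated failures per source IP, and successful logins from outside an assumed VPN range of 10.8.0.0/24.

```shell
#!/bin/sh
# Added example, not from the video. Two detections over sshd log lines:
#  1. offenders: source IPs with >= N failed logins (what fail2ban would ban)
#  2. unexpected_logins: successful logins from outside an approved range
#     (the "someone logged in and no maintenance is planned" alert)
# The log lines are constructed; 10.8.0.0/24 stands in for the VPN range and
# 203.0.113.0/24 and 198.51.100.0/24 are documentation-only addresses.

offenders() {
    # offenders LOGFILE THRESHOLD -> IPs with at least THRESHOLD failures
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip }
    ' "$1" | sort
}

unexpected_logins() {
    # unexpected_logins LOGFILE PREFIX -> "user ip" for accepted logins whose
    # source does not start with PREFIX (a plain prefix match; real tooling
    # should do proper CIDR matching).
    awk -v pfx="$2" '
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (index(ip, pfx) != 1) print user, ip
        }
    ' "$1"
}

write_sample_log() {
    # Writes constructed auth.log lines to a temp file and prints its path:
    # five failures from one address, one from another, and two key logins.
    p=$(mktemp)
    {
        i=0
        while [ $i -lt 5 ]; do
            echo "Mar  3 10:01:1$i web1 sshd[120$i]: Failed password for root from 203.0.113.7 port 5123$i ssh2"
            i=$((i + 1))
        done
        echo "Mar  3 10:02:00 web1 sshd[1210]: Failed password for jane from 198.51.100.4 port 40000 ssh2"
        echo "Mar  3 10:05:30 web1 sshd[1300]: Accepted publickey for deploy from 10.8.0.2 port 50012 ssh2"
        echo "Mar  3 10:06:00 web1 sshd[1310]: Accepted publickey for deploy from 198.51.100.4 port 40100 ssh2"
    } > "$p"
    echo "$p"
}

LOG=$(write_sample_log)
echo "ban candidates (5 or more failures):"; offenders "$LOG" 5
echo "logins from outside 10.8.0.0/24:";      unexpected_logins "$LOG" "10.8.0."
```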
Now, for number nine, and I have to say, of all the things on this list, number nine is definitely the hardest; it's the most expensive. If you are working for a company and you have some very important services that are running, and maybe you even store personally identifiable information, you really should have a third-party security audit. Now, it's one thing that, you know, you, the administrator, are checking everything all the time, and that's awesome, but you're only one person. You need someone on the outside to check your servers and make sure that there's nothing that you've missed. But the problem with this, though, is that third-party security audits are extremely expensive, so this is only for those of you out there that work for enterprises that can afford such a thing. But even if you can't afford such a thing right now, you definitely should keep this on the list, because if your company grows and you actually have the ability to hire someone on the outside to basically audit your servers, you definitely should do that, because they could find something that you've missed and they might even save you from a major incident.
Now, for number 10, the last item on my list, it's all about business continuity. How are you, as the administrator, going to ensure that your company is back up and running quickly after an incident, and how long do you think it'll take you to get everything back up and running? If your answer to that question is "well, a week, because I have to rebuild everything, I have to install all the operating systems, I have to patch everything, I have to reinstall all the applications", if that's the answer, you're doing it wrong. You should have some sort of automation, images, backups, or something that is going to get you back up and running as quickly as possible. The quicker you can get everything up and running, the better. And if you have an auto-healing environment, which means if a server falls over, a new server, like a virtual server, is provisioned automatically in its place, and that's especially true with containers for example, you're doing it right. You're doing a great job, because the answer to that question is "well, the server's never down because it automatically brings one back up", and that's really cool. But your answer to this question really determines how good of a business continuity plan you actually have, and if you don't have a plan you really should draft one. If all of your servers fell over tomorrow, what would be the process for getting everything built back up to where it was before you had that incident? That's going to determine what goes into your business continuity plan. Now, this is something that we could talk about in a future video, but I wanted to plant that seed right now because a business continuity plan is very important to have.

So there you go, those are my 10 tips for hardening the security of your Linux servers. I hope it was helpful. Now, I know that a lot of those tips were somewhat entry level, but again, this is the first episode of this series, and I wanted to give you guys the overall list of important things to consider, and then in future videos we will take a look at more of these concepts in greater detail. So what are some concepts that you think I should cover in this series? What's important to you? Let me know in the comments down below; I look forward to hearing what you have to say. And I will go ahead and create episode 2 in this series as soon as I possibly can, so definitely subscribe to my channel if you haven't already done so, and I'll see you again very soon. Thanks for watching.