
Quick tips to improve Linux Security on your desktop, laptop, or server (hardening for beginners)

Try out Proton Mail, the secure email that protects your privacy: https://proton.me/mail/TheLinuxEXP

Grab a brand new laptop or desktop running Linux: https://www.tuxedocomputers.com/en#

👏 SUPPORT THE CHANNEL:
Get access to a weekly podcast, vote on the next topics I cover, and get your name in the credits:

YouTube: https://www.youtube.com/@thelinuxexp/join
Patreon: https://www.patreon.com/thelinuxexperiment
Liberapay: https://liberapay.com/TheLinuxExperiment/

Or, you can donate whatever you want: https://paypal.me/thelinuxexp

👕 GET TLE MERCH
Support the channel AND get cool new gear: https://the-linux-experiment.creator-spring.com/

🎙️ LINUX AND OPEN SOURCE NEWS PODCAST:
Listen to the latest Linux and open source news, with more in depth coverage, and ad-free! https://podcast.thelinuxexp.com

🏆 FOLLOW ME ELSEWHERE:
Website: https://thelinuxexp.com
Mastodon: https://mastodon.social/web/@thelinuxEXP
Pixelfed: https://pixelfed.social/TLENick
PeerTube: https://tilvids.com/c/thelinuxexperiment_channel/videos
Discord: https://discord.gg/mdnHftjkja

#Linux #security #cybersecurity

00:00 Intro
00:56 Sponsor: Proton Mail
02:32 Software and updates
04:04 Services and SSH
06:38 User management
10:10 Physical Security
11:35 SELinux, AppArmor, and firewall
14:04 Parting Thoughts
15:15 Sponsor: Get a PC made to run Linux
16:30 Support the channel
Password complexity tips: https://www.networkworld.com/article/2726217/how-to-enforce-password-complexity-on-linux.html

Tips to secure SSH: https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
The more software you use, the larger the attack surface of your Linux install. It's always good to review the installed applications and libraries, and remove what you don't use anymore. You can also remove packages that nothing else depends on and that aren't used by anything.

On Debian or Ubuntu, for example, you can find these by running:

sudo apt autoremove

And on a desktop, you probably already apply updates, or your distro has auto updates enabled. But on a server, it's easy to let things slide, and forget to log in regularly and make sure things are up to date. I'm guilty of that myself.

And just like with packages, libraries, and apps, you should also make sure you only run the services you actually use. You can list all services running with:

systemctl list-units --type=service --state=running

To stop a service you don't need, you can run

systemctl stop SERVICE

To stop the service from starting with the system, you can run

systemctl disable SERVICE

If you're on a server, the general rule of thumb is also NOT to run a graphical desktop on it. It will often be much more secure to use SSH to log in to the server remotely.

But you might also need to secure SSH first. If you have multiple users, make sure only the ones who need it have SSH access. To do that, edit the /etc/ssh/sshd_config file and add a line that starts with AllowUsers, followed by the names of the users that will actually have access to SSH.

Now, something that might be useful in general, for a server or a desktop, is making sure all the users are correctly handled. The first thing will be to disable root login.

If you decide to disable the root account, make sure at least one user has admin privileges though, or you'll have a system with no way to run any task with sudo. Once you're certain everything is ok, you can use the following method:

Edit /etc/passwd and change the first line, replacing /bin/bash, or whatever other shell root currently logs into, with /sbin/nologin (or /usr/sbin/nologin, depending on the distro).

If you prefer, you can simply disable root login through SSH, so the account is still there if you want it locally, but remote attackers won't be able to log in as root. To do so, edit /etc/ssh/sshd_config, uncomment the PermitRootLogin line, and set its value to no. Restart SSH with systemctl restart sshd, and you're done.
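A way to check the AllowUsers, PermitRootLogin and root shell settings described above, as an added example that is not from the video. The function names are hypothetical and the sample files (users alice and bob) are constructed.

```shell
#!/bin/sh
# Added example (not from the video): audit the login settings described above.

# Effective global value of an sshd_config keyword. Keywords are
# case-insensitive, commented lines are ignored, and parsing stops at the
# first Match block. Include files are not followed: on a live system,
# "sshd -T" prints the fully resolved configuration.
sshd_value() {  # $1 = keyword, $2 = sshd_config path
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Login shell of root, taken from a passwd-format file.
root_shell() {  # $1 = passwd path
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Print one FINDING line per gap; return 1 if any were found.
audit_login() {  # $1 = sshd_config path, $2 = passwd path
    rc=0
    prl=$(sshd_value PermitRootLogin "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$prl" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${prl:-not set}', expected 'no'"; rc=1
    fi
    if [ -z "$(sshd_value AllowUsers "$1")" ]; then
        echo "FINDING: no global AllowUsers line found"; rc=1
    fi
    case "$(root_shell "$2")" in
        */nologin) echo "INFO: root has no login shell; keep one sudo-capable user" ;;
        *) echo "INFO: root still has a login shell (local root login possible)" ;;
    esac
    return "$rc"
}

# Constructed sample files (not real system data): the PermitRootLogin line
# is still commented out, so the audit reports it.
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' 'AllowUsers alice bob' > "$tmp/sshd_config"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' > "$tmp/passwd"
audit_login "$tmp/sshd_config" "$tmp/passwd" || echo "audit reported findings"
rm -rf "$tmp"
```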

To remove the ability to use USB storage, Thunderbolt or Firewire, you can add the following lines to their respective files (create them if need be). To revert this, just remove the lines you added to those files.

Add install usb-storage /bin/true to /etc/modprobe.d/disable-usb-storage.conf
Add blacklist firewire-core to /etc/modprobe.d/firewire.conf
Add blacklist thunderbolt to /etc/modprobe.d/thunderbolt.conf
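The two directives used above do not block a module in the same way, which the following added example (not from the video) makes visible. The function name is hypothetical and the sample directory is constructed from the three lines in the text.

```shell
#!/bin/sh
# Added example (not from the video): check how modules are blocked.

# Report how a kernel module is blocked by the *.conf files in a modprobe.d
# directory:
#   install   - modprobe runs /bin/true or /bin/false instead of loading it
#   blacklist - alias-based autoloading is skipped, but an explicit
#               "modprobe <module>" still loads it
#   none      - no blocking line found
# modprobe treats "-" and "_" in module names as the same character.
module_block_state() {  # $1 = modprobe.d directory, $2 = module name
    cat "$1"/*.conf 2>/dev/null | awk -v mod="$2" '
        BEGIN { gsub(/-/, "_", mod); state = "none" }
        /^[ \t]*#/ { next }
        { name = $2; gsub(/-/, "_", name) }
        $1 == "install" && name == mod && ($3 == "/bin/true" || $3 == "/bin/false") { state = "install" }
        $1 == "blacklist" && name == mod && state == "none" { state = "blacklist" }
        END { print state }'
}

# Constructed sample directory holding the three lines from the text above.
tmp=$(mktemp -d)
echo 'install usb-storage /bin/true' > "$tmp/disable-usb-storage.conf"
echo 'blacklist firewire-core'       > "$tmp/firewire.conf"
echo 'blacklist thunderbolt'         > "$tmp/thunderbolt.conf"
for m in usb_storage firewire_core thunderbolt; do
    echo "$m: $(module_block_state "$tmp" "$m")"
done
rm -rf "$tmp"
```

On a real system, pass /etc/modprobe.d as the directory; a module already loaded stays loaded until it is removed or the machine reboots.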

Video: Quick tips to improve Linux Security on your desktop, laptop, or server (hardening for beginners), from the channel The Linux Experiment
Video information
October 4, 2023, 20:28:30
00:17:26