Linux Malware and Securing Your System

88,600 views

Chris Titus Tech

A day ago

Comments: 241
@ChrisTitusTech 4 years ago
Cheatsheet: christitus.com/secure-linux/
@fouadzouraibi5407 4 years ago
hey how about fedora user? firewalld so that first step sudo ufw.... , what are the alternative commands for firewalld users ??
@691337420 2 years ago
Hey Chris Titus Tech, you didn't demonstrate checking for testfile before checking unsigned packages. What is that supposed to look like?
@kaliprophet9607 A year ago
I'm positive that I have this or something similar on my Kali OS
@JamezXMShorts 4 years ago
I was wondering why my pinephone kept playing hardbass, now I know...
@ChrisTitusTech 4 years ago
lol
@rosemarieosborn8625 4 years ago
ROFL good one LOL
@user-tm3fz7qx3s 4 years ago
lol
@mythos5202 4 years ago
Mine keeps showing me propaganda about some "Wish Granter" in the center of The Zone. Screw that, I'm not going beyond Brain Scorcher for a fairy tale.
@ttvv88 4 years ago
@@mythos5202 Get out of here
@ForbiddenUser403 4 years ago
You would be amazed at how many legacy systems are frozen in update time out of fear that running updates will break systems that no one remembers how to fix...
@balsalmalberto8086 7 months ago
Windows update breaking Windows
@sethwilliamson 4 years ago
AFAIK, ufw allow 80 and 443 are only necessary if you are running a web server. The "default allow outgoing" will allow you to initiate connections on those ports to remote websites and receive their responses on the appropriate ports just fine. By including those allow rules, you're opening the ports for outsiders to _initiate_ incoming connections into your box on those ports. (Inconsequential if you don't have anything actually listening on them, but still important to understand.)
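Added example, not from the comment above or from the video's script: a shell check for the situation that comment describes, listing ufw ALLOW/LIMIT rules whose TCP port has no listening socket. It parses the text printed by ufw status and ss -H -tln; the function names and the sample output are constructed for illustration, and a loopback-only listener still counts as listening.

```shell
#!/bin/sh
# Added example: find ufw inbound rules for TCP ports that nothing listens on.
# Function names and sample text are constructed for illustration.
# Live use: stale_allows "$(sudo ufw status)" "$(ss -H -tln)"

# allowed_ports: reads `ufw status` text on stdin and prints each single
# numeric port opened by an inbound ALLOW or LIMIT rule (UDP-only rules,
# port ranges and application profiles are skipped).
allowed_ports() {
    awk '
        { gsub(/ \(v6\)/, "") }      # fold the IPv6 twin onto the IPv4 rule
        ($2 == "ALLOW" || $2 == "LIMIT") && $3 != "OUT" {
            split($1, spec, "/")
            if (spec[1] ~ /^[0-9]+$/ && spec[2] != "udp") print spec[1]
        }' | sort -un
}

# listening_ports: reads `ss -H -tln` text on stdin and prints the local
# port of every listening TCP socket (handles 0.0.0.0:22, [::]:22 and *:22).
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, part, ":"); print part[n] }' | sort -un
}

# stale_allows UFW_TEXT SS_TEXT: prints ports that ufw opens for inbound
# connections although no TCP service is listening on them.
stale_allows() {
    open=$(printf '%s\n' "$1" | allowed_ports)
    listen=$(printf '%s\n' "$2" | listening_ports)
    for port in $open; do
        printf '%s\n' "$listen" | grep -qx "$port" || echo "$port"
    done
}

# Constructed sample: a desktop with rate-limited SSH plus allow rules for
# 80 and 443, but only sshd and a loopback print service listening.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)'

SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*'

# Prints the ports whose allow rules can be deleted on this sample machine.
stale_allows "$SAMPLE_UFW" "$SAMPLE_SS"
```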
@wingsandthings. 4 years ago
You have 200k subscribers already?! I remember back when it was like 10k! Keep up the great vids
@ChrisTitusTech 4 years ago
Thanks Ocarina! I cringe on some of my old videos and salute you that have stuck with me this long.
@deltaoscaruniform1316 4 years ago
Still nothing compares to my classmates automatically opening usb 16gb shortcuts in their pen drives.
@NicoKnowsTech 4 years ago
That's because the IT departments don't know how to use the group policy editor. My sons' school is the same way.
@gamtax 4 years ago
Kernel 3.7? Dang, even my WiFi routers are running later versions... 😂
@Brendanasdfdsf 4 years ago
This is one of your better videos Chris. You going into the terminal and showing people what you mean and how to do things is what people want I think.
@WR3ND 4 years ago
NSA/FBI: attacker, gray alien wearing a hoodie and shades. 🤔 Seems legit.
@kyoni6098 4 years ago
While it might be more complicated to use, I highly prefer iptables over ufw, it allows for better fine-tuning and mastery. The mean and short version:
allow all "localhost traffic"
allow outgoing traffic (mostly)
log + allow incoming traffic only if you really use it (like your network printer, ...) preferably with its real IP address
everything else, shoot on sight :-D (that includes forwarding traffic)
TBH: if all you have is a desktop machine, you shouldn't have that much incoming traffic to begin with.
@guilherme5094 4 years ago
I salute you Chris, I couldn't finish reading the document, and great video.
@QSC0P3 4 years ago
Good stuff! A quick suggestion for your script would be to add comments to the UFW lines so that it's easier to remember what a rule does later on. Also there are certain presets for certain applications like ssh. So for example:
###
ufw allow ssh comment 'Allows ssh on port 22'
ufw allow http comment 'Allows http on port 80'
ufw allow from 192.168.1.0/24 to any port 32400 comment 'Allows LAN connections to Plex server'
#Which equals:
ufw allow from any to any port 22 proto tcp comment 'Allows ssh on port 22'
ufw allow from any to any port 80 proto tcp comment 'Allows http on port 80'
ufw allow from 192.168.1.0/24 to any port 32400 comment 'Allows LAN connections to Plex server'
###
Finally: ufw will ask for user input when enabling the firewall. You could automate (be careful to not lock yourself out!) the step with:
###
echo y | ufw enable
###
To view your rules you can:
###
ufw status
ufw status numbered
ufw status verbose
@silentgameplays 4 years ago
Thank you Chris for another great video! The latest Kernel on Arch is 5.8.1, if you use Tails OS from a USB or even know how to use an Arch/Fedora even a simple Debian install with all the stuff that you need you are safe from this vulnerability, it's mostly made for ancient IoT devices and old servers as for Windows latest systems they have backdoors upon a fresh install, which are exploited constantly. If we are talking about live sample things I would say that running a Windows 10 with outlook account today is a lot less secure, than running any Linux OS, on Windows 10 you just need latest updates for another backdoor from MS to be installed on your machine. Majority of cybercrime targets Windows as main OS platform, on Windows all you have to do is hijack a browser by sending a link or making an extension for crypto-mining or gathering data it is a much easier cyber attack pattern and much more profitable than to do a much more complex attack on a Kernel level on any Linux OS.
@AnzanHoshinRoshi 4 years ago
Thank you, Chris. Good content.
@s0litaire2k 4 years ago
I've set my fail2ban to ban for 300days after 2 failed attempts (excluded localhost and white listed ip's) as well as enabling Apache2 , phpmyadmin and sendmail modules. Also I've noticed a few "embedded" systems using VERY old Linux kernels, they tend to be heavily proprietary devices that official support has lapsed and tend to be "set up and forgotten". So I'm not too surprised they needed to specify updating very old kernels (Heck 747 aircraft still use 3.25 floppy disks to update internal firmware!)
@ChrisTitusTech 4 years ago
There are also some IoT devices, which can fit into this category. They tend to never see updates and use old kernels in some instances. I get it, but it was just how things were worded.
@dustinwatts9055 4 years ago
Regarding kernel version 3.7 or later...a lot of enterprise retail companies (Walmart, Ahold-Delhaize, etc) use much older kernels, such as 2.6, as they are unable (or unwilling) to update their systems past an ancient distro (something like RHEL 6.5). It's an unfortunate reality within larger organizations for us lowly engineers - one where the company refuses to upgrade because of the old "if it works, why fix it", and because there isn't really a single conglomerate like Microsoft forcing updates down their throats - thus allowing them to kinda just install it once and leave it alone for all of time and eternity.
@DanSnis 4 years ago
'netstat' is replaced by 'ss'. Please stop using netstat and ifconfig, unless you are on a kernel older than 3.7
@DanSnis 4 years ago
@Repairman ATDT911
@nicolasbarrios7877 4 years ago
Thanks for the script! Could you make a more in-depth video on how to secure our system?
@WR3ND 4 years ago
Secure boot is more of a last resort and can be a hassle. I'd say use a bios boot password, limit the media you can boot to by default, and encrypt your laptop instead in general.
@adamsmith5374 4 years ago
Great information...thank you! However you must also disable the remote root login in the sshd_config file.
@Praxss 4 years ago
Thanks Chris, You give me knowledge that no one can give
@bruceblore9726 4 years ago
None of my devices have the malware, but my tablet is stuck on the 3.0 kernel, so kernels older than 3.7 are still in service.
@bertnijhof5413 4 years ago
Useful information! I run Ubuntu on ZFS and that is not an UEFI install. I'm afraid of crashing the system, changing it to UEFI install. I did run the checks and my unsigned modules are 3 from VBox :) I moved all my "work/hobby" to Virtual Machines and with one exception, the Host OS and the VMs are closed for inbound traffic. The Ubuntu 16.04 LTS Banking VM has Linux 4.15.0-112, so I'm safe there, beside it is the VM, whose virtual disk is encrypted by Virtualbox :). The only systems with some open ports are my backup server and my laptop and they are powered-on for 1 hour/week (back-up server) and say 3 hours/week (laptop). If I go on the road, my Host OS on the laptop will be closed for all inbound traffic too, its VMs are an up-to-date copy of the desktop VMs :)
@thatonegayfurry4177 4 years ago
I'll get to setting up my honey pots to try and get a live sample for ya. I'll update the comment if I find anything
@raughboy188 3 years ago
I find that the best way to avoid drovorub aside from making sure you have latest security updates and everything else is to act on internet like anybody else. Don't do anything that will make you stand out and you won't catch attention from bad guys since you won't be interesting to hackers and they won't attack your pc since you're basically nobody. Don't stand out on internet and you'll be safer than somebody who stands out for any reason.
@dreagnore 4 years ago
Well I think it isn't meant for home users as much, but for enterprise users...I wouldn't be amazed if there are some small companies running an old application on CentOS 6 without any updates.
@Greatfulone 3 years ago
Very informative. Thank you so much. This helps me out today, and gives me things I may want to do in the next six months or so.
@KuittheGeek 4 years ago
Having done some Embedded Linux development, I have had to use an old version of the Linux Kernel that was from something like 2.x because the audio chip wouldn't run on later kernels. We were also running on a very low power microprocessor, something with 144 pins and DDR memory. It happens, but in my experience, things like that aren't internet connected and are used for stability in the given task. There are edge cases, and it does happen, but it probably isn't very common.
@ghost-user559 A year ago
It’s extremely common. Most of the most important coms and military systems on earth are still on windows 98 or XP, as are many governments on earth still using ancient licenses for banking, and fax for communication, and floppy for cold storage. I think it’s actually very common
@ahmedbadr6362 4 years ago
With some more secure distros (like openSUSE) you need to put the check unsigned kernel command in a bash file and run with sudo.
@beanrod 4 years ago
Chris - good video enjoyed the coverage of ufw and fail2ban
@mrf_71 3 years ago
Hey Chris. I want to thank you for all your Linux videos and windows videos, especially Linux they've helped me out greatly! I was wondering if you've ever used firejail? And regardless if you have or haven't, could you do a video on it?
@send2gl 4 years ago
Security always an interesting subject.
@ranbymonkeys2384 4 years ago
From what I understand is this malware embeds itself on your 5 1/4 floppy drive and 28.8 baud modem.
@jessebrown233 2 years ago
fail2ban blocks the ip; they just move on to the next ip in the subnet. You have to block the entire subnet.
@badpiggies988 A month ago
I’m right with you in not using secureboot, every time I turn it on my Linux Razer laptop (whose motherboard isn’t inherently Linux-aware) fails to load the GUI since it fails to detect the GPU
@adrianocastaldini 10 months ago
Dear Mr. Titus, question about ufw ports. I use qBitTorrent and I'd like to know how to set "safely" the network tab. 1. Should I "allow" port 36013 in ufw? 2. Should I check "Use UPnP/NAP-PMP to open the router"? 3. Protocol: TCP & uTP, or TCP only? Should I set some server proxy? Many thanks in advance.
@bjarkih1977 4 years ago
I always close port 22 altogether.
@ChrisTitusTech 4 years ago
If you don't need SSH I highly recommend this! SSH is the most attacked port out there.
@bjarkih1977 4 years ago
@@ChrisTitusTech I simply modify my SSH-server config file to use another port :)
@sjones72751 4 years ago
At this point it's probably best to just close 22 and use a different port for ssh
@rasky1991 4 years ago
Moving sshd to different port won't protect for long time. Botnets will find it eventually.
@MrRenanwill 3 years ago
I let closed all ports. Just as the default ufw does. I don't run any service here that needs some ports to be open. When there exist a port open, it's because I have opened it due to some program using it (most apps does it automatically).
@vasilstefanov4112 3 years ago
You’ll be amazed how many servers use linux kernel 2.6 still
@mf-wg1qi 4 years ago
Read Peter Riches comment on your web page and the following worked for me; "shortened the grep pattern: "signature" to "signat" and then none of them came up as unsigned." In Linux Mint 19.3, I now had only three; all Virtual Box related.
@mrcrackerist 4 years ago
Great video, any plans to increase video production? :D
@ChrisTitusTech 4 years ago
Eventually I'll get there. However, I'm still working my day job and not exactly ready for it right now. I'd love to buy a split AC system so I don't have tons of background noise I have to fix in post or get a room larger than 8x10, but this is at least a year away.
@graemehill3709 4 years ago
CTT "fighting the good fight" .......Salute.
@madhupatel4484 4 years ago
Plz one video on your desktop customisation I like your desktop
@h2o-fpv623 2 years ago
Ok another night trying to learn Linux and its advantages. Thank u for the video.
@Steven_nevetS 4 years ago
Some really good tips! Thanks Chris
@mf-wg1qi 4 years ago
Great video, as a newer user to Linux it's taking me awhile to review all terms mentioned, but I'm enjoying and learning from your videos. I have 116 (yeah that's right, 116) unsigned kernel modules in Linux Mint 19.3 Tricia. Wondering why?
@CrypticConsole 4 years ago
Is that a lot?
@mf-wg1qi 4 years ago
annoymous - yes, see my other comment where I got it down to three (3).
@adrianocastaldini 10 months ago
I don't understand the Drovorub test. In Terminal: touch testfile; echo "ASDFZXCV:hf:testfile" > /dev/zero But I receive no answer from the Terminal...
@theproudlinuxer 4 years ago
Which Operating System are you using here? Please answer. Its look is amazing.
@luqmanhamdan9285 4 years ago
It didn't surprise me about the kernel version. At least they know that the Internet is full of Linux machine still running kernel under v3.7 which is notoriously bad especially router and IoT devices.
@felipemedina2279 4 years ago
I love your content a lot. Hugs from Brazil
@DaveSomething 4 years ago
3.11 WFW!
@WietsedeJong 4 years ago
They traced back all 3.7 kernel users.. Only Brian Lunduke got an email.. ;-)
@WR3ND 4 years ago
What if I told you I bought a new, sealed Windows 3.11 and DOS 6.22 set on floppies in 2019? Also, 6.22 is twice 3.11... 😎
@DaveSomething 4 years ago
@@WR3ND I have 6.22 on floppy =) I still have a server that runs 6.22... I don't dare put the old hoopty online. it's veterinary software.
@WR3ND 4 years ago
@@DaveSomething Nice. I'm just a computer and technology hobbyist and selectively enjoy using both newer and older software and hardware. Cheers.
@nicholash8021 A year ago
Why aren't your router's firewall rules (which generally block all unsolicited traffic) good enough? Is this just a secondary defense?
@Macleod1617 A year ago
So what does the 'sudo sysctl mib' command do? Even in the video after you ran the script, the output read 'sysctl: cannot stat /proc/sys/mib: No such file or directory'.
@pavlospilakoutas 4 years ago
Is deny incoming something you have to do when the firewall is on?
@kaliprophet9607 A year ago
I've tried reinstalling kali but the /media partition won't unmount which I'll assume is where the module is located. Or some process that doesn't want the partition unmounted, especially when it will be formatted during the kali installation.
@acrodrigues1 4 years ago
8:20 firewalld can also do it but sadly is less uncomplicated.
@Mister.MARVEL00 A year ago
thanks. helpful with the manjaro linux 6.9.1 i'm using....
@dilipparasu7476 4 years ago
Please make a video on making an owncloud storage solution and mounting external drives to it
@Jimmy_Jones 4 years ago
In docker. Because that's always better. Also NextCloud is better according to most users. Same interface.
@Jimmy_Jones 4 years ago
Here is a past video for NextCloud kzbin.info/www/bejne/lZa2ZoCJicStedk
@dilipparasu7476 4 years ago
@S T I want to mount an external drive in it. Even nextcloud has some problems with this in my instance.
@Jimmy_Jones 4 years ago
You running a raspberry pi?
@dilipparasu7476 4 years ago
@@Jimmy_Jones no. It is a 32bit ubuntu machine (non server and it is a fitPC2i)
@kaydues 4 years ago
Nice Vid! Thank you! What for a gnu/linux did you use in this video?
@kaliprophet9607 A year ago
My kali usb is non writable so I'm assuming the only way for them to continue this is to make it to where the partition that contains the necessary files for this to work.
@jimlynch163 3 years ago
some people say that fail2ban takes up a lot of ram; there is another project, called ossec that is said to do better
@slypto 4 years ago
"there's a bug in Windows 7 and we need to be worried" lmao
@justsomerandompersononthei2595 4 years ago
laughs in linux
@mikaelrask 4 years ago
A good video Chris, one problem is that secure boot is not safe to use since there has been vulnerability in it, don't know if Microsoft have patched it but.
@sjones72751 4 years ago
Can you or have you done a video on secure boot and signing modules, and what to do if you can't boot due to an unsigned module, etc?
@macman231 4 years ago
What should the output of the modinfo script be? I have 119 item list of "no signature" and the module_name on Mint 19.3 install, is that expected? You didn't talk about what output was to be expected from running that for script. I believe you might want to grep -q for "signat" instead of "signature" since that is the actual field name output for modinfo on Mint, please correct me if I'm wrong. Thanks for all your content.
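Added example, not part of any comment or of the video's script: the grep-pattern question raised in the comments about unsigned modules, written as one shell check. It accepts both field spellings named in the comments (signature and signat), matches them only at the start of a line, and reports modules whose lookup fails separately from unsigned ones; the function names, the MODINFO override and the sample modinfo output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list loaded kernel modules that carry no signature field.
# Function names, the MODINFO override and the sample data are constructed.

MODINFO=${MODINFO:-modinfo}   # overridable so the check can run on sample data

# has_signature: reads `modinfo MODULE` output on stdin and succeeds when a
# signature field with a value is present. Accepts both spellings from the
# comments ("signature:" and the shortened "signat:") and anchors the match at
# the start of the line, so the word "signature" inside a description or
# parameter text does not make an unsigned module look signed.
has_signature() {
    grep -Eq '^signat(ure)?:[[:space:]]*[^[:space:]]'
}

# list_unsigned: reads module names (first column, /proc/modules layout) on
# stdin and prints one line per module that is unsigned or cannot be looked up.
list_unsigned() {
    while read -r name rest; do
        [ -n "$name" ] || continue
        if ! info=$($MODINFO "$name" 2>/dev/null </dev/null); then
            echo "lookup-failed $name"
        elif ! printf '%s\n' "$info" | has_signature; then
            echo "unsigned $name"
        fi
    done
}

# Constructed stand-in for modinfo, covering the cases discussed above.
sample_modinfo() {
    case $1 in
        ext4)    printf 'filename: /constructed/ext4.ko\nsignat:         PKCS#7\nsigner:         \n' ;;
        e1000e)  printf 'filename: /constructed/e1000e.ko\nsigner:         Constructed Build Key\nsignature:      AA:BB:CC:DD\n' ;;
        vboxdrv) printf 'filename: /constructed/vboxdrv.ko\ndescription:    out-of-tree driver, signature: none\n' ;;
        *)       return 1 ;;   # unknown module: the lookup itself fails
    esac
}

# Demo on the constructed data. On a real system run:
#   list_unsigned < /proc/modules
printf 'ext4 1 0\ne1000e 1 0\nvboxdrv 1 0\nlkp_constructed 1 0\n' |
    MODINFO=sample_modinfo list_unsigned
```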
@mikaelgaiason688 4 years ago
Yeah I'm new to the whole Linux scene, but even I know there's some Linux users holding ancient kernels, just because they can. Probably Arch users. ;) lol
@altermetax 4 years ago
Arch users are like the opposite of that. You might be thinking of Slackware.
@fuseteam 4 years ago
nah arch users are the opposite of that, You might be thinking of Android
@warhawk_yt 4 years ago
Yeah you constantly get kernel updates in Arch Linux like every other day or something like that so everyone most likely has a kernel way past 3.7
@warhawk_yt 4 years ago
I really don’t see anyone in their right mind you a really old kernel from like 2012 lol.
@mikaelgaiason688 4 years ago
nah, Arch users are the opposite of that. You might be thinking of Fedora
@BrenoSilveira94 4 years ago
I love you Chris, you are an awesome dude.
@Dratchev241 4 years ago
well, YT decided to unsub me at some point so yeah... anyway another tip for SSH is changing the ssh port you use like instead of 22 use 9342, granted yes you have to change it on all of your stuff but how many ssh attackers are going to bother to go through every single port to see if ssh is on 5142 instead of 22. so I change ssh port, then deny 22, and ban all 22 requests and then limit the port I am actually using for ssh
@uwuster 4 years ago
Windows viruses are easy to get Linux viruses hard but not impossible. It's arrogant to think no one would care to make viruses for it. Especially if Google Chrome and Steam bother to make ports to Linux! I download a bunch of crazy weird stuff, when I was using Windows10 I'd get a virus 1-2 times a week and got really sick of it and after using Ubuntu for 6 months I got 1 and then freaked out and format my hard drive and had frustration getting past the debian install but 8 hours later I figured it out and, feels awesome.
@uwuster 4 years ago
@ZAXV2 :) Thank you.
@snipzmattio5887 3 years ago
Great video, thank you!
@arsenalgear3009 4 years ago
Oh you've passed 200k. Nice
@alphaomega4434 4 years ago
hey chris could u keep ur terminal up a little higher, when u enter commands the play button on you tube blocks its thank youuuu
@peppermint_candy39 4 years ago
Thank you very much for the video!
@boblee5524 4 years ago
Thanks again for your Win_Debloat guide on your website. I get 92 Processes at idle...yesss!!!
@Jeremy-su3xy 4 years ago
I got "no signature for module: lkp_Ubuntu_5_4_0_42_46_generic_70 not found". Is it okay?
@sidhantmourya 4 years ago
your terminal UI looks sick, how can I customize mine?
@damienblack6667 4 years ago
Google it
@anthonyfmoss 4 years ago
He did make a video on that some while ago
@stanleybowman-hood6194 4 years ago
Me on windows: hahaha imagine getting a virus wait
@davidc5027 4 years ago
I run Razor keyboard, Mouse and Headset - These kernels are unsigned. no signature for module: razerkbd no signature for module: razermouse
@darrenclift6704 4 years ago
are there any viruses out there for linux that can actually attack your bios ???? I had to actually pull my bios battery on my desktop to get it to boot up with a video card plugged in. system wouldn't even power on with a beep until i did that.
@Innrafeith 4 years ago
Question - using a bootable flash drive loaded with linux mint using rufus on your computer ... is that safe to use, even when you connect it to the internet?
@austin.rojers 4 years ago
Please create a video with macOS in KVM/QEMU, the open core project isn't working for me , I even tried the foxlet project in GitHub but I was facing problems with VRAM.
@SouvikMondal-ns2be 4 years ago
Hi! I moved from Windows to Linux recently and using through dual boot. I'm currently running Ubuntu DDE distro. When I'm shutting down the computer after using for a small time it is shutting down normally. But after using for a long time ,when I'm trying to reboot or shutdown I'm getting the following message on blank screen, and I had to shut down using the power button. [5170.345535] nouveau 0000:01:00.0: bus: MMIO read of 00000000 FAULT at 6013d4 [IBUS] Is there any solution for this? Is there any possible reason for this problem? If I delete the Ubuntu and reinstall it will it be solved?
@TILR 7 months ago
You should do an update to this video if it needs updating
@christerwickman203 4 years ago
Hi. I just would like to ask should one who Linux Kernel 5.4.0-42Genric care about this Malware? I use FerenOS KDE with this Linux Kernel. If I understand correct support for this Kernel ends 2023. I have Clam on my Linux laptop computer. The version of FerenOS I use is 2020.07. I hope some would know about this. Yours Christer
@ChrisTitusTech 4 years ago
Most of the people that need to worry are IoT devices and very old servers that were never updated. For most Linux Desktop users, this isn't something you need to worry about. However, I still recommend securing your box to the best of your ability.
@Jeremy-su3xy 4 years ago
I have a similar result. Mine is lkp_Ubuntu_5_4_0_42_46_generic_70. I don't know what to do with it. Chris said desktop users don't have to worry about it. Does it mean I don't have to worry about this specific kernel?
@leopard3131 2 years ago
Just learn iptables with a few simple commands you can do everything fail2ban does without installing anything. UFW is completely unnecessary. Also outbound traffic will use a random unprivileged port to connect to 80 or whatever on the server
@sylvainalain6637 4 years ago
Your script is a one time thing or i need to rerun it each time I reboot my Linux box ? Thanks for that script by the way :)
@ChrisTitusTech 4 years ago
one time thing, Linux you set and forget for the most part.
@sylvainalain6637 4 years ago
Chris Titus Tech any idea if ChromeOS can be infected ?
@battlebuddy4517 4 years ago
Sylvain Alain yes it technically running on linux kernel also you may want to worry about stuff from web store then this
@Greatfulone 3 years ago
Hi and thank you so much for the video. I was wondering if I need ufw even if I do not ssh into it from outside and the firewall is activated?
@jeffherdzina6716 4 years ago
I'm from the Government, and I'm here to help. The 9 most scariest words in the English Dictionary. According to President Ronald Reagan. As a former worker for a U.S. government agency, I can completely understand why the report is this far outdated on systems information.
@larryalexander7796 4 years ago
I recently bought a MintBox Mini 2 Pro, that comes with Mint 19.* installed. Surfing news (really) I got a Full Screen Microsoft Screen, which gave me a phone number to call for the KEY to unlock my MS computer. Imagine my surprise. No mouse or keyboard. So I unplugged. After a week, I got a sfck to work, but now my password will not work for installing updates. I do not have to use it for restarts.??. I have visited the Mint Forums, techmint (Great) and u tube, I am getting up courage to follow up to reset the password. The more I read the more confused I get. There seems to be a root password, and a password. ???. I got the Linux command line and shell scripting Bible, also great, but conventional. Where do I go or what do I read to better understand the implications of what people are suggesting, as all are similar but different. Is it just experience or writing programs?
@suresh1986ize 3 years ago
How to disable compilers in Linux.
@theepicslayer7sss101 4 years ago
just a warning, you need a huge range of open ports for Discord since Discord is dumb like that... i do love it as an application but i already block all non essential ports in UDP and TCP but have to disable the firewall for Discord when using it... i wish i could force Discord to use certain ports... (like a 2000 port range instead of the default 50000 one...)
@dharmeshsolanki4354 4 years ago
I am using brave for a month now I really like the brave's ad blocking shield and ram usage is little bit lower than chrome but since a week brave reward ads stopped I tried every setting in windows and in brave but nothing works, any suggestion ?
@mrf_71 3 years ago
Hi! can you make a NextDNS video for Linux?
@mihaidoboga 4 years ago
I also use to change the default port of SSH to something like 1XXX. Do you think that adds to security or is it useless?
@turun_ambartanen 4 years ago
It doesn't make it more secure per se, but you escape all the automated attacks that are run on the default port.
@brainsifter 4 years ago
11:10 if there is no netstat, try ss :)
@chriswilliamson9030 4 years ago
system76_io and system76_acpi are unsigned? Is that normal?
@691337420 2 years ago
Hi Chris Titus Tech, I want to know whether using echo is supposed to return something or not. I'm trying to determine whether my machine is infected with drovorub (woodcutter) and find a course of action to remove it, or reformat my machine. As I type touch testfile and echo the /dev/zero I don't get anything in the terminal, but as a matter of fact, echo doesn't return anything in the terminal for me no matter what it is. I'll try updating and upgrading all my applications and packages and see if that changes things. Is /dev/zero supposed to be a folder? It appears like a file reference (That everything in linux is a "file" or an "icon") and I'm not sure where to find the testfile referenced in the script on your site. I enabled other security features mentioned in your video and things seem the same, perhaps I am in fact more secure. My "listening ports" show the same connections, I don't have many connections either. I turn off my internet periodically out of paranoia, that if I disconnect my internet I'll also stop any potential bad actor connections to my machine, and just reconnect when I need to do something. After I got back from vacation, my machine had missing vectors, now there is an "unknown chip xid" something something. I tried restoring my machine with Timeshift from before vacation, but the problem persisted, although I have not experienced anything strange other than those CLI messages before Linux Mint (with GUI) boots and puts me at the login screen. I think I may have damaged the machine by turning it off, flipping the power on the power supply on the back of my PC, and unplugging it. Perhaps when plugging the machine back in, and turning on the supply, there was a surge of static, but the operating system boots fine. Timeshift didn't really fix those CLI "soft" errors which have me concerned.
@bitterrotten 2 years ago
"touch testfile" creates the file in your current directory. The echo command sends a request to part of the malware which resides in /dev/zero and mimics its behavior until sent a specific string (ASDFZXCV:[command .. in this case, "hide file"]:[your file]). I'm guessing your eye glossed over the first command as mine did.
@691337420 2 years ago
@@bitterrotten I entered both actually, nothing popped up after that. You're saying the virus returns a string?
@mk72v2oq 4 years ago
> Let's run this script with sudo
This is one of the most common mistakes. DO NOT run unknown scripts, especially as root. At least check the source before running.
@rickbhattacharya2334 4 years ago
Can you please make a video on secure boot
@blackmennewstyle 4 years ago
Is UFW the new firewall package meant to simplify the use of IPTABLES?
@ChrisTitusTech 4 years ago
Yes, also iptables is deprecated in recent linux releases.
@imyasharya 4 years ago
Do I have to worry if I'm a desktop Linux user?