I just want to caution everyone against enabling automatic updates on production systems. The best practice is to use scheduled maintenance windows and to always test updates in a test/dev/QA environment before making changes to prod :)
@officialrotorblitz29453 years ago
Perhaps create cronjobs to update once a month
@michaelj83963 years ago
You're right. The ideal situation is using a repository host, whether that's something like Red Hat Satellite, Oracle Spacewalker, or using a simple webserver which synchronizes repositories. You then control your packages on the upstream, so that when they are downloaded by the host, only the packages that have been tested are applied. This is how we automate patching: determine what updates we want > synchronise packages to repo host > create test environment to mimic prod > schedule ansible jobs via Tower to auto patch test hosts with smoke tests > when smoke tests pass, execute job on prod > run smoke tests, and if it fails, execute a job to undo the patch.
@FaFairuz83 years ago
Yes. I can't stress this enough. Upgrade on other environment first and test everything first.
@viktatororban44073 years ago
This is a BS channel for wannabe network/linux/ansible people with bloated headlines and eye-candy editing. He barely had any real-life experience with this stuff; most of the stuff he teaches about is from the official rtd.
@liesdamnlies33723 years ago
@@viktatororban4407 Everything you listed is exactly what's appropriate to teach beginners and for enthusiasts to communicate to them. Beginners need enthusiasm to draw them onto the path of becoming an expert.
@johncullen35423 years ago
Definitely one of the top 3 videos of all time to date... changing TCP ports, encrypted authentication, and disabling ping. Love it... Thanks again Chuck!
@lukutoukka674710 months ago
Great video. I am Gonna subs.
@jarrod7523 years ago
Won 20 bucks in a networking class. Another student told me he could get into any computer remotely. I accepted his challenge and turned off my network card in the drivers. He was pissed.
@raginranga34943 years ago
Priceless..
@scikk34793 years ago
🤣
@zammarzareen61903 years ago
😂😂😂
@Capitaltwo37103 years ago
I bet that no-one can kill you after you've committed suicide*
@ducky16813 years ago
clever...
@truckermoose2 months ago
Thanks
@vasiovasio3 years ago
Linode, just to tell you - A really good choice for sponsorship! Keep going, his style is a remarkable combination of useful information and energetic hype!
@m971203 years ago
You should use "apt upgrade" instead of "apt dist-upgrade" as the latter might also remove packages or change things in the system which might break your applications. "dist-upgrade" should be used if you want to upgrade to a new release of the distro, not if you just want the latest versions of your packages in order to get security fixes.
@kpopempire14753 years ago
20:41 - The line was already there (the last entry in that section). All he had to do was change the ACCEPT to DROP. ICMP ping may be blocked but hackers can still find his server using the nmap utility. Great video though. Love the channel!
@futuza2 months ago
I'm kind of surprised the 2nd line doesn't overwrite what the first one did. I guess the behavior is to only check for the entry once and ignore additional entries.
@stlphotography3 years ago
Just as a correction for macOS the command ssh-copy-id @ does also work.
@edgarardon31543 years ago
This was great. I've just passed my Linux essentials exam and this helped learn a bit more about security. Btw, reloading the firewall did do the trick in my server. I didn't have to reboot .
@gswhite3 years ago
Brilliant. Coming from a person who is very comfortable with Linux, is so nice to see the simple security aspects covered. And I always love how enthusiastic you are, making I.T fun!! Big fan here, over in London /UK! Keep it up, and great to see your channel growing as well. Keep you fed :)
@NetworkChuck3 years ago
Thank you 😊
@justcallmetruman a year ago
Chucks the man but I've always wondered how much coffee he really drinks everyday.
@jirehla-ab16719 months ago
Can u do videos on selinux but with a different twist @NetworkChuck
@uwemeyer16883 years ago
The way you deliver content is outstanding. English is my second language, but you somehow manage to be quick, to the point, and very understandable. Kudos. Fantastic work.
@manobrodeful3 years ago
Same here! All of his videos are really understandable and easy to learn.
@jesselistarseed2 months ago
This is the greatest presentation I've seen on hardening a cloud linux server. You're fast paced, but the whole video was understandable and easy to follow. Thank you so much for making this video. I've shared it with people and included links to it on my blog posts.
@medanisjbara13483 years ago
I have another suggestion tho. There's a firewall option that allows your port to be neither "open" nor "closed" but instead "filtered", making your server accept incoming connections only from a known IP address. It might not be useful for everyone since not everyone has a static IP address. But hey, if you do, then that's just the best layer of security you might add to your server.
@michael_oconnor2 years ago
Spent a few hours trying to get key auth to work, found out Chuck left a part out in the video. You need to add the private key to the ssh agent so your computer knows which key to use. In Windows, do these commands:
Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent
ssh-add
NOW you should be able to log in :)
@Eschguy3 years ago
Perfect timing, man! Just fired up my first Linux server this week!
@明智吾郎-e4b3 years ago
How did it go? What distro?
@HopliteSecurity2 years ago
As a security professional I really found this video to be of good quality. You were to the point, informative but not overbearing, engaging while being authentic. Keep up the great work! ❤ 😍
@niksatt4843 a year ago
He's literally the only KZbinr that breaks it down enough to where even my bricked brain understands
@Alexander-vo4gv3 years ago
Also a million Chuck! You well deserve it!
@johnsummers73893 years ago
I don't manage Linux servers but this was so informative. I am a maker and have been looking to set up a server for my IoT devices and this is awesome to make sure my server isn't going to be hackable. AWESOME!! Thank you Chuck!!
@royalebloodme3 years ago
@14:08 PasswordAuthentication no is not enough to disable password for ssh login. Make sure to set ChallengeResponseAuthentication no as well
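An added example, not part of the comment above or of the video: a small POSIX shell audit that reads the global section of an `sshd_config` and reports whether password-style logins are still possible, checking both `PasswordAuthentication` and `ChallengeResponseAuthentication` (which newer OpenSSH accepts as an alias of `KbdInteractiveAuthentication`). The two sample configs are constructed, the fallback defaults are upstream OpenSSH's and are an assumption about your build, and `Include` files and `Match` blocks are not followed; on a real host `sshd -T` prints the effective values.

```bash
#!/bin/sh
# Added example (not from the video or the comments).
# Audits the global section of an sshd_config for password-style logins.
# Assumptions: upstream OpenSSH defaults; Include and Match are not followed.

# sshd_effective KEYS FILE DEFAULT
# KEYS is one keyword, or several aliases joined with "|".
# sshd keeps the FIRST value it reads for a keyword, so a later line does
# not override an earlier one. Keywords are case-insensitive.
sshd_effective() {
    awk -v keys="$1" -v def="$3" '
        BEGIN { pat = "^(" tolower(keys) ")$"; val = def }
        /^[ \t]*#/ || NF == 0  { next }                       # comments, blanks
        tolower($1) == "match" { exit }                       # global section only
        tolower($1) ~ pat      { val = tolower($2); exit }    # first value wins
        END { print val }
    ' "$2"
}

# check NAME VALUE WANTED: prints one result line, returns 1 on mismatch.
check() {
    if [ "$2" = "$3" ]; then echo "ok    $1 $2"; return 0; fi
    echo "FAIL  $1 $2 (want $3)"; return 1
}

# audit_sshd FILE: one line per check, then "findings=N" as the last line.
audit_sshd() {
    f="$1"; findings=0
    pw=$(sshd_effective 'PasswordAuthentication' "$f" yes)
    kbd=$(sshd_effective 'KbdInteractiveAuthentication|ChallengeResponseAuthentication' "$f" yes)
    root=$(sshd_effective 'PermitRootLogin' "$f" prohibit-password)
    port=$(sshd_effective 'Port' "$f" 22)

    check PasswordAuthentication "$pw" no         || findings=$((findings + 1))
    # keyboard-interactive can still prompt for a password through PAM
    check KbdInteractiveAuthentication "$kbd" no  || findings=$((findings + 1))
    check PermitRootLogin "$root" no              || findings=$((findings + 1))
    echo "info  Port $port"
    echo "findings=$findings"
}

# Constructed sample 1: the admin appended "PasswordAuthentication no" below
# an existing "yes" line and left the challenge-response line commented out.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
Port 717
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
#ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

# Constructed sample 2: both password paths closed, key login left on.
cat > "$HARD_CFG" <<'EOF'
Port 717
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

audit_sshd "$WEAK_CFG"
audit_sshd "$HARD_CFG"
```

The first sample reports two findings even though it contains a `PasswordAuthentication no` line, because the earlier `yes` is the value sshd uses and keyboard-interactive falls back to its default.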
@pandaxpanda82723 years ago
if you have any issue getting linux-headers and unable to find the correct one - make sure to type in apt-cache search linux-headers and find the correct one for you. Thanks. Thank you again for another amazing video. !!!!!! You are amazing my friend. Continue to inspire people !
@estudiordl3 years ago
Oh my god, I need this so much, thanks you!!!! Edit: I need more... Moooreee. Lol, jokes away, I really like to see more about firewall managing. Great video, thanks!
@tibettenballs49623 years ago
network chuck, i want you to networkfuq me.
@michaelj83963 years ago
Linux primarily relies on nftables and iptables as the backend to their firewalls. Modern distros based on Ubuntu use ufw, while modern Red Hat based distros use firewalld. I personally prefer firewalld, but both are firewalls and can be configured to how you want (I find firewalld can be customised much more heavily). In most production on prem and cloud environments in the enterprise you'll have dedicated virtualised or hardware firewalls in between each network of hosts that further regulates traffic through firewall rules. Usually these rules are more lenient, while the software firewall rules act as more specific rules specific to the host. You can read more about them here: wiki.ubuntu.com/UncomplicatedFirewall firewalld.org/documentation/
@sontjer3 years ago
Oh, I kinda like the padlock & the little key drew on the screen. Much appreciated!
@php4u a year ago
Awesome tutorial, chuck. You are the man! Thanks for all that you do to help us newbies.
@richielonewolf77253 years ago
The only reason why i come back to watch your videos i seem to learn new things, commands, and get up to date with my passion for techstuff
@levyroth3 years ago
Super useful. Followed all the steps in Arch Linux (some minor differences) in Linode (simpler to set up than AWS and less invasive than Azure at collecting personal data). This is really cool.
@codinginflow2 years ago
Just released my own SaaS and now I'm trying to make it more secure 😁
@briank85253 years ago
Great video chuck. for ssh this is what I do . I change the port like you do but I lock it down so I can only ssh from my home ip address. ufw allow from to any port Even if your public ip address changes you can still ssh back in from the linode web console and change the firewall rules.
@NetworkChuck3 years ago
That’s a great step. Very secure.
@dudeduderinoduderino96892 years ago
I am learning more and more everytime...as soon as I finally move to linux, yours is the FIRST system I install as a firewall etc.
@liamriley21003 years ago
8:14 - "chmod" actually stands for "change mode" instead of "change modification"
@cookiebinary11 months ago
I've had bad experiences with unattended updates, especially on a production server. They often tend to overwrite custom settings. For example, with PostgreSQL, an update might reset a custom database path, and similarly, Docker updates might alter the custom data path set for Docker.
@praecorloth3 years ago
I would always recommend protecting your private key. A private key with no protections on it is more commonly referred to as a back door. You can password protect your private key. Passwords are only useless in Windows these days, since Microsoft refuses to stop using unsalted MD4. Cracking a password for a 4096 bit RSA key, or a SHA512 hash? Yeah. Let me know how that works out for you. If you use a godawful password, sure, it can be done. If you take any steps to make a somewhat decent password, chances are extremely unlikely that someone's going to crack it. However, if you're taking all of these steps to secure your Linux boxen anyway, might as well step it up a notch. Get you a Yubikey, and use it to protect your private key, or use it as a 2nd factor. Yubico has some great documentation. Probably the hardest part about doing it is selecting which method you want to go with, since Yubikeys are extremely flexible.
@SeleDreams a year ago
I think a good thing to add would be "ufw limit [ssh port]" to protect from ssh bruteforce attacks as well
@ZapsterZatoo3 years ago
Good tips, simple to implement and well explained. Thank you!
@der.mihail3 years ago
Thanks a lot man. Every time I learn a lot from you!
@TrixTM3 years ago
3:53 "Coffee break" Puts an ad 21:22 "Coffee break" Puts another ad
@b07x3 years ago
Yeah, Coffee gives you lots of money.
@tiffanytuga3 years ago
@@b07x 😂
@gokul64313 years ago
Yeah man 👍
@senfglas2143 years ago
Looks like you haven't implemented his pihole video ;)
@HouseJunk1e3 years ago
he's definitely getting carried away with this shit....but man his videos are so good w/e
@trevornelson119410 days ago
Chuck, I searched and searched. Your video was the only one that worked. Thanks!
@evanchaskis43153 years ago
Good job dude. i hope you do a video about forensics one day
@KaiStendel3 years ago
I've got my 1st server and checked out everything you showed us. Fine, it works. Hungry to learn more... Keep up with this great work
@exeyeveennersection4222 years ago
How is it going so far after a year
@domemvs3 years ago
For mac you can use ssh-copy-id as well!
@harrywee6353 years ago
Nice, Thanks!
@James-li8cm3 years ago
this by far has to be the best video you have done... every time I deploy a new server, I go through this
@codinginflow2 years ago
13:48 this cracked me up 😂 Loved the tutorial. I'm gonna recommend it in my next video 👍
@vishalt29953 years ago
Great video chuck. I'm gonna do this on all of my Linux boxes from now on.
@hb91453 years ago
Doesn't help. It's snake oil.
@ladyViviaen3 years ago
one more thing i would like to add is to get the linpeas enumeration script on your server and enumerate it, then try to secure as many attack vectors it can find
@Andremzsptm3 years ago
What is that?
@ladyViviaen3 years ago
@@Andremzsptm it's a shell script that shows all possible ways to privesc (become root without knowing root pass basically) and with a quick google search you can find the github repo by carlospolop that has linpeas
@Andremzsptm3 years ago
@@ladyViviaen that's really nice. Thanks
@Gunslinger0883 years ago
Is it a script like Lynis?
@ladyViviaen3 years ago
@@Gunslinger088 from what i saw on google lynis is more overall security scans and whatnot while linpeas only scans for privesc weaknesses
@Farizno3 years ago
Thanks so much for another great video. I signed up on Linode. This is my first web hosting as I am just starting to toy around with servers, websites, and such. Your videos are fantastic and I always learn a lot. Thank you.
@CraftyZA3 years ago
One other thing I would suggest is editing /etc/hosts.allow and hosts.deny. I know you have ufw, but adding another layer will not damage anything. Make sure your passwd file is shadowed. I've been doing this since the 90s. Any and every install gets that treatment.
@bxdbwooyyy2 years ago
how do you do that? where do you guys learn this all?
@Roberto-live a year ago
Great video!!!. Thanks
@brunomachado17483 years ago
Nice Video 👍. I would recommend Lynis to audit the system.
@workingwork1003 years ago
Dude you are just awesome. I'm a junior web developer who wants to keep learning about more fields from computers and software. I'm about to study network administration and after that maybe some hardware grade or something. I see almost all your videos and I learn A LOT like wow. I just want to say thank you for all this knowledge. A hug from Spain!!
@RandomGuyOnTheSreet3 years ago
This was awesome. I am in classes right now and we just went over ssh and private and public keys. This lab definitely helped reinforce my learning and best of all I now have a server.
@SosaiOyama3 years ago
I’ve learned so much from chuck. Became a coding teacher and now learn great instructional etiquette through chuck. Thank you so much haha
@esra_erimez3 years ago
Automatic updates? Untested updates in a production environment?
@thelearner7613 years ago
yes you are correct!
@missunderstood73313 years ago
@@thelearner761 I too was about to address that point. Good call Ezra & The Learner
@tokhyanwaruddin26313 years ago
Hey, the way you explain things are fun, easy to understand and short to the point. simply amazing!!!
@Phlacc3 years ago
Whenever "Chuck" says coffee break, I drink a beer. Cheers.
@bluecreature393 years ago
Thats like 20 beers per episode. I think you might have a problem, but who am I to judge.
@serenitynikolaelpesteyeles92782 years ago
The activity in staring in a screen conglumerates that you want to have a correscending appleture of thought, recontextualizing the greatness that can be grown from that with the "Ryzen Five"
@AlexanderKhiluck3 years ago
ufw by default allows established connections; that's why reloading ufw is not helping. You need to drop all established connections, which is what a reboot does.
@wakeupNeo_3 years ago
I use FirewallD but I'm not sure if it's better though. I'm not running a server, just desktop for home use.
@FlexibleToast3 years ago
@@wakeupNeo_ I don't think either one is better, they're just different. The biggest difference I've seen is that ufw seems to be easier at command line, but firewalld is easier with Ansible. At least until ufw gets an Ansible module (it might have already).
@明智吾郎-e4b3 years ago
@@wakeupNeo_ ufw can also limit access to a certain port. For example, you can prevent someone from brute forcing port 22 by limiting the connection to 2 connections per 30 seconds.
@wakeupNeo_3 years ago
@@明智吾郎-e4b yeah I switched to ufw now and blocked access to port 22. You can probably do this with firewalld but ufw much more easy to use.
@ianberdahl1083 years ago
Using this on my RazPi!!! Great content as always.!!!
@NetworkChuck3 years ago
Awesome! And thank you.
@The_Unexpected_Inquisitor3 years ago
Please do more blue team stuff. Hacking into system as attacker is one thing, but at the end the whole idea of ethical hacking is to find vulnerability and then know how to secure them.
@rickh69633 years ago
Awesome video Chuck! Thanks !!
@KevinPfeifer3 years ago
Steps 1-4 I can understand and recommend too, but the ping part in step 5 is just so unnecessary in my opinion. Sure you can block pings but any "good" hacker has many other tools to check if your server is still running (ahem.... nmap... ahem). I would also recommend any linux admin to install and set up at least a basic fail2ban config to automatically block any recurring SSH logins or any other brute force attacks trying to get into your services
@juandaxp38513 years ago
Legend!!! loving it every time I check your channel the subscribers are more every day. Looking forward to seeing you with 1M. You deserve it mate! all the best!
@JozzyOzzy3 years ago
Exactly what I need
@ShinyTechThings3 years ago
@JazzyOzzy What are you running on your server? These 5 things are a start on hardening but nowhere near being hardened to a security standard like NIST.
@cauxxx24543 years ago
I always automatic update my servers and never see anyone talking about this (even in "how to security") Quality content++
@明智吾郎-e4b3 years ago
How do you update it automatically? unattended-upgrades?
@EuroNutellaMan a year ago
How to be unhackable: do not connect to the internet.
@Josh-Barnett9 months ago
Just don't use a computer
@xdila52028 months ago
Just
@EuroNutellaMan8 months ago
J
@CCHO123467 months ago
@Unknown-Name-g5s7 months ago
The hacker will still connect to your pc on miniport and it won't even tell you they change the code with python so it make it look like it working but is on..
@mrr0r5083 years ago
Instructions unclear. Logged into Chuck's personal PC and traumatized by photo directory.
@jmhm173 years ago
I miss the twitch live streams. "Connection refused" is still saying "I'm here, scan my ports"
@jmhm173 years ago
@@asificam1 it's common practice in network security to block echo replies and not send unreachable. No reply means you don't exist period. But yes good point in this scenario since he spun up Apache
@raginranga34943 years ago
It only slows hackers down rather like a locked door.. Criminals just go through Windows!
@herpderp52223 years ago
What is the general consensus/opinions of Port knocking or Single Packet Authorization (FWKNOP) to keep ports closed until actively ready to use?
@DETONAAAAAAAATE2 years ago
500K views! Congrats man. Love the vids.
@TH-X10003 years ago
Good starting guide and well explained, still missing tons of hardening activities, for example unattended upgrades and other. But I guess these things are better than what 90% of the folks implement out there so it's not about out-running the hungry lion, just running faster than the guy behind you...
@tempest-5233 years ago
Thanks, this really came in handy hardening the server I just set up. We are living in amazing times when you can learn so much online these days.
@ericsimaginaryfriend3 years ago
$HOME also works as shorthand for your own user directory in Windows 10
@Leo-sd3jt3 years ago
%userprofile% is the one that tends to work across the board in windows
@missunderstood73313 years ago
The comments are always great on Network Chuck's videos. Thanks for the content too..
@madeyeQ3 years ago
Some good advice there. Security is always about layers. If one layer is breached the next should take over. I have found that limiting the allowed from address to SSH can make a big difference in how many break-in attempts you see. Even if you don't have a static IP, your ISP will only have a limited range of IPs he can give you and you can allow only that range. It's also a good idea to use something like fail2ban. It automatically bans IPs that e.g. have a certain number of failed SSH login attempts. Works rather well :-)
@laughingalien3 years ago
Great recommendations, Madeye.
@zacktim30562 years ago
Excellent as always 😊
@4dailyrunner3 years ago
Auto updates- you make a great suggestion, but I have had automatic updates automatically break stuff... usually in the middle of the night or Friday at 4:30p.
@Darkk69693 years ago
For basic servers auto updates should be ok. However, when you have stuffs like MariaDB, PHP, python and etc things can break.
@tannan82533 years ago
hey man thanks for the Linode and some skill to go long with it, much respect!!!
@maciejkokot83963 years ago
Is moving port 22 elsewhere really any good when nmap exists?
@thegalacticwarrior71133 years ago
Many hackers use a bot to scan for port 22 and try a couple of common passwords, so moving to a different port is a very good defense against anything but a targeted attack.
@maciejkokot83963 years ago
@@thegalacticwarrior7113 good call, but then moving it in conjunction with deactivating root and disabling passwords is a bit of an overkill, isn't it? ;)
@thegalacticwarrior71133 years ago
@@maciejkokot8396 I have an ssh server on the open internet; I'm not taking any chances.
@golfvr6charged3 years ago
Great video as usual chuck
@lordofhack53683 years ago
i love the "warning" it gives when adding users not as root - with great power comes great responsibility
@glendubie2 years ago
Great video Chuck. Thanks
@williamheffernan10453 years ago
So first off thank you so much Chuck for these. These are amazing. I am retired Navy and currently in HR but want to make the switch to IT. I LOVE computers but always got frustrated so I didn't want to do it as a job, but learning makes it better. So I did this and followed your steps and secured my server. Problem is, I like to connect through terminus remotely from my iPhone/iPad. I would love a video on how to add multiple authorization keys. I guess I could make multiple users each with their own key (user-iPad, or user-iPhone) but I was wondering how you would tackle multiple keys for one user. Also is it possible to stick the keys on a thumb drive to use from another machine? I am reversing the steps because my dumb ass created keys on my windows machine for another server and overwrote the old keys *face palm* so now I am having trouble ssh'ing in.
@monsterkush11 a year ago
You could just copy the private key to your iPhone maybe, idk how that works from iPhone but there are ssh clients for iPhone so I'm sure they have the option for adding keys
@Sidibaba_Heiba3 years ago
This is a great video. Thank youuuuuuu 💙💙
@steviebarrett3 years ago
Another great video Chuck, turns out I have already done most of these on my two linux VMs at home. Oh yeah and guess who just landed a new job as a Cloud Engineer ... ?
@calistan54313 years ago
Another great video thank you networkchuck!!
@learnprogramming38853 years ago
Great video! I've learned many things. You always explain the things simple and understandable. If you don't mind, I just saw that in the final step you've added existing rule at the top for the `--icmp-type echo-request -j DROP`. I've tested it with simply changing that rule at the bottom and it works. Is it for a reason done this way? Also after the `ufw reload`, I've tried with just restarting the ping and it worked - for this I think there is no need to reboot the whole server, except if it is under some kind of attack already.
@kaushalc17663 years ago
Thanks for the video.
@DebdutBiswasOnline3 years ago
A good Linux tutorial by Chuck, yep these are the good measures discussed in this tutorial. I use ssl proxy (stunnel/nginx) to encapsulate SSH connection and also use SSLH to multiplex (more corrected ALPN based forwarding) ssl proxy encapsulated SSH connection through same port number as my web server (443).
@kamurashev3 years ago
It's just the best stuff I saw on KZbin, I mean it. Simple things, useful things, but man you have a style. Thanks a lot for your work!
@joshuapettus69733 years ago
It seems standard IT advice is to replace the password in ssh with the RSA key, but this thinking, I feel, is wrong. I would only do that if it was intranet only and I was feeling lazy. You can, and it's much better to, use both! What if a machine that had your RSA private key somehow gets compromised (I for one have multiple, some of which are portable)? You would be done. Yes you can put a passphrase on the private key, but you are just buying yourself time, if you even know it was compromised in the first place. Having the password as well is a simple way to have MFA which is a must for any server you have on the internet. The RSA key is the thing you have, coupled with the thing you know i.e. password. Set up fail2ban on SSH, to protect against simple brute force, and you got a fairly strong setup. Even better is what I do and set up Google Authenticator on that SSH stack, but I'll admit that may be overkill :). Also another bit of SSH advice is make it so the SSH user has no administrative powers, don't even put them in the sudoers group. Remember sudo allows administrative privilege with the same password used to log in. Once you log in, you should elevate your privilege by using su to an administrator account (someone who is in sudoers). This is the way Cisco switches are by default and it's good practice. Security in layers :)
@okay12962 years ago
Add a layer of security with encrypting your home folder/even better your whole machine with luks. Lose it? The attacker will see nothing. Yeah even that could be hacked (extremely hard) but it makes it harder and adds a layer.
@MrPlazma8 days ago
I have a question if you don't mind. I use a vps (ubuntu server) and created a user that has no sudo permission. It can just create folders and run files. However, when I log into WinSCP (file transferring program) with this restricted user I can go back folders and I can access folders that only the root user should see. Can I make it so that the restricted user can only access his folders? Meaning the console and the winscp would only allow that restricted user to be in his only home folder and can't back up to root folders? I would like to occasionally upload folders to this restricted user from my windows pc to this user on the vps. But the winscp and putty commandline should only allow this user to have access to his own directories and not other users as well. You know the 2 dots at the top of the folders. If you click on the two dots it sends you back one directory. And the restricted user can see other things he shouldn't have. And I don't know how to do that.
@joshuapettus69738 days ago
@@MrPlazma I'd double check the permission on the directory you wish to deny. Seems like you set the everyone permission to have read. What you want is something like 770 assuming root is owner
@joshuapettus69738 days ago
@@okay1296 oh definitely a thing to do. It would only protect your device when it is off though, i.e. physically stolen or viewed outside the system in a vps situation. Your data is unencrypted while the server is live from a user space perspective, i.e. they manage to log in to your machine. Then there is the added hurdle that you have to be able to provide the decrypt password at boot, which can be done remotely with dropbear installed on the initramfs.
@Lampe20202 years ago
12:45 "etsie" is one of my favourite Linux-typical-directory nick names😄
@d00dEEE3 years ago
All excellent with one nitpick: changing ssh port from 22 is sort of useless, as anyone who cares already has a port scanner and doesn't even bother checking just the default. (And, yeah, like others have said, I'd add fail2ban to the list, but that's for another video where you can talk through the details and reasons behind them.)
@konev13thebeast2 years ago
Looked through the comments specifically for someone that agreed on this point
@d00dEEE2 years ago
@@konev13thebeast I've got to admit, though, that changing the port reduces the size of the log files. Just out of curiosity, I swapped between 22 and 1234 (I think it was) a few times, and the frequency difference is enormous. Drive-bys on 22 are about 20-30/hour for me, fell to about 2-3/day with the non-standard port.
@konev13thebeast2 years ago
@@d00dEEE how important is it to monitor ssh logs unless there's a massive spike though? From my experiences from windows servers, firewall can handle most flooding issues fine. Genuine question, I've never touched a linux server before
@Cesar33-pl3 years ago
Excellent video, that is what I was looking for
@mihaidoboga3 years ago
Nice video! But you should have used a port number above 1024 :)
@sterling19893 years ago
Why?
@mihaidoboga3 years ago
@@sterling1989 Because port numbers in the range 0 - 1023 are the well-known ports (system ports) which are mainly used by system processes.
@lordbyron_3 years ago
@@mihaidoboga Port 717 is not a standardized port. It won‘t interfere with anything. If you want to check all important/standardized ports, checkout this site: en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
@unstoppable-ar32923 years ago
Love you Chuck, thanks man! I know everything you mentioned but enjoyed every moment of it.
@tim0n2433 years ago
Maybe you can also make an Video to take the SSH Security to the next Level with fail2ban and totp authentication😉, would be nice to see this.
@michaellerch3 years ago
Fail2ban is nice!
@lcgn3 years ago
Or SSH tarpit
@raginranga34943 years ago
@@abanoubmelad2919 GO 127.0.0.1
@herpderp52223 years ago
Port knocking or it's successor single packet authorization (fwknop)
@cyberopal973 years ago
This would be really nice to have this also explained to go another step ahead.
@mikaela11198 months ago
BETTER explanation than my linux teacher. Excellent bro 👊🏼
@thomascodes3 years ago
Very informative video. It's a very big misconception that Linux systems are secure from hackers.. Everything with an operating system and a signal is not 100% secure..
@paul300032 years ago
Apart from automatic updates, been doing the rest. Great video, I learned something new.
@KaaiKivi3 years ago
I think fail2ban is even more important than ufw
@scottseymour88553 years ago
I was gonna say add fail2ban and apparmor or selinux and set those up
@jag8313 years ago
Tried it. Instead of having 1000 brute force attempts from 50 ips, I got 1000 brute force attempts from 350 different ips. Now I had 300+ ip blocked
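The fail2ban suggestions in the comments, together with the observation just above about attempts spread over many addresses, as an added example that is not part of any comment: a POSIX shell sketch of per-IP ban logic run over sshd log lines. `maxretry` and `findtime` mirror fail2ban's option names, but this is not fail2ban's own code; the log lines are constructed with documentation addresses and all timestamps are assumed to fall on a single day.

```bash
#!/bin/sh
# Added example (not from the video or the comments).
# Per-IP brute-force detection over sshd "Failed password" log lines.
# Assumptions: classic syslog layout, entries in time order, one calendar day.

# ssh_failures FILE: emit "<seconds-since-midnight> <source-ip>" per failure.
ssh_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        ip = ""
        # The user name is attacker-controlled and may itself be "from",
        # so keep the LAST "from <addr>" pair on the line.
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        split($3, t, ":")
        print t[1] * 3600 + t[2] * 60 + t[3], ip
    }' "$1"
}

# ban_candidates FILE MAXRETRY FINDTIME
# Prints every source with MAXRETRY failures inside FINDTIME seconds.
ban_candidates() {
    ssh_failures "$1" | awk -v maxretry="$2" -v findtime="$3" '{
        n = ++count[$2]; seen[$2, n] = $1
        # compare this failure with the one (maxretry - 1) entries earlier
        if (n >= maxretry && $1 - seen[$2, n - maxretry + 1] <= findtime)
            flagged[$2] = 1
    } END { for (ip in flagged) print ip }' | sort
}

# failure_summary FILE: prints "total=<failures> sources=<distinct addresses>"
failure_summary() {
    ssh_failures "$1" | awk '
        { total++; if (!($2 in c)) { c[$2] = 1; sources++ } }
        END { printf "total=%d sources=%d\n", total, sources }'
}

# Constructed sample: one fast source, one slow source, four one-shot sources.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar  3 10:00:09 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 40030 ssh2
Mar  3 10:00:17 web1 sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 40044 ssh2
Mar  3 10:00:25 web1 sshd[1207]: Failed password for invalid user from from 203.0.113.5 port 40051 ssh2
Mar  3 10:00:41 web1 sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 40060 ssh2
Mar  3 10:05:00 web1 sshd[1300]: Failed password for root from 198.51.100.20 port 51000 ssh2
Mar  3 10:35:00 web1 sshd[1310]: Failed password for root from 198.51.100.20 port 51004 ssh2
Mar  3 11:05:00 web1 sshd[1320]: Failed password for root from 198.51.100.20 port 51009 ssh2
Mar  3 11:35:00 web1 sshd[1330]: Failed password for root from 198.51.100.20 port 51013 ssh2
Mar  3 12:05:00 web1 sshd[1340]: Failed password for root from 198.51.100.20 port 51020 ssh2
Mar  3 12:10:01 web1 sshd[1401]: Failed password for root from 192.0.2.10 port 33001 ssh2
Mar  3 12:10:02 web1 sshd[1402]: Failed password for root from 192.0.2.11 port 33002 ssh2
Mar  3 12:10:03 web1 sshd[1403]: Failed password for root from 192.0.2.12 port 33003 ssh2
Mar  3 12:10:04 web1 sshd[1404]: Failed password for root from 192.0.2.13 port 33004 ssh2
Mar  3 12:20:00 web1 sshd[1500]: Accepted publickey for deploy from 192.0.2.50 port 50000 ssh2
EOF

failure_summary "$SAMPLE_LOG"
ban_candidates "$SAMPLE_LOG" 5 600
```

With `maxretry` 5 and `findtime` 600 only 203.0.113.5 is listed; the slow source and the four single-attempt sources stay under the per-IP threshold, which is the pattern the comment above describes.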
@fuatkaradeniz3 years ago
Thanks Chuck. Can you also make a video about SELinux? How that works with some examples?
@Carmoca3 years ago
Respectfully, I think you missed the point for installing certificates AND disabling password logins. I suggest re-watching the video at kzbin.info/www/bejne/kJmwqGhpisllqrs and kzbin.info/www/bejne/kJmwqGhpisllqrs . Network Chuck is suggesting forcing the user(s) to use certificates AND disallow (simple) password logins. Since such a system forces the user to have a certificate installed AND can NOT log in via a simple password request there is no reason to use fail2ban. I've used fail2ban in the past - in fact, I was even -- initially -- thinking fail2ban would be a good addition to this video. However, in retrospect, using certs removes a user's/hacker's ability to brute force a password and, therefore, is not required. Peace. :) V/r
@sethmccoun86363 years ago
Agreed
@odethebear3 years ago
Love your videos, so well explained.
@PatrickHener3 years ago
Just to be clear I love your videos. They are very informative and well produced. But I have to add some commentary on what you just showed (from a perspective of a professional pentester):
- Although updates are crucial like you explained, an automated update mechanism (even if it is just the stables) might break something upon updating. So you might consider automatic updates a risk depending on your situation.
- The mac command to copy your public key to the server will also work on linux the exact same way (although your command is shorter and easier to remember).
- Using a password upon generation of your key pair is recommended. So when your private key is getting hacked somehow it will be useless if the password is not easily guessable.
- In general just use strong (random) passwords and store them in a safe location like a password store.
- Changing the port of your ssh listener is just security by obscurity. Any port scanner using a service scan can show you that ssh is listening on port 717 (like for example nmap -sSV ...).
- Deactivating ping once again is security by obscurity. Nmap has the flag -Pn which will scan your ip address no matter if the server answers to a ping or not.
Other than that your counter measures are very well designed and really well explained. Thanks for sharing that content.