WEBVTT 1 00:00:00.120 --> 00:00:04.160 Welcome to the deep dive. Today, we're tackling Linux security 2 00:00:04.160 --> 00:00:08.039 and hardening. It's not just about servers anymore, is it. 3 00:00:08.080 --> 00:00:12.240 I mean Linux is everywhere now, cloud stuff, IoT devices, 4 00:00:13.000 --> 00:00:15.279 even your smart fridge maybe. 5 00:00:15.119 --> 00:00:19.079 Right, So understanding how to lock these systems down is 6 00:00:19.280 --> 00:00:20.440 becoming way more critical. 7 00:00:20.719 --> 00:00:22.760 So our goal in this deep dive is really to 8 00:00:22.760 --> 00:00:25.719 pull out the most practical, actionable stuff from our sources 9 00:00:26.039 --> 00:00:28.879 help you build a more secure Linux setup exactly. 10 00:00:28.960 --> 00:00:31.000 We've gone through a lot of material covers pretty much 11 00:00:31.000 --> 00:00:34.840 everything from like the initial setup to more advanced things 12 00:00:35.119 --> 00:00:39.719 intrusion prevention, data protection, all that. Okay, we'll hit on updates, firewalls. 13 00:00:39.719 --> 00:00:43.240 Think of those as your digital border control, h encryption 14 00:00:43.359 --> 00:00:46.399 obviously access control, who gets to do what, and you know, 15 00:00:46.759 --> 00:00:48.920 tools to spot threats. We want to give you real 16 00:00:48.960 --> 00:00:52.840 world knowledge, but without drowning you in jargon. 17 00:00:52.960 --> 00:00:55.200 Good and to make it practical. A lot of the 18 00:00:55.240 --> 00:00:58.920 source materials suggests using virtual box for practice environments. 19 00:00:59.039 --> 00:01:02.240 Yeah, that's a great tip. Virtual box is fantastic. It's free, 20 00:01:02.320 --> 00:01:05.359 runs on almost anything, Windows, Linux, Mac. 21 00:01:05.359 --> 00:01:06.560 Even Solaris apparently. 22 00:01:06.640 --> 00:01:09.719 Ah yeah, if you're feeling nostalgic, and the examples will 23 00:01:09.760 --> 00:01:13.719 draw on used various Linux versions Bontouo server, Sento seven, 24 00:01:14.159 --> 00:01:19.439 Analynux eight eight and nine, Fedora two. So good mix, okay, 25 00:01:19.640 --> 00:01:22.959 And for anyone listening who's on Windows, connecting to those 26 00:01:23.000 --> 00:01:26.040 Linux vms is key, right right. So the sources mentioned 27 00:01:26.040 --> 00:01:28.879 tools like siguin or you know, the built in SSH 28 00:01:28.920 --> 00:01:31.760 client in Windows ten and eleven, they get you into 29 00:01:31.760 --> 00:01:32.480 your Linux lab. 30 00:01:32.840 --> 00:01:34.760 Perfect. Okay, So where do we start. 31 00:01:34.920 --> 00:01:37.120 Let's dive right in with the absolute foundation. 32 00:01:38.439 --> 00:01:42.560 Keeping systems updated updates always fun, though I guess it's 33 00:01:42.560 --> 00:01:46.959 maybe less painful on Linux than say Windows sometimes. 34 00:01:46.719 --> 00:01:50.319 Generally, yeah, it's often more streamlined, but it's completely non 35 00:01:50.319 --> 00:01:53.560 negotiable for security, you've got to patch those vulnerabilities. Think 36 00:01:53.599 --> 00:01:56.640 of it like regular checkups for your system's health. 37 00:01:57.040 --> 00:01:59.159 Makes sense. So how does it work on say a 38 00:01:59.200 --> 00:02:00.799 Buntu or Debi based systems. 39 00:02:00.840 --> 00:02:04.120 Pretty simple? Actually, two main steps. First, apped update that 40 00:02:04.239 --> 00:02:06.719 just refreshes the list of what packages are available, like 41 00:02:06.840 --> 00:02:09.960 checking the catalog. Then apped upgrade that's the part that 42 00:02:10.000 --> 00:02:13.400 actually downloads and installs the new versions. Puts the potentially 43 00:02:13.400 --> 00:02:15.000 more secure stuff in place. 44 00:02:14.759 --> 00:02:16.360 And you can automate this, right, I think I saw 45 00:02:16.400 --> 00:02:17.120 something about that. 46 00:02:17.039 --> 00:02:19.479 You absolutely can on a Buntu, you can tweak a 47 00:02:19.520 --> 00:02:23.319 file at captaped dot com dot D twenty auto auto upgrades. 48 00:02:23.439 --> 00:02:26.800 Right inside there, there's a setting apt dot periodic dot 49 00:02:26.879 --> 00:02:29.000 unattended upgrade. You can set it to one one for 50 00:02:29.080 --> 00:02:30.199 fully automatic. 51 00:02:29.800 --> 00:02:32.120 Installs, or you can just get notified. 52 00:02:31.680 --> 00:02:34.360 Exactly set it to zero one to disable the installed part. 53 00:02:34.400 --> 00:02:36.439 But you can still configure it to download or just 54 00:02:36.479 --> 00:02:39.919 notify you. Gives you that balance, you know, convenience versus control. 55 00:02:40.520 --> 00:02:43.960 Nice? And what about the red hat world CentOS on 56 00:02:44.039 --> 00:02:44.599 my Linux? 57 00:02:44.879 --> 00:02:47.919 Similar idea, different commands. You'll use YUM on older stuff 58 00:02:47.960 --> 00:02:51.080 like Cento AS seven or DNF on the newer ones 59 00:02:51.120 --> 00:02:53.680 like Almal Linux eight and nine. Same principle, they'll get 60 00:02:53.680 --> 00:02:55.159 those security patches installed. 61 00:02:55.199 --> 00:02:58.639 And if you really want to stay on top of vulnerabilities. 62 00:02:57.919 --> 00:03:01.719 The CVE database is your friend, Common Vulnerabilities and Exposures. 63 00:03:01.879 --> 00:03:07.039 It's at CVET minor dot org. Basically the public library 64 00:03:07.080 --> 00:03:10.319 of known security flaws, central reading. 65 00:03:10.000 --> 00:03:15.560 Really okay, updates covered next up firewalls building those digital walls. 66 00:03:15.680 --> 00:03:19.240 Yes, the bouncers for your network traffic, deciding who gets 67 00:03:19.240 --> 00:03:20.400 in who stays out. 68 00:03:20.759 --> 00:03:23.360 And for Ubuntu, the go to seems to be uf 69 00:03:24.759 --> 00:03:26.199 uncomplicated firewall. 70 00:03:26.360 --> 00:03:28.800 That's the one. Don't let the name fool you though. 71 00:03:28.879 --> 00:03:33.039 It's pretty capable for common tasks enabling it, disabling. 72 00:03:32.560 --> 00:03:35.080 It, allowing specific things like SSH so you don't lock 73 00:03:35.080 --> 00:03:36.280 yourself out crucial point. 74 00:03:36.360 --> 00:03:38.560 Yeah yeah, oof to allows sefsh is probably one of 75 00:03:38.560 --> 00:03:41.319 the first rules you'll set. It manages the underlying rules 76 00:03:41.319 --> 00:03:41.599 for you. 77 00:03:41.879 --> 00:03:44.639 So UFOs is like a front end for eptables or 78 00:03:44.759 --> 00:03:46.080 NF tables exactly. 79 00:03:46.240 --> 00:03:49.759 It simplifies managing them. On older systems, it was mainly iptables. 80 00:03:50.159 --> 00:03:53.240 Newer Ubuntu uses NF tables by default. Now okay, but 81 00:03:53.240 --> 00:03:55.879 oof is smart enough to translate your simple commands into 82 00:03:55.919 --> 00:03:58.360 the right rules for whichever back end is running. So 83 00:03:58.439 --> 00:04:00.919 even with NF tables handles the complexity. 84 00:04:01.080 --> 00:04:04.479 But understanding the basics of how iptables or NF tables work, 85 00:04:04.639 --> 00:04:07.280 chains rules matching packets is still useful. 86 00:04:07.360 --> 00:04:10.120 Oh definitely. It helps understand why the rules work. And 87 00:04:10.159 --> 00:04:14.159 modern firewalls like these are stateful stateful meaning meaning they 88 00:04:14.199 --> 00:04:18.040 track active connections. So if you initiate a connection out, 89 00:04:18.120 --> 00:04:20.439 the firewall knows to allow the return traffic for that 90 00:04:20.519 --> 00:04:24.160 specific conversation. It's much smarter than just basic packet filtering. 91 00:04:24.360 --> 00:04:25.600 Big security advantage. 92 00:04:25.720 --> 00:04:29.959 Gotcha. Now shifting to red hat systems, firewalled is the 93 00:04:29.959 --> 00:04:30.839 tool there, yep. 94 00:04:31.000 --> 00:04:34.360 Firewalled similar goal to rent managing rules, but it works 95 00:04:34.360 --> 00:04:36.519 a bit differently. You check its status, make sure it's. 96 00:04:36.399 --> 00:04:38.639 Running, and it uses zones, right. What's that about? 97 00:04:38.920 --> 00:04:43.480 Zones are a key concept like public home, internal DMZ. 98 00:04:44.000 --> 00:04:46.759 Each zone has a default trust level and a set 99 00:04:46.800 --> 00:04:48.120 of allowed services. 100 00:04:47.720 --> 00:04:51.240 Or ports, So you assign network interfaces to zones precisely. 101 00:04:51.600 --> 00:04:53.959 Your public facing web servers interface might be in the 102 00:04:53.959 --> 00:04:57.199 public zone, which is typically quite restrictive, and internal database 103 00:04:57.240 --> 00:04:59.399 server might be in a more trusted internal zone. 104 00:04:59.199 --> 00:05:03.759 And you add services like sshhttp HTTPS to specific zone. 105 00:05:03.480 --> 00:05:07.480 Exactly firewall CMD zone, public AD service permanent. That kind 106 00:05:07.480 --> 00:05:09.839 of thing permanent makes the change stick after a reboot. 107 00:05:09.959 --> 00:05:12.800 You can also add specific ports right like for DNS. 108 00:05:12.519 --> 00:05:15.240 Yeah fort fifty three. For DNS, TCP and UDP, you 109 00:05:15.279 --> 00:05:19.120 can specify the protocol firewall cmd ad port fifty three TCP. 110 00:05:19.399 --> 00:05:23.279 Interesting point about blocking ICMP like pings is that generally 111 00:05:23.279 --> 00:05:24.720 a good idea well, it. 112 00:05:24.639 --> 00:05:29.360 Can reduce your system's visibility slightly, but blocking pings specifically 113 00:05:29.560 --> 00:05:33.120 ICMP type eight echo requests and type zero echo replies 114 00:05:33.720 --> 00:05:37.360 can sometimes make troubleshooting harder. Our sources suggests maybe blocking 115 00:05:37.439 --> 00:05:40.639 redirect messages type five is more useful, but yeah, you 116 00:05:40.680 --> 00:05:43.800 might allow pings temporarily if you're diagnosing network issues. 117 00:05:43.879 --> 00:05:47.560 Okay. And firewalled has a panic mode. Sounds dramatic. 118 00:05:47.639 --> 00:05:49.399 It is. It's like the big red button if you 119 00:05:49.399 --> 00:05:53.199 think you're under active attack. Firewall cmd panic on. It 120 00:05:53.279 --> 00:05:57.000 drops all network traffic in and out instantly isolates the system. Wow. 121 00:05:57.120 --> 00:05:59.759 Okay, hopefully not need it often. And logging, can you 122 00:05:59.759 --> 00:06:00.680 see it's being blocked? 123 00:06:00.759 --> 00:06:04.839 Yes, boken log drop packets with check varlog, curn dot 124 00:06:04.839 --> 00:06:08.600 log usually okay. With firewalled on RHL type systems, it's 125 00:06:08.600 --> 00:06:11.639 typically varlog messages really useful for seeing if your rules 126 00:06:11.680 --> 00:06:14.480 are working as expected or something legitimate is being blocked. 127 00:06:14.680 --> 00:06:17.879 The sources mentioned rich rules in Fireworld. What are those? 128 00:06:18.360 --> 00:06:21.639 Ah? Rich rules give you much more fine grain control. 129 00:06:22.160 --> 00:06:25.519 You can create rules based on source, IP destination, port 130 00:06:25.720 --> 00:06:27.759 protocol specific actions. 131 00:06:29.040 --> 00:06:31.920 Very powerful, more complex than just adding a service. 132 00:06:31.639 --> 00:06:35.399 Way more flexible. Yeah, let's you build really specific policies. 133 00:06:35.120 --> 00:06:37.959 And you can directly mess with iptables or NF tables 134 00:06:38.000 --> 00:06:40.439 even when using Fireworld. But maybe shouldn't. 135 00:06:40.680 --> 00:06:44.079 Generally Yeah, especially with the direct rules feature in firewalled. Yeah, 136 00:06:44.160 --> 00:06:46.240 it's usually best to stick to the standard zone and 137 00:06:46.240 --> 00:06:50.720 service commands or rich rules. Direct rules are powerful, but 138 00:06:50.800 --> 00:06:53.480 easier to mess up and break your firewall. Last resort 139 00:06:53.519 --> 00:06:54.120 really got it? 140 00:06:54.360 --> 00:06:59.040 Okay, firewall's done. Let's talk encryption. Keeping secret secret absolutely. 141 00:06:58.600 --> 00:07:02.160 Essential scrambling data to only the right people or systems 142 00:07:02.319 --> 00:07:03.319 with a key can read. 143 00:07:03.199 --> 00:07:05.240 It, and Linux has quite a few tools for this. 144 00:07:05.439 --> 00:07:08.600 It does for individual files, GPGG and U. Privacy Guard 145 00:07:08.639 --> 00:07:09.800 is a classic. 146 00:07:09.800 --> 00:07:12.360 Very romantic, symmetric and asymmetric YEP. 147 00:07:12.959 --> 00:07:16.519 Symmetric uses one secret key for both locking and unlocking. 148 00:07:17.000 --> 00:07:20.120 Asymmetric uses a key pair public key to encrypt, private 149 00:07:20.199 --> 00:07:23.959 key to decrypt. The sources touch on creating keys, which 150 00:07:23.959 --> 00:07:27.519 involves understanding randomness or entropy for strong. 151 00:07:27.240 --> 00:07:30.480 Keys okay, and for whole discs or partitions. 152 00:07:30.680 --> 00:07:34.759 LUKS is the standard Linux unified key setup. Great for 153 00:07:34.800 --> 00:07:37.560 adding a new encrypted drive or encrypting a USB stick. 154 00:07:37.759 --> 00:07:40.399 You set a passphrase to unlock it right. Usually happens 155 00:07:40.399 --> 00:07:42.360 a boot time or when you plug the device. 156 00:07:42.079 --> 00:07:45.079 In, and E crypts that was for encrypting directories exactly. 157 00:07:45.079 --> 00:07:47.800 It encrypts just a specific folder within your file system 158 00:07:48.240 --> 00:07:49.439 creates an encrypted layer. 159 00:07:49.480 --> 00:07:50.800 How does that work in practice? 160 00:07:50.959 --> 00:07:54.199 You use a moult command basically mountain x t crypt's 161 00:07:54.360 --> 00:07:56.680 path do encrypted past to mount point. It asks for 162 00:07:56.680 --> 00:07:59.959 a passphrase encryption settings. Then your files are purity ECRYPTI 163 00:08:00.040 --> 00:08:02.160 in the mount point, but are stored encrypted underneath. 164 00:08:02.240 --> 00:08:06.920 Clever. Okay, move into network encryption TLSSSL certificates. We have 165 00:08:06.959 --> 00:08:07.959 to talk about Let's encrypt. 166 00:08:08.040 --> 00:08:10.639 Oh yeah, Let's encrypt has been a massive game changer. 167 00:08:10.959 --> 00:08:15.879 Free automated TLS certificates made HTTPS way more accessible compared to. 168 00:08:15.879 --> 00:08:17.560 The traditional certificate authorities. 169 00:08:17.839 --> 00:08:21.600 Right. Traditional cas often cost money, involve more manual validation, 170 00:08:22.040 --> 00:08:25.720 but might offer different warranty levels or support options. Depends 171 00:08:25.759 --> 00:08:26.439 on your needs. 172 00:08:26.560 --> 00:08:30.120 And sometimes you need to create your own self signed SERTs. 173 00:08:30.319 --> 00:08:33.080 Yeah, for internal testing maybe development. You use the open 174 00:08:33.080 --> 00:08:34.240 as a cell toolkit for that. 175 00:08:34.320 --> 00:08:39.759 The sources mentioned RSA and elliptic curve keys and NIST recommendations. 176 00:08:39.039 --> 00:08:43.200 Yep OpenSL can create both. NIST is recommending stronger keys 177 00:08:43.240 --> 00:08:47.360 now think three seventy two bit RSA or three hundred 178 00:08:47.480 --> 00:08:49.559 four bit ecdsa minimum. 179 00:08:49.600 --> 00:08:51.879 Why the push for stronger keys partly? 180 00:08:51.879 --> 00:08:55.399 Faster computers but also looking ahead to quantum computing longer 181 00:08:55.519 --> 00:08:58.240 RSA keys can have a slight performance hit, though elliptic 182 00:08:58.279 --> 00:09:00.559 curve is often faster for the same secure level. 183 00:09:00.720 --> 00:09:02.440 Interesting dog tag came up too. 184 00:09:02.279 --> 00:09:04.240 What's that dog tag? Is more of an enterprise thing. 185 00:09:04.399 --> 00:09:07.279 A full certificate system like running your own internal caa 186 00:09:07.720 --> 00:09:10.200 much bigger scale than just making one offserts with open 187 00:09:10.399 --> 00:09:12.399 SSL more complex. 188 00:09:11.960 --> 00:09:14.840 Too, and red hat has system wide crypto policies. 189 00:09:14.879 --> 00:09:17.320 Now yeah, RHL eight and later, let's use set a 190 00:09:17.399 --> 00:09:20.240 policy like default or legacy or future future. 191 00:09:20.240 --> 00:09:21.679 Being the strongest right. 192 00:09:22.000 --> 00:09:26.039 Enforces stronger algorithms and protocols across the whole system. SSHTLS 193 00:09:26.120 --> 00:09:28.799 everything helps keep things consistent. They also have fits mode 194 00:09:28.840 --> 00:09:29.679 for government. 195 00:09:29.320 --> 00:09:32.039 Compliance and even mentions of quantum resistant encryption. 196 00:09:32.399 --> 00:09:35.120 Looking way ahead, it's on the horizon, something to keep 197 00:09:35.159 --> 00:09:36.879 an eye on for long term data protection. 198 00:09:37.000 --> 00:09:40.000 Okay, fascinating stuff. Let's pivot to who gets access to 199 00:09:40.080 --> 00:09:43.240 what on this system. Discretionary access control or. 200 00:09:43.320 --> 00:09:47.559 DS the absolute basics of Linux permissions, file ownership and 201 00:09:47.679 --> 00:09:49.799 read write execute permissions. 202 00:09:49.919 --> 00:09:52.320 So chound to change the owner or. 203 00:09:52.360 --> 00:09:55.519 Group yep, chound user dot group file name. Pretty straightforward 204 00:09:55.600 --> 00:09:56.480 and shod. 205 00:09:56.159 --> 00:09:58.679 For the permissions themselves using letters or numbers. 206 00:09:58.840 --> 00:10:03.320 Both work. Symbol mode uses r WX for read, write, execute, 207 00:10:03.360 --> 00:10:07.559 and plus or to add or remove permissions for user, U, group, 208 00:10:07.600 --> 00:10:11.960 G or others. Oh like chamaud U plus xscript, dot sh. 209 00:10:11.759 --> 00:10:13.639 And the numbers octal mode. 210 00:10:13.360 --> 00:10:15.960 Right each permission. R w X has a number four 211 00:10:16.039 --> 00:10:18.440 two one you atom up for each category, user, group, other, 212 00:10:18.679 --> 00:10:20.679 So r WX is four plus two plus one and 213 00:10:20.720 --> 00:10:22.960 plus seven. R w is four plus two plus two 214 00:10:23.000 --> 00:10:23.480 U plus. 215 00:10:23.320 --> 00:10:25.399 Six R is four ah so six forty four. For 216 00:10:25.440 --> 00:10:28.200 a file means owner gets read right, six, group gets 217 00:10:28.200 --> 00:10:29.879 read four, others get read four. 218 00:10:29.960 --> 00:10:32.720 Exactly and seven to fifty five. For a directory is common. 219 00:10:33.080 --> 00:10:36.120 Owner gets read right, execute seven, group and others get 220 00:10:36.159 --> 00:10:38.799 red execute five Xcute on a directory means you can 221 00:10:38.919 --> 00:10:39.200 enter it. 222 00:10:39.279 --> 00:10:41.759 What about permissions like six hundred or seven hundred. That's 223 00:10:41.759 --> 00:10:42.799 a litt quiz you mentioned. 224 00:10:43.039 --> 00:10:45.679 Yeah. Six hundred means only the owner can read and write. 225 00:10:45.919 --> 00:10:49.639 Very common for private files like SSH keys. Seven hundred 226 00:10:49.679 --> 00:10:52.360 means only the owner can read, write, and executor. Good 227 00:10:52.360 --> 00:10:53.240 for private directories. 228 00:10:53.320 --> 00:10:57.440 Okay, special permissions too. SUI D and sg D they 229 00:10:57.480 --> 00:10:58.080 sound risky. 230 00:10:58.279 --> 00:11:01.840 They can be sid set user ID on an executable 231 00:11:02.000 --> 00:11:04.960 means it runs with the permissions of the file's owner, 232 00:11:05.279 --> 00:11:06.320 not the person running it. 233 00:11:06.360 --> 00:11:08.600 So if root owns a SUID file. 234 00:11:08.399 --> 00:11:11.120 Anyone running it runs it as route. Big security risk 235 00:11:11.200 --> 00:11:14.759 if that program has flaws. Privileged escalation waiting to happen. 236 00:11:14.639 --> 00:11:16.360 And SGID is similar, but for the. 237 00:11:16.279 --> 00:11:19.519 Group YEP runs with the file's group privileges necessary for 238 00:11:19.600 --> 00:11:22.919 some things like the passode command needs SUID to modify 239 00:11:22.960 --> 00:11:25.559 the shadow password file, but you need to be careful. 240 00:11:25.759 --> 00:11:27.000 How do you find these files? 241 00:11:27.000 --> 00:11:29.080 The fine command is great for that. Find it g 242 00:11:29.200 --> 00:11:32.840 tite F SUID nactusq and R NASHU four thousand, NASHUR 243 00:11:32.879 --> 00:11:36.440 two thousand ECGLS that searches for files with either the 244 00:11:36.559 --> 00:11:40.320 SUISH four thousand or SGID Nashua two thousand bit set. 245 00:11:40.600 --> 00:11:44.120 Good to know. Beyond standard permissions, there are extended attributes. 246 00:11:44.240 --> 00:11:47.799 Yeah check command. Let's use set extra flags like chat 247 00:11:47.799 --> 00:11:49.159 plus I file name. 248 00:11:49.320 --> 00:11:50.279 What does plus I do? 249 00:11:50.519 --> 00:11:54.759 Makes the file immutable? Can't be changed, deleted, renamed anything, 250 00:11:55.200 --> 00:11:58.039 even by route until you remove the flag with chat 251 00:11:58.159 --> 00:12:01.399 R great for protecting credit config files. 252 00:12:01.080 --> 00:12:04.720 And access control lists ACLS for more specific permissions. 253 00:12:04.799 --> 00:12:09.039 Right standard permissions are just owner, group others. ACLS let 254 00:12:09.120 --> 00:12:11.840 you give permissions to specific additional users or groups. 255 00:12:11.960 --> 00:12:13.000 How do you manage those? 256 00:12:13.120 --> 00:12:17.279 Set faclmu dot username dot rw filename to give a 257 00:12:17.320 --> 00:12:20.879 specific user ReadWrite get facul file name to see the ACLS. 258 00:12:21.080 --> 00:12:22.320 There's a mask too. 259 00:12:22.320 --> 00:12:24.759 Yeah, the mask can limit the effective permissions for named 260 00:12:24.840 --> 00:12:27.759 users and groups added via ACLS. It's an extra layer 261 00:12:27.759 --> 00:12:31.279 of control. You can remove ACLS with set facul maxx. 262 00:12:30.919 --> 00:12:34.559 Okay lots control. Air Let's shift to managing user accounts themselves. 263 00:12:34.639 --> 00:12:39.000 Account security using pseudo instead of root login seems key. 264 00:12:39.159 --> 00:12:41.559 Absolutely fundamental. Logging in is route all the time is 265 00:12:41.600 --> 00:12:44.720 just too risky. Pseudo let's specific users run specific commands 266 00:12:44.759 --> 00:12:47.279 as route or another user using their own passwords. And 267 00:12:47.279 --> 00:12:51.399 if it's better auditing for one pseudologs who ran what? Plus, 268 00:12:51.480 --> 00:12:54.440 you don't need to share the actual root password less. 269 00:12:54.240 --> 00:12:57.879 Exposure and you can figure it with the pseudo editing 270 00:12:58.360 --> 00:12:59.639 at serdalos of suters. 271 00:12:59.639 --> 00:13:03.639 Correct the pseudo locks the file and check syntax before saving, 272 00:13:03.840 --> 00:13:07.159 which is fafor. You can define rules there grant permissions 273 00:13:07.200 --> 00:13:08.679 to users or better yet. 274 00:13:08.759 --> 00:13:12.279 Groups like the wheel group. On some systems, exactly. 275 00:13:11.960 --> 00:13:14.240 Add users to the wheel group, then give that group 276 00:13:14.279 --> 00:13:17.360 pseudo rights and asceted to suitors. You can also set 277 00:13:17.399 --> 00:13:20.480 things like requiring a password every time defaults, time stamp 278 00:13:20.519 --> 00:13:21.200 timeout zero. 279 00:13:21.320 --> 00:13:23.919 You can get really specific with command aliases too, right, 280 00:13:24.159 --> 00:13:24.840 but be careful. 281 00:13:25.279 --> 00:13:28.360 You can create aliases for groups of users or commands, 282 00:13:28.759 --> 00:13:31.960 but broad command aliases like allowing all commands and users 283 00:13:32.000 --> 00:13:34.879 men can accidentally grant way more power than you intended. 284 00:13:35.279 --> 00:13:35.919 Be specific. 285 00:13:36.000 --> 00:13:38.720 Can you allow users to run commands as other users, 286 00:13:38.759 --> 00:13:39.679 not just route? 287 00:13:39.799 --> 00:13:42.919 Yes, other user command The tuterit does file lets you 288 00:13:42.960 --> 00:13:45.919 specify which users a user can run commands as, and. 289 00:13:45.879 --> 00:13:49.200 No pass WD entries avoid those generally. 290 00:13:48.840 --> 00:13:53.159 Yes, very risky. It lets users run pseudo commands without 291 00:13:53.200 --> 00:13:57.240 any password. Prompt only use it if absolutely necessary and 292 00:13:57.279 --> 00:13:59.360 for very specific limited commands. 293 00:13:59.440 --> 00:14:02.840 Good warning and a reminder about default accounts passwords on 294 00:14:02.879 --> 00:14:05.960 IoT devices, change them immediately critical. 295 00:14:06.399 --> 00:14:09.799 That's often the first thing attackers try publicly known defaults 296 00:14:09.840 --> 00:14:11.279 are a huge vulnerability. 297 00:14:11.559 --> 00:14:14.080 The source is also compared to aducer and user ad 298 00:14:14.159 --> 00:14:14.919 What's the difference? 299 00:14:15.080 --> 00:14:18.559 Aducer is usually more interactive, friendlier prompts you for info, 300 00:14:18.759 --> 00:14:21.639 creates the home directory, copy skeleton files. 301 00:14:21.399 --> 00:14:23.000 Can even encrypt the home directory. 302 00:14:23.120 --> 00:14:25.759 Yeah, if you have ecris utils installed aducer can set 303 00:14:25.759 --> 00:14:29.000 that up automatically. User ad is lower level, less interactive, 304 00:14:29.080 --> 00:14:31.799 more script friendly maybe, but you have to do more 305 00:14:31.799 --> 00:14:32.600 set up manually. 306 00:14:32.679 --> 00:14:36.559 Okay, let's talk passwords. Enforcing strong ones with PAM. 307 00:14:36.120 --> 00:14:39.960 PAM pluggable Authentication modules is the framework Linux uses for authentication. 308 00:14:40.039 --> 00:14:43.879 The punked hamduck You'll quality dot so module checks password strength. 309 00:14:44.120 --> 00:14:45.240 How do you configure it? 310 00:14:45.279 --> 00:14:47.960 In files? Under it set a channel d usually in 311 00:14:48.039 --> 00:14:51.519 system auth or password oth or similar common files. You 312 00:14:51.559 --> 00:14:56.399 can set minimum length, require different character types upper case, lowercase, digits, 313 00:14:56.759 --> 00:15:00.840 symbols prevent dictionary words, yep it checks again dictionaries and 314 00:15:00.879 --> 00:15:03.879 common patterns helps prevent really weak passwords. 315 00:15:04.000 --> 00:15:07.480 There's a debate about password expiration versus long pass phrases. 316 00:15:07.679 --> 00:15:11.320 There is Forcing frequent changes often leads people to pick simpler, 317 00:15:11.559 --> 00:15:15.480 guessable passwords or reuse patterns. The current thinking often leans 318 00:15:15.519 --> 00:15:19.919 towards using longer, complex but memorable passphrases and not forcing 319 00:15:19.960 --> 00:15:22.159 expiration unless there's a suspected compromise. 320 00:15:22.320 --> 00:15:26.840 Makes sense, and the peel and Quality package helps On Debiandubuntu. 321 00:15:26.360 --> 00:15:28.440 Yes provides tools in the library for this. 322 00:15:28.639 --> 00:15:31.080 What about checking if passwords have been leaked in breaches 323 00:15:31.320 --> 00:15:32.480 a good proactive step. 324 00:15:32.720 --> 00:15:35.320 You can use APIs like the have a Been Pound 325 00:15:35.399 --> 00:15:39.159 Passwords API. There are command line tools like using curl 326 00:15:39.360 --> 00:15:41.519 to check a hash of your password against the database. 327 00:15:41.600 --> 00:15:43.360 You check the hash, not the password itself. 328 00:15:43.559 --> 00:15:46.720 Crucially, yes, you don't send your actual password. You send 329 00:15:46.759 --> 00:15:48.919 a hash of it, and the service tells you if 330 00:15:48.960 --> 00:15:52.279 that hash exists in the breach data. Much safer, okay. 331 00:15:52.519 --> 00:15:55.919 And ensuring accounts don't stay active forever expiration policies. 332 00:15:56.200 --> 00:16:00.879 The change command is for that changeyyyy mmddd. Username sets 333 00:16:00.879 --> 00:16:02.080 an account expiration date. 334 00:16:02.519 --> 00:16:05.000 Can you force a password change on next log in? 335 00:16:05.120 --> 00:16:08.879 Yep change DoD zero username sets the last change date 336 00:16:08.919 --> 00:16:11.159 to epoc zero forcing a change immediately. 337 00:16:11.159 --> 00:16:14.039 What about locking accounts after too many failed logins? Route 338 00:16:14.039 --> 00:16:15.080 force prevention. 339 00:16:14.799 --> 00:16:18.080 Also done with PAM modules okay, pantally two. On older systems, 340 00:16:18.120 --> 00:16:19.440 PAM faylock is more common now. 341 00:16:19.559 --> 00:16:21.679 Can figure those in et cetera bat D as well. 342 00:16:21.840 --> 00:16:24.879 Yes, typically in files like log ner slide. You said 343 00:16:24.919 --> 00:16:27.279 how many failures trigger a lockout and for how long? 344 00:16:27.360 --> 00:16:28.159 Critical defense? 345 00:16:28.200 --> 00:16:29.720 Can you manually lock accounts too? 346 00:16:29.919 --> 00:16:32.960 Sure? User modeage to L username locks it, user motag 347 00:16:33.039 --> 00:16:36.120 to U unlocks or password to l and passwood you. 348 00:16:36.519 --> 00:16:38.960 The output might differ slightly between distros, but they do 349 00:16:39.000 --> 00:16:39.320 the job. 350 00:16:39.399 --> 00:16:43.919 And finally, BIOCEUEFI security and using a checklist important basics. 351 00:16:43.960 --> 00:16:48.080 Definitely secure boat firmwore passwords. Don't forget the physical or 352 00:16:48.120 --> 00:16:50.960 firmware level, and a checklist helps ensure you cover all 353 00:16:50.960 --> 00:16:51.960 the bases during setup. 354 00:16:52.039 --> 00:16:55.000 Right, let's secure remote access SSH is king. 355 00:16:54.799 --> 00:16:58.879 Here absolutely and securing SSH properly is paramount. First rule, 356 00:16:59.480 --> 00:17:01.879 Use SAH keys, not just passwords. 357 00:17:02.440 --> 00:17:03.840 Why are keys so much better? 358 00:17:04.039 --> 00:17:06.799 They're way harder to root force. A strong key is 359 00:17:06.839 --> 00:17:10.799 cryptographically secure, unlike potentially weak password. You generate a pair. 360 00:17:11.160 --> 00:17:13.799 Private key stays with you. Public key goes on the server. 361 00:17:13.960 --> 00:17:16.680 Generate with skegen recommendations on type and. 362 00:17:16.599 --> 00:17:19.319 Size Yes, cheek and following this guidance, aim for at 363 00:17:19.359 --> 00:17:22.279 least three seventy two bit RSA keys or maybe even 364 00:17:22.279 --> 00:17:25.640 better three hundred and eighty four bit ECDSA keys, stronger 365 00:17:25.640 --> 00:17:26.359 crypto okay. 366 00:17:26.400 --> 00:17:29.000 Then get the public key onto the server's dotch authorized 367 00:17:29.079 --> 00:17:29.559 keys file. 368 00:17:29.680 --> 00:17:31.799 Right this chash copy aid user at host is the 369 00:17:31.839 --> 00:17:33.799 easiest way, or just paste it in manually if you 370 00:17:33.799 --> 00:17:34.039 have to. 371 00:17:34.200 --> 00:17:37.279 Then crucially disabled password log in in et cetera. Strident 372 00:17:37.359 --> 00:17:38.319 fig yes. 373 00:17:38.359 --> 00:17:41.920 Set password authentication no, and also permit root log in no. 374 00:17:42.160 --> 00:17:44.960 Permit root log in no is vital. Don't log in 375 00:17:44.960 --> 00:17:47.119 directly as rootover SSH. 376 00:17:46.920 --> 00:17:50.920 Best practice absolutely log in as a regular user, then 377 00:17:51.079 --> 00:17:54.480 use pseudo. Some distros might default permit rootleg in differently, 378 00:17:54.519 --> 00:17:56.000 so always check and set it to know. 379 00:17:56.519 --> 00:18:00.759 What about two factor authentication for SSH, AD's another layer. 380 00:18:01.200 --> 00:18:04.400 You can use things like Google Authenticator with PAM. Install 381 00:18:04.480 --> 00:18:07.680 the PAM module them PAM Google Authenticator, configure it. 382 00:18:07.680 --> 00:18:09.799 And then you need your key and a code from 383 00:18:09.839 --> 00:18:11.000 your phone exactly. 384 00:18:11.119 --> 00:18:13.640 Time based code makes it much harder for someone even 385 00:18:13.680 --> 00:18:15.119 if they somehow get your private key. 386 00:18:15.559 --> 00:18:19.880 Understanding the SSH encryption algorithms themselves seems important to disabling 387 00:18:19.920 --> 00:18:21.079 weak ones definitely. 388 00:18:21.680 --> 00:18:25.559 SSH uses symmetric ciphers for the main data key exchange 389 00:18:25.559 --> 00:18:29.759 algorithms kex and max for integrity. You should disable older 390 00:18:29.839 --> 00:18:30.759 weaker ones. 391 00:18:30.519 --> 00:18:32.480 And should configure how do you know what you're weak? 392 00:18:32.880 --> 00:18:36.880 Check currentness recommendations, security advisories. Tools like nmap with the 393 00:18:36.960 --> 00:18:39.160 sish to enam algos script can show you what your 394 00:18:39.160 --> 00:18:42.640 server offers. Then you can figure cipher's m max kex algorithms, 395 00:18:42.640 --> 00:18:45.559 directives and should config to only allow strong ones. 396 00:18:45.400 --> 00:18:48.599 And on Alma Linix nine. Those crypto policies help here too. 397 00:18:49.039 --> 00:18:52.920 Yes, update crypto policies can manage the allowed SSH algorithms 398 00:18:52.960 --> 00:18:55.680 based on the policy level, Default, future, et cetera. 399 00:18:55.839 --> 00:19:00.319 Simplifies things, okay, beyond authentication controlling who can connect. 400 00:19:00.200 --> 00:19:03.680 Several ways in should config allow users and allow groups, 401 00:19:03.759 --> 00:19:06.599