WEBVTT 1 00:00:00.080 --> 00:00:03.319 Welcome back to the deep dive. We sort through well 2 00:00:03.399 --> 00:00:05.280 all the noise to bring you insights that really help 3 00:00:05.360 --> 00:00:09.359 you get properly informed. Today we're taking a journey into 4 00:00:09.400 --> 00:00:11.679 the world of Linux. Maybe you've heard about it, seen 5 00:00:11.720 --> 00:00:13.919 it around, maybe even you know tinkered a bit yourself. 6 00:00:14.720 --> 00:00:17.280 But have you ever thought about how to not just 7 00:00:17.519 --> 00:00:20.719 use it, but how to really secure it, like build 8 00:00:20.719 --> 00:00:24.239 an ironclad digital fortress. That's what we're diving into today. 9 00:00:24.359 --> 00:00:28.000 It's a really vital question actually, and it unlocks I think, 10 00:00:28.359 --> 00:00:31.079 the true potential of Linux. I mean, it's incredibly adaptable, 11 00:00:31.239 --> 00:00:34.000 very powerful, but because it's so open, you have to 12 00:00:34.079 --> 00:00:38.079 understand its security. It's not optional. Really. The source material 13 00:00:38.159 --> 00:00:42.280 we're looking at is pretty comprehensive, a great guide. It 14 00:00:42.320 --> 00:00:44.479 takes us right from the first boot up through to 15 00:00:44.520 --> 00:00:45.560 some quiet advanced stuff. 16 00:00:45.600 --> 00:00:47.920 It's a good roadmap for us absolutely. So the plan 17 00:00:48.000 --> 00:00:52.960 for you, the learner listening in, it's kind of three stages. First, 18 00:00:52.960 --> 00:00:54.719 we'll look at the safest way to even get started 19 00:00:54.759 --> 00:00:58.679 with Linux, no risks. Then we'll dig into the basic 20 00:00:58.719 --> 00:01:01.359 security stuff you absolutely need to know keep thinks safe. 21 00:01:01.640 --> 00:01:03.719 And finally we'll get a little peak behind the curtain. 22 00:01:03.960 --> 00:01:07.239 See how the pros, the security experts actually test these systems, 23 00:01:07.879 --> 00:01:10.959 look for weaknesses, goals for you to leave with some clear, 24 00:01:11.079 --> 00:01:16.239 actionable ideas. Feel confident you know, ready for your Linux adventure. Okay, 25 00:01:16.319 --> 00:01:20.920 let's unpack this first bit. Then imagine your Linux curious, right, 26 00:01:21.319 --> 00:01:23.200 you want to try it, maybe a specific version or 27 00:01:23.280 --> 00:01:26.760 just experiment, but you definitely don't want to mess up 28 00:01:26.799 --> 00:01:30.599 your Windows machine or your Mac, your daily driver. Understandable. 29 00:01:30.920 --> 00:01:33.879 This is exactly where virtual machines vms they become your 30 00:01:33.879 --> 00:01:36.680 best friend. Think of a VM as like a whole 31 00:01:36.680 --> 00:01:39.599 separate computer, but it runs inside your actual computer like 32 00:01:39.640 --> 00:01:43.159 a digital sandbox, exactly a sandbox. You can play, experiment, 33 00:01:43.239 --> 00:01:45.840 break things even, and your main system is totally untouched. 34 00:01:46.159 --> 00:01:48.599 The only real limit as well your actual hardware. You 35 00:01:48.599 --> 00:01:51.879 can't give the VM more memory than your PC physically has. 36 00:01:51.799 --> 00:01:54.799 Right, Right, And that's the beauty of using vms for 37 00:01:54.920 --> 00:01:57.920 trying Linux. It's safe, it's easy. You totally avoid dealing 38 00:01:57.920 --> 00:01:59.879 with dual booting, which, let's be honest, can be a 39 00:02:00.079 --> 00:02:03.560 real pain, especially for newcomers. Sometimes it can even mess 40 00:02:03.599 --> 00:02:07.879 things up. There are tools like VMware workstation Player. It's 41 00:02:07.879 --> 00:02:11.000 free for personal use, really accessible, pretty much. The only 42 00:02:11.039 --> 00:02:14.520 thing you need is a CPU, a processor that supports virtualization. 43 00:02:14.919 --> 00:02:17.680 Most modern ones do. Usually it's on by default. 44 00:02:17.759 --> 00:02:20.080 Okay, so you've got your virtual sandbox all set up, 45 00:02:20.240 --> 00:02:24.000 easy enough, but then you hit this wall of choice 46 00:02:24.639 --> 00:02:28.439 Linux distributions or distribus. It feels like there are hundreds, 47 00:02:28.479 --> 00:02:29.639 not just one Linux. 48 00:02:29.360 --> 00:02:30.879 No, there are many hundreds. 49 00:02:30.919 --> 00:02:33.319 Yeah, and for someone new, it's like looking at this 50 00:02:33.560 --> 00:02:36.719 huge menu. Right, everything looks interesting, but you've no idea 51 00:02:36.759 --> 00:02:40.199 what to order. So how do you choose, especially if 52 00:02:40.199 --> 00:02:41.960 you're just starting out. What's the secret? 53 00:02:42.039 --> 00:02:44.280 That's a great question, and it really just comes down 54 00:02:44.319 --> 00:02:46.879 to what do you want to do. Think of distros 55 00:02:46.919 --> 00:02:50.240 as different flavors, maybe different car models. Each one's tuned 56 00:02:50.280 --> 00:02:53.360 for something specific. You've got Ubuntu, which is kind of 57 00:02:53.360 --> 00:02:56.240 the reliable all rounder, good for general use, pretty easy 58 00:02:56.280 --> 00:02:57.240 to get started. 59 00:02:56.879 --> 00:02:58.960 With, Okay, like in Toyota Cari of Linux. 60 00:02:59.000 --> 00:03:02.639 Oh yeah that. Then if you're a gamer, maybe steam 61 00:03:02.680 --> 00:03:05.719 Os makes sense. It's built for that. Got the laptop 62 00:03:05.759 --> 00:03:08.479 you want to revive? Linux Light is super lightweight. Then 63 00:03:08.520 --> 00:03:11.280 you get into the specialists Qubes, I mean that's for 64 00:03:11.360 --> 00:03:15.319 extreme security. Nuts creates totally separate boxes for everything you do. 65 00:03:15.520 --> 00:03:15.800 Right. 66 00:03:15.879 --> 00:03:19.960 And for folks interested in security itself, like testing and whatnot, 67 00:03:20.120 --> 00:03:22.960 there's Collie Linux. It's like a digital Swiss Army knife 68 00:03:23.199 --> 00:03:24.360 packed with security tools. 69 00:03:24.360 --> 00:03:26.400 There hundreds of them apparently, yeah, over. 70 00:03:26.199 --> 00:03:29.199 Four hundred last I checked. So the key is figure 71 00:03:29.199 --> 00:03:33.520 out your goal, is it gaming, battery life, learning, security? 72 00:03:33.919 --> 00:03:37.680 And pick a distro that fits just a one small note. 73 00:03:38.240 --> 00:03:40.560 Some distros, like the ones for tiny computers like the 74 00:03:40.639 --> 00:03:44.560 Raspberry Pie, they use different processor types arm Usually those 75 00:03:44.599 --> 00:03:46.280 won't run easily on your typical laptop. 76 00:03:46.360 --> 00:03:48.919 VM, gotcha, pick the right tool for the job. Yeah, 77 00:03:49.080 --> 00:03:51.240 makes sense. Okay, so you've picked your distro, it's running 78 00:03:51.240 --> 00:03:54.039 in the VM. Now we hit like the first real 79 00:03:54.120 --> 00:03:57.800 security thing. Yeah, user accounts for building this digital fortress. 80 00:03:58.120 --> 00:04:00.319 Who gets the master key? Right? Who's in charge? 81 00:04:00.439 --> 00:04:04.400 Precisely? And this brings us straight to probably the single 82 00:04:04.400 --> 00:04:08.639 most important rule in Linux security. Never ever log in 83 00:04:08.719 --> 00:04:11.479 as the root user for your normal day to day stuff. 84 00:04:11.599 --> 00:04:13.639 Just don't. Okay, why is it so bad? I mean 85 00:04:13.719 --> 00:04:15.599 Windows has administrator. 86 00:04:14.960 --> 00:04:18.360 Accounts, it's different. The root user in Linux is well, 87 00:04:18.399 --> 00:04:21.439 it's god mode absolute power. Windows has that User account 88 00:04:21.480 --> 00:04:24.639 control UAC, that little pop up asking are you sure 89 00:04:24.720 --> 00:04:27.680 before big changes, annoying, pop up annoying maybe, but it's 90 00:04:27.680 --> 00:04:31.120 a safety net. Root in Linux by default doesn't have that. 91 00:04:31.199 --> 00:04:33.000 If you're logged in as root and you make one 92 00:04:33.040 --> 00:04:35.839 typo or run some dodgy script by accident, it can 93 00:04:35.879 --> 00:04:39.120 wipe your entire system, no questions asked. It has complete 94 00:04:39.120 --> 00:04:39.720 total control. 95 00:04:39.879 --> 00:04:42.480 Hikes. Okay, that is a big difference, a potential disaster. 96 00:04:42.600 --> 00:04:46.000 Like you said, so if root is this like loaded weapon, 97 00:04:46.279 --> 00:04:48.639 what's the safe way? How do we actually do admin 98 00:04:48.720 --> 00:04:50.519 things without risking blowing everything up. 99 00:04:50.759 --> 00:04:53.399 The safe way, and honestly, the standard way is using 100 00:04:53.480 --> 00:04:56.639 pseudo accounts. Think of pseudo it stands for super rousers 101 00:04:56.680 --> 00:04:59.000 do think of it as a very controlled loan of 102 00:04:59.040 --> 00:05:02.480 the master key in lots of distress. Now, like Abuntu, 103 00:05:03.000 --> 00:05:06.079 the actual root account is locked by default. You can't 104 00:05:06.079 --> 00:05:07.279 even log into it directly. 105 00:05:07.360 --> 00:05:08.079 Oh really okay? 106 00:05:08.199 --> 00:05:11.560 Yeah. Instead you have your normal user account, and when 107 00:05:11.560 --> 00:05:14.399 you need to do something administrative like install software or 108 00:05:14.519 --> 00:05:17.079 change a setting, you just type pseudo before the command 109 00:05:17.519 --> 00:05:21.319 pseudo app get update or whatever. It asks for your 110 00:05:21.519 --> 00:05:25.079 user password, not the root password. If you get it right, 111 00:05:25.120 --> 00:05:27.879 it grants you root powers, but only for that one 112 00:05:28.120 --> 00:05:30.920 single command. Then it takes the power away again. 113 00:05:31.079 --> 00:05:33.759 Ah okay, so it's like you borrow the master key 114 00:05:33.800 --> 00:05:36.639 for one specific lock, use it, and immediately end it. 115 00:05:36.560 --> 00:05:41.000 Back exactly that. It's temporary specific elevation of privileges. 116 00:05:40.600 --> 00:05:44.040 Which means if I accidentally run something nasty or make 117 00:05:44.079 --> 00:05:44.839 that typo. 118 00:05:44.839 --> 00:05:47.439 The damage is limited. It can only mess with things 119 00:05:47.480 --> 00:05:50.000 your normal user account has access to, like your own 120 00:05:50.040 --> 00:05:51.279 files and your home folder. 121 00:05:51.439 --> 00:05:54.120 It couldn't say, delete the entire operating. 122 00:05:53.720 --> 00:05:56.920 System, not unless you specifically told it to. With Pseudo, 123 00:05:57.319 --> 00:05:59.720 but yeah, a random malicious script running as your user 124 00:06:00.000 --> 00:06:02.839 such less dangerous than if it ran as root and 125 00:06:03.279 --> 00:06:06.759 modern Linux it takes us even further. There are systems 126 00:06:06.759 --> 00:06:09.519 like policy Kit. If Pseudo is borrowing the master key 127 00:06:09.560 --> 00:06:12.319 for a command, policy Kit is even more specific. It's 128 00:06:12.360 --> 00:06:14.839 like giving a mechanic a key that only starts the 129 00:06:14.879 --> 00:06:16.879 engine diagnostics, not the whole car. 130 00:06:18.040 --> 00:06:19.399 Okay, more fine grained. 131 00:06:19.240 --> 00:06:22.279 Very fine grained. It lets specific applications, or even just 132 00:06:22.360 --> 00:06:25.800 parts of applications get the permissions they need only when 133 00:06:25.800 --> 00:06:30.040 they need them, minimizes the risk even more so. Building 134 00:06:30.079 --> 00:06:32.560 on that, there are a few key user management things 135 00:06:32.560 --> 00:06:35.879 you absolutely should do first. Adding users is simple. It's 136 00:06:35.959 --> 00:06:39.279 usually a doucer username, then password username to set their password. 137 00:06:39.279 --> 00:06:41.360 Basic stuff. Okay, but here's. 138 00:06:41.120 --> 00:06:45.120 Where the security really kicks in remote access. If you're 139 00:06:45.120 --> 00:06:48.079 allowing people to log in over the network using SSH, 140 00:06:48.959 --> 00:06:52.720 you must disable root log in via SSH. Absolutely critical. 141 00:06:52.759 --> 00:06:53.720 Why is that so critical? 142 00:06:53.879 --> 00:06:56.160 Think about it. Every attacker on the planet knows a 143 00:06:56.240 --> 00:06:58.360 user named root exists on Linux systems. 144 00:06:58.360 --> 00:07:01.199 It's a default. Ah, right, Half the puzzle already solved 145 00:07:01.199 --> 00:07:01.519 for them. 146 00:07:01.839 --> 00:07:04.680 Exactly. They only need to guess the password. But if 147 00:07:04.680 --> 00:07:06.639 you disable root log in, they have to guess a 148 00:07:06.720 --> 00:07:09.759 valid user name A and D the password much much harder. 149 00:07:10.079 --> 00:07:13.120 You do this in the SSH canfig file usually etceter 150 00:07:13.279 --> 00:07:16.480 shyest config. Just find the line permit root log in 151 00:07:16.560 --> 00:07:17.680 and set it to now. 152 00:07:18.079 --> 00:07:22.360 Simple change, big impact. Okay, what about the passwords themselves? 153 00:07:22.360 --> 00:07:23.600 People are terrible. 154 00:07:23.279 --> 00:07:26.399 At passwords, terribly predictable. Yeah, which is why you need 155 00:07:26.439 --> 00:07:31.800 strong password policies. Linux uses something called PAM pluggable authentication modules. 156 00:07:31.839 --> 00:07:35.360 Think of PAM as the rulebook for logging in. And 157 00:07:35.399 --> 00:07:38.959 there's a module pam cracklib that lets you enforce password. 158 00:07:38.600 --> 00:07:40.839 Rules like length and complexity Exactly. 159 00:07:40.920 --> 00:07:43.360 You can force a minimum length, say eight characters, are 160 00:07:43.399 --> 00:07:47.079 more require uppercase, lowercase numbers, symbols. You can even stop 161 00:07:47.120 --> 00:07:49.759 people reusing their last few passwords. That's good. Yeah, you 162 00:07:49.800 --> 00:07:51.720 can figure it, and the system just won't accept weak 163 00:07:51.759 --> 00:07:54.879 passwords anymore. It forces users to be more secure. And 164 00:07:55.160 --> 00:07:59.000 one more SSH s trick. You can restrict SSH access 165 00:07:59.160 --> 00:08:01.879 to specific groups. So instead of letting any user on 166 00:08:01.959 --> 00:08:04.120 the system try to SSH in, you create a group, 167 00:08:04.240 --> 00:08:07.240 say schuizers, add only the people who need remote access. 168 00:08:07.120 --> 00:08:10.560 To that group, and tell SSH to only allow logins 169 00:08:10.600 --> 00:08:11.959 from that group precisely. 170 00:08:12.279 --> 00:08:14.600 Yeah, in the shotcunfig file again, you add a line 171 00:08:14.680 --> 00:08:17.759 like allow groups, Soelzers boom. Anyone else trying to log 172 00:08:17.800 --> 00:08:21.800 in remotely gets rejected instantly cuts down massively on brute 173 00:08:21.839 --> 00:08:22.480 force attempts. 174 00:08:22.560 --> 00:08:25.240 Wow. Okay, So taking all this together, what does it 175 00:08:25.319 --> 00:08:27.680 really mean for someone managing the Linux box, whether it's 176 00:08:27.720 --> 00:08:28.920 just their laptop or. 177 00:08:28.920 --> 00:08:32.519 A whole server means These aren't just you know, technical tweaks. 178 00:08:32.600 --> 00:08:37.000 They're fundamental. It's about accountability, knowing who did what. It's 179 00:08:37.000 --> 00:08:40.840 about limiting the blast radius if something goes wrong accidentally 180 00:08:41.000 --> 00:08:44.440 or maliciously. It makes the whole system way more robust, 181 00:08:44.559 --> 00:08:47.399 much harder to compromise. It's like building that fortress with 182 00:08:47.480 --> 00:08:50.159 a trusted crew and making sure everyone only has the 183 00:08:50.240 --> 00:08:51.919 keys they absolutely need, right, A. 184 00:08:51.960 --> 00:08:55.759 Trusted crew, limited keys. I like that. Okay, so we've 185 00:08:55.759 --> 00:08:58.440 got our crew sorted, keys managed. But even the best 186 00:08:58.519 --> 00:09:00.240 crew needs like a strong outer wall. 187 00:09:00.320 --> 00:09:00.399 Right. 188 00:09:00.480 --> 00:09:05.000 Let's talk firewalls. Server. Firewalls the gatekeeper for network traffic 189 00:09:05.720 --> 00:09:09.039 crucial air. So I think of it like the security 190 00:09:09.159 --> 00:09:12.120 checkpoint at a border crossing. It checks everything coming in 191 00:09:12.279 --> 00:09:16.320 that's ingress traffic and everything going out egress. Good analogy, 192 00:09:17.000 --> 00:09:19.759 And when we talk firewalls, we always hear about ports. 193 00:09:20.120 --> 00:09:22.519 These aren't physical things like USB ports, right, They're more 194 00:09:22.600 --> 00:09:24.879 like numbered lanes. 195 00:09:24.600 --> 00:09:28.159 Or docks exactly. They're virtual pathways in the operating system, 196 00:09:28.279 --> 00:09:31.679 different lanes for different types of traffic, like web traffic. 197 00:09:31.799 --> 00:09:36.360 Standard HTTP usually expects to arrive on port eighty. Secure 198 00:09:36.440 --> 00:09:39.200 web traffic HGTPS uses port four four to. 199 00:09:39.200 --> 00:09:41.480 Three, and SSH you mentioned is port twenty two. 200 00:09:41.799 --> 00:09:44.159 Right, So if you try to send, say, web traffic 201 00:09:44.200 --> 00:09:46.840 to port seventy nine, the system's just like, nope, nothing 202 00:09:46.919 --> 00:09:49.200 here for that. There's no service listening on that port number. 203 00:09:49.279 --> 00:09:51.960 Okay, So the firewall manages which of these lanes are 204 00:09:52.000 --> 00:09:53.159 open or closed. 205 00:09:53.000 --> 00:09:56.960 Precisely, and on many modern Linux systems, firewall cmd is 206 00:09:57.000 --> 00:09:59.000 the tool you use to talk to the firewall. The 207 00:09:59.159 --> 00:10:03.320 absolute core principle, the Golden rule is block everything by default. 208 00:10:03.480 --> 00:10:06.360 Start with all lanes closed, everything incoming. 209 00:10:06.480 --> 00:10:06.679 Yeah. 210 00:10:07.279 --> 00:10:10.799 Then you very deliberately open only the specific lanes the 211 00:10:10.919 --> 00:10:13.919 ports that you absolutely need for your services to work. 212 00:10:14.159 --> 00:10:16.320 Okay, So you minimize the attack surface right from the 213 00:10:16.360 --> 00:10:17.120 start exactly. 214 00:10:17.320 --> 00:10:21.559 Less open doors, less chance for unwanted guests. Firewalls also 215 00:10:21.720 --> 00:10:24.799 often use zones. Think of them as preset rule collections, 216 00:10:25.039 --> 00:10:30.039 like public, work, Home. Each zone has different default rules. 217 00:10:30.559 --> 00:10:33.679 Public is usually very restrictive. Home might be more trusting. 218 00:10:34.159 --> 00:10:36.720 You apply a zone to your network connection so you can. 219 00:10:36.720 --> 00:10:39.039 Quickly switch between security levels depending. 220 00:10:38.799 --> 00:10:41.080 On where you are kind of yeah, or just apply 221 00:10:41.159 --> 00:10:44.039 the right level of strictness from the start, and practically speaking, 222 00:10:44.200 --> 00:10:47.519 adding rules is straightforward. You might do ad service HTTP 223 00:10:47.679 --> 00:10:50.480 permanent to allow web traffic through. The permanent makes the 224 00:10:50.600 --> 00:10:52.320 change stick after a reboot. 225 00:10:52.039 --> 00:10:54.320 Or if you have a custom application, you can open. 226 00:10:54.200 --> 00:10:57.360 A specific port number like adport once into two to 227 00:10:57.440 --> 00:10:59.879 two TCP permanent if your app uses TCP ports. In 228 00:11:00.000 --> 00:11:02.799 teen twenty two. The power is in being explicit about 229 00:11:02.799 --> 00:11:04.639 what you allow in. You make conscious choices. 230 00:11:04.879 --> 00:11:07.080 And it sounds like firewall CND gives you a lot 231 00:11:07.200 --> 00:11:11.320 of control. You mentioned zones, services, specific ports. Can you 232 00:11:11.399 --> 00:11:12.559 get even more granular? 233 00:11:12.799 --> 00:11:15.759 Oh? Yeah, you can get really specific. You can block 234 00:11:15.840 --> 00:11:19.519 things like ICMP echo requests. That's the PIN command uses 235 00:11:19.559 --> 00:11:20.159 if you want. 236 00:11:20.039 --> 00:11:23.399 To be stuff, make the server invisible to basic scams. 237 00:11:23.279 --> 00:11:25.840 Sort of yeah. Or you can set up rules to 238 00:11:26.039 --> 00:11:29.720 only allow traffic from specific trusted IP addresses, like saying, 239 00:11:30.039 --> 00:11:33.480 only allow SSH connections from this specific office network. 240 00:11:33.600 --> 00:11:36.600 Okay, that's powerful. It's like having a security guard who 241 00:11:36.679 --> 00:11:39.399 not only checks IDs, but has a very specific guest 242 00:11:39.519 --> 00:11:42.559 list and knows who's definitely not allowed in exactly. 243 00:11:42.679 --> 00:11:45.600 It's about layers of control. Okay, So moving beyond that 244 00:11:45.679 --> 00:11:49.000 immediate network gate the firewall, we need to think about 245 00:11:49.080 --> 00:11:52.879 hardening the server itself and also protecting the data with encryption. 246 00:11:53.080 --> 00:11:55.919 These are the deeper foundations, maybe the internal vaults in 247 00:11:56.000 --> 00:11:57.039 our fortress analogy. 248 00:11:57.240 --> 00:11:59.440 Right, This stuff inside the walls first. 249 00:11:59.600 --> 00:12:02.360 And this sounds basic, but it's so important. Regular updates 250 00:12:02.679 --> 00:12:05.320 keep your system patched. That simple app get update and 251 00:12:05.360 --> 00:12:07.879 an app get upgrade command or whatever your district uses. 252 00:12:08.000 --> 00:12:09.600 The an F update on fedor sent to S. 253 00:12:10.000 --> 00:12:13.120 Right, it's not just about new features. It's mainly about 254 00:12:13.279 --> 00:12:16.919 fixing security holes that attackers are actively looking for. You 255 00:12:17.039 --> 00:12:19.159 have to keep it updated, non negotiable. 256 00:12:19.759 --> 00:12:22.240 Okay, what else you mentioned SSH earlier? 257 00:12:22.399 --> 00:12:27.120 Yes, for logins, SSH keys are way more secure than passwords. 258 00:12:27.639 --> 00:12:30.240 Instead of typing a password that could be guessed or cracked, 259 00:12:30.559 --> 00:12:34.039 you use a pair of cryptographic keys, one private kept 260 00:12:34.080 --> 00:12:37.240 secret on your machine, one public copied to the server. 261 00:12:37.440 --> 00:12:38.279 How do you set that up? 262 00:12:38.440 --> 00:12:41.320 Usually have stitsch again to create the keys, then stretch 263 00:12:41.399 --> 00:12:44.480 copy aid to securely copy the public key over. Once 264 00:12:44.519 --> 00:12:46.360 it's set up, you can log in without a password, 265 00:12:46.399 --> 00:12:48.600 but it's based on proving you possess the private key. 266 00:12:49.080 --> 00:12:53.399 Much stronger, nice, passwordless, but more secure. I like it? 267 00:12:53.919 --> 00:12:55.279 And what about adding another layer? 268 00:12:55.399 --> 00:12:59.519 Two factor authentication to FA Absolutely Even if someone somehow 269 00:12:59.559 --> 00:13:02.279 steals you your sshkey or your password, they still need 270 00:13:02.320 --> 00:13:04.480 that second factor, usually a code from an app on 271 00:13:04.519 --> 00:13:07.519 your phone, like Google Authenticator or offee. There are PAM 272 00:13:07.639 --> 00:13:10.720 modules for this too, like limpam Google Authenticator that make 273 00:13:10.759 --> 00:13:14.279 it relatively easy to add two FA to SSH logins 274 00:13:14.320 --> 00:13:15.159 on Linux. 275 00:13:14.960 --> 00:13:17.000 Extra hoop for attackers to jump through. Good. 276 00:13:17.240 --> 00:13:21.559 Then there's something called Sylinic Security Enhanced Linux or a PARMER, 277 00:13:21.799 --> 00:13:24.960 which is similar. This is well, it's a powerful deeper layer. 278 00:13:25.440 --> 00:13:27.720 It uses Mandatory Access Control MC. 279 00:13:28.000 --> 00:13:29.480 Mandatory access control. 280 00:13:29.720 --> 00:13:34.320 So standard Linux security is discretionary access control DAC user's 281 00:13:34.399 --> 00:13:38.519 own files and can decide who gets access MC is different. 282 00:13:38.919 --> 00:13:42.399 Sylinics applies system wide security policies that even the root 283 00:13:42.480 --> 00:13:46.279 user can't easily override. It watches every process and file 284 00:13:46.360 --> 00:13:49.840 access and enforces strict rules about what's allowed to interact 285 00:13:49.879 --> 00:13:50.879 with what like an. 286 00:13:50.799 --> 00:13:54.480 Internal affairs division for the operating system huh yeah, kind of. 287 00:13:54.600 --> 00:13:57.399 It has modes like permissive where it just logs violations 288 00:13:57.399 --> 00:14:00.519 and enforcing, where it actively blocks things that the rules. 289 00:14:00.799 --> 00:14:02.720 It can be complex to manage, but it adds a 290 00:14:02.799 --> 00:14:04.919 huge amount of security if configured properly. 291 00:14:05.039 --> 00:14:06.679 Okay, sounds heavy duty. 292 00:14:06.919 --> 00:14:10.000 It is then something a bit more practical for dealing 293 00:14:10.039 --> 00:14:12.200 with those log in attempts we talked about fail to ban. 294 00:14:12.320 --> 00:14:14.919 This is a great little tool. It watches system logs 295 00:14:15.080 --> 00:14:18.120 like your SSH log in attempts. If it sees the 296 00:14:18.200 --> 00:14:21.039 same IP address failing to log in multiple times within 297 00:14:21.080 --> 00:14:21.840 a short period. 298 00:14:21.960 --> 00:14:23.759 It assumes it's a brute force attack. 299 00:14:23.720 --> 00:14:26.840 Exactly, and it automatically updates your firewall rules to just 300 00:14:26.960 --> 00:14:29.480 block that IP address entirely for set amount. 301 00:14:29.240 --> 00:14:31.320 Of time, so it slams the door shut on them automatically. 302 00:14:31.399 --> 00:14:33.879 Pretty much. You can configure how many tries they get 303 00:14:34.039 --> 00:14:36.440 max retree and how long they get banned ban time. 304 00:14:36.879 --> 00:14:39.200 Very effective against noisy, persistent attackers. 305 00:14:39.320 --> 00:14:44.679 Okay, wow, updates keys two fa Sylenix failed to ban. 306 00:14:45.919 --> 00:14:48.799 That's quite a list for hardening. What about the absolute 307 00:14:48.919 --> 00:14:50.840 last resort? If everything fails? 308 00:14:50.960 --> 00:14:54.240 Backups? You absolutely must have a solid backup strategy. The 309 00:14:54.360 --> 00:14:56.519 gold standard is the three to two to one backup rule. 310 00:14:56.639 --> 00:14:57.240 Three two to one. 311 00:14:57.480 --> 00:15:00.480 What's that Three copies of your important data on at 312 00:15:00.559 --> 00:15:03.559 least two different types of storage media, and critically, at 313 00:15:03.639 --> 00:15:06.200 least one of those copies must be off site, off. 314 00:15:06.159 --> 00:15:09.120 Site like physically somewhere else or in the cloud. 315 00:15:09.320 --> 00:15:12.639 Either physically separate is best against things like fire or theft. 316 00:15:12.919 --> 00:15:15.679 Cloud works too. The point is, if your main location 317 00:15:15.840 --> 00:15:19.799 is compromised or destroyed, you still have a recoverable copy elsewhere. 318 00:15:19.840 --> 00:15:21.200 It's your ultimate safety net. 319 00:15:21.639 --> 00:15:24.639 Makes total sense. Okay, so that covers hardening the server 320 00:15:24.919 --> 00:15:27.200 but what about the actual data sitting on the hard 321 00:15:27.279 --> 00:15:30.879 drives inside those vaults. How do we protect that if someone, say, 322 00:15:31.200 --> 00:15:32.919 steals the server or pulls the drive. 323 00:15:33.120 --> 00:15:36.799 Yeah, good question. That's where encryption comes in, specifically encryption 324 00:15:37.039 --> 00:15:41.360 at rest. Linux supports various ways to encrypt things. Passwords 325 00:15:41.360 --> 00:15:45.120 stored by the system are hashed using strong algorithms. Communications 326 00:15:45.120 --> 00:15:48.679 can be secured with things like pgp SSLTLS for websites, 327 00:15:48.960 --> 00:15:53.440 and SSH itself encrypts the connection right data in transit exactly. 328 00:15:54.039 --> 00:15:56.480 But for data at rest, the files sitting on the disc, 329 00:15:56.519 --> 00:15:59.840 you need tools like gm MPG for encrypting individual files 330 00:16:00.399 --> 00:16:03.919 or very crypt for creating encrypted containers or drives. But 331 00:16:04.039 --> 00:16:07.480 the real standard for Linux disc encryption is crypt setup, 332 00:16:07.840 --> 00:16:10.679 usually using the LAKS standard Linux Unified. 333 00:16:10.399 --> 00:16:12.320 Key Setup LUKS. Okay, what does that do? 334 00:16:12.559 --> 00:16:15.559 LUKS lets you encrypt entire hard drive partitions or even 335 00:16:15.600 --> 00:16:18.360 the swap space where temporary data might be stored. When 336 00:16:18.360 --> 00:16:20.519 the system boots, you have to enter a passphrase to 337 00:16:20.600 --> 00:16:23.720 unlock the encrypted volume. Without that passphrase, the data on 338 00:16:23.759 --> 00:16:26.120 the drive is just complete gibberish, unreadable. 339 00:16:26.320 --> 00:16:28.200 So even if someone physically steals the. 340 00:16:28.240 --> 00:16:31.519 Hard drive, the data is useless. To them without the key. 341 00:16:31.960 --> 00:16:35.720 It's a critical layer for protecting sensitive information. If the 342 00:16:35.759 --> 00:16:39.240 physical hardware is compromised, it turns your data into an 343 00:16:39.320 --> 00:16:40.559 indecipherable block. 344 00:16:40.720 --> 00:16:47.600 Wow. Okay, that's incredibly important. Encryption at rest with luks. 345 00:16:47.600 --> 00:16:50.120 Got it all? Right? So we've spent a lot of 346 00:16:50.159 --> 00:16:54.679 time talking about building this really impressive digital fortress, right 347 00:16:55.159 --> 00:16:59.200 user accounts, firewalls, hardening the server itself, encrypting the data. 348 00:16:59.399 --> 00:17:01.320 But how do you know? How do you know if 349 00:17:01.360 --> 00:17:03.559 all that work actually holds up against someone trying to 350 00:17:03.600 --> 00:17:04.359 get in? Ah? 351 00:17:04.599 --> 00:17:05.759 The million dollar question. 352 00:17:05.960 --> 00:17:08.640 This brings us to the flip side, the world of 353 00:17:08.720 --> 00:17:10.720 penetration testing or pen. 354 00:17:10.640 --> 00:17:13.599 Testing offensive security, and the go to tool for this. 355 00:17:13.680 --> 00:17:17.400 The district you mentioned earlier is Collie Linux. This specialized toolkit. 356 00:17:17.200 --> 00:17:19.680 That's the one it comes pre loaded with. Yeah, hundreds 357 00:17:19.720 --> 00:17:23.000 of tools designed specifically for testing security, finding vulnerabilities. 358 00:17:23.160 --> 00:17:25.000 So how do the pros actually use this stuff? Is 359 00:17:25.039 --> 00:17:27.759 it just randomly trying tools? Oh? No, not at all. 360 00:17:27.880 --> 00:17:32.079 There's a methodology, a structure. It's often called the penetration 361 00:17:32.240 --> 00:17:35.880 testing life cycle, usually described in five stages. You can 362 00:17:35.960 --> 00:17:39.720 think of it like a military operation, almost scouting and 363 00:17:39.839 --> 00:17:40.920 then engaging a target. 364 00:17:41.079 --> 00:17:42.680 Okay, lay it out for us. Stage one. 365 00:17:43.039 --> 00:17:47.680 Stage one is reconnaissance. Recon just like scouting enemy territory. 366 00:17:47.880 --> 00:17:52.880 You're gathering information about your target anything you can find publicly, websites, 367 00:17:52.960 --> 00:17:56.720 employee names, technologies they use, maybe even some non public 368 00:17:56.759 --> 00:17:59.480 info if you can get it ethically. It's about understanding 369 00:17:59.480 --> 00:18:01.160 the landscape, building intel. 370 00:18:01.640 --> 00:18:02.799 Okay. Stage two. 371 00:18:03.000 --> 00:18:06.839 Stage two is scanning. Now you start actively probing the target, 372 00:18:07.319 --> 00:18:10.279 using tools to find out which computers are actually online, 373 00:18:10.559 --> 00:18:13.279 what ports are open on those machines, what services are 374 00:18:13.319 --> 00:18:16.559 running on those ports, maybe even what operating system they're using. 375 00:18:16.960 --> 00:18:19.200 Like that scout reporting back with a detailed map of 376 00:18:19.240 --> 00:18:22.240 the enemy camp. There's a guard tower here, barracks there. 377 00:18:22.200 --> 00:18:24.920 Exactly like that. You're building a technical blueprint. 378 00:18:24.519 --> 00:18:26.599 Of their defenses. Got it? Stage three. 379 00:18:27.000 --> 00:18:31.400 Stage three is exploitation or gaining access. This is where 380 00:18:31.440 --> 00:18:35.000 you take the information from scanning and try to actually 381 00:18:35.240 --> 00:18:38.599 use a vulnerability to get inside. Maybe there's an old 382 00:18:38.759 --> 00:18:42.759 unpatched service running, or a week password you discovered. You 383 00:18:42.880 --> 00:18:46.440 try to leverage that weakness to gain unauthorized access. 384 00:18:46.200 --> 00:18:48.559 Finding the open door, climbing the weak wall right. 385 00:18:49.079 --> 00:18:52.039 Stage four is maintaining access once you're in You often 386 00:18:52.079 --> 00:18:53.519 want to make sure you can get back in later, 387 00:18:53.599 --> 00:18:56.200 so you might install some kind of persistent backdoor or 388 00:18:56.359 --> 00:18:57.640 create another user account. 389 00:18:58.000 --> 00:19:02.200 The goals to maintain your foothold, and the final stage. 390 00:19:02.240 --> 00:19:06.759 Stage five reporting. This is absolutely critical, especially for professional 391 00:19:06.880 --> 00:19:09.240 pent testers. You have to document everything you did, how 392 00:19:09.279 --> 00:19:11.799 you got in, what vulnerabilities you used, what data you 393 00:19:11.839 --> 00:19:15.680 could access, the potential impact, and crucially you provide recommendations 394 00:19:15.720 --> 00:19:17.799 on how to fix the weaknesses you found. It's the 395 00:19:17.880 --> 00:19:20.680 debriefing after the mission, telling the defenders how to strengthen 396 00:19:20.759 --> 00:19:21.160 their walls. 397 00:19:21.440 --> 00:19:24.119 That makes perfect sense, a structured approach. And just to 398 00:19:24.160 --> 00:19:27.920 give people a taste that scanning stage stage two where 399 00:19:27.920 --> 00:19:31.400 you're building the blueprint. What were some common tools used 400 00:19:31.440 --> 00:19:33.119 there besides Collie itself? 401 00:19:33.279 --> 00:19:36.319