WEBVTT 1 00:00:00.120 --> 00:00:03.799 Welcome to your personalized deep dive. Looks like someone serious 2 00:00:03.839 --> 00:00:07.040 about getting up to speed on Linux security. You've sent 3 00:00:07.120 --> 00:00:10.000 us a ton of stuff, Wow, excerpts from the textbook 4 00:00:10.080 --> 00:00:14.800 Security Strategies and Linux Platforms and Applications, chapters, tables, even 5 00:00:14.839 --> 00:00:15.439 the index. 6 00:00:15.679 --> 00:00:18.480 Definitely looks like you're aiming for a deep understanding of 7 00:00:18.519 --> 00:00:21.160 Linux security from the ground up. For sure, we can 8 00:00:21.199 --> 00:00:25.960 absolutely do that. Okay, let's walk through the core concepts, 9 00:00:26.600 --> 00:00:29.920 the strengths and weaknesses, and most importantly, how to put 10 00:00:29.960 --> 00:00:32.960 all that knowledge to work hardening your own systems. 11 00:00:33.079 --> 00:00:34.799 I love it, Okay, I have to ask the big 12 00:00:34.880 --> 00:00:38.200 question first. Sure is Linux really as secure as everyone 13 00:00:38.200 --> 00:00:38.759 says it is? 14 00:00:38.960 --> 00:00:41.719 That's always the starting point, isn't it. The interesting thing 15 00:00:41.759 --> 00:00:45.920 about Linux is that it inherits this whole legacy from Unix, 16 00:00:46.399 --> 00:00:47.320 both good and bad. 17 00:00:47.439 --> 00:00:49.799 Kind of like getting a classic car. Cool to look at, 18 00:00:50.119 --> 00:00:52.079 but maybe need some work under the hood before you 19 00:00:52.119 --> 00:00:53.039 take it on the highway. 20 00:00:53.280 --> 00:00:57.280 Perfect analogy. Linux has that many eyes benefit of open source, 21 00:00:57.759 --> 00:00:59.439 where you have a lot of people looking at the code, 22 00:00:59.439 --> 00:01:04.120 which can make more secure. But the FTP server hijacking 23 00:01:04.159 --> 00:01:07.599 incident back in twenty ten showed us the flip side 24 00:01:07.599 --> 00:01:11.040 of that, attackers can also exploit that openness. 25 00:01:11.239 --> 00:01:13.280 Oh yeah, that was a big one. I remember that 26 00:01:13.280 --> 00:01:15.760 someone actually managed to swap out the downloadable source code 27 00:01:15.760 --> 00:01:19.200 with a backdoor version using a vulnerability in the FTP 28 00:01:19.319 --> 00:01:20.040 server itself. 29 00:01:20.159 --> 00:01:23.719 Yeah, open source vulnerabilities can get fixed fast, but sometimes 30 00:01:23.760 --> 00:01:27.599 you need the more rigorous even if it's slower update 31 00:01:27.680 --> 00:01:30.959 processes that you see with commercial software like Microsoft. They're 32 00:01:31.000 --> 00:01:31.840 definitely trade. 33 00:01:31.599 --> 00:01:34.400 Offs either way, so it's like a race. Open source 34 00:01:34.480 --> 00:01:38.319 sprints ahead with quick fixes, but commercial software takes its time, 35 00:01:38.519 --> 00:01:39.760 double checking every step. 36 00:01:40.439 --> 00:01:44.120 Interesting. What about the idea that server distributions are more 37 00:01:44.159 --> 00:01:47.079 secure because they have fewer packages installed by defaults that 38 00:01:47.120 --> 00:01:48.560 really make a difference. Absolutely? 39 00:01:48.680 --> 00:01:48.840 Yea. 40 00:01:49.000 --> 00:01:52.120 The smaller the attack surface, the fewer places there are 41 00:01:52.120 --> 00:01:55.239 for vulnerabilities to hide. That's why so many people love 42 00:01:55.280 --> 00:01:58.879 those minimalist server distributions. It's like locking down a house. 43 00:01:59.400 --> 00:02:04.879 Fewer doors and windows mean fewer entry points for potential intruders. 44 00:02:04.599 --> 00:02:08.439 So less is more when it comes to security. Makes sense. 45 00:02:09.000 --> 00:02:12.319 But here's the thought. I've heard that Linux itself can 46 00:02:12.360 --> 00:02:16.120 be used as a security tool. That seems counterintuitive using 47 00:02:16.159 --> 00:02:17.800 the thing you were trying to protect as part of 48 00:02:17.840 --> 00:02:18.759 the protection system. 49 00:02:18.879 --> 00:02:21.240 It might sound strange, but it works incredibly well. Think 50 00:02:21.280 --> 00:02:24.560 about our tools like jerseyslog for collecting logs, Snort for 51 00:02:24.639 --> 00:02:28.080 intrusion detection. Even firewalls often run on Linux. 52 00:02:28.120 --> 00:02:31.759 Wow, that's actually really clever using Linux's strengths to protect itself. Okay, 53 00:02:31.800 --> 00:02:34.439 so we know Linux has a good security foundation, but 54 00:02:34.680 --> 00:02:39.759 isn't invulnerable. What are the absolute must knows the fundamentals 55 00:02:39.800 --> 00:02:43.680 of Linux security? What should someone learning this really focus on? 56 00:02:44.439 --> 00:02:46.599 The heart of it all is the kernel. Okay, It's 57 00:02:46.639 --> 00:02:48.439 like the brain of your Linux system. And there are 58 00:02:48.439 --> 00:02:53.159 different types, yeah, monolithic, modular, each with its own security considerations. 59 00:02:53.560 --> 00:02:56.599 You have to understand those kernel configuration options. It's like 60 00:02:56.719 --> 00:03:00.240 choosing the right materials to build a secure foundation. 61 00:03:00.080 --> 00:03:04.000 And compiling your own kernel. That's like handcrafting those materials right. 62 00:03:04.120 --> 00:03:05.199 Not for the faint of heart. 63 00:03:05.360 --> 00:03:07.719 You need a deep understanding of the system to go 64 00:03:07.840 --> 00:03:11.280 that route. But there are other basics that everyone should know, 65 00:03:11.479 --> 00:03:15.439 like physical security. You've got to control access to things 66 00:03:15.479 --> 00:03:18.599 like live CDs because they can give you password free 67 00:03:18.639 --> 00:03:19.800 admin access. 68 00:03:20.039 --> 00:03:22.360 It's like leaving a spare key under the mat. You 69 00:03:22.400 --> 00:03:24.080 only want trusted people to know it's there. 70 00:03:24.280 --> 00:03:28.360 Exactly now left talk about access controls. Okay, this is 71 00:03:28.400 --> 00:03:31.159 where things get really granular. Think about it like this. 72 00:03:31.960 --> 00:03:36.240 Linux has multiple layers of security, like those medieval castles 73 00:03:36.280 --> 00:03:38.360 with moats, walls and guard towers. 74 00:03:38.400 --> 00:03:40.800 Okay, I can picture that. So what are the layers 75 00:03:40.800 --> 00:03:41.319 in Linux? 76 00:03:41.599 --> 00:03:45.159 First you have discretionary access control where you use user 77 00:03:45.199 --> 00:03:48.960 and group permissions in those access control lists or acls. 78 00:03:49.080 --> 00:03:52.199 OH way to control who can access what acls. Those 79 00:03:52.199 --> 00:03:53.680 can get pretty complex, right. 80 00:03:53.759 --> 00:03:57.000 Yes, but they give you fine grain control. It's like 81 00:03:57.080 --> 00:03:59.879 having a security system where you can specify who can 82 00:04:00.080 --> 00:04:01.199 to which room in your castle. 83 00:04:01.360 --> 00:04:02.840 I love the analogy. What else? 84 00:04:03.280 --> 00:04:06.280 Then you've got the big guns, the mandatory access controls 85 00:04:06.319 --> 00:04:09.280 like Selenics and a parmer. They operate at a system 86 00:04:09.319 --> 00:04:13.360 wide level and restrict what processes can do, even if 87 00:04:13.400 --> 00:04:14.840 they're run by a privileged user. 88 00:04:14.960 --> 00:04:18.360 Yeah, I've heard Sylinics is powerful. Yeah, but can be 89 00:04:18.439 --> 00:04:19.680 a beast to configure. 90 00:04:20.000 --> 00:04:22.639 It can be. But that's where it's monitoring mode comes in. 91 00:04:23.040 --> 00:04:25.920 You can observe how Selenix policies would affect your system 92 00:04:25.920 --> 00:04:28.560 without actually enforcing them. I think of it like having 93 00:04:28.560 --> 00:04:31.800 a security camera system. It alerts you to suspicious activity 94 00:04:32.160 --> 00:04:33.439 without actually stopping it. 95 00:04:33.879 --> 00:04:36.399 That takes the pressure off. So we're talking about layers 96 00:04:36.399 --> 00:04:39.720 of defense. Now what about tools like Pseudo and PolicyKit. 97 00:04:39.759 --> 00:04:41.079 How do they fit in? Ah? 98 00:04:41.360 --> 00:04:44.720 Those are like giving certain people limited access passes to 99 00:04:44.839 --> 00:04:47.680 specific parts of the castle. Oh okay, you can give 100 00:04:47.720 --> 00:04:49.839 a guest a key to the garden, but not to 101 00:04:49.879 --> 00:04:50.519 the treasure room. 102 00:04:50.600 --> 00:04:50.839 Right. 103 00:04:51.360 --> 00:04:54.360 Sudo lets you run commands as another user, typically the 104 00:04:54.439 --> 00:04:58.120 root user, but with limits, and policy Kit is all 105 00:04:58.160 --> 00:05:02.279 about letting you manage system wide settings without giving users 106 00:05:02.279 --> 00:05:06.519 full admin rights. They're all about limiting the potential damage 107 00:05:06.680 --> 00:05:08.120 if something does go wrong. 108 00:05:08.279 --> 00:05:11.920 Makes sense. Don't give anyone more power than they absolutely need. 109 00:05:12.519 --> 00:05:15.160 We've talked about securing the system itself, but what about 110 00:05:15.199 --> 00:05:18.720 when our Linux machine needs to talk to others? Is 111 00:05:18.800 --> 00:05:21.000 all that communication secure by default? 112 00:05:21.439 --> 00:05:26.160 That's a great question. Yeah, we're getting better at encrypting communication, okay, 113 00:05:26.240 --> 00:05:29.199 with end to end encryption becoming more common, but there 114 00:05:29.199 --> 00:05:33.519 are still gaps. For example, some email transmission between servers 115 00:05:33.639 --> 00:05:35.399 still happens in plaintext, so. 116 00:05:35.319 --> 00:05:37.800 It's like setting a postcard instead of a sealed letter. 117 00:05:38.399 --> 00:05:40.720 Not great for confidential information exactly. 118 00:05:40.759 --> 00:05:42.079 There's always room for improvement. 119 00:05:42.160 --> 00:05:44.319 Okay, So we've covered the kernel and access controls. We're 120 00:05:44.319 --> 00:05:47.720 making progress, but there's a lot more to the Linux ecosystem. Right, 121 00:05:47.720 --> 00:05:50.920 We've got distributions, file systems, all that good stuff. Where 122 00:05:50.920 --> 00:05:53.480 do we even begin with all that? 123 00:05:53.720 --> 00:05:54.920 Let's start with distributions. 124 00:05:55.000 --> 00:05:55.240 Okay. 125 00:05:55.240 --> 00:05:57.600 They are the foundation of any Linux system. Think of 126 00:05:57.639 --> 00:06:00.680 them as the blueprint for your digital world. You've got 127 00:06:00.720 --> 00:06:05.480 a huge variety server distros, desktop distros, each with its 128 00:06:05.519 --> 00:06:07.800 own way of handling packages and updates. 129 00:06:08.000 --> 00:06:10.800 So it's kind of like choosing a neighborhood to live in. 130 00:06:11.120 --> 00:06:13.399 Each one has its own personality and comes with its 131 00:06:13.399 --> 00:06:15.279 own set of amenities exactly. 132 00:06:15.480 --> 00:06:16.879 And then you have to think about how you're going 133 00:06:16.920 --> 00:06:19.759 to set things up. Whether you installed directly on a 134 00:06:19.759 --> 00:06:23.319 physical machine or go with a cloud provider. Both have 135 00:06:23.360 --> 00:06:24.920 their own security implications. 136 00:06:25.199 --> 00:06:28.439 I've heard that opening up SSH to the Internet for 137 00:06:28.600 --> 00:06:31.040 cloud servers can be a bit of a security risk. 138 00:06:31.800 --> 00:06:32.439 Is that true? 139 00:06:32.519 --> 00:06:35.439 It definitely can be if it's not done carefully. Okay, 140 00:06:35.560 --> 00:06:38.439 you want to make sure you're using strong passwords, limiting 141 00:06:38.519 --> 00:06:42.240 access to trusted IP addresses, and keeping everything up to date. 142 00:06:42.720 --> 00:06:45.800 But let's move on to another fundamental piece of the puzzle. Okay, 143 00:06:45.879 --> 00:06:49.120 file systems. Okay, This is about how your data is 144 00:06:49.199 --> 00:06:52.639 structured and stored, and that directly affects security. 145 00:06:52.720 --> 00:06:56.000 Okay. File systems they always sounded a bit yeah, I 146 00:06:56.040 --> 00:06:58.600 don't know, technical to me, like something you don't really 147 00:06:58.680 --> 00:07:00.879 have to worry about unless something goes wrong. 148 00:07:01.240 --> 00:07:03.839 They might not be the flashiest part of Linux. Yeah, 149 00:07:03.839 --> 00:07:08.439 but trust me, they're essential okay. For example, journaled filesystems 150 00:07:08.439 --> 00:07:11.279 like XT three and XT four are much better at 151 00:07:11.279 --> 00:07:15.279 handling unexpected crashes than older filesystems like XT two. 152 00:07:15.639 --> 00:07:18.839 So if the power goes out where the system crashes, 153 00:07:19.120 --> 00:07:22.600 a journaled filesystem is more likely to keep my data safe. 154 00:07:22.639 --> 00:07:25.480 Exactly. It's like having a detailed log of all the 155 00:07:25.600 --> 00:07:28.720 changes made to your files. If something goes wrong, the 156 00:07:28.759 --> 00:07:32.319 file system can use that log to recover gracefully. Oh okay, 157 00:07:32.600 --> 00:07:35.519 And then there's the whole world of partition types in formatting. 158 00:07:35.839 --> 00:07:38.240 Partitioning always makes me a little nervous, like I'm performing 159 00:07:38.279 --> 00:07:39.399 surgery on my hard drive. 160 00:07:39.720 --> 00:07:42.639 It can seem intimidating. Yeah, but tools like f disc 161 00:07:42.759 --> 00:07:45.560 make it much more manageable. Okay, And remember, most of 162 00:07:45.600 --> 00:07:47.680 the time, the defaults will work just fine. 163 00:07:47.879 --> 00:07:48.120 Okay. 164 00:07:48.240 --> 00:07:52.879 For example, f disc automatically uses the standard Linux partition ID, yeah, 165 00:07:52.920 --> 00:07:55.480 which is eighty three. Okay, but you can customize it 166 00:07:55.519 --> 00:07:56.759 if you have specific needs. 167 00:07:56.920 --> 00:07:59.920 Good to know I have options. Now, let's talk about 168 00:08:00.079 --> 00:08:03.240 something everyone seems to be talking about these days, encryption. 169 00:08:03.319 --> 00:08:06.560 And for good reason. Encryption is one of the most 170 00:08:06.600 --> 00:08:10.160 powerful tools we have for protecting data. Linux has some 171 00:08:10.199 --> 00:08:15.560 great options here. For encrypting individual files. There's GPG, which 172 00:08:15.639 --> 00:08:17.079 uses public key cryptography. 173 00:08:17.279 --> 00:08:22.360 Ah, public key cryptography. That's like having two keys, one public, 174 00:08:22.519 --> 00:08:26.160 one private, and you need both to unlock the treasure chest. 175 00:08:26.279 --> 00:08:29.399 You got it. Yeah, just remember to be careful about 176 00:08:29.480 --> 00:08:32.440 verifying those public keys. Yeah, you want to be sure 177 00:08:32.480 --> 00:08:35.200 you're using the right key for the right person. Now, 178 00:08:35.240 --> 00:08:38.679 if you want to encrypt your entire hard drive, luks 179 00:08:38.759 --> 00:08:41.039 is the way to go. It uses crypt setup to 180 00:08:41.120 --> 00:08:44.440 create an encrypted volume that's like a virtual vault for 181 00:08:44.519 --> 00:08:45.120 your data. 182 00:08:45.159 --> 00:08:47.840 So even if someone stole my hard drive, they wouldn't 183 00:08:47.840 --> 00:08:50.480 be able to access my data without the key. That's reassuring. 184 00:08:50.960 --> 00:08:54.519 And if you only need to encrypt specific directories or folders, 185 00:08:55.159 --> 00:08:59.000 encrypts is a great option. It's perfect for protecting sensitive 186 00:08:59.039 --> 00:09:01.840 information without having to encrypt the entire drive. 187 00:09:02.159 --> 00:09:04.919 So many choices, it sounds like, you really can customize 188 00:09:04.919 --> 00:09:06.120 the level of security you want. 189 00:09:06.480 --> 00:09:07.039 Absolutely. 190 00:09:07.159 --> 00:09:07.360 Yeah. 191 00:09:07.399 --> 00:09:09.200 Now, before we move on, we have to talk about 192 00:09:09.240 --> 00:09:12.919 file permissions. Okay, this is one of those fundamental security 193 00:09:12.960 --> 00:09:16.039 practices that everyone needs to understand. Yeah, it's all about 194 00:09:16.080 --> 00:09:18.919 controlling who has access to your files and what they 195 00:09:18.919 --> 00:09:21.919 can do with them. The shmad command is your go 196 00:09:21.960 --> 00:09:26.000 to tool here, okay, and using the octal representation can 197 00:09:26.080 --> 00:09:27.120 really speed things up. 198 00:09:27.279 --> 00:09:30.080 Octal that's the base state number system, right, Instead of 199 00:09:30.159 --> 00:09:31.879 zero through nine, you have zero through seven. 200 00:09:32.000 --> 00:09:34.360 That's it. It might seem a little strange at first, Yeah, 201 00:09:34.399 --> 00:09:36.759 but it's actually the most efficient way to work with 202 00:09:36.799 --> 00:09:41.279 file permissions. And don't forget about the mass mask. It 203 00:09:41.399 --> 00:09:45.480 sets the default permissions for new files and directories. 204 00:09:45.559 --> 00:09:48.759 So it's like a template for permissions, right, you said 205 00:09:48.759 --> 00:09:51.279 it once, and applies to everything you create from then on. 206 00:09:51.799 --> 00:09:54.919 Clever. We've talked about locking down files with permissions and 207 00:09:55.000 --> 00:09:58.279 encrypting them, but what about sharing files? Doesn't that open 208 00:09:58.360 --> 00:09:59.360 up security holes? 209 00:09:59.600 --> 00:10:03.879 It can, but there are secure ways to share files. NFS, 210 00:10:03.919 --> 00:10:07.879 for instance, can be integrated with Carberos for authentication. Carberos 211 00:10:08.879 --> 00:10:11.720 that sounds pretty intense, like something out of Greek mythology. 212 00:10:11.759 --> 00:10:14.440 It's a powerful authentication system, that's for sure. And then 213 00:10:14.440 --> 00:10:19.440 there's Samba okay, which lets you share files securely with 214 00:10:19.559 --> 00:10:22.759 Windows systems, right, even those running older versions. 215 00:10:22.799 --> 00:10:25.120 I've tried to set up Samba before. It can be 216 00:10:25.159 --> 00:10:26.240 a bit of a challenge. 217 00:10:26.519 --> 00:10:29.279 It definitely has its quirks. Yeah, but it's a valuable 218 00:10:29.320 --> 00:10:32.240 tool if you need to work with Windows machines. And 219 00:10:32.279 --> 00:10:35.279 don't forget about quotas. They let you limit how much 220 00:10:35.399 --> 00:10:39.559 disk space users can use, which can help protect critical 221 00:10:39.600 --> 00:10:40.799 directories from being filled up. 222 00:10:40.840 --> 00:10:43.720 It's all about setting boundaries, making sure everyone has their 223 00:10:43.759 --> 00:10:46.720 space but doesn't step on each other's toes. Okay, so 224 00:10:46.759 --> 00:10:50.200 we've got secure file systems and safe ways to share data, 225 00:10:50.960 --> 00:10:53.559 but what about all those services that are constantly running 226 00:10:53.559 --> 00:10:57.600 on a Linux system. Aren't those potential entry points for attackers? 227 00:10:57.840 --> 00:11:01.879 Absolutely, every service that's run is a potential point of vulnerability. 228 00:11:02.399 --> 00:11:04.320 It's like having a bunch of doors and windows open 229 00:11:04.360 --> 00:11:06.080 in your house. You want to make sure they're all 230 00:11:06.120 --> 00:11:06.919 locked and secure. 231 00:11:07.440 --> 00:11:09.799 Makes sense, So how do we tackle this? Where do 232 00:11:09.840 --> 00:11:10.519 we even begin? 233 00:11:10.799 --> 00:11:14.080 It starts with understanding demons. Those are the processes that 234 00:11:14.159 --> 00:11:17.919 run in the background and keep things running smoothly. They 235 00:11:17.919 --> 00:11:21.639 can be essential, but if they're not properly configured, they 236 00:11:21.639 --> 00:11:23.879 can also introduce vulnerabilities. 237 00:11:24.080 --> 00:11:27.360 Demons. They always sound kind of mysterious, like something out 238 00:11:27.360 --> 00:11:28.399 of a fantasy novel. 239 00:11:28.879 --> 00:11:32.120 Think of them as the invisible workforce of your system. Okay, 240 00:11:32.360 --> 00:11:35.639 they're always there, working behind the scenes. The key is 241 00:11:35.679 --> 00:11:38.519 to make sure they're doing their jobs properly and not 242 00:11:38.559 --> 00:11:39.480 causing any trouble. 243 00:11:39.600 --> 00:11:41.120 So how do we keep them in line? 244 00:11:41.559 --> 00:11:43.240 Well, the first step is to choose the right in 245 00:11:43.360 --> 00:11:46.200 it system. Okay, that's the software that manages all the 246 00:11:46.240 --> 00:11:49.919 services and processes that start up when your system boots. 247 00:11:50.679 --> 00:11:54.559 You've got options like system v upstart, and system, each 248 00:11:54.600 --> 00:11:55.879 with its own way of doing things. 249 00:11:55.960 --> 00:11:58.320 So the in it system is like the conductor of 250 00:11:58.360 --> 00:12:00.559 an orchestra, making sure everyone plays a part at the 251 00:12:00.600 --> 00:12:01.720 right time exactly. 252 00:12:02.440 --> 00:12:04.919 And just like with a real orchestra, you want a 253 00:12:04.960 --> 00:12:08.279 conductor who's experience and knows how to keep everything running smoothly. 254 00:12:08.799 --> 00:12:11.240 Once you've got the right in net system in place, 255 00:12:11.960 --> 00:12:15.080 you need to focus on minimizing the attack surface. Okay, 256 00:12:15.200 --> 00:12:19.000 that means installing only the services you absolutely need and 257 00:12:19.039 --> 00:12:20.600 making sure they're configured securely. 258 00:12:21.000 --> 00:12:24.279 Sounds like the less is more principle again Exactly, Fewer 259 00:12:24.320 --> 00:12:28.159 services means fewer potential vulnerabilities. 260 00:12:27.320 --> 00:12:30.360 Exactly, And there are tools that can help you with this. 261 00:12:30.519 --> 00:12:30.840 Okay. 262 00:12:30.960 --> 00:12:37.159 Package managers like DNF, APT and portage all have ways 263 00:12:37.200 --> 00:12:40.399 to select only the packages you need and leave out 264 00:12:40.440 --> 00:12:40.799 the rest. 265 00:12:41.159 --> 00:12:44.960 It's like decluttering your digital house. Get rid of anything 266 00:12:45.000 --> 00:12:47.360 you don't really need, and it becomes easier to keep 267 00:12:47.440 --> 00:12:49.039 everything clean and organized. 268 00:12:49.360 --> 00:12:53.000 Perfect analogy. And once you've got your services installed, need 269 00:12:53.000 --> 00:12:56.240 to make sure they're running with the least privilege necessary. 270 00:12:56.320 --> 00:12:58.600 Don't give them any more access than they absolutely need 271 00:12:58.679 --> 00:13:02.000 to do their jobs. Systems has some great features for this, 272 00:13:02.480 --> 00:13:06.480 like private tampth and private devices, yeah, which isolate services 273 00:13:06.519 --> 00:13:08.960 and limit the damage they can do if they're compromised. 274 00:13:09.320 --> 00:13:12.480 So even if a service goes rogue, right, it's trapped 275 00:13:12.480 --> 00:13:13.799 in its own little sandbox. 276 00:13:14.480 --> 00:13:18.919 Clever. Okay, So we've minimized the number of services, made 277 00:13:18.919 --> 00:13:23.559 sure they're configured securely, and limited their privileges. What's next 278 00:13:23.879 --> 00:13:25.120 on our security checklist? 279 00:13:25.600 --> 00:13:28.879 Now we need to talk about network communication. Okay, This 280 00:13:28.919 --> 00:13:31.120 is where things can get a little tricky. Oh okay, 281 00:13:31.320 --> 00:13:34.440 every time your Linux system connects to the network. Yeah, 282 00:13:34.480 --> 00:13:37.039 it's opening itself up to potential risks. 283 00:13:37.679 --> 00:13:41.080 Yeah, I've heard about those open ports. They're like unlocked 284 00:13:41.080 --> 00:13:43.080 doors just waiting for someone to walk through. 285 00:13:43.360 --> 00:13:44.799 That's a great way to put it. And that's where 286 00:13:44.840 --> 00:13:45.679 firewalls come in. 287 00:13:45.759 --> 00:13:46.000 Okay. 288 00:13:46.080 --> 00:13:48.559 A firewall is like a security guard for your network, 289 00:13:49.039 --> 00:13:52.200 controlling which traffic is allowed in and which traffic is blocked. 290 00:13:52.279 --> 00:13:56.480 Okay, firewalls, I know they're important, but they always seem 291 00:13:56.559 --> 00:13:59.759 so complex to me. Right, where do you even start with? 292 00:13:59.799 --> 00:14:00.759 Can figuring one? 293 00:14:00.879 --> 00:14:03.840 It's definitely gotten easier over the years. We've come a 294 00:14:03.840 --> 00:14:07.639 long way from the days of manually editing iptables rules. 295 00:14:08.120 --> 00:14:10.879 Newer tools like firewalls, they get much more user friendly 296 00:14:11.200 --> 00:14:15.360 firewalled That sounds a lot less intimidating than iptables. What's 297 00:14:15.399 --> 00:14:16.120 the big difference? 298 00:14:16.440 --> 00:14:19.279 Firewalled is much more flexible and easier to manage. 299 00:14:19.399 --> 00:14:19.679 Okay. 300 00:14:20.200 --> 00:14:24.879 It uses zones to group network interfaces and apply different 301 00:14:24.960 --> 00:14:26.159 rules to each zone. 302 00:14:26.360 --> 00:14:26.639 Okay. 303 00:14:26.799 --> 00:14:29.759 For example, yeah, you might have a zone for your 304 00:14:30.120 --> 00:14:34.480 trusted internal network, a zone for the public Internet, and 305 00:14:34.519 --> 00:14:36.240 the zone for DMZ services. 306 00:14:36.399 --> 00:14:39.399 So it's like having different security levels for different parts 307 00:14:39.440 --> 00:14:42.559 of your castle. The inner keep is heavily guarded the 308 00:14:42.600 --> 00:14:46.440 outer courtyard is more open, and the surrounding forest is 309 00:14:46.440 --> 00:14:47.879 the wild unknown. 310 00:14:47.840 --> 00:14:51.399 Exactly, and firewalled makes it easy to define these zones 311 00:14:51.600 --> 00:14:53.320 and apply different rules to each one. 312 00:14:53.399 --> 00:14:56.720 Okay, so we've got firewalls in place to control network traffic. Right, 313 00:14:56.879 --> 00:14:59.279 we're really building up our defenses here. What else do 314 00:14:59.320 --> 00:15:00.000 we need to consider? 315 00:15:00.559 --> 00:15:02.720 We've covered a lot of ground, but there's always more 316 00:15:02.759 --> 00:15:03.159 to learn. 317 00:15:03.279 --> 00:15:03.639 Okay. 318 00:15:03.799 --> 00:15:06.240 There are some advanced security measures that can really take 319 00:15:06.279 --> 00:15:08.840 things to the next level. Okay, things like intrusion detection 320 00:15:08.960 --> 00:15:11.279 systems and vulnerability scanning. 321 00:15:11.639 --> 00:15:15.240 Intrusion detection, that sounds serious, like having a security team 322 00:15:15.320 --> 00:15:17.120 monitoring your system twenty four to seven. 323 00:15:17.240 --> 00:15:19.519 That's a good way to think about it. Intrusion detection 324 00:15:19.639 --> 00:15:24.240 systems or IDs are designed to detect suspicious activity on 325 00:15:24.279 --> 00:15:24.919 your network. 326 00:15:25.120 --> 00:15:25.240 Right. 327 00:15:25.440 --> 00:15:28.639 They analyze traffic patterns looking for anything that looks out 328 00:15:28.639 --> 00:15:29.000 of place. 329 00:15:29.120 --> 00:15:32.320 So they're like the watchdogs, always on alert for potential threats. 330 00:15:32.759 --> 00:15:35.480 What about vulnerability scanning? How does that work? 331 00:15:35.840 --> 00:15:38.799 Vulnerability scanners are like security auditors. 332 00:15:38.919 --> 00:15:39.240 Okay. 333 00:15:39.480 --> 00:15:42.679 They probe your systems, looking for known weaknesses, right that 334 00:15:42.720 --> 00:15:45.600 could be exploited by attackers. It's like having a team 335 00:15:45.639 --> 00:15:48.080 of experts come in and check for any cracks in 336 00:15:48.120 --> 00:15:48.559 your armor. 337 00:15:48.759 --> 00:15:51.840 That makes sense, So you're proactively looking for vulnerabilities before 338 00:15:51.879 --> 00:15:53.080 someone else can exploit them. 339 00:15:53.200 --> 00:15:53.679 Exactly. 340 00:15:53.759 --> 00:15:56.639 Are there any specific tools you recommend for these tasks? 341 00:15:56.960 --> 00:15:59.360 There are tons of great tools out there, both open 342 00:15:59.360 --> 00:16:04.720 source and commercial. For intrusion detection, yeah, Snort is a classic, 343 00:16:05.159 --> 00:16:07.320 been around forever and is super powerful. 344 00:16:07.519 --> 00:16:07.919 Okay. 345 00:16:08.240 --> 00:16:10.759 You can set it up to passively monitor your network 346 00:16:10.799 --> 00:16:15.000 traffic looking for suspicious patterns, or you can run it 347 00:16:15.080 --> 00:16:18.000 an inline mode actively blocking malicious traffic. 348 00:16:18.279 --> 00:16:22.039 So snort is like having a guard dog that can 349 00:16:22.080 --> 00:16:26.000 either just bark at intruders or actually bite them if 350 00:16:26.000 --> 00:16:26.840 they get too close. 351 00:16:27.039 --> 00:16:29.320 It's a good way to think about it. And then 352 00:16:29.840 --> 00:16:33.720 for vulnerability scanning, okay, you've got options like open VAS 353 00:16:33.720 --> 00:16:38.639 and nexpos. Open VS is open source and very popular. Well, 354 00:16:38.720 --> 00:16:42.360 nextpos is a commercial product with a lot of advanced features. 355 00:16:42.840 --> 00:16:46.120 Okay, So we've got our intrusion detection system watching for 356 00:16:46.159 --> 00:16:50.639 suspicious activity and our vulnerability scanner probing for weaknesses. But 357 00:16:50.759 --> 00:16:53.919 what happens if they actually find something? What do we 358 00:16:53.960 --> 00:16:55.639 do if there's a real security breach? 359 00:16:55.720 --> 00:16:58.440 That's where incident response planning comes in. Okay, you don't 360 00:16:58.440 --> 00:17:00.399 want to wait until you're under attack tore out what 361 00:17:00.440 --> 00:17:03.919 to do. You need a solid plan in place beforehand. 362 00:17:03.399 --> 00:17:06.000 So it's like having a fire escape plan. Hope you'll 363 00:17:06.000 --> 00:17:08.519 never need it, but if you do, you want to 364 00:17:08.559 --> 00:17:09.359 know exactly what. 365 00:17:09.400 --> 00:17:13.839 To do exactly. A good incident response plan will cover 366 00:17:13.960 --> 00:17:18.160 everything from identifying the source of the breach to containing 367 00:17:18.200 --> 00:17:21.680 the damage and recovering your systems. Yes, one crucial step 368 00:17:22.079 --> 00:17:25.799 is securing volatile memory. Okay, that's the data that's stored 369 00:17:25.839 --> 00:17:28.519 in RAM, and it can contain valuable evidence that could 370 00:17:28.559 --> 00:17:31.079 be lost if you shut down the system improperly. 371 00:17:31.160 --> 00:17:34.319 Volatile memory it's like a digital fingerprint that fades away quickly. 372 00:17:34.400 --> 00:17:36.119 You got it. You want to capture that memory as 373 00:17:36.200 --> 00:17:39.079 quickly as possible before it disappears. And then having a 374 00:17:39.119 --> 00:17:42.680 gold baseline system can be a life saver. This is 375 00:17:42.720 --> 00:17:46.079 a known, good, clean copy of your system you can 376 00:17:46.200 --> 00:17:48.000 use to restore things if necessary. 377 00:17:48.079 --> 00:17:50.359 So it's like having a backup castle just in case 378 00:17:50.400 --> 00:17:52.200 the first one gets overrun exactly. 379 00:17:52.519 --> 00:17:54.720 Now, let's be real for a minute. Not everyone has 380 00:17:54.759 --> 00:17:57.519 a team of security experts on call. What about the 381 00:17:57.519 --> 00:17:59.519 rest of us? Where do we turn for help when 382 00:17:59.559 --> 00:18:00.000 we need it. 383 00:18:00.640 --> 00:18:04.680 That's a good question. Linux can feel intimidating sometimes, especially 384 00:18:04.680 --> 00:18:08.319 when it comes to security. It's a vast and complex world, 385 00:18:08.599 --> 00:18:10.400 it is, and it's easy to feel lost. 386 00:18:10.759 --> 00:18:13.599 Well, the good news is that the Linux community is amazing. 387 00:18:13.880 --> 00:18:18.200 There's so much support available, from paid corporate options to 388 00:18:18.799 --> 00:18:21.440 the incredible wealth of knowledge in the open source community. 389 00:18:21.559 --> 00:18:26.640 You've got forums, mailing lists, online documentation, you name it. 390 00:18:26.640 --> 00:18:30.039 It's like having a global network of experts at your fingertip. 391 00:18:30.200 --> 00:18:35.319 Exactly. Just remember before you ask for help, do your homework, okay. 392 00:18:35.599 --> 00:18:39.039 The community really appreciates it when you've made an effort 393 00:18:39.079 --> 00:18:41.599 to solve the problem yourself, right, and when you were 394 00:18:41.640 --> 00:18:45.759 reporting bugs, be clear, okay, concise, and provide as much 395 00:18:45.799 --> 00:18:47.079 information as possible. 396 00:18:47.279 --> 00:18:47.559 Yeah. 397 00:18:47.680 --> 00:18:51.640 Bug tracking systems like Launchpad and Bugzilla can help streamline 398 00:18:51.680 --> 00:18:52.400 that process. 399 00:18:52.480 --> 00:18:55.000 So it's all about being a good citizen of the 400 00:18:55.000 --> 00:18:55.720 Linux community. 401 00:18:55.720 --> 00:18:58.920