Comments:
I think the wording you were looking for is that you were not looking to incite baseless panic. It is always good to know that you don't know what you don't know, which can be scary when you have a lot hanging on the line.
how about some examples?
Pls consider timestamps
Looking forward to it! Great first video.
No chapter marks, no meaningful description about the content. One has to skip through the video to learn what these "great" 10 tips are. I wouldn't call it hardening, but consumer-ish admins who never thought twice about what they install and run have to start somewhere. Very clickbaity. Of course you have to have lighting like a dance club or a brothel. Day in, day out, sustainability doesn't matter.
If it was only (not) patching the servers... I so hate it that at my new workplace their lifecycling policies just plain suck. E.g. distributions such as Ubuntu 14.04 and Debian 7.x have been EOL+EOS for quite some time now.... but there are still tons of those servers around, still allowed to run :( It's a tiring uphill battle I'm fighting here. :´(
Port scanning and what to shut off as determined by the server's role.
Plans vs accessibility: in the DMZ [needs a public IP] vs behind a NAT firewall vs only accessed externally via VPN.
Keeping a server up to date is important, although it's worth noting auto-updates can break your server and your service could be down for some time before fixing it.
quality stuff
Good growth of the channel. Hard work and consistency paying off.
#3 Number 3, best is no passwords at all...
I've actually experienced failed no-boot backups (not on my own environment and none I was in charge of, luckily). Not fun.
Also a nice tip for important admin web interfaces like Portainer, Traefik, etc. is to put it behind Cloudflare Access, which will require a one-time password from your email address before allowing anybody to connect to it and can set all kinds of device-based authentication rules.
Great video Jay. A multi part on Locking down a public facing server to maybe DOD levels would be great. Your common sense approach is refreshing.
1. I have a question. What about really system-critical servers? One thing is hosting a website, another is medical/military/financial stuff. An example from real life: I'm working in a company related to cryptocurrency, and let's say we need to store a hot wallet - real actual money on servers. We have some risk-lowering procedures, like managing balances to only what we need, but I'm wondering what others do. For example, is the only option to be relatively secure (I'm ignoring inside/physical attacks) to disconnect from the public network?
In addition to patching the OS, don't forget about driver & firmware updates.
You really found your speciality.. Excellent videos. Best for your success!
U r doing a good job with these videos my friend.. keep it up..
Video chapters would be nice. That way viewers can rewatch topics they need to refresh themselves on.
Great work 🥳 Thank you 💜
Can you make traps too
In Windows I have administrative policies, where I change the rules for remote users. My rule is 3 wrong passwords and then block a user account. What does Linux have on board?
What backup program does Linux have on board?
One moment I configured my Linux work machine, after that I upgraded my Linux machine, and after that it had problems with programs that stopped working. Is that OK, or did I do something wrong?
Thank you for your lessons.
Is there any real content in this video except Ads?
Going into my second year in System Administration, I'm very much thankful for your information. I will be looking forward to applying it on my company's servers.
A note about patching. Many patches open new security holes. It's really a double-edged sword. If a patch breaks business continuity then it could be just as costly as getting hacked, and if the patch opens up another security issue, doing nothing and "taking the gamble" (risk acceptance) is what business owners try to do.
1.5x speed is just right
This is gold. Thanks!
Have you considered doing a desktop hardening, for those who use Linux as a daily driver?
for point 10, that's why kubernetes (and harvester) are there as a true solution for HA and self remedy ;)
Do you have any plan to make a video about SELinux?
Very helpful video sir. May I have the link of next videos in this series?
I am using deepin, how to secure it?
Thank you for your invaluable guidance! I’ve recently set up my first home server using Ubuntu, and I’m currently running an open-source application called Immich. This app serves as a great alternative to Google Photos and operates with Docker.
While I didn’t identify any security risks when running it on my local server, I’ve noticed that the application’s capabilities significantly expand when connected to the internet. To expose it, I’ve employed a Cloudflare Tunnel. However, as I’m not an expert in network security, I’m unable to fully assess all potential risks. As you’ve rightly pointed out, any risk is possible.
I would appreciate your insights on tunneling and any advice you might have to enhance the security of this service.
Thanks!
Before locking down SSH (or messing with login or sudo), have an SSH/root connection active, running in another terminal window. Then, when you lock EVERYBODY out (oops, did that mean me, too?), you can restore the original configuration (you preserved it?) or fix it.
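The "you preserved it?" half of the tip above, as an added example that is not from the video or the commenter: a shell function that backs up the live config, validates the candidate, and rolls back if the installed file fails validation. The function name and the `VALIDATE_CMD` override are assumptions of this example; the default validator is sshd's own test mode, `sshd -t -f`.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not from the original page).
# Usage: safe_replace_config /etc/ssh/sshd_config ./sshd_config.new
# VALIDATE_CMD is an assumption of this example so the logic can be
# exercised without sshd; by default it runs "sshd -t -f <file>".

safe_replace_config() {
    local live="$1" candidate="$2"
    local validate="${VALIDATE_CMD:-sshd -t -f}"
    local backup
    backup="${live}.bak.$(date +%Y%m%d%H%M%S)"

    # 1. Preserve the original (mode and timestamps too) before any change.
    cp -p "$live" "$backup" || return 2

    # 2. Reject a broken candidate while the live file is still untouched.
    #    $validate is deliberately unquoted so "sshd -t -f" splits into words.
    if ! $validate "$candidate" >/dev/null 2>&1; then
        echo "candidate rejected; live config untouched (backup: $backup)" >&2
        return 1
    fi

    # 3. Install, re-check the file now in place, and roll back on failure.
    cp "$candidate" "$live" || { cp -p "$backup" "$live"; return 2; }
    if ! $validate "$live" >/dev/null 2>&1; then
        cp -p "$backup" "$live"
        echo "installed config failed validation; restored $backup" >&2
        return 1
    fi

    # Print the backup path so the caller knows what to restore from.
    echo "$backup"
}
```

On a real host, reload sshd afterwards and confirm a fresh login from a second terminal before closing the session that is already open.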
As an aspiring Linux System Administrator, this video is invaluable. Thank you
The DISA STIGs and Center for Internet Security have security checklists that go into enough detail to configure security settings to make a grown man cry.
Adjust your mindset? Really?
Patch your servers? Obviously!
Strengthen your passwords? No shit!
Don't open services to the public internet (unless...) Sure, fine. Still obvious though.
Lock down SSH. Good, we got a decent tip here.
Now we got a banger tip...
Implement as many layers of security as possible.
ARE YOU JOKING!?!
Aren't you supposed to tell us these security layers right now!?
That is like saying "How to harden your system: Step one, take as many hardening steps as possible"
That is like saying "How to get stronger: Step one, do as many strength exercises as possible"
After that you either give us more basic tips that have barely anything to do with hardening a system, if anything at all, or you give us business tips...
The video is titled "10 Tips for Hardening your Linux Servers" and not "10 Tips for basic security and some business advice for dummies".
Where are tips for settings to change, software to install, things to disable/enable, deep things to look out for?
This video was 50% life advice and 50% how to basic.
Somehow I got triggered enough by this shit to write my first hate comment ever that I have spent valuable time on because this is way too long.
Have a very nice day