YouTube Transcript:
Linux Security - SSH Security Essentials
Skip watching entire videos - get the full transcript, search for keywords, and copy with one click.
Share:
Video Transcript
[Music] before we get started with today's video i just want to take you through the structure of this particular series um so i've actually partnered with linux to bring you this series this series will involve two parts so if you head over to linux.com under events you should find the hack exploit linux live linux server security series and you can just click on more info here so this series is going to be a 12-part series on how to set up secure and audit linux servers uh and we'll begin on on the 1st of october and the first series will be available on youtube and will include ssh security essentials configuring sudo access securing apache 2 securing engine x and the uncomplicated firewall the second part of the series will be hosted on linux live and it's absolutely free you don't have to pay anything and again you can access you can actually register for that there this is going to be an advanced series that will build up or build off the first series and we'll cover things like brute force protection ip tables wordpress security and security auditing on linux with the linux tool um so to access that just click on the registration link on on the on24 platform and that will take you here so that will give you an idea of all the various web costs and when they're going to be posted and it'll give you a summary of what will be covered exactly these are advanced uh webcasts that will be about 40 minutes and you can register for them absolutely free of charge we've also partnered with lino to give you guys a free credit uh so again if you are interested in using lynode for your virtual private server or for your hosting whether you're a developer or a administrator uh you can get a hundred dollars of 90 day credit uh and this is for new accounts um so that's fantastic definitely do take advantage of this if you're getting started with linux or you're actually following uh you're following along with this series however make sure to actually redeem this offer or this code uh which is under promo.linu.com and the code is hackersploit100 this offer will only be limited till the 15th of december so definitely check that out that being said let's get started with today's video hey guys hackersploit here back again with another video welcome to the linux security series in this particular series we're going to be taking a look at how to secure linux systems and more specifically linux servers now as you've read from the title this video is going to be about ssh security so i'll be taking you through all these essentials of securing ssh we're not going to be taking a look at brute force protection where i'm just going to be showing you how to secure ssh and how to go about setting up ssh securely now in this particular video or in this particular series we'll be following a very important a premise here or an example if you will and the reason i'm doing this is to give the videos a bit more context in in regards to how you can apply these techniques yourself when setting up a server regardless of whether it's a personal server or whether you're setting up one for your organization or for your company it really doesn't matter so the way i'm going to be doing this is i'm going to be using somewhat intricate but basic examples again to give you a better idea of of how you can apply these techniques so in this particular case uh we are going to take a simple example of the fact that i'm an administrator and i've been hired uh to again manage the company's linux servers on the cloud and also some various on-premises servers that they have and the development team that's responsible for developing the web applications that they have actually told me the linux administrator to fire up a few servers on the cloud or virtual private servers uh for wordpress for a wordpress website so we have been given that that particular role or that particular task and our first order of business is to set up remote authentication so that the development team can connect to the server and do whatever they want and of course they're going to be using ssh to do this so ssh stands for secure shell it is a remote authentication and remote control remote remote control protocol and it allows you to connect to linux servers remotely or even windows servers right so now that we have set up the premise we can actually get started now uh we have partnered with linux to actually give you guys some free credits or free access and you can access this uh by going to lynnote.com and take a look at hackersploit so ford slash hack exploit and that will give you a free 20 credit so you can actually get started and follow along with this if you want to uh and again you can create as many linux as you want and you get about 20 dollars which is fantastic excellent so we can now get started now this is my dashboard and you can see where we're going or following along with the premise and these are the servers that i'm currently managing and i have the marketing server and a project management server here and now we've been told to create a new linux server with wordpress installed and we can go about setting up the security from the ground up so the first thing we're going to do is we're going to create a new linux so i'll click on newly node and again i can set up wordpress manually or i can go into the marketplace here which is great a great feature offered by lenoid and i have all of these applications that again are pre-configured to work right out of the box so i can set up a lamp server a lamp server i can also set up a postgresql database an open vpn instance so that i can actually set up my own openvpn server and then of course we have the game servers which is awesome we have we also have the ability to set up docker which is fantastic you can actually just get started immediately without setting up or installing anything in our case we're going for wordpress um so i'm just going to go to the bottom it's going to ask us for the wordpress options so again the development team is has given us some some basic credentials and of course we're just going to uh we're going to improvise a little bit so the user is going to be user at uh test.com and the admin username is going to be admin and of course i don't recommend doing that but that's another topic for another video and then of course for the password we're going to give it a super secure password right so i'll give it the best password i can and we're going to disable this gradually as we as we move along because password-based authentication with ssh is not really recommended uh because you know attackers can brute force the server or brute force ssh we then need to provide the database password which again make sure that is equally as secure and landlord gives you a password strength um level right over here and the website title we're just going to call this development development site this is where the you know the development team is going to just work on uh various betas or new new web apps that they're currently working on and we don't have a domain yet so we're not mapping it and the default uh image is going to be debian which is perfectly fine i then specify the region and of course you can specify the region that's most uh appropriate or advantageous to you based on uh what area or what part of the world you're in my case i'll just go for europe london uk as that's the closest to me and i can then specify my plan and of course these are based on cpu uh intensive or cpu dedicated cpus high memory based lino's and gpu based cleaners as well which is great for password cracking that's something i'll probably want to cover in another video um so i'll click on a one gigabyte uh ram and one gigabyte oh sorry one cpu a linode which is a nanode and that's about five dollars a month which is perfect so that'll be fine for a wordpress server and i'll just call this wordpress development that's the name of the server so wordpress development and i'll enter a root password now you can see a very interesting thing here with most cloud providers and you know linux in particular is the ability to set up ssh keys which we'll be doing but there's a there's there's a flaw here by default and that is the fact that you'll be logging in directly to the server with the root user account which is our first order of business that we want to change so we will stick to you know authenticating with the password first and i'll not add an ssh key yet because we're going to add it for a different user so i'll hit create and that's going to create the linux instant in instance for us so i'll just wait for that to provision and to start and uh yeah i'll just wait for that to complete all right the node is created so we can actually get started so i'm just going to copy the ipv4 address here and we're going to log in using openssh or the openssh client now as i said i'm currently using linux ubuntu to be specific and of course you can log in with various other you know ssh clients like uh you have putty on windows and of course you have the open ssh client installed by default on macos i i believe and on linux it's pretty much the same so you want to make sure you have the openssh client installed so sudo apt install um open ssh and we want to specify the the open ssh client i believe there we are and i'll just specify my password here and that's gonna tell me it's already installed fantastic so to authenticate via ssh we say ssh we specify the username and we'll paste in the ip of the server hit enter that's going to ask us for the root password um that we specified so i'll just specify the root password here and we are logged in fantastic so now that we have access to the server we can we can get started with our first our first priority which is to add another user because if i currently list out the users on the system you can see apart from the other service based uh user accounts like mysql users which is for the database and dub dub dub data you can see that we only have the root user and we don't have any other user accounts which is is a problem because when we talk about the root account and uh in and permissions in regards to the power of the root account the root account is like the administrator account which means you can pretty much do anything and if an attacker is able to get access to the root account remotely they can pretty they pretty much take over the entire system they can change passwords for the users they can they can you know delete databases dump contents of databases so on and so forth so our first order of business is to disable the uh disable authentication remote authentication to the server with the root account and the way we do that is first of all we segregate duties on the server right so for the development team we'll create a user for them so that they don't have to use the the root user to log in so to do that we use the user add command so user add and i'll say m to create a home directory and we specify the shell which in this case is going to be bin bash right and and i'll create the username which is just going to be dev and i hit enter so we've added the user dev and if i just print out the users now you can see at the bottom we have the user dev right over here and the home directory is listed as home dev so the next thing we want to do is we want to assign a password to the user dev so i say password and i specify the user dev so i say password dev it's going to ask us to specify a password for the user dev which i will do and there we are so we have now added the user dev and we can try and switch to that user by using this uh super user or switch user there we are so we say su and we move on to the dev account and you can see we can log in directly and if i go to the home directory you can see we are currently sorry pwd we are currently in the home dev directory here we can also switch back to the root account um like so and it's going to ask us for the root account password which works out fine so we our first order of business as i mentioned is to log in as to disable uh authentication remote authentication uh with the root account and to do this we need to uh we need to take a look at the ssh or the open ssh daemon configuration file because the thing you have to understand about ssh it is a client server based connection which means there's the client and the server this particular server is running open ssh server so we need to configure the openssh server settings so we'll click we'll use an editor i'm using vim you can use nano so we want to go into the etsy directory so hc ssh and we're looking for sshd now the reason we're looking for sshd the d represents the daemon which essentially means the service or the server service and we're looking and the sshd configuration file so i'm just going to hit enter and this is the configuration file over here now there's tons of options that you can change and these options are not related uh you know only to security uh they also pertain or are also related to things like networking we can change the default port that the service is currently running on that's also very helpful sometimes and of course there's tons of other options that we can change now the option we're looking for is an option called permit root login now the interesting thing you'll see about this file is the syntax that is used now by default within configuration files a hash or a pound symbol represents a comment which means that line of code or that line is not active now if you see a line without a hash or a pound that means that that line is currently active in this case all the lines with hashes or pound or the pound symbols means they're left to their default values and open open ssh will will actually use that by default so any custom options will will not have the pound or the the hash symbol in this case permit root login is set to yes we want to disable that to know now note this does not mean we cannot use the root user that's something we'll be disabling in another video this just means we cannot access the server via ssh using the root user after this we'll only be able to access it using the dev user so we'll say permit root login to no we want to say no to that and then to save this file i'll just use wnq to write and quit and we can now quit there we are fantastic so now i can just exit from the server so i'll just exit from both users there we are and if i try and access the server using the root user again you'll see something interesting happen here and of course i think i'll be able to authenticate because i haven't restarted the service so i'll just do that right now so sudo system control uh restart ssh and i'll that will restart the service and if i try and log in again now it's gonna ask me for my password and if i enter the password it's gonna tell me i'm unable to authenticate so we'll just wait there we are permission denied try again and that doesn't necessarily mean that my uh my password is incorrect or i've done anything wrong it just means that i cannot log in to the root user uh with a password i cannot authenticate with the root user of issh and of course you can see that that that option is explicitly defined within the configuration file because it does it does offer a a reprieve in terms of security because a lot of attackers will target the root account because it off it offers the lowest hanging fruit um right so that means we can only access the server via the dev user all right so i'll open up the dev user right over here fantastic so i'll specify the um i'll specify the password for the dev user and i have access and of course i can switch back into the root user if i want to by saying su root and there we are fantastic so again i can i can always access the root user but that's something we'll also want to be disabling because uh the dev user if compromised can still in some way access the root account if they have the password in most cases that's not going to be the case but now we have to secure the dev user and the way we're going to be doing that is by using ssh keys now as i said we can set up ssh keys by default with the cloud provider likely known however that does it for the root user we want to do this for the dev user so we are slowly segregating and uh lowering our our security risk because we are setting up users based on privilege and number two we are also increasing the the amount of uh authentication security in place so to get started what we want to do is i'll open up a new tab on in my terminal here and we want to generate our ssh key now or you can generate your ssh key very very simply on linux by specifying ssh keygen so if i say ssh keygen like so you can see it gives me the ability to generate a key so sh key then i can then specify t rsa that is the pro the algorithm that is being used and on windows you can do it you can also generate your ssh keys using using putty if you want and i'm going to enter and it's going to tell us it's generating the public private rsa key pair and it's going to save it into the default home directory under ssh here in most cases you just want to leave that as it is so i'm just going to enter and it's going to tell me it already exists and i'm going to overwrite this for a very important reason i'll hit enter now ssh keys also allow you to specify a passphrase this is like two-factor authentication because in addition to your ssh keys uh you can also uh secure them with a password so if someone gets a hold of your ssh key they'll not be able to authenticate without that particular passphrase in my case i'm not going to enter a passphrase so i'm just going to hit enter right and your your uh your keys are going to be stored within your home uh your home directory under ssh and the file is going to be called id rsa that's your private key and you have idrsa.pub which means public in that we can list out the contents of my ssh directory here so ssh and um if i list it you can see we have the private key this is what we want to keep securely and we have the public key now of course when we talk about the the public key as i said we need to copy this onto the server so how do we do this well we can we can copy it manually however much easier way of doing it is through a utility called ssh copy id so we say ssh copy id and then we specify the user that we we want to authenticate as so dev at and then i paste in the ip of the server and i hit enter and that's going to copy our public key to the server so we're just going to wait for that to prompt us to authenticate with the password so it's going to say enter our password for the dev user so there we are it's going to now tell us the number of keys added is two right so we've added two keys here and um there we are so we've added our key and that means we can now authenticate to the um we can all authenticate to the server without entering a password for the dev user that's only for us however a password-based authentication is still available so i'll just explain this to you shortly so if i try and log in to the ssh to the server of issh using the dev user you'll see that i'll be able to log in without entering a password so i'll hit enter it's going to use my private key and again we'll just sorry that is an incorrect ip let me just paste in the correct one which is this one right over here if i just paste that in here and you can see i'll now be able to authenticate without entering any password there we are i'm now logged in as dev at the lynnode instance right over here so i didn't have to enter any password although password-based authentication is still set up now if i try and authenticate using another system like my windows system with putty and i'll just open up lynode and copy the ip there and i try and log in let's open up putty again uh like so you can see that it still is going to ask me for my password so i'll say you log in as dev it's going to ask me for my password and i can still log in regardless of whether i've set up an ssh key we need to remedy this the way we remedy this is by disabling uh password logins or disabling uh password-based authentication so what i'm going to do is i'm just going to minimize that and i'll switch into the root user so i'll say su root and it's going to ask me for my root password there we are and we'll go back into the sshd configuration file so we're looking into the hc ssh and sshd configuration file and we want to go we want to go all the way to the bottom here right over it should be over here uh under authentication we have changed permit root login to no and we just want to go slightly to the bottom here on under disable tunneled clear text password so to disable tunnel clear text passwords change to no here so for password authentication we want to disable this so we we again will just get rid of the the pound or the hash symbol and we're going to set the option to no right so we'll set that to no now what this means is that under no circumstance are we going to be able to access this server using passwords the only way we're going to be accessing this server is through our ssh keys so that's something you want to take into consideration before you activate this particular option or this particular setting make sure you have the ssh key available because there'll be no way you'll be able to get access to this via ssh then so i'll write in i'll write the changes and save it and again in this case i'll just restart ssh so system control restart ssh sorry ssh like so and if i now exit or i log out again on this system i'll be able to log in without the password because i have the ssh key and i can then share this ssh key with the development team and they'll be able to log in using the ssh key so if i hit enter you'll be able to see there we are i have access i still have access here however if i go on over to my windows system and i try and uh log in using putty so what i'll do is i'll just open up a new session here i'll close that one and i'll just copy the ip one more time here just to make sure i have the right one and uh i'll open up putty let me just load my profile hit open you can now see if i try and say login as dev it's going to give me an error telling me no supported authentication methods available server sent public key so again that means that now on this server there's no way we are authenticating with with any password of any kind regardless of the user so again we've disabled uh the root user logins which is very important number two we've set up and secured the other user account which is the dev user the only way anyone is logging onto it now is through the ssh key and of course as i said the ssh key is going to be under your home directory in ssh uh and it's um it's the the file that is in uh that we're referring to is the id rsa key right over here so this is the file you want to share with the development team and again they can then use it to log in however as i mentioned it's very important to take into consideration the fact that you want to keep the private key as personal and as private as possible that's the reason it has the name private uh now of course in the next videos we'll be talking about uh giving the dev uh the dev user account the appropriate permissions to run administrative tasks like installing software updating software and we'll also then go a step further by disabling the root account permanently so that you cannot even switch to it in the event an attacker is able to compromise the system through one of the lower privileged accounts like the dev user they'll not be able to get access to the root account that being said that's going to be it for this video let me know what you thought in the comments if you have any questions or suggestions and i'll be seeing you in the next video i just want to take a moment to thank all our patreons at patreon.com forward slash hackersploit for all the support your support and help is truly appreciated you keep us making uh newer and fresher and better content so i just want to say thank you to all the patreons so thank you murph the surf daniel bork jonathan kyle adam mack jamal guillory defean barry jeremy nikolai marie harrah max ciao dustin empress michael hubbard and jerry speds you
Share:
Paste YouTube URL
Enter any YouTube video link to get the full transcript
Transcript Extraction Form
How It Works
Copy YouTube Link
Grab any YouTube video URL from your browser
Paste & Extract
Paste the URL and we'll fetch the transcript
Use the Text
Search, copy, or save the transcript
Why you need YouTube Transcript?
Extract value from videos without watching every second - save time and work smarter
YouTube videos contain valuable information for learning and entertainment, but watching entire videos is time-consuming. This transcript tool helps you quickly access, search, and repurpose video content in text format.
For Note Takers
- Copy text directly into your study notes
- Get podcast transcripts for better retention
- Translate content to your native language
For Content Creators
- Create blog posts from video content
- Extract quotes for social media posts
- Add SEO-rich descriptions to videos
With AI Tools
- Generate concise summaries instantly
- Create quiz questions from content
- Extract key information automatically
Creative Ways to Use YouTube Transcripts
For Learning & Research
- Generate study guides from educational videos
- Extract key points from lectures and tutorials
- Ask AI tools specific questions about video content
For Content Creation
- Create engaging infographics from video content
- Extract quotes for newsletters and email campaigns
- Create shareable memes using memorable quotes
Power Up with AI Integration
Combine YouTube transcripts with AI tools like ChatGPT for powerful content analysis and creation:
Frequently Asked Questions
Is this tool really free?
Yes! YouTubeToText is completely free. No hidden fees, no registration needed, and no credit card required.
Can I translate the transcript to other languages?
Absolutely! You can translate subtitles to over 125 languages. After generating the transcript, simply select your desired language from the options.
Is there a limit to video length?
Nope, you can transcribe videos of any length - from short clips to multi-hour lectures.
How do I use the transcript with AI tools?
Simply use the one-click copy button to copy the transcript, then paste it into ChatGPT or your favorite AI tool. Ask the AI to summarize content, extract key points, or create notes.
Timestamp Navigation
Soon you'll be able to click any part of the transcript to jump to that exact moment in the video.
Have a feature suggestion? Let me know!Get Our Chrome Extension
Get transcripts instantly without leaving YouTube. Install our Chrome extension for one-click access to any video's transcript directly on the watch page.