YouTube Transcript:
Linux Security - SSH Security Essentials
[Music]
before we get started with today's video
i just want to take you through the
structure of
this particular series um so i've
actually partnered with linode to bring
you this series
this series will involve two parts so if
you head over to linode.com under
events you should find the hackersploit
linode live
linux server security series and you can
just click on more info here
so this series is going to be a 12-part
series on how to set up secure and audit
linux servers
uh and we'll begin on the 1st of
october
and the first series will be available
on youtube and will include ssh security
essentials configuring sudo access
securing apache 2
securing nginx and the uncomplicated
firewall
the second part of the series will be
hosted on linode live
and it's absolutely free you don't have
to pay anything
and again you can access you can
actually register for that there this is
going to be an
advanced series that will build up or
build off
the first series and we'll cover things
like brute force protection
iptables wordpress security and
security auditing on linux with
the linux tool um so to access that just
click on the registration link
on on the on24 platform and that will
take you here so that will give you an
idea of all the various webcasts
and when they're going to be posted and
it'll give you a summary of what will be
covered exactly these are advanced uh
webcasts that will be about 40 minutes
and you can register for them absolutely
free of charge we've also
partnered with linode to give you guys a
free credit uh so again if you
are interested in using linode for your
virtual private server or for your
hosting whether you're a developer or an
administrator uh you can get a hundred
dollars of 90 day credit
uh and this is for new accounts um so
that's fantastic
definitely do take advantage of this if
you're getting started with linux or
you're actually following uh you're
following along with this series
however make sure to actually redeem
this offer or this code
uh which is under promo.linode.com
and the code is hackersploit100 this
offer will only be limited till the
15th of december so definitely check
that out that being said let's get
started with today's video
hey guys hackersploit here back again
with another video welcome to the linux
security series
in this particular series we're going to
be taking a look at how to secure linux
systems and
more specifically linux servers now as
you've read from the title this video is
going to be about ssh security
so i'll be taking you through all these
essentials of securing ssh
we're not going to be taking a look at
brute force protection where i'm just
going to be showing you how to secure
ssh
and how to go about setting up ssh
securely
now in this particular video or in this
particular series we'll be following a
very important
a premise here or an example if you will
and the reason i'm doing this is to give
the videos a bit more context in in
regards to how you can apply these
techniques yourself when setting up a
server regardless of whether it's a
personal server
or whether you're setting up one for
your organization or for your company it
really doesn't matter
so the way i'm going to be doing this is
i'm going to be using
somewhat intricate but basic examples
again to give you
a better idea of of how you can apply
these techniques so
in this particular case uh we are going
to take a simple example of
the fact that i'm an administrator and
i've been
hired uh to again manage the company's
linux servers
on the cloud and also some various
on-premises servers that they have
and the development team that's
responsible for developing the web
applications that they have actually
told me the linux administrator to fire
up a few servers on the cloud
or virtual private servers uh for
wordpress
for a wordpress website so we have been
given that
that particular role or that particular
task and
our first order of business is to set up
remote authentication so that the
development
team can connect to the server and do
whatever they want and of course they're
going to be using ssh to do this so ssh
stands for secure shell it is a
remote authentication and remote control
remote
remote control protocol and it allows
you to connect to
linux servers remotely or even windows
servers
right so now that we have set up the
premise we can actually get started now
uh we have partnered with linode to
actually give you guys
some free credits or free access and you
can access this uh by going to
linode.com
and take a look at hackersploit so forward
slash hackersploit
and that will give you a free 20 credit
so you can actually
get started and follow along with this
if you want to uh and again you can
create as many linodes as you want
and you get about 20 dollars which is
fantastic
excellent so we can now get started now
this is my dashboard
and you can see where we're going or
following along with the premise and
these are the servers that i'm currently
managing and i have the marketing server
and a project management server here
and now we've been told to create a new
linux server
with wordpress installed and we can go
about setting up
the security from the ground up so the
first thing we're going to do
is we're going to create a new linode so
i'll click on new linode
and again i can set up wordpress
manually or i can go into the
marketplace here which is great
a great feature offered by linode and i
have all of these
applications that again are
pre-configured to work
right out of the box so i can set up a
lamp server a lamp server
i can also set up a postgresql database
an open vpn
instance so that i can actually set up
my own openvpn server and then of course
we have the game servers which is
awesome
we have we also have the ability to set
up docker
which is fantastic you can actually just
get started immediately without setting
up or installing anything
in our case we're going for wordpress um
so i'm just going to go to the bottom
it's going to ask us for the wordpress
options
so again the development team is has
given us some some basic credentials and
of course
we're just going to uh we're going to
improvise a little bit so the user is
going to be user at uh test.com
and the admin username is going to be
admin and of course i don't recommend
doing that but that's
another topic for another video and then
of course for the password we're going
to give it a super secure password right
so i'll give it the best password i can
and we're going to disable this
gradually as we as we move along because
password-based authentication with ssh
is
not really recommended uh because you
know attackers can brute force the
server or brute force ssh
we then need to provide the database
password which again make sure that is
equally as
secure and linode gives you a password
strength um
level right over here and the website
title we're just going to call this
development
development site this is where the you
know the development team is
going to just work on uh various
betas or new new web apps that they're
currently working on
and we don't have a domain yet so we're
not mapping it and the default uh
image is going to be debian which is
perfectly fine i then specify the region
and of course you can specify the region
that's most uh appropriate or
advantageous to you based on
uh what area or what part of the world
you're in
my case i'll just go for europe london
uk as that's the closest to me
and i can then specify my plan and of
course these are based on cpu uh
intensive or cpu dedicated cpus high
memory
based linodes and gpu based linodes as
well which is great for
password cracking that's something i'll
probably want to cover in another video
um so i'll click on a one gigabyte uh
ram and one gigabyte oh sorry one cpu
a linode which is a nanode and that's
about five dollars a month
which is perfect so that'll be fine for
a wordpress server
and i'll just call this wordpress
development that's the name of the
server so wordpress development
and i'll enter a root password now you
can see a very interesting thing here
with most cloud providers and you know
linode
in particular is the ability to set up
ssh keys
which we'll be doing but there's a
there's there's a flaw here by default
and that is
the fact that you'll be logging in
directly to the server with the root
user account which is
our first order of business that we want
to change so we will stick to
you know authenticating with the
password first and i'll not add an ssh
key
yet because we're going to add it for a
different user
so i'll hit create and that's going to
create the linode
instance for us so i'll just wait for
that to provision and to start and uh
yeah i'll just wait for that to complete
all right the node is created so we can
actually get started so i'm just going
to copy the ipv4 address here and we're
going to log in
using openssh or the openssh client now
as i said i'm currently
using linux ubuntu to be specific and of
course you can log in with various other
you know ssh clients like uh you have
putty on windows
and of course you have the open ssh
client installed by default on macos i i
believe
and on linux it's pretty much the same
so you want to make sure you have the
openssh client installed so sudo apt
install
um open ssh and we want to specify the
the open ssh client i believe there we
are and i'll just specify my password
here
and that's gonna tell me it's already
installed fantastic so to authenticate
via ssh we say ssh we specify the
username and
we'll paste in the ip of the server hit
enter that's going to ask us for the
root password um that we specified so
i'll just specify the root password here
and
we are logged in fantastic so now that
we have access to the server we can we
can get started with our first
our first priority which is to add
another user because
if i currently list out the users on the
system
you can see apart from the other service
based uh user accounts like mysql users
which is for the database and
www-data
you can see that we only have the root
user and we don't have any other user
accounts which is
is a problem because when we talk about
the root account
and uh in and permissions in regards to
the power of the root account
the root account is like the
administrator account which means you
can pretty much do
anything and if an attacker is able to
get access to the root account
remotely they can pretty they pretty
much take over the entire system they
can change passwords for the users they
can
they can you know delete databases dump
contents of databases so on and so forth
so
our first order of business is to
disable
the uh disable authentication remote
authentication to the server
with the root account and the way we do
that is first of all we segregate
duties on the server right so for the
development team we'll create
a user for them so that they don't have
to use the
the root user to log in so to do that we
use the useradd command so useradd
and i'll say -m to create a home
directory and we specify the shell
which in this case is going to be
/bin/bash right and
and i'll create the username which is
just going to be dev and i hit enter so
we've added the user dev
and if i just print out the users now
you can see at the bottom we have the
user dev right over here and the home
directory
is listed as home dev so the next thing
we want to do is we want to assign a
password to the user dev so i say
passwd
and i specify the user dev so i say
passwd dev it's going to ask us to
specify a password for the user dev
which i will do and there we are so we
have now
added the user dev and we can try and
switch to that user by using this uh
super user or switch user there we are
so we say su
and we move on to the dev account and
you can see we can log in directly
and if i go to the home directory
you can see we are currently sorry pwd
we are currently in the home dev
directory here
we can also switch back to the root
account um like so and it's going to ask
us for the root account password
which works out fine so we our first
order of business as i mentioned
is to log in as to disable uh
authentication remote authentication
uh with the root account and to do this
we need to uh
we need to take a look at the ssh or the
open ssh daemon configuration file
because the thing you have to understand
about ssh it is a client server based
connection
which means there's the client and the
server this particular server is running
open ssh server so we need to
configure the openssh server settings so
we'll click we'll use
an editor i'm using vim you can use nano
so we want to go into the /etc directory
so
/etc/ssh and we're looking for sshd
now the reason we're looking for sshd
the d represents the daemon which
essentially means the service or the
server service and we're looking
and the sshd configuration file so i'm
just going to hit enter
and this is the configuration file over
here now there's tons of options that
you can change
and these options are not related uh you
know only to security
uh they also pertain or are also related
to things like networking we can change
the
default port that the service is
currently running on that's also very
helpful sometimes
and of course there's tons of other
options that we can change now the
option we're looking for
is an option called PermitRootLogin
now the interesting thing you'll see
about this file
is the syntax that is used now by
default within configuration files
a hash or a pound symbol represents a
comment which means that line
of code or that line is not active now
if you
see a line without a hash or a pound
that means that that
line is currently active in this case
all the lines with hashes or pound or
the pound symbols means they're left to
their default values
and open open ssh will will actually use
that by default
so any custom options will will not have
the pound or the
the hash symbol in this case
PermitRootLogin is set
to yes we want to disable that to no
now note this does not mean we cannot
use the root user that's something we'll
be disabling
in another video this just means we
cannot access
the server via ssh using the root user
after this we'll only be able to access
it using the dev user
so we'll say PermitRootLogin to no we
want to say no to that
and then to save this file i'll just use
:wq
to write and quit and we can now quit
there we are fantastic
so now i can just exit from the server
so i'll just exit from both users there
we are
and if i try and access the server using
the root user again
you'll see something interesting happen
here and of course i think i'll be able
to authenticate because i haven't
restarted the service
so i'll just do that right now so sudo
systemctl uh restart
ssh and that will restart the
service and if i try and log in again
now it's gonna ask me for my password
and if i enter the password
it's gonna tell me i'm unable to
authenticate so we'll just wait there we
are permission denied try again
and that doesn't necessarily mean that
my uh my password is incorrect or i've
done anything wrong
it just means that i cannot log in to
the root user
uh with a password i cannot authenticate
with the root user via ssh and of course
you can see that that
that option is explicitly defined within
the configuration file because
it does it does offer a a reprieve in
terms of security because
a lot of attackers will target the root
account because it off
it offers the lowest hanging fruit um
right so that means we can only access
the server via the dev user
all right so i'll open up the dev user
right over here fantastic so i'll
specify the
um i'll specify the password for the dev
user and i have access and of course
i can switch back into the root user if
i want to by saying su
root and there we are
fantastic so again i can i can always
access the root user but that's
something we'll also want to be
disabling because
uh the dev user if compromised can still
in some way
access the root account if they have the
password in most cases that's not going
to be the case
but now we have to secure the dev user
and the way we're going to be doing that
is
by using ssh keys now as i said
we can set up ssh keys by default with
the cloud provider like linode however
that does it for the root user
we want to do this for the dev user so
we are slowly segregating
and uh lowering our our security risk
because we are setting up users based on
privilege
and number two we are also increasing
the
the amount of uh authentication security
in place
so to get started what we want to do is
i'll open up a new tab on in my terminal
here
and we want to generate our ssh key now
or you can generate your ssh key
very very simply on linux by specifying
ssh-keygen
so if i say ssh-keygen
like so you can see it gives me the
ability to generate a key so
ssh-keygen i can then specify -t rsa
that is the pro
the algorithm that is being used and
on windows you can do it you can also
generate your ssh keys
using using putty if you want and i'm
going to
enter and it's going to tell us it's
generating the public
private rsa key pair and it's going to
save it into the default home directory
under ssh here
in most cases you just want to leave
that as it is so i'm just going to enter
and it's going to tell me it already
exists and i'm going to overwrite this
for a very important reason i'll hit
enter
now ssh keys also allow you to specify a
passphrase this is like two-factor
authentication because
in addition to your ssh keys uh you can
also
uh secure them with a password so if
someone gets a hold of your ssh key
they'll not be able to authenticate
without that particular passphrase in my
case i'm not going to enter a passphrase
so i'm just going to hit enter right and
your your uh your keys are going to be
stored
within your home uh your home directory
under ssh
and the file is going to be called
id_rsa that's your private key
and you have id_rsa.pub which means
public in that we can
list out the contents of my ssh
directory here
so ssh and um if i list it you can see
we have the private key this is what we
want to keep securely
and we have the public key now of course
when we talk about
the the public key as i said we need to
copy this onto the server
so how do we do this well we can we can
copy it manually however much easier way
of doing it
is through a utility called ssh-copy-id
so we say ssh-copy-id
and then we specify the user that we
we want to authenticate as so dev
at and then i paste in the ip of the
server and i hit enter and that's going
to copy our public key to the server
so we're just going to wait for that to
prompt us to authenticate with the
password
so it's going to say enter our password
for the dev user so there we are
it's going to now tell us the number of
keys added is two
right so we've added two keys here and
um there we are so we've added our key
and that means we can now authenticate
to the um
we can all authenticate to the server
without entering a password for the dev
user that's only for
us however a password-based
authentication is still available so
i'll just explain this to you shortly so
if i try and log in to the ssh
to the server via ssh using the dev user
you'll see that i'll be able to log in
without entering a password so i'll hit
enter
it's going to use my private key and
again we'll just
sorry that is an incorrect ip let me
just paste in the correct one
which is this one right over here if i
just paste that in here
and you can see i'll now be able to
authenticate without entering any
password there we are
i'm now logged in as dev at the linode
instance right over here
so i didn't have to enter any password
although password-based authentication
is still set up
now if i try and authenticate using
another system like my windows system
with putty
and i'll just open up linode and copy
the ip there and i try and log in
let's open up putty again uh like so
you can see that it still is going to
ask me for my
password so i'll say you log in as dev
it's going to ask me for my password
and i can still log in regardless of
whether i've set up an ssh key we need
to remedy this
the way we remedy this is by disabling
uh password logins or disabling uh
password-based authentication so what
i'm going to do is i'm just going to
minimize that and i'll switch into the
root user
so i'll say su root and it's going to
ask me for my root password
there we are and we'll go back into the
sshd
configuration file so we're looking into
the
/etc/ssh and sshd
configuration file and we want to go
we want to go all the way to the bottom
here right over
it should be over here uh under
authentication
we have changed permit root login to no
and we just want to go slightly to the
bottom here on
under disable tunneled clear text
password so
to disable tunnel clear text passwords
change to no here so
for password authentication we want to
disable this so we
we again will just get rid of the the
pound or the hash symbol
and we're going to set the option to no
right so we'll set that to no
now what this means is that under no
circumstance are we going to be able to
access this server
using passwords the only way we're going
to be accessing this server
is through our ssh keys so that's
something you want to take into
consideration before you activate this
particular option or this particular
setting
make sure you have the ssh key available
because there'll be no way you'll be
able to get access to this via ssh then
so i'll write in i'll write the changes
and save it and again in this case i'll
just restart ssh so
systemctl restart ssh
sorry ssh like so and if i now exit or i
log out
again on this system i'll be able to log
in without the password because i have
the ssh key
and i can then share this ssh key with
the development team and they'll be able
to log in using the ssh key
so if i hit enter you'll be able to see
there we are i have access i still have
access here
however if i go on over to my windows
system and i try and
uh log in using putty so what i'll do is
i'll just
open up a new session here i'll close
that one
and i'll just copy the ip one more time
here just to make sure i have the right
one
and uh i'll open up putty
let me just load my profile hit open
you can now see if i try and say login
as dev it's going to give me an error
telling me no supported authentication
methods available
server sent public key so again that
means that
now on this server there's no way we are
authenticating with
with any password of any kind regardless
of the user
so again we've disabled uh the root user
logins which is very important number
two
we've set up and secured the other user
account which is the dev user the only
way
anyone is logging onto it now is through
the ssh key
and of course as i said the ssh key is
going to be under your home directory in
ssh
uh and it's um it's the the file that is
in uh
that we're referring to is the id_rsa
key right over here so this is the file
you want to share with the development
team
and again they can then use it to log in
however as i mentioned it's very
important
to take into consideration the fact that
you want to keep the private key
as personal and as private as possible
that's the reason it has the name
private uh now of course in the next
videos we'll be talking about uh giving
the dev uh the dev user account the
appropriate permissions to run
administrative tasks
like installing software updating
software and we'll also then go a step
further
by disabling the root account
permanently so that you cannot even
switch to it in the event an attacker is
able to compromise the system
through one of the lower privileged
accounts like the dev user they'll not
be able to get
access to the root account that being
said that's going to be it for this
video
let me know what you thought in the
comments if you have any questions or
suggestions and i'll be seeing you
in the next video i just want to take a
moment to thank all our patreons at
patreon.com forward slash hackersploit
for all
the support your support and help is
truly appreciated you keep us making uh
newer and fresher
and better content so i just want to say
thank you to all the patreons
so thank you murph the surf daniel bork
jonathan kyle
adam mack jamal guillory defean barry
jeremy nikolai
marie harrah max ciao dustin empress
michael hubbard and jerry speds
you
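
The two sshd_config changes made in the walkthrough (PermitRootLogin and PasswordAuthentication set to no) can be checked with a short script. This is an added example, not code from the video; the function names and the sample configurations are constructed for illustration, and the script assumes a single file with no Include directives.

```shell
#!/bin/sh
# Added example, not from the video: check the two sshd_config settings the
# walkthrough changes. sshd uses the FIRST active occurrence of a keyword,
# keywords are case-insensitive, and lines starting with '#' are comments.
# Limits of this sketch: it reads only the global section (stops at the first
# Match block) and does not follow Include directives.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and value are separated by whitespace or "="
            n = split(line, parts, "[ \t=]+")
            key = tolower(parts[1])
            if (key == "match") exit           # per-user overrides start here
            if (key == want && n >= 2) { print tolower(parts[2]); exit }
        }
    ' "$1"
}

# Return 0 only if root login and password authentication are both "no".
audit_sshd() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_effective "$1" "$kw")
        case "$val" in
            no) echo "OK    $kw no" ;;
            "") echo "WARN  $kw not set, the compiled-in default applies"; rc=1 ;;
            *)  echo "FAIL  $kw $val"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (state name in $1, output path in $2).
write_sample() {
    case "$1" in
        before)   # as found on the fresh server in the video
            printf '%s\n' '# Authentication:' 'PermitRootLogin yes' \
                          '#PasswordAuthentication yes' ;;
        after)    # both edits applied
            printf '%s\n' '# Authentication:' 'PermitRootLogin no' \
                          'PasswordAuthentication no' ;;
        shadowed) # "no" appended at the end, but an earlier active line wins
            printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication yes' \
                          '# hardening' 'PasswordAuthentication no' ;;
    esac > "$2"
}

# Demo run over the three constructed states.
tmp=$(mktemp)
for state in before after shadowed; do
    write_sample "$state" "$tmp"
    echo "== $state =="
    audit_sshd "$tmp" || true
done
rm -f "$tmp"
```

On a live server, `sshd -t` validates the file before the service is restarted and `sshd -T` prints the settings sshd will actually use.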