Quick Tips to Improve Linux Security on Your Desktop, Laptop, or Server (Beginner Strengthening)

HomeOther ContentQuick Tips to Improve Linux Security on Your Desktop, Laptop, or Server (Beginner Strengthening)
Channel: The Linux Experiment Sourced: Youtube Published 9 months ago
Quick Tips to Improve Linux Security on Your Desktop, Laptop, or Server (Beginner Strengthening)
Quick Tips to Improve Linux Security on Your Desktop, Laptop, or Server (Beginner Strengthening)
Try Proton Mail, the secure email that protects your privacy: https://proton.me/mail/TheLinuxEXP

Get a brand new laptop or desktop running Linux: https://www.tuxedocomputers.com/en#

SUPPORT THE CHANNEL:
Access a weekly podcast, vote on the next topics I cover and get your name in the credits:

YouTube: https://www.youtube.com/@thelinuxexp/join
Patreon: https://www.patreon.com/thelinuxexperiment
Liberapay: https://liberapay.com/TheLinuxExperiment/

Or you can donate what you want: https://paypal.me/thelinuxexp

GET TLE PRODUCTS
Support the channel AND get cool new hardware: https://the-linux-experiment.creator-spring.com/

️ LINUX AND OPEN SOURCE NEWS PODCAST:
Hear the latest Linux and open source news, with deeper, ad-free coverage! https://podcast.thelinuxexp.com

FOLLOW ME ELSEWHERE:
Website: https://thelinuxexp.com
Mastodon: https://mastodon.social/web/@thelinuxEXP
Pixelfed: https://pixelfed.social/TLENick
PeerTube: https://tilvids.com/c/thelinuxexperiment_channel/videos
Discord: https://discord.gg/mdnHftjkja

#Linux #security #cybersecurity

00:00 Introduction
00:56 Sponsor: Proton Mail
02:32 Software and updates
04:04 Services and SSH
06:38 User management
10:10 a.m. Physical security
11:35 a.m. SELinux, AppArmor and firewall
14:04 Parting thoughts
3:15 p.m. Sponsor: Get a PC designed to run Linux
4:30 p.m. Support the channel

Password complexity tips: https://www.networkworld.com/article/2726217/how-to-enforce-password-complexity-on-linux.html

Tips for securing SSH: https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html

The more software you use, the larger the attack surface of your Linux installation. It's always good to take a look at all installed apps and libraries and remove the ones you no longer use. You can also remove packages that aren't linked to anything else and aren't used by anything.

On Debian or Ubuntu, for example, you can find them by running sudo apt autoremove

And on a desktop, you're probably already applying updates or your distribution has automatic updates enabled. But on a server it's easy to let things go and forget to log in regularly and make sure things are up to date. I am guilty of this myself.

And just like with packages, libraries, and applications, you also need to make sure that you're only running the services that you actually use. You can list all services run with:

systemctl file-device-list

To stop a service you don't need, you can run

systemctl stop SERVICE

To prevent the service from starting with the system, you can run

systemctl disable SERVICE

If you are on a server, the general rule is also NOT to run a graphical desktop there. It will often be much more secure to use SSH to connect to the server remotely.

But you may also need to secure SSH first. If you have multiple users, make sure only those who need it have SSH access. To do this, you can edit the /etc/ssh/sshd_config file, and type AllowUsers then the names of the users who will actually have access to SSH.

Now, what can be helpful in general, for a server or desktop, is to make sure that all users are properly managed. The first thing will be to disable root login.

If you decide to disable the root account, make sure at least one user has administrator privileges, otherwise you will have a system with no way to access a task with sudo. Once you are sure everything is fine, you can use the following method:

Edit /etc/passwd and change the first line, replacing /bin/bash, or whatever root shell is currently logging into, with /sbin/nologin (or /usr/sbin/nologin depending on the distribution)

If you prefer, you can simply disable root login via SSH, so the account will still be there if you want it locally, but remote attackers won't be able to log in as root. To do this, you can edit /etc/ssh/sshd_config and uncomment the PermitRootLogin line, then set its value to no. Restart SSH with sytemctl restart sshd and you're done.

To remove the ability to use USB, Thunderbolt or Firewire, you can add the following lines to their respective files (create them if necessary). To reverse this, simply delete the lines that were added in the different files by the commands.

Add: install usb-storage /bin/true in /etc/modprobe.d/disable-usb-storage.conf
Add Firewire-core blacklist to /etc/modprobe.d/firewire.conf
Add Thunderbolt to blacklist at /etc/modprobe.d/thunderbolt.conf

Please take the opportunity to connect and share this video with your friends and family if you find it useful.

No Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Privacy Policy | Terms of Services | Contact us | DMCA

We adhere to fair use guidelines when quoting from other sources. We provide brief excerpts and proper attribution.

Redway © 1999-2024