The Biggest Linux Security Mistakes

Security is a journey, not a destination

After making a couple of videos on improving performance on desktop computers running Linux, I was overwhelmed by the sheer number of comments worried about mitigations. If that worries you, the mistakes covered here should worry you a lot more.

Website Guide: https://christitus.com/linux-security-mistakes/

Support My Work
———————————————————————————–
►► Chris Titus Tech Digital Downloads ➜ https://www.cttstore.com/downloads
►► Product and Service Recommendations ➜ https://christitus.com/recommendations
►► My YouTube Gear and Computers ➜ https://www.amazon.com/shop/christitustech

Other Places to Find Me
———————————————————————————–
►► Titus Tech Talk ➜ https://www.youtube.com/c/TitusTechTalk
►► Titus Tech Gaming ➜ https://www.youtube.com/c/TitusTechGaming
►► Chris Titus Crypto ➜ https://www.youtube.com/c/ChrisTitusCrypto
►► Twitch ➜ https://www.twitch.tv/christitustech
►► Twitter ➜ https://twitter.com/christitustech

DISCLAIMER: This video and description contain affiliate links, which means that if you click on one of the product links, I’ll receive a small commission. This helps support the channel and allows us to continue to make videos like this. Thank you for your support!


49 thoughts on “The Biggest Linux Security Mistakes”

  1. Those firewall rules are very easy to do with nftables and iptables. In nftables it takes less than 10 lines. Why would desktop users need to open incoming traffic to 80/443? Why would desktop users need to allow incoming SSH connections over IPv6? That makes it likely the SSH port is open to the whole world because IPv6 is not behind a NAT firewall and incoming connections on the router may not be blocked. LIMIT SSH in the firewall is not fail2ban, it is rate limiting connections to SSH. It's just slowing down the bruteforcing of SSH to where it's impractical. SSH needs to be secured on its own. Logins with passwords disabled, root logins disabled, all cryptography algos that you don't use disabled. mDNS is not just DNS. It's zeroconf Apple stuff that is usually useless and an extra liability. It should be disabled in systemd-networkd and its traffic blocked too.

  2. Why does just "ufw default deny" do nothing on my system, while "ufw default deny incoming/outgoing" does something? I am asking this because "ufw default deny" is what the Arch wiki example shows. Is the Arch wiki outdated here, or just completely wrong with its example??

  3. Chris, thanks for this video. The funny thing is, after applying the UFW rules, for some odd reason Brave was no longer able to access certain websites! I thought it was something else, but Firefox had no problems. I have to keep an eye on that Brave browser!

  4. I use gufw and I block the host and all my VMs, except one, for all inbound traffic. All PCs and VMs are connected to their own router, and there too all inbound traffic is blocked, password and user name are changed, and admin access is only allowed from the MAC addresses of my laptop and desktop. The backup server and laptop have a few open ports, but they are connected to my own router and they are only powered on for 1 to 2 hours per week. The easiest way to get into a desktop is of course through email, social media or the browser, basically everything that could seduce you to click on an infected file.

  5. Hey Chris, I was wondering if you could give some information on Pacstall. I just heard about it through another YT channel. My concern, after hearing that the packages being installed through it can be packaged by anyone, is: if that's true, how secure would that be? It kind of sounds very insecure. Thank you

  6. I don't think it's worth watching this video. 1. Limiting ssh is not required in the desktop case – usually there's no ssh server running, and if there is, then hacking the user password would take ages, and it's still not possible because the port is not forwarded; 2. adding repositories: it doesn't really matter, using any non-free repository can have a potential virus, and usually repositories aren't even running if they're outdated – the creator lost interest; 3. not using apparmor or selinux: apparmor (and selinux) are pretty much useless in the desktop case.

  7. I also like to lock down SSH by using the /etc/sshd_config such that root can't login through ssh, only certain users can login via ssh, and disable password authentication in favor of public key authentication. Then if I want to get real spicy I'll use my distros firewall to restrict incoming ssh requests by admin computer IP.
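The SSH lockdown described in comments 1 and 7 above, as an added worked example (this is not code from the video or from either commenter). The script applies sshd's own reading rules: keywords are case-insensitive, the first occurrence of a keyword wins, and the file normally lives at /etc/ssh/sshd_config. It reports which of the discussed settings are still at their OpenSSH defaults or weak, including KbdInteractiveAuthentication, which also has to be turned off or PAM can still accept a password after PasswordAuthentication is disabled. The two sample configs are constructed and the user name alice is hypothetical.

```python
"""Audit an sshd_config against the lockdown discussed above.

Added example, not from the video. Both sample configs are constructed.
"""
import re

# Values OpenSSH applies when the keyword is absent (see sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Older spelling that sshd still accepts for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Target values and why each one matters.
WANTED = {
    "permitrootlogin": ("no", "root may still log in directly"),
    "passwordauthentication": ("no", "passwords can be brute-forced"),
    "kbdinteractiveauthentication": ("no", "PAM keyboard-interactive can still accept a password"),
    "pubkeyauthentication": ("yes", "key-based login must stay enabled"),
    "permitemptypasswords": ("no", "empty passwords would be accepted"),
}


def effective_settings(config_text):
    """Return the global settings sshd would apply for this file.

    Keywords are case-insensitive and the FIRST occurrence wins, so a
    hardened line placed below a default line is silently ignored.
    Lines after the first 'Match' block are conditional and are skipped
    here (a simplification for this example).
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key in seen:
            continue
        seen.add(key)
        settings[key] = parts[1].strip()
    return settings


def audit(config_text):
    """Return (keyword, current, wanted, reason) tuples; empty means clean."""
    s = effective_settings(config_text)
    findings = []
    for key, (wanted, reason) in WANTED.items():
        if s.get(key, "").lower() != wanted:
            findings.append((key, s.get(key, "(unset)"), wanted, reason))
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("allowusers", "(unset)", "<admin accounts>",
                         "every local account may log in over SSH"))
    if s["maxauthtries"].isdigit() and int(s["maxauthtries"]) > 3:
        findings.append(("maxauthtries", s["maxauthtries"], "3",
                         "more guesses per connection than needed"))
    return findings


# Constructed: a stock-looking config with a 'fix' that never takes effect.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# duplicate keyword: sshd keeps the first value, so this line does nothing
PasswordAuthentication no
"""

# Constructed: the lockdown from the comments, for a hypothetical user alice.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers alice
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, cur, want, why in findings:
            print(f"  {key}: {cur} -> {want}  ({why})")
```

Run it against the live file with `audit(open("/etc/ssh/sshd_config").read())`, and cross-check with `sshd -T`, which prints the configuration sshd actually resolved, Match blocks included.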

  8. Chris, can you please update your The Ultimate Linux Gaming Guide on your site for Fedora 36? I want to install Nvidia drivers and Optimus, but every tutorial I found is for X.Org and/or for older versions of Fedora, and I'm on the Fedora 36 KDE spin and it uses Wayland.

  9. One of the first things I do is setting up ssh-keygen and blocking ssh access through a password. fail2ban is brilliant, and it is shocking to see in your logs how many login attempts you get in a day.
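The distinction comment 1 draws between rate limiting and fail2ban, and the log traffic comment 9 describes, as an added example (not code from the video, the commenters or the fail2ban project). fail2ban reads the real log and then adds the offending address to a firewall set for bantime; this script reproduces only the decision logic, a per-source count of failed password attempts within a sliding window, over constructed auth.log lines. The host name, PIDs and addresses are made up, the year is assumed (syslog timestamps carry none), and the maxretry/findtime parameters follow fail2ban's naming, with 3 attempts in 600 s chosen for the example (fail2ban's own defaults are 5 attempts in 10 minutes).

```python
"""fail2ban-style detection over constructed sshd log lines.

Added example; not the video's or fail2ban's code. The log lines,
host name, PIDs and addresses are made up for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(stamp, year=2022):
    """Syslog timestamps carry no year, so one is assumed (2022 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def scan(lines, maxretry=3, findtime=600):
    """Return (bans, failures).

    bans:     [(ip, time_of_ban)] in log order
    failures: {ip: total failed password attempts seen}

    An address is banned once it has maxretry failures within findtime
    seconds (a sliding window, like fail2ban's findtime/maxretry).
    Successful key logins and unrelated lines are ignored.
    """
    recent = defaultdict(deque)
    failures = defaultdict(int)
    bans, banned = [], set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        failures[ip] += 1
        if ip in banned:
            continue               # fail2ban would already be dropping this source
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()       # forget attempts older than the window
        if len(window) >= maxretry:
            bans.append((ip, t))
            banned.add(ip)
    return bans, dict(failures)


# Constructed log excerpt: one brute-forcer, one legitimate user who
# mistypes a password now and then, and a key login that must be ignored.
SAMPLE_LOG = """\
Jun 12 10:00:01 desk sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 12 10:00:03 desk sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jun 12 10:00:05 desk sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Jun 12 10:00:08 desk sshd[1207]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2: ED25519 SHA256:constructed
Jun 12 10:00:09 desk sshd[1209]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Jun 12 10:00:11 desk sshd[1211]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jun 12 10:20:30 desk sshd[1300]: Failed password for alice from 198.51.100.4 port 40004 ssh2
Jun 12 10:20:31 desk sshd[1302]: Failed password for alice from 198.51.100.4 port 40006 ssh2
""".splitlines()

if __name__ == "__main__":
    bans, failures = scan(SAMPLE_LOG)
    for ip, when in bans:
        print(f"ban {ip} at {when:%H:%M:%S}")
    for ip, n in failures.items():
        print(f"{ip}: {n} failed password attempts")
```

On a real machine feed it /var/log/auth.log or `journalctl -u ssh -o short`. The brute-forcer is banned on its third failure; alice's three failures are spread over twenty minutes and never fall inside one window, which is what separates this from ufw's LIMIT rule: that rule throttles a source (6 new connections in 30 seconds) but forgets it at once, while fail2ban keeps the block for its bantime.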

  10. Hi Chris, thank you for these great tips. Can you do a video (or two videos, one on each) about how to configure and use SELinux and AppArmor?

  11. I actually completely disagree with you when it comes to fail2ban and firewalls. While neither of those things are bad, they're honestly secondary defenses.
    Fail2ban is kinda pointless if you're using rsa key login. The universe will likely already have suffered a heat death before someone bruteforces an ssh key. Unless you're using a super high entropy password, you're better off generally just disabling password login in ssh or any other service you're using and going along with rsa keys. But, if you are using password login, then fail2ban can really help (but again, why use password login in the first place? the better, more secure option is to use rsa keys).
    Firewalls give people a false sense of security and are (almost) completely pointless. About the only time that a firewall actually helps is when someone has already in some way infiltrated your server and opens up an application listening (or phoning home) on an unused port. Firewalls will mitigate that–and basically only that–one single attack vector. In fact, if someone is able to actually hack your server, say by using some server side attack by some vulnerability in your php application and gain root access, your firewall isn't going to do anything because they can just disable it. Even more, if you don't have any applications listening on those ports, then there's not really even a need to shut down those ports (except see the earlier attack I was talking about, which is actually a pretty niche case). Honestly, for me, the most helpful thing about a firewall is that it forces me to think about what applications are critical to the server or not, and that can be solved by just planning better rather than relying on a complex piece of software to do your thinking for you.
    Fail2ban and firewalls are the absolute most overrated security "hardening" tips. They do more to make you feel safe rather than actually make you safe.
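The one case comment 11 concedes for a host firewall, a process listening on a port nobody intended, is something you can check for directly. Added example, not code from the video or the commenter: it parses the output of `ss -Hlntu` (header suppressed, listening TCP and UDP sockets, numeric ports), ignores sockets bound only to loopback, and reports every network-reachable port that is not on an allowlist. The sample output is constructed; the tcp/4444 listener stands in for the unwanted program the comment describes, udp/5353 is the mDNS responder comment 1 mentions, and the allowlist of just SSH is an assumption for a desktop.

```python
"""Flag network-reachable listeners that are not on an allowlist.

Added example; not from the video. SS_OUTPUT is constructed to look
like `ss -Hlntu` output (no header, listening tcp+udp, numeric ports).
"""
import ipaddress

# Constructed sample: ss prints netid, state, recv-q, send-q, local, peer.
SS_OUTPUT = """\
tcp   LISTEN 0      128          127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096              [::]:22            [::]:*
tcp   LISTEN 0      128            0.0.0.0:4444       0.0.0.0:*
udp   UNCONN 0      0              0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0        127.0.0.53%lo:53         0.0.0.0:*
"""

# What this desktop is allowed to expose (assumption: only SSH).
ALLOWED = {("tcp", 22)}


def parse_ss(text):
    """Yield (proto, address, port) for each socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        # strip IPv6 brackets and a scope suffix such as %lo
        addr = addr.strip("[]").split("%")[0]
        yield proto, addr, int(port)


def reachable_from_network(addr):
    """Loopback-only bindings cannot be hit from the LAN or the Internet."""
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True            # '*' or a hostname: treat as exposed


def unexpected_listeners(text, allowed=ALLOWED):
    """Return sorted (proto, port) pairs that are exposed but not allowlisted."""
    return sorted({
        (proto, port)
        for proto, addr, port in parse_ss(text)
        if reachable_from_network(addr) and (proto, port) not in allowed
    })


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SS_OUTPUT):
        print(f"unexpected {proto}/{port} reachable from the network")
```

On a live system pass it `subprocess.run(["ss", "-Hlntu"], capture_output=True, text=True).stdout`. Everything it reports is either a service to allow explicitly or a process to investigate; the CUPS and systemd-resolved sockets bound to loopback are left alone. A default-deny inbound policy is what keeps the tcp/4444 case unreachable even while the process is running, which is the scenario the comment above describes.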

  12. When are people gonna get sick and tired of these vids where someone simply "shows off"? These people who make these vids are sick puppies.

  13. The number of people who use a live demo USB and then put in their passwords for Gmail, Yahoo, etc… Let alone that anyone with the IP address can easily log in to your live demo USB.

  14. Opinion: I know Linux is extremely customizable, and apart from other issues like fragmentation and lack of app support, Linux is just plain ugly; I have yet to see a Linux OS that looks better than macOS. Even Windows 11 looks better than most Linux OSes. I'm not trying to be inflammatory, just pointing out that what most Linux people brag about isn't appealing to the average user.

  15. SELinux is enabled by default in Fedora Workstation; it's not in permissive mode, and the rules these days are generally pretty decent, so you typically don't get spammed with alerts anymore. In terms of firewall, as a lot of people have already mentioned, Fedora comes with firewalld enabled and configured; you just need to set the profile (in KDE you can do it directly from the NIC configuration) and you can configure additional rules if needed using the firewall-cmd command.

  16. Thanks for the information, I'm always learning from your videos. I wonder if you might be able to comment on the proper configuration when running virtual machines on a Linux desktop using QEMU / KVM. Is it sufficient to run a firewall on only the host machine? Are there any special considerations when setting up QEMU? Perhaps the subject for another video…. Thanks again!

  17. Great video, thank you! I'm currently a Junior Penetration Tester, and I think this touches on something we don't generally get taught.

    Load up Kali, fire off nmap, poke a few ports and send off a fairly standard report full of accepted mitigations.

    More videos on general hardening for Mac, Linux and Windows (I know, Windows will take years off your life) would help to give something different back to clients on top of the usual advice. I don't know anyone at work who's ever mentioned it.

  18. I let pfSense handle all my firewall rules, as its firewall protects you in your local network and on the internet, and frankly it's a pain in the arse to be double firewalled.

  19. Thanks for this video. Please make a video about AppArmor and how to use it in the correct way. This application is on my Linux system and I did not notice it before I watched your video. So I hope there is time to do that; otherwise give me a hint where I can look at the right way. Thanks for helping me understand Linux better.

  20. Linux desktop by default is pretty much insecure. But almost none of these points matter.

    On a NAT network like home, a firewall is not that useful. Also there is no point in allowing the 80 and 443 incoming ports. Usually people don't run a web server on a desktop.

    Repo pinning is a valid point, but a better approach would be not to add a repo at all. Use a container like podman for such software.

    SELinux or AppArmor comes by default on standard desktops like Fedora or Ubuntu. These are MAC and have nothing to do with app security. For that, use a sandbox like bubblewrap (Flatpak), Landlock and a secure display protocol like Wayland.
