In this video, you will learn how to secure a web server. The parts of the video are ufw setup, ssh keys, system modifications for networking, and checking which ports are open.
Webpage Guide: https://www.christitus.com/secure-web-server/

If you need to know how to set up a web server, here is the video I did that goes over setting it up from scratch:
https://youtu.be/1JBCKNIT2Ys
thank you … for the lesson 🙂
This is just great, the best I've seen in past few years. Thanks
Chris, am putting up virtualized servers, web & email & DNS. Should I consider a Sonicwall TZ-300 (my line is 300/25Mb) TZ can do 750Mb. Robust enough? Consider something like their NSA series instead?
Please, what can I do? This is really urgent.
or probably PubKeyAuthentication was set to no
Please, what can I do? I mistakenly set "PermitRootLogin" to "yes", and now I can't log in; it's telling me permission denied.
I always always always recommend people set up a passphrase on their SSH keys. Being able to jump from box to box without entering a password is convenient, but I feel like people should remember that outside of SSH keys, we call that a backdoor.
Very helpful, I will definitely use this advice.
13:06 I already did the root login no on my server. I also changed the SSH port because port 22 is a big target. Using limit like you did is another good way to limit the number of hits on the SSH port. Thanks for this video. Also Fail2ban is another option which temporarily bans an IP with too many wrong login attempts.
Hey Chris,
Better late than never. I'm looking for ways to secure ssh against attacks, mainly so I can ssh between my machines. Your video is exactly what I was looking for. Thanks 2 years later. 😂
Hi Chris, fabulous video. I have a question please.. I have followed your instructions and everything works like charm, but can I use the same steps to secure a DNS server? Will it have any impact on the functionality?
what do you do if brute force SSH is tried on your server but on different/random ports? Does UFW offer some filter by protocol instead of by port?
I always come back and watch this from time to time- some very good fundamental information. Thought it'd make good practice for securing a local IRC daemon machine. Appreciate the detail you went into!
I just stumbled onto your video and want to say thank you! Very informative and understandable…… If there is a "better" way 2 years later.. would you do an update video on this topic?
Chris! I've come back to this video as I'm starting up a minecraft server again. nearly the end of the video I realized I am not subscribed anymore, albeit I WAS subscribed with the bell rung to All. Just thought I should post this comment as this isn't the first time youtube has auto-unsubbed me. Also, thanks for all the various ways you have helped me!
Thank you so much. This was extremely helpful
One good advice, always have some reverse proxy on other ip, so you don't expose your main server's ip. There are attacks you can't defend from because for example your channel isn't wide enough. If you're getting attacked you can just swap that proxy with some better solution without reinstalling everything
21:05 fail2ban doesn't detect DDoS I think
Do you have a tripwire video?
Great stuff
does this hurt SEO?
After installing Fail2Ban it says this code is bad /etc/host.conf
order bind,hosts
multi on
nospoof on
That’s a pretty nice IP address
You losing your touch, horrible and sloppy video.
I have a server in my home that has all the ssh access to my VPS servers. Plus I have access on my desktop. I have regular password auth on that server (it's not facing the internet in any way), and use a unique password
You should make this an ansible script
Use sudo -i to login once in for all as the super user so you can omit all the subsequent sudos.
on my files /etc/host.conf, nospoof on is bad command, pls help
So in this case, as a minecraft server you would need first In ufw to open port TCP: 25565, right?
This is nice, how can I be an expert in this, please?
If you redirect someone's traffic to the next address, like you said – to the government's website, will they not see your IP as the attacker?
Hi Chris, while doing "sudo systemctl start fail2ban" I got an error message "/etc/host.conf: line 3: bad command `nospoof on'". Is that command not needed anymore?
Thank you so much for this educational web security video! Just a quick question, would you recommend this should be applied to web servers hosted on the GCP platform?
Hey, you mentioned you were going to do a video after this one about monitoring. I can't find it on your channel..
this is still up to date?
iptables became outdated? I'm not so sure ufw's a viable replacement for server/security administrators…
I just saw another video you did on this and posted a comment that recommended making your rules before enabling ufw. Nice to see you've corrected that.
Why doesn't "sudo ufw enable" work. I can't even get started with this… what is going on
FYI, On ubuntu 20.04 sshd_config is located at /etc/ssh/sshd_config and setting 'UsePAM no' like in the tutorial will disable public key authentication if not ssh login in general. Also, in host.conf, if you replace 'multi on' with 'nospoof on', it will raise an error when you install fail2ban.
Thanks for explaining my tool, man. I really appreciate it.
All hail CHRIS