Security considerations when running a VM: Difference between revisions

From Alliance Doc
Jump to navigation Jump to search
(copy-edit, add some links)
Line 1: Line 1:
On the cloud, you are responsible for the security of your VMs.
On the [[CC-Cloud|cloud]], you are responsible for the security of your VMs.


This document is not intended to be a complete guide but only to give you some basic guidelines on things your need to consider when creating a VM on the cloud.
This document cannot be a complete guide, but will set out some things you need to consider when creating a VM on the cloud.


=Keeping the Operating System secured=
==Keep the operating system secured==
* Apply security updates
* Apply security updates.
* Avoid using packages from unknown sources
* Avoid using packages from unknown sources.
* use an updated image (ex: don't use Ubuntu 14.04 when ubuntu 16.04 avalaible, or cent
* Use a recent image. For example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available.
* Do not allow password authentication for SSH (key authentication by default)
* Do not allow password authentication for SSH. Use key authentication instead.
* Install fail2ban to block authentication failure
* Install [https://www.fail2ban.org fail2ban] to block brute-force attacks.


=Network security=
==Network security==
* Limit who can access your service, avoid using '''0.0.0.0''' in the CIDR field of the security group form.
* Limit who can access your service. Avoid using '''0.0.0.0''' in the CIDR field of the security group form.
* do not bundles ranges of ports to allow access
* Do not bundle ranges of ports to allow access.
* Be careful when creating your security rules, consider the following
* Think carefully about your security rules. Consider the following:
** Most services aren't meant to be publicly accessible:
** These services aren't meant to be publicly accessible:
*** mysql
*** mysql
*** postgresql
*** postgresql
Line 20: Line 20:
*** RDP
*** RDP
*** ... many, many others
*** ... many, many others
** Some services are meant to be accessible from the internet to deliver a service
** Some services are meant to be accessible from the internet:
*** Apache
*** Apache
*** Nginx
*** Nginx
Line 26: Line 26:
* Configure your web server to use HTTPS instead of HTTP.
* Configure your web server to use HTTPS instead of HTTP.
** In many case HTTP should only be used to redirect traffic to HTTPS.
** In many case HTTP should only be used to redirect traffic to HTTPS.
* others:
* Do not try to run a mail server.
** Do not try to run a mail server.

Revision as of 18:57, 6 April 2017

On the cloud, you are responsible for the security of your VMs.

This document cannot be a complete guide, but will set out some things you need to consider when creating a VM on the cloud.

Keep the operating system secured[edit]

  • Apply security updates.
  • Avoid using packages from unknown sources.
  • Use a recent image. For example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available.
  • Do not allow password authentication for SSH. Use key authentication instead.
  • Install fail2ban to block brute-force attacks.

Network security[edit]

  • Limit who can access your service. Avoid using 0.0.0.0 in the CIDR field of the security group form.
  • Do not bundle ranges of ports to allow access.
  • Think carefully about your security rules. Consider the following:
    • These services aren't meant to be publicly accessible:
      • mysql
      • postgresql
      • nosql
      • RDP
      • ... many, many others
    • Some services are meant to be accessible from the internet:
      • Apache
      • Nginx
      • ... others
  • Configure your web server to use HTTPS instead of HTTP.
    • In many case HTTP should only be used to redirect traffic to HTTPS.
  • Do not try to run a mail server.

HyperText Transfer Protocol

Retrieved from "https://docs.alliancecan.ca/mediawiki/index.php?title=Security_considerations_when_running_a_VM&oldid=11156"