Security considerations when running a VM: Difference between revisions
Jump to navigation
Jump to search
(copy-edit, add some links) |
(add translate tags) |
||
| Line 1: | Line 1: | ||
<languages/> | |||
<translate> | |||
On the [[CC-Cloud|cloud]], you are responsible for the security of your VMs. | On the [[CC-Cloud|cloud]], you are responsible for the security of your VMs. | ||
| Line 27: | Line 30: | ||
** In many case HTTP should only be used to redirect traffic to HTTPS. | ** In many case HTTP should only be used to redirect traffic to HTTPS. | ||
* Do not try to run a mail server. | * Do not try to run a mail server. | ||
</translate> | |||
Revision as of 18:58, 6 April 2017
On the cloud, you are responsible for the security of your VMs.
This document cannot be a complete guide, but will set out some things you need to consider when creating a VM on the cloud.
Keep the operating system secured[edit]
- Apply security updates.
- Avoid using packages from unknown sources.
- Use a recent image. For example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available.
- Do not allow password authentication for SSH. Use key authentication instead.
- Install fail2ban to block brute-force attacks.
Network security[edit]
- Limit who can access your service. Avoid using 0.0.0.0 in the CIDR field of the security group form.
- Do not bundle ranges of ports to allow access.
- Think carefully about your security rules. Consider the following:
- These services aren't meant to be publicly accessible:
- mysql
- postgresql
- nosql
- RDP
- ... many, many others
- Some services are meant to be accessible from the internet:
- Apache
- Nginx
- ... others
- These services aren't meant to be publicly accessible:
- Configure your web server to use HTTPS instead of HTTP.
- In many case HTTP should only be used to redirect traffic to HTTPS.
- Do not try to run a mail server.