Security considerations when running a VM: Difference between revisions

Revision as of 18:58, 6 April 2017

Other languages:

On the cloud, you are responsible for the security of your VMs.

This document cannot be a complete guide, but will set out some things you need to consider when creating a VM on the cloud.

Apply security updates.
Avoid using packages from unknown sources.
Use a recent image. For example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available.
Do not allow password authentication for SSH. Use key authentication instead.
Install fail2ban to block brute-force attacks.

Limit who can access your service. Avoid using 0.0.0.0 in the CIDR field of the security group form.
Do not bundle ranges of ports to allow access.
Think carefully about your security rules. Consider the following:
- These services aren't meant to be publicly accessible:
  - mysql
  - postgresql
  - nosql
  - RDP
  - ... many, many others
- Some services are meant to be accessible from the internet:
  - Apache
  - Nginx
  - ... others
Configure your web server to use HTTPS instead of HTTP.
- In many case HTTP should only be used to redirect traffic to HTTPS.
Do not try to run a mail server.

@@ Line 2: / Line 2: @@
 <translate>
+<!--T:1-->
 On the [[CC-Cloud|cloud]], you are responsible for the security of your VMs.
+<!--T:2-->
 This document cannot be a complete guide, but will set out some things you need to consider when creating a VM on the cloud.
-==Keep the operating system secured==
+==Keep the operating system secured== <!--T:3-->
 * Apply security updates.
 * Avoid using packages from unknown sources.
@@ Line 13: / Line 15: @@
 * Install [https://www.fail2ban.org fail2ban] to block brute-force attacks.
-==Network security==
+==Network security== <!--T:4-->
 * Limit who can access your service. Avoid using '''0.0.0.0''' in the CIDR field of the security group form.
 * Do not bundle ranges of ports to allow access.