Security considerations when running a VM: Difference between revisions

Revision as of 14:33, 6 September 2018

Other languages:

Parent page: Cloud

On the cloud, you are responsible for the security of your virtual machines.

This document is not a complete guide, but will set out some things you need to consider when creating a VM on the cloud.

Apply security updates on a regular basis (see updating your VM).
Avoid using packages from unknown sources.
Use a recent image; for example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available.
Use SSH key authentication instead of passwords.
Install fail2ban to block brute-force attacks.

Limit who can access your service. Avoid using 0.0.0.0 in the CIDR field of the security group form.
- Be aware of the range you are opening with the netmask your are configuring.
Do not bundle ranges of ports to allow access.
Think carefully about your security rules. Consider the following:
- These services aren't meant to be publicly accessible:
  - mysql (3306)
  - postgresql (5432)
  - nosql
  - RDP (3389)
  - tomcat
  - ... many, many others
- Some services are meant to be accessible from the internet:
  - Apache (80, 443)
  - Nginx (80, 443)
  - ... others
Configure your web server to use HTTPS instead of HTTP.
- In many case HTTP should only be used to redirect traffic to HTTPS.
Do NOT run a mail server.

To upgrade a Linux VM choose the commands below for your particular distribution. Note you will need to reconnect to your VM after rebooting.

$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo reboot

$ sudo yum update
$ sudo reboot

$ sudo dnf update
$ sudo reboot

@@ Line 27: / Line 27: @@
 *** nosql
 *** RDP (3389)
+*** tomcat
 *** ... many, many others
 ** Some services are meant to be accessible from the internet: