Security considerations when running a VM: Difference between revisions
Jump to navigation
Jump to search
(Created page with "On the cloud, you are responsible for the security of your VMs. This document is not intended to be a complete guide but only to give you some basic guidelines on things your...") |
(Added BitTorrent to the list of services not to run) |
||
| (34 intermediate revisions by 8 users not shown) | |||
| Line 1: | Line 1: | ||
<languages/> | |||
<translate> | |||
<!--T:6--> | |||
''Parent page: [[Cloud]]'' | |||
<!--T:1--> | |||
On the [[CC-Cloud|cloud]], you are responsible for the security of your virtual machines. | |||
<!--T:2--> | |||
This document is not a complete guide, but will set out some things you need to consider when creating a VM on the cloud. | |||
Network security | ==Basic security talk recording== <!--T:7--> | ||
* Limit who can access your service | There is a recording of an ~1.5 hr talk on some basic security considerations when working with VMs in the cloud available on youtube called [https://youtu.be/l3CcXzaVpTs Safety First!]. | ||
* Be | |||
** | <!--T:8--> | ||
*** mysql | Below is a list of links to different sections of the recording for easier video navigation. | ||
*** postgresql | * [https://youtu.be/l3CcXzaVpTs?t=219 Talk overview] | ||
* [https://youtu.be/l3CcXzaVpTs?t=354 Cloud service levels] | |||
* [https://youtu.be/l3CcXzaVpTs?t=563 General security principles] | |||
* [https://youtu.be/l3CcXzaVpTs?t=789 Key topics] | |||
* [https://youtu.be/l3CcXzaVpTs?t=817 Creating a first VM (with some comments about security)] | |||
* [https://youtu.be/l3CcXzaVpTs?t=1530 OpenStack security groups] | |||
* [https://youtu.be/l3CcXzaVpTs?t=1964 SSH Security] | |||
* [https://youtu.be/l3CcXzaVpTs?t=3281 Logs] | |||
* [https://youtu.be/l3CcXzaVpTs?t=4180 Creating backups of VMs] | |||
==Keep the operating system secured== <!--T:3--> | |||
* Apply security updates on a regular basis (see [[Security considerations when running a VM#Updating your VM| updating your VM]]). | |||
* Avoid using packages from unknown sources. | |||
* Use a recent image; for example, don't use Ubuntu 14.04 when Ubuntu 18.04 is available. | |||
* Use [https://docs.computecanada.ca/wiki/SSH_Keys SSH key] authentication instead of passwords. Cloud instances use SSH key authentication by default, and enabling password-based authentication is significantly less secure. | |||
* Install [https://www.fail2ban.org fail2ban] to block [https://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks]. | |||
==Network security== <!--T:4--> | |||
* Limit who can access your service. Avoid using '''0.0.0.0''' in the CIDR field of the security group form - in particular, don't create rules for "0.0.0.0" in the default security group, which applies automatically to all project instances. | |||
** Be aware of the range you are opening with the netmask your are configuring. | |||
* Do not bundle ranges of ports to allow access. | |||
* Think carefully about your security rules. Consider the following: | |||
** These services aren't meant to be publicly accessible: | |||
*** ssh (22) - this service allows interactive login to your instance and MUST NOT be made publicly accessible | |||
*** RDP (3389) - this service allows interactive login to your instance and MUST NOT be made publicly accessible | |||
*** mysql (3306) | |||
*** VNC (5900-5906) - this service allows interactive login to your instance and MUST NOT be made publicly accessible | |||
*** postgresql (5432) | |||
*** nosql | *** nosql | ||
*** | *** tomcat | ||
*** ... many, many others | *** ... many, many others | ||
** Some services are meant to be accessible from the internet | ** Some services are meant to be accessible from the internet: | ||
*** Apache | *** Apache (80, 443) | ||
*** Nginx | *** Nginx (80, 443) | ||
*** ... others | *** ... others | ||
* | * Configure your web server to use HTTPS instead of HTTP. | ||
** Do | ** In many case HTTP should only be used to redirect traffic to HTTPS. | ||
* Do NOT run a mail server. | |||
* Do NOT run a BitTorrent server. | |||
==Updating your VM== <!--T:5--> | |||
In order to keep a VM's operating system secure, it must be regularly updated - ideally weekly, or as often as new packages become available. To upgrade a Linux VM choose the commands below for your particular distribution. Note you will need to reconnect to your VM after rebooting. | |||
===Ubuntu/Debian=== | |||
<source lang="console"> | |||
$ sudo apt-get update | |||
$ sudo apt-get dist-upgrade | |||
$ sudo reboot | |||
</source> | |||
===CentOS=== | |||
<source lang="console> | |||
$ sudo yum update | |||
$ sudo reboot | |||
</source> | |||
===Fedora=== | |||
<source lang="console> | |||
$ sudo dnf update | |||
$ sudo reboot | |||
</source> | |||
==Further reading== | |||
An amazon article on securing instances: [https://aws.amazon.com/articles/1233/ https://aws.amazon.com/articles/1233/] | |||
</translate> | |||
[[Category:Cloud]] | |||
Latest revision as of 17:48, 23 September 2024
Parent page: Cloud
On the cloud, you are responsible for the security of your virtual machines.
This document is not a complete guide, but will set out some things you need to consider when creating a VM on the cloud.
Basic security talk recording[edit]
There is a recording of an ~1.5 hr talk on some basic security considerations when working with VMs in the cloud available on youtube called Safety First!.
Below is a list of links to different sections of the recording for easier video navigation.
- Talk overview
- Cloud service levels
- General security principles
- Key topics
- Creating a first VM (with some comments about security)
- OpenStack security groups
- SSH Security
- Logs
- Creating backups of VMs
Keep the operating system secured[edit]
- Apply security updates on a regular basis (see updating your VM).
- Avoid using packages from unknown sources.
- Use a recent image; for example, don't use Ubuntu 14.04 when Ubuntu 18.04 is available.
- Use SSH key authentication instead of passwords. Cloud instances use SSH key authentication by default, and enabling password-based authentication is significantly less secure.
- Install fail2ban to block brute-force attacks.
Network security[edit]
- Limit who can access your service. Avoid using 0.0.0.0 in the CIDR field of the security group form - in particular, don't create rules for "0.0.0.0" in the default security group, which applies automatically to all project instances.
- Be aware of the range you are opening with the netmask your are configuring.
- Do not bundle ranges of ports to allow access.
- Think carefully about your security rules. Consider the following:
- These services aren't meant to be publicly accessible:
- ssh (22) - this service allows interactive login to your instance and MUST NOT be made publicly accessible
- RDP (3389) - this service allows interactive login to your instance and MUST NOT be made publicly accessible
- mysql (3306)
- VNC (5900-5906) - this service allows interactive login to your instance and MUST NOT be made publicly accessible
- postgresql (5432)
- nosql
- tomcat
- ... many, many others
- Some services are meant to be accessible from the internet:
- Apache (80, 443)
- Nginx (80, 443)
- ... others
- These services aren't meant to be publicly accessible:
- Configure your web server to use HTTPS instead of HTTP.
- In many case HTTP should only be used to redirect traffic to HTTPS.
- Do NOT run a mail server.
- Do NOT run a BitTorrent server.
Updating your VM[edit]
In order to keep a VM's operating system secure, it must be regularly updated - ideally weekly, or as often as new packages become available. To upgrade a Linux VM choose the commands below for your particular distribution. Note you will need to reconnect to your VM after rebooting.
Ubuntu/Debian[edit]
$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo reboot
CentOS[edit]
$ sudo yum update
$ sudo reboot
Fedora[edit]
$ sudo dnf update
$ sudo reboot
Further reading[edit]
An amazon article on securing instances: https://aws.amazon.com/articles/1233/