Security considerations when running a VM: Difference between revisions

From Alliance Doc
Jump to navigation Jump to search
No edit summary
(Added BitTorrent to the list of services not to run)
 
(8 intermediate revisions by 5 users not shown)
Line 9: Line 9:
<!--T:2-->
<!--T:2-->
This document is not a complete guide, but will set out some things you need to consider when creating a VM on the cloud.
This document is not a complete guide, but will set out some things you need to consider when creating a VM on the cloud.
==Basic security talk recording== <!--T:7-->
There is a recording of an ~1.5 hr talk on some basic security considerations when working with VMs in the cloud available on youtube called [https://youtu.be/l3CcXzaVpTs Safety First!].
<!--T:8-->
Below is a list of links to different sections of the recording for easier video navigation.
* [https://youtu.be/l3CcXzaVpTs?t=219 Talk overview]
* [https://youtu.be/l3CcXzaVpTs?t=354 Cloud service levels]
* [https://youtu.be/l3CcXzaVpTs?t=563 General security principles]
* [https://youtu.be/l3CcXzaVpTs?t=789 Key topics]
* [https://youtu.be/l3CcXzaVpTs?t=817 Creating a first VM (with some comments about security)]
* [https://youtu.be/l3CcXzaVpTs?t=1530 OpenStack security groups]
* [https://youtu.be/l3CcXzaVpTs?t=1964 SSH Security]
* [https://youtu.be/l3CcXzaVpTs?t=3281 Logs]
* [https://youtu.be/l3CcXzaVpTs?t=4180 Creating backups of VMs]


==Keep the operating system secured== <!--T:3-->
==Keep the operating system secured== <!--T:3-->
* Apply security updates on a regular basis (see [[Security considerations when running a VM#Updating your VM| updating your VM]]).
* Apply security updates on a regular basis (see [[Security considerations when running a VM#Updating your VM| updating your VM]]).
* Avoid using packages from unknown sources.
* Avoid using packages from unknown sources.
* Use a recent image; for example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available.
* Use a recent image; for example, don't use Ubuntu 14.04 when Ubuntu 18.04 is available.
* Use [https://docs.computecanada.ca/wiki/SSH_Keys SSH key] authentication instead of passwords.
* Use [https://docs.computecanada.ca/wiki/SSH_Keys SSH key] authentication instead of passwords. Cloud instances use SSH key authentication by default, and enabling password-based authentication is significantly less secure.
* Install [https://www.fail2ban.org fail2ban] to block [https://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks].
* Install [https://www.fail2ban.org fail2ban] to block [https://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks].


==Network security== <!--T:4-->
==Network security== <!--T:4-->
* Limit who can access your service. Avoid using '''0.0.0.0''' in the CIDR field of the security group form.
* Limit who can access your service. Avoid using '''0.0.0.0''' in the CIDR field of the security group form - in particular, don't create rules for "0.0.0.0" in the default security group, which applies automatically to all project instances.
** Be aware of the range you are opening with the netmask your are configuring.  
** Be aware of the range you are opening with the netmask your are configuring.  
* Do not bundle ranges of ports to allow access.
* Do not bundle ranges of ports to allow access.
* Think carefully about your security rules. Consider the following:
* Think carefully about your security rules. Consider the following:
** These services aren't meant to be publicly accessible:
** These services aren't meant to be publicly accessible:
*** ssh (22) - this service allows interactive login to your instance and MUST NOT be made publicly accessible
*** RDP (3389)  - this service allows interactive login to your instance and MUST NOT be made publicly accessible
*** mysql (3306)
*** mysql (3306)
*** VNC (5900-5906)  - this service allows interactive login to your instance and MUST NOT be made publicly accessible
*** postgresql (5432)
*** postgresql (5432)
*** nosql
*** nosql
*** RDP (3389)
*** tomcat
*** tomcat
*** ... many, many others
*** ... many, many others
Line 36: Line 53:
** In many case HTTP should only be used to redirect traffic to HTTPS.
** In many case HTTP should only be used to redirect traffic to HTTPS.
* Do NOT run a mail server.
* Do NOT run a mail server.
* Do NOT run a BitTorrent server.


==Updating your VM== <!--T:5-->
==Updating your VM== <!--T:5-->
To upgrade a Linux VM choose the commands below for your particular distribution. Note you will need to reconnect to your VM after rebooting.
In order to keep a VM's operating system secure, it must be regularly updated - ideally weekly, or as often as new packages become available. To upgrade a Linux VM choose the commands below for your particular distribution. Note you will need to reconnect to your VM after rebooting.
===Ubuntu/Debian===
===Ubuntu/Debian===
<source lang="console">
<source lang="console">
Line 55: Line 73:
$ sudo reboot
$ sudo reboot
</source>
</source>
==Further Reading==
==Further reading==
An amazon article on securing instances: [https://aws.amazon.com/articles/1233/ https://aws.amazon.com/articles/1233/]
An amazon article on securing instances: [https://aws.amazon.com/articles/1233/ https://aws.amazon.com/articles/1233/]
</translate>
</translate>
[[Category:CC-Cloud]]
[[Category:Cloud]]

Latest revision as of 17:48, 23 September 2024

Other languages:

Parent page: Cloud

On the cloud, you are responsible for the security of your virtual machines.

This document is not a complete guide, but will set out some things you need to consider when creating a VM on the cloud.

Basic security talk recording[edit]

There is a recording of an ~1.5 hr talk on some basic security considerations when working with VMs in the cloud available on youtube called Safety First!.

Below is a list of links to different sections of the recording for easier video navigation.

Keep the operating system secured[edit]

  • Apply security updates on a regular basis (see updating your VM).
  • Avoid using packages from unknown sources.
  • Use a recent image; for example, don't use Ubuntu 14.04 when Ubuntu 18.04 is available.
  • Use SSH key authentication instead of passwords. Cloud instances use SSH key authentication by default, and enabling password-based authentication is significantly less secure.
  • Install fail2ban to block brute-force attacks.

Network security[edit]

  • Limit who can access your service. Avoid using 0.0.0.0 in the CIDR field of the security group form - in particular, don't create rules for "0.0.0.0" in the default security group, which applies automatically to all project instances.
    • Be aware of the range you are opening with the netmask your are configuring.
  • Do not bundle ranges of ports to allow access.
  • Think carefully about your security rules. Consider the following:
    • These services aren't meant to be publicly accessible:
      • ssh (22) - this service allows interactive login to your instance and MUST NOT be made publicly accessible
      • RDP (3389) - this service allows interactive login to your instance and MUST NOT be made publicly accessible
      • mysql (3306)
      • VNC (5900-5906) - this service allows interactive login to your instance and MUST NOT be made publicly accessible
      • postgresql (5432)
      • nosql
      • tomcat
      • ... many, many others
    • Some services are meant to be accessible from the internet:
      • Apache (80, 443)
      • Nginx (80, 443)
      • ... others
  • Configure your web server to use HTTPS instead of HTTP.
    • In many case HTTP should only be used to redirect traffic to HTTPS.
  • Do NOT run a mail server.
  • Do NOT run a BitTorrent server.

Updating your VM[edit]

In order to keep a VM's operating system secure, it must be regularly updated - ideally weekly, or as often as new packages become available. To upgrade a Linux VM choose the commands below for your particular distribution. Note you will need to reconnect to your VM after rebooting.

Ubuntu/Debian[edit]

$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo reboot

CentOS[edit]

$ sudo yum update
$ sudo reboot

Fedora[edit]

$ sudo dnf update
$ sudo reboot

Further reading[edit]

An amazon article on securing instances: https://aws.amazon.com/articles/1233/