Security considerations when running a VM: Difference between revisions

Revision as of 20:18, 14 July 2017

Other languages:

On the cloud, you are responsible for the security of your virtual machines.

This document cannot be a complete guide, but will set out some things you need to consider when creating a VM on the cloud.

Apply security updates on a regular basis.
Avoid using packages from unknown sources.
Use a recent image. For example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available.
Use SSH key authentication instead of passwords.
Install fail2ban to block brute-force attacks.

Limit who can access your service. Avoid using 0.0.0.0 in the CIDR field of the security group form.
- Be aware of the range your are opening with the netmask your are configuring.
Do not bundle ranges of ports to allow access.
Think carefully about your security rules. Consider the following:
- These services aren't meant to be publicly accessible:
  - mysql (3306)
  - postgresql (5432)
  - nosql
  - RDP (3389)
  - ... many, many others
- Some services are meant to be accessible from the internet:
  - Apache (80, 443)
  - Nginx (80, 443)
  - ... others
Configure your web server to use HTTPS instead of HTTP.
- In many case HTTP should only be used to redirect traffic to HTTPS.
Do NOT run a mail server.

@@ Line 21: / Line 21: @@
 * Think carefully about your security rules. Consider the following:
 ** These services aren't meant to be publicly accessible:
-*** mysql
+*** mysql (3306)
-*** postgresql
+*** postgresql (5432)
 *** nosql
-*** RDP
+*** RDP (3389)
 *** ... many, many others
 ** Some services are meant to be accessible from the internet:
-*** Apache
+*** Apache (80, 443)
-*** Nginx
+*** Nginx (80, 443)
 *** ... others
 * Configure your web server to use HTTPS instead of HTTP.