Security considerations when running a VM: Difference between revisions

Security considerations when running a VM (view source)

Revision as of 18:57, 6 April 2017

24 bytes removed , 7 years ago

copy-edit, add some links

Rdickson

Bureaucrats, cc_docs_admin, cc_staff

2,879

edits

@@ Line 1: / Line 1: @@
-On the cloud, you are responsible for the security of your VMs.
+On the [[CC-Cloud|cloud]], you are responsible for the security of your VMs.
-This document is not intended to be a complete guide but only to give you some basic guidelines on things your need to consider when creating a VM on the cloud.
+This document cannot be a complete guide, but will set out some things you need to consider when creating a VM on the cloud.
-=Keeping the Operating System secured=
+==Keep the operating system secured==
-* Apply security updates
+* Apply security updates.
-* Avoid using packages from unknown sources
+* Avoid using packages from unknown sources.
-* use an updated image (ex: don't use Ubuntu 14.04 when ubuntu 16.04 avalaible, or cent
+* Use a recent image. For example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available.
-* Do not allow password authentication for SSH (key authentication by default)
+* Do not allow password authentication for SSH. Use key authentication instead.
-* Install fail2ban to block authentication failure
+* Install [https://www.fail2ban.org fail2ban] to block brute-force attacks.
-=Network security=
+==Network security==
-* Limit who can access your service, avoid using '''0.0.0.0''' in the CIDR field of the security group form.
+* Limit who can access your service. Avoid using '''0.0.0.0''' in the CIDR field of the security group form.
-* do not bundles ranges of ports to allow access
+* Do not bundle ranges of ports to allow access.
-* Be careful when creating your security rules, consider the following
+* Think carefully about your security rules. Consider the following:
-** Most services aren't meant to be publicly accessible:
+** These services aren't meant to be publicly accessible:
 *** mysql
 *** postgresql
@@ Line 20: / Line 20: @@
 *** RDP
 *** ... many, many others
-** Some services are meant to be accessible from the internet to deliver a service
+** Some services are meant to be accessible from the internet:
 *** Apache
 *** Nginx
@@ Line 26: / Line 26: @@
 * Configure your web server to use HTTPS instead of HTTP.
 ** In many case HTTP should only be used to redirect traffic to HTTPS.
-* others:
+* Do not try to run a mail server.
-** Do not try to run a mail server.