cc_staff
No edit summary |
No edit summary |
Line 14: | Line 14: | ||
* Avoid using packages from unknown sources. | * Avoid using packages from unknown sources. | ||
* Use a recent image; for example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available. | * Use a recent image; for example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available. | ||
* Use [https://docs.computecanada.ca/wiki/SSH_Keys SSH key] authentication instead of passwords. | * Use [https://docs.computecanada.ca/wiki/SSH_Keys SSH key] authentication instead of passwords. Cloud instances use SSH key authentication by default, and enabling password-based authentication is significantly less secure. | ||
* Install [https://www.fail2ban.org fail2ban] to block [https://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks]. | * Install [https://www.fail2ban.org fail2ban] to block [https://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks]. | ||
==Network security== <!--T:4--> | ==Network security== <!--T:4--> | ||
* Limit who can access your service. Avoid using '''0.0.0.0''' in the CIDR field of the security group form. | * Limit who can access your service. Avoid using '''0.0.0.0''' in the CIDR field of the security group form - in particular, don't create rules for "0.0.0.0" in the default security group, which applies automatically to all project instances. | ||
** Be aware of the range you are opening with the netmask your are configuring. | ** Be aware of the range you are opening with the netmask your are configuring. | ||
* Do not bundle ranges of ports to allow access. | * Do not bundle ranges of ports to allow access. | ||
* Think carefully about your security rules. Consider the following: | * Think carefully about your security rules. Consider the following: | ||
** These services aren't meant to be publicly accessible: | ** These services aren't meant to be publicly accessible: | ||
*** ssh (22) - this service allows interactive login to your instance and MUST NOT be made publicly accessible | |||
*** RDP (3389) - this service allows interactive login to your instance and MUST NOT be made publicly accessible | |||
*** mysql (3306) | *** mysql (3306) | ||
*** postgresql (5432) | *** postgresql (5432) | ||
*** nosql | *** nosql | ||
*** tomcat | *** tomcat | ||
*** ... many, many others | *** ... many, many others | ||
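Review bot: the two added lines for ssh (22) and RDP (3389) say the service "MUST NOT be made publicly accessible" but give the reader no alternative, while the earlier bullets in the same hunk still recommend SSH keys and fail2ban, which only matter when SSH is reachable at all; point the reader back to the "Limit who can access your service" bullet and say that the rule should be restricted to the CIDR range you connect from rather than left open. Two smaller points in the same hunk: the CIDR guidance would be clearer if it named the exact value the security group form accepts ("0.0.0.0/0", i.e. every address) instead of just "0.0.0.0", and the typo "the netmask your are configuring" (should read "you are") is carried over unchanged from the old revision.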
Line 38: | Line 39: | ||
==Updating your VM== <!--T:5--> | ==Updating your VM== <!--T:5--> | ||
To upgrade a Linux VM choose the commands below for your particular distribution. Note you will need to reconnect to your VM after rebooting. | In order to keep a VM's operating system secure, it must be regularly updated - ideally weekly, or as often as new packages become available. To upgrade a Linux VM choose the commands below for your particular distribution. Note you will need to reconnect to your VM after rebooting. | ||
===Ubuntu/Debian=== | ===Ubuntu/Debian=== | ||
<source lang="console"> | <source lang="console"> |
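Review bot: the unchanged sentence "Note you will need to reconnect to your VM after rebooting" refers to a reboot that the paragraph never introduces as a step; since the new opening sentence now tells readers to update "weekly, or as often as new packages become available", state explicitly that the distribution-specific command sequence below ends with a reboot and when that reboot is actually required, so a reader who only runs the package upgrade is not left expecting to be disconnected. Style point: the hyphen used as a dash in "regularly updated - ideally weekly" should be a comma or a full stop to match the rest of the page.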