Security considerations when running a VM: Difference between revisions

Jump to navigation Jump to search

Security considerations when running a VM (view source)

Revision as of 18:57, 6 April 2017

24 bytes removed ,  7 years ago
copy-edit, add some links
(copy-edit, add some links)
Line 1: Line 1:
On the cloud, you are responsible for the security of your VMs.
On the [[CC-Cloud|cloud]], you are responsible for the security of your VMs.


This document is not intended to be a complete guide but only to give you some basic guidelines on things your need to consider when creating a VM on the cloud.
This document cannot be a complete guide, but will set out some things you need to consider when creating a VM on the cloud.


=Keeping the Operating System secured=
==Keep the operating system secured==
* Apply security updates
* Apply security updates.
* Avoid using packages from unknown sources
* Avoid using packages from unknown sources.
* use an updated image (ex: don't use Ubuntu 14.04 when ubuntu 16.04 avalaible, or cent
* Use a recent image. For example, don't use Ubuntu 14.04 when Ubuntu 16.04 is available.
* Do not allow password authentication for SSH (key authentication by default)
* Do not allow password authentication for SSH. Use key authentication instead.
* Install fail2ban to block authentication failure
* Install [https://www.fail2ban.org fail2ban] to block brute-force attacks.


=Network security=
==Network security==
* Limit who can access your service, avoid using '''0.0.0.0''' in the CIDR field of the security group form.
* Limit who can access your service. Avoid using '''0.0.0.0''' in the CIDR field of the security group form.
* do not bundles ranges of ports to allow access
* Do not bundle ranges of ports to allow access.
* Be careful when creating your security rules, consider the following
* Think carefully about your security rules. Consider the following:
** Most services aren't meant to be publicly accessible:
** These services aren't meant to be publicly accessible:
*** mysql
*** mysql
*** postgresql
*** postgresql
Line 20: Line 20:
*** RDP
*** RDP
*** ... many, many others
*** ... many, many others
** Some services are meant to be accessible from the internet to deliver a service
** Some services are meant to be accessible from the internet:
*** Apache
*** Apache
*** Nginx
*** Nginx
Line 26: Line 26:
* Configure your web server to use HTTPS instead of HTTP.
* Configure your web server to use HTTPS instead of HTTP.
** In many case HTTP should only be used to redirect traffic to HTTPS.
** In many case HTTP should only be used to redirect traffic to HTTPS.
* others:
* Do not try to run a mail server.
** Do not try to run a mail server.
Rdickson
Bureaucrats, cc_docs_admin, cc_staff
2,879

edits

Retrieved from "https://docs.alliancecan.ca/wiki/Special:MobileDiff/11156"

Navigation menu