The NeCTAR Cloud doesn't provide a specific API for security purposes. The only security relevant operation is to manage security groups through the Nova API. If you want to know the Nova API, You can find the related information from the articles in the 'Instance Management' section.
This article describes some techniques to help you to secure a Linux based virtual machine in the NeCTAR cloud.
As security is a very broad topic, the techniques showed here only provides a basic introduction. You can always go to Internet and find more useful information about security.
The instructions below assume your operating system is debian/ubuntu.
You need to encourage all the users on your system to use SSH certificate authentication and disable password login. In addition, you need to avoid logging into the system using SSH as root and use alternative methods to become root, such as su or sudo.
To change the SSH configuration, you can edit the configuration file on the virtual machine, in '/etc/ssh/sshd_config'.
A basic description of some important configuration items:
You need to set this to 'no' to avoid root access via SSH
For better security, you can change the SSH port to other port number
This should be always 'no', for non-empty password access
This directive allows only certain users to have access via SSH to this machine.
You should set this to 'no' to disable user loggin using password
After you have changed the '/etc/ssh/sshd_config file', you can execute
sudo service ssh restart
to apply the new changes.
If you are using an SSH client to access your Virtual Machine, you need to make sure both SSH server and client are using the same version of protocols.
You can also restrict access to file transfer only if you want to allow accounts on your Virtual Machine to transfer files. You can do it by giving users a restricted shell such as scpoly or rssh. These shells restrict the commands available to the users to execute. You can change an account's shell by editing '/etc/passwd' file.
If you don't want your Apache web service available to public, you can use the Listen or BindAddress directives in '/etc/apache2/apache2.conf'.
Using Listen: Listen 127.0.0.1:80 Using BindAddress: BindAddress 127.0.0.1
Then you can restart your apache service with
sudo service apache2 restart
The default Apache installation in Debian permits users to publish content under the '$HOME/public_html'. This content can be retrieved remotely using an URL such as: http://your_apache_server/~user.
You can restrict the default configuration by editing '/etc/apache2/mods-enabled/userdir.conf'
You can also make sure the permission of log files can only be read/write by the required user and groups. The default permission for the log files may be readable by anyone.
By default, Apache web files are located under /'var/www'. The default file provides some hints on the system like what is the operating system. You should substitute the default web pages with your own.
To further strengthen the Apache security, you can run Apache by chroot. See this instruction to set up Apache.
Keep System Update to Date
In debian/ubuntu, you run
sudo apt-get update regularly to keep system
security patch update to date.
Setup Local Firewall
A local firewall can also be installed with filtering rules to protect access to the system. You can use IPtable tools to create rules to filter network traffic. It is advised to use Security Group to manage which ports to open as it is simple to do. The below only provides basic introduction to IPtables, for more information, please refer to IPtables MAN page.
To list all current rules, execute:
sudo iptables --list
By default, the IPtables defines 3 chains. The INPUT Chain is for incoming traffic , the Forward Chain is for forwarded traffic and the OUTPUT Chain is for outgoing traffic. Which chains you need to add rules depends on what traffic you want to filter.
IPtables also defines policies that defines actions for rules:
Accept, accept traffic
Reject, reject traffic by sending back an error packet
Drop, reject traffic by dropping traffic
The below shows an example how to enable SSH and HTTP/HTTPS traffic in IPtables.
Firstly, you need to allow connections that are already connected to your server:
sudo iptables - I INPUT 1 -p tcp --dport 22 -j ACCEPT
Secondly, you need to allow SSH connections:
sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
Thirdly, you can allow HTTP/HTTPS traffic:
sudo iptables -I INPUT 1 -p tcp -dport 80 -j ACCEPT
sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
Finally, you need to drop all other traffic. You need to make sure you have set to allow SSH connection, otherwise you will lose access to the Virtual Machine:
sudo iptables -P INPUT DROP
You can save your IPtables changes by (Ubuntu):
iptables-save > /etc/iptables.rules
The SSH daemon itself is a Linux service that exposed to the Internet and creates a security risk for the system. fail2ban can mitigate this problem by creating rules that can automatically alter your your IPtables firewall and ban unsuccessful login attempts based on a predefined number.
You can use the below commands to install fail2ban in Ubuntu:
sudo apt-get update
sudo apt-get install fail2ban
To setup the fail2ban, please follow this instruction.
Disable Unneeded Services
Unneeded services are a potential security risk, so you can execute
sudo service --status-all
to list all available services. You can examine the output carefully and disable
any services not desired.