Server Security


This article explores some high-level concepts around securing SpinUp Cloud Servers. We highly recommend performing these actions on any resource deployed in the cloud, if applicable.

Basic Cloud Server security

This article describes how to set up some basic security for your Linux Cloud Servers running Ubuntu® and for your Windows® Cloud Server.

Overview

Securing your Cloud Server is one of the most important steps that you should take after creating it. This article provides steps to set up basic security for your Cloud Server, but this is not necessarily the most secure configuration. Be sure to write secure application code as well as securing your Cloud Server.

Prerequisites

Before you use the following steps, log in as the root user on your Cloud Server. If you are not logged in as root, you might be locked out of your virtual machine (VM).

Be sure that Secure Shell (SSH), sudo, and iptables are configured correctly on your Cloud Server. If not, you might be locked out of your system when you follow these steps. If you are locked out, log in to the Control Panel and use the console or rescue mode to repair the configuration settings.

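Use the following steps to set up basic security for your Cloud Server. The steps for Linux Cloud Servers running Ubuntu come first, followed by the steps for Windows Cloud Servers.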

Secure your Cloud Server

Step 1: Upgrade your Cloud Server

Upgrade your Cloud Server to ensure that you have the most recent version by running the following commands:

  
      

  apt-get update
  apt-get -y upgrade


  

apt-get is the command-line tool for handling packages. For more information about apt-get, see the Linux man page.

Step 2: Disable root SSH access

There are many bots that attempt to gain access to your Cloud Server over SSH. If the bot is able to access your root user information, it gains unlimited access to your Cloud Server. Disabling root SSH access adds an additional layer of security between bot attackers and your Cloud Server.

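Run the following commands to disable root SSH access and SSH password authentication. Keep your current root session open until you have completed step 8 and confirmed that the new user can log in with the key: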

  
      

  sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
  sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
  service ssh restart


  

sed enables you to find and replace text. For more information, see the Linux man page.
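
The sed commands in this step only change lines that match their patterns exactly, so they can leave a configuration unchanged without reporting an error. The following script is an added example, not part of the original article: it applies the same two substitutions to constructed sample files and reports the value that sshd would actually use. The function names and sample files are hypothetical.

```shell
#!/bin/sh
# Added example: check whether the Step 2 sed edits really took effect.
# sshd uses the first value it reads for a keyword; '#' lines are comments.
# Assumption: whitespace-separated "Keyword value" lines, no Include/Match.

effective_value() {    # usage: effective_value <file> <keyword>
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

ssh_hardened() {       # usage: ssh_hardened <file>; returns 0 if both are "no"
    [ "$(effective_value "$1" PermitRootLogin)" = "no" ] &&
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ]
}

apply_step2() {        # the two sed commands from Step 2, on a given file
    sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' "$1"
    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' "$1"
}

# Constructed sample configs (hypothetical, not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' \
              '#PasswordAuthentication yes' > "$demo/commented"
printf '%s\n' 'PermitRootLogin yes' \
              '#PasswordAuthentication yes' > "$demo/explicit"
printf '%s\n' 'PermitRootLogin yes' \
              'PasswordAuthentication yes' > "$demo/password_on"

for f in "$demo"/*; do
    apply_step2 "$f"
    if ssh_hardened "$f"; then
        echo "$(basename "$f"): hardened"
    else
        echo "$(basename "$f"): NOT hardened:" \
             "PermitRootLogin=$(effective_value "$f" PermitRootLogin)" \
             "PasswordAuthentication=$(effective_value "$f" PasswordAuthentication)"
    fi
done
rm -rf "$demo"
```

On a live server, sshd -t validates the configuration file before you restart the service, and sshd -T prints the configuration that sshd actually uses.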

Step 3: Block ports

Blocking all ports except for HTTP, HTTPS, and SSH reduces the ways that someone could use to access your Cloud Server. Use the following commands to block all ports except for HTTP, HTTPS, and SSH:

  
      

  ufw default deny
  ufw allow ssh
  ufw allow http
  ufw allow https
  ufw --force enable
    

  

ufw manages a Linux firewall. For more information, see the Ubuntu man page.

Step 4: Prevent brute force attacks

Brute force attacks are an attempt to discover your password by systematically trying every possible combination of letters, numbers, and symbols. Use the following command to install a package to help prevent brute force attacks:

  
      

  apt-get -y install fail2ban
 

  

Fail2ban blocks repeated attempts at access by adding firewall rules to ignore requests from repeat offenders. For more information, see the Fail2ban documentation.

Step 5: Enable automatic security updates

Use the following commands to enable automatic security updates by installing the unattended-upgrades package and writing its periodic settings to /etc/apt/apt.conf.d/20auto-upgrades:

  
      

  apt-get -y install unattended-upgrades
  echo 'APT::Periodic::Update-Package-Lists "1";' >> /etc/apt/apt.conf.d/20auto-upgrades
  echo 'APT::Periodic::Unattended-Upgrade "1";' >> /etc/apt/apt.conf.d/20auto-upgrades
    

  

Step 6: Set up a new non-root user

Use the following command to create a new user for your Cloud Server:

  
      

  adduser <username>

Replace <username> with the user that you want to create.

You are then prompted to set and confirm the new user’s password. Be sure to choose a strong password. After you confirm the password, you should see the following success message:

  
      

  passwd: password updated successfully


  

Next, you are prompted to enter the new user’s basic information. You can accept the default and leave all of the information blank by pressing Enter at the prompt. The prompts should look similar to the following example:

  
      

  Changing the user information for username
  Enter the new value, or press ENTER for the default
  Full Name []:
  Room Number []:
  Work Phone []:
  Home Phone []:
  Other []:
  Is the information correct? [Y/n]
  

  

Press the Y key to confirm that the information is correct and finish setting up the new user.

Step 7: Add the new user to the sudo group

Adding the user to the sudo group gives the user sudo privileges, which means that the user can run commands with the same permissions as the root user. Run the following command to add the user to the sudo group:

  
      

  usermod -aG sudo <username>

Replace <username> with the user that you created in step 6.

Step 8: Copy the public key to the new user

Use the following commands to copy the public key to the new user. Be sure to replace <username> with the user that you created in step 6.

  
      

  mkdir /home/<username>/.ssh
  cp .ssh/authorized_keys /home/<username>/.ssh/
  chown -R <username>:<username> /home/<username>/.ssh
  chmod 0700 /home/<username>/.ssh
  chmod 0600 /home/<username>/.ssh/authorized_keys


  
  • cp copies files and directories. For more information, see the Linux man page.

  • chown changes the user or group ownership of a given file. For more information, see the Linux man page.

  • chmod changes the file mode bits of a given file. For more information, see the Linux man page.
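
Because step 2 disabled password authentication, the new user can log in only if sshd accepts this key file, and sshd can refuse a key file whose ownership or permissions are too open. The following script is an added example, not part of the original article: it checks a home directory against the modes set by the commands above. The function name audit_ssh_dir and the temporary demo directory are hypothetical.

```shell
#!/bin/sh
# Added example: verify the result of Step 8 for one account.
# Prints one line per finding and returns non-zero if anything is off.
# Uses GNU stat (as shipped with Ubuntu). Owner is compared by numeric UID.

audit_ssh_dir() {      # usage: audit_ssh_dir <home-dir> <expected-uid>
    dir="$1/.ssh"
    keys="$dir/authorized_keys"
    [ -d "$dir" ]  || { echo "missing directory: $dir"; return 1; }
    [ -f "$keys" ] || { echo "missing file: $keys"; return 1; }
    rc=0
    # Expected modes are the ones set by the chmod commands in Step 8.
    for spec in "$dir:700" "$keys:600"; do
        path=${spec%:*}
        want=${spec##*:}
        mode=$(stat -c '%a' "$path")
        uid=$(stat -c '%u' "$path")
        [ "$mode" = "$want" ] || { echo "$path: mode $mode, expected $want"; rc=1; }
        [ "$uid" = "$2" ]     || { echo "$path: uid $uid, expected $2"; rc=1; }
    done
    return "$rc"
}

# Constructed demo: a throwaway "home" with deliberately loose permissions.
home=$(mktemp -d)
mkdir "$home/.ssh" && chmod 0755 "$home/.ssh"
touch "$home/.ssh/authorized_keys" && chmod 0644 "$home/.ssh/authorized_keys"
audit_ssh_dir "$home" "$(id -u)" || echo "=> fix before relying on key login"

chmod 0700 "$home/.ssh"
chmod 0600 "$home/.ssh/authorized_keys"
audit_ssh_dir "$home" "$(id -u)" && echo "=> permissions match Step 8"
rm -rf "$home"
```

On the server, run it as audit_ssh_dir /home/<username> "$(id -u <username>)" before you close the root session.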

What’s next?

See the Ubuntu security guide for more information about setting up a secure server environment.

Step 1: Enable automatic updates

Windows 2008

  1. Connect to the server by using the Remote Desktop Protocol (RDP).
  2. From the Start menu, select Control Panel > System and Security.
  3. In the Windows Update section, click Turn automatic updating on or off.
  4. In the drop-down menu, select Install updates automatically (recommended).
  5. Select the check box under Recommended Updates so that the recommended updates are automatic.
  6. To allow all users the option to install updates on the server, select the check box under Who can install updates.

Windows 2012

  1. Connect to the server via RDP.
  2. Click the Windows icon in the lower-left corner and select Control Panel > System and Security.
  3. In the Windows Update section, click Turn automatic updating on or off.
  4. In the drop-down menu, select Install updates automatically (recommended).
  5. Select the check box under Recommended Updates so that the recommended updates are automatic.
  6. To enable updates for other Microsoft products at the same time that Windows updates are completed, select the check box under Microsoft Update.

Step 2: Configure local firewall rules

By default, Cloud Servers do not have a dedicated firewall device in front of them to manage traffic. This means that the Windows firewall is the only layer of defense between your server and anybody with access to an Internet connection. It’s best to disable all rules on the firewall that you do not need. Disabling rules means that fewer ports are open and accessible over the public interface, which helps to limit the server’s exposure to the Public Network.

Step 3: Enact a strong password policy

At the minimum, passwords should consist of at least 8 to 10 characters that include uppercase and lowercase letters, numbers, and special characters (such as !, #, $, and %). Using simple passwords can be extremely dangerous for servers exposed to the public net. You can also set an expiration date for each user’s password. While it might be inconvenient for users to set and remember a new password periodically, this practice helps you to manage security on your server.

Next steps

Check the security logs for your server regularly.

Next steps

Securing your server is one of the first things that you should do after creating it. The steps in this article help you set up some basic security, and provide tips to help users operate securely as well. SpinUp recommends the preceding steps as minimum guidelines. You should determine if your infrastructure requires more security and set that up if needed. To this end, SpinUp recommends following the documentation for your selected operating systems.

