4x Affordable, 99.95% SLA, 24x& Video Support, 100+ Countires

7 Security Measures To Protect Your Cloud Servers

Introduction

When setting up infrastructure, getting your applications up and running will often be your capital concern. However, making your applications to function correctly without addressing the security needs of your infrastructure could have fatal consequences down the line.

In this lead, we will talk about some basic security practices that are best to configure before or as you set up your applications.

SSH Keys

SSH keys are a set of cryptographic keys that can be used to authenticate to a ssh server as an alternative to password-based logins. a private and public key set are created prior to authentication. The private key is kept unknown and secure by the user, while the public key can be overlapped with anyone.

SSH Keys diagram

To configure the SSH key authentication, you must place the user's public key on the server in an exclusive directory. When the user connects to the server, the server will question for proof that the case has the associated private key. The SSH case will use the private key to reply in a way that proves ownership of the private key. The server will then let the case connect without a password. To learn more about how SSH keys work, check out our article here.

How Do They Enhance Security?

With SSH, any category of authentication, including password authentication, is completely encoded . However, when password-based logins are allowed, malicious users can repeatedly strive to access the server. With modern reasoning energy, it is viable to attain arrival to a server by automating these strives and striving combination after combination until the right password is found.

Setting up SSH key authentication allows you to disable password-based authentication. SSH keys generally have many more bits of data than a password, conveying that there are significantly more feasible combinations that an attacker would have to run through. Many SSH key algorithms are considered uncrackable by modern reasoning hardware simply because they would demand too much moment to run through feasible matches.

How Difficult Is This to Implement?

SSH keys are very uncomplicated to set up and are the recommended way to log into any linux or Unix server environment remotely. a set of SSH keys can be generated on your device and you can transfer the public key to your servers within a few minutes.

To learn about how to set up keys, follow this lead. If you still feel that you need password authentication, consider implementing a success like fail2ban on your servers to maximum password guesses.

Firewalls

a firewall is a piece of software (or hardware) that commands what services are subjected to the network. This means blocking or restricting access to every port except for those that should be publicly accessible.

Firewall diagram

On a typical server, a number services may be running by failure. These can be reasoned into the following factions:

  • Public services that can be accesses by anyone on the internet, often anonymously. a good instance of this is a web server that might allow access to your site.
  • Private services that should only be accessed by a choose team of authorized accounts or from definite venues. an instance of this may be a database regulate body.
  • inner services that should be accessible only from within the server itself, without subjecting the service to the outside experience. For instance, this may be a database that only accepts local connections.

Firewalls can ensure that access to your software is restricted according to the categories above. Public services can be left ajar and accessible to everyone and private services can be restricted based on distinct ideals. inner services can be made completely outback to the outside experience. For ports that are not being used, access is blocked entirely in most configurations.

How Do They Enhance Security?

Firewalls are a necessary part of any server configuration. Even if your services themselves implement security features or are restricted to the interfaces you'd like them to run on, a firewall serves as an additional place of protection.

a properly configured firewall will restrict access to everything except the precise services you need to be ajar. subjecting only a few pieces of software reduces the ambush surface of your server, maximum the components that are vulnerable to exploitation.

How Difficult Is This to Implement?

There are many firewalls accessible for linux systems, some of which have a steeper learning curve than others. In general though, setting up the firewall should only take a few minutes and will only need to happen during your server's first setup or when you make actions in what services are offered on your computer.

an easy decision is the UFW firewall. Other actions are to use iptables or the CSF firewall.

VPNs and Private Networking

Private networks are networks that are only accessible to definite servers or users. For example, in F(x) data cloud, private networking is accessible in some regions as a data-center beamy network.

a vpn, or realistic private network, is a way to create secure connections between far experts and present the connection as if it were a local private network. This provides a way to configure your services as if they were on a private network and connect far servers over secure connections.

VPN diagram

How Do They Enhance Security?

Utilizing private instead of public networking for inner communication is almost always desirable given the decision between the two. However, since other users within the data center are able to access the same network, you still must implement extra measures to secure communication between your servers.

Using a vpn is, effectively, a way to map out a private network that only your servers can see. communication will be fully private and secure. Other applications can be configured to pass their traffic over the realistic interface that the VPN software exposes. This way, only services that are conveyed to be consumable by cases on the public internet need to be subjected on the public network.

How Difficult Is This to Implement?

Utilizing private networks in a datacenter that has this aptitude is as uncomplicated as enabling the interface during your server's creation and configuring your applications and firewall to use the private network. Keep in mind that data center-wide private networks share space with other servers that use the same network.

As for VPN, the first setup is a bit more involved, but the increased security is worthy it for most use-cases. Each server on a vpn must have the overlapped security and configuration data needed to establish the secure connection installed and configured. After the VPN is up and running, applications must be configured to use the VPN tunnel. To learn about setting up a vpn to securely connect your infrastructure, check out our OpenVPN tutorial.

Public Key Infrastructure and SSL/TLS Encryption

Public key infrastructure, or PKI, refers to a system that is designed to create, supervise, and validate certificates for identifying singles and encoding communication. SSL or TLS certificates can be used to authenticate dissimilar entities to one another. After authentication, they can also be used to established encoded communication.

SSL diagram

How Do They Enhance Security?

Establishing a certificate dominance and overseeing certificates for your servers allows each entity within your infrastructure to validate the other members identity and encrypt their traffic. This can prevent man-in-the-middle ambushes where an attacker imitates a server in your infrastructure to point traffic.

Each server can be configured to belief a centralized certificate dominance. Afterwards, any certificate that the dominance signs can be implicitly believed . If the applications and protocols you are using to communicate aid TLS/SSL encryption, this is a way of encoding your system without the overhead of a vpn tunnel (which also often uses SSL internally).

How Difficult Is This to Implement?

Configuring a certificate dominance and setting up the rest of the public key infrastructure can involve quite a bit of first effort. Furthermore, overseeing certificates can create a more administration burden when brand-new certificates need to be created, signed, or played .

For many users, implementing a full-fledged public key infrastructure will make more sense as their infrastructure needs grow. obtaining communications between components using VPN may be a good stop gap measure until you come a point where PKI is worthy the more administration values.

Service Auditing

Up until now, we have discussed some technology that you can implement to enhance your security. However, a huge section of security is analyzing your systems, understanding the accessible ambush surfaces, and locking down the components as best as you can.

Service auditing is a processes of discovering what services are running on the servers in your infrastructure. Often, the failure directing system is configured to run definite services at boot. Installing more software can sometimes pull in states that are also auto-started.

Service auditing diagram

Service auditing is a way of knowing what services are running on your system, which ports they are using for communication, and what protocols are accepted. This information can aid you configure your firewall environments.

How Does It Enhance Security?

Servers commence many processes for inner purposes and to handle outer cases. Each of these represents an extended ambush surface for malicious users. The more services that you have running, the large chance there is of a weakness existing in your accessible software.

Once you have a good concept of what network services are running on your appliance, you can commence to analyze these services. Some requests that you will want to request yourself for each one are:

  • Should this service be running?
  • Is the service running on interfaces that it doesn't needs to? Should it be move Synonyms/Hypernyms to an individual IP?
  • Are your firewall rules structured to allow authorized traffic pass to this service?
  • Are your firewall rules blocking traffic that is not authorized?
  • Do you have a mode of collecting security alerts about weaknesses for each of these services?

This symbol of service audit should be grade practice when configuring any brand-new server in your infrastructure.

How Difficult Is This to Implement?

Doing a basic service audit is incredibly easy. You can find out which services are listening to ports on each interface by using the netstat regulate. an uncomplicated instance that shows the app name, PID, and addresses being used for listening for TCP and UDP traffic is:

sudo netstat -plunt

You will see production that looks like this:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local addresses           Foreign Address         State       PID/app name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      887/sshd        
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      919/nginx       
tcp6       0      0 :::22                   :::*                    LISTEN      887/sshd        
tcp6       0      0 :::80                   :::*                    LISTEN      919/nginx

The important columns you need to be attention to are Proto, Local addresses, and PID/app name. If the addresses is 0.0.0.0, then the service is accepting connections on all interfaces.

File Auditing and Intrusion Detection Systems

register auditing is the processes of comparing the actual system against a record of the records and register characteristics of your system when it is a known-good attribute. This is used to detect actions to the system that may have been authorized.

File audit diagram

an intrusion detection system, or IDS, is a piece of software that monitors a system or network for self-appointed activity. Many host-based IDS implementations use register auditing as a mode of checking whether the system has changed.

How Do They Enhance Security?

akin to the above service-level auditing, if you are serious about ensuring a secure system, it is very helpful to be able to perform file-level audits of your system. This can be done periodically by the fiduciary or as part of an automated processes in an ids.

These strategies are some of the only ways to be absolutely convinced that your filesystem has not been modified by some user or processes. For many reasons, entrants often wish to be hidden so that they can continue to exploit the server for a diversified period of moment. They might replace binaries with agreed models. Doing an audit of the filesystem will tell you if any of the records have been modified , allowing you to be assured in the state of your server environment.

How Difficult Is This to Implement?

Implementing an ids or conducting register audits can be quite an intense processes. The first configuration involves telling the auditing system about any non-standard actions you've made to the server and being routes that should be excluded to create a line reading.

It also makes day-to-day operations more involved. It complicates modifying means as you will need to re-check the system prior to running updates and then recreate the line after running the modify to capture actions to the software models. You will also need to offload the reports to another venue so that an entrant cannot modify the audit to cover their tracks.

While this may increase your administration load, being able to check your system against a known-good copy is one of the only ways of ensuring that records have not been modified without your knowledge. Some well-kown register auditing / intrusion detection systems are Tripwire and Aide.

Isolated Execution Environments

Isolating action environments refers to any mode in which solo components are run within their own dedicated space.

Isolated environments diagram

This can convey separating out your separate application components to their own servers or may refer to configuring your services to operate in chroot environments or containers. The stage of separation depends heavily on your application's requirements and the experience of your infrastructure.

How Do They Enhance Security?

Isolating your processes into single action environments increases your ability to isolate any security difficulties that may become. akin to how bulkheads and spaces can aid include calyx failures in ships, separating your single components can maximum the access that an entrant has to other pieces of your infrastructure.

How Difficult Is This to Implement?

being on the symbol of containment you specify, isolating your applications can be relatively easy. By packaging your solo components in containers, you can quickly gain some measure of separation, but note that Docker does not consider its containerization a security feature.

Setting up a chroot environment for each piece can give some stage of separation as well, but this also is not infallible mode of separation as there are often ways of breaking out of a chroot environment. Moving components to dedicated devices is the best stage of separation, and in many cases may be the uncomplicated, but may cost more for the extra devices.

Conclusion

The strategies outlined above are only some of the improvements you can make to upgrade the security of your systems. It is all-important to accept that, while it's good late than never, security measures decrease in their effectiveness the longer you wait to implement them. Security cannot be an afterthought and must be implemented from the begin alongside the services and applications you are giving .

Reference: digitalocean