When setting up cloud infrastructure, getting your applications up and running will often be your primary concern. However, making your applications function correctly without addressing the security needs of your infrastructure could have devastating consequences down the line, so it is worthwhile to consider this as part of your initial infrastructure setup.
In this guide, we will go through some fundamental security practices to support you as you configure and set up your infrastructure.
SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a server, you’ll likely spend most of your time in a terminal session connected to your server through SSH. A more secure alternative to password-based logins, cryptographic SSH keys provide a secure way of logging into your server and are recommended for all users.
With SSH keys, a private and public key pair are created for the purpose of authentication. The private key is kept secret and secure by the user, while the public key can be shared.
To configure SSH key authentication, you must place the user’s public key on the server in a special directory. When the user connects to the server, the server will ask for proof that the client has the associated private key. The SSH client will use the private key to respond in a way that proves ownership of that key, and the server will then let the client connect without a password. To learn more about how SSH keys work, check out our article, Understanding the SSH Encryption and Connection Process.
How Do SSH Keys Enhance Security?
With SSH, any kind of authentication — including password authentication — is completely encrypted. However, when password-based logins are allowed, malicious users can repeatedly attempt to access the server, especially with servers that have public-facing IP addresses. With modern computing power, it is possible to gain entry to a server by automating these attempts and trying combination after combination until the right password is found.
Setting up SSH key authentication allows you to disable password-based authentication. SSH keys generally have many more bits of data than a password, meaning that there are significantly more possible combinations that an attacker would have to run through. Many SSH key algorithms are considered uncrackable by modern computing hardware because they would require too much time to run through all of the feasible matches.
How to Implement SSH Keys
SSH keys are the recommended way to log into any Linux server environment remotely. A pair of SSH keys can be generated on your local machine and you can transfer the public key to your servers within a few minutes.
To learn about how to set up keys, follow one of our guides on SSH, such as How to Set Up SSH Keys on Ubuntu 20.04. If you would still like password authentication, consider implementing a solution like fail2ban on your servers to limit password guesses.
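The guide says to disable password logins once keys are in place. As an added example (not part of the original guide), the script below audits an sshd_config for the settings that actually make a server key-only, so you can confirm the change instead of assuming it. The two sample configurations are constructed; the keywords and defaults are OpenSSH's own.

```shell
# Added example, not from the original guide: audit an sshd_config for the
# settings that enforce key-only logins. Sample configs are constructed.

# sshd_setting KEY: print the effective value of KEY from config text on stdin.
# sshd honours the FIRST occurrence of a keyword, so that is the one reported.
sshd_setting() {
    sed 's/#.*//' | awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd_config < sshd_config: print one line per weak setting;
# return 0 when the config is key-only, 1 otherwise.
audit_sshd_config() {
    local cfg val bad=0
    cfg=$(cat)

    # Default is "yes": an absent keyword still allows password logins.
    val=$(printf '%s\n' "$cfg" | sshd_setting PasswordAuthentication)
    if [ "${val:-yes}" != "no" ]; then
        echo "PasswordAuthentication=${val:-yes (default)}: password logins allowed"; bad=1
    fi

    # Keyboard-interactive (PAM) prompts are a second way to type a password;
    # ChallengeResponseAuthentication is the older name for the same keyword.
    val=$(printf '%s\n' "$cfg" | sshd_setting KbdInteractiveAuthentication)
    [ -n "$val" ] || val=$(printf '%s\n' "$cfg" | sshd_setting ChallengeResponseAuthentication)
    if [ "${val:-yes}" != "no" ]; then
        echo "KbdInteractiveAuthentication=${val:-yes (default)}: PAM password prompts possible"; bad=1
    fi

    val=$(printf '%s\n' "$cfg" | sshd_setting PubkeyAuthentication)
    if [ "${val:-yes}" = "no" ]; then
        echo "PubkeyAuthentication=no: keys cannot be used at all"; bad=1
    fi

    val=$(printf '%s\n' "$cfg" | sshd_setting PermitRootLogin)
    if [ "$val" = "yes" ]; then
        echo "PermitRootLogin=yes: prefer prohibit-password or no"; bad=1
    fi

    val=$(printf '%s\n' "$cfg" | sshd_setting PermitEmptyPasswords)
    if [ "$val" = "yes" ]; then
        echo "PermitEmptyPasswords=yes: accounts without a password can log in"; bad=1
    fi
    return $bad
}

# Constructed sample: looks locked down but still accepts passwords.
WEAK_SSHD='Port 22
PermitRootLogin yes
#PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes'

# Constructed sample: key-only.
HARDENED_SSHD='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no'

echo "== constructed weak config =="
printf '%s\n' "$WEAK_SSHD" | audit_sshd_config || true
echo "== constructed hardened config =="
printf '%s\n' "$HARDENED_SSHD" | audit_sshd_config && echo "key-only: OK"
```

On a real server, feed it the effective configuration rather than the file: `sudo sshd -T | audit_sshd_config` resolves Include files and defaults, which the file-based check above does not follow (Match blocks are ignored too). After changing the file, `sudo sshd -t` validates the syntax before you restart the service, and keep your existing session open until a second, key-based login succeeds.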
A firewall is a piece of software that controls what services are exposed to the network. This means blocking or restricting access to every port except for those that should be publicly available.
On a typical server, a number of services may be running by default. These can be categorized into the following groups:
- Public services that can be accessed by anyone on the internet, often anonymously. An example of this is a web server that might allow access to your site.
- Private services that should only be accessed by a select group of authorized accounts or from certain locations. An example of this may be a database control panel.
- Internal services that should be accessible only from within the server itself, without exposing the service to the outside world. For example, this may be a database that only accepts local connections.
Firewalls can ensure that access to your software is restricted according to the categories above with varying degrees of granularity. Public services can be left open and available to everyone and private services can be restricted based on different criteria, such as connection types. Internal services can be made completely inaccessible to the outside world. For ports that are not being used, access is blocked entirely in most configurations.
How Do Firewalls Enhance Security?
Firewalls are an essential part of any server configuration. Even if your services themselves implement security features or are restricted to the interfaces you’d like them to run on, a firewall serves as an extra layer of protection.
A properly configured firewall will restrict access to everything except the specific services you need to remain open. Exposing only a few pieces of software reduces the attack surface of your server, limiting the components that are vulnerable to exploitation.
How to Implement Firewalls
There are many firewalls available for Linux systems, some more complex than others. In general though, setting up the firewall should only take a few minutes and will only need to happen during your server’s initial setup or when you make changes in what services are offered on your computer. Here are some options to get up and running:
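As an added example (not part of the original guide), the function below renders an nftables ruleset that maps directly onto the three service categories described above: public ports open to everyone, private ports reachable only from an administrative network, and internal services left to loopback with a default-drop policy. nftables is assumed as the firewall front end; the ports and the 203.0.113.0/24 administrative network are constructed values.

```shell
# Added example, not from the original guide: build an nftables ruleset from
# the three service categories. All ports and addresses are constructed.

# gen_ruleset "PUBLIC_PORTS" "ADMIN_IPV4_CIDR" "PRIVATE_PORTS"
#   e.g. gen_ruleset "80, 443" "203.0.113.0/24" "22"
gen_ruleset() {
    local public="$1" admin="$2" private="$3"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Internal services (e.g. a database bound to 127.0.0.1) are reached
        # over loopback only; the drop policy keeps everything else out.
        iif "lo" accept

        # Replies to connections this server opened itself.
        ct state established,related accept
        ct state invalid drop

        # ICMP keeps path MTU discovery and IPv6 neighbour discovery working.
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # Public services: anyone on the internet.
        tcp dport { $public } accept

        # Private services: only the administrative network (IPv4 here).
        ip saddr $admin tcp dport { $private } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset_syntax RULESET_TEXT: parse-only check with "nft -c"; nothing
# is loaded into the kernel. Skipped when nft is not installed.
check_ruleset_syntax() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; syntax check skipped" >&2
        return 0
    fi
    printf '%s\n' "$1" | nft -c -f -
}

RULESET=$(gen_ruleset "80, 443" "203.0.113.0/24" "22")
printf '%s\n' "$RULESET"
check_ruleset_syntax "$RULESET"
```

To apply it, write the output to a file and load it with `sudo nft -f FILE`; because the rule for port 22 is restricted to the administrative network, double-check that your own address is inside that range before loading, or you will lock yourself out of SSH.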
Virtual Private Cloud (VPC) networks are private networks for your infrastructure’s resources. VPC networks provide a more secure connection among resources because the network’s interfaces are inaccessible from the public internet and other VPC networks in the cloud.
How Do VPC Networks Enhance Security?
Utilizing private instead of public networking for internal communication is almost always preferable given the choice between the two, as VPC networks allow you to isolate groups of resources into specific private networks. VPC networks will only connect to each other using their private network interfaces over an internal network, which means that the traffic among your resources will not be routed through the public internet where it could be exposed or intercepted. VPC networks can also be used to isolate execution environments and tenants.
Additionally, you can set up internet gateways as the single point of access between your VPC network’s resources and the public internet, giving you more control and visibility into the public traffic connecting to your resources.
How to Implement VPC Networks
Most cloud infrastructure providers enable you to create and add resources to a VPC network inside their datacenters. For example, DigitalOcean places each applicable resource (Droplets, load balancers, Kubernetes Clusters, and databases) into a VPC upon creation at no additional cost.
Manually configuring your own private network can require advanced server configurations and networking knowledge.
A big portion of security involves analyzing your systems, understanding the available attack surfaces, and locking down the components as best as you can.
Service auditing is a process of discovering what services are running on the servers in your infrastructure. Often, the default operating system is configured to run certain services at boot. Installing additional software can sometimes pull in dependencies that are also auto-started.
Service auditing is a way of knowing what services are running on your system, which ports they are using for communication, and what protocols are accepted. This information can help you configure your firewall settings.
How Does Service Auditing Enhance Security?
Servers start many processes for internal purposes and to handle external clients. Each of these represents an expanded attack surface for malicious users. The more services that you have running, the greater chance there is of a vulnerability existing in your accessible software.
Once you have a good idea of what network services are running on your machine, you can begin to analyze these services. Some questions that you will want to ask yourself for each one are:
- Should this service be running?
- Is the service running on network interfaces that it shouldn’t be running on?
- Should it be bound to a single IP?
- Are my firewall rules structured to pass legitimate traffic to this service?
- Are my firewall rules blocking traffic that is not legitimate?
- Do I have a method of receiving security alerts about vulnerabilities for each of these services?
This type of service audit should be standard practice when configuring any new server in your infrastructure. Performing service audits every 6 months will also help you catch any services with configurations that may have changed unintentionally.
How to Perform Service Audits
To do a basic service audit, you can find out which services are listening to ports on each interface by using the netstat command. An example command that shows the program name, PID, and addresses being used for listening for TCP and UDP traffic is:
You will receive output that looks like this:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 887/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 919/nginx
tcp6 0 0 :::22 :::* LISTEN 887/sshd
tcp6 0 0 :::80 :::* LISTEN 919/nginx
The main columns that need your attention are the Proto, Local Address, and PID/Program name columns. If the address is 0.0.0.0, then the service is accepting connections on all network interfaces.
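Reading that table by eye works for four lines, but not for a server with dozens of listeners. As an added example (not part of the original guide), the functions below parse a `netstat -plunt` style listing and report every service bound to all interfaces, treating both the IPv4 wildcard 0.0.0.0 and the IPv6 wildcard :: as "exposed". The sample listing is constructed from the output shown above plus a loopback-only database and a UDP line, to show the cases the parser has to handle.

```shell
# Added example, not from the original guide: parse "netstat -plunt" output
# and flag services listening on every interface. The sample is constructed.

SAMPLE_LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      887/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      919/nginx
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1203/postgres
tcp6       0      0 :::22                   :::*                    LISTEN      887/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      919/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           702/dhclient'

# audit_listeners < listing: print "PROTO PORT PROGRAM SCOPE" per socket.
# SCOPE is "all-interfaces" for the 0.0.0.0 / :: wildcards, else the address.
# UDP rows have no State column, so the program is taken from the last field.
audit_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            prog = $NF
            sub(/^[0-9]+\//, "", prog)   # drop the "887/" PID prefix
            scope = (host == "0.0.0.0" || host == "::") ? "all-interfaces" : host
            print $1, port, prog, scope
        }'
}

# exposed_services < listing: the distinct programs reachable from outside,
# i.e. the list to reconcile against what the firewall is meant to allow.
exposed_services() {
    audit_listeners | awk '$4 == "all-interfaces" { print $3 }' | sort -u
}

echo "== all listening sockets (constructed sample) =="
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners
echo "== programs bound to all interfaces =="
printf '%s\n' "$SAMPLE_LISTENERS" | exposed_services
```

On a live system pipe the real output in, for example `sudo netstat -plunt | audit_listeners`; the program name column is only filled in when run as root. The parser expects netstat's column layout, so `ss -tulpn`, the modern replacement for netstat, would need its own parser.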
Maintaining updates on a server can be a powerful tool for security. Unpatched servers are responsible for the majority of compromises, but regular updates can prevent vulnerabilities.
Traditional updates require an administrator to manually check for and install updates for the various packages on their server; this can be time-intensive and it’s possible to forget or miss a major update. By contrast, unattended updates allow the system to update a majority of packages automatically.
How Do Unattended Updates Enhance Security?
Implementing unattended updates lowers the level of effort required to keep your server secure and shortens the amount of time your server is vulnerable to a known bug. Even with very regular updates, a bad bug being fixed on a Thursday or Friday means you’ll likely be unpatched — and vulnerable — until at least Monday.
In conjunction with the service auditing previously mentioned, performing updates automatically can greatly reduce your exposure to attacks and lower the amount of time spent on maintaining the security of your server.
How to Implement Unattended Updates
Most server distributions now feature unattended updates as an option. For example, on Ubuntu an administrator can run:
- sudo apt install unattended-upgrades
For more details on how to implement unattended updates, check out these guides for Ubuntu and Fedora.
Note: These mechanisms will only auto-update software installed through your system’s package manager. Make sure that any additional software you may be running (e.g. web applications) are either configured for automatic updates or checked manually on a regular basis.
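Installing the package is only half the job: APT runs unattended upgrades only when its periodic settings are enabled. As an added example (not part of the original guide), the check below reads the Debian/Ubuntu file that controls this and reports whether package-list refreshes and unattended upgrades are actually switched on. The file path and keyword names are APT's real ones; the sample file contents in the demonstration are constructed.

```shell
# Added example, not from the original guide: confirm that APT's periodic
# unattended upgrades are enabled. Sample contents are constructed.

AUTO_UPGRADES_CONF=/etc/apt/apt.conf.d/20auto-upgrades   # real Debian/Ubuntu path

# apt_periodic_value KEY < file: print the value of APT::Periodic::KEY
# (values are in days; "0" means disabled). The last occurrence wins.
apt_periodic_value() {
    sed -n 's/^[[:space:]]*APT::Periodic::'"$1"'[[:space:]]*"\([^"]*\)".*/\1/p' | tail -n 1
}

# check_auto_upgrades FILE: 0 when list refresh and unattended upgrade are
# both enabled in FILE, 1 otherwise (explains what is missing).
check_auto_upgrades() {
    local file="$1" lists up ok=0
    if [ ! -r "$file" ]; then
        echo "$file: missing, unattended upgrades not configured"
        return 1
    fi
    lists=$(apt_periodic_value Update-Package-Lists < "$file")
    up=$(apt_periodic_value Unattended-Upgrade < "$file")
    if [ "${lists:-0}" = "0" ]; then
        echo "$file: Update-Package-Lists is off, so no new versions are ever seen"; ok=1
    fi
    if [ "${up:-0}" = "0" ]; then
        echo "$file: Unattended-Upgrade is off"; ok=1
    fi
    return $ok
}

# What the file looks like once daily runs are enabled
# (e.g. after "sudo dpkg-reconfigure unattended-upgrades").
EXPECTED_AUTO_UPGRADES='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'

# Demonstration on a constructed copy, then a read-only look at the real file.
demo_dir=$(mktemp -d)
printf '%s\n' "$EXPECTED_AUTO_UPGRADES" > "$demo_dir/20auto-upgrades"
check_auto_upgrades "$demo_dir/20auto-upgrades" && echo "constructed sample: enabled"
rm -rf "$demo_dir"
if [ -r "$AUTO_UPGRADES_CONF" ]; then
    check_auto_upgrades "$AUTO_UPGRADES_CONF" && echo "$AUTO_UPGRADES_CONF: enabled"
else
    echo "$AUTO_UPGRADES_CONF: not present on this machine"
fi
```

This checks the schedule, not the result; `sudo unattended-upgrade --dry-run --debug` shows which packages the next run would actually install, and the note above still applies to anything installed outside the package manager.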
Disable Directory Indexes
Most web servers are configured by default to display directory indexes when a user accesses a directory that lacks an index file. For example, if you were to create a directory called downloads on your web server without any additional configuration, all of the files would be visible to anyone browsing the directory. For many cases, this is not a security concern, but it’s very possible that something confidential could be exposed. For example, if you were to create an index directory on your web server for your website, the directory may contain the file for your website’s homepage and a configuration file that contains credentials to the website’s backend database. Without disabling the directory’s indexes, both of the files in the folder would be visible to anyone browsing the directory.
How Does Disabling Directory Indexes Enhance Security?
Directory indexes have legitimate purposes, but they often unintentionally expose files to visitors. Disabling directory indexes as the default for your web server eliminates the risk of accidental data loss, leakage, or exploitation by making the directory files invisible to visitors. Visitors can still reach the files if they exist in the directory, but disabling indexing makes the files much more difficult to discover unintentionally.
How to Disable Directory Indexes
For most cases, disabling directory indexes is a matter of adding one line to your web server configuration.
This tutorial contains in-depth instructions on how to disable directory indexes for several popular web servers.
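The one line in question is `autoindex off;` for nginx and `Options -Indexes` for Apache; the risk is that a later edit or a vendored snippet turns listings back on for one directory. As an added example (not part of the original guide), the check below scans configuration files for directives that enable listings, so it can be run in a deployment pipeline or a periodic audit. The sample nginx and Apache configurations are constructed.

```shell
# Added example, not from the original guide: find directives that enable
# directory listings in nginx ("autoindex on") and Apache ("Options ... Indexes"
# without a leading "-"). Sample configs are constructed.

# find_index_directives FILE...: prints "file:line:text" for each match.
# /dev/null is appended so the file name is always shown, even for one file.
find_index_directives() {
    grep -n -i -E \
        '^[[:space:]]*(autoindex[[:space:]]+on([[:space:]]|;)|Options[[:space:]]+([^#]*[[:space:]])?\+?Indexes([[:space:]]|$))' \
        "$@" /dev/null
}

# check_no_directory_indexes FILE...: 0 when no listing is enabled, 1 otherwise.
check_no_directory_indexes() {
    if find_index_directives "$@"; then
        return 1
    fi
    return 0
}

# Demonstration on constructed configs.
demo=$(mktemp -d)
cat > "$demo/nginx.conf" <<'EOF'
server {
    location /downloads/ {
        autoindex on;
    }
    location /assets/ {
        autoindex off;
    }
}
EOF
cat > "$demo/apache.conf" <<'EOF'
<Directory /var/www/html>
    Options -Indexes FollowSymLinks
</Directory>
<Directory /var/www/downloads>
    Options Indexes FollowSymLinks
</Directory>
EOF
echo "== listings enabled in constructed configs =="
check_no_directory_indexes "$demo/nginx.conf" "$demo/apache.conf" || echo "fix the lines above"
rm -rf "$demo"
```

Against a real server point it at the whole configuration tree, for example `check_no_directory_indexes /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/sites-enabled/*`; a clean result means nothing in those files enables listings, though a directive in a `.htaccess` file would still need a separate look.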
Back Up Frequently
While this may not seem like a security tip, backups can be critical in saving compromised systems and data, as well as analyzing how the system was compromised to begin with. For instance, if your server is compromised by ransomware, a lack of backups may mean your only choice is to pay ransom to get your data back. If your systems and data are regularly backed up, you may be able to access and recover your data without interacting with the compromised system.
How Do Frequent Backups Enhance Security?
Backups help reduce risk of accidental deletions and mitigate the risk of data loss by retaining uncompromised copies of the data before attacks happen.
In addition to ransomware cases, regular backups can help with forensic analysis of long-term attacks. If you don’t have a history of your data, it can be difficult or even impossible to determine when an attack began and what data was compromised.
How to Implement Frequent Backups
Unlike the others on this list, backup implementation can range from trivial to extremely difficult. When enabling backups, you should ask yourself: if my server disappears tomorrow, how can I get it back up and running?
Here are a few other questions to consider when developing a disaster recovery plan:
- Should the latest backup always be used? Depending on how frequently your data changes, it may reduce risk to instead default to an older backup.
- What is the actual process for restoring the backup? Do you need to create a new server or restore over the existing one?
- How long can you survive without this server in action?
- Do I need offsite backups?
If you are using DigitalOcean Droplets, you can enable weekly backups from the control panel.
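The question "what is the actual process for restoring the backup?" is best answered by a script that is run regularly, not by a document. As an added example (not part of the original guide), the functions below take a file-level backup of a directory, record a checksum of the archive, and then prove restorability by unpacking it into a scratch directory and comparing the tree with the original. The directory names are constructed; a real deployment would run the restore test from the off-site copy, not from the server that produced it.

```shell
# Added example, not from the original guide: file-level backup with an
# integrity check and an automated restore test. Paths are constructed.

# make_backup SRC_DIR DEST_DIR: write DEST_DIR/<name>-<utc-timestamp>.tar.gz
# plus a .sha256 file beside it, and print the archive path.
make_backup() {
    local src="$1" dest="$2" name archive
    name=$(basename "$src")-$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/$name.tar.gz"
    mkdir -p "$dest"
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
    (cd "$dest" && sha256sum "$name.tar.gz" > "$name.tar.gz.sha256")
    printf '%s\n' "$archive"
}

# verify_restore ARCHIVE SRC_DIR: 0 when the archive still matches its recorded
# checksum AND a restore into a scratch directory is identical to SRC_DIR.
verify_restore() {
    local archive="$1" src="$2" scratch status=0
    # 1. Integrity: has the archive been altered or corrupted since it was written?
    (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null) || return 1
    # 2. Restorability: actually unpack it; an archive nobody has opened is a hope, not a backup.
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive" || status=1
    # 3. Completeness: the restored tree must be byte-identical to the source.
    if [ "$status" -eq 0 ]; then
        diff -r "$src" "$scratch/$(basename "$src")" >/dev/null || status=1
    fi
    rm -rf "$scratch"
    return $status
}

# Stand-alone demonstration on a constructed directory tree.
demo_backup_roundtrip() {
    local work archive
    work=$(mktemp -d)
    mkdir -p "$work/site/config"
    printf '<h1>hello</h1>\n' > "$work/site/index.html"
    printf 'db_password=example\n' > "$work/site/config/app.conf"
    archive=$(make_backup "$work/site" "$work/backups")
    if verify_restore "$archive" "$work/site"; then
        echo "restore test passed: $archive"
    else
        echo "restore test FAILED: $archive"
    fi
    rm -rf "$work"
}
demo_backup_roundtrip
```

Schedule `make_backup` from cron and copy the archive and its checksum off the server; run `verify_restore` against the off-site copy, and treat a failure as an incident. Note that `verify_restore` also fails when the source has changed since the backup was taken, which is exactly the signal that the backup is stale.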
The strategies outlined above provide you with an overview of some of the enhancements you can make to improve the security of your systems. It is important to recognize that, while it’s better late than never, security measures decrease in their effectiveness the longer you wait to implement them. Security cannot be an afterthought and must be implemented from the start alongside the services and applications you are providing.