There are many developers and data science experts using cloud servers to do development or data science projects. However, I have found that most of them always overlook the basic security protection for these servers.
I would like to declare that I am NOT a CISSP. Nevertheless, I would like to share my experience with the basic protection of servers (both physical and virtual), gained when building our computer lab and private cloud.
An insecure server may lead to terrible results, such as:
- Data Breaches
- Loss of Vital Digital Assets (such as source code, sensitive business information, etc.)
Servers on public cloud services are always connected to the Internet and exposed to attacks. Anyone may be able to reach your server and may break into it to steal data or inject malware for further “follow-ups”.
Fundamental Protection Work
There are several “must-have” actions to implement. If you are using a Linux node, try the following actions to improve its security.
- Linux Hardening:
  - Use Strong and Unique Passwords
  - Generate an SSH Key Pair
  - Update your Software Regularly
  - Enable Automatic Updates on OS and Software Level
  - Avoid Unnecessary Software to reduce Unnecessary Risks
  - Disable Booting from External Devices (like “chmod 000” on the /Media mount point)
  - Close Hidden Open Ports to Minimize Attack Surfaces
  - Scan Log Files with Fail2ban to avoid Brute Force Intrusions
  - Utilize Backups and Test Restore on a Regular Basis
  - Perform Security Audits by IT Security Professionals
- Firewall – turn on iptables and open only the necessary service ports.
- Anti-virus – install anti-virus software, whether or not it is a paid subscription. If you have cost concerns, it is still fine to install ClamAV for fundamental protection.
- IDS – it is suggested to install an intrusion detection system to monitor network traffic.
- SSH access:
  - Disable password access and allow SSH keys only.
  - Restrict SSH logins to your server to specific IP addresses and usernames.
- Port number – change the port numbers of vital services from their default ports. For example, you can change your SSH port to 3122 or whatever you like.
- DDoS Attack – it is not possible to protect servers against DDoS at the server level. It is more likely the work of your data center or network service provider. However, it is possible to limit the traffic at the NGINX level, such as the maximum number of HTTP requests from the same IP address within 1 second.
- Spam Mail Filtering – install an anti-spam tool such as SpamAssassin to classify and block spam email.
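One way to check the SSH access and port number items above, as an added example that is not code from the original post: a small Python audit of the global section of an `sshd_config`. The sample configurations, the user names and the 203.0.113.x addresses are constructed, and `Include` files and `Match` blocks are assumed not to be in play.

```python
import re

# sshd defaults for the two authentication keywords checked below
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_global(text):
    """Return {keyword: [values, in file order]} for lines before the first Match block."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":                  # assumption: Match blocks are not evaluated
            break
        opts.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit(text):
    """List deviations from the SSH items in the checklist (empty list = compliant)."""
    opts = parse_global(text)
    # sshd uses the FIRST value it reads for a keyword; later duplicates are ignored
    first = lambda k: opts.get(k, [DEFAULTS[k]])[0].lower()
    findings = []
    if first("passwordauthentication") != "no":
        findings.append("password login is enabled")
    if first("pubkeyauthentication") != "yes":
        findings.append("key login is disabled")
    patterns = [p for v in opts.get("allowusers", []) for p in v.split()]
    if not patterns:
        findings.append("no AllowUsers list")
    for p in patterns:
        user, _, host = p.partition("@")    # AllowUsers accepts USER@HOST patterns
        if user in ("", "*") or host in ("", "*"):
            findings.append(f"AllowUsers '{p}' does not pin a username and a source address")
    ports = [v.split()[0] for v in opts.get("port", ["22"]) if v.strip()]
    if "22" in ports:
        findings.append("sshd listens on the default port 22")
    return findings

# Constructed sample: the later "no" never takes effect because "yes" comes first.
WEAK = "Port 22\nPasswordAuthentication yes\nPasswordAuthentication no\nAllowUsers deploy\n"
# Constructed sample: hypothetical users and documentation-range addresses.
HARDENED = ("Port 3122\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
            "AllowUsers deploy@203.0.113.10 admin@203.0.113.0/24\n")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration after includes are resolved, so its output is the better input for a check like this.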
The above suggestions are basic protections for your server that do not require significant investment. It is important to note that they should be implemented as part of your server deployment, especially for servers connected to the Internet directly. For on-premises servers, it is expected that a firewall sits in front and that the servers are protected in the DMZ.
If you have any other questions, you are welcome to send me a message via the contact form.
Samuel Sum