Running a virtual machine in an IaaS environment with a publicly routed IP address is a privilege that comes with great responsibility! Once your VM has booted, it is open to attacks from the entire internet. And be sure: it will be attacked! Since this is an IaaS environment, you are responsible for the security of your VMs! LRZ reserves the right to perform scans (port scans, PW scans, etc.) against all VMs in its Cloud. LRZ will monitor all network traffic. In case of possible abuse (unusually high traffic in or out, or high volume traffic on suspicious ports) we reserve the right to block or shut down your VM without prior notification.
With the LRZ Cloud we want to support your research, not hinder it. Therefore no firewall rules are applied and all ports are open, including for incoming traffic, so that you can freely use all the software and connectivity you need. It is up to you, the user, to properly configure the VMs for packet filtering, if needed. The user also has to take care of possible threats to the VM that arise from outdated software or weak security features. If machines are hacked or if we detect insecure configurations, users may be banned from future Cloud usage.
Here are some security recommendations you should observe. This list is just a starting point and not comprehensive!
- If you don't need remote access via IP, then don't configure any IP interfaces! You can still access your VM via VNC. This is the most secure option and should be used whenever possible.
- If you don't want to provide a server that is reachable world-wide but do need some kind of external connectivity, e.g., to upload data, then limit accessibility to the MWN. You can still reach your VM from anywhere (e.g., your DSL home line) if you first establish a VPN to the MWN. Do not provide a public IP address for your VM unless absolutely necessary!
- Always keep your operating system updated. It is especially important to apply all security updates/patches in a timely fashion!
- Change all default passwords of your VM image! If you use a publicly available image (from a repository/marketplace), you can safely assume that an attacker knows all the passwords of this image, including the root PW. The same applies to all default passwords of installed software packages, like Tomcat, MySQL, Apache, etc. Therefore, always change all passwords, ideally before booting, but at least within the first minute of runtime of your VM:
  - root PW
  - all other account PWs
  - PW for MySQL server
  - PW for Apache, Tomcat, etc.
- Install a firewall on your VM and close all incoming ports that you do not absolutely need.
- Turn off all system services (daemons or xinetd services) that you do not absolutely need, and run the VM in stealth mode, e.g., disable replies to ping (ICMP echo).
- Follow the best practices of the BSI for server protection.
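
Because no firewall sits in front of the VM, every socket bound to a non-loopback address is reachable from the internet. The following check is an added example, not LRZ's own tooling: it parses `ss -H -tuln` output and reports listeners that are externally bound and not on an allowlist. The sample output, the `ALLOWED` set and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not captured from a real VM).
SAMPLE_SS = """\
udp   UNCONN 0      0        127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      151            0.0.0.0:3306       0.0.0.0:*
tcp   LISTEN 0      100          127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      100                  *:8080             *:*
tcp   LISTEN 0      128               [::]:22            [::]:*
tcp   LISTEN 0      5                [::1]:631           [::]:*
"""

# Assumption: on this VM only SSH is meant to be reachable from outside.
ALLOWED = {("tcp", 22)}


def is_loopback(host):
    """True if the bind address is reachable only from the VM itself."""
    host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if host == "*":                        # wildcard: bound on every interface
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output, allowed=ALLOWED):
    """Return sorted (proto, address, port) for external listeners not allowed."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                        # blank or truncated line
        proto, local = fields[0], fields[4]
        host, _, port = local.rpartition(":")
        if not port.isdigit() or is_loopback(host):
            continue
        if (proto, int(port)) not in allowed:
            findings.add((proto, host, int(port)))
    return sorted(findings)


if __name__ == "__main__":
    # On a real VM, pass the stdout of `ss -H -tuln` instead of SAMPLE_SS.
    for proto, host, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed: {proto} {host}:{port} - stop it, bind to loopback, or filter it")
```

On the constructed sample this flags the MySQL listener on 0.0.0.0:3306 and the Tomcat-style listener on *:8080, while the loopback-only services and SSH pass.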
If you think this is all too complicated and too much work, then please do yourself and us a favour and do not use the LRZ Cloud service!