091.Security.discussion.hoolio.md

Lesson 090 (45 min)

-- Slide --

A Security Discussion

-- Slide End --

-- Slide --

A Shared Responsibility Model

NeCTAR look after the cloud

You look after the stuff you put in it

-- Slide End --

-- Slide --

A good scout always:

• Knows what can happen
• Is prepared for it -- Slide End --

-- Slide --

But i'm not a scout..

NeCTAR images do alot for you already:

• Blocks SSH access after N failed attempts
• Password auth is disabled
• Provides up to date images
• Default security group is empty

..but there is a lot left up to you -- Slide End --

-- Slide --

It is true:

the minute you put a server onto the internet, automated scanners start probing it for weaknesses. -- Slide End --

-- Slide --

Exercise

1. Run firefox on your instance
2. Go to: https://www.grc.com/shieldsup
3. Click on the 'Proceed' button
4. then select 'All Service Ports'

what do we see?

R = Help me!
G = Ask me for help!
-- *Slide End* --

-- Slide --

The red dots are open ports

A port is like a door to your instance. That's the conduit through which the baddies will get in.

Ideally you should have:

• As few open ports as possible
• Each locked up nice and tight -- Slide End --

-- Slide --

Q: If all you need is SSH, do you need 10 ports open?

A: No

-- Slide End --

-- Slide --

Security groups

They control which ports are open to your instance.

Ports are like the doors and windows to your home -- Slide End --

-- Slide -- ##Exercise: Blocking the front door

• Remove ssh from the security group on your VM
• Try to ssh in – and fail!
• Create a special ssh only security group
• Add it to your running VM
• Try to ssh in: success?

R = Help me!
G = Ask me for help!
-- *Slide End* --

-- Slide --

A recommendation

Have a dedicated security group for ssh

Every new instance will use the default security group. Changing it thusly effects every instance. -- Slide End --

-- Slide -- Q: Who do you let into your home?

A: Only people you trust.

-- Slide End --

-- Slide --

A recommendation

Don't share your private SSH key to anyone

-- Slide End --

-- Slide -- abracadabra -- Slide End --

-- Slide --

A recommendation

Don't enable password auth

it's much easier to crack -- Slide End --

-- Slide --

Exercise: Batten down the hatches

Apply system updates:

sudo apt-get update && sudo apt-get upgrade

R = Help me!
G = Ask me for help! -- *Slide End* --

-- Slide --

Q: Why would you not enable automatic upgrades?

A: Upgraded packages might break your software

-- Slide End --

-- Slide --

Exercise: enable automatic updates

sudo dpkg-reconfigure unattended-upgrades

R = Help me!
G = Ask me for help!
-- *Slide End* --

-- Slide --

A recommendation

Apply package updates

Or at very least, just security updates -- Slide End --

-- Slide --

A recommendation

Avoid running mail server

• Use ssmtp (server email via imap)
• Use a paid service such as MailChimp
• Talk to TPAC via mailto:[email protected] -- Slide End --

-- Slide --

NeCTAR's security guidelines

NeCTAR has a set of security guidelines that can be found at:

• http://tinyurl.com/nectar-security-guidelines -- Slide End --

-- Slide --

Do you have some better doco on all this?

• http://tinyurl.com/ResBaz-Links -- Slide End --