Note: Security Reporting

If you discover a critical security flaw or believe that your machine has been compromised, please contact ECMWF or EUMETSAT immediately on our Support Portal.

Introduction

...

Users are responsible for the security of the

...

virtualised resources under their control. This includes, but is not limited to: virtual machines, network configuration, user accounts and disk volumes.

Security reports 

...

Here are some security guidelines to help you secure your resources on the European Weather Cloud.

Table of Contents

Network 

It is very important to keep your network configuration as secure as possible, because the network is the gate any intruder will use to enter your system. A few good practices are simple to apply and add a substantial extra layer of security. The strategies below are advised.

Restrictive firewall (white listing)

Your virtual machine instances should be configured to allow only the minimum access required to run your application. By default, virtual machines have no external access: not a single port is open to the public Internet. To connect to them, or to provide any kind of service, access has to be explicitly added. Open only the ports that need to be open, and open each of them only to the smallest set of source IP addresses possible.

Every virtual machine running in EWC is protected by two firewalls: the firewall of the virtual machine itself (netfilter/iptables) and the OpenStack Security Groups. Both apply, so a port must be allowed in the Security Group and in the VM firewall before it is reachable.
There are default Security Groups created by ECMWF admins which are adequate for many situations and environments; please use those.
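The allow-list principle above is easy to state and easy to lose track of once several people have added rules. The following script, an added example rather than EWC or ECMWF code, audits the ingress rules of a Security Group for anything reachable from the whole Internet on a port that is not meant to be public, and for SSH reachable from outside an approved range. The records mimic the JSON that `openstack security group rule list <group> -f json` prints, but they are constructed here and the column names, the public-port set and the approved SSH range are assumptions for the example (column names differ between client versions):

```python
"""Audit OpenStack security group rules for overly broad ingress.

Added example, not EWC/ECMWF code. The input mimics
`openstack security group rule list <group> -f json`, but the records
below are constructed and the column names are an assumption.
"""
import ipaddress
import json

# Assumptions for the example: HTTPS is the only service meant to be public,
# and SSH may only be reached from a VPN/office range (RFC 5737 TEST-NET-3).
PUBLIC_PORTS = {443}
ALLOWED_SSH_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: what a drifted security group might look like.
SAMPLE_RULES_JSON = """
[
  {"ID": "r1", "Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "tcp",
   "Port Range": "22:22", "IP Range": "203.0.113.0/24", "Remote Security Group": null},
  {"ID": "r2", "Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "tcp",
   "Port Range": "443:443", "IP Range": "0.0.0.0/0", "Remote Security Group": null},
  {"ID": "r3", "Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "tcp",
   "Port Range": "5432:5432", "IP Range": "0.0.0.0/0", "Remote Security Group": null},
  {"ID": "r4", "Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": null,
   "Port Range": "", "IP Range": "0.0.0.0/0", "Remote Security Group": null},
  {"ID": "r5", "Direction": "egress", "Ethertype": "IPv4", "IP Protocol": null,
   "Port Range": "", "IP Range": "0.0.0.0/0", "Remote Security Group": null},
  {"ID": "r6", "Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "tcp",
   "Port Range": "22:22", "IP Range": "0.0.0.0/0", "Remote Security Group": null}
]
"""


def port_range(rule):
    """Return (low, high) for a rule, or None when it matches every port."""
    text = rule.get("Port Range") or ""
    if not text:
        return None
    low, _, high = text.partition(":")
    return int(low), int(high or low)


def audit_rules(rules, public_ports=PUBLIC_PORTS, ssh_sources=ALLOWED_SSH_SOURCES):
    """Return (rule id, problem) pairs for ingress rules that break the allow-list."""
    findings = []
    for rule in rules:
        if rule.get("Direction") != "ingress":
            continue  # egress is not how an intruder gets in
        if rule.get("Remote Security Group"):
            continue  # scoped to another group, not to an address range
        default = "0.0.0.0/0" if rule.get("Ethertype") == "IPv4" else "::/0"
        src = ipaddress.ip_network(rule.get("IP Range") or default)
        world = src.prefixlen == 0  # 0.0.0.0/0 or ::/0: the whole Internet
        ports = port_range(rule)
        if ports is None:
            if world:
                findings.append((rule["ID"], "all ports and protocols open to the world"))
            continue
        low, high = ports
        opened = set(range(low, high + 1))
        if world and not opened <= public_ports:
            findings.append((rule["ID"], f"ports {low}-{high} open to the world"))
        elif 22 in opened and not any(
            net.version == src.version and src.subnet_of(net) for net in ssh_sources
        ):
            findings.append((rule["ID"], f"SSH reachable from {src}, outside the allowed sources"))
    return findings


def audit_rules_json(text):
    """Convenience wrapper for the JSON the CLI prints."""
    return audit_rules(json.loads(text))


if __name__ == "__main__":
    for rule_id, problem in audit_rules_json(SAMPLE_RULES_JSON):
        print(f"{rule_id}: {problem}")
```

Run against the sample, it flags r3 (a database port open to the world), r4 (everything open) and r6 (SSH open to the world) while accepting the HTTPS rule and the SSH rule restricted to the approved range. To use it on a real group, pipe the output of `openstack security group rule list <group> -f json` into `audit_rules_json` and adjust the two assumption constants to your own service.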

Disable unneeded services

...

Tools such as DenyHosts or Fail2ban can be used to analyse log files and ban IP addresses that are attempting brute-force attacks against your application. They are very powerful tools, but they have to be used with care, as they can lead to false positives, i.e. banning IP addresses that should not be banned (your own office or VPN range, for example). These tools are a best practice for services that must be available 24/7, while they may not be necessary for single-user VMs.

The images provided by ECMWF already come with fail2ban active and preconfigured to monitor SSH login attempts. Multiple unsuccessful login attempts within a short timespan will lead to a temporary ban of that IP address from connecting to that VM.
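To make the "multiple failures within a short timespan" rule and the false-positive caveat concrete, here is an added example (not fail2ban's code and not the configuration shipped in the EWC images) that re-implements the sshd jail's maxretry/findtime/bantime logic over constructed log lines. The `IGNOREIP` range standing in for an office or VPN network, the parameter values and the log lines themselves are assumptions made for the example:

```python
"""Sliding-window brute-force detection of the kind fail2ban's sshd jail does.

Added example, not fail2ban's code and not the EWC image configuration.
Counts "Failed password" lines per source address inside a findtime window,
bans an address at maxretry failures, and skips addresses on an ignore list
(the knob that prevents banning your own VPN or office range).
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption for the example: the range your operators connect from.
IGNOREIP = ("203.0.113.0/24",)

# Constructed sample log in OpenSSH's syslog format; RFC 5737 documentation
# addresses, not real hosts. 198.51.100.7 fails 5 times in 14 seconds,
# 203.0.113.5 (an operator with a wrong password) fails 5 times in 40 seconds,
# 192.0.2.9 fails 3 times spread over 30 minutes.
SAMPLE_LOG = """\
Jan 10 10:00:01 vm sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan 10 10:00:04 vm sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jan 10 10:00:07 vm sshd[2102]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan 10 10:00:09 vm sshd[2103]: Accepted publickey for cloud-user from 203.0.113.5 port 50100 ssh2
Jan 10 10:00:11 vm sshd[2104]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jan 10 10:00:15 vm sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40005 ssh2
Jan 10 10:05:00 vm sshd[2110]: Failed password for cloud-user from 203.0.113.5 port 50101 ssh2
Jan 10 10:05:10 vm sshd[2111]: Failed password for cloud-user from 203.0.113.5 port 50102 ssh2
Jan 10 10:05:20 vm sshd[2112]: Failed password for cloud-user from 203.0.113.5 port 50103 ssh2
Jan 10 10:05:30 vm sshd[2113]: Failed password for cloud-user from 203.0.113.5 port 50104 ssh2
Jan 10 10:05:40 vm sshd[2114]: Failed password for cloud-user from 203.0.113.5 port 50105 ssh2
Jan 10 10:10:00 vm sshd[2120]: Failed password for root from 192.0.2.9 port 3000 ssh2
Jan 10 10:25:00 vm sshd[2121]: Failed password for root from 192.0.2.9 port 3001 ssh2
Jan 10 10:40:00 vm sshd[2122]: Failed password for root from 192.0.2.9 port 3002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)


def detect_bans(log_text, maxretry=5, findtime=timedelta(seconds=600),
                bantime=timedelta(seconds=600), ignoreip=()):
    """Return [(ip, time of ban)] in the order the bans would be applied."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        match = FAILED.match(line)
        if not match:
            continue
        # syslog lines carry no year; pin one so the deltas are well defined
        ts = datetime.strptime(match["ts"], "%b %d %H:%M:%S").replace(year=2024)
        ip = ipaddress.ip_address(match["ip"])
        if any(ip in net for net in ignored):
            continue  # trusted range: never ban, whatever the failure count
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned; the firewall would be dropping these
        window = attempts[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((str(ip), ts.strftime("%H:%M:%S")))
            window.clear()
    return bans


if __name__ == "__main__":
    print("without ignoreip:", detect_bans(SAMPLE_LOG))
    print("with ignoreip:   ", detect_bans(SAMPLE_LOG, ignoreip=IGNOREIP))
```

Without the ignore list the operator at 203.0.113.5 is banned alongside the real attacker; with it only 198.51.100.7 is. The slow attempts from 192.0.2.9 never reach five failures inside the window, which is the trade-off behind `findtime`: a longer window catches slow brute forcing but also accumulates more legitimate mistakes. In fail2ban itself the equivalent knobs are `maxretry`, `findtime`, `bantime` and `ignoreip` in `jail.local`.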

DNS name

It is possible to ask CINECA for a DNS name association to the virtual machine by sending an email to superc@cineca.it

...

Software

Running secure software is also very important. It is not a trivial task to develop fully secure software, but there are some simple strategies that will help with the task.

...

For additional non-security updates, the user is responsible and must plan accordingly. ECMWF can only recommend the following:

  • Kernel updates: Some updates, such as kernel upgrades, require rebooting the virtual machines. Please schedule this into your regular maintenance.
  • If your use case does not support automatic updates, which is common for highly available setups, please make sure to schedule regular maintenance windows where the software upgrade is scheduled.
  • Subscribe to security announcements for your OS. If there is a security problem in your operating system, you need to find out about it as soon as possible, so subscribe to an appropriate mailing list, RSS feed or similar to keep an eye out for anything that requires urgent action.

Only install from reputable sources

Be mindful of the sources of the software you install, and only install software from reputable sources. If possible, use the distribution's package manager (yum, dnf, apt, ...). Package managers make it easy to install software, keep it updated and uninstall it. If the desired software is not available in the distribution's package repository, an official source must be used: follow the instructions on the official website of the software you need. If more than one source is offered, consider the one that provides the easier life-cycle (install/update/uninstall/...), such as conda, snap or flatpak.

Be mindful about the user accounts in the VM

...