Linux VM Security – Basic Policies and Guidelines

I would recommend having at least the following controls in place for any Linux VM that is reachable from the internet.

  • Never share the root password with individual VM users.
  • Where a user genuinely needs privileged access, grant it through sudoers (edited with visudo) and scope it to the commands that user actually needs, rather than handing out root.
  • The root password must be strong; generate it with a password generator rather than choosing it by hand.
  • Disable direct root login over SSH (PermitRootLogin no in sshd_config).
  • Moving SSH off the default port 22 is optional; it only reduces automated scan noise and is not a substitute for the key-only authentication and firewall rules below.
  • Allow only public-key authentication for SSH (RSA or Ed25519 keys): set PubkeyAuthentication yes and PasswordAuthentication no, and also disable keyboard-interactive (KbdInteractiveAuthentication / ChallengeResponseAuthentication no), otherwise PAM can still prompt for a password.
  • Never run Java or any other service as root unless there is a specific reason it cannot work otherwise.
  • Run your Java application and every other service as a dedicated least-privilege user, ideally one with no login shell (for example /usr/sbin/nologin).
  • A basic host firewall must be enabled on the VM (iptables/nftables, ufw or firewalld).
  • Expose only HTTP (80) and HTTPS (443) to the whole internet; restrict everything else, SSH included, to known source addresses where you can.
  • All internal services must listen on the loopback interface only (for example 127.0.0.1:9000 rather than 0.0.0.0:9000).
  • Put a front-end reverse proxy (Apache or Nginx) in front of the application so that all traffic enters over 80 or 443, with TLS terminated at the proxy.
  • Enable SELinux in enforcing mode on the VMs (if possible).
  • The user the application runs as must not own, or be able to write to, the files and directories it serves; give it read-only access so that a compromised process cannot modify the code or content.
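The SSH and listening-socket items above are the ones that are easiest to get subtly wrong, so here is an added audit script (written for this post, not the author's own tooling) that checks a sshd_config and a snapshot of `ss -ltn` output against them. It runs on constructed sample input so no root is needed; the fallback values it uses for absent keywords are current OpenSSH defaults (an assumption to re-check on very old releases), and it assumes a flat config without Match blocks. The file names, the port allow-list and the sample sockets are all made up for the example.

```sh
#!/bin/sh
# Added example, not from the original post: audit an sshd_config and a
# snapshot of listening TCP sockets against the checklist above. It runs
# on constructed sample input (no root needed); on a real host point it at
# /etc/ssh/sshd_config and the output of `ss -ltn`.

# Effective value of an sshd_config keyword. OpenSSH uses the FIRST
# uncommented occurrence of a keyword, so a hardening line appended at the
# end of the file is silently ignored if an earlier line already set it.
# Match blocks are not handled (assumption: a flat config file).
sshd_get() {
    # $1 = config file, $2 = keyword, $3 = value to report when absent
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# One FAIL line per violated rule; returns 0 only when everything passes.
# The fallbacks passed to sshd_get are current OpenSSH defaults.
audit_sshd() {
    f="$1"; rc=0
    [ "$(sshd_get "$f" PermitRootLogin prohibit-password)" = no ] \
        || { echo "FAIL: PermitRootLogin must be no"; rc=1; }
    [ "$(sshd_get "$f" PasswordAuthentication yes)" = no ] \
        || { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_get "$f" PubkeyAuthentication yes)" = yes ] \
        || { echo "FAIL: PubkeyAuthentication must be yes"; rc=1; }
    # PasswordAuthentication no is not enough on its own: with PAM in use,
    # keyboard-interactive auth still prompts for the account password.
    kbd=$(sshd_get "$f" KbdInteractiveAuthentication \
          "$(sshd_get "$f" ChallengeResponseAuthentication yes)")
    [ "$kbd" = no ] \
        || { echo "FAIL: KbdInteractiveAuthentication must be no"; rc=1; }
    [ "$(sshd_get "$f" Port 22)" != 22 ] \
        || echo "WARN: sshd on the default port 22 (noise reduction only, not a control)"
    return $rc
}

# Prints every listening TCP socket that is bound to a non-loopback address
# and whose port is not in the space-separated allow-list ($2).
# $1 is a file holding `ss -ltn` output (header line optional).
exposed_ports() {
    awk -v allow=" $2 " '
        $1 == "State" { next }                     # skip the ss header
        {
            addr = $4                              # e.g. 0.0.0.0:22, [::]:80, 127.0.0.1:9000
            n = split(addr, p, ":"); port = p[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "[::1]") next   # loopback only: fine
            if (index(allow, " " port " ") > 0) next           # intentionally public
            print host ":" port
        }' "$1"
}

# Constructed sample inputs (not captured from a real host) so the script
# can be run as-is.
write_samples() {
    d="$1"
    # Looks hardened at the bottom, but the first PermitRootLogin wins.
    cat > "$d/sshd_config.bad" <<'EOF'
PermitRootLogin yes
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
PermitRootLogin no
EOF
    cat > "$d/sshd_config.ok" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
EOF
    cat > "$d/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    [::]:443           [::]:*
LISTEN 0      128    127.0.0.1:9000     0.0.0.0:*
LISTEN 0      50     *:3306             *:*
EOF
}

# Demo run on the samples: two FAIL lines for the bad config, nothing for
# the good one, and *:3306 as the only socket that should not be public.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_sshd "$tmp/sshd_config.bad" || echo "sshd_config.bad: NOT compliant"
audit_sshd "$tmp/sshd_config.ok"  && echo "sshd_config.ok: compliant"
exposed_ports "$tmp/ss.txt" "80 443 2222"
rm -rf "$tmp"
```

The `sshd_config.bad` sample illustrates the trap the first check guards against: the hardening line was appended after an existing `PermitRootLogin yes`, so sshd keeps allowing root logins even though a `grep` for `PermitRootLogin no` would look fine. On a live host, run `sshd -T` to see the effective configuration rather than reading the file, and feed `ss -ltn` directly to `exposed_ports` (with your real SSH port in the allow-list) to catch services that were bound to 0.0.0.0 instead of 127.0.0.1.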


Senior Technical Consultant - Solution Architect - JAVA

Posted in Linux, Nginx, Security
