I would recommend having at least the following procedures in place to protect Linux VMs that are exposed to the internet.
- Never share the root password with individual VM users.
- Grant individuals root access only through the sudoers list, and only if required.
- The VM root password must be strong (use a Strong Password Generator utility to generate it).
- Disable direct root login over SSH.
- Run SSH on a non-conventional port instead of the default port 22.
- Allow only RSA key-based SSH access to the VM (disable password-based SSH authentication).
- Never run Java or any other process as root unless it is genuinely required.
- Always run your Java application, and any other process, as a least-privilege VM user (ideally one with no shell access).
- A basic firewall must be enabled on the VM.
- Expose only the HTTP (80) and HTTPS (443) ports to the global internet.
- All required local processes must listen on the loopback interface only (e.g. 127.0.0.1:9000 instead of 0.0.0.0:9000).
- Route all application (VM) traffic over HTTP (80) or HTTPS (443, with SSL terminated at the proxy) through a front-end proxy server such as Apache or Nginx.
- Enable SELinux on the VMs (if possible).
- The process user must not own the files and folders that the application serves.
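The three SSH items above (no direct root login, key-only authentication, non-default port) are easy to verify mechanically. The following audit script is an added example, not part of the original post; it assumes the standard `Keyword value` layout of `sshd_config` and does not evaluate `Match` blocks.

```shell
#!/bin/sh
# Added audit script (not from the original post): checks an sshd_config file
# against the SSH items in the checklist above. Assumes the standard one
# "Keyword value" directive per line; Match blocks are not evaluated.
# sshd_value FILE KEYWORD -> prints the first uncommented value of KEYWORD
# (keyword match is case-insensitive, as in sshd itself).
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE -> prints one line per failed check; returns the number of
# failures, so 0 means the file satisfies every check.
audit_sshd() {
    file="$1"
    fails=0
    # Direct root login must be off. Unset means the OpenSSH default
    # "prohibit-password", which still permits key-based root login.
    root=$(sshd_value "$file" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin='${root:-unset}' (want 'no')"
        fails=$((fails + 1))
    fi
    # Password logins must be off so only key-based access remains.
    pw=$(sshd_value "$file" PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication='${pw:-unset, default yes}' (want 'no')"
        fails=$((fails + 1))
    fi
    # Key-based login must not have been switched off by mistake.
    if [ "$(sshd_value "$file" PubkeyAuthentication)" = "no" ]; then
        echo "FAIL: PubkeyAuthentication='no' (want 'yes' or unset)"
        fails=$((fails + 1))
    fi
    # Listen on a non-default port; unset means 22.
    port=$(sshd_value "$file" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: Port='${port:-unset}' (want a non-default port)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: a stock-looking config that fails three of the checks.
sample=$(mktemp)
printf '#Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$sample"
audit_sshd "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

Run it against `/etc/ssh/sshd_config` after editing and before restarting `sshd`; a non-zero exit status means at least one item of the checklist is not yet in place.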