Security Best Practices

Xandr takes every possible security precaution in its network infrastructure, but there are steps that individual customers can take within their own inventory to minimize the risk of security issues.  We strongly recommend the following measures:

1.  Use your firewall / ACLs to block all unused traffic

  • When filling in the firewall rules in the initial customer questionnaire, start from a "deny all" rule.  Open each destination port only if you are actually going to use it, and narrow the source and destination IP lists to the set you really need (e.g., for SSH the source could be just your office workstation(s); for HTTP on port 80 the destination could be only the instance on which the web server actually runs).  See Networking and Firewalls and How to Set Firewall Rules for more information.
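
The "deny all first" rule from step 1, written out as an nftables ruleset: this is an added example, not a configuration from Xandr or from the customer questionnaire. It assumes nftables on the instance, and the office network, web server address and SSH port are constructed placeholders to be edited. The two check functions let you confirm, before applying anything, that the default policy is drop and that no TCP port is opened without a source or destination restriction.

```shell
#!/bin/sh
# Added example (not from the Xandr page): builds a default-deny nftables
# ruleset from a few variables so that every allowed flow is explicit.
# Addresses below are constructed placeholders (TEST-NET-3 and a private IP).
OFFICE_NET=203.0.113.0/24   # where administrators connect from over SSH
WEB_SERVER=10.0.0.10        # the one instance that really runs a web server
SSH_PORT=22                 # change together with step 5 if SSH moves port

# Print the ruleset; on the instance, apply it with:  sh this_script.sh | nft -f -
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        # Default policy: drop everything that is not explicitly allowed below.
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        # SSH only from the office network, nowhere else.
        ip saddr $OFFICE_NET tcp dport $SSH_PORT accept
        # HTTP only towards the instance that actually serves web traffic.
        ip daddr $WEB_SERVER tcp dport 80 accept
        # Echo requests so that monitoring keeps working.
        icmp type echo-request accept
        # If IPv6 is in use, add icmpv6 rules for neighbour discovery here.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Check 1: the input chain really starts from "deny all".
ruleset_has_default_deny() {
    gen_ruleset | grep -q 'hook input priority 0; policy drop;'
}

# Check 2: list TCP accept rules that carry neither a source nor a destination
# restriction. Empty output means every opened port is scoped to an address.
unrestricted_tcp_accepts() {
    gen_ruleset | grep 'tcp dport' | grep 'accept' | grep -v -e 'saddr' -e 'daddr'
}

gen_ruleset
```

Run the two checks from a shell after sourcing the script (`ruleset_has_default_deny && echo ok`, `unrestricted_tcp_accepts`); a non-empty result from the second one is exactly the kind of opening the questionnaire guidance above tells you to narrow down.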

2.  Disable root login to your instances

  • Please note that there is no root password on the base Xandr image by default, as public / private key pair authentication is used.  If you decide to use passphrase-protected keys or to set a root password, please make sure they are strong.
  • Ideally, your employees log in to instances using their personal accounts, then switch to superuser mode when necessary using sudo and entering their own passwords.  If some employees need only a limited set of rights, it is best to grant them sudo access to a subset of commands only.

3.  Use strong passwords for all your users / services

  • A password shouldn't be a dictionary word or a string of digits only.  A strong password contains at least eight characters, including letters (both lower and upper case), digits, and preferably some special characters (examples: "12345" is a weak password, "marie1" is a weak password, "GyP74^Bdw9" is a strong password).
  • To check how strong your passwords are, you can use John the Ripper, a password-cracking tool.
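
The rule in step 3, turned into a small check that a script or an onboarding tool can call before accepting a new password. This is an added example, not a tool from Xandr; the word-list path is an assumption and that check is skipped when the file is absent. It classifies the page's own three examples and one constructed one, and it is a policy check only, not a replacement for running a cracker such as John the Ripper against your real password hashes.

```shell
#!/bin/sh
# Added example (not from the Xandr page): classifies a candidate password by
# the rule above: at least eight characters, lower case, upper case and digits,
# special characters preferred, and neither a bare digit string nor a
# dictionary word. The word-list path is an assumption.
WORDLIST=/usr/share/dict/words

# password_class PASSWORD: prints weak, acceptable or strong; returns 1 for weak.
# (A command-line argument is visible in `ps`; in a real script read the value
# with `read -r` from the terminal instead of passing it as an argument.)
password_class() {
    pw=$1
    lower=0; upper=0; digit=0; special=0
    case $pw in *[[:lower:]]*) lower=1;; esac
    case $pw in *[[:upper:]]*) upper=1;; esac
    case $pw in *[[:digit:]]*) digit=1;; esac
    case $pw in *[![:alnum:]]*) special=1;; esac

    # The page's "weak" cases: too short, digits only, or a dictionary word.
    if [ ${#pw} -lt 8 ]; then echo weak; return 1; fi
    case $pw in *[![:digit:]]*) ;; *) echo weak; return 1;; esac
    if [ -r "$WORDLIST" ] && grep -qixF -- "$pw" "$WORDLIST"; then
        echo weak; return 1
    fi

    # Mixed case plus digits are required; a special character makes it strong.
    if [ $lower -eq 1 ] && [ $upper -eq 1 ] && [ $digit -eq 1 ]; then
        if [ $special -eq 1 ]; then echo strong; else echo acceptable; fi
        return 0
    fi
    echo weak
    return 1
}

# Worked check on the page's own examples plus one constructed value.
for p in 12345 marie1 'GyP74^Bdw9' Abcdefg1; do
    printf '%-12s %s\n' "$p" "$(password_class "$p")"
done
```

"acceptable" marks a password that meets the mandatory part of the rule but has no special character, so the preference stated above is visible in the result rather than silently dropped.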

4.  Keep your software updated

5.  Switch SSH traffic to a different port
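
Steps 2 and 5 both come down to editing sshd_config, so one added example serves both; it is not a script from Xandr. It assumes OpenSSH's sshd_config format, an "ops" administrator group, a "deploy" user and the command paths in the sudoers fragment, all of which are placeholders. The directive-setting helper replaces a live or commented-out line in the global section, or inserts the directive before the first Match block so that it stays global, and it is safe to run more than once.

```shell
#!/bin/sh
# Added example (not from the Xandr page): disables direct root login and
# password authentication (step 2), moves SSH to another port (step 5) and
# prints a sudoers drop-in granting one user a fixed command subset.
# Group name, user name and command paths are assumptions.

# set_sshd_option FILE KEY VALUE: idempotently set one global sshd directive.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        /^Match[ \t]/ { in_match = 1 }                    # conditional section begins
        /^Match[ \t]/ && !done { print k, v; done = 1 }    # keep our directive global
        !in_match && $0 ~ ("^[# \t]*" k "[ \t]") {
            if (!done) { print k, v; done = 1 }            # replace first occurrence
            next                                           # drop duplicates
        }
        { print }
        END { if (!done) print k, v }                      # nothing matched: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file"             # cat keeps file permissions
    rm -f "$tmp"
}

# harden_sshd FILE PORT: apply the directives for steps 2 and 5.
harden_sshd() {
    cfg=$1 port=$2
    set_sshd_option "$cfg" PermitRootLogin no          # step 2: no direct root login
    set_sshd_option "$cfg" PasswordAuthentication no   # keys only, as on the base image
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" Port "$port"                # step 5: move SSH off port 22
}

# get_sshd_option FILE KEY: first active global value (stops at the first Match).
get_sshd_option() {
    awk -v k="$2" '/^Match[ \t]/ { exit } $1 == k { print $2; exit }' "$1"
}

# Sudoers drop-in: full rights for admins, a fixed command subset for "deploy".
gen_sudoers_fragment() {
    cat <<'EOF'
# Admins: full rights, but from their own account and with their own password
%ops ALL=(ALL) ALL
# Deploy user: may only restart the web service and read its log, as root
deploy ALL=(root) /usr/bin/systemctl restart nginx.service, /usr/bin/journalctl -u nginx.service
EOF
}

# Demo on a constructed sshd_config with a commented Port line and a Match block.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config
#Port 22
PermitRootLogin yes
X11Forwarding no
Match User backup
    PasswordAuthentication yes
EOF
    harden_sshd "$cfg" 2222
    echo "--- hardened sshd_config ---"; cat "$cfg"
    echo "--- sudoers drop-in ---"; gen_sudoers_fragment
    rm -f "$cfg"
}
demo
```

Before restarting sshd, validate the file with `sshd -t`, and open the new port in the firewall from step 1 (from the office network only) before closing port 22, or you lock yourself out. Check the sudoers fragment with `visudo -cf <file>` before placing it in /etc/sudoers.d; the deploy user then runs exactly the listed commands with their arguments and nothing else.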

6.  Do not send passwords in any "open" way (plain text authorization, unencrypted e-mail, IM, etc.)

  • In particular, this means that if you need LDAP, MySQL, or something similar to work over an Internet connection (not just inside your VLAN), switch it to SSL/TLS.
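
What "switch to SSL" looks like in the client configuration for the two services named above, as an added example that is not from Xandr: a clear-text and a TLS-enforcing variant of an OpenLDAP ldap.conf and of a MySQL client my.cnf, side by side, plus a small audit function for each that flags the clear-text settings. Host names and certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Xandr page): weak and hardened client configs for
# LDAP and MySQL over an untrusted network, with an audit function for each.
# Host names and certificate paths are constructed placeholders.

# --- weak: an LDAP simple bind sends the password in clear text, and the MySQL
# --- session is unencrypted with no check that the server is the real one.
weak_ldap_conf() { cat <<'EOF'
URI ldap://ldap.example.internal
BASE dc=example,dc=internal
EOF
}
weak_my_cnf() { cat <<'EOF'
[client]
host=db.example.internal
EOF
}

# --- hardened: TLS is required and the server certificate is verified.
hardened_ldap_conf() { cat <<'EOF'
URI ldaps://ldap.example.internal
BASE dc=example,dc=internal
TLS_CACERT /etc/ssl/certs/internal-ca.pem
TLS_REQCERT demand
EOF
}
hardened_my_cnf() { cat <<'EOF'
[client]
host=db.example.internal
ssl-mode=VERIFY_IDENTITY
ssl-ca=/etc/mysql/internal-ca.pem
EOF
}

# audit_ldap_conf FILE: print one finding per weak setting; return 1 if any.
audit_ldap_conf() {
    rc=0
    if grep -Eq '^[[:space:]]*URI[[:space:]]+ldap://' "$1"; then
        echo "$1: plain ldap:// URI; use ldaps:// (or force STARTTLS on every client)"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*TLS_REQCERT[[:space:]]+demand' "$1"; then
        echo "$1: TLS_REQCERT is not 'demand', so a forged server certificate is accepted"
        rc=1
    fi
    return $rc
}

# audit_my_cnf FILE: same check for a MySQL client configuration.
audit_my_cnf() {
    if grep -Eq '^[[:space:]]*ssl-mode[[:space:]]*=[[:space:]]*(REQUIRED|VERIFY_CA|VERIFY_IDENTITY)' "$1"; then
        return 0
    fi
    echo "$1: ssl-mode does not require TLS (REQUIRED at least, VERIFY_IDENTITY ideally)"
    return 1
}

# Demo on constructed files: the weak variants fail, the hardened ones pass.
run_audits() {
    d=$(mktemp -d)
    weak_ldap_conf > "$d/ldap.weak"; hardened_ldap_conf > "$d/ldap.ok"
    weak_my_cnf > "$d/my.weak";      hardened_my_cnf > "$d/my.ok"
    for f in "$d/ldap.weak" "$d/ldap.ok"; do audit_ldap_conf "$f" && echo "$f: ok"; done
    for f in "$d/my.weak" "$d/my.ok";     do audit_my_cnf "$f" && echo "$f: ok"; done
    rm -rf "$d"
}
run_audits
```

Encryption without server verification only protects against a passive listener; `TLS_REQCERT demand` and `ssl-mode=VERIFY_IDENTITY` are what stop an attacker between the client and the server from presenting their own certificate and reading the credentials anyway. The server side needs the matching setting too (MySQL's `require_secure_transport=ON`), otherwise a misconfigured client can still connect in the clear.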


The above list is just an initial recommendation.  Lots of attacks are due to the "human factor": attaching a note with one's password to one's monitor, not logging off when leaving one's desk, using untrusted machines (e.g., in an unknown Internet cafe) to connect to one's inventory, etc.


Both password-based and key-based authentication have their disadvantages (in the former case the password could be guessed; in the latter case the private key file could be copied or stolen).  You can increase security by using passphrase-protected keys.

Further Reading

  • Linux Security HOWTO
  • Linux Security
  • Linux Security for Beginners

As always, please create a ticket at if you have any questions or concerns.