Security Best Practices
Xandr takes every possible security precaution in its network infrastructure. But there are steps that individual customers can take within their inventory in order to minimize the risk of security issues. We strongly recommend the following measures:
1. Use your firewall / ACLs to block all unused traffic
- When specifying firewall rules in the initial customer questionnaire, start from the "deny all" rule. Open each destination port only if you are really going to use it, and narrow the source and destination IP lists to the set you really need (e.g., for SSH, the source could be just your office workstation(s); for HTTP on port 80, the destination could be only the instance where the web server is actually running). See Networking and Firewalls and How to Set Firewall Rules for more information.
2. Disable root login to your instances
- Please note that there is no root password on the base Xandr image by default, as public / private key pair authorization is used. If you decide to protect your keys with a password or to set a root password, please make sure they are strong.
- Ideally, your employees log in to instances using their personal accounts, then switch to superuser mode when necessary using sudo and entering their passwords. If some employees need a limited set of rights, it is best to grant them sudo access to a subset of commands only.
3. Use strong passwords for all your users / services
- A password shouldn't be a dictionary word or a set of digits. A strong password contains at least eight symbols, including letters (both lower and upper case), digits, and preferably some special symbols (examples: "12345" is a weak password, "marie1" is a weak password, "GyP74^Bdw9" is a strong password).
- To check how strong your passwords are, you can use "John the Ripper", a password cracking tool.
4. Keep your software updated
- Make sure you track software security bugs (CentOS announcements, Debian Security, …).
- Install the appropriate patches according to security notifications.
5. Switch SSH traffic to a different port
6. Do not send passwords in any "open" way (plain text authorization, unencrypted e-mail, IM, etc.)
In particular, this means that if you need LDAP / MySQL / something similar to work over an Internet connection (not just inside your VLAN), switch to SSL.
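To make the "deny all" approach of step 1 concrete, the following script is an added example (not Xandr's questionnaire format or tooling): it builds an nftables ruleset whose default input policy is drop and opens only the listed services, narrowed to a source CIDR and a destination address. The "proto:port:source_cidr:dest_addr" spec syntax, the function names and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration; IPv4 only.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that starts from "deny all"
# and opens only the listed services. Spec syntax (constructed for this
# example): "proto:port:source_cidr:dest_addr". IPv4 only.

# Print a complete ruleset: default policy drop, then one accept per spec.
gen_ruleset() {
  cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
EOF
  for spec in "$@"; do
    proto=${spec%%:*}; rest=${spec#*:}
    port=${rest%%:*};  rest=${rest#*:}
    src=${rest%%:*};   dst=${rest#*:}
    if [ "$src" = "0.0.0.0/0" ]; then
      # Deliberately open to everyone (a public web server): no saddr match.
      printf '    ip daddr %s %s dport %s accept\n' "$dst" "$proto" "$port"
    else
      printf '    ip saddr %s ip daddr %s %s dport %s accept\n' "$src" "$dst" "$proto" "$port"
    fi
  done
  cat <<'EOF'
    counter drop
  }
}
EOF
}

# List the specs whose source is the whole Internet, so the operator can
# confirm each one is intentional (fine for HTTP, not for SSH or databases).
wide_open() {
  for spec in "$@"; do
    case $spec in
      *:0.0.0.0/0:*) printf '%s\n' "$spec" ;;
    esac
  done
}

# Usage with constructed addresses: admin SSH only from one office host,
# HTTP to the web instance from anywhere. Pipe the output into
# "nft -c -f -" to syntax-check it before loading it on an instance.
gen_ruleset "tcp:22:203.0.113.10/32:198.51.100.5" "tcp:80:0.0.0.0/0:198.51.100.6"
wide_open   "tcp:22:203.0.113.10/32:198.51.100.5" "tcp:80:0.0.0.0/0:198.51.100.6"
```

The ruleset is only printed, never applied, so it can be reviewed and version-controlled before anything reaches an instance; the wide_open check is the review step for "narrow the source IP list".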
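The password rule in step 3 can be applied mechanically before a password is set. The script below is an added example, not Xandr's tooling: it rates a candidate against that rule (at least eight characters; lower- and upper-case letters and digits required; special characters preferred; not a dictionary word) and reproduces the page's own verdicts for "12345", "marie1" and "GyP74^Bdw9". The "weak / acceptable / strong" labels and the function names are this example's own; the dictionary check uses /usr/share/dict/words only when that file is present.

```shell
#!/bin/sh
# Added example: rate a password against the rule in step 3 above.
# Labels "weak", "acceptable" (all classes except specials) and "strong"
# are this script's own. Not Xandr's tooling.

# has_class STRING REGEX: true when STRING contains a match for REGEX.
# POSIX classes avoid locale surprises with ranges like [a-z].
has_class() {
  printf '%s' "$1" | grep -q -- "$2"
}

# Print weak, acceptable or strong for the given password.
password_strength() {
  pw=$1
  # Fewer than eight characters is weak regardless of content.
  if [ "${#pw}" -lt 8 ]; then echo weak; return 0; fi
  # A dictionary word is weak (checked only if a word list is installed).
  if [ -r /usr/share/dict/words ] && grep -qix -- "$pw" /usr/share/dict/words; then
    echo weak; return 0
  fi
  # Letters of both cases and digits are required.
  has_class "$pw" '[[:lower:]]' || { echo weak; return 0; }
  has_class "$pw" '[[:upper:]]' || { echo weak; return 0; }
  has_class "$pw" '[[:digit:]]' || { echo weak; return 0; }
  # Special characters are preferred, not required.
  if has_class "$pw" '[^[:alnum:]]'; then echo strong; else echo acceptable; fi
}

# Usage: the page's own examples plus one with every class but specials.
for pw in 12345 marie1 'GyP74^Bdw9' Passw0rd; do
  printf '%-12s %s\n' "$pw" "$(password_strength "$pw")"
done
```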
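Steps 2 and 5 both come down to settings in sshd_config. The audit below is an added example (not Xandr's tooling) that reports where a configuration file departs from those steps: root login permitted, password authentication left on, or SSH still on port 22. It assumes OpenSSH semantics, which I rely on here: for each keyword the first non-comment occurrence wins, directives after a Match line are conditional and are skipped, and the defaults PermitRootLogin prohibit-password, PasswordAuthentication yes and Port 22 apply when a keyword is absent. Function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config against steps 2 and 5 above.
# Assumes OpenSSH semantics: first occurrence of a keyword wins, the global
# section ends at the first "Match" line, and the defaults passed to
# sshd_get apply when a keyword is absent. Not Xandr's tooling.

# sshd_get FILE KEYWORD DEFAULT: effective value (lower-cased) or DEFAULT.
sshd_get() {
  file=$1; key=$2; default=$3
  val=$(awk -v k="$key" '
    $1 ~ /^#/ { next }               # skip comment lines
    tolower($1) == "match" { exit }  # conditional block: global section over
    tolower($1) == tolower(k) { print $2; exit }' "$file" \
    | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "${val:-$default}"
}

# audit_sshd FILE: print one finding per line; exit 0 only when there are none.
audit_sshd() {
  file=$1; findings=0
  root=$(sshd_get "$file" PermitRootLogin prohibit-password)
  if [ "$root" != "no" ]; then
    echo "PermitRootLogin is '$root'; step 2 recommends: no"
    findings=$((findings + 1))
  fi
  pass=$(sshd_get "$file" PasswordAuthentication yes)
  if [ "$pass" != "no" ]; then
    echo "PasswordAuthentication is '$pass'; recommended: no (key pairs only)"
    findings=$((findings + 1))
  fi
  port=$(sshd_get "$file" Port 22)
  if [ "$port" = "22" ]; then
    echo "Port is 22; step 5 recommends a non-default port"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ -r "${1:-}" ]; then
  audit_sshd "$1"
fi
```

Because the first occurrence wins, a "PermitRootLogin no" added at the bottom of a file that already says "PermitRootLogin yes" near the top changes nothing; the audit reads the file the way sshd does, so it catches exactly that mistake.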
The above list is just an initial recommendation. Many attacks succeed because of the "human factor": attaching a note with one's password to one's monitor, not logging off when leaving one's desk, using untrusted machines (an unknown Internet cafe) to connect to one's inventory, etc.
Both password-based and key-based authentications have their disadvantages (in the former case, the password could be guessed; in the latter case, the private key file could be copied / stolen). You can increase security by using passphrase-protected keys.
As always, please create a ticket at https://help.xandr.com if you have any questions or concerns.