How To Provision a Linux Cloud Server With Security In Mind
Cloud computing is all the rage these days. Initially, cloud computing encompassed a number of different things. Basically, it allows computing resources, storage, and other computer utilities to be virtualized transparently in a “cloud” of computing hardware that is networked together and configured to work as a seamless whole. This allows resources to be quickly provisioned for a specific task or, if needed, rededicated to other areas that need additional resources. Optimally, this is done automatically, with little need for “hand-tuning” by human operators.
With the ability to rapidly deploy servers such as Linux servers, some obscure issues can come up that force administrators to tune them as special cases, either by hand or through automation. This is especially true where security is involved, given the increasing use of cloud deployments by online criminals who use cloud resources to hide their activities. One seemingly minor instance is the use of cryptographic keys with SSH. Each new server should have its own privately generated SSH public/private key pair. Image-based cloning of servers can clone the same keys as well if administrators are not careful.
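A fleet check for the cloned-key problem described above, as an added example that is not part of the original article: it groups `ssh-keyscan`-style output by host key fingerprint and reports any key presented by more than one server. The hostnames and key blobs are constructed sample data, and `make_blob` exists only to build that sample.

```python
import base64
import hashlib
from collections import defaultdict


def make_blob(seed: int) -> str:
    """Build a constructed ssh-ed25519 public key blob (sample data only)."""
    name, key = b"ssh-ed25519", bytes([seed]) * 32
    raw = len(name).to_bytes(4, "big") + name + len(key).to_bytes(4, "big") + key
    return base64.b64encode(raw).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_cloned_keys(scan_text: str) -> dict:
    """Map fingerprint -> hosts for every host key seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":
            continue  # blank line, comment, @marker or truncated entry
        host, keytype, blob = fields[:3]
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # corrupt base64
        # The blob starts with a length-prefixed key type that must match the declared one.
        n = int.from_bytes(raw[:4], "big")
        if raw[4:4 + n] != keytype.encode():
            continue
        # A "name,ip" host field describes one server, so keep the field whole.
        hosts_by_key[(keytype, fingerprint(blob))].add(host)
    return {fp: sorted(h) for (_, fp), h in hosts_by_key.items() if len(h) > 1}


# Constructed sample in ssh-keyscan output format; hostnames are hypothetical.
SAMPLE_SCAN = f"""# collected from a freshly provisioned fleet
web1.example.internal ssh-ed25519 {make_blob(1)}
web2.example.internal ssh-ed25519 {make_blob(1)}
db1.example.internal,10.0.0.5 ssh-ed25519 {make_blob(2)}
broken.example.internal ssh-ed25519 not-base64!!
"""

if __name__ == "__main__":
    print(find_cloned_keys(SAMPLE_SCAN))
```

Any host reported here was provisioned from an image that still carried its host keys and needs fresh ones generated before it goes into service.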
Another seemingly minor issue involving SSH is reverse and forward DNS lookups. If the forward and reverse DNS map to completely different names, SSH may complain and think that something bad is going on (and in some cases that would be true). With cloned machines, this can be largely alleviated by making sure that the correct forward/reverse entries are in your /etc/hosts file. Once a public key has been added to the known_hosts file, the issue is largely mitigated. But prepopulating known_hosts files with proper keys and making judicious use of prepopulated /etc/hosts.allow and /etc/hosts.deny files on cloud-deployed machines can help prevent freshly provisioned servers from being quickly targeted and compromised.
The cloud as we know it is not a fad and will likely continue to grow in use. This is why it is important to keep security best practices in mind for new cloud deployments. Online criminals will not rest or give up easily. Some are quite silent but determined, as the recent Target breach proves. But ever-vigilant administrators can do much to minimize the impact of such security breaches, or even prevent them. This gives customers confidence that their online servers and resources are safe and secure.