6.4. (Reference): Configuring the Normal Security Level Settings on the OS
The following are examples of recommended security settings. You need to apply them to protect against malicious attacks from external environments when connecting a Baremetal Server or a Virtual Server directly to an Internet Gateway.
Note
Almost all of the operations described on this page are outside the Support Coverage provided by the Service Provider. We therefore strongly advise backing up the relevant settings in advance.
6.4.1. Setting a Secure Password for the Guest OS
You are STRONGLY advised to change the password after first signing in to the Virtual Server. We recommend configuring strong passwords based on the following password policy.
Password length of 8 characters or more.
Password must include all three of the following character types: uppercase letters and lowercase letters (both from the ISO Latin alphabet, A to Z and a to z), and non-alphabetic characters.
Password must NOT be a common word that everyone knows, such as “password” or “admin”, your own or another person's full name, or a partial variation of any of the preceding.
6.4.2. IP Filter and Firewall Access Limitations with the Guest OS
We STRONGLY advise you to set up the Guest OS firewall without opening any unnecessary ports. The following examples show how to set it up on CentOS 7.1 and Windows Server 2012 R2. Since neither the Virtual Server nor the Baremetal Server requires direct access to a global network, security can be further enhanced by deploying a dedicated gateway on a dedicated network.
6.4.2.1. Example: CentOS 7.1
1. Start “firewalld”. On the command line, verify that “firewalld” is “active (running)” and “enabled”.
$ /bin/systemctl start firewalld
$ /bin/systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sun 2015-12-27 13:56:12 UTC; 1s ago
Main PID: 9844 (firewalld)
CGroup: /system.slice/firewalld.service
9844 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
$ /bin/systemctl enable firewalld
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
$ /bin/systemctl list-unit-files -t service | grep firewalld
firewalld.service enabled
2. Add the required services. The following shows adding the “https” service. Verify that the service was added with the “--list-service” option.
$ /bin/firewall-cmd --list-service
dhcpv6-client ssh
$ /bin/firewall-cmd --add-service=https --permanent
success
NOTE 1: If you find any unnecessary services, you can delete them with “/bin/firewall-cmd --remove-service=XXX --permanent”, replacing XXX with the service to be deleted. As with adding a service, the change takes effect only after “/bin/firewall-cmd --reload”.
$ /bin/firewall-cmd --reload
success
$ /bin/firewall-cmd --list-service
dhcpv6-client https ssh
NOTE 2: If you would like to add any services, we recommend adding only the services you actually require, paying careful attention to the authentication each service performs and to its known vulnerabilities.
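As an added example, not part of this documentation and not a tool provided by the Service Provider, the following POSIX shell script compares the services firewalld currently allows against an explicit allowlist and prints the “--remove-service” commands from NOTE 1 for everything else, so the result can be reviewed before it is applied. The allowlist, the sample “--list-service” output and the “--apply” flag are assumptions made for this example.

```shell
#!/bin/sh
# Audit the firewalld services of the default zone against an allowlist and
# build the "firewall-cmd --remove-service=... --permanent" commands needed to
# close the rest. Prints the commands (dry run) unless "--apply" is given.

# Assumed allowlist: the services this page ends up with after step 2.
ALLOWED_SERVICES="dhcpv6-client https ssh"

# Constructed sample of "firewall-cmd --list-service" output on a host where
# cockpit and samba were left enabled by mistake (not real output).
SAMPLE_LISTED="cockpit dhcpv6-client https samba ssh"

# unexpected_services LISTED ALLOWED
# Prints the space-separated services in LISTED that are not in ALLOWED.
unexpected_services() {
    listed="$1"; allowed="$2"; out=""
    for svc in $listed; do
        found=0
        for ok in $allowed; do
            [ "$svc" = "$ok" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && out="$out $svc"
    done
    printf '%s' "${out# }"
}

# remove_commands LISTED ALLOWED
# Prints one permanent removal command per unexpected service.
remove_commands() {
    for svc in $(unexpected_services "$1" "$2"); do
        printf '/bin/firewall-cmd --remove-service=%s --permanent\n' "$svc"
    done
}

# With "--apply" on a host that has firewall-cmd, run the removals against the
# live service list and reload so the permanent changes take effect.
# Otherwise only print what would be removed for the constructed sample.
if [ "${1:-}" = "--apply" ] && command -v firewall-cmd >/dev/null 2>&1; then
    remove_commands "$(firewall-cmd --list-service)" "$ALLOWED_SERVICES" | sh
    firewall-cmd --reload
else
    remove_commands "$SAMPLE_LISTED" "$ALLOWED_SERVICES"
fi
```

Running the script without arguments prints the two removal commands for the sample list (cockpit and samba); review them, then re-run with “--apply” on the server itself.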
6.4.2.2. Example: Windows Server 2012 R2 Settings
1. The firewall is enabled in the Windows default settings.
Verify the settings by opening “Server Manager” and then “Local Server”. Click the Windows Firewall link to open the Windows Firewall settings screen.
2. After the Windows Firewall screen has opened, click “Advanced Settings” as shown below:
3. On the “Windows Firewall with Advanced Security” screen, click “Inbound Rules” as shown below:
4. After the “Inbound Rules” screen opens, click “New Rule”.
5. Add a new inbound rule as shown below:
We recommend restricting the allowed ports and the scope of remote IP addresses as much as possible. For more information, please refer to the Microsoft website: https://technet.microsoft.com/en/library/cc753558.aspx