
  • Use security-groups to limit access to your services:
    • Administrative interfaces (SSH, Remote-Desktop, VNC etc.) should ONLY be allowed from known networks.
      • NTNU uses many address-ranges but allowing access from 129.241.0.0/16 and 10.0.0.0/8 should cover the majority. 
      • Check the addresses used at your systems if they are not covered by these ranges.
    • Access to services should only be given globally to the specific ports needed.
      • For web-applications this typically means TCP port 80 (HTTP) and 443 (HTTPS).
    • You should not give global access to services intended for internal use in your applications, like databases, message-queues, cache-layers etc.
  • Keep your services updated
    • It is particularly important to keep services available to the global internet updated, to avoid having known security bugs that can be exploited.
    • We recommend enabling automatic updates to automatically keep things somewhat up to date.
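
The security-group guidance above can be checked mechanically. The following is an added example, not part of the original page or of any NTNU tooling: it audits ingress rules against the trusted ranges and public ports listed above. The rule field names follow the Neutron security-group-rule API; the default admin ports, the helper names and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions of this example: the two NTNU ranges named above are the only
# "known networks"; admin ports are the protocol defaults; 80/443 are public.
TRUSTED = [ipaddress.ip_network(n) for n in ("129.241.0.0/16", "10.0.0.0/8")]
ADMIN_PORTS = {22: "SSH", 3389: "Remote Desktop", 5900: "VNC"}
PUBLIC_PORTS = {80, 443}

def is_trusted(prefix):
    """True if the source prefix lies entirely inside a trusted range."""
    if not prefix:  # no remote_ip_prefix on a rule means "any source"
        return False
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)

def audit(rules):
    """Return (rule id, finding) for ingress rules that break the guidance."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or r.get("remote_group_id"):
            continue  # egress and group-to-group rules are not checked here
        if r.get("protocol") not in (None, "tcp", "udp"):
            continue  # e.g. ICMP, where the port fields carry type/code
        if is_trusted(r.get("remote_ip_prefix")):
            continue
        lo = r.get("port_range_min") or 1  # unset range means all ports
        hi = r.get("port_range_max") or 65535
        admin = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
        if admin:
            findings.append((r["id"], "admin interface reachable from outside "
                             "the trusted ranges: " + ", ".join(admin)))
        elif not (lo == hi and lo in PUBLIC_PORTS and r.get("protocol") == "tcp"):
            findings.append((r["id"], f"ports {lo}-{hi} reachable from outside "
                             "the trusted ranges; confirm this is intended"))
    return findings

# Constructed sample rules (not taken from any real project).
def rule(rid, direction, proto, lo, hi, prefix):
    return {"id": rid, "direction": direction, "protocol": proto,
            "port_range_min": lo, "port_range_max": hi, "remote_ip_prefix": prefix}

SAMPLE_RULES = [
    rule("r1", "ingress", "tcp", 22, 22, "129.241.10.0/24"),  # SSH from NTNU
    rule("r2", "ingress", "tcp", 22, 22, "0.0.0.0/0"),        # SSH from anywhere
    rule("r3", "ingress", "tcp", 443, 443, "0.0.0.0/0"),      # public HTTPS
    rule("r4", "ingress", "tcp", 5432, 5432, "0.0.0.0/0"),    # database, global
    rule("r5", "ingress", None, None, None, None),            # everything open
    rule("r6", "egress", None, None, None, None),
]
# audit(SAMPLE_RULES) flags r2, r4 and r5
```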

Practical implementation

When you have access to more than one external network in OpenStack, you should be aware of a couple of limitations:

...