Security

2026-02-16T17:25:25Z

Jl: Add Security Checklist

{{InANutshell|
<li>By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ''ping''); all other incoming traffic is blocked for security.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>If you suspect a security incident, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}

__TOC__

= Access Control & Firewall Rules =

== What network access is allowed by default in bwCloud-OS instances? ==


By default, '''bwCloud-OS instances''' are accessible via:

* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>

This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

== How do I open additional ports for my instance? ==


A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''. All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.

----

=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.

'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# In the dialog that appears, choose one of the following:
#* '''HTTPS''' from the '''Rule''' dropdown (automatically fills port 443), or
#* '''Custom TCP Rule''', then manually enter '''443''' in the '''Port''' field.
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>''' from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Egress</code> = outgoing connections
# Click '''Add'''. The rule will be created and added to the list immediately.

----

=== Example: Opening a Port only for Access from Certain IP Ranges ===
'''➡️''' [[Guide: Security Group|Security Groups Guide]]

== Are some ports blocked in bwCloud-OS? ==


Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].

= Security Checklist =

The following checklist helps you harden your bwCloud-OS instance after creation.

== 1) Secure SSH access ==
* Read and apply the recommendations in the [[Guide:_SSH|SSH guide]].

== 2) Keep the system updated ==
Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:
* '''Manual updates (one-time / on demand):''' You run updates yourself (e.g., after login, on a regular schedule).
* '''Automatic updates:''' The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via <code>unattended-upgrades</code>.

=== Example (Ubuntu/Debian) ===
<pre>
# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
</pre>

== 3) Allow only the minimal required ports in bwCloud-OS Security Groups ==
Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

* Check your instance's security groups in the [https://portal.bw-cloud.org/ Dashboard] and allow only the minimal required inbound rules.
* Restrict access by IP range (CIDR) wherever possible (avoid <code>0.0.0.0/0</code> unless truly required).
* For step-by-step instructions and examples, see: [[Security#Security-Rules|How do I open additional ports for my instance?]]
* Note: some ports may be centrally filtered in certain regions; see [[Blocked_and_Allowed_Ports|Blocked and Allowed Ports]].

== 4) Optional host firewall (e.g., UFW on Ubuntu) ==
Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

=== Example (Ubuntu with UFW) ===
<pre>
sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose
</pre>

''Important:'' If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

== 5) Document your configuration ==
To operate and troubleshoot securely, keep a record of your instance configuration:

* Which security groups/rules are attached (ports, protocols, CIDRs)?
* Host firewall rules (if used), SSH hardening settings, update strategy.
* Installed services and exposed endpoints.
* Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

== 6) Plan and test a backup strategy ==
Backups are part of security (availability and recovery).

* Define what needs to be recoverable (system, application data, databases, configuration).
* Decide on backup frequency and retention (e.g., daily incremental + weekly full).
* Store backups separately from the instance (avoid a single point of failure).
* Regularly test restores (a backup that was never restored is an assumption, not a plan).

== 7) Snapshots and images ==
Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

* Learn more: [[Guide:_Volumes_and_Images|Guide: Volumes and Images]]
* Recommended practice:
** Take a snapshot before major changes (OS upgrades, large configuration changes).
** Remove outdated snapshots according to your retention plan.

= SSL Certificates & Secure Services =

== Can I get SSL/TLS certificates via bwCloud-OS? ==


No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.

This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].

=Security Incidents =

== What should I do if I suspect my VM has been compromised? ==


If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps '''immediately''':

# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#* Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==


The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

bwCloud-OS - User contributions [en]

Security