Security: Difference between revisions

From bwCloud-OS
Latest revision as of 18:15, 10 November 2025

In a Nutshell
  • By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ping); all other incoming traffic is blocked for security.
  • To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the Dashboard — changes take effect immediately.
  • Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this overview for region-specific details.
  • If you suspect a security incident, stop the affected VMs and submit a support ticket immediately.


Access Control & Firewall Rules

What network access is allowed by default in bwCloud-OS instances?

By default, bwCloud-OS instances are accessible via:

  • SSH (port 22) – for remote login and configuration
  • ICMP – to allow basic network diagnostics like ping and traceroute

This initial access is explicitly permitted by the automatically assigned security group (named default) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

How do I open additional ports for my instance?

A newly created virtual machine in bwCloud-OS is only accessible from the outside via SSH (port 22) and ICMP. All other inbound traffic is blocked by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to add a rule to the relevant security group. Changes to security group rules apply immediately to all instances using that group — there's no need to reboot the instance.


Example: Opening Port 443 for HTTPS Access

If you're running a web server that should be accessible via HTTPS, you typically need to open port 443 in a security group assigned to your instance.

Steps in the Dashboard:

  1. In the left menu, go to Network → Security Groups. A list of all defined security groups will appear.
    • Recommended: Consider creating a dedicated security group (e.g. named https-access), and assign it to your instance using Edit Security Groups in the instance menu before the next step.
  2. Find the relevant group and click Manage Rules. You’ll see all currently defined rules for that group.
  3. Click Add Rule to create a new one.
  4. In the dialog that appears, choose one of the following:
    • HTTPS from the Rule dropdown (automatically fills port 443), or
    • Custom TCP Rule, then manually enter 443 in the Port field.
  5. In the CIDR field, specify which IP addresses should be allowed to connect:
    • Use a specific IP range (e.g. 192.168.0.0/24) to limit access
    • ⚠️ Using 0.0.0.0/0 allows access from any IPv4 address, and ::/0 from any IPv6 address.
  6. Set the Direction of the rule:
    • Ingress = incoming connections (usually what you want)
    • Egress = outgoing connections
  7. Click Add. The rule will be created and added to the list immediately.
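As an added example (not part of the bwCloud-OS wiki or the OpenStack project) covering both the default-access section above and the CIDR caveat in step 5: a small audit that reads security-group rules in the shape of `openstack security group rule list <group> -f json` (field names assumed) and flags ingress rules open to the whole internet beyond the SSH and ICMP that the `default` group already permits. The sample rules are constructed.

```python
"""Audit OpenStack security-group rules for over-broad ingress.

Added example, not code from the bwCloud-OS wiki or OpenStack. It assumes
rules shaped like the JSON output of `openstack security group rule list`
(field names assumed); the sample below is constructed for illustration.
"""
import ipaddress
import json

# Constructed sample: the bwCloud-OS "default" group (SSH + ICMP), an HTTPS
# rule opened to every IPv4 address, and an HTTPS rule limited to one /24.
SAMPLE_RULES_JSON = json.dumps([
    {"ID": "r1", "IP Protocol": "tcp", "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "22:22", "Direction": "ingress"},
    {"ID": "r2", "IP Protocol": "icmp", "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "ingress"},
    {"ID": "r3", "IP Protocol": "tcp", "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "443:443", "Direction": "ingress"},
    {"ID": "r4", "IP Protocol": "tcp", "Ethertype": "IPv4",
     "IP Range": "192.168.0.0/24", "Port Range": "443:443", "Direction": "ingress"},
    {"ID": "r5", "IP Protocol": None, "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "egress"},
])

# Ingress that the page's default group already opens to the world:
# SSH for login and ICMP for ping/traceroute.
ALLOWED_WORLD_OPEN = {("tcp", "22:22"), ("icmp", "")}


def is_world_open(ip_range):
    """True if the CIDR is 0.0.0.0/0 or ::/0, i.e. covers every address."""
    net = ipaddress.ip_network(ip_range or "0.0.0.0/0", strict=False)
    return net.prefixlen == 0


def audit_rules(rules_json):
    """Return IDs of ingress rules that are world-open beyond SSH/ICMP."""
    findings = []
    for rule in json.loads(rules_json):
        if rule["Direction"] != "ingress":
            continue  # egress is outgoing traffic; the concern here is inbound
        key = (rule["IP Protocol"], rule["Port Range"] or "")
        if is_world_open(rule["IP Range"]) and key not in ALLOWED_WORLD_OPEN:
            findings.append(rule["ID"])
    return findings


if __name__ == "__main__":
    print("world-open ingress rules to review:", audit_rules(SAMPLE_RULES_JSON))
```

Rules it reports (here only the HTTPS rule with `0.0.0.0/0`) are candidates for a narrower CIDR, as step 5 recommends.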

Are some ports blocked in bwCloud-OS?

Yes. Some ports are centrally blocked in certain bwCloud-OS regions due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page Blocked and Allowed Ports.

SSL Certificates & Secure Services

Can I get SSL/TLS certificates via bwCloud-OS?

No, bwCloud-OS does not provide SSL/TLS certificates. However, you can obtain certificates directly from public providers like Let’s Encrypt using tools such as Certbot, which you can install and run on your instance.

This allows you, for example, to enable HTTPS for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using security group rules.

Security Incidents

What should I do if I suspect my VM has been compromised?

If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps immediately:

  1. Log in to the Dashboard.
  2. Stop the affected instance(s). Do not delete them! This preserves data for further analysis.
  3. Submit a support ticket via the bwSupportPortal with the following details:
    • Which instance(s) are potentially affected?
    • How is the suspicious behavior observed? (e.g. logs, performance, alerts)
    • What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.
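As an added example (not part of the bwCloud-OS wiki) of gathering the "how is the suspicious behaviour observed" detail for the ticket: a check that lists successful sshd logins from addresses outside the networks you allowed in your security group, one way to substantiate the "unknown logins" indicator mentioned above. The log lines and the expected-source list are constructed.

```python
"""List accepted sshd logins whose source is outside the expected networks.

Added example, not code from the bwCloud-OS wiki. The log lines below are
constructed in the syslog-style format sshd uses; on a real instance the
same lines come from the system journal or the auth log.
"""
import ipaddress
import re

# Constructed sample: two logins from the allowed /24 and one from elsewhere.
SAMPLE_AUTH_LOG = """\
Nov 10 17:58:01 vm1 sshd[1201]: Accepted publickey for ubuntu from 192.168.0.10 port 51022 ssh2: ED25519 SHA256:AAAA
Nov 10 18:02:14 vm1 sshd[1250]: Failed password for root from 203.0.113.7 port 40012 ssh2
Nov 10 18:03:33 vm1 sshd[1262]: Accepted password for ubuntu from 203.0.113.7 port 40018 ssh2
Nov 10 18:05:45 vm1 sshd[1299]: Accepted publickey for deploy from 192.168.0.77 port 51100 ssh2: RSA SHA256:BBBB
"""

# The CIDRs you entered in the security-group rule for port 22 (constructed).
EXPECTED_SOURCES = [ipaddress.ip_network("192.168.0.0/24")]

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def unexpected_logins(log_text, expected=EXPECTED_SOURCES):
    """Return (user, source_ip, auth_method) for accepted logins from
    outside the expected networks; failed attempts are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue  # only successful logins matter for this question
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in expected):
            findings.append((m["user"], m["ip"], m["method"]))
    return findings


if __name__ == "__main__":
    for user, ip, method in unexpected_logins(SAMPLE_AUTH_LOG):
        print(f"unexpected login: {user} from {ip} via {method}")
```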

Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)?

The contents and configuration of user instances are not inspected — we do not perform penetration tests or port scans on the instances. We also never look inside user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.