Security: Difference between revisions

From bwCloud-OS
Jump to navigation Jump to search
← Older edit
VisualWikitext
No edit summary
 
(31 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<span id="In-a-Nutshell"></span>
{{InANutshell|
{{InANutshell|
<li>By default, VMs in bwCloud-OS are only accessible via <strong>SSH (port 22)</strong>; all other ports are initially '''closed''' for security reasons.</li>
<li>By default, bwCloud-OS VMs are only accessible via <strong>SSH (port 22)</strong> and  <strong>ICMP</strong> (e.g., ''ping'');  all other incoming traffic is blocked for security.</li>
<li>Additional ports (e.g. HTTPS/443) can be opened  via <strong>Security Groups</strong> in the Dashboard — changes take effect immediately without a reboot.</li>
<li>To allow access on additional ports (e.g. HTTPS/443), you can add rules via the <strong>Security Groups</strong> in the [https://portal.bw-cloud.org/ Dashboard] — changes take effect immediately.</li>
<li>Some ports are <strong>centrally filtered</strong> in certain regions and cannot be opened manually; details are listed in the [[Reference:_Network_–_blocked/allowed_ports.|port overview]].</li>
<li>Some ports are <strong>centrally filtered</strong> in specific bwCloud-OS regions and cannot be opened individually; refer to this [[Blocked_and_Allowed_Ports|overview]] for region-specific details.</li>
<li>'''SSL certificates''' are not provided by bwCloud-OS, but can be obtained via services like <strong>Let’s Encrypt</strong>.</li>
<li>If you suspect a <strong>security incident</strong>, stop the affected VMs and submit a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
<li>If you suspect a <strong>security incident</strong>, stop the affected VMs and open a [https://bw-support.scc.kit.edu/ support ticket] immediately.</li>
}}
}}


Line 10: Line 10:
__TOC__  
__TOC__  


=Ports=
= Access Control & Firewall Rules =


== What network access is allowed by default in bwCloud-OS instances? ==
== What network access is allowed by default in bwCloud-OS instances? ==
By default, a newly created virtual machine in '''bwCloud-OS''' is accessible from the outside via:
<span id="Security-Default"></span>
 
By default, '''bwCloud-OS instances''' are accessible via:


* '''SSH (port 22)''' – for remote login and configuration
* '''SSH (port 22)''' – for remote login and configuration
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>
* '''ICMP''' – to allow basic network diagnostics like <code>ping</code> and <code>traceroute</code>


This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not a default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.
This initial access is explicitly permitted by the '''automatically assigned security group''' (named <code>default</code>) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.


== How do I open additional ports for my instance? ==
== How do I open additional ports for my instance? ==
By default, a newly created virtual machine in bwCloud-OS is initially only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''.  All other inbound traffic is '''blocked''' by default — meaning external traffic on those ports '''cannot reach''' the instance.
<span id="Security-Rules"></span>
 
A newly created virtual machine in bwCloud-OS is only accessible from the outside via '''SSH (port 22)''' and '''ICMP'''.  All other inbound traffic is '''blocked''' by default — meaning external traffic on other ports cannot reach the instance.


To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.
To allow access on other ports (e.g. for web servers or applications), you need to '''add a rule''' to the relevant '''security group'''. ''Changes to security group rules apply immediately to all instances using that group'' — there's no need to reboot the instance.
Line 28: Line 32:


=== Example: Opening Port 443 for HTTPS Access ===
=== Example: Opening Port 443 for HTTPS Access ===
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group attached to your instance.
If you're running a web server that should be accessible via '''HTTPS''', you typically need to open '''port 443''' in a security group assigned to your instance.


'''Steps in the [https://dashboard.bw-cloud.org/ Dashboard]:'''
'''Steps in the [https://portal.bw-cloud.org/ Dashboard]:'''
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.   
# In the left menu, go to '''Network → Security Groups'''. A list of all defined security groups will appear.   
#*'''Recommended:''' Consider '''creating a''' '''dedicated security group''' (e.g. named <code>https-access</code>), and '''assign the group to your instance''' using the option '''Edit Security Groups''' in the instance menu before the next step.
#* '''Recommended:''' Consider creating a dedicated security group (e.g. named <code>https-access</code>), and assign it to your instance using '''Edit Security Groups''' in the instance menu before the next step.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Find the relevant group and click '''Manage Rules'''. You’ll see all currently defined rules for that group.
# Click '''Add Rule''' to create a new one.
# Click '''Add Rule''' to create a new one.
Line 40: Line 44:
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
# In the '''CIDR''' field, specify which IP addresses should be allowed to connect:
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* Use a specific IP range (e.g. <code>192.168.0.0/24</code>) to '''limit access'''
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' would allow access from '''any IPv4 address''', '''<code>::/0</code>'''  from '''any IPv6 address'''.
#* ⚠️ Using '''<code>0.0.0.0/0</code>''' allows access from '''any IPv4 address''', and '''<code>::/0</code>'''  from '''any IPv6 address'''.
# Set the '''Direction''' of the rule:
# Set the '''Direction''' of the rule:
#* <code>Ingress</code> = incoming connections (usually what you want)
#* <code>Ingress</code> = incoming connections (usually what you want)
Line 47: Line 51:


== Are some ports blocked in bwCloud-OS? ==
== Are some ports blocked in bwCloud-OS? ==
Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. An individual opening of centrally blocked ports in a bwCloud-OS region for virtual machines is '''not possible'''.
<span id="Blocked-Ports"></span>


For more details — including which ports are affected in each region — see [[Reference: Network – blocked/allowed ports.|this overview]].
Yes. Some ports are '''centrally''' '''blocked''' in '''certain''' '''bwCloud-OS regions''' due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.  


= SSL Certificates =
For more details — including which ports are affected in each region — see the page [[Blocked and Allowed Ports]].


We do not offer certificates. However, your instance can obtain certificates from other institutions (e.g. Lets Encrypt) using the Cert Bot
= SSL Certificates & Secure Services =


##
== Can I get SSL/TLS certificates via bwCloud-OS? ==
# Your server should not be accessible from everywhere on the internet. The entry in the field "CIDR" restricts the access to a specific network segment. Enter there the IP addresses that should be allowed.
<span id="SSL-Certificates"></span>
#  In the "Direction" field you can define the direction:
## Ingress = Incoming connections
## Egress = Outgoing connections
# Click '''Add''', and the new rule is created. The page reloads, and the new rule appears in the list.
==Are some of the ports closed in bwCloud-OS? ==
Yes. In the different bwCloud-OS regions, different regulations apply for the use of the networks, due to the respective data centers of the universities. An individual opening of centrally blocked ports for virtual machines in the bwCloud regions is '''not possible'''.
Further information, also about the individual regions, is listed [[Reference:_Network_–_blocked/allowed_ports.|here]].


= SSL Certificates =
No, bwCloud-OS does '''not''' provide '''SSL/TLS certificates.''' However, you can obtain certificates directly from public providers like '''Let’s Encrypt''' using tools such as '''[https://certbot.eff.org/ Certbot]''', which you can install and run on your instance.


We do not offer certificates. However, your instance can obtain certificates from other institutions (e.g. Lets Encrypt) using the Cert Bot.
This allows you, for example, to enable '''HTTPS''' for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using [[Security#Security-Rules|security group rules]].


=Security Incidents =
=Security Incidents =


== What do I do if I fear I've been hacked? ==
== What should I do if I suspect my VM has been compromised? ==
<span id="Security-Incident"></span>
 
If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.
 
If you suspect that your VM has been compromised, please take the following steps '''immediately''':
 
# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard].'''
# '''Stop the affected instance(s).''' ''Do not delete them!'' This preserves data for further analysis.
# '''Submit a support ticket''' via the [https://bw-support.scc.kit.edu/ bwSupportPortal] with the following details:
#*      Which instance(s) are potentially affected?
#* How is the suspicious behavior observed? (e.g. logs, performance, alerts)
#* What actions have you already taken?


If your own VMs are behaving "strangely", it may be that they have been hacked. In this case, please follow these steps:
Our team will contact you as soon as possible to help investigate and resolve the issue.
# Log in to the OpenStack Dashboard
# Stop the affected instances - do not delete!
# Submit a ticket Important information:
* Which instances are possibly affected?
* How can the strange behaviour be described?
* Which measures have already been implemented?
* We will contact you as soon as possible to clarify the situation.


== Does the bwCloud-OS operations group check the running instances, for example, through so-called penetration tests? ==
== Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)? ==
<span id="Security-Scans"></span>


No, the running instances are not checked for open ports or other characteristics. However, the entire bwCloud operating environment is monitored - for example, network monitoring covers current upstream and downstream traffic. If the network traffic here changes abruptly, significantly and atypically beyond normal levels, this is checked at the node and OpenStack monitoring level.
The '''contents and configuration of user instances are not inspected''' — we do '''not''' perform penetration tests or port scans on the instances. We also '''never look inside''' user virtual machines.


However, we do not look inside the virtual machines!
However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation —  including direct contact with the affected user.

Latest revision as of 18:15, 10 November 2025

In a Nutshell
  • By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ping); all other incoming traffic is blocked for security.
  • To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the Dashboard — changes take effect immediately.
  • Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this overview for region-specific details.
  • If you suspect a security incident, stop the affected VMs and submit a support ticket immediately.


Access Control & Firewall Rules

What network access is allowed by default in bwCloud-OS instances?

By default, bwCloud-OS instances are accessible via:

  • SSH (port 22) – for remote login and configuration
  • ICMP – to allow basic network diagnostics like ping and traceroute

This initial access is explicitly permitted by the automatically assigned security group (named default) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

How do I open additional ports for my instance?

A newly created virtual machine in bwCloud-OS is only accessible from the outside via SSH (port 22) and ICMP. All other inbound traffic is blocked by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to add a rule to the relevant security group. Changes to security group rules apply immediately to all instances using that group — there's no need to reboot the instance.

Example: Opening Port 443 for HTTPS Access

If you're running a web server that should be accessible via HTTPS, you typically need to open port 443 in a security group assigned to your instance.

Steps in the Dashboard:

  1. In the left menu, go to Network → Security Groups. A list of all defined security groups will appear.
    • Recommended: Consider creating a dedicated security group (e.g. named https-access), and assign it to your instance using Edit Security Groups in the instance menu before the next step.
  2. Find the relevant group and click Manage Rules. You’ll see all currently defined rules for that group.
  3. Click Add Rule to create a new one.
  4. In the dialog that appears, choose one of the following:
    • HTTPS from the Rule dropdown (automatically fills port 443), or
    • Custom TCP Rule, then manually enter 443 in the Port field.
  5. In the CIDR field, specify which IP addresses should be allowed to connect:
    • Use a specific IP range (e.g. 192.168.0.0/24) to limit access
    • ⚠️ Using 0.0.0.0/0 allows access from any IPv4 address, and ::/0 from any IPv6 address.
  6. Set the Direction of the rule:
    • Ingress = incoming connections (usually what you want)
    • Egress = outgoing connections
  7. Click Add. The rule will be created and added to the list immediately.

Are some ports blocked in bwCloud-OS?

Yes. Some ports are centrally blocked in certain bwCloud-OS regions due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page Blocked and Allowed Ports.

SSL Certificates & Secure Services

Can I get SSL/TLS certificates via bwCloud-OS?

No, bwCloud-OS does not provide SSL/TLS certificates. However, you can obtain certificates directly from public providers like Let’s Encrypt using tools such as Certbot, which you can install and run on your instance.

This allows you, for example, to enable HTTPS for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using security group rules.

Security Incidents

What should I do if I suspect my VM has been compromised?

If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps immediately:

  1. Log in to the Dashboard.
  2. Stop the affected instance(s). Do not delete them! This preserves data for further analysis.
  3. Submit a support ticket via the bwSupportPortal with the following details:
    • Which instance(s) are potentially affected?
    • How is the suspicious behavior observed? (e.g. logs, performance, alerts)
    • What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

Does the bwCloud-OS operations team inspect running instances (e.g. through penetration tests)?

The contents and configuration of user instances are not inspected — we do not perform penetration tests or port scans on the instances. We also never look inside user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.

Retrieved from "https://wiki.bwcloud-os.de/index.php?title=Security&oldid=1519"