In a Nutshell

By default, bwCloud-OS VMs are only accessible via SSH (port 22) and ICMP (e.g., ping); all other incoming traffic is blocked for security. To allow access on additional ports (e.g. HTTPS/443), you can add rules via the Security Groups in the Dashboard — changes take effect immediately. Some ports are centrally filtered in specific bwCloud-OS regions and cannot be opened individually; refer to this overview for region-specific details. If you suspect a security incident, stop the affected VMs and submit a support ticket immediately.

By default, bwCloud-OS instances are accessible via:

• SSH (port 22) – for remote login and configuration
• ICMP – to allow basic network diagnostics like ping and traceroute

This initial access is explicitly permitted by the automatically assigned security group (named default) in our configuration. This is not the default behavior in OpenStack — it is provided by bwCloud-OS to simplify first-time access for users.

A newly created virtual machine in bwCloud-OS is only accessible from the outside via SSH (port 22) and ICMP. All other inbound traffic is blocked by default — meaning external traffic on other ports cannot reach the instance.

To allow access on other ports (e.g. for web servers or applications), you need to add a rule to the relevant security group. Changes to security group rules apply immediately to all instances using that group — there's no need to reboot the instance.

---

If you're running a web server that should be accessible via HTTPS, you typically need to open port 443 in a security group assigned to your instance.

Steps in the Dashboard:

1. In the left menu, go to Network → Security Groups. A list of all defined security groups will appear.
   • Recommended: Consider creating a dedicated security group (e.g. named https-access), and assign it to your instance using Edit Security Groups in the instance menu before the next step.
2. Find the relevant group and click Manage Rules. You’ll see all currently defined rules for that group.
3. Click Add Rule to create a new one.
4. In the dialog that appears, choose one of the following:
   • HTTPS from the Rule dropdown (automatically fills port 443), or
   • Custom TCP Rule, then manually enter 443 in the Port field.
5. In the CIDR field, specify which IP addresses should be allowed to connect:
   • Use a specific IP range (e.g. 192.168.0.0/24) to limit access
   • ⚠️ Using 0.0.0.0/0 allows access from any IPv4 address, and ::/0 from any IPv6 address.
6. Set the Direction of the rule:
   • Ingress = incoming connections (usually what you want)
   • Egress = outgoing connections
7. Click Add. The rule will be created and added to the list immediately.

---

➡️ Security Groups Guide

Yes. Some ports are centrally blocked in certain bwCloud-OS regions due to specific network policies at the participating university data centers. Centrally blocked ports cannot be opened individually.

For more details — including which ports are affected in each region — see the page Blocked and Allowed Ports.

The following checklist helps you harden your bwCloud-OS instance after creation.

• Read and apply the recommendations in the SSH guide.

Keeping your instance up to date is one of the most effective security measures: security updates fix known vulnerabilities that may otherwise be exploitable.

There are two common approaches:

• Manual updates (one-time / on demand): You run updates yourself (e.g., after login, on a regular schedule).
• Automatic updates: The system installs security updates automatically in the background. On Ubuntu/Debian this is commonly done via unattended-upgrades.

# Manual updates (one-time)
sudo apt update
sudo apt -y upgrade

# Automatic security updates (background)
sudo apt -y install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Only open the ports you actually need. This reduces the attack surface and limits who can reach services on your VM.

• Check your instance's security groups in the Dashboard and allow only the minimal required inbound rules.
• Restrict access by IP range (CIDR) wherever possible (avoid 0.0.0.0/0 unless truly required).
• For step-by-step instructions and examples, see: How do I open additional ports for my instance?
• Note: some ports may be centrally filtered in certain regions; see Blocked and Allowed Ports.

Security groups are the primary inbound filter in bwCloud-OS. A host firewall can provide an additional layer (defense-in-depth), e.g., to enforce local policies on the VM.

sudo apt -y install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (ideally restrict in the bwCloud-OS security group as well)
sudo ufw allow 22/tcp

# Example: allow HTTPS if you opened 443 in the security group
sudo ufw allow 443/tcp

sudo ufw enable
sudo ufw status verbose

Important: If you block SSH on the host firewall while only having SSH access, you may lock yourself out. Always ensure SSH remains permitted (and test from your client).

To operate and troubleshoot securely, keep a record of your instance configuration:

• Which security groups/rules are attached (ports, protocols, CIDRs)?
• Host firewall rules (if used), SSH hardening settings, update strategy.
• Installed services and exposed endpoints.
• Where secrets are stored/managed (avoid putting secrets in shell history or plain text files).

Backups are part of security (availability and recovery).

• Define what needs to be recoverable (system, application data, databases, configuration).
• Decide on backup frequency and retention (e.g., daily incremental + weekly full).
• Store backups separately from the instance (avoid a single point of failure).
• Regularly test restores (a backup that was never restored is an assumption, not a plan).

Snapshots capture the state of a VM or volume at a point in time (e.g., before risky changes). They can help with rollback, but they do not automatically replace a backup strategy.

• Learn more: Guide: Volumes and Images
• Recommended practice:
  • Take a snapshot before major changes (OS upgrades, large configuration changes).
  • Remove outdated snapshots according to your retention plan.

No, bwCloud-OS does not provide SSL/TLS certificates. However, you can obtain certificates directly from public providers like Let’s Encrypt using tools such as Certbot, which you can install and run on your instance.

This allows you, for example, to enable HTTPS for services running on your VM. Don't forget to open the necessary ports (e.g., 443) using security group rules.

If your virtual machine is behaving unexpectedly (e.g., high CPU/network load, unknown logins, suspicious processes), it could indicate a possible compromise.

If you suspect that your VM has been compromised, please take the following steps immediately:

1. Log in to the Dashboard.
2. Stop the affected instance(s). Do not delete them! This preserves data for further analysis.
3. Submit a support ticket via the bwSupportPortal with the following details:
   • Which instance(s) are potentially affected?
   • How is the suspicious behavior observed? (e.g. logs, performance, alerts)
   • What actions have you already taken?

Our team will contact you as soon as possible to help investigate and resolve the issue.

The contents and configuration of user instances are not inspected — we do not perform penetration tests or port scans on the instances. We also never look inside user virtual machines.

However, the overall bwCloud-OS operating environment is actively monitored. For example, network monitoring tracks current inbound and outbound traffic levels. If certain parameters deviate significantly from typical patterns, this may trigger further investigation — including direct contact with the affected user.