Tutorial

Security Checkpoint

Security Checkpoint

Introduction

This checkpoint is intended to help you assess what you learned from our introductory articles on security, where we introduced recommended security practices and commonly used security tools. You can use this checkpoint to assess your knowledge of these topics, review key terms and commands, and find resources for continued learning.

To run a cloud application efficiently, you should implement industry recommended security practices when configuring your server. Securing your server is critical for protecting your users and personal information. You can set up effective security measures for both the cloud server itself and your web applications.

This checkpoint will focus on securing your server. You’ll find two sections that synthesize the central ideas from the introductory articles: a brief overview of key security terminology and practices, followed by a section on using the command line with subsections related to specific security tools. Each of these sections has interactive components to help you test your knowledge. At the end of this checkpoint, you will find opportunities for continued learning about containers.

Resources

What Is Security?

When you secure your cloud server, you are able to manage vulnerabilities in your infrastructure and protect against potential harm and malicious attackers.

It’s important to have familiarity with several key terms to understand security practices for cloud computing.

Terms To Know

Define each of the following terms, then use the dropdown feature to check your work.

Encryption

Encryption refers to the process of encoding information through an algorithmic transformation, which can then be used for safe transmission or storage.

You can use symmetrical or asymmetrical encryption to achieve your goals, depending on your needs.

SSH

SSH refers to the Secure Shell protocol, which enables you to administer your remote servers safely through cryptographically secure connections.

For more on how SSH works, you can review Understanding the SSH Encryption and Connection Process.

Firewall

A firewall controls connections for your server in two main ways: detailing what kind of traffic can be routed to and from the servers; and defining what servers are exposed to the network.

When working on your server, you should know whether you are using its IPv4 (32-bit numeric) or IPv6 (128-bit alphanumeric) IP address. Both IPv4 and IPv6 can be used, though we recommend moving to IPv6.

Once your server is set up, it will participate in public key infrastructure (PKI) for certificate management, identification, and communication encryption. TLS/SSL encryption is often used to provide that extra level of security, mostly commonly by providing a certificate from a legitimate certificate authority (CA) to update from an HTTP to an HTTPS server.

Check Yourself

Use the dropdown feature to get the answers.

What is a TLS handshake?

TLS, which refers to Transport Layer Security, is an encryption protocol for web traffic. In a TLS handshake, a client and a server exchange messages, verify that the message is from the authentic source, and determine an encryption method (a cipher suite) that will manage communications for the secure transfer of information.

How does a TLS handshake differ from shared key encryption?

The TLS protocol uses a public and private key encryption method known as asymmetric encryption. In this process, there is a key pair.

With shared key encryption, there is an identical key cipher that both the sender and the recipient will use to decrypt messages. This process is known as symmetric encryption and uses a single key.

You can use Let’s Encrypt as a certificate authority to obtain free TLS/SSL certificates. You can also generate self-signed certificates. However, a self-signed certificate will not validate your server for users, so you might try installing an SSL certificate from a commercial certificate authority.

In the following sections, you’ll review the core tenets for connecting to your server via SSH, running VPNs, using firewalls, and monitoring your network security.

Connecting with SSH

In the SSH Essentials article from our introductory series on cloud servers, you generated an SSH key pair. That key pair uses an asymmetric encryption method that generates both a private key and a public key. You used that key pair to access your server as a non-root user in the Initial Server Setup.

Check Yourself

Use the dropdown feature to get the answers.

Where are SSH keys typically stored?

In the ~/.ssh/authorized_keys folder.

What ports do SSH, HTTP, and HTTPS typically run on?

SSH typically runs on port 22.

HTTP/HTTPS typically run on ports 80 and 443, respectively.

How can you change default port access?

To update SSH port access, modify the Port 22 specification in your server’s sshd_config file to reference an unused port of your choosing, then restart your SSH daemon.

When you have changed the SSH port, you must specify the new port every time you want to log in to your remote server.

For additional protection, you can harden OpenSSH and the OpenSSH client on your server. By hardening OpenSSH on both the server-side and client-side, you will improve the security around remote access to your server.

To use SSH, you need to configure SSH access with your firewall.

Using Firewalls

Firewalls control traffic in and out of your server, which can be configured according to your needs. When you choose an effective firewall policy, you have to consider what kind of policies you want for your server(s) and how different firewall programs will respond to requests.

Some commonly used firewall programs include the Uncomplicated Firewall (UFW) and firewalld, which both act as high-level interfaces to iptables or nftables. If you’re using an Ubuntu or Debian distro, you’ll likely use UFW as it comes pre-built with the system. For CentOS or Rocky Linux, you’re more likely to use firewalld. To learn more about iptables, you can refer to our articles on How the Iptables Firewall Works and Iptables Essentials: Common Firewall Rules and Commands.

You can use both IPv4 and IPv6 when configuring your firewall, though you may need to update your firewall to manage IPv6 as well. UFW, for example, manages only IPv4 by default and needs to be configured manually to write rules for IPv6.

Running VPNs

A VPN provides an encrypted tunnel through which you can connect to the internet, which can be beneficial for both developers and consumers. For developers, VPNs enable you to access your own infrastructure from various locales so that you don’t need to leave a sensitive port open. As a consumer, a VPN enables you to access the internet securely even when you are connected to an untrusted network (such as WiFi at a coffeeshop or library).

Check Yourself

What is the difference between a VPC and a VPN?

VPC refers to a Virtual Private Cloud network, which is a private network interface for your resources. Resources in a VPC can only connect to each other via an internal network and cannot be accessed through the public internet unless ingress gateways are set. A VPC can scale to your needs, providing benefits in workload management and secure connections.

A VPN, or virtual private network, simulates a private network between remote computers over the internet as if they were on a local private network. VPNs provide a secure gateway to shared network information.

WireGuard and OpenVPN are two commonly deployed VPN solutions. In our introductory articles, you set up a WireGuard VPN and an OpenVPN server.

Once you have set up your network, whether with a VPN or not, you’ll want to manage your system long-term for secure and sustainable processes.

Managing Network Security

Configuring your server setup is one of many steps to ensuring secure practices. You can maintain your server by keeping it up to date, hardening the network, and monitoring your network security.

To keep an Ubuntu server up-to-date, you might want to update your systemd configuration file or schedule a cron job for automated rebooting. You can also set up your package manager to complete automatic updates with the unattended-upgrades service that you can manage with systemctl. If you prefer running a Rocky Linux server, you can refer to our guide on How To Keep Rocky Linux 9 Servers Updated.

Sometimes you may need to run updates at the kernel level in order to patch system-wide bugs and vulnerabilities. While you can run the unattended-upgrades tool for apt, it may result in some downtime for your system. If you need to ensure consistent uptime, you might use a load balancer to redirect traffic while different servers run the kernel updates. You can also use a live patching service, like the Canonical Livepatch Service or Kernelcare, to run in the background.

You can also scan and monitor network traffic, looking for vulnerabilities or suspicious packets. You installed Suricata as a network monitoring system, defining rulesets for the service to manage on your behalf.

Connecting to and managing your server is often done via the command line, which you used across these articles on security.

Using the Command Line

You began to use the Linux command line with our introductory articles on cloud servers, configured a web server with the articles on web server solutions, managed your database with articles on databases, and configured a container solution with the articles on containers.

In the introduction to security practices, you have continued to develop familiarity with the command line through commands such as:

  • add-apt-repository as your sudo-enabled user to add software repository information to your server.
  • cat to output a file’s content to the terminal.
  • chmod to change file permissions.
  • cp to copy files on one server and scp to copy files between servers.
  • cut to remove a section of a file, using the -c option to cut the specified string).
  • date to output a timestamp, using the +%s%N options to output seconds (%s) and minutes (%N).
  • grep to search text and strings in a specified file.
  • jq to read and filter entries as specified by the command syntax.
  • kill as your sudo-enabled user to specify a signal by which a service should be stopped.
  • ln with the -s option to create a symlink between files.
  • printf to display a given string.
  • sha1sum to print and check a checksum.
  • ss to list all TCP/UDP ports in use, paired with the -plunt options for additional information.
  • sysctl as your sudo-user to configure kernel parameters and load new values for your terminal session.
  • systemctl to manage services, including OpenVPN as a systemd service and Suricata as a networking monitoring package.
  • resolvectl dns to identify the DNS resolvers used by your server.
  • tail to output lines from a file specified with the -f option.
  • tee as your sudo-user to redirect an output into a new file.

You used the ip command and associated subcommands to configure your network interfaces:

  • ip addr to look up your network interfaces. You then used the output with the ufw allow command to enable incoming traffic via the selected network interface.
  • ip address show to find the public IP address for the system.
  • ip route to find the public network interface.

If you opted to run a live patching service for kernel-level updates to your Ubuntu server, you ran subcommands for the canonical-livepatch service as your sudo-enabled user:

  • canonical-livepatch enable your-key to enable the tool.
  • canonical-livepatch status to check the status of the background service.

You also used the pipe operator (|) to chain together multiple commands.

Running UFW from the Command Line

In our Initial Server Setup, you set up a basic firewall with the Uncomplicated Firewall. You then used sudo access to modify your firewall with various subcommands in How To Set Up a Firewall with UFW on Ubuntu 22.04:

  • ufw default deny incoming to deny all incoming connections (this is the default state).
  • ufw default allow outgoing to allow all outgoing connections (this is the default state).
  • ufw allow ssh to allow incoming SSH connections on port 22, such as when you wish to manage a remote server.
  • ufw allow port_number to specify a port for incoming connections.
  • ufw enable to make the firewall active.
  • ufw status to check the status of your firewall and ufw status verbose to see all the rules that are set.
  • ufw allow http or ufw allow 80 to allow incoming connections from unencrypted web servers over HTTP.
  • ufw allow https or ufw allow 443 to allow incoming connections from unencrypted web servers over HTTPs.
  • ufw allow port_number:port_number/tcp and ufw allow port_number:port_number/udp to allow a range of ports, specifying the TCP/UDP protocols.
  • ufw allow from your_ip_address to allow connects from a specific IP address. You can add to any port port_number to direct the IP address to a specific port.
  • subnets
  • ufw deny http to deny HTTP connections and ufw deny from your_ip_address to deny all connections from a specific IP address.
  • ufw status numbered to generate a numbered list of firewall rules.
  • ufw delete to delete rules, using a list number or using the allow rule (such as ufw delete allow http).
  • ufw disable to deactivate all rules you have created.
  • ufw reset to disable UFW and delete any rules you created.

You can continue to work on your UFW setup with our article on UFW Essentials: Common Firewall Rules and Commands.

Running VPNs from the Command Line

In addition to configuring your firewalls, you also managed WireGuard and OpenVPN, two different VPN tools.

When setting up your WireGuard VPN, you ran the following WireGuard commands across both the WireGuard server and its Peer server:

  • wg to manage your WireGuard server.
  • wg genkey and wg pubkey to create a private and public key pair for a WireGuard server.
  • wg set with an allowed-ips settings and a list of specific IP addresses to manage access to your WireGuard VPN.
  • wg-quick establish your VPN connection manually with the up argument to start the tunnel and the down argument to disconnect from the VPN.

When setting up your OpenVPN server, you ran a series of modified scripts across your OpenVPN server and the CA server that validates certificates, setting configuration directives like the tls-crypt directive, to improve cryptographic communications.

Through these articles and best practices, you now know the basics to protect your cloud server.

What’s Next?

In these articles introducing security practices for cloud servers, you have learned about best practices and commonly used tools for building robust security measures in your cloud servers. To ensure that your infrastructure begins with a secure base configuration, you can continue to follow industry best practices for encryption, private networking, security monitoring, and service auditing.

To continue building your server security, try these tutorials next:

You can transfer files across your system with these tutorials:

If you’d like to implement security practices for your DigitalOcean Kubernetes cluster, try these tutorials next:

If you haven’t already, you can also install an SSL certificate from a commercial certificate authority for a domain associated with your server.

With your newfound knowledge of security, you are ready to continue your cloud journey. If you haven’t yet, check out our introductory articles on cloud servers, web servers, databases, and containers.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about us


Tutorial Series: Getting Started With Cloud Computing

This curriculum introduces open-source cloud computing to a general audience along with the skills necessary to deploy applications and websites securely to the cloud.

About the authors
Default avatar

Technical Editor

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
Leave a comment


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel