Security Checkpoint

Introduction

This checkpoint is intended to help you assess what you learned from our introductory articles on security, where we introduced recommended security practices and commonly used security tools. You can use this checkpoint to assess your knowledge of these topics, review key terms and commands, and find resources for continued learning.

To run a cloud application efficiently, you should implement industry recommended security practices when configuring your server. Securing your server is critical for protecting your users and personal information. You can set up effective security measures for both the cloud server itself and your web applications.

This checkpoint will focus on securing your server. You’ll find two sections that synthesize the central ideas from the introductory articles: a brief overview of key security terminology and practices, followed by a section on using the command line with subsections related to specific security tools. Each of these sections has interactive components to help you test your knowledge. At the end of this checkpoint, you will find opportunities for continued learning about containers.

Resources

• Recommended Security Measures to Protect Your Servers
• How To Set Up a Firewall with UFW on Ubuntu 22.04
• How To Set Up WireGuard on Ubuntu 22.04
• How To Set Up and Configure an OpenVPN Server on Ubuntu 22.04
• How to Keep Ubuntu 22.04 Servers Updated
• How To Install Suricata on Ubuntu 20.04

What Is Security?

When you secure your cloud server, you are able to manage vulnerabilities in your infrastructure and protect against potential harm and malicious attackers.

It’s important to have familiarity with several key terms to understand security practices for cloud computing.

When working on your server, you should know whether you are using its IPv4 (32-bit numeric) or IPv6 (128-bit alphanumeric) IP address. Both IPv4 and IPv6 can be used, though we recommend moving to IPv6.

Once your server is set up, it will participate in public key infrastructure (PKI) for certificate management, identification, and communication encryption. TLS/SSL encryption is often used to provide that extra level of security, mostly commonly by providing a certificate from a legitimate certificate authority (CA) to update from an HTTP to an HTTPS server.

You can use Let’s Encrypt as a certificate authority to obtain free TLS/SSL certificates. You can also generate self-signed certificates. However, a self-signed certificate will not validate your server for users, so you might try installing an SSL certificate from a commercial certificate authority.

In the following sections, you’ll review the core tenets for connecting to your server via SSH, running VPNs, using firewalls, and monitoring your network security.

Connecting with SSH

In the SSH Essentials article from our introductory series on cloud servers, you generated an SSH key pair. That key pair uses an asymmetric encryption method that generates both a private key and a public key. You used that key pair to access your server as a non-root user in the Initial Server Setup.

For additional protection, you can harden OpenSSH and the OpenSSH client on your server. By hardening OpenSSH on both the server-side and client-side, you will improve the security around remote access to your server.

To use SSH, you need to configure SSH access with your firewall.

Using Firewalls

Firewalls control traffic in and out of your server, which can be configured according to your needs. When you choose an effective firewall policy, you have to consider what kind of policies you want for your server(s) and how different firewall programs will respond to requests.

Some commonly used firewall programs include the Uncomplicated Firewall (UFW) and firewalld, which both act as high-level interfaces to iptables or nftables. If you’re using an Ubuntu or Debian distro, you’ll likely use UFW as it comes pre-built with the system. For CentOS or Rocky Linux, you’re more likely to use firewalld. To learn more about iptables, you can refer to our articles on How the Iptables Firewall Works and Iptables Essentials: Common Firewall Rules and Commands.

You can use both IPv4 and IPv6 when configuring your firewall, though you may need to update your firewall to manage IPv6 as well. UFW, for example, manages only IPv4 by default and needs to be configured manually to write rules for IPv6.

Running VPNs

A VPN provides an encrypted tunnel through which you can connect to the internet, which can be beneficial for both developers and consumers. For developers, VPNs enable you to access your own infrastructure from various locales so that you don’t need to leave a sensitive port open. As a consumer, a VPN enables you to access the internet securely even when you are connected to an untrusted network (such as WiFi at a coffeeshop or library).

WireGuard and OpenVPN are two commonly deployed VPN solutions. In our introductory articles, you set up a WireGuard VPN and an OpenVPN server.

Once you have set up your network, whether with a VPN or not, you’ll want to manage your system long-term for secure and sustainable processes.

Managing Network Security

Configuring your server setup is one of many steps to ensuring secure practices. You can maintain your server by keeping it up to date, hardening the network, and monitoring your network security.

To keep an Ubuntu server up-to-date, you might want to update your systemd configuration file or schedule a cron job for automated rebooting. You can also set up your package manager to complete automatic updates with the unattended-upgrades service that you can manage with systemctl. If you prefer running a Rocky Linux server, you can refer to our guide on How To Keep Rocky Linux 9 Servers Updated.

Sometimes you may need to run updates at the kernel level in order to patch system-wide bugs and vulnerabilities. While you can run the unattended-upgrades tool for apt, it may result in some downtime for your system. If you need to ensure consistent uptime, you might use a load balancer to redirect traffic while different servers run the kernel updates. You can also use a live patching service, like the Canonical Livepatch Service or Kernelcare, to run in the background.

You can also scan and monitor network traffic, looking for vulnerabilities or suspicious packets. You installed Suricata as a network monitoring system, defining rulesets for the service to manage on your behalf.

Connecting to and managing your server is often done via the command line, which you used across these articles on security.

Using the Command Line

You began to use the Linux command line with our introductory articles on cloud servers, configured a web server with the articles on web server solutions, managed your database with articles on databases, and configured a container solution with the articles on containers.

In the introduction to security practices, you have continued to develop familiarity with the command line through commands such as:

• add-apt-repository as your sudo-enabled user to add software repository information to your server.
• cat to output a file’s content to the terminal.
• chmod to change file permissions.
• cp to copy files on one server and scp to copy files between servers.
• cut to remove a section of a file, using the -c option to cut the specified string).
• date to output a timestamp, using the +%s%N options to output seconds (%s) and minutes (%N).
• grep to search text and strings in a specified file.
• jq to read and filter entries as specified by the command syntax.
• kill as your sudo-enabled user to specify a signal by which a service should be stopped.
• ln with the -s option to create a symlink between files.
• printf to display a given string.
• sha1sum to print and check a checksum.
• ss to list all TCP/UDP ports in use, paired with the -plunt options for additional information.
• sysctl as your sudo-user to configure kernel parameters and load new values for your terminal session.
• systemctl to manage services, including OpenVPN as a systemd service and Suricata as a networking monitoring package.
• resolvectl dns to identify the DNS resolvers used by your server.
• tail to output lines from a file specified with the -f option.
• tee as your sudo-user to redirect an output into a new file.

You used the ip command and associated subcommands to configure your network interfaces:

• ip addr to look up your network interfaces. You then used the output with the ufw allow command to enable incoming traffic via the selected network interface.
• ip address show to find the public IP address for the system.
• ip route to find the public network interface.

If you opted to run a live patching service for kernel-level updates to your Ubuntu server, you ran subcommands for the canonical-livepatch service as your sudo-enabled user:

• canonical-livepatch enable your-key to enable the tool.
• canonical-livepatch status to check the status of the background service.

You also used the pipe operator (|) to chain together multiple commands.

Running UFW from the Command Line

In our Initial Server Setup, you set up a basic firewall with the Uncomplicated Firewall. You then used sudo access to modify your firewall with various subcommands in How To Set Up a Firewall with UFW on Ubuntu 22.04:

• ufw default deny incoming to deny all incoming connections (this is the default state).
• ufw default allow outgoing to allow all outgoing connections (this is the default state).
• ufw allow ssh to allow incoming SSH connections on port 22, such as when you wish to manage a remote server.
• ufw allow port_number to specify a port for incoming connections.
• ufw enable to make the firewall active.
• ufw status to check the status of your firewall and ufw status verbose to see all the rules that are set.
• ufw allow http or ufw allow 80 to allow incoming connections from unencrypted web servers over HTTP.
• ufw allow https or ufw allow 443 to allow incoming connections from unencrypted web servers over HTTPs.
• ufw allow port_number:port_number/tcp and ufw allow port_number:port_number/udp to allow a range of ports, specifying the TCP/UDP protocols.
• ufw allow from your_ip_address to allow connects from a specific IP address. You can add to any port port_number to direct the IP address to a specific port.
• subnets
• ufw deny http to deny HTTP connections and ufw deny from your_ip_address to deny all connections from a specific IP address.
• ufw status numbered to generate a numbered list of firewall rules.
• ufw delete to delete rules, using a list number or using the allow rule (such as ufw delete allow http).
• ufw disable to deactivate all rules you have created.
• ufw reset to disable UFW and delete any rules you created.

You can continue to work on your UFW setup with our article on UFW Essentials: Common Firewall Rules and Commands.

Running VPNs from the Command Line

In addition to configuring your firewalls, you also managed WireGuard and OpenVPN, two different VPN tools.

When setting up your WireGuard VPN, you ran the following WireGuard commands across both the WireGuard server and its Peer server:

• wg to manage your WireGuard server.
• wg genkey and wg pubkey to create a private and public key pair for a WireGuard server.
• wg set with an allowed-ips settings and a list of specific IP addresses to manage access to your WireGuard VPN.
• wg-quick establish your VPN connection manually with the up argument to start the tunnel and the down argument to disconnect from the VPN.

When setting up your OpenVPN server, you ran a series of modified scripts across your OpenVPN server and the CA server that validates certificates, setting configuration directives like the tls-crypt directive, to improve cryptographic communications.

Through these articles and best practices, you now know the basics to protect your cloud server.

What’s Next?

In these articles introducing security practices for cloud servers, you have learned about best practices and commonly used tools for building robust security measures in your cloud servers. To ensure that your infrastructure begins with a secure base configuration, you can continue to follow industry best practices for encryption, private networking, security monitoring, and service auditing.

To continue building your server security, try these tutorials next:

• How To Set Up a Firewall Using firewalld on Rocky Linux 9
• How to Configure a Droplet as a VPC Gateway
• How To Set Up and Configure a Certificate Authority (CA)
• How To Harden OpenSSH Client on Ubuntu 20.04

You can transfer files across your system with these tutorials:

• How To Use SFTP to Securely Transfer Files with a Remote Server
• How To Use Rsync to Sync Local and Remote Directories

If you’d like to implement security practices for your DigitalOcean Kubernetes cluster, try these tutorials next:

• Recommended Steps to Secure a DigitalOcean Kubernetes Cluster
• How To Set Up an Nginx Ingress on DigitalOcean Kubernetes Using Helm
• How To Secure Your Site in Kubernetes with cert-manager, Traefik, and Let’s Encrypt

If you haven’t already, you can also install an SSL certificate from a commercial certificate authority for a domain associated with your server.

With your newfound knowledge of security, you are ready to continue your cloud journey. If you haven’t yet, check out our introductory articles on cloud servers, web servers, databases, and containers.