LINUX on AZURE security recommendations (top)

This article is personal original, can be freely reproduced, reproduced please indicate the source, thank you!

This address: http://www.cnblogs.com/taosha/p/6399554.html

1.1Overview Introduction

Linux system is one of the world's most popular server operating systems, using open source, flexible and convenient, version update fast, but because of more branches, free community version of non-commercial operation, lack of after-sales service and security, security loopholes, which is a big problem for many Linux users.

Microsoft Cloud computing Platform ----Windows Azure (called Azure) run a large number of Linux virtual machines, how to ensure that the security of these cloud servers is a relatively hot topic of technology, this article mainly for the Linux on Azure Recommendations for security hardening and best practices.

1.2Scope of application

This article is mainly for Linux on Azure discussion, theLinux self-security hardening means are not all included in this article, theLinux self-reinforcing most of the Linux on Azure are common, this article is mainly combined Design features of the Azure platform to discuss security hardening issues.

1.3Disclaimer

This article is for the safety reinforcement proposal, for the customer reference, does not make any security commitment to the customer real environment.

2The first important step-Network Security Planning

The work of network security planning is the foundation of all security hardening, carefully planning the network of the Linux virtual machine and the internal, external and internet-based machines that need to communicate with this virtual machine in the future, which can help to set up the related security policy later.

2.1 VNetConcept

An Azure virtual network (VNET) is a representation of the user's own network in the cloud. It is a logical isolation from the Azure cloud dedicated to user subscriptions. Users have full control over the IP address blocks, DNS settings, security policies, and routing tables in the network. You can also further divide the VNet into subnets, setting up different nsgs (network security groups, which will be discussed later in the discussion).

2.2 VNetAdvantages and Features

isolation . The VNet is completely isolated from each other. This allows you to create separate networks for development, testing, and production that use the same CIDR address blocks.

access to public Internet. By default, all IaaS VMs and PaaS role instances in a VNet have access to the public Internet. Access can be controlled by using a network security group (NSG).

Access VNet in the VMs. PaaS role Instances and IaaS VMs can be started on the same virtual network and can be connected using private IP addresses (even if they are on different subnets) without having to configure the gateway or use a public IP address.

name resolution . Azure provides internal name resolution for IaaS VMS and PaaS role instances deployed in a VNet. You can also deploy your own DNS servers and configure your VNet to use those servers.

security . Traffic to and from virtual machines and PaaS role instances in the VNet can be controlled using network security groups.

connection . You can use gateways or vnet peering to connect your vnet to each other. A VNet can be connected to an on-premises data center through a site-to-site VPN network or Azure ExpressRoute.

2.3Subnets andNSGPlanning

You should consider creating multiple subnets in your VNet in the following situations:

used for all in subnets NIC the dedicated IP insufficient address. If your subnet address space does not contain enough IP addresses for the number of NICs in the subnet, you will need to create multiple subnets. Keep in mind that Azure retains 5 private IP addresses in each subnet that cannot be used: the first and last addresses of the address space (for subnet addresses and multicasting) and 3 addresses to be used internally (for DHCP and DNS purposes).

security. you can use subnets to separate VM groups from each other for workloads with multi-tiered structures, and to apply different network security groups (NSGS) to those subnets.

hybrid connections. You can use the VPN gateway and the ExpressRoute line to connect the VNet to each other and connect to the on-premises data center. The VPN gateway and the ExpressRoute line need to create their own subnets.

virtual devices. You can use virtual appliances such as firewalls, WAN accelerators, or VPN gateways in your Azure VNet. When you do this, you need to route traffic to these devices and isolate them in their own subnets.

2.5Planning Considerations (Recommendations)

ü Which Azure locations will you use to host your VNet?

ü Do you need to provide communication between these Azure locations?

ü Do you need to provide communication between the Azure VNet and the on-premises data center?

ü How many infrastructure-as-a-service (IaaS) VMS, cloud service roles, and WEB applications do you need to use for your solution?

Do you need to isolate traffic based on VM groups (that is, front-end WEB servers and back-end database servers)?

Do you need to use virtual devices to control data flow?

ü Does the user need different permissions control for different Azure resources?

2.4Subnets andNSGDesign Patterns

The following table shows some common design patterns for using subnets.

Scheme	Advantages	Disadvantages
Each application- tier single subnet, multiple NSG	Only one subnet needs to be managed.	to isolate each application, you need multiple NSG .
one subnet per application, multiple per application tier NSG	need less management NSG .	You need to manage multiple subnets.
One subnet per application tier, multiple nsgs per application .	in Subnet number and NSG balance between the numbers.	up + NSG 2 NSG
Each application layer one subnet per application, multiple subnets per subnet NSG	may be NSG number of fewer.	You need to manage multiple subnets.

2.5Planning Principles

ü Minimize the number of vnet and subnets according to the application design situation;

ü Each application is completely isolated from each other;

ü Recommend a subnet per application layer, each of the ways to apply multiple nsgs.

2.6Network Planning Demonstration

As shown, the standalone complete application (front and back) is deployed in a vnet, the application tier, the data layer is deployed on different subnets, and different nsgs or ACLs (access control) are set.

3 LinuxSoftware Installation3.1Installation Steps

Icon

through Portal Create virtual machine

Select the key or password method, the key mode can be used Putty to generate a key pair, if using a password, use a password that is not easy to guess or brute-force. Use SSH key to increase security.

Setting up nsgs, similar to an external firewall, can also be adjusted later depending on the situation, as described earlier, theNSG setup and network planning relationship is relatively large

Finally look at the Summary, no problem click OK to create a virtual machine

3.2view installed software and processes, etc.

To view a list of installed software:

Dpkg-l

To view the current process:

Ps-al

To view port usage:

Netstat-an

Tip: Stop and delete unwanted software

Not to be continued

LINUX on AZURE security recommendations (top)