Initial Server Configuration

You may use CeraNet Network Security, or your own firewall solution if you are a colocation client and use hybrid services. A firewall helps protect your CeraNet Cloud servers, but there are additional steps you should take to further protect them.

1) Windows

  • The Windows software firewall is enabled by default. However, it should be tightened when you deploy a new server, even when the server is protected by a core firewall.
  • One benefit is that you decrease the risk of server-to-server spread of malware and ransomware if one of the servers becomes compromised.
  • At a minimum, the incoming rules should restrict access to specific source IPs.
  • When using CeraNet Network Security, take note of your VPN DHCP range.
  • Firewall rules for services accessed only by Administrators, such as RDP, should be limited to the VPN DHCP range.
  • Firewall rules for services such as file sharing/SMB should be disabled, or limited to the specific local IPs of the other servers that need to access file sharing.
  • Firewall rules for things like remote management should all be disabled.
  • If you are not sure, it is best to disable all incoming rules, with the exception of RDP, and re-enable rules as needed before the server goes into production.
  • It is more difficult to start disabling rules after the server is in production use because you may inadvertently break things.
  • If you lock yourself out of the server because of a software firewall rule, you can use the Virtual Console within the portal to regain access.

2) Ubuntu

  • The Ubuntu firewall known as the Uncomplicated Firewall (UFW) is disabled by default.
  • You should start by adding a rule that limits SSH access to your VPN DHCP subnet, and then enable the firewall:
  • sudo ufw allow from <vpn_dhcp_subnet> to any port 22 proto tcp
  • Where <vpn_dhcp_subnet> is your actual VPN DHCP subnet, which can be found in the portal in the Network Security product information
  • sudo ufw enable
  • sudo ufw status
  • You can then add additional rules as needed
  • If you lock yourself out of the server because of a software firewall rule, you can use the Virtual Console within the portal to regain access.

 

  • By default, you are granted root access to new Ubuntu servers.  You should create individual users and disable root SSH access.
  • sudo useradd -m -s $(which bash) -G sudo <USERNAME>
  • sudo passwd <USERNAME>
  • Where <USERNAME> is the new username you want to create

 

  • By default, root SSH is permitted. You can disable it so that only individual users have SSH access.
  • sudo nano /etc/ssh/sshd_config
  • Modify the line that says PermitRootLogin yes to PermitRootLogin no
  • Save and Exit
  • sudo systemctl restart ssh
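
To confirm the PermitRootLogin change took effect, the following check is an added example (not part of the original article) that goes slightly beyond the single-file edit above: sshd uses the first value it reads for a keyword, so a file read earlier, such as a drop-in under /etc/ssh/sshd_config.d/, can override the line you edited. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): report the PermitRootLogin
# value sshd will actually use. sshd keeps the FIRST value it reads for a
# keyword, so pass the files in the order sshd reads them.
# Assumption: lines inside Match blocks are conditional and are skipped here;
# "sudo sshd -T" on the server itself remains the authoritative check.

effective_permit_root_login() {
    # Keep only readable files (an unmatched drop-in glob stays a literal name).
    for f in "$@"; do [ -r "$f" ] && set -- "$@" "$f"; shift; done
    [ "$#" -gt 0 ] || { echo unset; return 0; }
    awk '
        FNR == 1 { in_match = 0 }             # every file starts in the global section
        { sub(/#.*/, "") }                    # strip comments
        NF == 0 { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$@"
}

check_root_login_disabled() {
    value=$(effective_permit_root_login "$@")
    case "$value" in
        no)    echo "OK: PermitRootLogin no"; return 0 ;;
        unset) echo "FAIL: PermitRootLogin not set, the sshd default applies"; return 1 ;;
        *)     echo "FAIL: effective PermitRootLogin is '$value'"; return 1 ;;
    esac
}

# Constructed sample: the main file was edited to "no", but a drop-in that is
# read first still says "yes". File names and contents are made up.
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' '# PermitRootLogin no' 'PermitRootLogin yes' > "$1/sshd_config.d/50-image.conf"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '#PermitRootLogin yes' \
        'permitrootlogin no' 'Match User backup' 'PermitRootLogin yes' > "$1/sshd_config"
}

sample=$(mktemp -d)
make_sample "$sample"
check_root_login_disabled "$sample"/sshd_config.d/*.conf "$sample/sshd_config" || true
check_root_login_disabled "$sample/sshd_config" || true
rm -rf "$sample"
```

On a server whose sshd_config starts with an Include of the drop-in directory, pass /etc/ssh/sshd_config.d/*.conf first and /etc/ssh/sshd_config second, then confirm the result with sudo sshd -T.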

 
