This checkpoint is intended to help you assess what you learned from our introductory articles on security, where we introduced recommended security practices and commonly used security tools. You can use this checkpoint to assess your knowledge of these topics, review key terms and commands, and find resources for continued learning.
To run a cloud application efficiently, you should implement industry recommended security practices when configuring your server. Securing your server is critical for protecting your users and personal information. You can set up effective security measures for both the cloud server itself and your web applications.
This checkpoint will focus on securing your server. You’ll find two sections that synthesize the central ideas from the introductory articles: a brief overview of key security terminology and practices, followed by a section on using the command line with subsections related to specific security tools. Each of these sections has interactive components to help you test your knowledge. At the end of this checkpoint, you will find opportunities for continued learning about containers.
When you secure your cloud server, you are able to manage vulnerabilities in your infrastructure and protect against potential harm and malicious attackers.
It’s important to have familiarity with several key terms to understand security practices for cloud computing.
Terms To Know
Define each of the following terms, then use the dropdown feature to check your work.
Encryption refers to the process of encoding information through an algorithmic transformation, which can then be used for safe transmission or storage.
You can use symmetrical or asymmetrical encryption to achieve your goals, depending on your needs.
SSH refers to the Secure Shell protocol, which enables you to administer your remote servers safely through cryptographically secure connections.
For more on how SSH works, you can review Understanding the SSH Encryption and Connection Process.
A firewall controls connections for your server in two main ways: detailing what kind of traffic can be routed to and from the servers; and defining what servers are exposed to the network.
When working on your server, you should know whether you are using its IPv4 (32-bit numeric) or IPv6 (128-bit alphanumeric) IP address. Both IPv4 and IPv6 can be used, though we recommend moving to IPv6.
Once your server is set up, it will participate in public key infrastructure (PKI) for certificate management, identification, and communication encryption. TLS/SSL encryption is often used to provide that extra level of security, most commonly by providing a certificate from a legitimate certificate authority (CA) to update from an HTTP to an HTTPS server.
Use the dropdown feature to get the answers.
TLS, which refers to Transport Layer Security, is an encryption protocol for web traffic. In a TLS handshake, a client and a server exchange messages, verify that the message is from the authentic source, and determine an encryption method (a cipher suite) that will manage communications for the secure transfer of information.
The TLS protocol uses a public and private key encryption method known as asymmetric encryption. In this process, there is a key pair.
With shared key encryption, there is an identical key cipher that both the sender and the recipient will use to decrypt messages. This process is known as symmetric encryption and uses a single key.
You can use Let’s Encrypt as a certificate authority to obtain free TLS/SSL certificates. You can also generate self-signed certificates. However, a self-signed certificate will not validate your server for users, so you might try installing an SSL certificate from a commercial certificate authority.
In the following sections, you’ll review the core tenets for connecting to your server via SSH, running VPNs, using firewalls, and monitoring your network security.
In the SSH Essentials article from our introductory series on cloud servers, you generated an SSH key pair. That key pair uses an asymmetric encryption method that generates both a private key and a public key. You used that key pair to access your server as a non-root user in the Initial Server Setup.
Use the dropdown feature to get the answers.
SSH typically runs on port
HTTP/HTTPS typically run on ports
To update SSH port access, modify the Port 22 specification in your server’s sshd_config file to reference an unused port of your choosing, then restart your SSH daemon.
When you have changed the SSH port, you must specify the new port every time you want to log in to your remote server.
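The port change described above, as an added shell example that is not part of the original article: it rewrites the Port directive in a constructed copy of sshd_config, refuses invalid ports, and spells out the order of firewall and restart steps that keeps you from locking yourself out. The file content and port 2222 are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): change the SSH listening port in a
# copy of sshd_config. The config content below is constructed; port 2222 is an assumption.
set -eu

# set_ssh_port FILE PORT
# Rewrites an existing "Port N" or "#Port N" line to "Port PORT", or appends one if absent.
# Refuses non-numeric or out-of-range ports so a typo cannot leave sshd unreachable.
set_ssh_port() {
  local file="$1" port="$2"
  case "$port" in
    ''|*[!0-9]*) echo "set_ssh_port: port must be numeric" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "set_ssh_port: port $port out of range" >&2; return 1
  fi
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
    # Portable in-place edit: write to a temp file, then replace the original.
    sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf 'Port %s\n' "$port" >> "$file"
  fi
}

# get_ssh_port FILE: print the active Port directive, or 22 when none is set.
get_ssh_port() {
  local p
  p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{print $2}' | tail -n 1)
  printf '%s\n' "${p:-22}"
}

# Walk-through on a constructed config. On a real server the order matters:
#   1. sudo ufw allow 2222/tcp       open the new port before touching sshd
#   2. sudo sshd -t                  syntax-check the edited config
#   3. sudo systemctl restart ssh    then reconnect with: ssh -p 2222 user@host
#   4. sudo ufw delete allow ssh     only once the new port is confirmed working
demo() {
  local cfg
  cfg=$(mktemp)
  printf '#Port 22\nPermitRootLogin no\n' > "$cfg"
  set_ssh_port "$cfg" 2222
  get_ssh_port "$cfg"    # prints 2222
  rm -f "$cfg"
}
demo
```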
For additional protection, you can harden OpenSSH and the OpenSSH client on your server. By hardening OpenSSH on both the server-side and client-side, you will improve the security around remote access to your server.
To use SSH, you need to configure SSH access with your firewall.
Firewalls control traffic in and out of your server, which can be configured according to your needs. When you choose an effective firewall policy, you have to consider what kind of policies you want for your server(s) and how different firewall programs will respond to requests.
Some commonly used firewall programs include the Uncomplicated Firewall (UFW) and firewalld, which both act as high-level interfaces to iptables or nftables. If you’re using an Ubuntu or Debian distro, you’ll likely use UFW as it comes pre-built with the system. For CentOS or Rocky Linux, you’re more likely to use firewalld. To learn more about iptables, you can refer to our articles on How the Iptables Firewall Works and Iptables Essentials: Common Firewall Rules and Commands.
You can use both IPv4 and IPv6 when configuring your firewall, though you may need to update your firewall to manage IPv6 as well. UFW, for example, manages only IPv4 by default and needs to be configured manually to write rules for IPv6.
A VPN provides an encrypted tunnel through which you can connect to the internet, which can be beneficial for both developers and consumers. For developers, VPNs enable you to access your own infrastructure from various locales so that you don’t need to leave a sensitive port open. As a consumer, a VPN enables you to access the internet securely even when you are connected to an untrusted network (such as WiFi at a coffeeshop or library).
VPC refers to a Virtual Private Cloud network, which is a private network interface for your resources. Resources in a VPC can only connect to each other via an internal network and cannot be accessed through the public internet unless ingress gateways are set. A VPC can scale to your needs, providing benefits in workload management and secure connections.
A VPN, or virtual private network, simulates a private network between remote computers over the internet as if they were on a local private network. VPNs provide a secure gateway to shared network information.
Once you have set up your network, whether with a VPN or not, you’ll want to manage your system long-term for secure and sustainable processes.
Configuring your server setup is one of many steps to ensuring secure practices. You can maintain your server by keeping it up to date, hardening the network, and monitoring your network security.
To keep an Ubuntu server up-to-date, you might want to update your systemd configuration file or schedule a cron job for automated rebooting. You can also set up your package manager to complete automatic updates with the unattended-upgrades service, which you can manage with systemctl. If you prefer running a Rocky Linux server, you can refer to our guide on How To Keep Rocky Linux 9 Servers Updated.
Sometimes you may need to run updates at the kernel level in order to patch system-wide bugs and vulnerabilities. While you can run the unattended-upgrades tool for apt, it may result in some downtime for your system. If you need to ensure consistent uptime, you might use a load balancer to redirect traffic while different servers run the kernel updates. You can also use a live patching service, like the Canonical Livepatch Service or KernelCare, to run in the background.
You can also scan and monitor network traffic, looking for vulnerabilities or suspicious packets. You installed Suricata as a network monitoring system, defining rulesets for the service to manage on your behalf.
Connecting to and managing your server is often done via the command line, which you used across these articles on security.
You began to use the Linux command line with our introductory articles on cloud servers, configured a web server with the articles on web server solutions, managed your database with articles on databases, and configured a container solution with the articles on containers.
In the introduction to security practices, you have continued to develop familiarity with the command line through commands such as:
add-apt-repository as your sudo-enabled user to add software repository information to your server.
cat to output a file’s content to the terminal.
chmod to change file permissions.
cp to copy files on one server and scp to copy files between servers.
cut to remove a section of a file, using the -c option to cut the specified string.
date to output a timestamp, using the +%s%N options to output seconds (%s) and minutes (%N).
grep to search text and strings in a specified file.
jq to read and filter entries as specified by the command syntax.
kill as your sudo-enabled user to specify a signal by which a service should be stopped.
ln with the -s option to create a symlink between files.
printf to display a given string.
sha1sum to print and check a checksum.
ss to list all TCP/UDP ports in use, paired with the -plunt options for additional information.
sysctl as your sudo-enabled user to configure kernel parameters and load new values for your terminal session.
systemctl to manage services, including OpenVPN as a systemd service and Suricata as a network monitoring package.
resolvectl dns to identify the DNS resolvers used by your server.
tail to output lines from a file specified with the
tee as your sudo-enabled user to redirect output into a new file.
You used the ip command and associated subcommands to configure your network interfaces:
ip addr to look up your network interfaces. You then used the output with the ufw allow command to enable incoming traffic via the selected network interface.
ip address show to find the public IP address for the system.
ip route to find the public network interface.
If you opted to run a live patching service for kernel-level updates to your Ubuntu server, you ran subcommands for the canonical-livepatch service as your sudo-enabled user:
canonical-livepatch enable your-key to enable the tool.
canonical-livepatch status to check the status of the background service.
You also used the pipe operator (|) to chain together multiple commands.
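The ss and pipe usage reviewed above, turned into a defender's check as an added example (not from the original article): it reads ss -plunt output and reports every socket bound to a wildcard address whose port is not on your intended allow-list. The ss output is a constructed sample and the allow-list values are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): compare the sockets a server listens on,
# as reported by `ss -plunt`, against the ports you intend to expose. The ss output below is
# a constructed sample; the allow-list values are assumptions.
set -eu

# Constructed `sudo ss -plunt` output: header line plus five sockets.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*         users:(("systemd-resolve",pid=601,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=802,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=910,fd=6))
tcp   LISTEN 0      128    0.0.0.0:3306      0.0.0.0:*         users:(("mysqld",pid=1205,fd=21))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=802,fd=4))'

# unexpected_listeners "PORT PORT ..."
# Reads ss output on stdin and prints "netid port process" for every socket bound to a
# wildcard address (0.0.0.0, [::] or *) whose port is not in the space-separated allow-list.
# Sockets bound to loopback or one specific address are not reachable from outside; skipped.
unexpected_listeners() {
  awk -v allowed=" $1 " '
    NR == 1 { next }                                   # header
    {
      n = split($5, a, ":"); port = a[n]               # port follows the last colon
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
      if (index(allowed, " " port " ") > 0) next
      proc = "unknown"
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      print $1, port, proc
    }'
}

# On a real host: sudo ss -plunt | unexpected_listeners "22 80 443"
# Each line printed is a service exposed to the network that your firewall policy did not
# plan for: bind it to 127.0.0.1 or the VPC interface, or add an explicit ufw rule for it.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80 443"   # prints: tcp 3306 mysqld
```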
In our Initial Server Setup, you set up a basic firewall with the Uncomplicated Firewall. You then used sudo access to modify your firewall with various subcommands in How To Set Up a Firewall with UFW on Ubuntu 22.04:
ufw default deny incoming to deny all incoming connections (this is the default state).
ufw default allow outgoing to allow all outgoing connections (this is the default state).
ufw allow ssh to allow incoming SSH connections on port 22, such as when you wish to manage a remote server.
ufw allow port_number to specify a port for incoming connections.
ufw enable to make the firewall active.
ufw status to check the status of your firewall and ufw status verbose to see all the rules that are set.
ufw allow http or ufw allow 80 to allow incoming connections from unencrypted web servers over HTTP.
ufw allow https or ufw allow 443 to allow incoming connections from encrypted web servers over HTTPS.
ufw allow port_number:port_number/tcp and ufw allow port_number:port_number/udp to allow a range of ports, specifying the TCP or UDP protocol.
ufw allow from your_ip_address to allow connections from a specific IP address. You can add to any port port_number to direct the IP address to a specific port.
ufw deny http to deny HTTP connections and ufw deny from your_ip_address to deny all connections from a specific IP address.
ufw status numbered to generate a numbered list of firewall rules.
ufw delete to delete rules, using a list number or the allow rule (such as ufw delete allow http).
ufw disable to deactivate all rules you have created.
ufw reset to disable UFW and delete any rules you created.
You can continue to work on your UFW setup with our article on UFW Essentials: Common Firewall Rules and Commands.
In addition to configuring your firewalls, you also managed WireGuard and OpenVPN, two different VPN tools.
When setting up your WireGuard VPN, you ran the following WireGuard commands across both the WireGuard server and its peer server:
wg to manage your WireGuard server.
wg pubkey to create a private and public key pair for a WireGuard server.
wg set with an allowed-ips setting and a list of specific IP addresses to manage access to your WireGuard VPN.
wg-quick to establish your VPN connection manually, with the up argument to start the tunnel and the down argument to disconnect from the VPN.
When setting up your OpenVPN server, you ran a series of modified scripts across your OpenVPN server and the CA server that validates certificates, setting configuration directives like the tls-crypt directive to improve cryptographic communications.
Through these articles and best practices, you now know the basics to protect your cloud server.
In these articles introducing security practices for cloud servers, you have learned about best practices and commonly used tools for building robust security measures in your cloud servers. To ensure that your infrastructure begins with a secure base configuration, you can continue to follow industry best practices for encryption, private networking, security monitoring, and service auditing.
To continue building your server security, try these tutorials next:
You can transfer files across your system with these tutorials:
If you’d like to implement security practices for your DigitalOcean Kubernetes cluster, try these tutorials next:
If you haven’t already, you can also install an SSL certificate from a commercial certificate authority for a domain associated with your server.
With your newfound knowledge of security, you are ready to continue your cloud journey. If you haven’t yet, check out our introductory articles on cloud servers, web servers, databases, and containers.