Protecting a virtual server

Hyper Protect Virtual Servers is a service that is used to provide highly secure virtual servers. The difference to common virtual servers from a security perspective is that an instance that is created from this IBM Cloud® service runs on a secured stack. Even IBM Cloud system administrators can't access your data nor track your usage. They don't have an insight into the security status of your virtual server. They are also limited in how they can set up or change for your virtual server configuration.

However, the virtual server is still a virtual server, which is accessible from the internet. From a security perspective, you need to protect the virtual server instance itself.

Do not use personal information, for example, your name, as the instance name or as part of the instance name. The data that you provide when you provision an instance or interact with the hpvs cli is not considered to be personal data or credentials. Learn more about IBM Cloud Hyper Protect Virtual Servers' Data usage and Certifications here

For Ubuntu, different System Hardening Guide documents are available.

The Ubuntu operating system that is provided for your virtual servers is part wisely hardened according to the CIS Ubuntu Linux 20.04 LTS Benchmark, Level 1- Server profile, which means that the operating system is more secure than the standard Ubuntu image. However, it still might not be secure enough to meet to your requirements. Select a System Hardening Guide depending on your companies’ location and policies.

The subsequent description presents an overview of the features that are implemented for the Ubuntu OS offered with Hyper Protect Virtual Servers.

As part of the hardening, IBM installed and configured AIDE (Advanced Intrusion Detection Environment), which is a file and directory integrity checker. With the implemented configuration, AIDE is run as a cron job every 5 minutes while the server is running.

The firewall allows all outgoing TCP, UDP, and ICMP traffic. Incoming traffic is only accepted on ports 22 (the TCP port) and with protocol ICMP.

For firewall configurations based on IPtables, IBM provided an systemd-service, which is located within /usr/lib/systemd/system/iptables.service and added to the multi-user target.

To adjust the firewall, configure your IPtables and override the existing configuration file by using the following command:

iptables-save > /etc/iptables/iptables.conf

It is in your responsibility to configure the firewall correctly and to protect your network traffic. Configure the firewall as restrictively as possible to secure your virtual server and data. For example, ensure that your network traffic is encrypted and limit port access for the network interface.

The following commands open the firewall for incoming traffic on a specified protocol and port:

iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT

To make the configuration persistent, save your changes as described. Otherwise, all configuration updates are lost after a restart.

Another part of the hardening is that the server is configured in such a way that the password expires after 90 days. After your password expires, you have 30 days to change it. If you don't change your password within the 30 days, your account becomes inactive and it is no longer possible to log in with SSH even if you are using SSH-keys. This restriction also includes system-accounts, for example, accounts created by using the command, useradd --system.