Before you begin performing useful work on a cloud server or any server, your first activities on that server should be to ensure that it is secure, running necessary software, and regularly backed up. These are good practices in or out of the cloud.
Because you probably chose to use cloud computing to deal with a rapidly changing workload, it’s important for you to begin two additional good practices now to prepare you to recognize and respond to usage peaks:
- Establish a monitoring protocol to alert you to unusual events
- Establish scaling policies to enable your configuration to grow as needed
Note: Securing your own server and establishing your own backups provides a layer of protection that you can control, in addition to the protection provided by Rackspace’s reliable infrastructure. You can read about our infrastructure at Global Infrastructure and Uptime Guarantee. To perform some test interactions, click the name of one of the data centers shown on that page.
Every time you create a server, whether in the cloud or in your data center, configure it to disable abuse and enable your legitimate work. You might need to do some research to identify the specific steps required to secure your configuration, but the steps should be similar to those shown in Basic Cloud Server Security, which demonstrates the process of securing a cloud server running the Ubuntu operating system. For that server, the steps are as follows:
- Edit the SSH known_hosts file and remove entries that point to your server’s IP address.
- Change your root password.
- Add an admin user.
- Give the admin user sudo privileges.
- Establish a public/private key.
- Set permissions for the key.
- Disable unused ports.
- Establish a firewall.
- Set rules for the firewall.
- Create a script to activate the firewall after every restart.
Limiting network access to your configuration, so that only legitimate traffic can use pre-defined ports, is a very effective way of improving overall security. A firewall is the key tool for this purpose. Methods not based on firewalls can require you to disable or reassign connections that are required for normal operation. Before pursuing any of those methods, consider their implications as described at:
Tip: Because security configuration can be time-consuming, it’s a good idea to save a copy of a clean, securely-configured cloud server that works well for your purpose. You can use Cloud Images to maintain a consistent starting point for future servers that you create.
Security-related offerings from Rackspace partners are listed in the Rackspace Marketplace. You might find one or more of these that directly addresses your specific security needs.
Validating SSH configuration
Depending on your circumstances, it may be appropriate for you to change the assignment of port 22 in your configuration. By default, port 22 is assigned to Secure Shell (SSH). Changing this assignment can make it harder for attackers to guess the location of your SSH port, but that change can also make it impossible for some cloud services to coordinate their activities.
Do not change the default assignment of your SSH port if any of the following are true of your account:
- Uses Managed Operations service level
- Uses RackConnect
- Uses Cloud Monitoring
- Uses Cloud Backup
Before you make any change to the SSH port, make sure you can answer the following questions:
- Does your account use the Managed Operations service level?
To learn which service level is associated with your account, log in to the Cloud Control Panel. At the upper right, under your account name, look for a red + followed by the shortened name of a Rackspace service level. For example, Managed Infrastructure is indicated by “+Infrastructure”.
You can compare the Managed Infrastructure and Managed Operations service levels at Compare service levels.
- Does your account use RackConnect?
RackConnect enables cloud servers and dedicated servers to share data. On the Cloud Control Panel, nothing indicates which cloud servers use RackConnect to communicate with dedicated servers.
RackConnect configurations are managed from the MyRack control panel, where dedicated devices are managed. When you log in to the MyRack control panel and display Server Details for a cloud server, the details include a RackConnect Status field. If RackConnect Status is Deployed for at least one server, then RackConnect is in use at your account. You can read more about this at Accessing RackConnect Cloud Servers.
- Does your account use Cloud Monitoring?
Cloud Monitoring is available to all Rackspace cloud customers. Even if you have not chosen to use Cloud Monitoring to observe activity on servers that interest you, someone at your account may be using Cloud Monitoring to enable Auto Scale.
To learn whether Auto Scale is in use at your account, log in to the Cloud Control Panel. On the Servers menu, click Auto Scale. If Auto Scale is in use, at least one scaling group is listed under Groups. Otherwise, a message reports that no scaling groups have been created.
If anyone at your account is using Auto Scale, a scaling group is listed.
- Does your account use Cloud Backup?
Cloud Backup is available to all Rackspace cloud customers. Even if you have not chosen to use Cloud Backup to maintain copies of key data on servers that interest you, someone at your account may be using Cloud Backup to protect data on other servers.
To learn whether Cloud Backup is in use at your account, log in to the Cloud Control Panel. On the Backups menu, click Activity. If Cloud Backup is in use, at least one backup schedule is listed. Otherwise, a message reports that no backup activity was found.
Whether you reassign port 22 or retain this default assignment, your best security comes from an effective firewall configuration.
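Tying the firewall steps to the SSH port discussion above, as an added example (not from the original page or from Rackspace): a shell function that reads the port from an sshd_config file and emits a default-deny ruleset in iptables-restore format that always keeps that port open. The function names, the sample config, and the choice of ports 80 and 443 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Rackspace's script): default-deny inbound rules that
# always keep the port sshd really uses, so a reload cannot lock you out.

# Print the TCP port(s) set in an sshd_config file. Keywords are
# case-insensitive, "Port=N" is accepted, and with no Port line sshd uses 22.
# Include files are not followed.
sshd_ports() {
    awk '{ sub(/=/, " ") }
         tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Succeed only for a decimal number in the range 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ruleset SSHD_CONFIG [PORT...] prints rules in iptables-restore format.
build_ruleset() {
    config=$1; shift
    ssh_ports=$(sshd_ports "$config") || return 1
    for p in $ssh_ports "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # anything not accepted below is dropped
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ssh_ports "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done | awk '!seen[$0]++'        # drop duplicate ports, keep order
    echo 'COMMIT'
}

# Constructed sample config: Port is commented out, so sshd listens on 22.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin no' > "$sample"
build_ruleset "$sample" 80 443      # web server: SSH plus HTTP and HTTPS
rm -f "$sample"
```

The output can be saved to a file and loaded with `iptables-restore`; it covers IPv4 only, so IPv6 needs its own ruleset for `ip6tables-restore`. On a live host, `sshd -T` reports the effective configuration, including any Include files this parser skips.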
Installing a software stack
When you create a cloud server, unless you begin from an existing Cloud Images configuration, only an operating system is installed. You can then install any additional software that is compatible with the server’s configuration.
You can install software manually, following the software provider’s instructions. Before you can run some software, you’ll have to install a set of enabling software; for example, if you want to publish a blog using the WordPress content management system, you’ll have to provide WordPress with a Linux+Apache+MySQL+PHP environment (a LAMP stack). To learn about this process, read the article How to Install a LAMP stack on CentOS, Fedora, or Red Hat.
For many popular software packages and their enabling stacks, Rackspace offers an easier way to get what you need. When you create a server, you can choose to install specific software in addition to the operating system. To do that through the Cloud Control Panel, choose Create Stack rather than Create Server, and then choose a template that describes the software that you want to install.
We frequently update the list of templates. To see the complete, up-to-the-minute list of templates, log in to the Cloud Control Panel and click Orchestration.
For some templates, you can choose a flavor. For example, the Rails template is available in single-server and multi-server flavors.
In the Cloud Control Panel, you also have the option to click Create Custom Template to create your own template.
Additionally, if you’ve written your own automation to create cloud servers, you can use the Cloud Orchestration API to create a server from one of our templates. You can also use the API to create your own templates and then use one of your own templates to create your own cloud servers. To learn how to use the Cloud Orchestration API, begin with the Rackspace Cloud Orchestration API Getting Started Guide.
Tip: Because installing and customizing software can be time-consuming, it’s a good idea to save a copy of a cloud server that already has the software that you need, configured just the way you like it. You can use Cloud Images to maintain a consistent starting point for future servers that you create.
Rackspace data centers are secure and reliable, but you might still occasionally find reasons to restore your data or your operating system to an earlier time.
- Use Cloud Images to be sure you can quickly create a new cloud server configured just like the one you have.
- Use Cloud Backup to create incremental backups of a single cloud server.
- Use Cloud Block Storage to create data on a portable drive image, moveable from one server to another.
For advice regarding when to use Cloud Backup and Cloud Block Storage, see Best Practices for Backing Up Your Data: Cloud Block Storage versus Cloud Backup.
The Rackspace cloud infrastructure is meant to operate smoothly, handling workload peaks with no human intervention. When unexpected events happen, part of ensuring continued smooth operation is to make sure a responsible human knows what’s going on and can decide whether to get involved. Before any surprises can happen, set yourself up for success by using Cloud Monitoring to identify what events you want to know about and how you want to be told.
If you are using Cloud Databases or are signed up for the Managed Infrastructure service level, some Cloud Monitoring is already in place for you. To investigate other options, begin with Cloud Monitoring Resources.
The cloud gives you room to grow. Before growth surprises you, you can establish some policies for handling it, using Auto Scale to add new cloud servers when they’re needed. Autoscaling policies are easy to change as you become more familiar with the peaks and patterns in your workload.
Auto Scale relies on Cloud Monitoring and Cloud Load Balancers. To learn how to use Auto Scale through the Cloud Control Panel or the Cloud Monitoring API, start at the Rackspace Auto Scale introduction page.
Updated 5 months ago