Any virtual or physical machine will eventually get hacked

As a general rule, any IP address is going to get attacked by
some hacker once every couple of minutes. This means that someone will probably
try to break into your system 700 times a day, or 250,000 times a year.

Even if you are religious about upgrading your systems, eventually
someone is going to get you. You may go on vacation for a couple of weeks, or
slack off for a time, or not realize that a patch did not fully take.

The reason is simple: even with a firewall to exclude unnecessary
traffic, there remain services that you may have to run and make Internet-accessible
just to be able to use the machine productively. Examples of this might include
FTP, SSH, and HTTP. Each service or application is going to have bugs that a
hacker can find, attack and exploit to take control of your machine. Thus, you
have to be religious in searching for new break-in types, and patching your
system as soon as a problem is identified.

While the job of patching Linux systems is reputed to be nowhere
near as onerous or time-consuming as it is for Windows systems, unless we are administering
your system for you, you are going to be responsible for finding and applying
the relevant patches to your system and reconciling them with any of your applications.
Similarly, if and when you do get a break-in, you will be responsible for any
damage the varmint does, including consuming bytes billed to your machine, and
for either repairing the system and removing him, or blowing away the system and
rebuilding from an older data set. We can provide some advice on how to do this,
but ultimately the work is yours to do.

There are a couple of pointers and little things you should also
know about your system, to help you in such situations:

1. Keep your machine sparse, running as few services as you
can get away with. To give you an example: we use the virtual systems concept
for our own system management, and build machines for single purposes. By
building, for instance, a virtual machine that does only DNS or e-mail,
we greatly reduce the chances of break-in, as well as the complexity of
initial configuration, because we don't need to worry about a lot of interactions.
You may find you can produce a safer result with two of our machines rather
than one.

2. Make sure nonessential services are turned off at the firewall.

3. Use our services when they make sense. For instance, use
of our e-mail and DNS service can save you the expense of maintaining these
for yourself. Similarly, consider using our MultiPath proxying service and
certs as a way to reduce maintenance costs.

4. We will e-mail you daily activity reports, so that you can
get a sense if strange things are starting to happen.

5. We provide a bandwidth shaper which restricts aggregate
throughput to 1 Mbit/sec. You should only change this if you understand what
you are doing and need a bigger throat. Leaving bandwidth restricted is
a way to reduce the costs you might accrue if someone broke into your
system.

6. We try to make sure that you have the most current and patched
build of things when you start.

7. We install a firewall in your system, and turn off all but
necessary services initially -- basic web and SSH. You should not turn on
other services unless you know exactly what you are doing before you do
so.

8. We encourage you to have a backup plan, though, for our
Basic service, we do not require one. If you get a varmint, the easiest
way to fix it may be to flush your system and restore from a backup. If
this is conveniently available, the restore is easy. If not, it can be very
painful.
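
Items 1, 2 and 7 above depend on knowing which ports your machine actually accepts connections on. The shell function below is an added example, not tooling supplied with the service: it checks `ss -H -tln` output against the "basic web and SSH" baseline. The name `unexpected_listeners`, the `ALLOWED_PORTS` variable, the inclusion of port 443 and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners outside the "basic web and SSH" baseline.
# ALLOWED_PORTS is an assumption: 22 (SSH), 80 (web) and 443 (HTTPS).
ALLOWED_PORTS="${ALLOWED_PORTS:-22 80 443}"

# Reads `ss -H -tln` style lines on stdin (State Recv-Q Send-Q Local Peer)
# and prints "port address" for each listener that other hosts can reach
# and that is not on the allowlist. Loopback-only listeners are skipped.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
        $1 == "LISTEN" {
            # The port follows the last colon; IPv6 addresses contain colons too.
            i = match($4, /:[0-9]+$/)
            if (i == 0) next
            addr = substr($4, 1, i - 1)
            port = substr($4, i + 1)
            # Drop an interface scope such as "%lo", then IPv6 brackets.
            sub(/%.*$/, "", addr)
            gsub(/^\[|\]$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            if (!(port in ok)) print port, addr
        }
    ' | LC_ALL=C sort -k1,1n -k2,2
}

# Constructed sample input, not output from a real machine.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 100 [::]:25 [::]:*'

# On a live system: ss -H -tln | unexpected_listeners
printf '%s\n' "$SAMPLE" | unexpected_listeners
```

Any line it prints is a service to either turn off or deliberately add to the allowlist; the check covers TCP listeners only.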