Cloud VMs without sane firewalls is nutty, right? Digital Ocean agrees

Running a virtual machine in the cloud without a firewall sounds a bit nutty, right? Because security. And because even when your servers are designed for developers to spin up on the cheap, as is the case for Digital Ocean's droplets, it's a good idea for folks to at least add a fig leaf of security at the beginning of their …

  1. wheelybird

    Depends on whether you harden your server

    and only open the necessary ports on the public interface.

    I suppose you might want to whitelist SSH access, but you can easily run iptables or something on the VM.

    Of course if you're running Windows then good luck to you.

    1. Missing Semicolon Silver badge

      Re: Depends on whether you harden your server

      Exactly. Job 1 (after the SSH login, and updating) is to enable iptables and put some sensible rules in place.

      Then you can get on with installing servers, and only opening ports to the public-facing services.

    2. Anonymous Coward

      Re: Depends on whether you harden your server

      "Of course if you're running Windows then good luck to you."

      Well it is a lot more resistant to remote hacking than Linux. And of course it's also locked down by default and is a minimum install by default.

        1. Anonymous Coward

        Re: Depends on whether you harden your server

        > Well it is a lot more resistant to remote hacking than Linux.

        WannaCry bet on that?

  2. ilmari

    This article puzzles me.

    Is it common these days to expect a server, dedicated, vps or VM to have preinstalled firewall? Or is it expected that there would be a separate firewall in front if it all?

    If anything, I would've thought the expectation would be firewall and NAT-free so you can have bidirectional communication with clients from the internet...

    Could someone enlighten me please...

    1. Tom 38

      With our EC2 routing rules, (almost) all our cloud servers aren't addressable from the internet, they get an internal private address and we have a VPN connecting in to them. Anything that the public need to get out is provided by ELB (Elastic Load Balancer) talking to our internal cloud servers.

      I don't really get why anyone would do it differently than this.

      1. Anonymous Coward

        Presumably you're still opening up what needs to be on each machine though? Otherwise once someone is in one machine, then they've got free roam to attack all your others.

        1. Tom 38

          Like what? If we're running a remotely accessible service on a VM, it's because something remote needs to access it. Remote as in "another device on this network", not as in "any internet accessible device".

          E.g., on our web worker VMs there is just one remotely accessible service, sshd. On our DB servers, sshd and mysqld/postgres. Externally, the only way to interact with our web cluster is via HTTP, first via Akamai and ELB, then to a trivial interface server, which turns requests into messages that are then received by the web workers, processed into responses and returned to the interface server, which returns them to the web client.

          A malicious user could (theoretically) attack ELB or our interface server, but if they can cause a programming error in *our* code, it is extremely difficult to turn that into an exploitable error, as there is no return channel connected to the malicious user.

    2. Anonymous Coward

      I made my first droplet about a year ago, with similar expectations (some modest firewall, ports closed by default) but you get whatever defaults are present in the distro you choose. Need I say I was pwned almost immediately? Wiped, respawned taking responsibility for my own protection, and things went much better. It just didn't occur to me that I'd be dropped into the 'net bareass naked.

      I think basic protections should be defaulted into the droplets, if you need to switch something off, then by all means do so. Too many folks likely either don't know or don't believe that there could really be no security.

  3. Anonymous Coward

    Cloud

    Cuckoo land

  4. GingerOne

    Am I understanding this right? A company was offering servers in the cloud without any firewall? And people were buying it? A windows server? Sitting in the cloud? With no firewall? No protection? Nothing? Really?

    1. Martin Summers Silver badge

      No, you're not right, they don't do Windows. And if people don't enable a firewall on a VPS that's not the provider's fault, it's hardly a consumer product is it.

    2. Anonymous Coward

      Windows comes with a firewall enabled by default.

      1. Anonymous Coward

        > Windows comes with a firewall enabled by default.

        "Firewall" is such a loose word sometimes. When there are many ports open by default, it's not really being much of a firewall.

        1. GingerOne

          ""Firewall" is such a loose word sometimes. When there are many ports open by default, it's not really being much of a firewall."

          Indeed. A bit like saying your house is secure because the front door is locked - ignoring the wide-open windows and back door.

  5. Platypus

    Own your availability, own your security

    I've seen way too many cases where the preinstalled firewall crap at a cloud provider interfered with the operation of the distributed systems I was installing. Often the tools and documentation available to resolve the issue were miserable too. I did not appreciate it. I'm perfectly capable of locking down my own system, without making it unusable, all by myself. IMO it's perfectly reasonable for a provider to avoid the complexity and cost and aggravation associated with trying to do what any competent Linux administrator can and should do themselves.

  6. ofnuts

    Hmm. I got a Droplet 6 months ago, running Ubuntu server, and it came with UFW pre-installed and only the 22, 80, and 443 ports enabled (+throttling on port 22 to prevent abuse).

    The announcement isn't implying there is no firewall at all in droplets, it's more like making it easier to manage the firewalling of several systems that work together.
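    The "enable iptables and put some sensible rules in place" step from Missing Semicolon's comment, and the 22/80/443-plus-throttled-SSH layout ofnuts describes, as an added example (not from the article, Digital Ocean or any commenter). It assumes sshd on port 22 and uses the iptables `recent` match for the SSH throttle; it only prints the ruleset unless invoked as root with `apply`.

```shell
#!/bin/sh
# Constructed example: minimal host firewall for a public-facing Linux VM.
# Default-deny inbound, keep loopback and established flows, allow 80/443,
# allow SSH but rate-limit new connections per source, log the rest.

SSH_PORT="${SSH_PORT:-22}"        # assumed; change if sshd listens elsewhere
SSH_HITS="${SSH_HITS:-4}"         # new SSH connections per source per window
SSH_WINDOW="${SSH_WINDOW:-60}"    # window length in seconds

# Emit the ruleset in iptables-restore format so it can be reviewed before use.
droplet_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --update --seconds $SSH_WINDOW --hitcount $SSH_HITS -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Sanity check: how many INPUT rules admit new connections? It should be
# exactly two (SSH, and HTTP/HTTPS), i.e. the whole exposed surface.
count_accept_rules() {
    droplet_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Apply only when explicitly asked and running as root (needs iptables-restore).
if [ "$1" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    droplet_rules | iptables-restore
fi
```

Review the printed ruleset (and confirm your own source address can still reach port 22) before applying it over the console, since a mistake here locks you out of the VM.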

  7. Spuddleziz

    Ooh that's great!

    They added a firewall - too little too late IMHO.

    Used DO for a while - I do in fact still have a couple of web facing bits still there. My huge ANGER came about when you look into the "Private Network" feature.

    It's not f*cking private at all. All droplets share the same Layer 2 network, someone could easily MITM or impersonate your machine with some clever ARP packeting or the like.. Honestly! Or at least that's how it used to be. The least "private" network there is.

    Absolute joke. It's been like this (unless they have fixed it) for as long as they have had the feature.. Tell me if I'm wrong but it was DEFINITELY that way last year when I looked into it.

    Moved to Vultr and kept the bits on azure (that I was considering moving to DO), on Azure...

    </rant>

    1. Anonymous Coward

      Re: Ooh that's great!

      > It's not f*cking private at all. All droplets share the same Layer 2 network, someone could easily MITM or impersonate your machine with some clever ARP packeting or the like...

      That's pretty much the standard with VLANs. You need to run your own encryption layer too for proper security, e.g. IPsec or whatever suits your scenario.

  8. DagD

    Blocked at the firewall

    Digital Ocean is nothing but a hosting platform for scum bags.

    Too little, too late D.O.

  9. Jove Bronze badge

    English?

    Your contributors could do with some lessons.
