# Cloud Service

# Cloud Tutorials

## Openstack Tutorials

**An Openstack Horizon/Dashboard tutorial can be found**[**in these slides**](https://docs.google.com/presentation/d/1yERFe9v5xupjPJcZAnVdI1kmKXg4nlb3MlTZIYviVHQ/)

**The Openstack CLI tutorial is being maitained in a github repository**[**tutorial-oscli**](https://lip-computing.github.io/tutorials/openstack-cli/oscli.html)

---

Older versions of the Openstack Tutorials:

- Openstack Command Line Tools [**materials**](https://wiki.incd.pt/attachments/51)
- Openstack Graphical User Interface [**materials**](https://wiki.incd.pt/attachments/48)
- Openstack EC2 API [**materials**](https://wiki.incd.pt/attachments/50)

# Security recommendations for cloud

Security recommendations for cloud users, in particular when instantiating and managing VMs

# Security recommendations for the Cloud

## A non exaustive list of security recommendations

These recommendations target speacially user and administrators of cloud computing resources (VMs), as well as
interaction through the Openstack dashboard and CLI.

* default security groups, leave only ssh (22) open and nothing else, other rules should be to create
another "Create Security Group". Each security group should be as minimal as possible. When
too many ports are added to the Default, like the 80 and 443 these are imediately available on the VM, and soon
that the service comes up it can be immediately attacked.

* The first thing when instantiating a VM is to immediately update / upgrade the
operating system and reboot to get the latest kernel, before installing other SW.
In fact, update / upgrade regularly all VMs.

* Install fail2ban (see below)

* When testing or developing a given service such as wordpress, it's better to have only one private IP
and make an ssh tunel from another VM with a public IP, until the service is properly configured and secured.

* Deploy the service endpoints with https/certificate, if possible only port 443 should be opened in the security groups.

* Only associate the new security group (for example 443 and / or 80) after the service is configured properly.
Avoiding windows of opportunity while developeing/testing the service.

* If necessary, restrict the range of IPs that can be connected from outside.

### Updates, installation and configuration of fail2ban

On the follwoing use either `yum` for Cento7 or `dnf` for Centos8, for Ubuntu also available, update and reboot the VM:

```bash
sudo -s
dnf -y update
dnf -y install epel-release
shutdown -r now
```

Reboot the VM

```bash
dnf -y install fail2ban
```

The fail2ban configuration files are located in the `/etc/fail2ban/` directory
and filters are stored in the `/etc/fail2ban/filter.d/` directory (the filter file
for sshd is `/etc/fail2ban/filter.d/sshd.conf`).

The global configuration file for the fail2ban server is `/etc/fail2ban/jail.conf`,
however, it is not recommended to modify this file directly, as it will probably be
overwritten or improved in case of a package upgrade in the future.

As an alternative, it is recommended to create and add your configurations in a
`jail.local` file or separate .conf files under the `/etc/fail2ban/jail.d/` directory.
Note that configuration parameters set in jail.local will override whatever is defined in `jail.conf`.

For this article, we will create a separate file called `jail.local` in the `/etc/fail2ban/` directory as shown.

```bash
vi /etc/fail2ban/jail.local
```

Once the file is open, copy and paste the following configuration in it.
The [DEFAULT] the section contains global options and [sshd] contains parameters for the sshd jail.

```bash
[DEFAULT] 
ignoreip = 192.168.56.2/24
bantime  = 21600
findtime  = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd

[sshd] 
enabled = true
```

Enable and start the service:

```bash
systemctl start fail2ban
systemctl enable fail2ban
systemctl status fail2ban
```

# How to check resource accounting

In the Openstack dashboard, select "Overview" on the left panel:

[![](https://wiki.incd.pt/uploads/images/gallery/2021-01/scaled-1680-/iSqWcMwX4L2ULl4y-image-1611055907207.png)](https://wiki.incd.pt/uploads/images/gallery/2021-01/iSqWcMwX4L2ULl4y-image-1611055907207.png)

Scroll down to see the "Usage Summary" and select the initial date, for example January 1st 2021, and end date (the default is the current day):

[![](https://wiki.incd.pt/uploads/images/gallery/2021-01/scaled-1680-/LWDf8axZT2r32FIk-image-1611056010894.png)](https://wiki.incd.pt/uploads/images/gallery/2021-01/LWDf8axZT2r32FIk-image-1611056010894.png)

After you click "submit" you will see the summary table with resource usage, shown below:

[![](https://wiki.incd.pt/uploads/images/gallery/2021-01/scaled-1680-/J2RLXfrmkFOgnqvx-image-1611056136344.png)](https://wiki.incd.pt/uploads/images/gallery/2021-01/J2RLXfrmkFOgnqvx-image-1611056136344.png)

# Time synchronization

## Recommendations for NTP configuration

For stratus.ncg.ingrid.pt use the INCD provided NTP servers:

```
server ntp01.ncg.ingrid.pt
server ntp02.ncg.ingrid.pt

```

To use other NTP servers configure them as "peer" not "server" like:

```
peer ntp02.oal.ul.pt
peer ntp04.oal.ul.pt
peer ntp01.fccn.pt
peer ntp02.fccn.pt

```