Securing Instances
Securing your cloud instances is critical for protecting sensitive data and ensuring system integrity. Whether you're deploying on Ubuntu or Windows, following a comprehensive set of hardening practices can drastically reduce your exposure to potential attacks. This guide outlines the essential steps for locking down your virtual machines (VMs) with clarity and precision.
- Ubuntu
- Windows
Ubuntu Server Hardening
1. SSH Key Authentication
Disable password-based SSH logins to prevent brute-force attacks.
Steps:
- Generate a key pair:
ssh-keygen -t rsa -b 4096 -C "your@email.com"
- Copy the public key to your VM:
ssh-copy-id username@vm-ip-address
- Disable password login in /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin no
- Restart SSH:
sudo systemctl restart ssh
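As an added example that is not part of the original guide, the POSIX shell script below checks and applies the two settings the way sshd actually reads them: sshd uses the first value it finds for a keyword, and recent Ubuntu releases include /etc/ssh/sshd_config.d/*.conf near the top of sshd_config, so a drop-in file takes precedence over a later setting in the main file. The drop-in path 99-hardening.conf and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original guide. Check and apply the SSH
# hardening settings. sshd takes the FIRST value it sees for a keyword, and
# recent Ubuntu releases include /etc/ssh/sshd_config.d/*.conf at the top of
# sshd_config, so a drop-in file overrides the main file.

# sshd_effective KEYWORD FILE...: print the effective value of KEYWORD across
# the files in the order sshd would read them (first match wins). Parsing
# stops at the first "Match" block, since values inside it apply only
# conditionally and must not satisfy a global check.
sshd_effective() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    awk -v kw="$kw" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == kw      { print $2; exit }
    ' "$@"
}

# ssh_is_hardened FILE...: true only if both keywords are explicitly "no".
# An unset keyword falls back to sshd's default (password auth enabled),
# so a missing setting counts as not hardened.
ssh_is_hardened() {
    [ $# -gt 0 ] || return 1
    pa=$(sshd_effective PasswordAuthentication "$@")
    pr=$(sshd_effective PermitRootLogin "$@")
    [ "${pa:-yes}" = "no" ] && [ "${pr:-yes}" = "no" ]
}

# apply_ssh_hardening [DROPIN]: write the drop-in (path is an assumption),
# validate the complete config with `sshd -t`, and only then restart.
# Needs root; confirm key-based login works in a second session first.
apply_ssh_hardening() {
    dropin=${1:-/etc/ssh/sshd_config.d/99-hardening.conf}
    printf 'PasswordAuthentication no\nPermitRootLogin no\n' > "$dropin"
    sshd -t && systemctl restart ssh
}

# live_files: the readable config files in the order sshd reads them.
live_files() {
    for f in /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config; do
        [ -r "$f" ] && printf '%s\n' "$f"
    done
}

# Read-only report against the live configuration.
if [ -r /etc/ssh/sshd_config ]; then
    if ssh_is_hardened $(live_files); then
        echo "sshd: password and root login are disabled"
    else
        echo "sshd: password or root login is still allowed"
    fi
fi
```

Run the script as-is for the read-only report; call apply_ssh_hardening as root to write the drop-in. Validating with sshd -t before restarting matters because a typo in sshd_config can leave the service down and lock you out of the instance.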
2. Configure UFW Firewall
Control network traffic with strict default policies.
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable
3. Regular Updates & Security Patches
Apply the latest security fixes automatically.
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
4. Fail2Ban Protection
Automatically ban IPs making repeated failed login attempts.
sudo apt install fail2ban
sudo systemctl enable fail2ban --now
5. Principle of Least Privilege
Avoid using root for daily tasks.
sudo adduser youruser
sudo usermod -aG sudo youruser
6. Service Auditing
Disable unnecessary services to reduce the attack surface.
sudo ss -tulnp
sudo systemctl disable --now unwanted-service
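The point of the audit in step 6 is which listeners are reachable from the network, not merely which exist. As an added example that is not part of the original guide, the POSIX shell/awk filter below reads `ss -tulnp` output and reports only sockets bound to every interface (0.0.0.0, [::] or *), which are the ones a UFW allow rule would expose; loopback-only services such as a local database are left out. The sample ss output embedded in the script is constructed, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: find the services that would be
# reachable from outside, by filtering `ss -tulnp` output for sockets bound to
# all interfaces. The sample output below is constructed for the demo.

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*        users:(("sshd",pid=800,fd=4))
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*     users:(("mysqld",pid=912,fd=21))
tcp   LISTEN 0      511    *:80              *:*           users:(("nginx",pid=1001,fd=6),("nginx",pid=1000,fd=6))
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*     users:(("systemd-resolve",pid=500,fd=12))'

# exposed_listeners: read `ss -tulnp` output on stdin and print one
# "proto port process" line per socket bound to all interfaces.
exposed_listeners() {
    awk 'NR > 1 {
            # Local Address:Port is column 5; the port is after the last colon.
            n = split($5, a, ":"); port = a[n]
            host = substr($5, 1, length($5) - length(port) - 1)
            if (host == "0.0.0.0" || host == "*" || host == "[::]") {
                proc = "-"
                # Process column looks like users:(("sshd",pid=800,fd=3)); take the name.
                if (match($0, /users:\(\("[^"]+"/))
                    proc = substr($0, RSTART + 9, RLENGTH - 10)
                print $1, port, proc
            }
         }' | sort -u
}

# Demo on the constructed sample; on a real host pipe `sudo ss -tulnp` in instead.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

On the sample this prints tcp 22 sshd and tcp 80 nginx, while mysqld on 127.0.0.1 and the stub resolver on 127.0.0.53 are not listed. Anything printed that you do not recognise is a candidate for `systemctl disable --now`, or for rebinding to loopback if it is only used locally.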
7. Log Monitoring
Set up log analysis tools like Logwatch.
sudo apt install logwatch
Windows Server Hardening
1. Secure the Administrator Account
Change the default password and use complex credentials (the password below is a placeholder; substitute your own).
net user Administrator "StrongPassw0rd!"
2. Windows Firewall Configuration
Ensure only necessary traffic is allowed.
- Open Windows Defender Firewall settings
- Create inbound rules only for required ports (e.g., 3389 for RDP)
3. System Updates
Enable automatic updates for security patches.
- Navigate to Settings > Update & Security > Windows Update
- Enable scheduled installs
4. Harden Remote Desktop
If RDP is required:
- Enable Network Level Authentication
- Configure account lockout policy via secpol.msc
- Limit RDP access to trusted IPs
The following enables Remote Desktop connections (fDenyTSConnections 0 = allow, 1 = deny), so run it only when RDP is actually required:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -name fDenyTSConnections -Value 0
5. Antivirus Setup
Use Windows Defender or a trusted 3rd-party solution.
- Enable regular scans
- Turn on real-time protection
6. Account Lockout Policies
- Open secpol.msc
- Set lockout threshold, duration, and reset timers under Account Lockout Policy
7. Audit Logging
Monitor activities with Event Viewer and enable alerts for suspicious behavior.
Extended Hardening Practices (All OS)
Database Security
- Use encrypted connections (SSL/TLS)
- Remove default/test users
- Apply least-privilege principles
- Enable logging and monitoring
Web Server Hardening
- Use HTTPS with valid SSL certs
- Disable directory listing and server headers
- Apply rate-limiting rules and security headers (CSP, HSTS)
SIEM Integration
- Deploy centralized log collectors (Filebeat, Wazuh)
- Use alert rules for failed logins, privilege escalations, config changes
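The "failed logins" alert rule above, Fail2Ban's sshd jail (Ubuntu step 4) and Logwatch's SSH summary (Ubuntu step 7) all rest on the same detection: count authentication failures per source address and act when a threshold is crossed. As an added example that is not part of the original guide, the POSIX shell/awk filter below runs that logic over auth.log-style lines; the sample log lines are constructed, and the function names and the threshold of 3 are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original guide: the detection behind Fail2Ban's
# sshd jail and a SIEM "failed logins" rule, as a shell/awk filter over
# auth.log-style lines. The log lines below are constructed.

SAMPLE_AUTH_LOG='Jun  1 10:00:01 vm sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun  1 10:00:03 vm sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun  1 10:00:05 vm sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Jun  1 10:00:09 vm sshd[1207]: Accepted publickey for youruser from 198.51.100.4 port 40022 ssh2
Jun  1 10:00:12 vm sshd[1209]: Failed password for youruser from 198.51.100.4 port 40030 ssh2
Jun  1 10:00:20 vm sshd[1210]: Accepted publickey for youruser from 198.51.100.4 port 40031 ssh2'

# failed_logins_by_ip: read log lines on stdin and print "count ip" for each
# source of "Failed password" events, busiest first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: print only the addresses with at least THRESHOLD
# failures, i.e. what Fail2Ban's maxretry would ban and a SIEM rule would
# alert on.
offenders() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed lines; on a host, feed it /var/log/auth.log or
# `journalctl -u ssh -o short` instead.
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 3
```

On the sample only 203.0.113.7 is reported: three failures against different accounts in a few seconds, while the single failure from 198.51.100.4 followed by a successful key login is ordinary user behaviour. Fail2Ban additionally confines the count to a sliding findtime window, which this example omits by counting over the whole input; the equivalent SIEM rule should also carry a time window.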
Backups & Disaster Recovery
- Schedule regular, encrypted backups
- Store offsite (e.g., S3, GCS, external drive)
- Periodically test restores
VPN Access Control
- Deploy VPN like WireGuard or OpenVPN
- Restrict SSH/RDP access via VPN-only routes
- Disable direct public IP access to sensitive services