Best practice
External Cloud Tenancy additional notes
Best practice guides for “server hardening” of Linux machines facing the internet:
And particularly for web servers:
Additional notes regarding JASMIN External Cloud environment:
- The Shield NAT/Firewall device is the only isolation between Tenant VMs and the raw internet.
- We monitor network traffic at the gateway/router but
- Security is the responsibility of the tenant. Please follow suggested security hardening guidelines for all VMs with connections to 192.171.139.0/25
- Access to other JASMIN hosts and services from the external cloud, is the same as access from internet to these services.
- The default CentOS public catalog template is configured to use DNS, NTP and yum repo network services from the internet, not from the RAL site.
- SMTP (mail) server/relay configuration is the responsibility/choice of the tenant.
- We recommend tenants choose a hosted email server with virus and SPAM filtering and not attempt to configure their own email pipelines.
- Reverse DNS (IP to hostname) for 192.171.129.0/25 is managed by NERC DNS servers along with ( shortly ) default forward A name records.
- SMTP (mail) server/relay configuration is the responsibility/choice of the tenant.
Tenants may setup forward A or CNAME DNS records (hostname to IP) for any domainnames they own/control via their own DNS or institutional name servers