9.4. Service Policy
To be able to log in to your Virtuozzo server and administer it, make sure that the services listed in the table below are enabled on the server.
| Service | Description |
|---|---|
| | Provides network connectivity for the Virtuozzo server itself and the virtual environments residing on it. |
| | Most Virtuozzo servers reside in datacenters and are managed remotely over SSH. |
| | Virtuozzo uses a number of cron-based tools for periodic checking and reporting of system health parameters. |
| | System event logging. |
| | Virtuozzo management service. |
| | Performs management tasks on virtual environments. |
The following best practices apply:
- Configure your SSH daemon to use protocol version 2 only (`Protocol 2` in `sshd_config`). OpenSSH 7.4 and later no longer support protocol version 1 at all, so on those releases this is already the only option.
- Prohibit remote root login (`PermitRootLogin no`), as root is the account most attacks target. Log in as a non-privileged user and switch to root with `sudo` when required.
- Prohibit authentication based on `rhosts` (`IgnoreRhosts yes`, `HostbasedAuthentication no`). It trusts the client's host name or address, which an attacker can spoof, and is known to be vulnerable.
- Do not use remote logging over UDP: syslog over UDP is unauthenticated, unencrypted, and packets can be dropped without trace.
- Use TCP transport through an SSH tunnel for remote logging if the packets pass through an untrusted network.
- Block remote access to `prl-disp-service` if you do not use virtual environment migration, remote backup/restoration, or remote access to Virtuozzo servers via `prlctl` or the Virtuozzo SDK.
- Enable encryption of all data transmitted between management services on different nodes by running `prlsrvctl set --min-security-level high` and restarting `prl-disp-service`. Be aware that this significantly slows down virtual environment migration, because the migrated data is then encrypted in transit.
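The SSH and logging items above can be checked against the node's actual configuration files rather than by reading them by eye. The script below is an added example, not Virtuozzo's own tooling: the two `sshd_config` and two `rsyslog.conf` samples it writes are constructed for the demonstration, and the log host address 192.0.2.10, the tunnel port 10514 and the name `loghost` are placeholders. It also covers two `sshd_config` details that the list does not mention and that routinely undo a hardening change: sshd uses the first value it reads for a keyword, so a `PermitRootLogin no` appended below an earlier `PermitRootLogin yes` is silently ignored, and anything after a `Match` line is conditional rather than global.

```shell
#!/bin/sh
# Audit a node's sshd_config and rsyslog.conf against the SSH and logging
# items of the service policy above. Added example, not Virtuozzo tooling;
# the sample configuration files written below are constructed.

# ssh_effective FILE KEYWORD
# Prints the value sshd would actually use for KEYWORD. Two sshd_config rules
# matter here: for each keyword the FIRST value read wins (later duplicates are
# ignored), and anything after a "Match" line is conditional, not global.
ssh_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/    { next }        # skip comments and blank lines
        tolower($1) == "match"  { exit }        # global section ends at the first Match block
        tolower($1) == k        { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE
# Prints one line per keyword; returns 0 only if every keyword is compliant.
# Entries are KEYWORD:REQUIRED:DEFAULT, the default being what OpenSSH uses when
# the keyword is absent. PermitRootLogin defaults to prohibit-password, which
# still allows key-based root logins, so it must be set to "no" explicitly.
check_sshd_config() {
    rc=0
    for entry in PermitRootLogin:no:prohibit-password \
                 IgnoreRhosts:yes:yes \
                 HostbasedAuthentication:no:no; do
        key=${entry%%:*}
        rest=${entry#*:}
        want=${rest%%:*}
        default=${rest#*:}
        got=$(ssh_effective "$1" "$key")
        [ -n "$got" ] || got=$default
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '$got', policy requires '$want'"
            rc=1
        fi
    done
    return $rc
}

# check_rsyslog_udp FILE
# Prints every rule that receives or forwards syslog over UDP; returns 1 if any.
# Legacy syntax: "@host" forwards over UDP, "@@host" over TCP. RainerScript
# omfwd actions default to UDP unless protocol="tcp" is given. imudp and
# $UDPServerRun open a UDP syslog listener on the node itself.
check_rsyslog_udp() {
    hits=$(awk '
        /^[[:space:]]*(#|$)/ { next }
        $2 ~ /^@[^@]/ { print "UDP forwarding: " $0; next }
        tolower($0) ~ /type="omfwd"/ && tolower($0) !~ /protocol="tcp"/ { print "UDP forwarding (omfwd default): " $0; next }
        tolower($0) ~ /imudp|udpserverrun/ { print "UDP syslog listener: " $0; next }
    ' "$1")
    [ -z "$hits" ] && return 0
    echo "$hits"
    return 1
}

# --- constructed samples ---------------------------------------------------
BAD_SSHD=$(mktemp); GOOD_SSHD=$(mktemp); BAD_RSYSLOG=$(mktemp); GOOD_RSYSLOG=$(mktemp)
trap 'rm -f "$BAD_SSHD" "$GOOD_SSHD" "$BAD_RSYSLOG" "$GOOD_RSYSLOG"' EXIT

cat > "$BAD_SSHD" <<'EOF'
Port 22
PermitRootLogin yes
IgnoreRhosts yes
# appended later; sshd already took "yes" above, so this line changes nothing
PermitRootLogin no
Match User backup
    HostbasedAuthentication no
EOF

cat > "$GOOD_SSHD" <<'EOF'
PermitRootLogin no
IgnoreRhosts yes
HostbasedAuthentication no
EOF

cat > "$BAD_RSYSLOG" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
*.info;mail.none @192.0.2.10:514
authpriv.* @@192.0.2.10:514
action(type="omfwd" target="192.0.2.10" port="514")
EOF

cat > "$GOOD_RSYSLOG" <<'EOF'
# TCP to a local port that "ssh -N -L 10514:127.0.0.1:514 loghost" tunnels to the log host
*.* @@127.0.0.1:10514
EOF

for f in "$BAD_SSHD" "$GOOD_SSHD"; do
    if check_sshd_config "$f"; then echo "$f: sshd policy OK"; else echo "$f: sshd policy VIOLATED"; fi
done
for f in "$BAD_RSYSLOG" "$GOOD_RSYSLOG"; do
    if check_rsyslog_udp "$f"; then echo "$f: no UDP syslog"; else echo "$f: UDP syslog in use"; fi
done
```

On a real node, point `check_sshd_config` at `/etc/ssh/sshd_config` and `check_rsyslog_udp` at `/etc/rsyslog.conf` and each file under `/etc/rsyslog.d/`. The dispatcher items of the list (`prl-disp-service` reachability and `--min-security-level`) are not covered by this script because they depend on `prlsrvctl` and the node's firewall rather than on a configuration file.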
Additionally, it is recommended to run only hardware-related services on the Virtuozzo server itself. For example, you can run `snmpd` on the server, but isolate services such as web or mail servers inside virtual environments, so that a compromise of one of them does not give the attacker a foothold on the node that hosts all the others.