9.4. Service Policy

To be able to log in to your Virtuozzo server for administration purposes, make sure that the services listed in the table below are enabled on the server.

Service            Description
network            Provides network connectivity for the Virtuozzo server itself and the virtual environments residing on it.
sshd               Remote administration. Most Virtuozzo servers reside in datacenters and are managed remotely over SSH.
crond              Virtuozzo uses a number of cron-based tools to periodically check and report system health parameters.
rsyslogd           System event logging.
prl-disp-service   Virtuozzo management service.
libvirtd           Performs management tasks on virtual environments.

The following best practices apply:

sshd:

  • Configure the SSH daemon to use protocol version 2.
  • Prohibit remote root login, as most attacks target this account. Log in as a non-privileged user and switch to root with sudo when required.
  • Prohibit host-based and rhosts authentication, as these mechanisms are known to be vulnerable.
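The three sshd practices above map to the sshd_config keywords Protocol, PermitRootLogin, HostbasedAuthentication and IgnoreRhosts. The script below is an added example, not part of the Virtuozzo documentation or tooling: it reads an sshd_config file the way sshd does (first occurrence of a keyword wins, keyword names are case-insensitive) and reports every practice the file violates. The two sample configurations it writes to a temporary directory are constructed for the demonstration; only global settings are audited, and the audit stops at the first Match block.

```shell
#!/bin/sh
# Added example (not Virtuozzo's own tooling): audit an sshd_config file against the
# three sshd practices in this section. Sample configs below are constructed.

# Print the effective value of a keyword ($1 = config file, $2 = keyword). sshd takes the
# first occurrence, keyword names are case-insensitive, and both "Keyword value" and
# "Keyword=value" are accepted. Only global settings are read: parsing stops at "Match".
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[[:space:]]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        {
            split($0, f, /[[:space:]=]+/)
            if (tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one line per violated practice and return the number of violations (0 = compliant).
audit_sshd_config() {
    file=$1
    findings=0

    # Practice 1: protocol version 2 only. An absent Protocol keyword counts as 2, which is
    # the default in current OpenSSH releases (they no longer ship protocol 1 at all).
    proto=$(sshd_value "$file" Protocol)
    if [ "${proto:-2}" != "2" ]; then
        echo "$file: Protocol is '$proto', expected 2"; findings=$((findings + 1))
    fi

    # Practice 2: no remote root login. The OpenSSH default differs between releases
    # (yes in older ones, prohibit-password in newer ones), so an explicit "no" is required.
    root=$(lc "$(sshd_value "$file" PermitRootLogin)")
    if [ "$root" != "no" ]; then
        echo "$file: PermitRootLogin is '${root:-unset}', expected no"; findings=$((findings + 1))
    fi

    # Practice 3: no host-based or rhosts authentication. OpenSSH defaults are
    # HostbasedAuthentication no and IgnoreRhosts yes, so only explicit overrides fail.
    hostbased=$(lc "$(sshd_value "$file" HostbasedAuthentication)")
    if [ "${hostbased:-no}" != "no" ]; then
        echo "$file: HostbasedAuthentication is '$hostbased', expected no"; findings=$((findings + 1))
    fi
    rhosts=$(lc "$(sshd_value "$file" IgnoreRhosts)")
    if [ "${rhosts:-yes}" != "yes" ]; then
        echo "$file: IgnoreRhosts is '$rhosts', expected yes"; findings=$((findings + 1))
    fi

    return $findings
}

# Constructed sample configurations in a temporary directory, removed on exit.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK_CONF=$WORKDIR/sshd_config.weak
HARDENED_CONF=$WORKDIR/sshd_config.hardened
cat > "$WEAK_CONF" <<'EOF'
# constructed: every practice in this section is violated
Protocol 2,1
PermitRootLogin yes
HostbasedAuthentication yes
IgnoreRhosts no
EOF
cat > "$HARDENED_CONF" <<'EOF'
# constructed: the settings the audit expects
Protocol 2
PermitRootLogin no
HostbasedAuthentication no
IgnoreRhosts yes
EOF

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    audit_sshd_config "$conf" || echo "$conf: $? finding(s)"
done
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`; the return code is the number of findings, which makes the function usable from a cron-based health check like the ones crond runs for Virtuozzo. Note that a Match block can re-enable settings for particular users or addresses, so a compliant global section is necessary but not sufficient.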

rsyslogd:

  • Do not send logs to a remote host over UDP.
  • Use TCP transport inside an SSH tunnel for remote logging if the packets traverse an untrusted network.
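In rsyslog's legacy rule syntax a target written as `@host` forwards over UDP and `@@host` forwards over TCP, so the two practices above can be checked by inspecting the forwarding targets. The script below is an added example and not part of the Virtuozzo documentation or tooling: it flags every UDP forwarding rule and every TCP rule that sends logs to a remote address directly rather than to the local end of an SSH tunnel. The tunnel command in the comments, the log-host name, the tunnel port 10514 and both sample configurations are constructed; RainerScript `action()` statements are not parsed.

```shell
#!/bin/sh
# Added example (not Virtuozzo's own tooling): check rsyslog forwarding rules against the
# two rsyslogd practices in this section. Legacy syntax only: "@host" is UDP, "@@host" is TCP.
# The log-host name, the tunnel port and the sample configs are constructed.

# Port-forward that carries log traffic inside SSH: each connection to 127.0.0.1:10514 on
# the Virtuozzo server is delivered to port 514 on the log host (names are assumptions),
# where rsyslog listens for TCP on its loopback address:
#   ssh -N -L 10514:127.0.0.1:514 logadmin@loghost.example.com

# Print one line per forwarding rule that breaks the policy; return the number of findings.
audit_rsyslog_forwarding() {
    file=$1
    findings=0
    # read splits on whitespace without glob expansion, so a "*.*" selector stays literal
    while read -r selector target rest; do
        case $selector in
            ''|\#*) continue ;;          # blank line or comment
        esac
        case $target in
            @@*) proto=tcp; host=${target#@@} ;;
            @*)  proto=udp; host=${target#@} ;;
            *)   continue ;;             # local file, pipe, etc.: not a forwarding rule
        esac
        host=${host#\(*\)}               # drop legacy action options such as "(o)"
        host=${host%%:*}                 # drop ":port" (IPv4 addresses and hostnames only)
        case $proto in
            udp)
                echo "$file: '$selector $target' forwards over UDP; use TCP (@@) instead"
                findings=$((findings + 1)) ;;
            tcp)
                case $host in
                    127.*|localhost) ;;  # local end of the SSH tunnel: compliant
                    *)
                        echo "$file: '$selector $target' sends TCP to $host directly; route it through an SSH tunnel if the path is untrusted"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$file"
    return $findings
}

# Constructed sample configurations in a temporary directory, removed on exit.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK_CONF=$WORKDIR/rsyslog.conf.weak
HARDENED_CONF=$WORKDIR/rsyslog.conf.hardened
cat > "$WEAK_CONF" <<'EOF'
# constructed: plaintext UDP, and TCP straight across the network
*.* @192.0.2.10:514
auth.* @@192.0.2.10:514
EOF
cat > "$HARDENED_CONF" <<'EOF'
# constructed: TCP to the local end of the SSH tunnel, plus a local file
*.* @@127.0.0.1:10514
*.* /var/log/messages
EOF

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    audit_rsyslog_forwarding "$conf" || echo "$conf: $? finding(s)"
done
```

A loopback TCP target is treated as compliant because the only thing that can answer on 127.0.0.1:10514 is the SSH client's listener; if the tunnel is down, rsyslog queues the messages instead of sending them in the clear. The remote-TCP case is reported as a finding rather than silently accepted, since the script cannot know whether the path to that host is trusted.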

prl-disp-service:

  • Block remote access to prl-disp-service if you do not use virtual environment migration, remote backup and restore, or remote access to Virtuozzo servers via prlctl or the Virtuozzo SDK.

Additionally, run only hardware-related services on the Virtuozzo server itself. For example, smartd or snmpd can run on the server, but services such as web or mail servers should be isolated inside virtual environments so that a compromise of one of them does not expose the server.