9.4. Service Policy¶

To be able to log in to your Virtuozzo Hybrid Server server for administration purposes, make sure that services listed in the table are enabled on the server.

The following best practices apply:

sshd:

• Configure your SSH daemon to use protocol version 2.

• Prohibit remote root login as most attacks are performed to this account. Login as a non-privileged user and switch to the root credentials using sudo package if required.

• Prohibit authentication based on hosts and rhosts as they are known to be vulnerable.

rsyslogd:

• Do not use remote logging over UDP protocol.

• Use TCP transport and SSH tunnel for remote logging, if packets pass through an untrusted network.

prl-disp:

• Block the remote access to prl-disp if you do not use virtual environment migration, remote backup/restoration, or remote access to Virtuozzo Hybrid Server servers via prlctl or Virtuozzo Hybrid Server SDK.

• Enable encryption of all the data transmitted between management services on different nodes by running prlsrvctl set --min-security-level high and restarting prl-disp. Doing this will significantly slow down virtual environment migration.

Additionally, it is recommended to have only hardware-related services running on your Virtuozzo Hybrid Server server. For example, you can run smartd or snmpd on the server, but make sure to isolate services like web or mail servers inside virtual environments in case they are attacked.