9.4. Service Policy¶
To be able to log in to your Virtuozzo Hybrid Server server for administration purposes, make sure that services listed in the table are enabled on the server.
||Provides network connectivity for the Virtuozzo Hybrid Server server itself and virtual environments residing on it.|
||Most of the Virtuozzo Hybrid Server servers reside in datacenters and are managed remotely.|
||Virtuozzo Hybrid Server uses a number of cron-based tools for periodical checking and reporting of system health parameters.|
||System events logging.|
||Virtuozzo Hybrid Server management service.|
||Performs management tasks on virtual environments.|
The following best practices apply:
- Configure your SSH daemon to use protocol version 2.
- Prohibit remote root login as most attacks are performed to this account. Login as a non-privileged user and switch to the root credentials using
sudopackage if required.
- Prohibit authentication based on
rhostsas they are known to be vulnerable.
- Do not use remote logging over UDP protocol.
- Use TCP transport and SSH tunnel for remote logging, if packets pass through an untrusted network.
- Block the remote access to
prl-dispif you do not use virtual environment migration, remote backup/restoration, or remote access to Virtuozzo Hybrid Server servers via
prlctlor Virtuozzo Hybrid Server SDK.
- Enable encryption of all the data transmitted between management services on different nodes by running
prlsrvctl set --min-security-level highand restarting
prl-disp. Doing this will significantly slow down virtual environment migration.
Additionally, it is recommended to have only hardware-related services running on your Virtuozzo Hybrid Server server. For example, you can run
snmpd on the server, but make sure to isolate services like web or mail servers inside virtual environments in case they are attacked.