9.4. Service Policy

To be able to log in to your Virtuozzo Hybrid Server server for administration purposes, make sure that the services listed in the table below are enabled on the server.

Service     Description
network     Provides network connectivity for the Virtuozzo Hybrid Server server itself and for the virtual environments residing on it.
sshd        Remote administration over SSH. Most Virtuozzo Hybrid Server servers reside in datacenters and are managed remotely.
crond       Virtuozzo Hybrid Server uses a number of cron-based tools for periodic checking and reporting of system health parameters.
rsyslogd    System event logging.
prl-disp    Virtuozzo Hybrid Server management service.
libvirtd    Performs management tasks on virtual environments.

The following best practices apply:

sshd:

  • Configure your SSH daemon to use protocol version 2 only (Protocol 2). Note that OpenSSH 7.4 and later no longer support version 1 at all and ignore this directive.
  • Prohibit remote root login (PermitRootLogin no), as most attacks target this account. Log in as a non-privileged user and switch to root with sudo when required.
  • Prohibit host-based and rhosts authentication (HostbasedAuthentication no, IgnoreRhosts yes). These mechanisms trust the client host rather than the user and are known to be vulnerable.
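The three sshd practices above map to the OpenSSH directives Protocol, PermitRootLogin, HostbasedAuthentication and IgnoreRhosts. The following shell script is an added example, not part of the Virtuozzo documentation: it audits an sshd_config for those directives against two constructed sample files. Like sshd itself it takes the first occurrence of each keyword, but it reads only the global section and stops at the first Match block, so per-connection overrides are not evaluated; the file names and sample contents are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an OpenSSH sshd_config for the settings this section
# requires. Not part of the Virtuozzo documentation; the directive names are
# the standard OpenSSH ones, the sample configs below are constructed.

# Print the effective value (lowercased) of keyword $2 in config $1.
# Only the global section is read: parsing stops at the first Match block,
# and, as sshd does, the first occurrence of a keyword wins.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/       { next }
        /^[[:space:]]*$/       { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# Check the three practices. Prints one FAIL line per finding and returns
# non-zero if any check fails.
audit_sshd_config() {
    file=$1
    rc=0

    # Protocol: only version 2 may be offered. OpenSSH 7.4 and later dropped
    # version 1 and ignore this directive, so "unset" is acceptable there;
    # anything other than "2" on an older build is a finding.
    proto=$(sshd_setting "$file" Protocol)
    case "$proto" in
        ""|2) ;;
        *) echo "FAIL Protocol=$proto (must be 2)"; rc=1 ;;
    esac

    # Root login must be disabled outright. The compiled-in default
    # (prohibit-password since OpenSSH 7.0, yes before that) still lets
    # root in, so an unset directive is also a finding.
    root=$(sshd_setting "$file" PermitRootLogin)
    case "$root" in
        no) ;;
        "") echo "FAIL PermitRootLogin unset (default still allows root)"; rc=1 ;;
        *)  echo "FAIL PermitRootLogin=$root (must be no)"; rc=1 ;;
    esac

    # Host-based and rhosts trust: the defaults (no / yes) are already safe,
    # so only an explicit weakening is reported.
    hb=$(sshd_setting "$file" HostbasedAuthentication)
    if [ "$hb" = yes ]; then
        echo "FAIL HostbasedAuthentication=yes (must be no)"; rc=1
    fi
    rh=$(sshd_setting "$file" IgnoreRhosts)
    if [ "$rh" = no ]; then
        echo "FAIL IgnoreRhosts=no (must be yes)"; rc=1
    fi
    return $rc
}

# Constructed sample configs, one permissive and one hardened.
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# constructed: permissive settings as often found on a fresh install
Port 22
Protocol 2,1
PermitRootLogin yes
HostbasedAuthentication yes
IgnoreRhosts no
EOF
cat >"$HARD_CONF" <<'EOF'
# constructed: hardened per this section
Port 22
Protocol 2
PermitRootLogin no
HostbasedAuthentication no
IgnoreRhosts yes
# Per-source overrides live in Match blocks, which this audit does not read.
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF

echo "== $WEAK_CONF (weak) =="
audit_sshd_config "$WEAK_CONF" || echo "result: NOT compliant"
echo "== $HARD_CONF (hardened) =="
audit_sshd_config "$HARD_CONF" && echo "result: compliant"
```

Run it against the real file with audit_sshd_config /etc/ssh/sshd_config; on a live host, sshd -T prints the fully resolved configuration (Match blocks included) and is the more authoritative source for the same checks.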

rsyslogd:

  • Do not send logs to a remote host over UDP: the datagrams are neither authenticated nor encrypted, and they are silently dropped under load.
  • Use TCP transport for remote logging, and tunnel it over SSH if the packets cross an untrusted network.
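The two rsyslogd practices above, as an added example that is not part of the Virtuozzo documentation: the script flags forwarding actions in an rsyslog configuration that use UDP (legacy @host with a single @, and RainerScript omfwd actions with protocol="udp" or with no protocol at all, since omfwd defaults to UDP), then emits the client-side replacement that forwards over TCP to the local end of an SSH tunnel. The sample configuration, the host name loghost.example.com and the port numbers (10514 locally, 514 on the log host) are constructed assumptions; the checker is line-based and assumes one action per line.

```shell
#!/bin/sh
# Added example: find rsyslog forwarding actions that use UDP and emit the
# replacement stanza for TCP forwarding through an SSH tunnel. Not part of
# the Virtuozzo documentation; the sample config and host name are
# constructed, and the port numbers (10514 local, 514 remote) are assumptions.

# Print every active line of rsyslog config $1 that forwards over UDP:
#   - legacy "@host" (one @; "@@host" is TCP)
#   - RainerScript omfwd with protocol="udp" or no protocol (UDP is the default)
# Returns 0 if any were found, 1 if none. Assumes one action per line.
rsyslog_udp_forwards() {
    awk '
        /^[[:space:]]*#/ { next }
        /(^|[[:space:]])@[^@]/ { print; found = 1; next }
        tolower($0) ~ /type="omfwd"/ && tolower($0) !~ /protocol="tcp"/ { print; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Emit the client-side replacement: all messages go over TCP to the local
# end of an SSH tunnel, so nothing leaves the host in clear text.
# $1 is the local tunnel port (assumed 10514), $2 the remote log host.
rsyslog_tunnel_conf() {
    port=${1:-10514}
    loghost=${2:-loghost.example.com}
    cat <<EOF
# Forward all messages over TCP (@@) to the local end of an SSH tunnel.
# Open the tunnel from this node before rsyslog starts, for example:
#   ssh -N -L 127.0.0.1:${port}:127.0.0.1:514 syslog@${loghost}
# On ${loghost}, rsyslog's TCP listener (imtcp) must accept port 514.
*.* @@127.0.0.1:${port}
EOF
}

# Constructed sample fragment mixing UDP and TCP forwarding actions.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# constructed sample /etc/rsyslog.conf fragment
*.info;mail.none      /var/log/messages
*.*                   @192.0.2.10:514
auth.*                @@192.0.2.10:514
action(type="omfwd" target="192.0.2.11" port="514" protocol="udp")
action(type="omfwd" target="192.0.2.12" port="514")
action(type="omfwd" target="192.0.2.13" port="514" protocol="tcp")
EOF

echo "== UDP forwarding actions in $SAMPLE_CONF =="
rsyslog_udp_forwards "$SAMPLE_CONF" || echo "(none)"
echo "== replacement stanza =="
rsyslog_tunnel_conf 10514 loghost.example.com
```

The SSH tunnel binds only to 127.0.0.1 on the node, so other hosts cannot inject messages into it; keep the tunnel running under a supervisor, because rsyslog will queue and then drop messages if the local port is not listening.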

prl-disp:

  • Block remote access to prl-disp if you do not use virtual environment migration, remote backup/restoration, or remote access to Virtuozzo Hybrid Server servers via prlctl or the Virtuozzo Hybrid Server SDK.
  • Enable encryption of all data transmitted between management services on different nodes by running prlsrvctl set --min-security-level high and restarting prl-disp. Note that this significantly slows down virtual environment migration.

Additionally, it is recommended to run only hardware- and host-related services on the Virtuozzo Hybrid Server server itself. For example, smartd or snmpd can run on the server, but services such as web or mail servers should be isolated inside virtual environments, so that an attack on one of them does not compromise the host.