Securing Webservers

The HPC Cloud operates under a shared responsibility model with respect to server and service security. This means that MPI Project admins are responsible for ensuring that the services they open to the internet are as secure as possible and are regularly checked and upgraded.

Online services exist both to generate secure example configurations and to test any service that is exposed to the public internet.

Configuration generator

To generate a secure configuration, the following tool from Mozilla is often useful:

Mozilla SSL config generator: https://ssl-config.mozilla.org/ (note that this also provides example configs for databases such as MySQL and PostgreSQL)

The highest level of protection, “Modern”, is advised if possible. However, in many real-life cases the “Intermediate” level of protection is a good compromise between security and access (ensuring most clients can access the service).

Scanning Services

When scanning webservers, the following webpage is simple to use and provides detailed information about the security level of the scanned server.

SSL Labs page: https://www.ssllabs.com/ssltest/

Moreover, several command-line scanning tools exist, including:

Note: The command-line tools can be especially useful when services are exposed on non-standard ports and/or when you wish to scan a service which has yet to be opened to the public internet (in general we would advise scanning locally before opening the service to the public internet).
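
A local pre-exposure check in the spirit of the note above, as an added example that is not part of the original page: it probes which TLS protocol versions a service accepts on any host and port, then lists those that fall outside the Mozilla “Modern” (TLS 1.3 only) or “Intermediate” (TLS 1.2 and 1.3) profiles. The function names and the host and port in the comment are assumptions; cipher suites and certificates are not checked.

```python
import socket
import ssl

# Protocol versions each Mozilla profile permits.
PROFILES = {"modern": {"TLSv1.3"}, "intermediate": {"TLSv1.2", "TLSv1.3"}}
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port, timeout=5.0):
    """Map each version to True (accepted), False (refused) or
    None (the local OpenSSL build cannot offer it, so it is untested)."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Only protocol support is measured; a host that is not yet public
        # often has a self-signed certificate, so verification is off.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # allow offering legacy TLS
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ssl.SSLError, ValueError):
            results[name] = None
            continue
        # TCP errors (closed port, wrong host) propagate to the caller.
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = True
            except (ssl.SSLError, OSError):
                results[name] = False
    return results


def violations(results, profile="intermediate"):
    """Versions the server accepted that the chosen profile does not allow."""
    allowed = PROFILES[profile]
    return sorted(v for v, ok in results.items() if ok and v not in allowed)


if __name__ == "__main__":
    # Constructed sample result; for a real service use e.g.
    # probe("localhost", 8443), where host and port are placeholders.
    sample = {"TLSv1": False, "TLSv1.1": True, "TLSv1.2": True, "TLSv1.3": True}
    print("outside intermediate:", violations(sample, "intermediate"))
    print("outside modern:", violations(sample, "modern"))
```

A `None` entry means the version could not be tested from this client and should be confirmed with another tool rather than read as refused.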