
Hardening your GCE instance

Overview

Difficulty: Beginner
Duration: 46m
Students: 894
Description

Google Compute Engine is the cornerstone of the Google Cloud Platform. It is an IaaS (Infrastructure as a Service) environment - powered by KVM hypervisors - that allows you to create instances based on default images and custom snapshots, with complete control over network traffic.

This course, crafted by our expert Linux System Administrator David Clinton, will help you get started with Google Compute Engine, either through Google's browser console or their command line interface. By the end of this course you will have everything it takes to master the efficient and effective use of GCE.

Who should take this course

As a beginner-level course, you don't need experience with Google Cloud Platform to benefit from this tutorial. Some basic knowledge of the Linux command line and the TCP/IP stack might help you better understand the Networking and the CLI lectures, though.

If you need a high-level introduction to the cloud, check out the Introduction to Cloud Computing course. We also have an Introduction to Google Cloud Platform course to offer you a broader overview of the whole family of Google services.

If, after going through this course, you'd like to test your knowledge of Google Compute Engine and improve your CloudRank, we've got Quizzes that should serve as a perfect follow-up.


Transcript

Hi and welcome to CloudAcademy.com's video series on getting started with Google Compute Engine. In this video we're going to explore security in the Google Cloud.

Insecure virtual machines are obviously vulnerable to attack, but besides the threat of having your private data exposed, such attacks can also consume very expensive resources. While on the whole virtual computing is probably no less secure than any other method, virtual machines are still just as likely to be badly configured and the targets of dangerous exploits.

How to minimize the risk of attacks

Therefore you've got to do everything you can to minimize the risk. So, for instance, you might want to remove all unnecessary non-user accounts from the default install, not to mention make sure there are no users with administrative access they don't need. You should minimize the amount of software installed by default, so there are simply fewer processes running and, as a result, fewer opportunities for trouble.

We should also make sure that our system is completely upgraded and patched, so there are no glaring holes and vulnerabilities associated with the operating system itself. To do that, we'll install the unattended-upgrades package. First, sudo apt-get update. Then we'll run sudo apt-get install unattended-upgrades. Yes, we want all that to be downloaded and installed. And then we'll run sudo dpkg-reconfigure -plow unattended-upgrades. We are asked if we'd like to apply the updates regularly; you hit Tab once to highlight Yes, then Enter, and it's done. As long as this instance is running, it's going to keep the system constantly patched and updated with all software updates. You should use strong passwords on your accounts, and you should force all your users to comply with strong password guidelines. That means your passwords should not contain dictionary words, that is, words found in a dictionary. They should have uppercase and lowercase characters, they should have at least one number, and at least one non-numeric character like the dollar sign or the percentage sign.

You should, if possible (it's not always possible), lock the root account. You do that from the command line using usermod -L (uppercase L) and then the word root, and this of course has to be done with sudo. And generally, using logs and other monitoring tools, keep a good eye on system and network activity and the health of your system. It will almost certainly pay off in a big way at some point.
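Here is an added example, not part of the course or the author's material, that checks the three host-hardening points just covered on a Debian/Ubuntu image: extra UID-0 accounts, a locked root account, and unattended-upgrades switched on. It runs over constructed /etc/passwd, /etc/shadow and 20auto-upgrades excerpts; the function names and the sample account `toor` are assumptions made for illustration.

```python
import re

# Constructed /etc/passwd and /etc/shadow excerpts (sample data, not a real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
dave:x:1000:1000:David:/home/dave:/bin/bash
"""
SHADOW = """root:!:18000:0:99999:7:::
toor:$6$saltsalt$hashhashhash:18000:0:99999:7:::
dave:$6$saltsalt$hashhashhash:18000:0:99999:7:::
"""
# Constructed copy of what `dpkg-reconfigure -plow unattended-upgrades` writes
# to /etc/apt/apt.conf.d/20auto-upgrades when you answer Yes.
AUTO_UPGRADES = """APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
"""

def uid_zero_accounts(passwd_text):
    """Every login with UID 0; anything besides root is an extra admin account."""
    return [line.split(":")[0] for line in passwd_text.splitlines()
            if line and line.split(":")[2] == "0"]

def is_locked(shadow_text, user):
    """usermod -L prepends '!' to the hash; '*' also blocks password login."""
    for line in shadow_text.splitlines():
        name, pw = line.split(":")[:2]
        if name == user:
            return pw.startswith(("!", "*"))
    return False  # unknown user: treat as not locked

def unattended_upgrades_enabled(conf_text):
    """True when APT::Periodic::Unattended-Upgrade is set to a non-zero value."""
    m = re.search(r'APT::Periodic::Unattended-Upgrade\s+"(\d+)";', conf_text)
    return bool(m) and m.group(1) != "0"

def audit(passwd_text=PASSWD, shadow_text=SHADOW, conf_text=AUTO_UPGRADES):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    extra = [u for u in uid_zero_accounts(passwd_text) if u != "root"]
    if extra:
        findings.append("extra UID-0 accounts: " + ", ".join(extra))
    if not is_locked(shadow_text, "root"):
        findings.append("root is not locked (fix: sudo usermod -L root)")
    if not unattended_upgrades_enabled(conf_text):
        findings.append("unattended-upgrades is not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

On a live instance you would feed it the real files (read with sudo) instead of the embedded samples.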

Optimize your Firewall rules

Finally, let's make sure all our firewall rules are as restricted as possible. We can't obviously make them completely restricted, because then our instance wouldn't be able to do anything; it wouldn't be able to serve the clients we'd like it to. So let's click on Newnet, which is one of the networks we've previously created, and edit our SSH rule: click Edit. It currently allows SSH access from anywhere on the internet, and that's not a good idea. Let's change that to, let's say, 216.254.160.61. That might be your IP address, which would mean that no one on the internet has SSH access to your instance, no matter how many passwords and keys he happens to have, unless he's coming from the public IP address 216.254.160.61. That is, if he's coming to port 22. We should make sure, though, after saving this, that no other ports are open unnecessarily. We may need HTTP access, and there's nothing we can do about that: this is a web server, so we have to allow HTTP access. We may also require SSH access, but we can limit that to particular sources. Similarly, for any other ports you're going to open up or any other traffic you're going to allow, keep it as restrictive as possible.
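As an added example that is not from the course, the same review done against exported rules: it flags any enabled rule that still admits tcp/22 from 0.0.0.0/0 and builds the replacement restricted to 216.254.160.61/32. The JSON field names follow the shape of `gcloud compute firewall-rules list --format=json` as assumed here, and the rule names and functions are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of `gcloud compute firewall-rules list --format=json`.
RULES_JSON = """[
 {"name": "newnet-allow-ssh", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "newnet-allow-http", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "newnet-allow-all-old", "sourceRanges": ["0.0.0.0/0"],
  "disabled": true, "allowed": [{"IPProtocol": "all"}]}
]"""
ADMIN_IP = "216.254.160.61"  # the single SSH source address used in the transcript

def load_rules(text):
    return json.loads(text)

def port_in_spec(port, spec):
    """gcloud port specs are single ports ("22") or ranges ("20-23")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def allows_port(rule, port, proto="tcp"):
    """Does any 'allowed' entry admit this port? No 'ports' key means all ports."""
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"] == "all":
            return True
        if entry["IPProtocol"] == proto:
            specs = entry.get("ports")
            if not specs or any(port_in_spec(port, s) for s in specs):
                return True
    return False

def exposed_to_internet(rule, port=22):
    """True for an enabled rule admitting `port` from a range covering all IPv4."""
    if rule.get("disabled"):
        return False
    wide_open = any(ipaddress.ip_network(r).prefixlen == 0
                    for r in rule.get("sourceRanges", []))
    return wide_open and allows_port(rule, port)

def open_ssh_rules(rules_json):
    """Names of rules that still allow SSH from anywhere on the internet."""
    return [r["name"] for r in load_rules(rules_json) if exposed_to_internet(r, 22)]

def restrict_to(rule, source_ip):
    """Copy of the rule whose only permitted source is one /32 host."""
    fixed = dict(rule)
    fixed["sourceRanges"] = [str(ipaddress.ip_network(source_ip + "/32"))]
    return fixed
```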

About the Author

David Clinton
Linux SysAdmin
Students: 11913
Courses: 12
Learning Paths: 4

David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.

Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.

Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.

His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.