Virtual Private Clouds and 2020s Internet Security: No Country for Old Sysadmins
So, when I was young and impetuous and somewhat more invested in arguing about tabletop roleplaying games online, I decided the tabletop roleplaying game forum I posted on just wasn’t cutting it. I needed my own forum. A few erstwhile allies of mine and I carved out our own corner of the Internet, a phpBB forum with… well, about half the features you’d expect from such an already aging beast in 2012.
Intangibility Forums were hosted initially on NearlyFreeSpeech, a libertarian-oriented (but also very cheap) shared hosting provider, and then, when we required full server configuration, we moved to Linode, a VPS (virtual private server) provider which hosted the site for over two years. To my knowledge, with the exception of one attempted intrusion — which was caught — neither Intangibility’s server nor its MariaDB core for the phpBB (later Vanilla) forum was compromised. Several other hobby projects were also hosted on the same private server.
My interest in internecine web forum battles declined substantially by 2016, when I shut down the site and its server. While it’s possible that malware had made its way onto the Linode by then, I hadn’t noticed anything unusual in the logs. But that is not the reality today, as I discovered in last week’s ordeal of setting up an entirely private cloud for data science work.
It’s simply not safe to expose ports to the web anymore. Even if you have never published your IP address, and even if your installation is fully patched, hackers can and will attempt to compromise your systems, with prejudice: the whole IPv4 address space is scanned continuously, so an unadvertised host is found regardless. AWS, Google Cloud, and similar are set up with a feature which seems enormously frustrating, but unless you are running production apps/web servers, is ABSOLUTELY ESSENTIAL. This feature is the virtual private cloud (VPC) of the title: your instances live on private address space, and unless you bridge into that network with something like an OpenVPN server, they can only be accessed through the provider’s own console SSH.
This has serious limitations — I like to work from Visual Studio Code, which needs real SSH access to the instance it’s working on, and the console SSH doesn’t give it that. This is why the OpenVPN bridge is so important: once your laptop is on the VPN it is on the VPC’s private network, and SSH to the instance’s private address works as normal. It works for both AWS and GCloud, and both have preset OpenVPN configurations — AWS’s is, I believe, somewhat more user friendly. The one port you must still expose to the Internet is the OpenVPN server’s own; make its firewall rule the only one that admits the open web, and source every other rule from the VPN subnet.
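The practical check that falls out of this is an audit of your cloud firewall rules: anything open to 0.0.0.0/0 or ::/0 other than a web server’s 80/443 is the kind of exposure the post warns against, and the fix is to re-source the rule from the VPN subnet. The script below is an added example written for this post, not code from the original or from AWS; it reads the shape of `aws ec2 describe-security-groups` output, but the security group IDs, rules and the VPN subnet (10.8.0.0/24) are constructed for illustration.

```python
"""Flag cloud firewall rules that admit the open Internet on non-web ports.

Added example for this post. The input mirrors the shape of
`aws ec2 describe-security-groups` (SecurityGroups -> IpPermissions ->
IpRanges / Ipv6Ranges); the sample groups, IDs and VPN subnet are constructed.
"""
import ipaddress
import json

# The only ports a production web server needs to open to everyone.
WEB_PORTS = {80, 443}

# Hypothetical address range handed out by the OpenVPN bridge inside the VPC.
VPN_CIDR = "10.8.0.0/24"

# Constructed sample: a public web server group and a data-science box group
# that was wrongly opened to the world (SSH, Jupyter, and an all-ports IPv6 rule).
SAMPLE_DESCRIBE_OUTPUT = """
{"SecurityGroups": [
  {"GroupId": "sg-0aaa111example", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0bbb222example", "GroupName": "datasci", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 8888, "ToPort": 8888,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.8.0.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
"""


def sample_groups():
    """Parse the constructed sample into the list audit() expects."""
    return json.loads(SAMPLE_DESCRIBE_OUTPUT)["SecurityGroups"]


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0: a zero-length prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm):
    """Return (from, to); protocol -1 means every port of every protocol."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def is_acceptable_web_rule(perm, web_ports=WEB_PORTS):
    """A single TCP port in web_ports is the one exposure a web server needs."""
    lo, hi = port_range(perm)
    return perm.get("IpProtocol") == "tcp" and lo == hi and lo in web_ports


def audit(security_groups, web_ports=WEB_PORTS):
    """One finding per rule that lets the whole Internet in on a non-web port."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in sources if is_world_open(c)]
            if not world or is_acceptable_web_rule(perm, web_ports):
                continue
            findings.append({"group": group["GroupId"],
                             "protocol": perm.get("IpProtocol"),
                             "ports": port_range(perm),
                             "open_to": world})
    return findings


def remediation(finding, vpn_cidr=VPN_CIDR):
    """Same rule re-sourced from the VPN subnet; an all-ports rule is revoked outright."""
    if finding["protocol"] == "-1":
        return {"action": "revoke", "group": finding["group"]}
    lo, hi = finding["ports"]
    return {"action": "replace", "group": finding["group"],
            "IpPermissions": [{"IpProtocol": finding["protocol"],
                               "FromPort": lo, "ToPort": hi,
                               "IpRanges": [{"CidrIp": vpn_cidr}]}]}


def main():
    for finding in audit(sample_groups()):
        lo, hi = finding["ports"]
        print(f"{finding['group']}: {finding['protocol']} {lo}-{hi} "
              f"open to {finding['open_to']}")
        print("  fix:", remediation(finding))


if __name__ == "__main__":
    main()
```

Run against real output by replacing the constructed sample with the JSON from `aws ec2 describe-security-groups`; every finding should either become a rule sourced from the VPN subnet or disappear. The one legitimate exception is the OpenVPN server’s own listening port, which is the single rule that has to stay open to the Internet.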
If I’m being honest, I need at least one more infosec certification than I have before I run a production webserver again. The Internet has become a scary place. For now, let me urge you not to implement firewall rules in your cloud (security groups, in AWS terms) that allow access from the open web — it may make your various backends more accessible, but you will pay for it. Possibly, in actual money, should hackers manage to obtain your cloud security credentials.
Truly, it is no country for old sysadmins.