Within the OpenStack Horizon interface, you can secure your networks with security groups. They let you restrict inbound or outbound traffic for an instance and protect your systems against attacks or unauthorized access. This guide explains how security groups work and how to manage them effectively, accompanied by video instructions.
- Explanation of security groups
- Default security group settings
- Allowing ICMP ping requests
- Allowing remote access
- Allowing webserver HTTP/HTTPS
- Terminology explained
Explanation of security groups
Security groups protect your instances and networks from attacks or unauthorized access from outside. A security group is a set of rules, and you can attach one or more groups to each instance. Security groups are a free, additional firewall feature that shields your environment from external access and acts as a second layer of protection for your network.
Default security group settings
When you create a new instance in the Horizon interface, it is automatically assigned the security group 'default'. This group allows no inbound traffic from the outside world, but does allow traffic from your instance to the outside. As a result, your instance is not reachable from the outside until you add a rule or attach another security group.
Allowing ICMP ping requests
To test whether your instance is reachable from the internet, you can send a ping request to your VPS. By default, ping (ICMP) requests are blocked, so you first need to attach a security group that allows ICMP to your VPS.
- Log in to the Horizon web interface.
- In the left-hand menu, select 'Compute' and then 'Instances'.
- From the overview, for the relevant instance, open the right-hand dropdown menu and select 'Edit Security Groups'.
- Select '+' next to the option 'allow-icmp' and then select 'Save'.
- The new security group setting will take effect immediately.
You can test this by running the following command from your workstation's command line, replacing 1.2.3.4 with your instance's IP address: ping 1.2.3.4
Allowing remote access
To manage the server, it must be accessible via SSH or Remote Desktop. In the example below, SSH access is configured.
- Log in to the Horizon web interface.
- In the left-hand menu, select 'Network' and then 'Security Groups'.
- At the top right, select 'Create Security Group'.
- In 'Name', enter a name for the new security group (in our example, "SSH") and optionally a description. Then select 'Create Security Group'.
- In the overview, to the right of the new security group, select 'Manage Rules'.
- At the top right, select '+Add Rule'.
- Under 'Rule', select 'Custom TCP Rule'.
- Under 'Direction', select 'INGRESS' — this refers to traffic coming from outside to inside.
- Under 'Port', enter 22 for the SSH service.
- Under 'CIDR', enter the IP address of the management station from which you will connect (for example, your office IP) in CIDR notation, e.g., 1.2.3.4/32 for a single address, and then select 'ADD'.
- In the left-hand menu, select 'Compute' and then 'Instances'.
- From the overview, for the relevant instance, open the right-hand dropdown menu and select 'Edit Security Groups'.
- Select '+' next to the option 'SSH' and then select 'SAVE'.
- The new security group setting will take effect immediately.
To test if your instance is reachable, connect to your server using an SSH client.
Allowing webserver HTTP/HTTPS
The example below shows how to make a service available to your users, such as a web server.
- Log in to the Horizon web interface.
- In the left-hand menu, select 'Compute' and then 'Instances'.
- From the overview, for the relevant instance, open the right-hand dropdown menu and select 'Edit Security Groups'.
- Select '+' next to the option 'allow-web' and then select 'Save'.
- The new security group setting will take effect immediately.
To test whether your service is available, enter your system's IP address in your web browser. You can also connect to port 80 with telnet or run a port scan with a tool like nmap.
If you use DirectAdmin, you also need to add port 2222/TCP for managing your DirectAdmin installation.
Terminology explained
Before you start configuring security groups, it is important to understand some key terms, which are explained below.
- Direction
The direction defines the flow of network traffic. There are two types used when setting firewall rules:
ingress: traffic coming from outside into your system, for example, an external user trying to access your web server.
egress: traffic going from inside your system to the outside, for example, when your server sends a file to an external party.
The most common firewall setup is to allow all egress traffic and restrict ingress traffic to only what you explicitly want to allow. This is also the default behavior of OpenStack security groups: all outbound traffic is allowed, and inbound traffic is blocked until you add a rule that permits it.
- Ether Type
The IP version the rule applies to. When you enter an IP range or subnet in a security rule, the Ether type is determined automatically from it. Only two Ether types are used in security rules: IPv4 (e.g., 1.2.3.4/5) and the newer IPv6 (e.g., 2a02:348:5e6:1::9bc0).
- IP Protocol
The protocol the rule applies to: usually TCP, in some cases UDP, and ICMP for ping requests.
- Port / Port range
Specify the service port you want to allow, for example, HTTP traffic on port 80 or port 443 for your web server. You can also specify a range of ports, for example, ports 2000 to 3000.
- Remote IP Prefix
The IP address or range allowed to reach your system, for example, your home IP 1.2.3.4. To allow traffic from any address, use 0.0.0.0/0 for IPv4 and ::/0 for IPv6, or specify a range, for example, 8.8.8.0/24.
- List of common service ports
20: File Transfer Protocol (FTP) Data Transfer
21: File Transfer Protocol (FTP) Command Control
22: Secure Shell (SSH) Secure Login
23: Telnet Remote Login Service, unencrypted text messages
25: Simple Mail Transfer Protocol (SMTP) Email Routing
53: Domain Name System (DNS) Service
80: Hypertext Transfer Protocol (HTTP) used on the World Wide Web
110: Post Office Protocol (POP3)
119: Network News Transfer Protocol (NNTP)
123: Network Time Protocol (NTP)
143: Internet Message Access Protocol (IMAP) Management of digital mail
161: Simple Network Management Protocol (SNMP)
194: Internet Relay Chat (IRC)
443: HTTP Secure (HTTPS) HTTP over TLS/SSL
465: Authenticated SMTP over TLS/SSL (SMTPS)
587: Email message submission (SMTP)
993: Internet Message Access Protocol over TLS/SSL (IMAPS)
For a full list of all available service ports, see this link.
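As an added example that is not part of the original guide, the following Python models the rule fields explained above (direction, Ether type, IP protocol, port range, remote IP prefix) using the Neutron API field names, evaluates whether a given flow would be allowed by the groups built in this guide, and flags management ports left open to the whole internet. The rule set is constructed for the example, not read from a live cloud.

```python
import ipaddress

# Constructed sample rule set: the default IPv4 egress rule plus the three
# groups the guide attaches (allow-icmp, SSH from one office address,
# allow-web). Field names follow the Neutron API; None means "any".
RULES = [
    {"direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "icmp",
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "1.2.3.4/32"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
]

MANAGEMENT_PORTS = {22, 2222, 3389}  # SSH, DirectAdmin, RDP: never open to all


def rule_matches(rule, direction, remote_ip, protocol, port=None):
    """True if this single allow rule covers the flow."""
    ip = ipaddress.ip_address(remote_ip)
    if rule["direction"] != direction or rule["ethertype"] != f"IPv{ip.version}":
        return False
    if rule["protocol"] not in (None, protocol):
        return False
    lo, hi = rule["port_range_min"], rule["port_range_max"]
    if lo is not None and (port is None or not lo <= port <= hi):
        return False
    prefix = rule["remote_ip_prefix"]
    return prefix is None or ip in ipaddress.ip_network(prefix, strict=False)


def is_allowed(rules, direction, remote_ip, protocol, port=None):
    """Security groups are allow-lists: a flow no rule matches is dropped."""
    return any(rule_matches(r, direction, remote_ip, protocol, port) for r in rules)


def open_management_ports(rules):
    """Management ports that some ingress rule exposes to any source address."""
    exposed = set()
    for r in rules:
        if r["direction"] != "ingress" or r["protocol"] not in (None, "tcp"):
            continue
        if r["remote_ip_prefix"] not in (None, "0.0.0.0/0", "::/0"):
            continue
        lo = r["port_range_min"] or 1  # None means the whole port range
        hi = r["port_range_max"] or 65535
        exposed |= {p for p in MANAGEMENT_PORTS if lo <= p <= hi}
    return sorted(exposed)
```

Run `open_management_ports` over your own exported rules after every change to a group; a rule such as "ports 2000 to 3000 from 0.0.0.0/0" quietly exposes DirectAdmin's 2222.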