Archive for January, 2019

View Azure metrics in Grafana dashboards

January 16, 2019

Microsoft has released a plugin that allows Azure services and applications to be monitored from Grafana: the Azure Monitor data source plugin.

Grafana configuration for Azure Monitor integration

The plugin gathers application performance data collected by Azure Monitor, including various logs and metrics.

If you use Application Insights, you can also enter your Application Insights API key and application ID to collect Application Insights based metrics.

You can also install Telegraf and InfluxDB to collect and plot both custom and agent-based metrics in the same Grafana instance, and include metrics from a Prometheus server to monitor containers.

When configuring the plugin, you can indicate which Azure Cloud you would like the plugin to monitor (Public, Azure US Government, Azure Germany, or Azure China).

The high level steps are:

  1. Set up Grafana (locally, or in Azure by deploying Grafana by Grafana Labs from the Azure Marketplace). You will need Grafana version 5.3 or higher.
  2. Log in to Grafana.
  3. Configure the data source plugin and select Azure Monitor as the type from the dropdown.
  4. Use an existing service principal or create a new one – Grafana uses an Azure Active Directory service principal to connect to the Azure Monitor APIs and collect data.
  5. Provide the connection details for the APIs and select Same details as Azure Monitor API.
  6. Provide your Application Insights API key and application ID if you want to collect Application Insights based metrics.
  7. Save; then, on the Grafana Home page, select New Dashboard.
  8. Select the configured Azure Monitor data source.

For a more detailed step-by-step guide, see https://docs.microsoft.com/en-us/azure/azure-monitor/platform/grafana-plugin?toc=%2Fazure%2Fazure-monitor%2Ftoc.json
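The service principal in step 4 is the identity Grafana uses against Azure, so it should get read-only rights at the smallest scope that covers the resources you want to chart. The script below is an added example, not code from the original post, from Grafana or from Microsoft; it uses the Azure CLI (`az ad sp create-for-rbac` with the built-in Reader role, scoped to one subscription) and a helper that refuses a malformed subscription id so a typo cannot silently widen or break the scope. The service-principal name is a placeholder and the CLI is only invoked when RUN_AZ=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post, Grafana or Microsoft): create the
# service principal of step 4 with read-only, subscription-scoped rights.
# Grafana only reads metrics, so the built-in Reader role at subscription scope
# is enough; nothing here needs Contributor or Owner.
# Assumptions: the Azure CLI (`az`) is installed and logged in, and SP_NAME is a
# placeholder you rename for your environment.

SP_NAME="${SP_NAME:-grafana-azure-monitor-reader}"   # placeholder name

# Build the "/subscriptions/<id>" scope string for the role assignment.
# Accepts only a GUID-shaped id so a stray value cannot become a wrong scope.
scope_for_subscription() {
    if printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        printf '/subscriptions/%s\n' "$1"
    else
        echo "not a subscription id: $1" >&2
        return 1
    fi
}

# Create the service principal and the Reader assignment in one call.
# The command prints JSON with appId (client id), password (client secret)
# and tenant; those are the values the Grafana data-source form asks for.
# The secret is shown once only, so store it in a secret manager, not a wiki.
create_grafana_sp() {
    sub=$(az account show --query id -o tsv) || return 1
    scope=$(scope_for_subscription "$sub") || return 1
    az ad sp create-for-rbac --name "$SP_NAME" --role Reader --scopes "$scope"
}

# Afterwards, confirm the principal holds nothing beyond Reader on that scope:
#   az role assignment list --assignee <appId> -o table

if [ "${RUN_AZ:-0}" = "1" ]; then
    create_grafana_sp
fi
```

Run it with `RUN_AZ=1 ./make-grafana-sp.sh` (any file name works) in a shell where `az login` has already been done; without RUN_AZ it only defines the functions, which is how the scope check can be exercised on its own.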

Password-less VM – The importance of securing your IaaS Linux VM in the Public Cloud

January 9, 2019

When creating a VM in the Public Cloud, some assume that the provider is responsible for its security. Guess what: you are responsible for its security.

A common misunderstanding is assuming that a strong password is enough to secure access to the VM. To prove that it is not: yesterday I created a VM in Azure for some container lab work, and in less than 9 hrs it had 8712 failed login attempts, as shown in the picture above.
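The count above is the kind of number you get straight from the VM's own auth log. The script below is an added example (not part of the original post) that counts password-based login failures in the Debian/Ubuntu /var/log/auth.log format and ranks them by source address and by the account name that was tried. The log lines are constructed sample data; the addresses are from the TEST-NET documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed SSH logins from
# an auth log, as one would do on the VM described above.
# The lines below are constructed sample data in the /var/log/auth.log format
# used by Debian/Ubuntu images; source addresses are TEST-NET documentation
# ranges, not real hosts.

SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Jan  8 21:03:11 lab-vm sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  8 21:03:14 lab-vm sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan  8 21:03:20 lab-vm sshd[1207]: Failed password for invalid user oracle from 198.51.100.77 port 40022 ssh2
Jan  8 21:04:02 lab-vm sshd[1210]: Accepted publickey for azureuser from 192.0.2.10 port 55000 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
Jan  8 21:05:31 lab-vm sshd[1215]: Failed password for invalid user test from 203.0.113.5 port 51301 ssh2
Jan  8 21:06:45 lab-vm sshd[1220]: Failed password for root from 198.51.100.77 port 40100 ssh2
Jan  8 21:07:09 lab-vm sshd[1222]: Invalid user pi from 203.0.113.5 port 51340
EOF

# Only "Failed password" lines are counted; "Invalid user" lines without a
# password attempt and successful "Accepted publickey" logins are left out.
failed_password_lines() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1"
}

# Total number of password-based login failures in the log.
count_failed_logins() {
    failed_password_lines "$1" | wc -l | tr -d ' '
}

# Source addresses ranked by number of failures, printed as "count ip".
top_failed_sources() {
    failed_password_lines "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Account names that were tried, ranked. "invalid user X" means X does not
# exist on the box; a bare name such as root is an existing account and
# therefore the more worrying case.
top_attempted_users() {
    failed_password_lines "$1" \
        | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from.*/\2/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Address with the most failures; a candidate for an NSG deny rule.
worst_offender() {
    top_failed_sources "$1" | head -n 1 | awk '{print $2}'
}

echo "failed logins: $(count_failed_logins "$SAMPLE_AUTH_LOG")"
echo "by source:";  top_failed_sources  "$SAMPLE_AUTH_LOG"
echo "by account:"; top_attempted_users "$SAMPLE_AUTH_LOG"
```

On a real VM, point the functions at /var/log/auth.log (or at `journalctl -u ssh --no-pager` output saved to a file) instead of the sample; the existing-account names in the "by account" list tell you which of your users are actually being guessed.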

Creating a more Secure VM

So, what should you do to protect access to your public VM?

“Password-less VM”: using an SSH public key instead of a password greatly increases the difficulty of brute-force guessing attacks.

A “password-less” VM includes:

  • A username that is not a standard one such as “root” or “admin”: Azure already helps you with that by not allowing you to create “root” or “admin” as a username. Also note that in Linux, usernames are case sensitive.
  • No password for the user, and no password-based login permitted. Instead, configure private key/certificate SSH authentication: that’s a must!
  • A randomized public SSH port.

Verifying

Using the Linux command line below, you should see a line showing: PasswordAuthentication no

$ sudo tail -n 10 /etc/ssh/sshd_config
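Looking at the tail of the file is a quick check, but it can mislead: sshd takes the first uncommented value of each keyword, so a "PasswordAuthentication yes" higher up wins over a "no" near the bottom, and keywords are matched case-insensitively. The script below is an added example (not from the original post) that audits an sshd_config file for the password-less settings listed above using the first-value-wins rule, stopping at the first Match block because anything after it is conditional. It runs here against two constructed sample files, one hardened and one that looks hardened at the tail but is not; on a VM, point it at /etc/ssh/sshd_config or at the output of `sudo sshd -T`, which already prints the resolved values.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# "password-less VM" settings. Both config files below are constructed samples.

# Effective value of a keyword. sshd uses the FIRST uncommented occurrence of
# each keyword, keywords are case-insensitive, and directives after a Match
# line apply only conditionally, so parsing stops there (review Match blocks
# by hand). Prints nothing when the keyword is absent (i.e. sshd's default).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"              { exit }
        tolower($1) == key                  { print $2; exit }
    ' "$1"
}

# Returns 0 when every password-less requirement holds; otherwise prints each
# failing check and returns 1.
audit_passwordless() {
    cfg="$1"; ok=0
    pw=$(sshd_setting "$cfg" PasswordAuthentication)
    [ "$pw" = "no" ] || { echo "FAIL PasswordAuthentication=${pw:-unset} (default is yes)"; ok=1; }
    cr=$(sshd_setting "$cfg" ChallengeResponseAuthentication)
    [ "$cr" = "no" ] || { echo "FAIL ChallengeResponseAuthentication=${cr:-unset} (default is yes)"; ok=1; }
    pk=$(sshd_setting "$cfg" PubkeyAuthentication)
    [ "${pk:-yes}" = "yes" ] || { echo "FAIL PubkeyAuthentication=$pk"; ok=1; }
    rl=$(sshd_setting "$cfg" PermitRootLogin)
    [ "$rl" = "no" ] || { echo "FAIL PermitRootLogin=${rl:-unset}"; ok=1; }
    port=$(sshd_setting "$cfg" Port)
    [ -n "$port" ] && [ "$port" != "22" ] || { echo "FAIL Port=${port:-22} (default port)"; ok=1; }
    return $ok
}

# Constructed sample 1: properly hardened, with a commented-out line that a
# naive grep would pick up.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
#PasswordAuthentication yes
Port 50022
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF

# Constructed sample 2: the last ten lines look fine, but the first value wins.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin prohibit-password
# ... many lines later, added by someone who believed this took effect:
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

echo "hardened sample:"; audit_passwordless "$HARDENED" && echo "OK: password-less"
echo "weak sample:";     audit_passwordless "$WEAK"     || echo "NOT password-less"
```

After editing sshd_config, validate it with `sudo sshd -t` before restarting the service, and keep your current session open until you have confirmed a fresh key-based login works.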

Detailed Steps

Check out the article Quick steps: Create and use an SSH public-private key pair for Linux VMs in Azure for how to configure these steps.

What else should you do?

Azure offers great protection options for Azure VMs. It’s definitely a must that you:

  • Install the Microsoft Monitoring Agent to enable Azure Security Center, which helps you prevent, detect, and respond to threats. Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations, and the recommendations guide you through configuring the needed controls. For detailed information see https://docs.microsoft.com/en-us/azure/security-center/quick-onboard-linux-computer
  • Configure Security Policies, which drive the security recommendations you get in Azure Security Center.
  • Configure Just-in-time (JIT) virtual machine (VM) access, which locks down inbound traffic to your Azure VMs, reducing exposure to attacks while still giving you easy access to the VMs when needed. Configure custom ports and customize the following settings:

    Protocol type – The protocol that is allowed on this port when a request is approved.

    Allowed source IP addresses – The IP ranges that are allowed on this port when a request is approved.

    Maximum request time – The maximum time window during which a specific port can be opened.

  • Configure Network security groups and rules to control traffic to your virtual machines.
  • Configure a dedicated network connection between your on-premises network and your Azure vNets, through either a VPN or Azure ExpressRoute: production services should not expose SSH to the internet.

Stay safe!

Article also published on my LinkedIn page: https://www.linkedin.com/pulse/password-less-vm-importance-securing-your-iaas-linux-cardoso/?published=t