Tips and Ideas For Securing a Virtual Private Server
Last updated on Dec 19, 2020
A Virtual Private Server, or VPS as it is commonly called, is often considered to be the next step after shared hosting. In a shared hosting environment, you are provided with just a fraction of the server resources. With a VPS, on the other hand, you get greater access to server resources.
Furthermore, with layers of virtualization, you also get greater freedom on a VPS. You can choose to install the operating system of your choice, set up customized software and scripts, and do a lot more! Naturally, a Virtual Private Server has a lot to offer and that is the primary reason why Virtual Private Servers are becoming more and more popular with each passing day.
While you have the luxury of opting for a managed VPS, there are self-managed or unmanaged VPS offerings available too. You can learn the key differences between the two on this page.
With that said, how do you go about securing your VPS? Are there any good VPS security practices and ideas that you should keep in mind? In this article, we will be discussing some of the major VPS security tips and tricks that you can make use of.
Use the Firewall
The advantages of a properly-configured and active firewall have become common knowledge by now. In fact, if you are using a computer that is connected to the internet most of the time, you might already have a firewall set up to keep the bad guys at bay. Most desktop operating systems, including Windows and Linux, tend to ship with a custom firewall of their own that you can tweak as per your needs.
The VPS scenario is no different. It is a good idea to configure a firewall to guard against events such as DDoS attacks. In Linux, you can also filter network access for various programs by means of utilities such as TCP Wrappers. Basically, the idea here is to prevent spoofing and unauthorized access.
The Linux kernel comes with its own integrated firewall called Netfilter that is highly versatile and tweakable. If you are on a Windows VPS, you can use the Windows Firewall to do the same.
Custom firewalls such as CSF are also a worthy choice. In most cases, you should opt for a firewall that comes with its own plugin for integration into WHM/cPanel and/or Plesk, as the case may be.
Keep the Software Updated
It goes without saying that your server is only as secure as its software. With more and more threats being discovered with each passing day, newer security updates and patches are released at regular intervals. If you are using a managed VPS, it is the responsibility of your web hosting provider to ensure that security updates to server software are applied as and when necessary. This includes updates for server operating systems as well as any server-side software that might be installed, such as WHM/cPanel or even Node.js core extensions.
On an unmanaged VPS, the onus for keeping everything updated lies on you. Of course, you may find implementing operating system-level updates a bit too much, and it makes sense to hire a specialist for the task. With that said, you should be aware that virtually every operating system nowadays goes out of its way to provide info about update procedures; in Ubuntu, it can be as simple as running an apt-get command. Similarly, you can configure cPanel and/or Plesk to automatically fetch and install security updates and bug fixes.
Use an Antivirus Solution
Irrespective of whether you are using a Windows or a Linux VPS, good anti-virus and anti-malware software is a must. There are various options out there, and generally, paid solutions are better than free ones. Of course, this is no hard and fast rule and you should consider doing your own research in this field. Good antivirus or anti-malware software is regularly updated to ensure that its signatures carry info about identifying the latest security threats. ClamAV is highly popular nowadays, especially on Linux platforms.
Beyond that, you should also be wary of rootkits. Generally, a rootkit operates at the operating system level. This means normal antivirus software often cannot detect it, which can compromise the overall security of your VPS. More often than not, a rootkit problem can only be solved by reinstalling the OS.
The open source tool chkrootkit can prove useful in detecting and reporting rootkits on your system, if any.
Disable That Which isn’t Needed!
Often, a VPS configuration has several features that are activated by default. These may or may not be entirely useful and can pose a security issue in the long run.
For a start, you should consider disabling root logins on your Linux VPS. All Linux platforms have a “root” super-user with enhanced privileges that can wipe your system clean, install or uninstall anything and everything, and so on. In a VPS environment, once you have the operating system and the server software up and running, you would only need a basic admin account to manage things. Logins as root are rarely needed, and hackers can attempt to guess the password for the root account. You can safely disable root logins by opening the /etc/ssh/sshd_config file and setting the PermitRootLogin value to “no”. Note that you cannot “delete” the root account, contrary to what some guides on the internet claim.
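A check for the PermitRootLogin setting described above, as an added example that is not part of the original article. It assumes a single config file passed as the first argument; the function name and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit PermitRootLogin in an sshd_config-style file.
# Prints "global=<value>" and one line per Match block that re-enables root
# login; returns 0 only when root login is "no" everywhere in this file.
audit_root_login() {
    awk '
    BEGIN { global = "unset"; in_match = 0; bad = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line)              # leading whitespace is ignored
        if (line == "" || line ~ /^#/) next   # blank lines and comments
        key = line; sub(/[ \t=].*$/, "", key)
        val = substr(line, length(key) + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)       # separator: blanks or one "="
        sub(/[ \t].*$/, "", val); gsub(/"/, "", val)
        key = tolower(key)                    # keywords are case-insensitive
        if (key == "match") { in_match = 1; next }
        if (key != "permitrootlogin") next
        if (!in_match) {
            # sshd keeps the first value it reads; later duplicates are dead
            if (global == "unset") global = val
        } else if (val != "no") {
            printf "match-override line %d: %s\n", NR, val
            bad = 1
        }
    }
    END {
        printf "global=%s\n", global
        exit ((global == "no" && !bad) ? 0 : 1)
    }' "$1"
}

# Constructed sample: line 4 is ignored by sshd, the Match block is not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
permitrootlogin no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
EOF
audit_root_login "$sample" || echo "root login is still reachable"
```

A result of global=unset means the compiled-in default applies, which depends on the OpenSSH version, and files pulled in through Include are not followed. After editing the real file, `sshd -t` checks its syntax, and the daemon has to be reloaded before the change takes effect.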
Similarly, you can also close unused network ports by using iptables. This will make sure there are no unwanted ports of entry to your server data.
Furthermore, if you are not yet using IPv6 and have no plans to do so in the near future, you can consider disabling it altogether. This, of course, depends on your requirements. If you have any use for any of the benefits that IPv6 provides, you should leave it open. Otherwise, simply disable it and forget about it.
Wherever possible, you should consider using only SFTP (secure FTP) and not plain FTP to connect to your server. In fact, many web hosting providers now are shifting towards an SFTP-only scenario. Disabling FTP means you are relying only on an encrypted data transfer mechanism as provided by SFTP.
Other VPS Security Measures
- You can make use of GnuPG encryption for transmitting data. Basically, GnuPG is a free tool that provides a private key which you can share with the recipient — thereby ensuring no one else can decrypt data during transit.
- A Linux VPS stores all its kernel-related files inside the /boot directory or partition. It is a good idea to make sure the /boot directory is read-only, so that while your system can read it, malicious users cannot possibly write to it or modify it.
- If you are using cPanel and WHM, you can enable the cPHulk option therein. Essentially, this is a brute force protection mechanism that locks out users after too many login failures. It is effective as a secondary firewall.
- In a Windows VPS environment, you can restrict Remote Desktop Access and set up custom rules for Remote Desktop Gateway, so that malicious users are unable to access your data.
So there you have it, some of the major VPS security tips and ideas. Security is an ongoing practice, and you need to stay on top of your game in order to ensure malicious hackers and bad guys do not compromise your server’s health.
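A check for the read-only /boot tip in the list above, as an added example that is not part of the original article. It compares the live mount table with /etc/fstab, because a manual remount that is not recorded in fstab reverts at the next reboot; the function names and sample files are constructed.

```sh
#!/bin/sh
# Added example: report whether /boot is read-only now AND after a reboot.
# Both /proc/mounts and /etc/fstab keep the mount point in column 2 and the
# comma-separated options in column 4.

# Print ro, rw or absent for mount point $2 in the file $1.
opt_state() {
    awk -v mp="$2" '
        /^[ \t]*#/ { next }                      # fstab comment lines
        $2 == mp { s = "rw"; n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "ro") s = "ro" }
        END { print (s == "" ? "absent" : s) }' "$1"
}

# Returns 0 only if /boot is read-only in both files. "absent" means /boot
# is not a separate mount and cannot be made read-only on its own.
boot_ro_audit() {
    live=$(opt_state "${1:-/proc/mounts}" /boot)
    persist=$(opt_state "${2:-/etc/fstab}" /boot)
    echo "live=$live fstab=$persist"
    [ "$live" = ro ] && [ "$persist" = ro ]
}

# Constructed sample: /boot was remounted read-only by hand, but fstab still
# says "defaults", so the protection is lost at the next boot.
mounts=$(mktemp); fstab=$(mktemp)
cat > "$mounts" <<'EOF'
/dev/vda2 / ext4 rw,relatime 0 0
/dev/vda1 /boot ext4 ro,relatime 0 0
EOF
cat > "$fstab" <<'EOF'
# constructed fstab
UUID=constructed-root / ext4 defaults 0 1
UUID=constructed-boot /boot ext4 defaults 0 2
EOF
boot_ro_audit "$mounts" "$fstab" || echo "/boot is not persistently read-only"
```

With /boot read-only, kernel and bootloader updates fail until it is remounted read-write (`mount -o remount,rw /boot`) for the duration of the update.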
Got any security tips or ideas of your own? Share them with the world in the comments below!
Sufyan is a contributor to a variety of websites and blogs about technology, Linux, open source, web design, content management systems and web development. Learn more about his works on sufyanism.com