Update! We’ve added a few more security measures you’ll want to consider to best protect your VPS.
If you’re running an unmanaged VPS instance that deals with sensitive data or private information, it goes without saying that you want to keep it as secure as possible. As a server administrator, there are a few basic measures you should take to ensure the information you’re dealing with stays securely in your hands. Ignore these procedures at your own peril, as they are the key to protecting your VPS.
Audit Your Server
Your first step is to run an audit of your server. Knowing what’s running on your system – as well as where said system’s vulnerabilities lie – is vital to securing a VPS. Thankfully, there’s no shortage of tools designed to carry out such audits – for one-time auditing and hardening, you could use something along the lines of the Linux Security Auditing Tool or Bastille. You could also set up a regular, automated auditing system with Logwatch. For remote/external audits, use Nessus Vulnerability Scanner and Nmap.
Lastly, I’d suggest taking a look at Future Engineer, as it could significantly simplify the process of securing your server.
Close Unnecessary Ports And Disable Unused Services
Next, you need to take a very close look at the services and applications running on your system. Ask yourself: are all of your daemons strictly necessary for your VPS to function? In the event that a particular daemon is necessary, does it need to be open to the world? If you’re running a collection of unnecessary applications, then you’re making your server significantly more vulnerable without reason.
As far as ports are concerned, a good practice is to open whatever ports your VPS requires with iptables, then set the default policy for the INPUT chain to “drop.” Basically, this will ensure that any port you haven’t explicitly stated to be open will be ignored.
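One way to apply the default-drop policy described above without locking yourself out of SSH, as an added example that is not part of the original article: the function emits a ruleset in iptables-restore format, which is applied as a whole on COMMIT, so the allow rules and the DROP policy take effect together. The ports 22, 80 and 443 are assumed sample values.

```shell
# gen_ruleset PORT... : print an iptables-restore ruleset that accepts new
# inbound TCP connections only on the listed ports and drops everything else.
# Prints nothing and returns 1 if any port is invalid, so a typo can never
# produce a half-built ruleset.
gen_ruleset() (
    for p in "$@"; do
        case "$p" in
            # empty, non-numeric, leading zero, or more than five digits
            ''|*[!0-9]*|0*|??????*) echo "invalid port: $p" >&2; exit 1 ;;
        esac
        if [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; exit 1
        fi
    done
    echo '*filter'
    # Only the INPUT policy changes, as the article describes.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Keep loopback traffic and replies to connections the server opened.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
)

# Sample port list (assumed): SSH, HTTP, HTTPS.
gen_ruleset 22 80 443
```

Pipe the output to `iptables-restore --test` first to parse it without committing, then to `iptables-restore`. IPv6 traffic needs the same treatment through `ip6tables-restore`.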
Keep Everything Updated, And Make Backups Often
It seems incredibly basic, but you need to also be sure that you’re constantly keeping your server up to date, installing the latest secure implementation of whatever distro you happen to be using. The reason for this is simple: oftentimes, newer versions of an OS contain patches for security vulnerabilities that plagued older ones. Additionally, make sure you’re regularly saving backups of the data on your VPS. That way, in the event that something goes wrong, you can save your information or roll back to an earlier version.
Make Sure Your SSH Configuration Is Secure
Since SSH is one of the daemons that will always need to be running on your VPS, it’s also a prime target for hackers. As such, keeping it secure should be one of your highest priorities. Thankfully, protecting yourself in this regard is fairly simple:
- Change the default port of your SSH configuration from port 22.
- Prevent root access for users logging into your server using SSH.
- Disable password-based authentication and instead require key pairs.
- Limit logins to a select group of users.
- Consider installing intrusion-detection software such as DenyHosts or Fail2Ban.
- Configure your system to display a warning message to unauthorized users and welcome messages to authorized users.
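The sshd_config side of the checklist above can be checked mechanically. This is an added example, not part of the original article: it reads sshd_config text (or `sshd -T` output) on stdin and prints one line per unmet item. The two sample configs are constructed, and port 2222, the user `deploy` and the banner path are placeholder values.

```shell
# audit_sshd: print one finding per checklist item the config does not meet.
# Simplifications: only the global section is read (stops at the first
# Match block) and Include files are not followed.
audit_sshd() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    {
        k = tolower($1); v = tolower($2)
        if (k == "port") { has_port = 1; if (v == "22") port22 = 1 }
        if (!(k in val)) val[k] = v      # sshd keeps the first value it sees
    }
    END {
        if (!has_port || port22)
            print "port: listening on the default port 22"
        if (val["permitrootlogin"] != "no")
            print "permitrootlogin: root login over SSH is not disabled"
        if (val["passwordauthentication"] != "no")
            print "passwordauthentication: password logins are accepted"
        if (!("allowusers" in val) && !("allowgroups" in val))
            print "allowusers: logins are not limited to named users or groups"
        if (!("banner" in val) || val["banner"] == "none")
            print "banner: no warning banner is configured"
    }'
}

# Constructed sample: nothing hardened (commented Port means default 22).
weak_config() {
    cat <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed sample: the same file after applying the checklist.
hardened_config() {
    cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy
Banner /etc/issue.net
EOF
}
weak_config | audit_sshd        # five findings
hardened_config | audit_sshd    # no output
```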
Remain Vigilant Against The Most Common Security Threats
Last but certainly not least, I’ve two words: constant vigilance. Remain constantly guarded against the possibility of new and unanticipated security threats arising, and be sure you implement protection against the most common modes of attack. A few best practices to that effect include:
- Run regular virus/malware scans on your server.
- Regularly check your security logs.
- Disable compilers.
- Use Apache 2.2 or higher (but obfuscate your version number).
- Sign on with a DDoS protection provider such as CloudFlare.
- Install rkhunter or chkrootkit. This will let you regularly check if your server is compromised.
- Secure WHM.
Remove unwanted modules/packages
In many cases, your Linux distribution came bundled with a lot of packages and services. You likely won’t need all of them, so it can be good to remove those you won’t be using. Each unused service represents another weakness you need to keep tabs on, so the best practice is only running services that are actually being used. Also, stay away from installing any other unnecessary software or services to keep threats low. Server performance will improve as a result as well.
Improve your password policy
Passwords, especially weak ones, are a huge threat to security. User accounts should never have empty passwords or “easy” passwords that are a consecutive string of numbers or letters. The strongest passwords will include a mix of lower and uppercase letters, numbers, and special characters.
Also, require all users to update passwords regularly, restricting users from reusing old passwords. Using the “faillog” command to set login failure limits can also boost security. User accounts should be set to “lock” after repeated failed attempts to log in to guard against brute force attacks.
Configure a firewall
There are a number of firewalls to choose from to truly secure your VPS. Some come integrated with the Linux kernel, allowing configuration that filters out undesirable traffic. It is a solid way to combat distributed denial of service (DDoS) attacks.
TCPWrapper is an application that can also be used to filter network access for different programs. Standardized logging, spoofing protection, and hostname verification all come baked in, so it can boost your security.
Implement antivirus software
Antimalware and antivirus software can be a great second defense against harmful software that may make it past your firewall. While the firewall can deny access to well-known sources of malicious traffic, it’s not a catch-all. Paid security software may cost a little extra, but it is worth the investment. These solutions use their hard-earned revenue to hire top talent and programmers that will keep antivirus software up-to-date and relevant.
That said, free alternatives may be a viable option if your budget doesn’t have room for a paid solution. Consider ClamAV or Maldet, both of which are open-source applications that can scan and score potential threats on your server.
Activate CMS auto-updates
If you run your website on a popular content management system (CMS) such as Joomla, Drupal, and WordPress, you make a great target for hackers who are constantly scanning the web for security loopholes. Add to that the fact that CMS developers are always releasing security fixes, and you have the perfect storm of opportunity for bad actors.
Activating auto-updates in your CMS means updates, new feature releases, and other fixes are applied as soon as a new version is released. Most major CMS players offer auto-updating, so be sure that yours is switched to “on.” While you’re there, be sure that you have regular backups running as well.