How to secure your VPS server

August 5, 2020

It doesn’t matter whether you run a small personal blog or a big corporate e-commerce website with high daily traffic – security is a concern for everyone. While sketchy third parties have the time and resources to exploit any weakness they find in your system, you can take additional measures to improve your VPS server security and stop them. Here’s what you can do to improve your protection.

 

Keep all software up to date

It goes without saying that all outdated programs, applications, add-ons, and even an OS pose a high security risk. Developers offer frequent updates not only to tweak certain settings or introduce new features but to patch any known security vulnerabilities.

Update everything whenever a new update comes out, or if you find it to be a hassle, just automate this task. If you’re running a Debian- or Ubuntu-based OS, you can go for “apt-get”, and for CentOS- and RHEL-based OSs, there’s the “rpm/yum” package manager. These are very handy as they can also notify you via email about the updates and what’s being changed/fixed. Another easy way to automate updates is to set up cron jobs. Here’s a quick guide on how to create them in cPanel.

 

Remove unused modules/packages

While keeping software updated is central to improving your VPS server security, you should also uninstall everything that isn’t being used. Chances are that most of the modules or packages that come pre-installed with certain distributions just aren’t needed. And if you don’t really need or use it, you probably won’t be rushing to update it whenever a new version comes out. Make sure that you’re only running services that you’re actually using, remove the rest, and you won’t have to worry about additional weaknesses.

Furthermore, don’t install packages, modules, or software that is unnecessary for the server. And if you really want a specific add-on or application, check whether it has any known security vulnerabilities.

 

Change the default SSH port

Another great way to boost your VPS server security is by changing the default SSH port, which is usually set to 22. Many users forget to do this, and, naturally, hackers take advantage of this mistake by programming bots to target this specific port. But the bots can’t hack something that they can’t find.

Follow these steps to change the default SSH port:

  1. Open the “/etc/ssh/sshd_config” configuration file.
  2. Find the following line: “# What ports, IPs and protocols we listen for”. There should be “Port 22” right under it.
  3. Change “22” to your chosen number. Do not enter a number that is already used on the system!
  4. Save and exit the configuration file.
  5. Restart the service with this command: “/etc/init.d/ssh restart”

When you request an SSH connection, you’ll just have to indicate the new port.

 

Disable unused network ports

As with default SSH ports, unused and open network ports also pose a great risk for your VPS server security. You can check which ports are currently open with the “netstat” command. It will also show which port is associated with which system service.

Single out the ones that aren’t wanted and set up “iptables”, which is a rule-based firewall utility that can be used to close open ports. You can also use the “chkconfig” command to disable any unwanted services.
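One way to single out the unwanted listeners is to compare the “netstat” listing against the short list of ports you actually mean to expose. The script below is an added example, not part of the original article; the sample listing, the function names and the allowed-port list are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tlnp` output (not taken from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      944/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      701/vsftpd
tcp6       0      0 :::80                   :::*                    LISTEN      1033/nginx
tcp6       0      0 :::111                  :::*                    LISTEN      1/init
EOF
}

# unexpected_listeners "ALLOWED PORTS": reads netstat output on stdin and
# prints "port program" for every LISTEN socket that is reachable from the
# network and whose port is not in the space-separated allow list.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)  # address without the port
            # Loopback-only services cannot be reached from outside the server.
            if (host == "127.0.0.1" || host == "::1") next
            prog = $7; sub(/^[0-9]+\//, "", prog) # drop the PID prefix
            if (!(port in ok)) print port, prog
        }' | sort -n -u
}

# On a live server: netstat -tlnp | unexpected_listeners "2222 80 443"
sample_netstat | unexpected_listeners "2222 80 443"
```

Each line of output is a candidate for a firewall rule or for disabling the service behind it.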

 

Use only strong passwords

While it might seem that everyone already knows that having a strong password policy is crucial, this point still needs to be repeated – weak passwords remain the number one threat to VPS server security. Here are some tips that will help you create strong passwords:

  • Make them as long as possible
  • Don’t use words that can be found in a dictionary
  • Avoid using pop culture references or simple number placement
  • Use a mixture of upper- and lower-case letters, symbols, and numbers

Remember to never use the same password twice – everything on the system that requires a password should have its own unique one. It’s also good practice to change them regularly, i.e. every 3 weeks or so.

Create regular backups

Security isn’t only limited to protecting yourself from possible hacker attacks – you also have to keep your data safe. Creating backups is essential not only for VPS but for every type of hosting in general. You never know what could go wrong on your server, and data loss is extremely damaging to your reputation, trustworthiness, and profits, especially when confidential client information is put at risk.

While most hosting providers create backups on your behalf or offer additional services for this task, don’t just rely on your host. It’s strongly recommended to do them yourself on a regular basis and, ideally, they should be stored outside your server in different locations.

 

Disable root logins, change the root password and create a separate user

Every VPS comes with a default “root” username for the users to log into the system. It’s very risky to leave it as is because hackers can use brute force attacks to eventually crack the password and gain access. What you can do to improve your VPS server security is to disable any logins from the “root” username and create another username with the appropriate permissions. You’ll have to use the “sudo” command to execute all root-level commands.

To create a new user, type in the following command: “adduser CustomUserName”. Just follow the prompts and enter your password, name, etc. Don’t forget to set root permissions for this new user.

If you’re planning on still using the “root” login, then at least change this username’s password. You can do so by typing in this command: “passwd root”. Just enter your new password twice. Note: the password is not going to be displayed when you’re typing it for security reasons.
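The SSH port change and the root login restriction both end up in “/etc/ssh/sshd_config”, so one check can confirm them together. The script below is an added example, not part of the original article; the sample configuration and the function names are constructed, and it assumes the standard OpenSSH “PermitRootLogin” keyword and a file without “Match” or “Include” sections.

```shell
#!/bin/sh
# Constructed sample sshd_config (not taken from a real server).
sample_sshd_config() {
cat <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# sshd_value KEY: prints the first uncommented value of KEY from the config
# on stdin. Keywords are case-insensitive and sshd keeps the first value it
# reads for a keyword, so later duplicates are ignored here as well.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd FILE: prints one finding per line for the two settings the
# article covers, and prints nothing when both are hardened.
audit_sshd() {
    port=$(sshd_value Port < "$1")
    root=$(sshd_value PermitRootLogin < "$1")
    # With no Port line at all, sshd listens on its built-in default, 22.
    [ "${port:-22}" = "22" ] && echo "Port: still the default 22"
    [ "$root" = "no" ] || echo "PermitRootLogin: '${root:-unset}', expected 'no'"
    return 0
}

# On a live server: audit_sshd /etc/ssh/sshd_config
tmp=$(mktemp)
sample_sshd_config > "$tmp"
audit_sshd "$tmp"
rm -f "$tmp"
```

Running `sshd -t` after editing checks the file for syntax errors before the service is restarted, which avoids locking yourself out with a broken configuration.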

 

Switch from FTP to SFTP

While File Transfer Protocol (FTP) is a convenient way to move files, it’s one of the oldest protocols used today. It doesn’t have proper encryption and is vulnerable to packet sniffing, in which computer programs intercept and log the traffic that’s going through your network. This means that third parties can read data that is being transferred. Some users opt for FTPS as it’s supposed to improve the security, but the truth is that it only encrypts the credentials.

That is why “secure FTP” or SFTP was created, and users are strongly advised to switch to this protocol. It encrypts both the credentials and the files, making sure that no one can read them.

 

Besides disabling certain features and switching to a better protocol, you can also improve your VPS server security by installing and configuring additional programs meant to do just that. Here’s what we recommend:

  • Firewalls. Essentially, these are the gatekeepers of the server, allowing or denying access to the system. A firewall keeps away unwanted traffic and protects you against such attacks as SQL injections, HTTP floods, and more. Regardless of whether you’re using a pre-installed or a custom one, you should still configure the following:
    • Traffic filtering, so that incoming traffic matches defined patterns you’ve observed
    • Blocking certain IP addresses
    • Closing unused ports
  • Antimalware/antivirus programs. While firewalls take care of the incoming traffic, they are not fool-proof and harmful software can still slip through. That’s why you also have to make sure that everything on the server is safe by installing anti-malware and antivirus programs. They’ll monitor all system activity and quarantine unwanted/suspicious files. While paid solutions are usually the best choice, there are some trustworthy open-source options, like ClamAV, Maldet, and CXS.
  • Rootkit scanners. Rootkits are extremely dangerous as they provide hackers with privileged access to the system. They can be quite hard to spot as they are designed to install themselves as part of another piece of software, a download, or even an OS. Boost your VPS server security by installing a rootkit scanner like “chkrootkit”, which will scan your server for any possible rootkits. It should be noted, though, that they are hard to get rid of, and most times you’re better off just reinstalling the OS.
  • cPHulk. This tool is integrated within cPanel, and it acts as a secondary firewall. It protects your system by blocking IPs with several failed login attempts to cPanel, WHM, FTP, and even server email. If you have this control panel and want to enable this feature, go to the WHM Security Center and choose cPHulk Brute Force Protection.
  • Fail2ban. This is another tool that you can use to deal with brute-force attacks. It blocks unknown IP addresses from trying to gain access to the server. To install the software package, type in this command: “apt-get install fail2ban”. Once installed, customize the configuration to your liking, but also remember to create a backup of the original settings beforehand. You can do so with the following command: “cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup”. When you’re done changing the configuration, restart the service.
  • SSL certificates. These certificates completely encrypt all data being sent to and from your system. No one can intercept the information, let alone read what is being transferred, without having the appropriate decryption keys. That’s why it’s crucial to have these installed not only for VPS server security but for the protection of all kinds of hosting in general.

Lastly, don’t forget to monitor your server logs. Not only will you gain a better understanding of your system, but you’ll also be instantly notified when a problem occurs or if there is a hacking/cyber-attack attempt. When it comes to security, it’s better to minimize the threat as much as possible and be ready for anything than to be scrambling to save what’s left in the aftermath.
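For the log monitoring and brute-force points above, the simplest useful check is to count failed SSH password attempts per source address, which is the kind of tallying a tool like Fail2ban automates. The script below is an added example, not part of the original article; the log lines, the function names and the threshold are constructed, and the addresses come from documentation-only ranges.

```shell
#!/bin/sh
# Constructed sample of sshd entries as they appear in an auth log.
sample_auth_log() {
cat <<'EOF'
Aug  5 10:01:12 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  5 10:01:15 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  5 10:01:19 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Aug  5 10:02:40 vps sshd[1210]: Failed password for deploy from 198.51.100.7 port 40022 ssh2
Aug  5 10:03:02 vps sshd[1214]: Accepted password for deploy from 198.51.100.7 port 40030 ssh2
Aug  5 10:04:11 vps sshd[1220]: Failed password for invalid user test from 203.0.113.5 port 51302 ssh2
EOF
}

# failed_login_sources THRESHOLD: reads sshd log lines on stdin and prints
# "count ip" for every source address with at least THRESHOLD failed
# password attempts, busiest source first.
failed_login_sources() {
    awk -v min="$1" '
        / sshd\[[0-9]+\]: Failed password for / {
            # The address follows the LAST "from" on the line; scanning from
            # the end keeps a user name of "from" from being counted as an IP.
            for (i = NF; i > 1; i--)
                if ($(i - 1) == "from") { hits[$i]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' | sort -rn
}

# On a live server the input would be the system auth log instead.
sample_auth_log | failed_login_sources 3
```

Addresses that show up here repeatedly are the ones a ban rule or firewall block should cover; a successful login from the same address shortly after a run of failures deserves a closer look.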