Business operations are increasingly moving online. Most small and medium-sized businesses (SMBs) start their web hosting journey with a virtual private server (VPS). Whether managing it in-house or hiring a system administrator, VPS security is vital to the success of any business.
Web hosting providers usually offer unmanaged or managed VPS hosting with several options for server security. Limited server access finds that the provider provides security patches and server-side configurations. Users allowed root access can perform some or all of these functions themselves.
Experienced and beginner admins must know how to secure their VPS hosting environment best. This article provides eight tips for enhancing your VPS security.
- Common Linux VPS Security Vulnerabilities
- Unmanaged vs. Managed VPS Security
- VPS Security Tips
Common Linux VPS Security Vulnerabilities
Many server security vulnerabilities can affect your VPS hosting environment. Here are some common security threats to look out for.
Weak passwords are a widespread Linux VPS security vulnerability. Hackers use these exposures to guess weak passwords or use other means, such as brute-force attacks, to get them and gain access to systems quickly. Once bad actors gain system access, they can steal data or cause harm to systems by releasing malware or execute root level commands.
Another security vulnerability for VPS hosting is unpatched software. Security patches plug holes in operating system, ensuring no exploitation of known vulnerabilities in the wild. When the operating system goes without these critical updates, cyber thieves use the exploits to access login credentials, web servers, or sensitive data.
Lack of Deployed Firewall
A firewall offers additional protection from unauthorized users accessing your environment, whether physical or software-based. Depending on your hosting infrastructure, deploying a firewall is another secure layer between your servers and malicious actors.
Improper Linux VPS Configuration
Misconfiguring your server leaves your entire server susceptible to attack. Leaving ports open or unrestricted can provide an unnecessary entry point for malicious activity.
Another improper Linux server configuration is an unsecured Secure Shell (SSH). Commonly used to access a web server remotely, SSH can be vulnerable to brute force attacks when not correctly configured.
File Transfer Protocol (FTP) is another VPS hosting tool that allows transferring files to and from your Linux VPS. You avoid being vulnerable to compromising attacks by securing your FTP connections correctly.
Lack of User Permission Processes
When businesses part ways with employees, ensuring they no longer have access to sensitive data is essential. If no processes are in place to protect sensitive information, SMBs put themselves in jeopardy of data loss or attack.
Unmanaged vs. Managed VPS Security
When it comes to unmanaged vs. managed VPS hosting for security, you must determine the amount of support you and your team will provide.
A web hosting provider typically supports only the hardware for unmanaged servers. An unmanaged environment gives you the ultimate control of your software and how it interacts with the hardware. Your team is solely responsible for server configurations, software installation, and patches.
Managed VPS security, however, offers support from the hosting provider for these and other functions. While there may be some restrictions on the software you can install, the tradeoff is knowing that you have the provider’s support in times of need.
VPS Security Tips
Securing your VPS can be daunting, but it is necessary for your data security. Here are eight tips for your VPS security in no particular order.
#1. Use Strong Passwords
Most critical tasks on the Internet, from email to banking, require a password. Data breaches and cyberattacks typically begin with weak passwords that hackers can guess or crack to gain system access.
Your VPS security begins with strong passwords for all your services and users accessing your systems and services. The best practice for strong passwords is that they are long, lack personal information or identifiers, and are challenging for others to guess yet simple for you to recall.
Password strength is measured by how many seconds a person or program takes using brute-force attacks to crack it. Strong passwords have a strength meter rating greater than or equal to 70 seconds.
#2. Use 2FA on WHM/cPanel
Another means of VPS security is using Two-factor Authentication (2FA). It is a security method requiring users to provide two authentication elements for verification. Many companies and services offer 2FA as an additional security measure.
cPanel/WHM allows enabling this feature to level up your VPS security. Turning this feature on in the settings ensures that those accessing your web hosting environment validate their identity.
#3. Use CSF Firewall
Using a firewall enhances the security of any web hosting environment. It allows users to set rules by which traffic accesses your servers. A firewall maintains legitimate traffic while blocking erroneous traffic from gaining access.
One such firewall is ConfigServer Security & Firewall (CSF). With CSF, SMBs can effectively protect against Distributed Denial-of-Service (DDoS) attacks. You can install CSF provided you have root privileges to your server and can run commands from the Linux command line.
#4. Change SSH to a Non-Standard Port
Your Linux server typically uses port 22 for SSH listening as the default SSH port. Because this is common knowledge, hackers often exploit it to gain access to your server and, ultimately, your data. Changing the port to a non-standard one helps to secure against these exploits.
You must edit the sshd_config file to change the SSH listening port. Use the text editor of your choice to complete this process. This guide uses the Vim text editor.
Use the following command to open the sshd_config file:
Locate the line in the file that resembles the following:
#What ports, IPs, and protocols we listen for
Edit the port number to one of your unused network ports. Once completed, save and exit the file. For those using Vim, use the following command:
#5. Leverage WHM Host Access Control
Web Host Manager (WHM) offers a service called Host Access Control, which allows setting rules for allowing and denying access to your server based on the IP address trying to gain access. The most secure way to use Host Access Control is to deny all access while allowing only the connections you wish to proceed.
To set up a rule:
- Log into your WHM account.
- From the Security Center, select Host Access Control.
- Add the name of the service you wish to control under Daemon.
- Add the IP address you want to allow or deny under Access List.
- Under Action, add the action you wish to take, either Allow or Deny.
- In the Comment section, add any notes for the rule you created.
#6. Disable SSH Root Login or Password Auth
Root access to any Unix-based or Linux system allows total system access. This control enables altering or creating directories and installing or deleting programs. Malicious actors could do with your infrastructure as they pleased.
Because SSH is a means of connecting to servers remotely, disabling root logins via this method is a best practice among system administrators. Admins can still use sudo commands for these functions if more elevated permissions are necessary. In addition, admins can opt to have users utilize SSH keys.
Disabling SSH root login again requires editing the sshd_config file. Using the text editor of your choice, follow these steps.
Open the file. For those using the Vim text editor, use the following command:
Ensure the file contains the following line:
In locking out root access via SSH, ensure the regular user can log in by username or group. Insert the following lines, replacing username with the actual user name and groupname with the existing group name.
Once completed, save and exit the file using the following command:
#7. Keep Packages and Systems Up-to-Date
Keeping operating systems up-to-date is fundamental to any security best practices. An updated Linux server means your systems are patched and running the latest firmware to guard against potential security threats.
For RHEL-based Linux systems, the Yellowdog Updater Modified (YUM) is the package manager that updates the packages and systems. Here are some commands to update your system:
Use one of the following commands to resynchronize your package index with the source:
sudo yum update
You can list the installed packages for which updates are available using the following command:
sudo yum list updates
To update a specific package, use the update command. This example updates the mySQL package:
sudo yum update mysql
#8. Use Imunify360
Imunify360 is a suite of security tools and services designed to protect your Linux server from malicious actors. It offers some free services, though it primarily requires payment for its advanced solutions.
Some of its key features include:
- External blacklist/whitelist management.
- Low resource usage mode.
- Exim+Dovecot brute-force attack protection.
- Malware Database Scanner (MDS).
- Overridable config.
- Scan of the system and user crontab files for malicious jobs.
Imunify360 provides the tools to secure your VPS instead of creating your configurations.
Implementing these eight tips for VPS security will take you far in protecting your virtual private server from malicious attacks. The key is staying vigilant and proactive with security measures, regularly updating and monitoring your VPS for security gaps. Following these tips will help you rest knowing your Linux server is safeguarded against potential threats.