Mondoze Blog

VPS Hosting | 10 Best Security Tips For Linux VPS Hosting

What is VPS Hosting?

VPS stands for virtual private server, which allows web hosts to divide a bare-metal server into smaller VPS instances rather than sharing all resources on shared servers. Customers perceive each instance as a dedicated server, but it is actually a virtual machine with dedicated resources. The resources are assigned based on the customer’s service level, but they may differ between virtual machines and web hosts.

Customers can run their own Linux distributions on VPS Hosting, which is another benefit. For various reasons, they can operate multiple virtual machines on the host server with different distros of their choice. Using dedicated servers on a third-party host or building out the infrastructure on-premise is usually a more cost-effective solution.

How to Secure a Linux VPS Hosting?

Linux VPS hosting can be secured in a number of ways. While hosting providers rely on users to protect their sites to some extent, administrators can still customise and install tools to make a Linux VPS more secure. Customers who host their websites on a VPS can also take steps to secure their sites and services.

1. Choose a Hosting Provider That Takes Security Seriously

Web hosts are responsible for keeping infrastructure secure for their customers. Not all web hosting companies address security the same way. Customers should choose their web host carefully in order to make their website secure. 

2. Change the SSH Default Port

SSH is required for remote access to a server and listens on port 22 by default. To get remote access over SSH, attackers scan servers for open ports such as 22. After identifying SSH on port 22, an attacker may conduct a brute-force attack to guess the root user’s credentials and get remote access to the server.

To defend against this attack, the SSH port can be changed to a different one. Automated scans that only check port 22 will find nothing if SSH is running on a different port. The following file must be edited to change the port (we’ll change this file in other tips, so keep it open):

/etc/ssh/sshd_config

Make sure that the port isn’t being used by another service before editing the file; otherwise, you’ll have a conflict and neither service will work.
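The check-then-edit procedure described above, as an added example that is not part of the original article: it refuses a port that already has a listener and writes a new copy of the configuration for review. The function names, port 2222 and the sample inputs are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample inputs (not taken from a real host).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN'
SAMPLE_CONFIG='#Port 22
Port 22
PermitRootLogin no'

# Succeeds if no LISTEN socket in the `netstat -tln` text ($2) uses port $1.
port_is_free() {
    ! printf '%s\n' "$2" |
        awk -v p="$1" '$NF == "LISTEN" && $4 ~ (":" p "$") { hit = 1 }
                       END { exit !hit }'
}

# Reads sshd_config on stdin and writes a copy that listens only on port $1.
# The new directive goes first so it cannot land inside a Match block.
with_ssh_port() {
    awk -v p="$1" '
        BEGIN { print "Port " p }
        tolower($1) == "port" { next }   # drop the old active Port lines
        { print }
    '
}

# Usage: change_ssh_port NEW_PORT "$(netstat -tln)" < sshd_config > new_file
change_ssh_port() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid port: $1" >&2; return 2 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "port out of range: $1" >&2; return 2
    fi
    if ! port_is_free "$1" "$2"; then
        echo "port $1 is already in use" >&2; return 1
    fi
    with_ssh_port "$1"
}

# Demo on the constructed samples: port 2222 is free, so the new config prints.
printf '%s\n' "$SAMPLE_CONFIG" | change_ssh_port 2222 "$SAMPLE_NETSTAT"
```

On a real server, check the generated file with sshd -t -f before replacing /etc/ssh/sshd_config, and allow the new port in the firewall. Keep an existing session open while restarting the service so a mistake does not lock you out.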

3. Monitor Server Logs

Monitoring should be enabled by both host administrators and website owners. Monitoring a server requires recording specific events such as login failures (and perhaps successes), unsuccessful uploads, errors, and other typical security issues. These logs can then be used to create analyses and reports that give admins detailed insight into server activity. Administrators can use logs to detect an ongoing attack or a breach.

Host administrators can monitor activity on their servers to verify that customer sites are secure, but website owners should monitor their own sites as well. The sooner a compromise is contained, the smaller the window of opportunity for an attacker to exfiltrate data.
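One way to turn the login-failure records mentioned above into something actionable, added here as an example and not taken from the original article: count failed SSH password attempts per source address and flag a successful login that follows failures. The log lines are constructed samples in the usual sshd format; the function names and thresholds are assumptions.

```sh
#!/bin/sh
# Constructed sample of sshd lines as they appear in an auth log.
SAMPLE_LOG='Mar  3 10:01:12 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:19 vps sshd[1203]: Failed password for invalid user from 192.0.2.99 from 203.0.113.7 port 51130 ssh2
Mar  3 10:02:40 vps sshd[1210]: Failed password for deploy from 198.51.100.23 port 40022 ssh2
Mar  3 10:03:05 vps sshd[1215]: Accepted password for deploy from 198.51.100.23 port 40030 ssh2
Mar  3 10:04:11 vps sshd[1220]: Failed password for root from 203.0.113.7 port 51190 ssh2'

# Print "COUNT IP" for every source with at least $1 failed password attempts.
# The address is read relative to the end of the line because the user name
# earlier in the line is chosen by the client and may contain spaces or "from".
failed_by_ip() {
    awk -v min="$1" '
        /sshd.*: Failed password for / && $(NF-4) == "from" { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Print "IP FAILURES" when a password login succeeds from a source that
# already has at least $1 failures earlier in the same log.
success_after_failures() {
    awk -v min="$1" '
        /sshd.*: Failed password for / && $(NF-4) == "from" { n[$(NF-3)]++ }
        /sshd.*: Accepted password for / && $(NF-4) == "from" {
            if (n[$(NF-3)] >= min) print $(NF-3), n[$(NF-3)]
        }
    '
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip 3
printf '%s\n' "$SAMPLE_LOG" | success_after_failures 1
```

On Debian and Ubuntu these records are normally in /var/log/auth.log, and on Red Hat based systems in /var/log/secure.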

4. Disable Unused Ports

Several ports are open when Linux is installed. Some are required for specific uses, while others are not. For example, port 80 is frequently opened for web applications, although you may not require this port to be open. Because leaving unused ports open increases the server’s attack surface, best practice is to disable them.

The netstat command can be used to find open ports. The iptables command can then be used to change firewall settings or alter open ports. To begin, run netstat to see what ports are open:

netstat -a

Consider the case where you want to disable port 22. netstat can show you whether or not port 22 is open. After you’ve confirmed that you want to drop traffic to port 22 and prevent it from being used, run the following command:

iptables -I INPUT -p tcp --dport 22 -j DROP
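An added example (not from the original article) that applies the two steps above: it reads netstat -tln output, lists externally reachable TCP listening ports that are not on an allowlist, and prints the matching iptables commands for review without running them. The allowlist, the function names and the sample output are assumptions.

```sh
#!/bin/sh
# Constructed sample of `netstat -tln` output (plus one established session).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address   State
tcp        0      0 0.0.0.0:2222     0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:80       0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:3306   0.0.0.0:*         LISTEN
tcp6       0      0 :::80            :::*              LISTEN
tcp6       0      0 :::21            :::*              LISTEN
tcp        0      0 192.0.2.10:2222  203.0.113.7:51122 ESTABLISHED'

# Reads netstat output on stdin; $1 is a space-separated list of allowed ports.
# Prints each listening TCP port that is neither allowed nor loopback-only.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next   # not reachable remotely
            if (!(port in ok)) print port
        }
    ' | sort -n -u
}

# Turns a list of ports into the DROP rule used in this article (printed only).
drop_rules() {
    while read -r port; do
        printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Demo: SSH on 2222 and HTTPS on 443 are the only ports meant to be open.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports "2222 443" | drop_rules
```

Review the printed rules before running them; a DROP rule for the port your SSH daemon is listening on ends your own remote access.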

5. Use GnuPG Encryption

Eavesdropping is possible on any data sent over the internet. HTTPS encrypts data between clients and websites, but other data, such as credentials given to server services or files sent using FTP, could be intercepted. Asymmetric encryption solves this problem by encrypting data with a public key so that it can only be decrypted with the recipient’s private key.

Administrators and site owners can use the GnuPG application to encrypt data transfers asymmetrically. Any third party can send encrypted material to the site owner or administrators using the generated public key, and the private key is used to decrypt it. Because the private key decrypts the data, it should be kept safe and never shared with anyone else.

6. Implement a Strong Password Policy

A password policy should always be in place for any user who has access to network resources. Users frequently choose passwords that are easily guessed by brute-force attacks. A password policy imposes length and complexity requirements whenever a password is created, including when users are required to change their password and during password resets.

Passwords should, in general, include the following:

  • At least 10 characters are required for access to highly sensitive data, and 12 characters are required for access to highly sensitive data.

  • At least one numeric character is required.

  • At least one special character is required.

  • Uppercase and lowercase letters are included.

7. Use Disk Partitioning

Attackers who gain access to the operating system’s executables can tamper with its operations and functionality, as well as eavesdrop on data. An attacker can use the /tmp and /var/tmp user directories to upload and execute malicious files to obtain access to the operating system. To make the server more secure, you can separate the operating system from the user file partitions.

To mount the two partitions securely, use the noexec (no execution of binaries) and nosuid (do not allow set-user-identifier or set-group-identifier) options:

# mount -t tmpfs -o noexec,nosuid,nodev tmpfs /tmp 

# mount -t tmpfs -o noexec,nosuid,nodev tmpfs /var/tmp
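To verify that the options are actually in effect, the following added example (not part of the original article) reads /proc/mounts-style text and reports which of noexec, nosuid and nodev are missing on /tmp and /var/tmp, then prints a suggested command. The sample mount table is constructed and the function names are assumptions.

```sh
#!/bin/sh
# Constructed sample in /proc/mounts format: device, mount point, type, options.
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# Reads a mount table on stdin and prints one line per directory:
#   DIR ok | DIR missing:opt[,opt] | DIR not-a-separate-mount
# A later line for the same mount point overrides an earlier one, because the
# most recent mount is the one in effect.
audit_tmp_mounts() {
    awk '
        BEGIN {
            nd = split("/tmp /var/tmp", dirs, " ")
            nr = split("noexec nosuid nodev", req, " ")
            for (i = 1; i <= nd; i++) state[dirs[i]] = "not-a-separate-mount"
        }
        ($2 in state) {
            opts = "," $4 ","; miss = ""
            for (i = 1; i <= nr; i++)
                if (!index(opts, "," req[i] ","))
                    miss = miss (miss == "" ? "" : ",") req[i]
            state[$2] = (miss == "" ? "ok" : "missing:" miss)
        }
        END { for (i = 1; i <= nd; i++) print dirs[i], state[dirs[i]] }
    '
}

# Turns the audit output into commands to review (printed, never executed).
suggest_fix() {
    while read -r dir state; do
        case "$state" in
            ok) ;;
            missing:*) echo "mount -o remount,noexec,nosuid,nodev $dir" ;;
            *) echo "mount -t tmpfs -o noexec,nosuid,nodev tmpfs $dir" ;;
        esac
    done
}

# Demo on the constructed sample: only /var/tmp needs attention.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_tmp_mounts | suggest_fix
```

On a live system, run audit_tmp_mounts < /proc/mounts. The mount commands above do not persist across a reboot unless matching entries are added to /etc/fstab.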

8. Use SFTP

File transfers to the server are encrypted using Secure FTP. FTP transports all data in plaintext, but SFTP is “FTP over SSH,” which encrypts file transfers. Some site owners may be tempted to employ FTPS, but this protocol simply encrypts credentials given to the server for authentication. Both the credentials and the files being exchanged are encrypted using SFTP.

9. Keep the Operating System Patched and Updated

Although the Linux operating system was designed with security in mind, issues do arise from time to time that must be addressed. When patches are required, your distribution’s vendor will provide an update. In some circumstances, the discovered vulnerability is deemed critical. When a vulnerability is critical, administrators must update the operating system as soon as possible because the exploit could compromise the server.

The longer an operating system remains unpatched, the greater the window of opportunity for attackers. Server updates are frequently scheduled by administrators, but delayed updates leave the server vulnerable to exploits until patches are installed.

10. Prevent Anonymous FTP Uploads

Allowing anonymous FTP uploads to your Linux VPS will almost certainly result in your server becoming a repository for illegal software and other questionable content. Such content could include malware that spreads throughout the virtual system. Instead of allowing anonymous uploads, the FTP server should be configured so that only authorised users can upload.

Open the following file to stop anonymous access:

/etc/vsftpd/vsftpd.conf

Make the following changes to the anonymous access configuration:

anonymous_enable=NO
