Today’s topic is how to secure a Linux VPS. Linux VPS servers are much more secure than other operating systems like Windows because of the Linux Security Model (LSM). But they are not flawless, and they are certainly not invulnerable. So how do you secure a Linux VPS and protect it against hackers?
Taking charge of your own Linux server is an opportunity to try new things and maximize the power and versatility of a great platform. However, Linux server administrators must take the same care that is needed to keep any network-connected computer safe and secure.
Vulnerabilities in web server infrastructure can be catastrophic. Millions of hackers around the world are working around the clock to find even the smallest security flaws in your Linux VPS.
It is important to secure your VPS against future threats because, sooner or later, hackers will come for you. In particular, corporate and e-commerce websites are becoming prime targets for hackers. Although most businesses have basic security measures in place, they are often ineffective and easily compromised.
This post will introduce you to basic Linux server security. Although it focuses on Debian/Ubuntu, you can extend anything presented here to other Linux distributions.
What is Linux VPS?
Nowadays, Linux VPS servers use cloud platforms that have better security features than most of their competitors. Storing data in a cloud-based environment such as a Virtual Private Server (VPS) is a very important factor in protecting sensitive files these days. Storing data in a cloud means storing files somewhere else rather than on a personal computer or hard drive.
But it still has vulnerabilities that allow attackers to compromise unsecured VPS servers to steal sensitive data hosted inside them. When users order VPS hosting, an operating system is pre-installed or delivered. Regardless, it’s up to you to protect your VPS and choose the best Linux VPS cloud.
The primary concern is running your applications on the VPS infrastructure; managing those applications properly, without any security vulnerabilities, is another major concern.
Why should you secure your Linux VPS?
At a higher level, when a computer, like a server, is in the public domain and open to the outside world, it becomes a target for bad actors. An unsecured computer is a gateway for bad actors who want to access your data or use your server as another node for their large-scale DDoS attacks.
The worse problem is that without good encryption, you’ll never know if your server has been compromised. A bad actor can gain unauthorized access to your server and copy your data without changing anything, and you’ll never know about it. Or maybe your server was part of a DDoS attack and you don’t realize it.
You’ll see big data breaches in the news, and companies often don’t discover data leaks or breaches until long after the bad actors are gone.
Contrary to popular belief, bad actors aren’t always trying to change something or lock you out of your data for money. Often, they just want to store your server data in their database system (there is a lot of money in big data) or secretly use your server for their purposes.
Linux Security Model (LSM)

LSM is code built directly into the Linux kernel that can deny process access to critical kernel objects using the LSM system. Protected object types include files, task structures, credentials, and interprocess communication items.
Because these objects are the primary means by which processes interact with their environment, carefully defining the permitted interactions lets a security administrator make it more difficult for an attacker to exploit a vulnerability in a program and gain access to other areas of the system.
LSMs are not meant to prevent a system from being attacked; the tools for that are good coding standards, configuration management and memory-safe languages. However, the security provided by LSMs helps prevent your device from being compromised when an attacker exploits a vulnerability in one of the running programs.
This can be an important layer in any defense-in-depth strategy for Linux systems, and by knowing what protections they offer, you can have a better understanding of which systems to protect and how to apply those protections. Linux VPS servers are much more secure than other operating systems like Windows because of the Linux Security Model (LSM).
Here are some steps to secure a Linux VPS
Keep software up to date
You should monitor updates for your server software using the RPM or YUM package manager (CentOS/RHEL) or apt-get (Ubuntu/Debian), and download the latest versions of software and component updates.
Disable root login
You should never sign in as the root user. As a general rule, every Linux server has “root” as a username, so hackers try brute-force attacks against it to crack the password and gain access.
Disabling login for the root username adds another layer of protection, as it prevents attackers from guessing that account’s password.
Create a new username and use the sudo command to run root-level commands instead of logging in as the root user. sudo grants special access to authorized users, letting them run administrative commands without a root login.
Before you disable the root account, ensure that your non-root user is created and provided with the required level of permissions.
Create an SSH key pair

While strong passwords can make a difference, better methods for logging into private servers are possible. In particular, Secure Shell (SSH) key pairs are worth introducing because these systems are much more difficult to hack through brute force.
Before using SSH keys, it’s important to understand why you want to implement them instead of a regular username and password setup. While passwords are more convenient for everyday users, these same users rely on easily guessed choices that leave the entire security infrastructure vulnerable.
SSH key pairs are not as user-friendly as passwords, but they are significantly more secure. This enhanced security may be related to the encryption used by both the server you log into and the device you use.
At a minimum, an SSH key pair is equal to a 12-character password; however, most SSH key pairs are much more complex. For this reason, setting up SSH key pairs should be one of the first steps when implementing a proactive server security strategy.
Enable two-factor password authentication
Check the strength of the passwords you use for cloud accounts and enforce a minimum password policy. Don’t use the same password for different resources. Get a password manager and set unique passwords for every service.
Enable two-factor authentication at a minimum to protect your data and secure your account. Make sure you are notified if someone tries to reset your secret key, and if security questions are involved, make sure you choose hard ones.
Change SSH Port

It is much harder for hackers to attack SSH when they cannot find it. Changing the SSH port number will prevent malicious scripts from connecting directly to the default port (22).
To do this, you need to open
/etc/ssh/sshd_config
and change the appropriate settings. Double-check if another service uses the selected port number.
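The root-login, key-pair and port steps above all end up as settings in /etc/ssh/sshd_config. The script below is an added example, not part of the original article: it audits the global section of such a file and checks whether a candidate port is already taken. The sample configs and the `ss` line are constructed, and the defaults used for missing keywords are the upstream OpenSSH ones.

```bash
#!/usr/bin/env bash
# Added example: audit the global section of an sshd_config file.
# sshd keeps the FIRST value it reads for a keyword; Include files and Match
# blocks are not followed here (run `sshd -T` as root for the full effective config).

# sshd_value FILE KEYWORD DEFAULT -> effective lowercase value
sshd_value() {
  awk -v key="$2" -v def="$3" '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    tolower($1) == "match" { exit }               # stop at conditional blocks
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE -> one WARN line per weak setting, nothing if clean
audit_sshd_config() {
  local f="$1" port root pass
  port=$(sshd_value "$f" Port 22)                            # upstream default
  root=$(sshd_value "$f" PermitRootLogin prohibit-password)  # upstream default
  pass=$(sshd_value "$f" PasswordAuthentication yes)         # upstream default
  [ "$port" = 22 ] && echo "WARN Port: default port 22 in use"
  [ "$root" != no ] && echo "WARN PermitRootLogin: '$root', expected 'no'"
  [ "$pass" != no ] && echo "WARN PasswordAuthentication: '$pass', expected 'no' with key pairs"
  return 0
}

# port_listening PORT -> exit 0 if PORT appears in `ss -Hltn` output on stdin
port_listening() {
  awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) hit = 1 }
                 END { exit !hit }'
}

# Constructed sample configs (not taken from a real host).
sample_weak() { printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'PermitRootLogin no'; }
sample_hardened() {
  printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
                'PubkeyAuthentication yes' 'Match User backup' 'PasswordAuthentication yes'
}

tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
sample_weak > "$tmp";     echo "weak:";     audit_sshd_config "$tmp"
sample_hardened > "$tmp"; echo "hardened:"; audit_sshd_config "$tmp"
# Constructed `ss -Hltn` line: something already listens on 2222.
echo 'LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*' | port_listening 2222 && echo "2222 is taken"
```

On a real server, run `audit_sshd_config /etc/ssh/sshd_config` and `ss -Hltn | port_listening <new-port>` before restarting sshd, and keep an existing session open until a new login on the new port succeeds.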
Disable unused network ports; Disable IPv6
Cybercriminals primarily target open network ports and unused network services, and you need to protect yourself from abuse. Use the “netstat” command to view all currently open network ports and their associated services.
Hackers often send malicious traffic over IPv6, and leaving the protocol open can expose you to potential attacks. IPv6 has some advantages over IPv4, but is used by a smaller group of users.
Use “iptables” to close all open ports or “chkconfig” command to disable unnecessary services.
Configure a firewall
To filter unnecessary traffic to your VPS server, you need a firewall to combat Distributed Denial of Service (DDoS) attacks. Popular firewalls, including CSF and APF, provide plugins for popular panels like cPanel and Plesk.
Installing and configuring a firewall should be one of the first things you do when setting up a new Linux VPS. Use SFTP, which is “SSH over FTP” instead of a File Transfer Protocol (FTP) which is obsolete and no longer secure.
Install anti-malware and anti-virus applications
A firewall’s main function is to prevent access to any known source of malicious traffic and essentially acts as your first line of defense. But no firewall is flawless and malicious applications can still slip through, which is why you need to protect yourself even more. Many inexperienced server administrators neglect to install anti-malware apps.
The most common reason for this is not ignorance; it is that they don’t want to spend money on security products. As a rule, pay-as-you-go options are usually the best because their revenue streams help them hire skilled programmers and researchers who can help the app stay relevant.
Install a Rootkit Scanner to Secure Linux VPS

Rootkits are among the most dangerous pieces of malware. A rootkit resides at the operating system (OS) level, below other standard security software, and can allow undetected access to servers.
Fortunately, you can use tools like chkrootkit, an open-source scanner, to find out if your server is affected. But rootkits aren’t always easy to remove, and the easiest way to fix the problem is always to reinstall the operating system.
Choose a secure physical system
Current VPS systems are very stable. However, they are vulnerable to some types of security problems that other systems do not face. Generally, this is not a concern for most users.
A successful VPS provider should adopt all necessary security requirements to maintain the physical security of the device. This will include limiting access to the bare-metal hardware.
Note, however, that a VPS provider may not have a certain level of security by definition. For example, anything that needs to be air-gapped cannot go on a VPS. National security networks are another example of something that cannot go on a VPS.
Enable SELinux
SELinux is an essential security kit provided by the Linux Foundation. SELinux is simple to install and comes pre-installed with every Linux distro. If you want a secure VPS, make sure SELinux is always on.
Obviously, just turning on SELinux isn’t enough to secure your server. Follow these short guidelines to get the most out of SELinux.
You can check the status of your daemon using the following command:
# sestatus
If it is off, you can turn it on with this command:
# setenforce enforcing
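`setenforce` switches only the running mode: the boot-time mode comes from the SELINUX= line in /etc/selinux/config, and a system where SELinux is disabled cannot be switched on with `setenforce` at all. The script below is an added example, not part of the original article; it reads `sestatus` output and reports which of those cases applies. The sample outputs are constructed.

```bash
#!/usr/bin/env bash
# Added example: interpret `sestatus` output and say what still needs doing.

# selinux_state: sestatus output on stdin -> "<status> <current> <config>"
selinux_state() {
  awk -F':[ \t]*' '
    $1 == "SELinux status"        { status = $2 }
    $1 == "Current mode"          { cur = $2 }
    $1 == "Mode from config file" { cfg = $2 }
    END {
      if (status == "") status = "unknown"
      if (cur == "") cur = "-"
      if (cfg == "") cfg = "-"
      print status, cur, cfg
    }'
}

# selinux_advice: sestatus output on stdin -> one line of advice
selinux_advice() {
  set -- $(selinux_state)
  case "$1/$2/$3" in
    enabled/enforcing/enforcing) echo "OK: enforcing now and after reboot" ;;
    enabled/enforcing/*)  echo "FIX: set SELINUX=enforcing in /etc/selinux/config (runtime mode is lost on reboot)" ;;
    enabled/permissive/*) echo "FIX: run 'setenforce enforcing', then check SELINUX= in /etc/selinux/config" ;;
    disabled/*) echo "FIX: setenforce cannot enable a disabled SELinux; set SELINUX=enforcing in /etc/selinux/config and reboot" ;;
    *) echo "UNKNOWN: sestatus output not recognised" ;;
  esac
}

# Constructed sample outputs (not captured from a real host).
sample_permissive() { printf '%s\n' \
  'SELinux status:                 enabled' \
  'Current mode:                   permissive' \
  'Mode from config file:          permissive'; }
sample_runtime_only() { printf '%s\n' \
  'SELinux status:                 enabled' \
  'Current mode:                   enforcing' \
  'Mode from config file:          permissive'; }
sample_disabled() { echo 'SELinux status:                 disabled'; }

for s in sample_permissive sample_runtime_only sample_disabled; do
  printf '%s: ' "$s"; "$s" | selinux_advice
done
# On a real host: sestatus | selinux_advice
```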
Protect files, directories, and email to Secure Linux VPS
Linux provides excellent security against unauthorized access to data. However, Linux permissions are meaningless if an attacker has physical access to a device and can easily transfer one computer’s hard drive to another machine to copy and review sensitive data.
Use the “gpg” command to encrypt and decrypt files with passwords. On Linux or UNIX you can also password-protect files with OpenSSL and other approaches.
Full disk encryption is essential for data protection and is supported by most Linux distributions. Also, make sure root mail is forwarded to an account you check.
Take regular backups
Many users fail to backup regularly and then regret it when something unexpected happens and they don’t have a copy of their data. No matter how careful you are and no matter how secure your server is, there is always the risk of something going wrong.
Don’t take unnecessary risks by failing to back up and don’t rely on your host to do it. It is recommended that you take your own backups, even if your hosting company claims they do it for you. Keep copies in different places and try using the cloud so your copies can be accessed from anywhere.
Create disk partition

Disk partitioning is one of the smartest tools to enhance your Linux VPS security. Using this method allows you to separate valuable system files from different file types to reduce the risk of corruption.
For example, allocating a dedicated system space, applications, and data for specific uses in different partitions helps you prevent data loss in case of corruption or attack.
Based on this fact, running multiple operating systems on multiple partitions is a great solution to increasing vulnerabilities. Additionally, you can improve your system security by mounting partitions with SUID/SGID access disabled (nosuid) and execution of binaries disabled (noexec).
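To check whether the nosuid and noexec options are actually in effect, compare the mounted filesystems against a policy. The script below is an added example, not part of the original article; the policy table (which mount points need which options) is an assumption made for the example, and the sample mount table is constructed.

```bash
#!/usr/bin/env bash
# Added example: check mount options in /proc/mounts format
# (fields: device mountpoint fstype options dump pass).
# The policy table below is an assumption; adjust it to your partition layout.

audit_mounts() {
  awk '
    BEGIN {
      want["/tmp"]     = "nosuid,noexec"
      want["/var/tmp"] = "nosuid,noexec"
      want["/dev/shm"] = "nosuid,noexec"
      want["/home"]    = "nosuid"
    }
    ($2 in want) {
      seen[$2] = 1
      n = split(want[$2], need, ",")
      for (i = 1; i <= n; i++)                     # compare whole option names
        if (index("," $4 ",", "," need[i] ",") == 0)
          print "MISSING " $2 " " need[i]
    }
    END {
      for (m in want)
        if (!(m in seen)) print "NOT-SEPARATE " m  # lives on a parent filesystem
    }'
}

# Constructed sample mount table (not taken from a real host).
sample_mounts() { printf '%s\n' \
  '/dev/vda1 / ext4 rw,relatime 0 0' \
  '/dev/vda2 /home ext4 rw,nosuid,nodev,relatime 0 0' \
  'tmpfs /tmp tmpfs rw,nosuid,nodev 0 0' \
  'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'; }

sample_mounts | audit_mounts | sort
# On a real host: audit_mounts < /proc/mounts
```

A NOT-SEPARATE line means the directory shares a filesystem with its parent, so the options cannot be set for it alone until it gets its own partition or mount.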
Remove unnecessary modules and packages to Secure Linux VPS
Another powerful approach to running a secure Linux VPS is to run only the essential services you need and want. Removing unused and useless packages has a significant impact on your system’s performance. It provides valuable benefits such as freeing disk space, optimizing additional resources and maximizing the security of binaries.
These commands list the installed packages and remove unwanted ones:
yum list installed
yum list packagename
yum remove packagename
Use GnuPG encryption
Taking advantage of high-security password protocols is absolutely essential to keep your important data safe and secure. GnuPG Encryption is an efficient tool that allows users to use a unique private key for data encryption, decryption, and sign communication.
It also takes control of data ownership and protection against alteration and tampering. This strong password encryption creates a key-based authentication that avoids hacker attacks and provides good privacy by using public and private keys to encrypt and decrypt messages.
The public key allows senders to encrypt data messages and send them over the network; The receiver then uses the private key to decrypt and read it. Next, we can create a message using the original sender’s public key to encrypt the message and send it back. In response, they must use the private key to decrypt and read the message.
Choose SFTP over FTP
SFTP is the most secure file transfer protocol; it guarantees data security and privacy by using SSH. FTP, however, is an insecure file transfer protocol that hackers can easily access, and it can increase your vulnerability to hackers’ brute-force or spoofing attacks.
FTP does not provide fast delivery or encrypted file transmission. A secure connection can be established, but the file contents are not encrypted. Sensitive data exchange therefore requires authentication by the server; SFTP connections are encrypted, and the file transfer process is more reliable and secure. That’s why we prefer SFTP over FTP.
Enable CMS automatic updates to Secure Linux VPS
Note that content management systems (CMS) need to be updated to install security patches to avoid website hacks and attacks. Since they are open-source software, it is fundamental to secure your Linux system by automatically updating your CMS.
It doesn’t matter whether you use Joomla, WordPress, or Drupal; you need to keep it constantly updated to prevent unexpected security risks like loss of data and sensitive information. It is therefore essential to roll out CMS security fixes and new features to enhance Linux VPS security.
- Automatic updates allow your CMS core, themes, and plugins to be updated with the latest virus definitions and give your website maximum security against possible future attacks.
- As the number of websites increases, it simplifies the process of managing multiple different websites for website owners.
- Deliver the latest features and fix bugs from previous versions that affected performance and stability.
Disable Anonymous FTP Uploads to Secure Linux VPS
Anonymous FTP allows unprotected remote access to FTP servers without any credentials (user ID and password). Web hosting control panels, including cPanel and Plesk, disable anonymous FTP uploads by disabling write access for that user. FTP data transfers are vulnerable to sniffing, spoofing, and brute force attacks, among other attack methods, putting you at a massive security risk.
- Log in to your cPanel.
- In the Files category, select the Anonymous FTP icon.
- Under Anonymous FTP Control, uncheck both the “Allow Anonymous Access” and “Allow Anonymous Upload” boxes.
- Click on Save Settings.
After completing these steps, you may still see [email protected] and [email protected] listed in your cPanel FTP accounts, but they are not enabled.
Configure cPHulk in WHM
WHM/cPanel is released with a built-in firewall called “cPHulk”. Brute-force attacks are one of the most common threats your web services are exposed to: malware or malicious software can get into your authentication system through frequent login attempts. Luckily, cPanel includes “cPHulk” for brute-force protection.
This means that cPHulk disables login capabilities first and the firewall is enabled later. The configuration process is a cakewalk of security software that requires a command-line interface. To protect your dedicated Linux VPS hosting from brute-force attacks, you need root access to enable cPHulk.
- Log into WHM as root user.
- Search for “Security” in the search box
- Click the Security Center link.
- In the Security Center page, click on the cPHulk Brute Force Protection button.
- Next, you can see that cPHulk is disabled.
- Toggle on the menu to enable it.
- When launching it, choose the cPHulk settings you want,
- Click the Save button.
Conclusion
This guide provides the minimum requirements for securing a Linux VPS server. Additional security layers can and should be enabled depending on how the server is used. These layers may include items such as individual application configuration, intrusion detection software, and access control. There are a variety of security concerns under the general category of Linux security, and there are many theories about what an acceptable level of security is for a Linux server. The key takeaway from this guide is that you need to determine for yourself what security measures are needed.



