30,000 websites get hacked every day! Is yours next? We hope not. These 11 steps could make help you secure your VPS and effectively layoff hackers and cyber-attacks. We also have 1 simple step that could do away with these 11, but we’re going to talk about it later. For now, read on to find out 11 steps to securing a VPS.

Good websites go bad every day! While in 2002 there were just about 20,000 threats, the number quickly grew to 1,656,227 in a single year, to the point that today more than 30,000 websites are attacked every day! Linux is comparatively secure thanks to LMS, but without a few additional measures, neither Linux nor Windows can mitigate the imminent risks. Either you do these or get an expert to help you out. More often than not, Infrastructure management is best outsourced to a reliable organization. Find out how.

Secure your VPS in 11 steps – Linux

  • Root logins need to go
  • Change SSH port
  • Updated software is important
  • Identify and disable unused ports
  • Remove bundled packages and services
  • IPv6 can cause threats
  • Encrypted data transmission
  • Strong passwords and faillog command
  • Firewall – configure and stay updated
  • Disk partitioning can help
  • Read-only /boot

For some mavens, we needn’t elaborate on the above pointers. Feel free to use the above as a checklist. For the benefit of other who need explanation (and hence googled this topic), we’re going to discuss each of the above in a little detail. For yet others who do not wish to get their hands dirty with all of these hardening techniques,

Root Logins

The root login is default with Linux servers and that is precisely why hackers try to brute force it. Always login as another user and use sudo to run administrative commands. In nano or vi, open /etc/ssh/sshd_config, and find the parameter “PermitRootLogin” and if the default setting is “yes”, then change it to “no”.

SSH Port

Make it hard to hack SSH – change the port number. Malicious scripts find it supremely easy to directly connect to default port 22. Change the port here: /etc/ssh/sshd_config.

Ensure that the new port number is not being used already by other services.

Updated Software

Upgrading to newer version is easy especially in Linux. Use rpm/yum package manager (CentOS/RHEL), or apt-get (Ubuntu/Debian).To set up reminders regarding upgrades, configure your OS to send yum package update notifications via email. Alternatively, a cronjob can automate the security upgrades installation.

If you use either a cPanel or Plesk, set them up for automatic updates. Apply security patches as soon as they’re made available!

Identify & Disable unused ports

The easiest targets for hackers are open network ports and unused network services. Use the “netstat” command to see all currently open network ports, and associated network services. A lot of Firewalls can automate iptables rules to close open ports. You can alternatively use chkconfig to disable unwanted services.

Avoid installing unnecessary software

Your VPS comes bundles with a lot of distributions, default packages, and services. Remove all unwanted modules/packages and get rid of as much bloat ware as possible. Every service removed, is one attack less. Minimize the threat possibility by created less room for it – remove/avoid unnecessary software.

Disable IPv6

IPv6 may have several advantages over IPv4, only a few of us actually need/use those. It’s a common practice for hackers to send malicious traffic via IPv6.This protocol if left open can significantly expose you to attacks.

Edit /etc/sysconfig/network.

Set NETWORKING_IPV6=no and IPV6INIT=no.

Use encryption

Data in transit is out of your control – or so you thought. Encryption helps where firewalls do not. Encrypt data transmissions to your server using passwords, keys or certificates.

Key-based encryptions use a “public key” for encryption while only a “private key” available to the intended recipient can be used for decryption.

Revisit password policy

Weak passwords are undeniably one of the largest threats to security. Most users are lazy and resort to empty passwords or easy ones relating to their birthdates or similar to their usernames! A few things to help:

  • Password aging is a good way to force user to change passwords at regular intervals.
  • Restrict the re-use of previous passwords
  • Use ‘faillog’ command to limit failed login attempts
  • Lock user accounts after several failed attempts
  • Set mandatory rules on passwords – length, special characters etc.

Firewalls are important

There are plenty to choose from:

  • NetFilter comes integrated with the Linux kernel.
  • TCPWrapper is a host-based networking access control list (ACL) system.

CSF and APF are other popular firewalls that offer plugins to cPanel or Plesk.

Disk partitioning

OS-specific files should always be kept separated from the user files, third-party programs&tmp files. As additional steps:

  • Don’t set SUID/SGID access (nosuid)
  • Disable execution of any binaries (noexec) on the OS specific

Read-only /boot

On a Linux server, all kernel-specific files are stored under the “/boot” directory. And the default directory access level for “/boot’ is set to “Read-Write”.

Change the access level to “Read-Only”. Edit the /etc/fstab file, and append this to the bottom: LABEL=/boot /boot ext2 defaults, ro 1 2

If you later need to make changes to the kernel, then simply revert to the “Read-Write” mode, make your changes, and redo.

What’s that one step?

Yes, one step that could do away with all these 11 would be to hire Dolphin24x7! If you saw that coming, you’re smart and smart people know better than to be jack-of-all-trades. Hand over your infrastructure management to the experts at Dolphin24x7 and rest assured, we’d be available 24×7 x 365.

Call us at +1-516-717-2049 for a quick chat!