
15 Security Tips for Linux VPS Hosting

Virtual Private Servers (VPS) give website owners more control of their site’s configurations and experience, so it’s no surprise that most website owners prefer them over standard shared hosting. Since customers have more control over server settings, VPS service is more challenging to secure. It’s still a virtual server connected to the network, so security for host administrators and customers should be a priority to protect data on the VPS instance and the host network. This article covers the following topics related to Linux VPS security:

  1. What is VPS?
  2. Can Linux VPS Be Hacked? Is it Secure?
  3. How to Secure a VPS?
    1. Choose a Hosting Provider That Takes Security Seriously
    2. Change the SSH Default Port
    3. Monitor Server Logs
    4. Disable Unused Ports
    5. Use GnuPG Encryption
    6. Implement a Strong Password Policy
    7. Use Disk Partitioning
    8. Use SFTP
    9. Keep the Operating System Patched and Updated
    10. Prevent Anonymous FTP Uploads
    11. Install a Rootkit Scanner
    12. Disable root Logins
    13. Keep Software Updated
    14. Always Create and Safely Store Backups
    15. Install Full Server Protection
  4. Recommended Articles

What is VPS?


With VPS hosting, a web host splits a bare-metal server into smaller virtual private server instances instead of sharing all resources as shared servers do. Each instance looks and feels like a dedicated server to customers, but it’s a virtual machine with dedicated resources. The resources are allocated based on the customer's service level, but allocated resources could vary across each virtual machine and web host.

Another advantage of VPS Hosting is that customers can run their own preferred Linux distributions. They can run several virtual machines on the host server with different distros of their choice for various reasons. It’s usually a more affordable option than using dedicated servers either on a third-party host or building out the infrastructure on-premise. 

 

Can Linux VPS Be Hacked? Is it Secure? 


Yes, a VPS can be hacked. Given enough time and dedication, any server can be hacked, including virtual machines, even with security controls in place. No system is ever 100% risk-free, but administrators can reduce risk to the lowest possible level to avoid threats and stop attacks. The Linux operating system is generally secure, but vulnerabilities are introduced when users misconfigure the system, add vulnerable software, leave applications unpatched, or download and install malware locally. As the system changes, the risk also increases or decreases depending on what was changed.

Sophisticated malware can affect more than just the local machine. It can sometimes traverse the network from the hosted server, and it can occasionally affect other systems. If any sensitive data is stored on the local server, it would be exposed and the host could be the victim of a data breach. Even without traversing the network, malware affects the local virtual machine instance.

The virtual machine instance hosts the customer’s website, so even if malware does not affect other customers on the server, it does affect the local instance’s hosted applications. Should a customer keep sensitive information on the server, it could be disclosed to attackers if the hosted site is not secure.

 

How to Secure a VPS?


There are several steps to secure VPS hosting. While hosting providers rely somewhat on the customers protecting their site, administrators can still configure and install software that will better secure a VPS. Customers hosting their sites on VPS can also take steps to secure their sites and services. 

 

Choose a Hosting Provider That Takes Security Seriously


Customers rely on web hosts to keep infrastructure secure. Not every web hosting provider treats security equally. To keep a website secure, customers should choose their web host wisely. For example, Interserver.net has proven to focus on security of their customer sites. Interserver.net is a US-based hosting service with a good reputation for quality service at an affordable price. They have two datacenters on the east and west coast of the US to service their thousands of customers ranging from small individual site owners to Fortune 500s. Read the full story on how Interserver streamlined its operations with CloudLinux OS, Imunify360 and KernelCare. And you can find additional hosts that put the right scanning and monitoring tools in place in the Imunify360 host directory.

 

Change the SSH Default Port


SSH is necessary for remote access to a server, and it’s installed with the default port 22. Attackers scan servers for open ports such as 22 to gain remote access to SSH. After detecting SSH on port 22, an attacker might launch a brute-force attack to obtain remote access to the server by guessing the root user’s credentials.

To combat this attack, the SSH port can be moved to an alternative one. When SSH runs on an alternative port, any automated scans will show nothing for port 22. To change the port, set the Port directive in the following file (we’ll change this file in other tips, so keep this file open):

 

/etc/ssh/sshd_config

 

Before you edit the file, make sure that the new port is not used by another service, or you will have a conflict and neither service will run properly.

 

Monitor Server Logs


Both host administrators and website owners should have monitoring enabled. Monitoring servers requires logging specific events such as authentication failures (and possibly successes), failed uploads, errors, and other common threats. These logs can then be used in analysis and reports that give administrators detailed information and insights into activity happening on the server. Logs can alert administrators to an ongoing attack or a compromise.

Host administrators can monitor activity on their servers to ensure that customer sites are secure, but website owners should also monitor their own sites. The sooner a compromise is contained, the smaller the window of opportunity for an attacker to exfiltrate data.
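The following is an added example, not part of the original article: a small detector for the authentication failures and successes mentioned above, run over constructed sshd log lines. The function names, the threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of sshd lines in the syslog format found in
# /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family).
sample_auth_log() {
cat <<'EOF'
Mar  3 02:14:01 vps1 sshd[2211]: Failed password for root from 203.0.113.7 port 52144 ssh2
Mar  3 02:14:03 vps1 sshd[2211]: Failed password for root from 203.0.113.7 port 52144 ssh2
Mar  3 02:14:06 vps1 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 52150 ssh2
Mar  3 02:14:09 vps1 sshd[2219]: Failed password for invalid user test from 203.0.113.7 port 52161 ssh2
Mar  3 02:15:40 vps1 sshd[2230]: Failed password for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 02:15:52 vps1 sshd[2230]: Accepted password for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 02:20:11 vps1 sshd[2301]: Failed password for root from 192.0.2.55 port 33100 ssh2
Mar  3 02:20:12 vps1 sshd[2301]: Failed password for root from 192.0.2.55 port 33100 ssh2
Mar  3 02:20:14 vps1 sshd[2301]: Failed password for root from 192.0.2.55 port 33100 ssh2
Mar  3 02:21:30 vps1 sshd[2310]: Accepted password for root from 192.0.2.55 port 33108 ssh2
EOF
}

# flag_ssh_sources MIN: read an auth log on stdin and print one line per
# source address with at least MIN failed logins:
#   <ip> <failures> brute-force             failures only
#   <ip> <failures> success-after-failures  a login succeeded after MIN failures
flag_ssh_sources() {
    awk -v min="$1" '
    # The user name in a log line is chosen by the client, so search for
    # "from <ip> port" starting at the END of the line, where sshd writes it.
    function src_ip(   i) {
        for (i = NF - 2; i > 1; i--)
            if ($(i - 1) == "from" && $(i + 1) == "port") return $i
        return ""
    }
    /sshd\[[0-9]+\]: Failed password for / {
        ip = src_ip()
        if (ip != "") fail[ip]++
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
        ip = src_ip()
        if (ip != "" && fail[ip] >= min + 0) hit[ip] = 1
    }
    END {
        for (ip in fail) {
            if (fail[ip] < min + 0) continue
            printf "%s %d %s\n", ip, fail[ip], (ip in hit) ? "success-after-failures" : "brute-force"
        }
    }' | sort
}

# Stand-alone run against the constructed sample, threshold of 3 failures.
sample_auth_log | flag_ssh_sources 3
```

A `success-after-failures` line is the one to triage first: it means the guessing may have worked, so the account and session behind it need review.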

 

Disable Unused Ports


Linux installs with several ports open. Some are necessary for certain applications, and others are unnecessary. For example, port 80 is often opened for web applications, but it’s possible that you will not need this port open. Leaving unused ports open increases the server’s attack surface, so best practices suggest that they should be disabled.

You can identify open ports using the netstat command. You can then close them with firewall settings or with the iptables command. First, use netstat to view open ports:

 

netstat -a

 

For example, suppose that you want to drop port 22. Netstat will confirm that port 22 is open. After you confirm, type the following command to drop port 22 and therefore block it from being used:

 

iptables -I INPUT -p tcp --dport 22 -j DROP

 

Use GnuPG Encryption


Any data transferred over the internet is vulnerable to eavesdropping. Websites use HTTPS to encrypt data between customers and websites, but other data could be intercepted, such as credentials sent to server services or files transferred over FTP. To overcome this issue, asymmetric encryption is used to encrypt data with a public key that can then be decrypted only with the recipient’s private key.

The GnuPG application lets administrators and site owners transfer data using asymmetric encryption. The public key generated can be used by any third party to send encrypted data to the site owner or administrators, and the private key is used to decrypt it. Because the private key is used to decrypt data, it should be secured and never disclosed to a third party.

 

Implement a Strong Password Policy


A password policy is always necessary for any user with access to network resources. Users often use weak passwords that can be easily guessed using brute-force attacks. A password policy enforces length and complexity requirements when any password is generated, including new passwords when users are forced to change them and password resets.

Generally, passwords should:

  • Contain at least 10 characters, and 12 characters for access to highly sensitive data.
  • Contain at least 1 numeric character.
  • Contain at least 1 special character.
  • Contain uppercase and lowercase letters.

Use Disk Partitioning


Attackers that can run executables on the operating system can tamper with its operations and functions and eavesdrop on data. To gain access to the operating system, an attacker can use the /tmp and /var/tmp user directories to upload malicious files and execute them. You can separate the operating system from user file partitions to add security to the server.

To separate the two, you use the noexec (no execution of binaries), nosuid (do not allow set-user-identifier or set-group-identifier) and nodev (do not interpret device files) options to mount the two partitions securely:

 

# mount -t tmpfs -o noexec,nosuid,nodev tmpfs /tmp 

# mount -t tmpfs -o noexec,nosuid,nodev tmpfs /var/tmp
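As an added example (not from the original article), the check below reads a mount table in /proc/mounts format and reports whether /tmp and /var/tmp really carry the three options used above. The function names and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Constructed mount tables in /proc/mounts format:
#   device mountpoint fstype options dump pass
weak_mounts() {
cat <<'EOF'
/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
EOF
}

hardened_mounts() {
cat <<'EOF'
/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# check_tmp_mounts: read a mount table on stdin and print one line for each
# of /tmp and /var/tmp that is not its own mount or lacks a required option.
# No output means both directories are mounted noexec,nosuid,nodev.
check_tmp_mounts() {
    awk '
    # When mounts are stacked on one directory, the last entry is the
    # one in effect, so later lines overwrite earlier ones.
    $2 == "/tmp" || $2 == "/var/tmp" { opts[$2] = $4 }
    END {
        n = split("/tmp /var/tmp", dirs, " ")
        m = split("noexec nosuid nodev", want, " ")
        for (i = 1; i <= n; i++) {
            d = dirs[i]
            if (!(d in opts)) { print d ": not a separate mount"; continue }
            missing = ""
            for (j = 1; j <= m; j++)
                # Compare whole comma-delimited options, not substrings.
                if (index("," opts[d] ",", "," want[j] ",") == 0)
                    missing = missing " " want[j]
            if (missing != "") print d ": missing" missing
        }
    }'
}

# Stand-alone run against the constructed weak table.
weak_mounts | check_tmp_mounts
```

On a live server the same function can be fed the real table with `check_tmp_mounts < /proc/mounts`, which is useful after a reboot to confirm the options persisted.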

 

Use SFTP

Secure FTP adds encryption to file transfers uploaded to the server. All data transferred over FTP is in cleartext, but SFTP is “FTP over SSH,” adding encryption to file transfers. Some site owners might be tempted to use FTPS, but FTPS only encrypts credentials sent to authenticate to the server. SFTP encrypts both credentials and the files being transferred.

 

Keep the Operating System Patched and Updated


The Linux operating system was created with security in mind, but occasionally issues are found that must be patched. When patches are necessary, the vendor for your distribution will release an update. In some cases, the vulnerability discovered is considered critical. When the vulnerability is critical, it’s important that administrators update the operating system immediately because the exploit could open the server to a compromise.

The longer the operating system is left unpatched, the longer the window of opportunity for attackers will remain open. Administrators often keep a set schedule for server updates, but delayed updates leave the server open to exploits until patches are installed.

 

Prevent Anonymous FTP Uploads


If you allow anonymous FTP uploads to your Linux server, it’s highly likely that your server will become a silo for illegal software or other inappropriate content. It could host malware that could later affect the rest of the virtual machine. Instead of leaving the FTP server open to anonymous uploads, anonymous access should be disabled so that only approved users can upload to FTP.

To disable anonymous access, open the following file:

 

/etc/vsftpd/vsftpd.conf

 

Edit the anonymous access configuration by changing it to the following:

 

anonymous_enable=NO

 

Install a Rootkit Scanner


Rootkits are among the most dangerous kinds of malware. They could give the attacker control over the server, run other malware on the operating system, or disable any antivirus applications. To stop rootkits, or to detect them should they compromise the server, a rootkit scanner such as chkrootkit can be installed.

Removing rootkits is much more difficult than removing standard malware, because they integrate with the operating system and can go undetected by standard anti-malware services. For sophisticated rootkits, it might be necessary to reinstall the operating system. For this reason, it’s important to use anti-malware applications that detect and stop them.

 

Disable root Logins


Every VPS is created with the root account, which holds the highest level of privileges on the system. Hackers know that many administrators leave root enabled and use the account to configure the server. In the interest of security, the root account should be disabled and another user account created with root privileges. This strategy secures the server from brute-force attacks against the root account.

Before disabling root, create a user account with elevated privileges, then open the following file:

 

/etc/ssh/sshd_config

 

Change the root login parameter to the following:

 

PermitRootLogin=no

 

Please restart the sshd service after making this change.
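The added example below (not part of the original article) audits an sshd_config for the two settings this page changes in that file, the SSH port and PermitRootLogin. The function names, the sample configurations and the port number 49222 are constructed for illustration; the parser follows the file's documented rules that keywords are case-insensitive, that Port may be listed several times, and that for other keywords the first value found is the one used.

```shell
#!/bin/sh
# Constructed sample: a config that still has the defaults this page changes.
weak_config() {
cat <<'EOF'
# constructed sample
#Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
}

# Constructed sample: both tips applied (49222 is an arbitrary example port).
hardened_config() {
cat <<'EOF'
Port 49222
  PermitRootLogin=no
EOF
}

# sshd_audit: read an sshd_config on stdin, print one FINDING line per
# problem in the global section. No output means both settings are in place.
sshd_audit() {
    awk '
    {
        sub(/^[ \t]+/, "")                  # drop indentation
        if ($0 == "" || $0 ~ /^#/) next     # skip blanks and comments
        if (match($0, /[ \t=]/)) {          # keyword ends at space, tab or "="
            key = substr($0, 1, RSTART - 1)
            val = substr($0, RSTART)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
        } else { key = $0; val = "" }
        key = tolower(key)                  # keywords are case-insensitive
        # Match blocks override settings per user or address; stop here
        # and tell the reader to review them by hand.
        if (key == "match") { matched = 1; exit }
        # Every Port line adds a listener, so one "22" is enough to flag.
        if (key == "port") { seen_port = 1; if (val == "22") on22 = 1 }
        # First occurrence wins; later PermitRootLogin lines are ignored.
        if (key == "permitrootlogin" && !seen_root) {
            seen_root = 1; root = tolower(val)
        }
    }
    END {
        if (!seen_port) print "FINDING port: no Port line, sshd listens on default 22"
        else if (on22) print "FINDING port: sshd still listens on 22"
        if (!seen_root) print "FINDING root: PermitRootLogin not set explicitly"
        else if (root != "no") print "FINDING root: PermitRootLogin is " root
        if (matched) print "NOTE match: Match blocks present, review their overrides by hand"
    }'
}

# Stand-alone run against the constructed weak sample.
weak_config | sshd_audit
```

The weak sample shows why appending a new line is not enough: the later `PermitRootLogin no` is ignored because an earlier `PermitRootLogin yes` already set the value.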

 

Keep Software Updated


You know that the operating system should stay updated, but don’t forget the other software running on the server. Common vulnerabilities are logged in the CVE database, but you must stay aware of the latest updates and patches addressing security issues involving the software installed on the system.

Software vendors release updates and identify the bugs and vulnerabilities addressed for each patch. You could manually update software and check for updates every day, or you can let Imunify360 automatically update and patch software so that it’s done for you. Keeping software updated in a timely manner reduces the opportunity for attackers to exploit a common vulnerability.

 

Always Create and Safely Store Backups


Backups are essential should your system be compromised beyond repair or any data be corrupted and need to be restored. For example, if the operating system suffers from a rootkit compromise, instead of reinstalling the operating system, you can restore from a backup. With a VPS, you can back up the entire VPS instance and restore it should you need to.

You should keep backups secure and have a retention plan to keep backup files for a specific amount of time before you delete or archive them. At least one backup should be offsite in case the host experiences any downtime.

 

Install Full Server Protection


Securing a server and continuously monitoring it can take a big portion of your day, which is why many business owners hosting on VPS do not have the time to properly maintain server software and resources. Instead of spending time reviewing multiple reports, scanning servers manually, and removing any malware, allow Imunify360 with Linux malware scanner and Proactive Defense to monitor and remove malware for you.

While this list is not exhaustive, it starts VPS administrators off on the right path towards securing their server. Losing data and time costs thousands of dollars in lost revenue and brand reputation damage. With Imunify360 and the right server configurations, any site hosted on a VPS will be more secure, monitored for any strange activity, and in many cases automatically cleaned without any administrator hassles.

Take your web hosting security to the next level with Imunify360 security suite. Imunify360 is a complete security suite with all components working together to keep your servers safe and running while you focus on other business tasks. Imunify360 is a synergy of Antivirus, Firewall, WAF, PHP Security Layer, Patch Management, and Domain Reputation with easy UI and advanced automation. Try Imunify360 free for 14 days and see results in just one week.

Recommended Articles


 
