VPS implies that web hosts offer virtual private servers that split up a bare-metal server into smaller VPS instances instead of sharing all resources using shared servers. Each instance looks and feels like a dedicated server to customers, but it’s a virtual machine with dedicated resources. The resources are allocated based on the customer's service level, but allocated resources could vary across each virtual machine and web host.
Another advantage of VPS Hosting is that customers can run their own preferred Linux distributions. They can run several virtual machines on the host server with different distros of their choice for various reasons. It’s usually a more affordable option than using dedicated servers either on a third-party host or building out the infrastructure on-premise.
Yes, a VPS could be hacked. Given enough time and dedication, any server can be hacked, including virtual machines, even with security controls in place. No system is ever 100% risk-free, but administrators can reduce risk to the lowest possible level to avoid threats and stop attacks. The Linux operating system is generally secure, but vulnerabilities are introduced when users misconfigure the system, add vulnerable software, leave applications unpatched, or download and install malware locally. As the system changes, the risk also increases or decreases depending on what was changed.
Sophisticated malware can affect more than just the local machine. It can sometimes traverse the network from the hosted server, and it can occasionally affect other systems. If any sensitive data is stored on the local server, it would be exposed and the host could be the victim of a data breach. Even without traversing the network, malware affects the local virtual machine instance.
The VPS instance hosts the customer’s website, so even if malware does not affect other customers on the server, it does affect the local instance’s hosted applications. Should a customer keep sensitive information on the server, it could be disclosed to attackers if the hosted site is not secure.
There are several steps to secure VPS hosting. While hosting providers rely somewhat on the customers protecting their site, administrators can still configure and install software that will better secure a VPS. Customers hosting their sites on VPS can also take steps to secure their sites and services.
Choose a Hosting Provider That Takes Security Seriously
Customers rely on web hosts to keep infrastructure secure. Not every web hosting provider treats security equally. To keep a website secure, customers should choose their web host wisely. For example, Interserver.net has proven to focus on security of their customer sites. Interserver.net is a US-based hosting service with a good reputation for quality service at an affordable price. They have two datacenters on the east and west coast of the US to service their thousands of customers ranging from small individual site owners to Fortune 500s. Read the full story on how Interserver streamlined its operations with CloudLinux OS, Imunify360 and KernelCare. And you can find additional hosts that put the right scanning and monitoring tools in place in the Imunify360 host directory.
Change the SSH Default Port
SSH is necessary for remote access to a server, and it’s installed with the default port 22. Attackers scan servers for open ports such as 22 to gain remote access to SSH. After detecting SSH on port 22, an attacker might launch a brute-force attack to obtain remote access to the server by guessing the root user’s credentials.
To combat this attack, the SSH port can be moved to an alternative one. When SSH runs on an alternative port, any automated scans will show nothing for port 22. To change the port, the following file must be updated (we’ll change this file in other tips, so keep this file open):
/etc/ssh/sshd_config
Before you edit the file, make sure that the port is not used by another service, or you will have a conflict and both services will not run properly.
Monitor Server Logs
Both host administrators and website owners should have monitoring enabled. Monitoring servers requires logging specific events such as authentication failures (and possibly successes), failed uploads, errors, and other common threats. These logs can then be used in analysis and reports that can give administrators detailed information and insights into activity happening on the server. Logs can tell administrators of an ongoing attack or a compromise.
Host administrators can monitor activity on their servers to ensure that customer sites are secure, but website owners should also monitor their own sites. The sooner a compromise is contained, the smaller the window of opportunity for an attacker to exfiltrate data.
Disable Unused Ports
Linux installs with several ports open. Some are necessary for certain applications, and others are unnecessary. For example, port 80 is often opened for web applications, but it’s possible that you will not need this port open. Leaving unused ports open increases the server’s attack surface, so best practices suggest that they should be disabled.
You can identify open ports using the netstat command. You can then use firewall settings or edit open ports using the iptables command. First, use netstat to view open ports:
netstat -a
For example, suppose that you want to drop port 22. Netstat will confirm that port 22 is open. After you confirm, type the following command to drop port 22 and therefore block it from being used:
iptables -I INPUT -p tcp –dport 22 -j DROP
Use GnuPG Encryption
Any data transferred over the internet is vulnerable to eavesdropping. Websites use HTTPS to encrypt data between customers and websites, but other data could be intercepted - such as credentials sent to server services or files transferred over FTP. To overcome this issue, asynchronous encryption is used to encrypt data with a public key that can then be decrypted only with the recipient’s private key.
The GnuPG application will let administrators and site owners transfer data using asynchronous encryption. The public key generated can be used by any third-party to send encrypted data to the site owner or administrators, and the private key is used to decrypt it. Because the private key is used to decrypt data, it should be secured and never disclosed to a third party.
Implement a Strong Password Policy
A password policy is always necessary for any user with access to network resources. Users often use weak passwords that can be easily guessed using brute-force attacks. A password policy enforces length and complexity requirements when any password is generated, including new passwords when users are forced to change them and password resets.
Generally, passwords should:
Use Disk Partitioning
Attackers that can run executables on the operating system can tamper with its operations and functions and eavesdrop on data. To gain access to the operating system, an attacker can use the /tmp and /var/tmp user directories to upload malicious files and execute them. You can separate the operating system from user file partitions to add security to the server.
To separate the two, you use the noexec (no execution of binaries) and nosuid (do not allow set-user-identifier or set-group-identifier) option to mount the two partitions securely:
# mount -t tmpfs -o noexec,nosuid,nodev tmpfs /tmp
# mount -t tmpfs -o noexec,nosuid,nodev tmpfs /var/tmp
Use SFTP
Secure FTP adds encryption to file transfers uploaded to the server. All data transferred over FTP is in cleartext, but SFTP is “FTP over SSH,” adding encryption to file transfers. Some site owners might be tempted to use FTPS, but FTPS only encrypts credentials sent to authenticated into the server. SFTP encrypts both credentials and the files being transferred.
Keep the Operating System Patched and Updated
The Linux operating system was created with security in mind, but occasionally issues are found that must be patched. When patches are necessary, the vendor for your distribution will release an update. In some cases, the vulnerability discovered is considered critical. When the vulnerability is critical, it’s important that administrators update the operating system immediately because the exploit could open the server to a compromise.
The longer the operating system is left unpatched, the longer the window of opportunity for attackers will remain open. Administrators will often set aside a set schedule for server updates, but delayed updates leave the server open to exploits until patches are installed.
Prevent Anonymous FTP Uploads
If you allow anonymous FTP uploads to your Linux server, it’s highly likely that your server will become a silo for illegal software or other inappropriate content. It could host malware that could later affect the rest of the virtual machine. Instead of leaving the FTP server open to anonymous uploads, it should be disabled so that only approved users can upload to FTP.
To disable anonymous access, open the following file:
/etc/vsftpd/vsftpd.conf
Edit the anonymous access configuration by changing it to the following:
anonymous_enabled=NO
Install a Rootkit Scanner
Rootkits are one of the most dangerous malware applications. They could give the attacker control over the server, run other malware on the operating system, or disable any antivirus applications. To stop rootkits or detect them should they compromise the server, a rootkit scanner such as chrootkit can be installed to stop them.
Removing rootkits is much more difficult than standard malware, because it integrates with the operating system and can go undetected by standard anti-malware services. For sophisticated rootkits, it might be necessary to reinstall the operating system. For this reason, it’s important to use anti-malware applications that detect and stop them.
Disable root Logins
Every VPS is created with the root account, which contains the highest level of privileges on the system. Hackers know that many administrators leave root enabled and use the account to configure the server. In the interest of security, the root account should be disabled and another user account created with root privileges. This strategy secures the server from brute-force attacks against the root account.
Before disabling root, create a user account with elevated privileges, then open the following file:
/etc/ssh/sshd_config
Change the root login parameter to the following:
PermitRootLogin=no
Please restart the sshd service after making this change.
Keep Software Updated
You know that the operating system should stay updated, but don’t forget the other software running on the server. Common vulnerabilities are logged in the CVE database, but you must stay aware of the latest updates and patches addressing security issues involving the software installed on the system.
Software vendors release updates and identify the bugs and vulnerabilities addressed for each patch. You could manually update software and check for updates every day, or you can let Imunify360 automatically update and patch software so that it’s done for you. By keeping software updated in a timely manner, it reduces the opportunity for attackers to exploit a common vulnerability.
Always Create and Safely Store Backups
Backups are essential should your system be compromised beyond repair or any data is corrupted and must be restored. For example, if the operating system suffers from a rootkit compromise, instead of reinstalling the operating system, you can restore from a backup. With a VPS, you can back up the entire VPS instance and restore it should you need to.
You should keep backups secure and have a retention plan to keep backup files for a specific amount of time before you delete or archive them. At least one backup should be offsite in case the host experiences any downtime.
Install Full Server Protection
Securing a server and continuously monitoring it can take a big portion of your day, which is why many business owners hosting on VPS do not have the time to properly maintain server software and resources. Instead of spending time reviewing multiple reports, scanning servers manually, and removing any malware, allow Imunify360 with Linux malware scanner and Proactive Defense to monitor and remove malware for you.
While this list is not exhaustive, it starts VPS administrators off on the right path towards securing their server. Losing data and time costs thousands of dollars in lost revenue and brand reputation damage. With Imunify360 and the right server configurations, any site hosted on a VPS will be more secure, monitored for any strange activity, and in many cases automatically cleaned without any administrator hassles.
Take your web hosting security to the next level with Imunify360 security suite. Imunify360 is a complete security suite with all components working together to keep your servers safe and running while you could focus on other business tasks. Imunify360 is a synergy of Antivirus, Firewall, WAF, PHP Security Layer, Patch Management, Domain Reputation with easy UI and advanced automation. Try Imunify360 free for 14 days and see results in just one week.