Keeping your VPS host secure is very important. Out of the box, GNU/Linux is very secure but you can always make your VPS server(s) even more secure. Here are 30 ways to make your VPS more secure and keep it that way.
1. Use a non-root user when managing your server
When you log in the first time, create a new user for yourself that has sudo permissions and ONLY use sudo or root when absolutely necessary. You could do some severe damage to your server when using a root account.
2. Use SSH keys instead of a password
SSH keys protect your server from brute-force attacks. Instead of a password, your SSH client authenticates with a key pair it generated, so there is no password for an attacker to guess.
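A quick audit of the sshd settings this advice depends on, added here as an example (not code from the original post): it reads an sshd_config and reports whether root login and password authentication are switched off. The sample configs are constructed; PermitRootLogin, PasswordAuthentication and PubkeyAuthentication are real sshd keywords.

```shell
# Added example (not from the original post): audit an sshd_config for the
# settings that "use SSH keys, not passwords" depends on. sshd uses the FIRST
# uncommented value of each keyword, so that is what we read. Match blocks
# and "Key=value" syntax are ignored for simplicity.

sshd_setting() {  # usage: sshd_setting FILE KEYWORD -> first value, or "unset"
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Policy assumed here: every setting must be set explicitly, so "unset"
# counts as a failure even when the compiled-in default would be acceptable.
audit_sshd_config() {  # usage: audit_sshd_config FILE -> prints findings, returns 1 on any FAIL
    fails=0
    for pair in "PermitRootLogin:no" "PasswordAuthentication:no" "PubkeyAuthentication:yes"; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(sshd_setting "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '$got', want '$want'"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample configs for the demo; "weak" mimics a stock file where
# root login is still commented out and password logins are allowed.
make_sample_config() {  # usage: make_sample_config FILE weak|hardened
    if [ "$2" = "hardened" ]; then
        printf '%s\n' 'Port 22' 'PermitRootLogin no' \
            'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$1"
    else
        printf '%s\n' '#PermitRootLogin prohibit-password' \
            'PasswordAuthentication yes' > "$1"
    fi
}
```

Run audit_sshd_config /etc/ssh/sshd_config on a real host; after changing the file, open a new SSH session to confirm key login still works before closing the one you are in.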
3. Keep backups
Use a backup program such as ElkarBackup, or use SFTP to zip and download copies of your files every once in a while. You can also set up a cron job to do it, and use mysqldump to back up databases.
4. Prevent brute-force attacks with Fail2Ban
Getting Fail2Ban is as easy as running sudo apt install fail2ban, and it will go a very long way toward protecting you from attacks. Just be warned: if you put your password in wrong 3 times you won’t be able to log in for an hour. Fail2Ban can also be used to protect WordPress, Apache, and more.
5. Do not manage your server in an untrusted environment
Don’t go to your local coffee shop or public Wi-Fi hub to manage your Linux server. There can always be hackers lurking, especially in popular cities, and man-in-the-middle attacks can be a huge risk to your VPS security.
6. Do not add any unnecessary or untrusted repositories to your package manager
Adding unnecessary or untrusted repositories to your package manager will make your repository sync take longer. It can also install or update packages that break your system or lead to the installation of malicious programs.
7. NEVER run scripts you find on online forums or websites unless you know what they do
We have all been tempted to do it once. It seems so easy to just download and run a script that will do all the work for you. Well, that is not recommended, because your server can get compromised. A good example of this: someone once sold a Pterodactyl install script on McMarket for $25. On top of installing the panel, it created a root user on your server AND made your server part of a Docker swarm so the seller could steal your server’s resources for whatever he wanted. While most scripts out there are safe, read through a script first and never take a chance, even if you paid for it.
8. Install and use a proper firewall
UFW on Debian/Ubuntu systems and firewalld on CentOS and Red Hat work very well and are easy to use. Good ol’ iptables works too! Only open the ports needed for your server to operate.
9. Keep users in check – Only give them access to what they need
If you run a server with many users, make sure they don’t have more power than they need. For example, if you have a person who does your website work, just give them access to the Apache web server files.
10. NEVER run a web server as root
This is a HUGE no-no in the system administration world. Imagine this: you have Apache or Nginx running as root, someone injects PHP or other code through a vulnerability that creates them a root user on your server, and BOOM, your server is compromised.
11. Install an Anti-Virus to help protect from malware
ClamAV with clamscan is great software for this. You can use it to scan server files, scan emails, and scan scripts and executable files. Create a cron job to scan files overnight.
12. Set a strong password on your ElixirNode account and email.
Your ElixirNode account is the most important thing to secure. If someone gets their hands on your account, you can have ALL your servers stolen no matter how secure the VPS itself is. The VPS panel can do many things, such as reset your operating system, change your root password, and even downgrade/upgrade or cancel your server.
13. Use SFTP over FTP
SFTP, also known as Secure File Transfer Protocol or SSH FTP, is a secure way to transfer files between you and your servers. It is built into SSH, so you can just open FileZilla or WinSCP, connect with your user or root credentials, and transfer files.
14. Use SSL.
SSL stands for Secure Sockets Layer. It encrypts your data when you connect to a website, and it also serves as identification that the website you are on is who they say they are. You can use OpenSSL for internal certificates for applications such as email servers and VPN servers. There is also a free service called Let’s Encrypt that gives you basic 90-day SSL certificates. Having that green lock and encryption can put a user at ease when using your website.
15. Don’t get help from people you do not trust.
Getting help from others can be great, just so long as they are experienced in what they are working on and can be trusted. Ask them for their credentials and ask them how they benefit before giving them access to your server.
16. Don’t set a root password for MySQL.
By default, MySQL’s root account is locked down: it is only accessible by entering mysql in the terminal as root. It’s best to create an administrator account with root-like privileges to increase security.
17. Use a hard to crack password
Using a password from the dictionary, like happiness, isn’t going to keep your server secure for very long. That’s why using a password like [email protected] will keep your server very secure.
18. Use well trusted web applications
Web applications such as WordPress, phpBB, phpMyAdmin and Pterodactyl have active developers and high security standards. Some smaller or newer applications may have unknown security issues that can be easily exploited and are never fixed.
19. Make sure web applications use their own MySQL user (if applicable)
If your web application needs MySQL access, don’t let it use root. If it uses its own user account and password with rights only to the database(s) it needs, then if someone hacks that application or database account, the damage won’t be as severe.
20. Use Apache user authentication and .htaccess permissions to protect your web panels.
Access control with .htpasswd and .htaccess can secure your websites, panels, and more. You can use this to protect sites that you don’t want just anyone to access.
21. Use 2FA (two factor authentication) where possible
Applications such as Pterodactyl Panel support 2FA. You can also use the Google Authenticator PAM module for SSH. If you use passwords to log into your server, this may be very useful.
23. Require users on your VPS to change their password every once in a while
If you have users who access your VPS for any reason, require them to change their password at least once every 90 days.
24. Set proper file permissions
Don’t set all the file permissions on your server to 777 (rwxrwxrwx). Make sure that your files are only accessible by the users that need them. The best options are usually 755 (rwxr-xr-x) or 644 (rw-r--r--).
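An added example (not from the original post) that finds anything world-writable under a directory and resets a content tree to the 755/644 layout described above. The sample tree is constructed; the paths and function names are my own.

```shell
# Added example (not from the original post): find files and directories that
# anyone on the system can write to (the 777 / 666 mistake), then reset a
# content tree to 755 for directories and 644 for files. Symlinks are skipped
# because their own mode is meaningless.

find_world_writable() {  # usage: find_world_writable DIR -> matching paths, sorted
    find "$1" ! -type l -perm -o+w 2>/dev/null | sort
}

# Caution: this also clears the execute bit on scripts and binaries, so aim it
# at data/web-content trees, not at directories holding programs.
fix_perms() {  # usage: fix_perms DIR -> directories 755, regular files 644
    find "$1" -type d -exec chmod 755 {} + &&
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree with two deliberate mistakes.
make_sample_tree() {  # usage: make_sample_tree DIR
    mkdir -p "$1/public/uploads" "$1/private"
    chmod 755 "$1/public" "$1/private"
    echo '<h1>demo</h1>' > "$1/public/index.html"
    echo 'secret' > "$1/private/config.php"
    chmod 644 "$1/public/index.html"
    chmod 777 "$1/public/uploads"       # world-writable directory
    chmod 666 "$1/private/config.php"   # world-readable and -writable secrets
}
```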
25. Use chroot, containerization, and virtualization (advanced)
Using isolation technologies such as chroot, Docker, LXC, KVM, or Xen can help you secure and monitor your server on many levels. LXC is the best for this kind of thing, since you can limit the RAM, limit the ports, monitor resource usage, take snapshots, and more! That way, if someone compromises your web server, your main VPS files are safe, as are your backups.
26. Install a VPN on your server and use that to ensure secure connections when managing
Installing a VPN server such as OpenVPN or SoftEther gives you another layer of encryption when connecting to your server. It also allows you to create a virtual encrypted “LAN” for servers you may be running at home or at other service providers, which is great for services like NFS that are not encrypted by default. A VPN can also give your hosts stable addresses inside the tunnel, so connections keep working even if your ISP changes your dynamic IP.
27. Don’t copy commands from online tutorials all willy-nilly
Copying and pasting commands from the internet may cause many issues. Usually the guides you follow are not meant to be malicious, but they can cause conflicts in your configuration that lead to problems with your server. For example, if you use someone else’s firewall configuration, it can break software that you are using. Always read into what each command does or changes and understand how it will affect your system.
28. Monitor your logs.
Logs are the most important resource on a Linux server. You can see who is accessing your website, who logged in and when, and what commands were run on your server. You can view logs for different software by reading the files in /var/log. For example, to view who tried to log in to your server, view /var/log/auth.log, as seen in the picture below.
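An added example, not part of the original post, that does by hand what Fail2Ban (item 4) automates: it tallies failed SSH password attempts per source address from auth.log lines and lists successful logins. The log lines are constructed and use RFC 5737 documentation addresses.

```shell
# Added example (not from the original post): summarise SSH login activity
# from auth.log lines, the check that Fail2Ban automates. Source addresses
# are taken from the word after "from" rather than fixed field numbers,
# so day-of-month padding and "invalid user" prefixes do not matter.

failed_logins_by_ip() {  # usage: failed_logins_by_ip LOGFILE -> "count ip", most frequent first
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

ips_over_threshold() {  # usage: ips_over_threshold LOGFILE N -> ips with at least N failures
    failed_logins_by_ip "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

accepted_logins() {  # usage: accepted_logins LOGFILE -> "user ip method" per successful login
    awk '/sshd\[[0-9]+\]: Accepted / {
            user = ip = method = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i+1)
                else if ($i == "for") user = $(i+1)
                else if ($i == "from") ip = $(i+1)
            }
            print user, ip, method
         }' "$1"
}

# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
make_sample_auth_log() {  # usage: make_sample_auth_log FILE
    printf '%s\n' \
        'Mar  3 10:12:01 vps sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2' \
        'Mar  3 10:12:04 vps sshd[1234]: Failed password for root from 203.0.113.5 port 51130 ssh2' \
        'Mar  3 10:13:10 vps sshd[1250]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2: ED25519 SHA256:constructedfingerprint' \
        'Mar  3 10:14:22 vps sshd[1261]: Failed password for root from 192.0.2.9 port 60001 ssh2' \
        'Mar  3 10:14:25 vps sshd[1261]: Failed password for root from 203.0.113.5 port 51140 ssh2' > "$1"
}
```

On a real host, point the functions at /var/log/auth.log (or journalctl -u ssh output saved to a file) and compare the top addresses with what Fail2Ban has banned.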
29. Do research before changing software configurations
Make sure you know what you are doing to your software before you make any significant changes. Disabling a feature or misconfiguring software can cause an unwanted or unknown vulnerability that may be hard to fix, or by the time you find out it may be too late.
30. Use common sense!
In the end, YOU are the one in control, YOU are the one behind the keyboard. GNU/Linux is a very powerful and extensible operating system, but with great power comes responsibility. You’re in charge of who has access to your server, what gets installed and removed, what gets updated, and what software has control. The decisions you make impact the security of your server. In some ways, this article helps keep you safe not just from hackers but, most importantly, from yourself.