11 Essential Linux VPS Security Tips

A Virtual Private Server, or VPS, provides all the benefits of a full-blown server without the hassles. You get full control of your system without having to manage exotic network settings or worry about physical infrastructure.

But are your VPS systems secure? VPS security is easier in some ways and harder in others compared to individual cloud instance security needs. Keep reading for some top tips on hardening your Linux VPS instance.

1. Reduce Unneeded Packages

Do you know what everything on your system does, or is it alphabet soup to you? Linux systems allow the system administrator to install packages. These packages represent the software building blocks that make up your complete system.

There are tens of thousands of distributed Linux software packages. You should generally install as few as possible. There are two main package managers for most Linux distros. “Yum” and “apt” both control operating system packages.

You may be familiar with other package managers like NPM or Composer. From the Linux command line you can remove unwanted or unused packages by using these commands:

# yum -y remove package-name

# sudo apt-get remove package-name

# sudo apt-get autoremove

2. Batten Down the Hatches!

On an ocean sailing vessel, designers drill small holes into the side of the ship to allow air to ventilate below deck. These round metal windows are portholes.

A computer has virtual portholes. A port in networking terminology is a virtual address where your computer listens for traffic. In case of emergency, a computer network can reroute traffic to different ports as necessary.

For instance, the popular Hypertext Transfer Protocol, or HTTP, generally travels over port 80 on most Linux systems. SSL-encrypted traffic (HTTPS) goes out over 443, which should be the most used port on normal setups.

Some VPS setups have another layer of control for opening and closing ports. Check with your provider to learn how it works.

It’s important to know what ports are “open” on your system. An open and unmonitored port can lead to hackers getting in and taking control of everything. It’s always best to close any ports you don’t intend to use.

You can check your open ports with the command:

# netstat -tulpn
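
The check described above can be scripted. This is an added example, not part of the original article: it reads `netstat -tulpn` output and reports every listener that is reachable from outside the host (not bound to loopback) and whose port is not on an allowlist. The function names, the allowlist `22 80 443` and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample of `netstat -tulpn` output (not from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      701/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      977/httpd
tcp6       0      0 :::443                  :::*                    LISTEN      977/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 0.0.0.0:111             0.0.0.0:*                           701/rpcbind
EOF
}

# Usage: netstat -tulpn | unexpected_listeners "22 80 443"
# Prints "proto port pid/program" for each non-loopback listener not on the allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            port = $4; sub(/.*:/, "", port)              # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next   # loopback-only service
            if (port in ok) next                         # port we intend to expose
            print $1, port, $NF                          # UDP rows have no State column
        }'
}

# Run against the constructed sample; on a real host pipe in `netstat -tulpn` as root.
sample_netstat | unexpected_listeners "22 80 443"
```

Each line it prints is a service to either close or deliberately add to the allowlist.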

3. Professional VPS Security Audit

You may be a fire-breathing Linux dragon who uses Vim blindfolded and can read BASH commands backwards, but you can always learn something. A professional audit is a cost-effective way to learn what steps you can take to improve security.

You can get a qualified audit for cheap on marketplace sites like Freelancers.com or Upwork. You can also get a security audit on your system with all your data files redacted. You should know how to invite freelancers into your domain in a secure way, and a professional can show you how.

4. Disable root Login

Linux has the concept of a “root” user. A root user, or system user, can basically do anything on the system without leaving any trace or log. You usually use the root user to install a system and then disable anyone’s ability to log in after that.

In most cases, you can use the “sudo” command to issue root level actions. That’s fine. It’s really not the job of the shell to keep out unauthorized commands. The purpose of sudo is to prevent accidental actions and to control permissions.

You can modify this option by changing your ssh login config file. Use

# vi /etc/ssh/sshd_config

or

# sudo nano /etc/ssh/sshd_config

5. Physical System Security

A modern VPS is a very secure system. However, it is vulnerable to certain types of security issues that other systems are not. This isn’t usually an issue for most users.

A good VPS provider will take all the necessary measures to handle the physical security of the system. This will include restricted access to the metal machines themselves.

However, remember that a VPS provider cannot – by definition – provide a certain level of security. Anything that needs to be air-gapped, for instance, can’t go on a VPS. Nation-state security systems are another example of something that can’t go on a VPS.

A VPS system can be set up to comply with Payment Card Industry (PCI) standards. However, there are special security requirements for this type of setup. Contact your hosting company to find out more about PCI compliant VPS servers.

6. Use key or pem Files

Linux makes it easy to log in from remote terminals. The original networks were supercomputer and remote client setups. This might not have been the best idea for standalone servers that only run apache and nothing else!

Normally, you log in to your system using SSH via the command line or a terminal like PuTTY. If you do this, you should use a key file to log in to your system.

A key file, sometimes known as a pem file, is a long password file used by a program to log in. It replaces the human auth system of a username and password combo with something much stronger. Human readable passwords are usually susceptible to dictionary attacks. There are only so many ways people can scramble their kid’s birthdays.
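
Tips 4 and 6 both come down to a few lines in `/etc/ssh/sshd_config`. The script below is an added example, not part of the original article: it audits the OpenSSH directives `PermitRootLogin`, `PasswordAuthentication` and `PermitEmptyPasswords` and reports each one that is not set to `no`. The function names and both sample configs are constructed, and the fallback defaults assume OpenSSH 7.0 or later.

```shell
#!/bin/sh
# Added example. Both configs below are constructed samples.
weak_sample() {
cat <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitEmptyPasswords yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
}

hardened_sample() {
cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
EOF
}

# Reads sshd_config text on stdin; prints "FAIL keyword=value" per weak global setting.
audit_sshd_config() {
    awk '
        BEGIN {
            # Value sshd falls back to when a keyword is absent (assumes OpenSSH 7.0+).
            val["permitrootlogin"] = "prohibit-password"
            val["passwordauthentication"] = "yes"
            val["permitemptypasswords"] = "no"
            for (k in val) want[k] = "no"      # hardened value for all three
        }
        /^[ \t]*#/ || NF == 0 { next }         # comments and blank lines
        {
            line = $0; sub(/=/, " ", line); split(line, f, " ")
            k = tolower(f[1])                  # keywords are case-insensitive
            if (k == "match") exit             # global section ends at the first Match
            # sshd keeps the first value it reads for each keyword
            if ((k in want) && !(k in seen)) { val[k] = tolower(f[2]); seen[k] = 1 }
        }
        END { for (k in want) if (val[k] != want[k]) print "FAIL " k "=" val[k] }
    ' | sort
}

# Run against the constructed weak sample; on a real host: audit_sshd_config < /etc/ssh/sshd_config
weak_sample | audit_sshd_config
```

The commented-out `PasswordAuthentication no` in the weak sample still fails, because a commented line leaves the default of `yes` in force. The script does not follow `Include` files; `sshd -T` prints the effective configuration if you need to check those too.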

7. Be Aware of cron Jobs

Linux has a special program that interacts with the system clock called cron. Cron does regular maintenance and schedules tasks based on time. You could use a cron job to make regular backups, and install system updates.

It’s important not to have superfluous crons on your system. They can cause system slowdowns or outright crashes. What’s worse, you might not even be aware this is happening if your system can reset itself!

8. Consider the Irish!

The internet connects us to a global village of devices and information. The four corners of the earth are available at the click of a mouse, or the press of a button.

It matters where your data lives. That’s a matter of a real place, on a real map in the real world. If you don’t know how to secure a Linux server, hire a hosting company that does!

Ireland is not only one of the world’s most technologically advanced nations, but it’s also a place where the rule of law matters. Our free democratic government is transparent with its practices and respects private business and intellectual property rights. Privacy, security, stability and openness are hallmarks of our technological infrastructure. Your enterprise deserves top-notch business class hosting.

9. Turn on SELinux

SELinux is a mandatory security package from the Linux Foundation. It’s simple to install: don’t do anything. SELinux comes pre-installed with every Linux distro. If you want a secure VPS, make sure SELinux is on.

You can check the status of your daemon by using the command:

# sestatus

Turn it on with this command if it’s off:

# setenforce enforcing

10. Throw Out Your Desktop!

If you are running a LAMP server, you have no need for a desktop. Linux has several different desktop environments that you can install. The basic systems are KDE and GNOME. If you aren’t using them, you shouldn’t have them on your system.

Generally, Linux VPS servers don’t require a GUI desktop. Not only are they not needed, but they are also one of the biggest pieces of software bloat on your server.

These GUIs provide new attack vectors for malicious users. Most of them have their own remote control systems that you would otherwise need to lock down. It’s better to get rid of them if you don’t need a GUI.

# yum groupremove "X Window System"

11. Remove Accounts With Empty String Passwords

Accounts shouldn’t have empty or blank passwords. This could happen if your system once used key files to log in and switched to text-based login auth. Empty password accounts are vulnerable to attack and can be a disaster if you have an account like “root” or “admin” open this way.

A good rule of thumb for Linux server security is to eliminate as many unnecessary ways to log in as you can think of. Use this command to check for blank password accounts:

# awk -F: '($2==""){print $1}' /etc/shadow

Get Yourself Right With the Right Security Protocols

It’s great to know everything about VPS security, but it’s not the same as fully managed hosting. With great power comes great responsibility, and you can mess up a VPS system if you don’t know what you’re doing.

The good news is that we’ve got you covered. The whole point of having a VPS is that we take care of the heavy lifting for you. Trust the pros when it comes to your security, don’t guess.

Contact us for the best Linux VPS hosting in Ireland and the world!