Linux VPS servers offer more inbuilt protection than Windows, but there are still weaknesses you need to cover. These 10 tips to keep your Linux VPS secure will help protect you from online attack.
Set up a firewall
Make sure your firewall offers the features you need, and configure it to only allow your intended traffic. EuroVPS will install a firewall onto your server as a standard part of the setup process.
Use an antivirus
A firewall only protects you against known malicious traffic, not malware. You also need an antivirus program to scan your server regularly for malicious software. EuroVPS provides two free programs for scanning the server and rating possible malicious code to all their VPS customers. If you can afford it, paid AV software often has more frequently updated detection for the latest threats.
Enforce strong password rules
Users are usually the main weakness of any network’s security, and poor passwords are a common culprit when breaches happen.
Requiring the use of a capital letter, lower case letter, number, and symbol, as well as a minimum length, is a good start. Alternatively, you could generate random passwords using pwgen, or from /dev/urandom, with options that specify length and content.
You can enforce some of these rules from the server control panel, but others are down to making sure users know and follow password rules.
Keep your software up to date
Attackers are always on the lookout for new exploits in widely used network systems, so you need the latest patches and fixes to fight this. A lot of the software on your server will install new updates for you, but it’s your responsibility to keep on top of new version releases.
Scan for rootkits
Hiding at the OS level, unseen by your security software, a rootkit can give a hacker undetected access to your network. Use chkrootkit to detect the presence of a rootkit in your system. Once one is detected, the safest option is usually to format the server and reinstall, so be sure to take regular backups of your data. EuroVPS regularly backs up customers’ servers online.
Block the root account
The root user has full administrative access to the server, and a hacker is only one password away from having this skeleton key to your system. Disable root login over SSH by opening /etc/ssh/sshd_config, changing PermitRootLogin to ‘no’ and saving the changes. Remember to create a username with authorization for sudo commands first!
Assign new network ports
Using the default network ports for anything running on your server is generally a bad idea since it makes a lot less work for an attacker who knows those default ports. At a bare minimum, it is vital to assign a new port number to SSH in /etc/ssh/sshd_config to prevent scripts connecting directly to the default port. This won’t do much to stop a committed attacker, but that’s no reason to make it easy for them.
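The two sshd_config changes above (PermitRootLogin and the SSH port) are easy to get subtly wrong, because sshd keeps the first PermitRootLogin value it reads while every Port line adds another listening port. The following check is an added example, not EuroVPS code; the function name and the sample configuration are constructed for illustration. It assumes current OpenSSH defaults and looks only at the global section (no Match blocks, Include files or ListenAddress ports).

```python
import re

# sshd's built-in defaults when a keyword is absent (current OpenSSH releases).
DEFAULT_PORT = "22"
DEFAULT_ROOT_LOGIN = "prohibit-password"

def audit_sshd_config(text):
    """Check the global section of an sshd_config against the two tips above."""
    ports, root_login = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        args = parts[1].split() if len(parts) > 1 else []
        value = args[0].strip('"') if args else ""
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        if keyword == "port":
            ports.append(value)  # Port may repeat; sshd listens on all of them
        elif keyword == "permitrootlogin" and root_login is None:
            root_login = value.lower()  # sshd keeps the first value it reads
    ports = ports or [DEFAULT_PORT]
    root_login = root_login or DEFAULT_ROOT_LOGIN
    findings = []
    if DEFAULT_PORT in ports:
        findings.append("sshd listens on default port 22")
    if root_login != "no":
        findings.append(f"PermitRootLogin is '{root_login}', not 'no'")
    return {"ports": ports, "permit_root_login": root_login, "findings": findings}

# Constructed sample: a new port was added, but a leftover 'Port 22' remains.
SAMPLE = """\
# Constructed sample configuration (not from a real server)
Port 2222
PermitRootLogin no
Port 22
PermitRootLogin yes
"""

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE)["findings"]:
        print("WARN:", finding)
```

On a server, pass it the contents of /etc/ssh/sshd_config and restart sshd after fixing anything it reports.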
Turn off ‘next gen’ features
‘Next generation’ systems such as IPv6 simply are not as robust as the tried and tested systems which have seen years of fixes and improvements. IPv6 may be the superior system, and the internet’s future, but the truth is that right now it is barely used. It is still vulnerable to attack, however, and therefore should be shut down.
Hosting networks specialising in IPv6 are better protected and perform better than dual systems. If you would like to learn more about IPv6 networks you may check it here. Otherwise, IPv6 can be disabled within /etc/sysconfig/network.
Don’t use FTP
With the right software, an attacker sniffing your network packets can see and reconstruct everything being sent over your network via FTP, including the usernames and passwords sent at logon. EuroVPS uses SFTP, which does not have this vulnerability.
Only leave required ports and services open
These are all potential avenues for attack. Why leave your defenses open for no reason? Close every port you don’t need, and ideally, remove services you don’t need entirely.
Hackers are constantly testing defenses to identify the easiest victims. Your network will be tested eventually, so make sure you aren’t offering up an appealing target.