What can you, as a VPS user, do to protect your server from attack and possible compromise? Below are some commonly used tools and procedures that help protect a server.
This is not an exhaustive list, and there will be many opinions on server security, but the steps below go a long way towards protecting your server. Attackers have a mountain of techniques for getting into servers, but following these steps will certainly help.
Suggestion One: Disable Direct Root Login to your server
Your root password is the key to your server. If it is weak enough to fall to a brute force attack, boom! your server is compromised. Why not ask us to disable direct root login over SSH (PermitRootLogin no in sshd_config), add a new user and put that user in the wheel group so it can use the su command to escalate to root? In very simple terms this means nobody can log in to your server as root directly: an attacker now has to guess a username as well as two passwords (the user's and root's) to gain root access. We can help set this up on your server if you wish. We can also set the server up to email you about any root login (direct or via su) from an IP address other than the allowed ones, which is useful if you want to hear quickly about a potential breach.
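As an added example (not the provider's own alerting script, which the post does not show), here is how the alert described above can be implemented with awk over sshd and su log lines: direct root logins are flagged when the source address is outside an allowlist, and an su to root is tied back to the address the calling user logged in from. The log lines, the allowlist (RFC 5737 documentation addresses), the recipient and the function names are all constructed for this example; on a real server feed it /var/log/secure or the journal and pipe the output to mail.

```shell
#!/bin/sh
# Added example: flag root logins (direct ssh, or su to root) from addresses
# outside an allowlist. Not the hosting provider's own script.

# Assumed admin addresses (RFC 5737 documentation ranges, for illustration).
ALLOWED_IPS="203.0.113.10 198.51.100.7"

# Constructed sample log lines in /var/log/secure format (not real server output).
SAMPLE_LOG='Mar  3 10:01:12 vps sshd[2101]: Accepted password for root from 203.0.113.10 port 51000 ssh2
Mar  3 10:05:44 vps sshd[2140]: Accepted password for root from 192.0.2.55 port 40222 ssh2
Mar  3 10:09:01 vps sshd[2188]: Accepted publickey for alice from 192.0.2.77 port 40330 ssh2
Mar  3 10:09:20 vps su: pam_unix(su-l:session): session opened for user root by alice(uid=1000)
Mar  3 10:12:03 vps sshd[2201]: Failed password for root from 192.0.2.55 port 40301 ssh2'

# suspicious_root_logins ALLOWLIST  < log lines
# Prints one line per root login whose source address is not in ALLOWLIST.
suspicious_root_logins() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }

    # "sshd[PID]: Accepted <method> for <user> from <ip> port <n> ssh2"
    /sshd\[[0-9]+\]: Accepted / {
        user = $9; ip = $11
        last_ip[user] = ip                 # remembered so a later su can be attributed
        if (user == "root" && !(ip in ok)) print "direct root login from " ip
    }

    # "su: pam_unix(su-l:session): session opened for user root by <user>(uid=N)"
    # (newer PAM writes "user root(uid=0) by"; both forms are matched)
    /pam_unix\(su(-l)?:session\): session opened for user root(\(uid=0\))? by / {
        by = $NF; sub(/\(.*/, "", by)      # "alice(uid=1000)" -> "alice"
        ip = (by in last_ip) ? last_ip[by] : "unknown"
        if (!(ip in ok)) print "su to root by " by " from " ip
    }'
}

# Runs the check over the constructed sample; findings go to stdout.
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | suspicious_root_logins "$ALLOWED_IPS"
}

# Hourly cron usage on a live server (assumed recipient; mail -E skips empty reports):
#   journalctl --since -1h | suspicious_root_logins "$ALLOWED_IPS" | mail -E -s "root login alert" admin@example.com
check_sample
```

On the sample this reports the root login from 192.0.2.55 and alice's su to root from 192.0.2.77, and stays silent for the root login from the allowed address. The su attribution relies on seeing the user's own SSH login earlier in the same input, so always feed it a window that covers whole sessions rather than single lines.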
Suggestion Two: Restrict SSH logins to specific IP addresses
If you have a static IP address, or a VPN that gives you one, it is a good idea to lock SSH access down so that only those specific IP addresses can connect. For our clients we strongly recommend adding our IP addresses to the allow list as well, so we can still reach your server for administration. Before you lock SSH down, keep another way in (a console from your VPS host, or a ticket to our helpdesk) in case your address changes, otherwise the first thing the restriction locks out may be you. This simple step greatly enhances the security of your server.
Suggestion Three: Install Fail2Ban on your server
Fail2Ban is a really useful open source tool that watches log files and automatically bans, through the firewall, IP addresses that show malicious signs, for example repeated failed SSH logins. It can also email you the moment a ban happens; see below for a snippet from the email that is sent when an IP address is banned. If this is a package you would like us to install on your server, just let us know.
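As an added example, not fail2ban's shipped configuration or the provider's, here is a shell function that writes a minimal jail.local for the sshd jail with email alerts. The admin addresses, the recipient and the thresholds are assumptions for the example; the directives themselves (ignoreip, findtime, maxretry, bantime, bantime.increment, action_mwl) are fail2ban's own, and bantime.increment needs fail2ban 0.11 or newer.

```shell
#!/bin/sh
# Added example (not fail2ban's defaults): write a jail.local that enables the
# sshd jail, bans after repeated failures and e-mails a report for each ban.

ADMIN_IPS="203.0.113.10 198.51.100.7"   # assumed admin addresses; never ban yourself
ALERT_MAIL="admin@example.com"           # assumed recipient

# write_jail_local PATH
# PATH is normally /etc/fail2ban/jail.local; jail.conf is replaced on upgrade,
# jail.local is not, which is why local changes belong here.
write_jail_local() {
    host=$(hostname -f 2>/dev/null || hostname)
    cat > "$1" <<EOF
[DEFAULT]
# Loopback and the admin addresses from Suggestion Two are never banned,
# so a typo in your own password cannot lock you out.
ignoreip  = 127.0.0.1/8 ::1 $ADMIN_IPS
# Five failures within ten minutes earn a one hour ban, growing for repeat offenders
# (bantime.increment needs fail2ban 0.11 or newer).
findtime  = 10m
maxretry  = 5
bantime   = 1h
bantime.increment = true
# action_mwl bans the address and mails a report with whois data and the log lines.
destemail = $ALERT_MAIL
sender    = fail2ban@$host
action    = %(action_mwl)s

[sshd]
enabled = true
# If you moved SSH off port 22 (Suggestion Eight), put the new port number here.
port    = ssh
logpath = %(sshd_log)s
EOF
}
```

After writing the file, restart the service (systemctl restart fail2ban), check that the jail is live with `fail2ban-client status sshd`, which also lists the currently banned addresses, and release a mistaken ban with `fail2ban-client set sshd unbanip <address>`. The ignoreip line is the part people forget: without it, a few typos from your own desk ban the administrator.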
Suggestion Four: WHM Servers
A number of our clients, on receiving the welcome email for their cPanel/WHM VPS, immediately log in, create a reseller account with a very large pool of resources, log out of the root account in WHM and from then on only ever use the reseller account to set up hosting accounts on their VPS. This means you never need to log in to Web Host Manager as root for day-to-day account administration, and the root password can be stored securely in the knowledge that it will rarely be needed.
Suggestion Five: Have a Password Change Policy
Unfortunately most clients are complacent about passwords and have no change policy; we see clients who have had the same passwords for years. If that is you then STOP right now and change your password! We recommend you use a website such as http://strongpasswordgenerator.com/ to generate a really strong password, or better still a password manager, which generates and stores long random passwords for you without the password ever leaving your own machine.
Suggestion Six: Malware Scan your Computer regularly
Regularly scan any computer used to access your server for malware. Never save your password in your browser and only ever connect from trusted networks. This is especially important for clients who use Web Host Manager on their VPS: a root password saved in the browser can be read by malware on that machine and then used for SSH root access to your server if you have not taken any of the other steps here. See Suggestion Four for a way to avoid using your root password with Web Host Manager at all.
Suggestion Seven: Use a Secure https:// connection
We sell SSL certificates at a very cost effective price and can easily have one installed and configured for your server hostname, so that you are always on an https:// connection when entering passwords in WHM or cPanel and they are never sent across the network in clear text. Talk to us and we can have an SSL certificate installed quickly for you.
Suggestion Eight: Change the default SSH Port to a random port
A company we use for security audits (Vertical Structure in Belfast) recently told us that in their testing the simple step of changing the default SSH port resulted in far fewer brute force and login attempts. Bear in mind that this only cuts the noise from automated scanners; it does nothing against an attacker who looks for the new port, so combine it with the other steps rather than relying on it. If you move the port, the firewall (and SELinux, on CentOS) must allow the new port before SSH is restarted, or you will lock yourself out. Ask us if you want us to change your SSH port from the standard port 22 to something else.
Suggestion Nine: Lock down ALL ports you do not need
Audit the server firewall that we install on every server we deploy and make sure that every port you do not need is closed. A service that only needs to be reached from the server itself (a database, for example) should listen on 127.0.0.1 only rather than being left open and firewalled. Open a helpdesk ticket if you need us to do this for you and we will check that all unneeded ports are locked down.
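The audit itself is quick to script. As an added example (not the provider's tooling), the functions below read `ss -ltnp` output, drop everything bound to loopback, and print any listener on a public address whose port is not on an approved list. The ss output, the process names and the approved list are constructed for the example.

```shell
#!/bin/sh
# Added example: find services listening on all interfaces that are not on the
# list of ports you intend to expose. Not the provider's firewall tooling.

# Constructed sample of `ss -ltnp` output (not from a real server).
SAMPLE_SS='State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       80           127.0.0.1:3306         0.0.0.0:*      users:(("mysqld",pid=1044,fd=21))
LISTEN  0       511            0.0.0.0:80           0.0.0.0:*      users:(("httpd",pid=1211,fd=4))
LISTEN  0       128               [::]:22              [::]:*      users:(("sshd",pid=812,fd=4))
LISTEN  0       128            0.0.0.0:11211        0.0.0.0:*      users:(("memcached",pid=1300,fd=26))
LISTEN  0       128          127.0.0.1:6379         0.0.0.0:*      users:(("redis-server",pid=1350,fd=6))'

# exposed_listeners  < ss -ltnp output
# Prints "port address process" for every listener not bound to loopback.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, parts, ":"); port = parts[n]                 # last field after ":"
        addr = substr($4, 1, length($4) - length(port) - 1)        # works for [::]:22 too
        if (addr ~ /^127\./ || addr == "[::1]") next               # local only, not reachable remotely
        proc = $6; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
        print port, addr, proc
    }'
}

# unexpected_exposed "22 80 443"  < ss -ltnp output
# Everything exposed whose port is not on the approved list.
unexpected_exposed() {
    exposed_listeners | awk -v want="$1" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# Runs the audit over the constructed sample with a typical web server list.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_exposed "22 80 443"
}

# Live use (root is needed for ss to show process names; use -lunp for UDP):
#   ss -ltnp | unexpected_exposed "22 80 443"
audit_sample
```

On the sample the only finding is memcached on 11211, open to the world; mysqld and redis are bound to 127.0.0.1 and are not reported. For anything the script lists, first ask whether it needs to be reachable at all (bind it to 127.0.0.1 or stop it), and only then reach for a firewall rule.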
Suggestion Ten: Keep up to date with the latest security info
There is a very well respected security consultancy in the USA called Rack911. Someone once said that knowledge is power, and Rack911 maintain three mailing lists you can sign up to for free to be notified of server security issues as they come to light: http://www.hostingseclist.com/. All past security advisories can be viewed on that site as well. Another great site with useful information is Security Focus: http://www.securityfocus.com/
Suggestion Eleven: Upgrade Software
Set up automatic updates, or check regularly for updates within the OS, and make sure you apply them. Check your kernel as well: a new kernel package fixes nothing until the server has been rebooted into it, so compare the running kernel (uname -r) with the newest installed one, and have us upgrade and boot your machine into the new kernel if needed.
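The kernel check is the one most often skipped, because the package manager reports everything up to date while the old kernel is still running. As an added example (not the provider's procedure), this compares the running kernel version against the installed kernel packages; the version list is constructed, and the rpm query in the comment is the live equivalent on a CentOS/RHEL (cPanel) server.

```shell
#!/bin/sh
# Added example: is the running kernel the newest one installed? A kernel update
# only takes effect after a reboot into it. Not the provider's tooling.

# reboot_needed RUNNING_VERSION  < installed kernel versions, one per line
# Prints "reboot-needed" when a newer kernel is installed than the one running,
# otherwise "up-to-date".
reboot_needed() {
    newest=$(sort -V | tail -n 1)     # highest installed version by version sort
    if [ "$newest" = "$1" ]; then
        echo "up-to-date"
    else
        echo "reboot-needed"
    fi
}

# Constructed sample: three kernels installed, the middle one still running
# (version strings in CentOS 7 style, not taken from a real server).
INSTALLED='3.10.0-1160.71.1.el7.x86_64
3.10.0-1160.80.1.el7.x86_64
3.10.0-1160.76.1.el7.x86_64'

check_sample() {
    printf '%s\n' "$INSTALLED" | reboot_needed "3.10.0-1160.76.1.el7.x86_64"
}

# Live use on CentOS/RHEL (Debian/Ubuntu: list linux-image-* packages instead):
#   rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' | reboot_needed "$(uname -r)"
check_sample
```

For the automatic side, yum-cron (CentOS 7) or dnf-automatic (CentOS 8 and later) installs updates unattended; the reboot still has to be scheduled by a human, which is exactly why a check like this belongs in your monitoring.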
Suggestion Twelve: Malware Scan your WebFiles
We recommend periodically scanning all your files for known malware. Maldet (Linux Malware Detect) is a well known Linux malware scanner and we can run a scan for you on request, on individual hosting accounts (quick) or your entire server (slow). You can also use the popular Sucuri website to perform a quick external scan of your website; their $89 per year plan is ideal if you need to keep a mission critical website free from malware.
Suggestion Thirteen (unlucky for some!): Ban Weak Passwords!
Sorry to mention this yet again, but working the helpdesk we regularly see weak passwords. Some are so ridiculous that we reply and tell the user to urgently review their password choices. Your root password gives access to everything, so why leave the keys under the mat by using a weak one? We recently saw one client's server, not locked down in any way, being brute forced with tens of thousands of login attempts from a Chinese IP address. Why risk your server to a pathetically weak password? Sort it out NOW!
Suggestion Fourteen: Never send passwords via email
If you really have to, for instance when our helpdesk needs access, set a strong temporary password, send that, and change it again as soon as the work is done. Failing that, call us (the number is on our website) and give us the password over the phone, where we can write it down on old fashioned paper and shred it afterwards!
Suggestion Fifteen: Password vs SSH Key logins
Passwords are the most natural way to log in, but as explained above they can be brute forced. SSH keys are a lot more secure, though they take a little more technical knowledge to set up. It is relatively simple, and we will step you through it in our next blog post. A key is far too large to guess (a 256-bit Ed25519 key or a 2048-bit or larger RSA key cannot be found by brute force in any realistic time), so once password logins are disabled an attacker is left with nothing to try; you can also protect the private key with a long passphrase so that a stolen key file is useless on its own.
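Suggestions One, Two, Eight and Fifteen all end up as lines in the same file, /etc/ssh/sshd_config, so here is one added example (not the provider's procedure, and not the promised follow-up post) that applies them together: no root login, keys only, a non-default port, and an AllowUsers list that ties each user to the source addresses they may connect from. The sample config excerpt, the port 2222, the user alice and the addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example: rewrite an sshd_config with the settings from Suggestions One,
# Two, Eight and Fifteen. Not the hosting provider's own procedure.

# Constructed excerpt of a stock sshd_config (not from a real server).
SAMPLE_SSHD_CONFIG='# constructed excerpt
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server'

# harden_sshd_config PORT ALLOWUSERS  < sshd_config  > hardened sshd_config
# sshd uses the first value it sees for a directive, so the hardened lines are
# written once at the top and every later top-level copy (commented or not) is
# dropped. Match blocks are passed through untouched: they exist to override
# the global values deliberately, e.g. allowing passwords from one office range.
harden_sshd_config() {
    awk -v port="$1" -v allow="$2" '
    BEGIN {
        nkeys = split("Port PermitRootLogin PasswordAuthentication PubkeyAuthentication MaxAuthTries AllowUsers", order, " ")
        want["Port"] = port                       # Suggestion Eight
        want["PermitRootLogin"] = "no"            # Suggestion One
        want["PasswordAuthentication"] = "no"     # Suggestion Fifteen: keys only
        want["PubkeyAuthentication"] = "yes"
        want["MaxAuthTries"] = "3"
        want["AllowUsers"] = allow                # Suggestion Two: user@source-address patterns
        print "# --- hardened settings (added example) ---"
        for (i = 1; i <= nkeys; i++) print order[i] " " want[order[i]]
        print "# --- original settings follow ---"
    }
    /^[[:space:]]*Match[[:space:]]/ { in_match = 1 }
    in_match { print; next }
    { key = $1; sub(/^#/, "", key); if (key in want) next }   # drop the overridden directive
    { print }'
}

# Runs the rewrite on the constructed excerpt: SSH on 2222, alice from two admin IPs only.
harden_sample() {
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" | \
        harden_sshd_config 2222 "alice@203.0.113.10 alice@198.51.100.7"
}

# Live rollout (keep a second session open until the new one is proven to work):
#   ssh-keygen -t ed25519 -a 64                      # on your workstation, with a passphrase
#   ssh-copy-id alice@your-server                    # before passwords are switched off
#   harden_sshd_config 2222 "alice@203.0.113.10" < /etc/ssh/sshd_config > /tmp/sshd_config.new
#   sshd -t -f /tmp/sshd_config.new && cp /tmp/sshd_config.new /etc/ssh/sshd_config
#   firewall-cmd --permanent --add-port=2222/tcp && firewall-cmd --reload
#   semanage port -a -t ssh_port_t -p tcp 2222      # SELinux systems only
#   systemctl restart sshd
harden_sample
```

Two things the script cannot do for you: on newer Debian and Ubuntu releases the stock file starts with an Include of /etc/ssh/sshd_config.d/*.conf, and directives in those files win over anything written here, so check them too; and the order of operations matters, since switching PasswordAuthentication off before your key works, or changing the port before the firewall allows it, locks you out of your own server.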
Suggestion Sixteen: Use RK Hunter
RK Hunter (Rootkit Hunter) is a Unix tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing hashes and other properties of important system files against a baseline of known-good values that it stores locally (and optionally against your package manager's own records), and by searching for rootkits' default files and directories, wrong permissions, hidden files and suspicious strings in kernel modules. The baseline must be taken on a clean system and refreshed after every legitimate software update, otherwise every update looks like a rootkit and the warnings end up ignored. We can help you scan your server if you wish; just open a ticket.
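To make the baseline idea concrete, here is an added example of the file-property check reduced to a stand-alone script. It is not rkhunter's code and does none of rkhunter's other checks; it records SHA-256 hashes of a directory tree, then reports files that changed, disappeared or newly appeared, which is exactly the kind of tampering a rootkit leaves behind. The demonstration tree, file names and recipient are constructed.

```shell
#!/bin/sh
# Added example: a baseline-and-compare integrity check in the spirit of
# rkhunter --propupd / --check. Not rkhunter's code.

# build_baseline DIR BASELINE_FILE
# Records a SHA-256 hash for every regular file under DIR. Take this on a known
# clean system and again after every legitimate package update.
build_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

# check_baseline DIR BASELINE_FILE
# Prints modified or missing files (from sha256sum -c) and files that appeared
# since the baseline (which sha256sum -c alone cannot see). Always returns 0;
# empty output means nothing changed.
check_baseline() {
    dir="$1"; base="$2"
    ( cd "$dir" && sha256sum -c "$base" 2>/dev/null | grep -v ': OK$' ) || true
    # Baseline lines are "<64 hex chars><two spaces><path>", so the path starts at column 67.
    cut -c 67- "$base" | sort > "$base.paths"
    ( cd "$dir" && find . -type f | sort ) | comm -13 "$base.paths" - | sed 's/^/NEW: /'
    rm -f "$base.paths"
}

# Constructed demonstration: a fake system tree is baselined, then tampered with
# the way a rootkit would (replaced binary, deleted tool, new hidden file).
demo_tamper() {
    d=$(mktemp -d); b=$(mktemp)
    mkdir -p "$d/bin" "$d/lib"
    printf 'ls v1\n' > "$d/bin/ls"
    printf 'ps v1\n' > "$d/bin/ps"
    printf 'libc\n'  > "$d/lib/libc.so"
    build_baseline "$d" "$b"
    printf 'ls trojaned\n' > "$d/bin/ls"      # replaced binary
    rm -f "$d/bin/ps"                          # removed tool
    printf 'dropper\n' > "$d/lib/.hidden"      # new hidden file
    check_baseline "$d" "$b"
    rm -rf "$d" "$b"
}

# Live use (as root; keep the baseline off the server or on read-only media,
# otherwise an intruder simply rewrites it):
#   build_baseline /usr/sbin /root/baseline.usr-sbin
#   check_baseline /usr/sbin /root/baseline.usr-sbin | mail -E -s "integrity check" admin@example.com
demo_tamper
```

On the demonstration tree the output is the replaced ./bin/ls, the missing ./bin/ps and the new ./lib/.hidden, while the untouched library is not mentioned. With rkhunter itself the same cycle is `rkhunter --propupd` after installation and after every update, then `rkhunter --check --sk --rwo` (or `--cronjob`) to report only warnings; a baseline that is never refreshed produces a warning on every update and trains you to ignore the real one.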
We hope the above gives you some food for thought and, if nothing else, raises the profile of server security and shows the importance of taking it seriously. Remember, if you have a fully managed server with us and need any assistance with anything in this blog post, just open a helpdesk ticket and we will be more than happy to help.