Over the past few years, Linux has grown rapidly in popularity among users who value an open-source operating system. Linux gives the user unparalleled flexibility to develop and modify the system to suit their own needs. Furthermore, Virtual Private Servers (VPS) running Linux have a proven track record and are the preferred choice of many system administrators.
What is a VPS?
A Virtual Private Server (VPS) is a virtual machine that appears to the user as a dedicated server but runs on a physical machine that serves multiple customers. It runs its own operating system and has dedicated resources. All VPS hosting providers rely on virtualization software known as a hypervisor to abstract the resources of the physical server and give the user access to an emulated virtual machine. Each virtual machine runs its own operating system, and this is where Linux comes into the picture.
Significance of Linux as an OS for Virtual Machine
Linux ships with the Linux Security Modules (LSM) framework, which lets the kernel support a variety of security policies while remaining neutral towards any particular implementation. The framework alone does not make a system secure, though: security depends on how you configure the operating system. A Linux VPS must be configured to meet your particular security needs and environment, or it becomes an easy target for attackers.
The open-source nature of Linux and the ever-changing requirements of VPS users have made this combination popular. Nevertheless, users of a Linux VPS must understand and implement security measures to ensure their websites are protected.
Practices to Secure Your Linux VPS Server
1) Disable Root Login – Secure the Foundation of Your Linux VPS
Besides scalability, full root access is one of the reasons VPS hosting is popular. By default, every Linux system has a ‘root’ account, which entitles the administrator to perform any action on the server.
Disabling root login adds another security layer and helps keep attackers at bay. Administrators can still execute root-level commands through ‘sudo’, which grants restricted rights to administrators or authorized users to run commands as root.
Make sure to create a non-root user and give it the proper authorization to execute the ‘sudo’ command.
To disable root login, open /etc/ssh/sshd_config in a Linux text editor such as Nano or Vi. Find the parameter PermitRootLogin and set it to no.
It should look like this –
PermitRootLogin no
Restart the SSH service afterwards so the change takes effect, and keep your current session open until you have confirmed that the non-root user can still log in.
2) Keep Your Server OS Updated
Updating your system regularly eliminates known security threats and vulnerabilities. Update the operating system regularly and install the latest security patches and fixes.
If you are using CentOS or RHEL, execute the following command to update your system –
sudo yum update
If you are using Ubuntu or Debian, execute the following command to update your system –
sudo apt-get update && sudo apt-get upgrade
Alternatively, you can configure the OS to send e-mail notifications when yum package updates are available. A time-based job scheduler such as cron automates tasks in a Linux environment and can be set up to apply all available security updates.
3) Use SSH to Log In Remotely and Securely
SSH, the Secure Shell, is one of the protocols that is always running on a VPS. It is used to operate network services securely over an unsecured network. Because SSH is always listening, attackers frequently target it.
The first step in securing the SSH configuration is to change the default port, 22, to a port not used by another service. Changing the default port stops automated malicious scripts that connect directly to port 22, although it does not hide the service from a port scan.
To change the port number, edit the Port directive in /etc/ssh/sshd_config, and allow the new port through the firewall before restarting SSH.
Also implement the following actions –
- Deny root access for users logging in via SSH
- Disable password-based authentication and instead use key pairs for logging in
- Install intrusion-detection software such as fail2ban or DenyHosts
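The sshd_config changes from step 1 (PermitRootLogin) and this step (Port, key-only authentication) are usually applied by hand, but on more than one server it pays to script them. The following is an added example, not code from the original article: a POSIX shell helper that sets a directive in an sshd_config-style file whether it is currently absent, commented out (as in a stock file) or already set, and a reader to confirm the result. It runs against a constructed sample file, so nothing on the host is touched; the file name, the port 2222 and the helper names are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not taken from the original article: idempotently set
# directives in an sshd_config-style file and read them back. Runs against a
# constructed sample copy so it can be exercised without touching a real host.

# set_sshd_option FILE KEY VALUE
# Replaces the first active "KEY ..." or stock-style commented "#KEY ..." line
# with "KEY VALUE" and drops later active duplicates (sshd honours the FIRST
# occurrence of a keyword). If KEY is absent it is inserted above the first
# Match block, or appended. Assumes KEY is not already set inside a Match block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        $0 ~ ("^[ \t]*#?" key "([ \t]|$)") {
            if (!done) { print key " " value; done = 1 }
            next                                   # drop duplicates of this key
        }
        !done && $0 ~ "^[ \t]*Match([ \t]|$)" {
            print key " " value; done = 1           # keep it global, above Match
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY -> value of the first active KEY line (as sshd sees it)
get_sshd_option() {
    awk -v key="$2" '$0 ~ ("^[ \t]*" key "([ \t]|$)") { print $2; exit }' "$1"
}

# harden_sshd FILE PORT -> the settings discussed in steps 1 and 3.
# Only turn PasswordAuthentication off once a key for your non-root user
# is installed in ~/.ssh/authorized_keys, or you lock yourself out.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# Constructed sample resembling a stock sshd_config (not a real host's file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample sshd_config
#Port 22
#PermitRootLogin prohibit-password
PubkeyAuthentication yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

harden_sshd "$SAMPLE" 2222
cat "$SAMPLE"
```

On a real server, run sshd -t -f /etc/ssh/sshd_config before restarting the service so a syntax error cannot leave you without SSH, and check the effective values with sshd -T (newer Debian and Ubuntu releases include /etc/ssh/sshd_config.d/*.conf first, and an earlier directive there would override the one you just wrote).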
4) Ignore ICMP or Broadcast Requests
Internet Control Message Protocol (ICMP) is an error-reporting protocol used to send error messages to the source IP address when network problems prevent the delivery of IP packets. Most attacks start with an ICMP echo sweep, widely known as a ping scan, to discover live hosts.
When the system’s response to ICMP is disabled, it cannot be discovered by a ping request (a TCP or UDP port scan will still find it, and ping-based monitoring of the server will stop working).
To ignore ICMP and broadcast requests, open /etc/sysctl.conf and add the following lines –
Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1
Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Reload the sysctl configuration by entering the following command –
sysctl -p
Use ping <your server name> from another host to validate whether the system still responds to ICMP requests.
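Pinging from outside only tells you the end result; when it still answers, the question is whether the file says what you think it says and whether sysctl -p was actually applied. The following is an added example, not code from the original article: a POSIX shell audit that reads the value a sysctl.conf-style file would apply for each of the two keys above (the last uncommented assignment wins, exactly as sysctl -p applies lines in order), compares it with the running kernel value from /proc/sys where that is readable, and returns non-zero if either key is not set to 1. It runs on a constructed sample file; the helper names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article: audit the two ICMP sysctl
# settings above by parsing a sysctl.conf-style file and comparing it with
# the live kernel value, so "is it really in effect?" can be answered.

# sysctl_file_value FILE KEY -> value FILE would apply for KEY, or nothing.
# sysctl -p applies lines in order, so when a key is repeated the last
# uncommented assignment wins; comments (# or ;) and blank lines are skipped.
sysctl_file_value() {
    awk -F'=' -v key="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# live_sysctl_value KEY -> current kernel value via /proc/sys (Linux only),
# e.g. net.ipv4.icmp_echo_ignore_all -> /proc/sys/net/ipv4/icmp_echo_ignore_all
live_sysctl_value() {
    path="/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
    [ -r "$path" ] && cat "$path"
    return 0
}

# check_icmp_hardening FILE -> one status line per key; returns 0 only when
# FILE sets both keys to 1. If the live column differs from the file column,
# the file has not been applied yet (sysctl -p FILE, as root).
check_icmp_hardening() {
    ok=0
    for key in net.ipv4.icmp_echo_ignore_all net.ipv4.icmp_echo_ignore_broadcasts; do
        want=$(sysctl_file_value "$1" "$key")
        live=$(live_sysctl_value "$key")
        printf '%s file=%s live=%s\n' "$key" "${want:-unset}" "${live:-n/a}"
        [ "$want" = 1 ] || ok=1
    done
    return $ok
}

# Constructed sample (not a real host's file): the early "= 0" is overridden
# by the later "= 1", which is what sysctl -p would do too.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_all = 0
#net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts=1
EOF

check_icmp_hardening "$SAMPLE"
```

Point it at /etc/sysctl.conf on the server (or at the file in /etc/sysctl.d/ you used) after sysctl -p; a mismatch between the file and live columns is the usual reason the ping test in the paragraph above still succeeds.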
5) Set Up a Firewall with iptables
iptables is a user-space application used to set up, inspect, and maintain the packet-filtering firewall provided by the Linux kernel. A user can set rules for filtering incoming, outgoing, and forwarded packets. It helps in preventing most Denial of Service (DoS) attacks and filters out unwanted traffic.
It is vital to close unused network ports, since every open port enlarges the attack surface of the VPS. Use iptables to block all ports that are not needed.
netstat -tulpn (or ss -tulpn on newer systems) will display all listening ports and the processes behind them.
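The safe way to "close all open ports" is a default-deny INPUT chain that allows only the services you listed after checking netstat, with the policy set last so you are not cut off halfway through. The following is an added example, not code from the original article: a POSIX shell script that lists the TCP ports currently listening, generates the iptables commands for an allow-list of ports, and only applies them when APPLY=1 is set and the script runs as root, so the ruleset can be reviewed first. The port numbers, the APPLY variable and the function names are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original article: generate (and optionally
# apply) a default-deny iptables INPUT ruleset for the ports a VPS needs.

# listening_tcp_ports -> TCP ports in LISTEN state, one per line, using ss
# on modern systems and falling back to netstat on older ones.
listening_tcp_ports() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk 'NR > 1 { sub(/.*:/, "", $4); print $4 }' | sort -nu
    else
        netstat -ltn 2>/dev/null | awk '$6 == "LISTEN" { sub(/.*:/, "", $4); print $4 }' | sort -nu
    fi
}

# firewall_rules PORT... -> prints the iptables commands for: allow loopback,
# allow replies to connections we started, allow the listed TCP ports, drop
# everything else inbound. Outbound traffic is left open. Make sure your SSH
# port (2222 in step 3) is in the list.
firewall_rules() {
    for p in "$@"; do
        case $p in
            *[!0-9]*|'') echo "firewall_rules: bad port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "firewall_rules: port out of range '$p'" >&2; return 1; }
    done
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # ICMP errors keep path-MTU discovery working; echo requests are already
    # governed by the sysctl in step 4, not by the firewall.
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Policy last: with the allow rules already in place, nothing is cut off.
    echo "iptables -P INPUT DROP"
}

# apply_firewall PORT... -> print the rules for review; execute them only
# when APPLY=1 is set and we are root.
apply_firewall() {
    rules=$(firewall_rules "$@") || return 1
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

echo "currently listening (TCP):"; listening_tcp_ports
echo "proposed rules:"; apply_firewall 2222 80 443    # constructed allow-list
```

Rules written this way are lost on reboot; persist them with iptables-save (for example into /etc/sysconfig/iptables on CentOS/RHEL, or via the iptables-persistent package on Debian/Ubuntu). Compare the listening list with the allow-list: a listening port that is not in the list is either a service to stop or one you forgot.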
6) FTP or SFTP – Which to Use?
FTP, the File Transfer Protocol, is a standard network protocol used to move files between a client and a server. FTP may seem handy, but it is an inherently insecure way of accessing the server, since credentials are sent in plain text without any encryption. Anyone monitoring the connection between the user and the server can capture the password.
Instead of FTP, switch to a more secure alternative such as SFTP. The SSH File Transfer Protocol runs over the SSH protocol and therefore carries both credentials and data through an encrypted end-to-end tunnel.
7) Encrypt Sensitive Data
All data transmitted over the network between a server and a client can be monitored. Encrypting sensitive data comes at a price, but it is imperative if you are concerned about data theft. Encryption transforms the data into unreadable ciphertext that is inaccessible to anyone except the holder of the appropriate key or password. Use GnuPG, an implementation of the OpenPGP standard, to encrypt sensitive communication.
8) Maintain a Strong Password Policy
Never allow empty passwords for user accounts, or simple passwords that attackers can crack with brute-force attacks. Make sure users can only log in through SSH and enforce the use of strong passwords.
Set up a password policy by editing the Pluggable Authentication Modules (PAM) configuration file. The location of the PAM password file in common Linux distros –
/etc/pam.d/system-auth (CentOS, RHEL)
/etc/pam.d/common-password (Ubuntu, Debian)
In the above PAM configuration file, add the following line to require a minimum length and minimum numbers of uppercase letters, digits, and special characters.
password requisite pam_cracklib.so retry=2 minlen=9 difok=3 ucredit=-2 dcredit=-1 ocredit=-3
The negative values matter: with pam_cracklib, ucredit=-2 means "at least two uppercase letters", whereas a positive value only grants a credit towards minlen and requires nothing. On newer distributions pam_cracklib has been replaced by pam_pwquality, which accepts the same parameters.
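The credit parameters are the part of that line people most often misread, so it helps to see the minimums applied to concrete passwords. The following is an added example, not code from the original article: a POSIX shell checker that tests a candidate password against the minimums the PAM line above is meant to express (minlen=9, two uppercase letters, one digit, three special characters), which pam_cracklib enforces only when the credit values are negative. It is a tool for understanding and testing the policy; PAM remains the enforcement point, and difok, which compares against the previous password, is not modelled. The function names and sample passwords are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original article: check candidate passwords
# against the minimums of the pam_cracklib line above (minlen=9,
# ucredit=-2, dcredit=-1, ocredit=-3 read as "at least N of this class").

# count_chars STRING CLASS -> number of characters of STRING inside tr CLASS
count_chars() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# count_other STRING -> characters that are neither letters nor digits
# (what pam_cracklib's ocredit counts as "other")
count_other() {
    printf '%s' "$1" | tr -d 'A-Za-z0-9' | wc -c | tr -d ' '
}

# password_ok PASSWORD [MINLEN] [MIN_UPPER] [MIN_DIGIT] [MIN_OTHER]
# Returns 0 when every minimum is met, 1 otherwise; reasons go to stderr.
password_ok() {
    pw=$1; minlen=${2:-9}; min_upper=${3:-2}; min_digit=${4:-1}; min_other=${5:-3}
    status=0
    [ "${#pw}" -ge "$minlen" ] || { echo "shorter than $minlen characters" >&2; status=1; }
    [ "$(count_chars "$pw" 'A-Z')" -ge "$min_upper" ] || { echo "fewer than $min_upper uppercase letters" >&2; status=1; }
    [ "$(count_chars "$pw" '0-9')" -ge "$min_digit" ] || { echo "fewer than $min_digit digits" >&2; status=1; }
    [ "$(count_other "$pw")" -ge "$min_other" ] || { echo "fewer than $min_other special characters" >&2; status=1; }
    return $status
}

# Constructed candidates (not real credentials) to show the policy in action.
for candidate in 'Correct-Horse#1!' 'password1' 'Ab#!$1'; do
    if password_ok "$candidate" 2>/dev/null; then
        echo "ok:   $candidate"
    else
        echo "weak: $candidate"
    fi
done
```

Once the PAM line is in place, the same checks happen on passwd; this script is useful for validating the policy you intend before rolling it out, and for explaining to users why a password was rejected.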
9) Set File Permissions Meticulously
Even after implementing the practices above, weaknesses remain if file permissions are wrong. If the system administrator grants users rights to the wrong files, the VPS becomes insecure. In Linux, permissions are grouped by owner, group, and all other users, and come in three types – read, write, and execute. Grant only the permissions that are necessary. Review SUID and SGID files regularly, and never set 777 permissions on any file or folder.
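Reviewing permissions by hand does not scale, so the two findings this section warns about (777-style world-writable files and SUID/SGID binaries) are best found with find. The following is an added example, not code from the original article: a POSIX shell audit that lists world-writable files and directories (ignoring sticky directories such as /tmp, where that is intentional) and setuid/setgid files under a directory tree, returning non-zero when anything is found. It is demonstrated on a constructed temporary tree so it runs unprivileged; the file names and the function names are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original article: find world-writable files
# and directories and SUID/SGID files under a tree, and fail if any exist.

# world_writable DIR -> files and directories anyone can write to (mode o+w),
# excluding sticky directories like /tmp where world-writability is by design.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# setuid_setgid DIR -> regular files with the SUID or SGID bit set
setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit_permissions DIR -> prints findings; returns 1 if anything was found
audit_permissions() {
    ww=$(world_writable "$1")
    sg=$(setuid_setgid "$1")
    [ -n "$ww" ] && printf 'world-writable:\n%s\n' "$ww"
    [ -n "$sg" ] && printf 'setuid/setgid:\n%s\n' "$sg"
    [ -z "$ww$sg" ]
}

# Constructed sample tree (not a real system): a 777 file, a normal 644 file,
# a setuid file and a sticky world-writable directory that must be ignored.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/app" "$SAMPLE/shared"
printf 'x' > "$SAMPLE/app/config.php"; chmod 0777 "$SAMPLE/app/config.php"
printf 'x' > "$SAMPLE/app/index.php";  chmod 0644 "$SAMPLE/app/index.php"
printf 'x' > "$SAMPLE/app/helper";     chmod 4755 "$SAMPLE/app/helper"
chmod 1777 "$SAMPLE/shared"

audit_permissions "$SAMPLE" ||
    echo "fix the entries above (chmod o-w; chmod u-s,g-s where SUID/SGID is not needed)"
```

On a real VPS run it against / with -xdev added to the find commands so the scan stays on one filesystem, and keep the first run's setuid/setgid list as a baseline: a new entry on a later run is worth investigating, because a setuid file is exactly what an intruder leaves behind to regain root.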
Securing a VPS is critical, and it should be the first thing you do after buying a VPS hosting plan. The measures above are necessary, but the exact settings vary from user to user; fine-tune them to your needs and configure the VPS accordingly. A secure server is the foundation of a reliable website or application. Securing a VPS is an ongoing process: keep auditing the system, adopt new solutions, and learn new practices to stay a step ahead of attackers.