Unmanaged Virtual Private Server: Keeping It Secure

Virtual Private Servers (VPS) is undoubtedly the future of web hosting. A VPS refers to a virtual machine or virtual server, installed on a computer that is simultaneously accessed by many end users or websites seems to be a dedicated server. Also referred to as a virtual dedicated server (VDS), the VPS technology employs powerful virtualization techniques to create several partitions on one physical server. Each part runs its own Operating Systems hosting different resources for different users.

Unmanaged VPS hosting

Typically, a customer chooses a self-managed (unmanaged) VPS hosting if they want complete control of the VPS hosting service solution, free from the influence of a service provider. To learn more about VPS hosting and how it works, see this tutorial. A user needs enough skills to establish and manage a web server without external help.

Why unmanaged VPS is preferred

In many ways, an unmanaged service has more merits than demerits compared to its counterpart.

• The user has autonomous control.

• The VPS setup can be customized to meet specific needs and objectives.

• There’s no need to spend on purchasing resources or power on the server, which makes it relatively cost-efficient.

• One does not rely on external technical support from the provider, which is often unresponsive.

• It’s perfect for businesses with high bandwidth upsurges.

• Programs that are not offered on shared hosting platforms can be used here.

Securing your unmanaged VPS

With the freedom that comes from total flexibility, additional administration tasks await. Server management fully relies on the user, and it’s therefore important that one is sufficiently capable of setting up robust security measures.

Below I’ve outlined several steps to ensure your servers, data, and resources remain healthy.

1. Use a strong password

A weak password will undermine all your security efforts. Good security practices start with a strong password. The more complex a password is, the more resistant it is to brute-force attacks. As long as you stick to the length and complexity password regulations you’ll be fine.

It also goes without saying that passwords should never be shared. Don’t write down your passwords because someone else might see.

1. Change Default SSH port

SSH is a Linux tool employed by users to remotely connect to their servers. It should always be updated. Many attackers use port 22 to hack into the system, therefore, it’s recommended to change the port number to a different one.

To do this, edit the /etc/ssh/sshd_config file, use a port that is unused by another service and is less than 1024 (privileged ports).

1. Disable root SSH access

The root account is highly privileged. If a rogue element accesses it, you’re done for. Create a standard user account then disable the root SSH access.

For CentOS and Fedora:

• Log into the server (Replace the username with the name of a user)

• On the command prompt, type;

• “useradd username”  

• “passwd username”

• “visudo”

• Add “username ALL = (ALL) ALL”

For Debian and Ubuntu:

• Log into the server (Replace the username with the name of a user)

• On the command prompt, type;

• “adduser username”

• “apt-get install sudo”

• “usermod –a –G username” to add the user to the sudo group.

1. Regular Server Updates

Discovering security vulnerabilities, (like the Heartbleed OpenSSL vulnerability) and constant patching is crucial procedures that should be adhered to. Boost a server regularly with the latest security patches and the latest fixes.

To download and install the latest updates for CentOS and Fedora:

Type “yum –y update”.

To download and install updates for Debian and Ubuntu:

Type “apt-get -y update && apt-get –y upgrade”.

1. Set up a firewall

It is possible to specify security rules based on port numbers. Thus, a firewall gives you the ability to control both incoming and outgoing network traffic packets.

Firewalls can be set up either using iptables or Advanced Policy Firewall (APF). With both, you can explicitly block or grant access to specific IP addresses and specific selected services from the network or the server.

1. Set up fail2ban

Fail2ban program is a very useful feature used to monitor log files for suspicious activity like intrusion attempts. If a certain host service or IP address has been blocked several times (A pre-set number of times), fail2ban will consequently block it for a certain duration of time. It is very reliable for scripted attacks.

After the installation, configure it by specifying which IP address or which hosts the program should block or ignore. You can configure how much time a hostname/IP address will stay banned, and how many failures one is granted before being blocked.

1. Monitor your server

Ensure you know everything about your system; when an update is made, when user accounts are created, and which software requires new updates, among other important information.  

Run a few of these commands to ensure that the system runs as expected:

• “netstat –anp” — It checks for unauthorized programs on ports.

• “ls /var/log/” — Runs frequent log checks on the logs on the server.

Install and run these third-party tools to detect abnormalities:

Rkhunter – For vulnerability scans.

Logwatch – For monitoring server activities.

Tripwire – To monitor files and changes.

1. Secure Apache

Apache must be constantly secured from malicious attacks. Employ ModSecurity. ModSecurity allows one to set up and configure certain rules and guidelines for which any connection found to be a mismatch will automatically be blocked.

Install ModSecurity by following these steps;

“WHM/Home/Plugins/ModSecurity”.

As a best practice, use SuPHP to perform both Apache and PHP compilations so that all PHP scripts are run as the user owning them. Thus, any scripts that run will be easily identified through the user running them and the location of any malicious scripts can easily be uncovered.

1. System Compilers

Compilers should be disabled for user accounts unless the account exists in the compilers group file.

Disable the compilers either from the command line or the WHM compiler interface. Use:

“/scripts/compilers off” for command line or;

“WHM/Home/Security Center/Compiler Access” for WHM compiler.

1. Make Regular Backups

Ensure regular backup your VPS data is made. If anything like an accidental deletion takes place, one can easily retrieve lost data by rolling back to an earlier state or one can restore the information that had been saved somewhere else.

It’s possible to build your own backup solution using any cloud platform that suits your organization best. It is also possible to use 3rd party backup services like Acronis for this purpose.

1. Anti-virus and Anti-malware

Use a reliable anti-malware engine like ClamAV to run virus and malware scans.

It is a control panel plugin that can be installed by following these steps;

“WHM/Manage Plugins/Check ‘Install and keep updated’ checkbox.”

Click save.

Conclusion

Remain vigilant – there’s never a once-and-for-all solution when it comes to VPS security. There’s no guaranteed safety on the internet. New technologies crop up every day, thus one must keep their systems updated. If you stick to the recommendation laid out in this article, your odds of staying safe and secure greatly improve, and the chances of getting hacked are greatly reduced. Stay vigilant.