Secure your Linux VPS - Domainsatcost.com

Best Practices to Secure your Linux VPS

It is very important to secure your Linux VPS if you want to keep your data and other important resources away from the clutches of hackers. Some standard best practices for securing your VPS are the following:

Lock down SSH: The SSH daemon running on your VPS is usually the first target for attack by hackers because, although it provides strong encryption, it also allows a great deal of access to your server.

Limit root and system users’ access: it is important not to give people user accounts if they don’t really need them.

Block unwanted traffic using firewalls: Firewalls are filters which limit incoming traffic to your server. They can even block all traffic arriving from a given IP address or through certain ports in cases where you know that traffic is malicious.

IPTables: IPTables is the best known application for creating and configuring the firewall (Netfilter) which is provided by the Linux Kernel. Most DoS attacks can be prevented with the help of IPTables.

Uncomplicated Firewall: Uncomplicated Firewall (UFW) provides simple but effective host-based firewall management, making it a good fit for people who are not well versed in Linux firewall solutions.

Use DenyHosts and Fail2Ban to block password attacks: DenyHosts and Fail2Ban are two good applications that protect your VPS against dictionary attacks. They keep a close watch on attempted logins, so if there are multiple failed login attempts from the same IP address, they automatically insert firewall rules that will block inbound traffic from that IP address.

Encrypt sensitive data: Encryption transforms the data to be transmitted into unreadable ciphertext, so an attacker who intercepts it will only see a mess that is of no use to him. There are many tools for encrypting communication.

Avoid FTP and Telnet: In most network configurations, user credentials as well as FTP, telnet and rsh commands can easily be captured with a packet sniffer by anyone on the same network. A good option is to use OpenSSH, SFTP, or FTPS (which adds SSL or TLS encryption to FTP) instead.

Minimize unused services: Hackers love to exploit unused applications, so it is a good idea to disable daemons (services) which are not in active use, and to make sure they are also prevented from starting automatically.

Keep software up-to-date: systems that are outdated may have security holes, so always make sure to use the available package management tools to keep them up-to-date.

Install and use IDS: Intrusion detection systems (IDS) try to detect any suspicious activity such as DoS attacks and port scans.

Basic instructions for securing a virtual private server against most common attacks.

User Accounts

-Observe the Password Security recommendations for your root account
-Create a user account for any trusted users who should have access to the VPS – do not share your root login
-Eliminate unnecessary user accounts and disable shell access for daemons
1. Run cat /etc/passwd and identify unnecessary user accounts
2. Remove unnecessary users with userdel <username>
3. Disable interactive logins for daemon accounts by specifying /bin/false for the user’s shell

SSH Configuration

-Change the SSH port
1. Open your sshd_config file for editing
2. Locate the Port directive
3. Change the default SSH port – any port above the 1-1024 range is preferable (check the Internet Assigned Numbers Authority site for unassigned port numbers if you want to ensure no conflicts are encountered)
4. Restart SSH and connect to your VPS using the new port

-Restrict SSH users and hosts in sshd_config
1. Use the PermitRootLogin no directive to disable root logins over SSH (if you have created a user account for yourself and plan to use su to administer your VPS)
2. Use the AllowUsers directive to specify which user accounts may be used to log in

-Additional Recommendations
1. Limit SSH access to trusted IPs only (iptables example):
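-A INPUT -p tcp -m tcp --dport XXXX --source x.x.x.x -j ACCEPT (where XXXX is the port SSH is listening on and x.x.x.x is the trusted source IP; the rule only restricts access if other traffic to that port is dropped by the chain's policy or by a later rule)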
2. Prior to closing the established SSH session, test the SSH access rule: Create an additional SSH session from the trusted source IP. Test a non-trusted IP as well. If the non-trusted IP is unable to connect and the trusted IP is allowed, the rule is working as intended.

-Use the DenyHosts script to block malicious users (if restricting access to a single trusted IP is not practical)
-Configure your VPS to use public key authentication instead of password authentication
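
The sshd_config recommendations in this section (non-default port, PermitRootLogin no, AllowUsers, public key instead of password authentication) can be checked with a short script. This is an added example, not part of the original article; the function names, the constructed sample configuration and the OpenSSH defaults assumed for unset keywords are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config file
# against the SSH checklist above. Function names are illustrative.

# sshd_values KEY FILE: print every value set for KEY in the global section.
# Keywords are case-insensitive; comments and Match blocks are skipped.
sshd_values() {
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$2"
}

# first_or_default KEY DEFAULT FILE: sshd keeps the first value it reads.
first_or_default() {
    v=$(sshd_values "$1" "$3" | sed -n 1p)
    printf '%s\n' "${v:-$2}"
}

# audit_sshd FILE: print one finding per failed check, nothing if all pass.
# Assumption: defaults for unset keywords follow current OpenSSH releases.
audit_sshd() {
    ports=$(sshd_values Port "$1")          # Port may be given more than once
    for p in ${ports:-22}; do
        [ "$p" -gt 1024 ] || echo "Port $p: not above the 1-1024 range"
    done
    root=$(first_or_default PermitRootLogin prohibit-password "$1")
    [ "$root" = no ] || echo "PermitRootLogin $root: root may log in over SSH"
    [ -n "$(sshd_values AllowUsers "$1")" ] || echo "AllowUsers unset: any account may log in"
    pass=$(first_or_default PasswordAuthentication yes "$1")
    [ "$pass" = no ] || echo "PasswordAuthentication $pass: password logins accepted"
    return 0
}

# Constructed sample input (not a real server's configuration).
sample_config() {
    cat <<'EOF'
port 2222
PermitRootLogin yes
PERMITROOTLOGIN no
#PasswordAuthentication no
AllowUsers alice
Match Address 203.0.113.0/24
    PasswordAuthentication no
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_sshd "$tmp"; rm -f "$tmp"
```

On the sample, the second PermitRootLogin line, the commented-out PasswordAuthentication line and the one inside the Match block do not change the global setting, so root login and password authentication are both reported.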

At Domainsatcost.com we offer you affordable and reliable Linux VPS with 24×7 Live Support 99.99% Uptime Guarantee, Free Migration / IPv6 available. For more information visit us at: http://domainsatcost.com/server-hosting/openvz-vps.php
