Security tips for your Linux VPS
Over the last couple of decades, the Linux user base has been slowly growing in size as more and more people make the switch from Windows.
In the world of hosting, these changes are even more evident as experienced professionals and relative newcomers prefer to make use of a Linux distribution as their operating system, hence why the popularity of Linux-based VPS servers has become so widespread.
The common reason for this change is the fact that Linux has better overall security with statements that malware for Linux distributions is much harder to create and release.
However, it is important to remember that your Linux-based OS can only be secure if it is appropriately configured.
Because of this, we are going to be sharing some valuable tips in this article that you should definitely consider utilizing in order to make your VPS server more secure.
Keep your system updated
First and foremost, it is absolutely crucial that you keep your system updated at all times. Installing frequent software updates can be quite a boring and time-consuming task, but you should never neglect it!
Such periodic updates can also fix and patch potential exploits such as backdoors. It wasn’t that long ago that over 50% of all existing WordPress installations were found to have a dangerous exploit, leaving them vulnerable and susceptible to cyberattacks.
Here is how you can update your Linux distribution.
Updating Debian & Ubuntu
Update the package list:
Update the packages themselves:
Updating CentOS & AlmaLinux
Remembering to update your system regularly will ensure that you will not experience any security exploit issues.
Use the non-standard (non-default) SSH port
By default, the SSH service’s listening port is set to port 22. Leaving this unchanged can result in your VPS server becoming a target for online hackers as port 22 is generally the main target when it comes to automated attacks.
To change the port, you only need to modify the service configuration file as illustrated below:
The following text should appear (or similar, depending on the configuration file):
# What ports, IPs and protocols we listen for Port 22
All you need to do here, is to simply replace the number 22 with a different port number.
IMPORTANT: You should never use a port number that is already being used on your system!
Once you have changed the port, save and exit the configuration file and then restart the service:
systemctl restart sshd
This will automatically apply your changes. Keep in mind that you need to indicate the new port every time you request an SSH connection to your server.
For a detailed, step-by-step explanation, you can check out our tutorial on how to change your server’s SSH port.
Create a user with restricted rights
Our next tip involves creating a user with restricted rights. Generally speaking, you don't need to have root privileges in order to perform tasks via a standard user. You can easily create a new user with restricted rights and protect your server using the following command:
Next, fill in the requested information (name, password and other data). This new user will be allowed to log in via SSH. When you establish a connection, you can now use your newly-created credentials.
When you are successfully logged in, in order to perform any operations that require root permission, simply type the following command:
Then, type the password and the active login will be switched to the root user.
Disable root user login
Having root access means having the most permissions on an operating system. We strongly recommend you disable direct root user access via the SSH protocol.
Leaving only root access as an access type for your server can result in irreversible damage!
IMPORTANT: Prior to disabling the root user login function, ensure to create another user like we mentioned in the previous section!
To disable the server access via the root user, you can follow these steps.
Modify the SSH configuration file
First, open up the SSH configuration file, like we mentioned in the initial section of this article using the following command:
Next, locate this section:
# Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes
Look for the line - PermitRootLogin and replace 'yes' with 'no'!
To apply the changes, you just need to restart the SSH service:
systemctl restart sshd
Once completed, you will notice that connections to your server via the root user will be automatically rejected.
Use security keys for identification
Using Security Keys (SSH Keys) has a number of security advantages.
Firstly, you can access your terminal without having to enter your password. Secondly, you can completely disable the process of having to log in with a password, meaning that a password would not be required to connect to the server.
This step protects your server against some possible attacks such as brute force attacks.
For more information, you can check out our tutorial on how to create a SSH key.
Another great thing you can do to secure your server is to install Fail2ban.
This lightweight software prevents intrusion as it is designed to block unknown IP addresses that are trying to penetrate and gain access to your system. To install the software package, you can use the following command.
How to Instal Fail2ban for Ubuntu & Debian
apt-get install fail2ban
How to Install Fail2ban for CentOS
yum install epel-release yum install fail2ban
Once the package installs successfully, you will need to adjust its configuration file in order to set it up with your system.
IMPORTANT: Before making any changes to the configuration file, we strongly recommend creating a backup of the original using the following command:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup
Once you have made a backup of the original file, open up the Fail2ban configuration file using this command and adjust the settings:
When you finish editing the config file, restart the service with:
service fail2ban restart
For any additional information on the software, you can check out the official Fail2ban documentation.
Configure the internal firewall
Linux distributions come with a firewall service named ‘iptables’. By default, it doesn't have any active rules. To verify that it is indeed located on your system, type the following command:
We recommend creating and adjusting some firewall rules according to your needs. However, the firewall service is configured differently for each Linux distribution. You need to check out the official documentation for the Linux OS of your choice in order to make adjustments accordingly.
Backup your system and your data
Finally, it is important to mention that security doesn’t only mean protecting your system against external attacks.
As a matter of fact, having a backup or a snapshot of your system and its data on a remote server can help you fully restore any information that might be lost due to a hacker attack or a physical server malfunction.
Because of this, make sure to start generating regular server backups and store them in different locations.
Overall, having these extra layers of protection for your Linux VPS server can be quite helpful. Our VPS servers, for example, support all of the aforementioned additional security measures and we also provide advanced DDoS protection up to 1.8Tbps!