14 Tips on How To Secure Your Linux VPS

In order for you to run a successful website or application, you need to ensure that your hosting infrastructure is capable of not only handling your load, but also keeping you protected and secure at all times.

The vast majority of web servers worldwide run on Linux, and they are constantly under potential threat. If you use a Linux-based VPS for your hosting needs, this guide is for you: today we are sharing 14 useful tips to protect your Linux VPS!

What is a Linux VPS?

A Linux VPS is a virtual private server that utilizes a Linux-based distribution as its operating system. Some examples of popular Linux distros include Debian, Ubuntu, Fedora, AlmaLinux and others, with each OS offering a different set of advantages compared to its fellow distributions.

But why Linux? Compared with its counterpart, Windows Server, Linux offers much greater control over your server and its resources, allowing for a versatile and customizable environment which can unlock a lot of potential for your websites and applications.

However, this does come at a price - you have to ensure that you keep your server protected at all times by yourself. But not to worry! We are here to help by sharing with you 14 useful tips that you can utilize in order to protect your Linux VPS regardless of whether you are a seasoned professional or just starting out! 

Why should you protect your Linux server?

Your server acts like a house for your website or application and its data. If someone were to just come in and rob it, you’d find yourself in a lot of trouble. Because of this, it is crucial to know what you need to protect yourself against first, before making any changes to your configuration.

In general, there are 4 main types of attacks that you need to be watchful of.

The first one is Brute-Force attacks. These attacks are essentially an automatic attempt (most commonly utilized by scripts) to guess both usernames and passwords that can gain access to your server.

They generally target username-password authorization methods, including SSH, admin panels, FTP, among others. Successful access would allow anyone to tamper with your server.

The second one is DDoS attacks. Such attacks aim to overwhelm your server with an unmanageable amount of concurrent requests and traffic, forcing your cloud instance to crash. The resulting downtime can be quite costly, especially for larger websites like ecommerce platforms.

The third type of attack is privilege escalation, which can occur due to application-level or OS exploits. These occur when vulnerabilities in software or the operating system itself are taken advantage of. If the software runs with high privileges, like root, attackers can perform harmful actions immediately without needing any privilege escalation.

Finally, there is the fourth type of attack - malware. Malware is malicious software that spreads on your server, gaining access to data, files and all sorts of information, which can lead to major problems for all types of businesses and projects.

Start with your initial configuration

In order to secure your Linux VPS, you need to start from the beginning - your initial configuration and your hosting provider.

First and foremost, it’s important to choose a reliable hosting provider that can offer you additional features like DDoS protection, proactive server monitoring and automated backups as these are all crucial for keeping your server secure.

Create a strong root password

Just like with everything else online, you must ensure that your password is strong and unique. You could consider using a random password generator that can create a really secure password consisting of lower and upper case letters, numbers and special symbols. You can then utilize a password manager with added 2FA security in order to keep your password safe.

Enable Two-Factor Authentication (2FA) with PAM

For added security, you could consider enabling 2FA using PAM and Google Authenticator. Here’s how to do it!

Start by installing the GA PAM module using these commands for Ubuntu or Debian:

sudo apt update
sudo apt install libpam-google-authenticator

If you are using CentOS or RHEL, you will have to enable the EPEL repository first:

sudo yum install epel-release
sudo yum install google-authenticator

Next, you will need to set up GA. To do this, run the following command as the user who will be logging in via SSH and for whom you wish to enable the authentication:

google-authenticator

You will then see a QR code, which you need to scan using the Google Authenticator app on your mobile. A set of recovery codes will also be generated. Make sure you store these somewhere safe in case you misplace your phone! Finally, you will be presented with some prompts about the token lifetime and login attempts. You can leave them with the default settings. Once done, you will see that login codes are being generated in your GA app!

Now, you will need to modify the PAM configuration in order to require the 2FA code. Start by opening the PAM configuration file using this command:

sudo nano /etc/pam.d/sshd

Add the following line at the top of the file:

auth required pam_google_authenticator.so

Next, edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Look for the line ChallengeResponseAuthentication and set it to yes:

ChallengeResponseAuthentication yes

Finally, make sure that PasswordAuthentication is also set to yes:

PasswordAuthentication yes

Then save the changes and restart the SSH service:

sudo systemctl restart sshd

Keep your system updated

First and foremost, it is absolutely crucial that you keep your system updated at all times. Installing frequent software updates can be quite a boring and time-consuming task, but you should never neglect it!

Such periodic updates can also fix and patch potential exploits such as backdoors. It wasn’t that long ago that over 50% of all existing WordPress installations were found to have a dangerous exploit, leaving them vulnerable and susceptible to cyberattacks.

Here is how you can update your Linux distribution.

Updating Debian & Ubuntu

Update the package list:

apt-get update

Update the packages themselves:

apt-get upgrade

Updating CentOS & AlmaLinux

yum update

Remembering to update your system regularly keeps known security exploits patched.

Use the non-standard (non-default) SSH port

By default, the SSH service’s listening port is set to port 22. Leaving this unchanged can result in your VPS server becoming a target for online hackers as port 22 is generally the main target when it comes to automated attacks.

To change the port, you only need to modify the service configuration file as illustrated below:

nano /etc/ssh/sshd_config

The following text should appear (or similar, depending on the configuration file):

# What ports, IPs and protocols we listen for
Port 22

All you need to do here, is to simply replace the number 22 with a different port number.

IMPORTANT: Using a port that is already being used on your system might result in the SSH server being unable to start. You can check all ports currently open with the following command: "ss -tulpn"

Once you have changed the port, save and exit the configuration file and then restart the service:

systemctl restart sshd

This will automatically apply your changes. Keep in mind that you need to indicate the new port every time you request an SSH connection to your server.

For a detailed, step-by-step explanation, you can check out our tutorial on how to change your server’s SSH port.

Create a user with restricted rights

Our next tip involves creating a user with restricted rights. Generally speaking, you don't need to have root privileges in order to perform tasks via a standard user. You can easily create a new user with restricted rights and protect your server using the following command:

adduser CustomUserName

Next, fill in the requested information (name, password and other data). This new user will be allowed to log in via SSH. When you establish a connection, you can now use your newly-created credentials.

When you are successfully logged in, in order to perform any operations that require root permission, simply type the following command:

su root

Then, type the password and the active login will be switched to the root user.

Disable root user login

Having root access means having the most permissions on an operating system. We strongly recommend you disable direct root user access via the SSH protocol.

Leaving only root access as an access type for your server can result in irreversible damage!

IMPORTANT: Prior to disabling the root user login function, make sure you create another user like we mentioned in the previous section!

To disable the server access via the root user, you can follow these steps.

First, open up the SSH configuration file, like we mentioned in the initial section of this article using the following command:

nano /etc/ssh/sshd_config

Next, locate this section:

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

Look for the PermitRootLogin line and replace 'yes' with 'no'!

To apply the changes, you just need to restart the SSH service:

systemctl restart sshd

Once completed, you will notice that any further connections to your server via the root user will be automatically rejected.
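
The port change and the root login change above can be checked before you restart the service. The script below is an added example, not part of the original article: it reads a single sshd_config file and reports whether SSH still listens on port 22 or still permits root login. The function names, the finding labels and the sample files (including port 2222 and the user deploy) are constructed for illustration, and Include files are not followed.

```shell
# Print every global value of keyword $1 in file $2, in file order.
# Keywords are case-insensitive; parsing stops at the first Match block,
# because settings below it apply only conditionally.
sshd_values() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                     # comment line
        NF == 0    { next }                     # blank line
        { sub(/[ \t]*=[ \t]*/, " ") }           # "Port=2222" form
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2 }
    ' "$2"
}

# Print one finding per weak setting, or nothing if both are hardened.
audit_sshd() {
    ports=$(sshd_values Port "$1")              # Port lines accumulate
    # For PermitRootLogin sshd keeps the first value it reads.
    root=$(sshd_values PermitRootLogin "$1" | head -n 1)
    root=${root:-prohibit-password}             # OpenSSH default when unset
    findings=""
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        findings="$findings ssh-on-port-22"     # unset Port also means 22
    fi
    if [ "$root" != "no" ]; then
        findings="$findings root-login-$root"
    fi
    echo "${findings# }"
}

# Constructed samples: the stock lines quoted above, then an edited file.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/before" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
EOF
cat > "$sample_dir/after" <<'EOF'
Port 2222
PermitRootLogin no
# Ignored: a later duplicate, and anything under Match.
permitrootlogin yes
Match User deploy
    PermitRootLogin yes
EOF
for f in before after; do echo "$f: $(audit_sshd "$sample_dir/$f")"; done
```

On a live server, sshd -t checks the edited file for syntax errors before you restart the service, and sshd -T prints the effective settings, including any Include files this parser does not follow.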

Use security keys for identification

Using Security Keys (SSH Keys) has a number of security advantages.

Firstly, you can access your terminal without having to enter your password. Secondly, you can completely disable the process of having to log in with a password, meaning that a password would not be required to connect to the server.

This step protects your server against some possible attacks such as brute force attacks.

For more information, you can check out our tutorial on how to create a SSH key.

Install Fail2ban

Another great thing you can do to secure your server is to install Fail2ban.

This lightweight software prevents intrusion as it is designed to block unknown IP addresses that are trying to penetrate and gain access to your system. To install the software package, you can use the following command.

Ubuntu & Debian:

apt-get install fail2ban

CentOS:

yum install epel-release
yum install fail2ban

Once the package installs successfully, you will need to adjust its configuration file in order to set it up with your system.

IMPORTANT: Before making any changes to the configuration file, we strongly recommend creating a backup of the original using the following command:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup

Once you have made a backup of the original file, open up the Fail2ban configuration file using this command and adjust the settings:

nano /etc/fail2ban/jail.conf

When you finish editing the config file, restart the service with:

service fail2ban restart

For any additional information on the software, you can check out the official Fail2ban documentation.

Configure the internal firewall

Linux distributions come with a firewall service named ‘iptables’. By default, it doesn't have any active rules. To verify that it is indeed located on your system, type the following command:

iptables -L

We recommend creating and adjusting some firewall rules according to your needs. However, the firewall service is configured differently for each Linux distribution. You need to check out the official documentation for the Linux OS of your choice in order to make adjustments accordingly.

For Debian-based systems, you can use UFW (Uncomplicated Firewall). UFW comes with a user-friendly interface for configuring iptables rules. You can enable it and set up basic rules manually. For example, to allow SSH, HTTP and HTTPS traffic, you can utilize the following commands:

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

You can then enable the firewall with:

sudo ufw enable

For more detailed instructions, refer to the UFW manual.

Backup your system and your data

Finally, it is important to mention that security doesn’t only mean protecting your system against external attacks.

As a matter of fact, having a backup or a snapshot of your system and its data on a remote server can help you fully restore any information that might be lost due to a hacker attack or a physical server malfunction.

Because of this, make sure to start generating regular server backups and store them in different locations.

Disable Unused Services

Sometimes you might be attacked through services that you are not even using, but that are still running in the background. To avoid this, run the netstat -tuln command. This will show you the open ports, so you can identify and stop any unneeded services listening on them.
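
To turn that port list into a short list of services worth reviewing, the added example below (not part of the original article) filters saved output of the ss -tulpn command mentioned earlier. It hides loopback-only listeners and ports you expect to be open, leaving the rest. The function name, the allowlist and the sample output are constructed for illustration.

```shell
# List listeners from saved `ss -tulpn` output (file $2) that are reachable
# from other hosts and whose port is not in the space-separated allowlist $1.
unexpected_listeners() {
    awk -v allow=" $1 " '
        NR == 1 { next }                            # header row
        {
            port = $5; sub(/.*:/, "", port)         # text after last colon
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next    # loopback only
            if (index(allow, " " port " ")) next            # expected port
            split($7, p, "\"")                      # users:(("name",pid=...
            # The process column is empty when ss runs without root.
            print $1, port, (p[2] == "" ? "unknown" : p[2])
        }
    ' "$2"
}

# Constructed sample output; 2222 stands in for a non-default SSH port.
sample_ss=$(mktemp)
trap 'rm -f "$sample_ss"' EXIT
cat > "$sample_ss" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=820,fd=6))
tcp   LISTEN 0      151    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=900,fd=21))
tcp   LISTEN 0      4096   *:111              *:*               users:(("rpcbind",pid=480,fd=4))
tcp   LISTEN 0      128    [::]:2222          [::]:*            users:(("sshd",pid=701,fd=4))
EOF
echo "review: $(unexpected_listeners "2222 80 443" "$sample_ss")"
```

Each line printed is a protocol, port and process name that is exposed beyond the server itself and that you did not list as expected.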

Monitor your server logs

Another useful tip that you can utilize is to manually monitor your server’s logs. Using tools like rsyslog and journalctl can help you notice unusual activity on your Linux VPS, which can ultimately help prevent further damage to your infrastructure.

Additionally, you could consider implementing intrusion detection systems like AIDE or OSSEC which review your files and notify you if any files are modified.
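
Both the Fail2ban section and the log monitoring tip above come down to spotting repeated failed logins from one address. The script below is an added example, not part of the original article and not Fail2ban's own code: it applies the same kind of threshold Fail2ban uses (its maxretry and findtime settings) to SSH log lines. The function name and the log lines are constructed for illustration, and all timestamps are assumed to fall on one day.

```shell
# Print each source IP with at least $1 failed SSH password attempts inside
# any window of $2 seconds, reading log file $3. Fail2ban names these two
# thresholds maxretry and findtime.
flag_bruteforce() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for / && $(NF - 4) == "from" {
            # The user name is chosen by the client, so take the address
            # by its position from the end of the line, not by searching.
            ip = $(NF - 3)
            split(substr($1, 12, 8), t, ":")        # HH:MM:SS of the stamp
            now = t[1] * 3600 + t[2] * 60 + t[3]
            n = ++count[ip]; seen[ip, n] = now
            # Drop attempts that fell out of the findtime window.
            while (now - seen[ip, start[ip] + 1] > findtime) start[ip]++
            if (n - start[ip] >= maxretry && !(ip in hit)) {
                hit[ip] = 1; print ip
            }
        }
    ' "$3"
}

# Constructed sample in the layout of `journalctl -o short-iso` (one day).
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
2024-05-01T10:00:01+0000 vps sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2024-05-01T10:00:03+0000 vps sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2024-05-01T10:00:04+0000 vps sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
2024-05-01T10:02:00+0000 vps sshd[820]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
2024-05-01T10:05:00+0000 vps sshd[830]: Failed password for alice from 198.51.100.20 port 51010 ssh2
2024-05-01T10:40:00+0000 vps sshd[840]: Failed password for alice from 198.51.100.20 port 51020 ssh2
2024-05-01T11:30:00+0000 vps sshd[850]: Failed password for alice from 198.51.100.20 port 51030 ssh2
EOF
echo "findtime=600:  $(flag_bruteforce 3 600 "$sample_log" | tr '\n' ' ')"
echo "findtime=6000: $(flag_bruteforce 3 6000 "$sample_log" | tr '\n' ' ')"
```

With a 600-second window only the rapid burst is flagged; widening the window to 6000 seconds also flags the user who mistyped a password three times over an hour and a half, which is why the window size matters as much as the retry count.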

Extra Linux VPS hardening tips

If you have implemented everything so far but are still unsure whether your server is protected, we’ve got a few extra hardening techniques for you to try out!

Firstly, start utilizing tools like SELinux or AppArmor. These tools restrict application permissions and operate at a low level, keeping your server secure from any application backdoors or vulnerabilities.

Secondly, start utilizing a VPN when connecting to your server. This will guarantee that your network is secure via the tunneling and encryption mechanisms that virtual private networks employ.

Thirdly, scan your system regularly using tools like ClamAV or Imunify360 and also make sure to constantly check for any security updates and apply them as needed.

Overall, having these extra layers of protection for your Linux VPS server can be quite helpful. Our VPS servers, for example, support all of the aforementioned additional security measures and we also provide advanced DDoS protection! Finally, if you are not using Linux, but running Windows Server, you might also want to secure your VPS using our Windows tips!
