🔒 16 VPS Security Tips to Prevent Attacks on Your Server

Knowing how to secure your Linux Virtual Private Server (VPS) is crucial to avoiding cyber threats. However, this is not a one-time task; in addition to applying best security practices, you must continuously monitor your VPS server.

In this article, we'll delve into Linux security and its common vulnerabilities. We’ll also discuss 16 VPS security tips to prevent cyberattacks on your virtual server.

🛡️ Linux Security and Common Weaknesses

Although Linux VPS security is generally robust, it has some weaknesses.

Many cyber threats can compromise the security and data of your Linux server. Here are the most common:

• Malware: Intrusive software designed to damage computers and their operating systems.

• Sniffing Attack: A cyberattack where a hacker uses packet sniffers to intercept and extract data from a network.

• Brute Force Attack: A hacking method where an attacker uses trial and error to guess login credentials.

• SQL Injection: An attack that occurs when a hacker exploits code in a web application to access the server's database.

• Cross-Site Scripting (XSS): A client-side attack where a hacker inserts malicious code into a website.

• Lack of Function Level Access Control: When access rights to a server are not properly checked, granting unauthorized users root privileges.

• Broken Authentication: Identity theft due to unencrypted data, weak passwords, or poorly configured application session times.

Before implementing any security measures, learn the crucial elements you should monitor on your VPS server:

• VPS hosting security

• Server software

• SSH connection

• Root access and logs

• Passwords and credentials

• Firewalls

• FTP connection

• User rights and privileges

• Server logs

  
  

🔒 16 Security Tips to Protect Your VPS Server

This section contains 16 security tips to prevent cyberattacks on your VPS hosting.

1️⃣ Research Your VPS Hosting Provider's Security

Your VPS hosting provider should have a solid security infrastructure and offer additional protection to keep your server safe. While users can install additional security features, some are already preconfigured.

Depending on the provider, security features will vary. At PixelHost, we apply comprehensive security practices for all our VPS hosting plans to ensure optimal security, including:

• Web Application Firewall (WAF): A dedicated security feature that analyzes and filters incoming requests based on predefined security rules.

• PHP Suhosin Hardening: A module that strengthens PHP applications against vulnerabilities often exploited by cybercriminals.

  
  

• PHP open_basedir Protection: A security measure that restricts access to specific directories for PHP scripts.

• Full Server Protection with BitNinja: A suite of security solutions with modules for IP reputation, malware detection, and proactive defense mechanisms.

• Advanced DDoS Mitigation: Protection against distributed denial-of-service (DDoS) attacks.

• Monarx Anti-Malware: A security tool that continuously scans your VPS for malware and suspicious activities.

• SSL Security Layer: SSL certificates that encrypt data transmission between your website and visitors.

Additionally, PixelHost offers automatic backups and live snapshots to facilitate data restoration in case of cyberattacks or other incidents.

This is ideal for most users and beginners, as they should choose managed VPS hosting whenever possible. This means the provider handles all the server's security features, updates outdated software, and scans for malware, keeping your VPS server secure with minimal effort.

However, advanced users who want more flexibility and control over their VPS security can still benefit from PixelHost’s self-managed hosting. Users get root access to the VPS servers, and we also offer a dedicated technical support team.

2️⃣ Change the Default SSH Port

If you are still using port 22 to access your virtual server via an SSH connection, hacking attempts are likely. This is because attackers can scan open ports to perform brute force attacks and gain SSH access to the remote server.

We recommend changing the default SSH listening port to protect your data against automated attacks. Here’s how you can change the SSH port:

• Open the Terminal and log in to SSH.

• Run the following command to edit the service configuration file:

  bash

  nano /etc/ssh/sshd_config

• Find the line that says Port 22.

• Replace 22 with a new port number and remove the #.

• Save the changes and exit the editor.

• Enter the following command to restart the service:

  • For Debian and Ubuntu:

    bash

    service ssh restart

  • For CentOS and Red Hat Enterprise Linux (RHEL):

    bash

    systemctl restart sshd.service

• Log in to SSH using the new port to verify if the changes were applied correctly.

  
  

3️⃣ Disable Root Login

Linux VPS servers have a root user with the highest privileges in the operating system and can modify any aspect of the server. Cybercriminals might target this user to gain full server access.

Disabling this account helps improve root access security, protecting your server against brute force attacks. However, we recommend creating an alternative username with the privilege to execute root-level commands to configure the server.

Follow the steps below to disable root login:

• Open the Terminal and log in to your SSH account.

• To open and edit the configuration file, run the following command using the nano or vi text editor:

  bash

  nano /etc/ssh/sshd_config

• Find the following parameter and change it to no to disable root login:

  bash

  PermitRootLogin=no

• Run the following commands to save the changes and restart the SSH service:

  • For Debian and Ubuntu:

    bash

    service ssh restart

  • For CentOS and Red Hat Enterprise Linux (RHEL):

    bash

    systemctl restart sshd.service

    
    

4️⃣ Use Strong Passwords

Passwords that contain information about your identity or simple phrases are easy to guess. To prevent successful brute force attacks, create a long and complex password with various elements, such as numbers and special characters.

You can use tools like NordPass to easily create and store strong passwords. These tools offer several customization options, such as limiting password length and characters used.

Do not use the same password for more than one account and remember to change it regularly, ideally every three months. Additionally, avoid sharing login credentials for accounts with root privileges to prevent unauthorized modifications to the server.

5️⃣ Start Using SSH Keys

If you are still using a password to log into your SSH account, you may be a target for sniffing attacks. To avoid this, use SSH keys instead of a password for VPS authentication.

These encryption keys are additional login credentials to secure an SSH connection on VPS. Generated by a computer, they can be up to 4096 bits long, making them more complex and harder to crack than a root password.

SSH keys consist of two sets: public and private. The former is stored on the server, while the latter is stored on the user’s machine. When the server detects a login attempt, it generates a random string and encrypts it with a public key. The encrypted message can only be decrypted with the associated private key.

Here’s how to generate an SSH key on a Linux server:

• Open the Terminal application and log in to SSH.

• To generate public and private keys, enter the following command:

  bash

• ssh-keygen -t rsa

• When a prompt appears, press Enter.

• You will be asked to enter a passphrase twice. If you don't have one, press Enter twice.

• Your private and public keys will be saved successfully.

  
  

6️⃣ Set Up an Internal Firewall (IP Tables)

Since HTTP traffic has various origins, setting up a firewall for VPS helps filter requests to ensure that only legitimate visitors can access your system. Doing so prevents malicious traffic and potential DDoS attacks.

Linux distributions include an internal firewall service called iptables. This tool monitors traffic to and from your server using tables. It uses rules called chains to filter incoming and outgoing data packets.

It allows you to adjust firewall rules according to your needs. Here’s how you can install and check the current iptables settings on Ubuntu:

• Open the Terminal and log in to SSH.

• Run the following command to install iptables:

  bash

  sudo apt-get install iptables

• After installation, enter the following command:

  bash

  sudo iptables -L -v

• The Terminal will display a detailed list of all iptables rules. Here's how the output might look:

  [Screenshot of current iptables rules]

  
  

7️⃣ Set Up Your UFW Firewall

The Uncomplicated Firewall (UFW) is a built-in application on Ubuntu that acts as a front-end interface for iptables. In simple terms, it will deny all incoming connections and allow outgoing ones, reducing the risk of potential threats.

You can modify and add rules to the firewall according to your preferences. Here’s how to enable it:

• Open the Terminal and connect via SSH.

• Type the following command to enable UFW and press Enter:

  bash

  sudo ufw enable

• If the prompt indicates that the command was not found, install the firewall with this command:

  bash

  sudo apt-get install ufw

• Once the installation is complete, run the command from step two to enable UFW.

• Check the firewall status with the following command:

  bash

  sudo ufw status

• Alternatively, use our integrated VPS Firewall in the hPanel. Select your VPS and choose Firewall:

  [Screenshot of the Firewall button in hPanel]

  
  

8️⃣ Regularly Update Server Software

Keeping your operating system and software up to date is crucial to ensure that all security vulnerabilities are addressed. Cybercriminals are constantly looking for exploits in older software versions to infiltrate servers.

Schedule regular updates for your operating system and any server software you are using. Debian-based systems like Ubuntu can use the following command:

• bash

  sudo apt-get update && sudo apt-get upgrade

For Red Hat-based systems like CentOS, use:

• bash

  sudo yum update

Remember to restart your server after applying updates to ensure the changes take effect.

9️⃣ Use Secure SSH Connections

The SSH protocol provides a secure connection to your server, but you can still enhance security by following some best practices. Make sure to disable password authentication and only allow key-based authentication.

To make these changes, edit the SSH configuration file with the following command:

• bash

  nano /etc/ssh/sshd_config

Look for the line PasswordAuthentication and change it to no to disable password-based authentication.

Additionally, enable key-based authentication by adding the following line to the same file:

• bash

  PubkeyAuthentication yes

Save the changes and restart the SSH service.

🔐 Limit Access by IP

Limiting access to your server to specific IP addresses reduces the risk of brute force attacks and prevents unauthorized connections. Edit the SSH configuration file:

• bash

  nano /etc/ssh/sshd_config

Add the allowed IP addresses at the end of the file in the following format:

• bash

  AllowUsers username@IP

  
  

Replace username with your username and IP with the authorized IP address. Save the changes and restart the SSH service.

💾 Regularly Back Up Your Data

Backups are your lifeline in case of data loss due to an attack, human error, or any other issue. Schedule automatic backups and store them in a secure location.

You can use built-in solutions like PixelHost’s hPanel backup or third-party tools. Make sure the backups include all critical data, such as configuration files and databases.

📊 Monitor Server Logs

Regularly review server logs to detect unusual activities or potential intrusion attempts. Logs like /var/log/auth.log and /var/log/syslog contain valuable information about system behavior and user interactions.

Use the tail command to follow specific logs in real-time:

• bash

  Copy code

  tail -f /var/log/auth.log

Set up alerts to notify you of anomalies and consider installing log monitoring tools to facilitate analysis.

🛡️ Install an SSL Certificate

Website security is also crucial. Install an SSL certificate to encrypt communication between your server and website visitors. This is especially important if you collect sensitive information through online forms.

You can obtain free SSL certificates from Let's Encrypt and easily configure them on your web server.

🛡️ Enable DDoS Protection

Distributed denial-of-service (DDoS) attacks can overwhelm your server with fake traffic, causing a service interruption. Use DDoS protection services or tools to mitigate these attacks.

PixelHost provides advanced DDoS protection on all VPS servers, helping keep your site online even during intense attacks.

🛠️ Use an Intrusion Detection System (IDS)

Intrusion detection systems monitor and analyze traffic for malicious patterns. Set up an IDS on your server to detect potential threats and act quickly to prevent intrusions.

Snort and Suricata are popular IDS options for Linux. Customize the rules according to your needs and regularly review the reports generated by the system.

💡 Consult with Security Experts

If you are unsure how to implement certain security measures or need additional advice, consider consulting with cybersecurity experts. Professionals can conduct security assessments and provide specific recommendations for your server environment.

Remember that security is an ongoing effort. Stay updated with the latest threats and security best practices, and adjust your setup as needed. With these 16 VPS security tips, you'll be well on your way to protecting your server against cyber threats.

🚨 Final Conclusions

Protecting your VPS server is a continuous commitment that requires attention and effort. By following these 16 security tips, you will strengthen your server's defenses against various cyber threats. Here are some final conclusions to keep in mind:

• Continuous Education: Stay informed about the latest trends in cybersecurity and attack techniques. Continuous education is key to adapting to new threats.

• Proactive Implementation: Instead of waiting for security problems to arise, take a proactive approach. Set up strong security measures before issues occur.

• Regular Monitoring: Constantly monitoring server logs and implementing automatic alerts will allow you to quickly identify and address any suspicious activity.

• Collaboration with Experts: Whenever possible, seek advice from IT security professionals. Their expertise can be invaluable in strengthening your server’s defenses.

• Quick Response: In the event of a security incident, have a rapid response plan. The ability to quickly isolate and resolve issues can minimize the impact of an attack.

Remember that security is an ongoing process and that each server may have specific requirements. Customize these tips according to your needs and the specific environment of your server. By doing so, you will significantly improve your VPS server's security and protect the integrity of your data and applications.

Keep in mind that these tips are designed to provide general guidance, and it is important to tailor the recommendations to your specific environment and the technologies you use. If you have any additional questions or need specific guidance, do not hesitate to seek professional advice to ensure the optimal security of your VPS server.

Best Regards,

João @PixelHost