Hacking is no longer just a niche concern; it’s become a booming industry. Regardless of who you are or what your business does, you’re already a target for cybercriminals.
Every day brings new reports of companies falling victim to data breaches, with sensitive information being stolen and businesses crumbling as a result. Unfortunately, these news stories only scratch the surface of the problem. The reality is far worse, with hundreds of sites hacked daily, resulting in significant damage to businesses that often goes unnoticed.
But here’s the good news: you don’t have to be a cybersecurity expert to reduce your risk of being hacked. The goal is to make yourself a harder target than others. If you’re reading this, chances are you’re already using a Linux VPS (Virtual Private Server), which gives you a solid security foundation compared to other operating systems, like Windows.
That said, being on Linux doesn’t make you invulnerable. In this article, we’ll dive into several steps you can take to bolster your VPS security, including:
- Choosing a secure hosting provider
- Implementing a strong password policy
- Disabling root logins
- Setting up SSH keys
- Changing the default SSH port
- Disabling unused ports
- Removing unnecessary modules and packages
- Using a firewall
- Installing malware detection and antivirus software
- Brute force detection and prevention
- PHP version management
- Keeping software up to date
- Guarding against social engineering attacks
- Disaster recovery planning
- Ensuring PCI DSS compliance
1. Choosing a Secure Hosting Provider
When securing your VPS, your first priority is choosing a reliable hosting provider. Think of your hosting provider as the foundation of your server’s security. Even the best security configurations can be rendered useless if the host itself is compromised.
Before selecting a host, thoroughly examine their security measures. Look for features like server location security, backup policies, DDoS protection, and network monitoring. Additionally, read independent reviews from platforms like TrustPilot or Google to get a sense of their reliability.
Ask about their technical support availability, disaster recovery plans, and on-site server maintenance. Reliable hosting providers should be able to offer detailed answers and reassure you of their capabilities. If you’re still unsure, two popular and reliable options are Krystal VPS (managed) and Katapult VPS (self-managed).
2. Implementing a Strong Password Policy
Even with a fortified VPS, weak passwords can be your Achilles’ heel. Modern brute force attacks can crack basic passwords in no time, so you’ll need to step up your password game.
A strong password policy means ensuring that each password is unique, long, and complex. You can generate and store these passwords using a password manager like LastPass, Dashlane, or 1Password. Additionally, consider using passphrases that are easy to remember but hard to guess, such as “WeWalk!BytheOrangeTree!” instead of a simple word with numbers and symbols.
3. Disabling Root Logins
By default, most VPS setups come with a “root” user, which has full control over the system. Unfortunately, this also makes root a prime target for hackers. You can mitigate this risk by creating a new admin user and disabling root access for SSH logins. This forces any potential attackers to first figure out the correct username before even attempting to brute-force a password.
4. Setting Up SSH Keys
SSH keys offer an additional layer of security, making it far more difficult for unauthorized users to gain access. They work by generating a public-private key pair, where the private key remains with the user, and the public key is stored on the server. When a login is attempted, the two keys must match, which eliminates the need for passwords entirely.
Once you’ve set up SSH keys, you can further enhance security by disabling password authentication for SSH altogether.
5. Changing the Default SSH Port
By default, SSH runs on port 22, which is well-known and frequently targeted by attackers. Changing this port to something else, such as 2222 or 1234, can significantly reduce the likelihood of brute force attacks on your SSH service.
6. Disabling Unused Ports
Just like leaving windows open at home invites burglars, leaving unused ports open on your server invites hackers. Perform a port scan to identify which services are running, then close any unused ports to reduce attack vectors.
7. Removing Unnecessary Modules and Packages
Each installed package or service is a potential vulnerability. If you’re not using certain software or modules, remove them to limit your server’s attack surface. Tools like CycloneDX can help by generating a software bill of materials (SBOM) to identify what’s installed and detect vulnerabilities.
8. Using a Firewall
Firewalls are essential for controlling access to your server. Tools like UFW (Uncomplicated Firewall) and FirewallD can help you define rules that allow or block traffic based on IP addresses, ports, and services. Be sure to configure these properly as they act as your server’s first line of defense.
9. Malware Detection and Antivirus Software
Even with the best preventative measures, malware can still find its way into your system. Anti-malware software, like Imunify360 or ClamAV, is crucial for detecting and removing malicious software before it causes damage.
10. Brute Force Detection and Prevention
Brute force attacks can flood your server with login attempts, hoping to crack passwords. Tools like Fail2Ban or cPHulk (for cPanel users) can detect and block repeated failed login attempts, effectively neutralizing brute force threats.
11. PHP Version Management
If your server hosts PHP-based applications, it’s essential to stay on top of PHP version updates. New versions often contain critical security patches. Check with your host to understand how quickly they roll out PHP updates.
12. Keeping Software Up to Date
Regularly updating your server software is a must. Security patches fix vulnerabilities that attackers could exploit. Automate minor updates and manually review critical ones to ensure everything stays compatible.
13. Guarding Against Social Engineering Attacks
Phishing and other forms of social engineering are psychological attacks where hackers trick users into handing over sensitive information. Educate yourself and your team to recognize these scams and be cautious when sharing sensitive details.
14. Disaster Recovery Planning
Even with perfect security, things can go wrong. Implementing a robust disaster recovery plan, including regular backups following the 3-2-1 rule (3 copies, 2 different storage mediums, 1 offsite backup), ensures you can restore your server quickly in the event of a breach.
15. PCI DSS Compliance
If your VPS handles credit card transactions, PCI DSS compliance is non-negotiable. Following this standard ensures your customers’ financial data is protected and that you’re adhering to industry regulations.
By taking these steps, you can significantly reduce the risk of an attack. However, securing your VPS is an ongoing process, not a one-time task. Continue to monitor, update, and refine your security measures as threats evolve.
For those seeking a solid security foundation, managed Krystal VPS or a self-managed Katapult VPS are excellent options to consider.
