15 VPS Security Tips to Prevent Attacks on Your Server

Knowing how to secure your Linux VPS will help you avoid various cyber threats and attacks. However, it is not a one-time task – besides applying the best security practices, you have to monitor your virtual private server continuously.

With this in mind, we will dive deeper into Linux security and its common weaknesses. We will also discuss 15 VPS security tips to prevent cyber attacks on your virtual server.

Download Complete Linux Commands Cheat Sheet

Linux Security and Common Weaknesses

Even though Linux is famous for its secure system, it has some vulnerabilities. Many security threats can damage your server’s security and data.

Let’s go over the list of the most common threats and weaknesses in detail:

  • Malware – refers to intrusive software intentionally designed to harm computers and their operating systems. It comes in many forms, including Trojans, ransomware, viruses, and spyware.
  • Sniffing attack – happens when a hacker uses packet sniffers to intercept and extract data from a network.
  • Brute-force attack – a hacking method involving an attacker who uses trial and error to guess login credentials.
  • SQL injection – occurs when a hacker exploits code in a web application to gain access to the server’s database.
  • Cross-site scripting (XSS) – a client-side attack during which a hacker injects malicious code into a website.
  • No function-level control – a server may cause it by not verifying the access rights properly, giving general users root privileges.
  • Broken authentication – identity theft that usually happens due to unencrypted data, weak passwords, or poorly set application session timeouts.

Before implementing any security measures, make yourself aware of the elements you should monitor. Here are some of them:

  • VPS hosting security
  • Server software
  • SSH connection
  • Root access and logins
  • Passwords and credentials
  • Firewall
  • FTP connection
  • User rights and privileges
  • Server logs

15 VPS Security Tips to Protect Your Server Security

This section contains 15 security tips for protecting your VPS hosting.

1. Research Your Web Hosting Security

The hosting provider of your choice needs to have a strong security infrastructure and offer additional protection to keep your server safe. At Hostinger, we provide advanced security modules to protect our VPS, such as mod_security, firewall, Suhosin PHP hardening, and PHP open_basedir protection.

In addition, Hostinger utilizes BitNinja’s full-stack server protection and built-in advanced DDoS mitigation to enhance VPS security in general. When it comes to shared hosting servers, we offer Monarx anti-malware software.

Furthermore, Hostinger offers automated regular backups and live snapshots you can use to restore your website immediately in case it goes down.

2. Change the Default SSH Port

If you still use port 22 to access your virtual server via an SSH connection, there is a high chance that hacking attempts will occur. This is because attackers can scan open ports to perform brute-force attacks and obtain remote access to the server.

We recommend using a different port for SSH to protect your data against cyber attacks.

Here’s how to change the SSH port:

  1. Open Terminal and log in to SSH.
  2. Edit the service configuration file by running the following command:
nano /etc/ssh/sshd_config 
  1. Locate the line that reads Port 22.
  2. Replace 22 with a new port number and remove #.
Changing SSH port
  1. Save the changes and exit.
  2. Restart the service by inserting the following command and pressing Enter:
  • For Debian and Ubuntu
service ssh restart 
  • For CentOS and Red Hat Enterprise Linux (RHEL)
systemctl restart sshd.service
  1. Finally, try to log in to SSH using the new port.

3. Disable Root Logins

Every Linux VPS has a root user that has the most privileges compared to the other users of the system. Cyber criminals might target them to gain full access to the server.

Therefore, it is critical to disable logins from the root user to secure your server from brute-force attacks. We also recommend creating an alternative username with the privilege to execute root level commands.

Follow the steps below to disable root logins:

  1. Open Terminal and log in to your SSH account.
  2. To open and edit the configuration file, run the following command using nano or vi:
nano /etc/ssh/sshd_config
  1. Find the following parameter and change it to no:
PermitRootLogin=no
The SSH configuration file
  1. Save the changes and restart the SSH service by running the following command:
  • For Debian and Ubuntu
service ssh restart 
  • For CentOS and Red Hat Enterprise Linux (RHEL)
systemctl restart sshd.service
  1. This will disable the root login.

4. Use Strong Passwords

Passwords containing information related to your identity or simple passphrases are easy to guess. Therefore, create a long and strong password with several elements, such as lower and upper case letters, numbers, and special characters. Doing so will secure your system against brute-force attacks.

Additionally, don’t reuse the same password.

You can also employ online tools such as NordPass or LastPass to create strong passwords. Both provide customization options, such as limiting the password length and the usage of characters.

5. Start Using SSH Keys

If you are still using a password to log in to your SSH account, you may become a target of sniffing attacks. To avoid this, use SSH keys instead. Essentially, SSH keys are a more secure authentication method than passwords.

As computers generate these keys, they can be up to 4096 bits in length, making them longer and more complex than a password.

SSH keys come in two sets – public and private. The former is saved on the server while the latter is stored on the user’s machine. When a login attempt is detected, the server will generate a random string and encrypt it with a public key. The encrypted message can only be decrypted using the associated private key.

Here’s how to generate an SSH key on a Linux server:

  1. Open the Terminal application and log in to SSH.
  2. To generate public and private keys, type the following command and press Enter:
ssh-keygen -t rsa
  1. Once a reply appears, hit Enter:
Enter file in which to save the key (/root/.ssh/id_rsa):
Generating public:private SSH keys
  1. You will be prompted to fill in a passphrase twice. If you don’t have it, you can press Enter two times.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Inserting paraphrase for SSH keys
  1. Your private and public keys are now saved successfully.

6. Setup an Internal Firewall (IP Tables)

As HTTP traffic can come from anywhere, it is essential to filter it to ensure that only visitors with an excellent reputation can access your system. Doing so will help you avoid unwanted traffic and DDoS attacks.

Linux distributions come with an internal firewall service called iptables. This tool monitors traffic from and to your server using tables. It employs rules called chains to filter incoming and outgoing data packets.

Using it, you can adjust firewall restrictions according to your needs. Here’s how to install and check the current configuration of iptables on Ubuntu:

  1. Open Terminal and log in to SSH.
  2. Install iptables by running the following command:
sudo apt-get install iptables
Installing iptables
  1. After the installation is complete, type the following command and press Enter:
sudo iptables -L -v
  1. The output will include a list of all rules in a detailed format.
Current rules of iptables

7. Configure Your UFW Firewall

We recommend enabling an Uncomplicated Firewall (UFW) as an additional layer to control your system’s inbound and outbound traffic. It is a netfilter firewall that is designed to be easy to use.

UFW acts as the front-end for iptables and usually comes pre-installed on Linux distributions. In general, it will deny all incoming connections and allow outgoing ones, decreasing the risk of potential threats. In addition, you can modify and add rules to the firewall according to your preferences.

Here’s how to enable it on Ubuntu:

  1. Open Terminal and connect via SSH.
  2. Type the following command to enable UFW and press Enter:
sudo ufw enable
  1. If the reply states that the command was not found, install the firewall using this command:
sudo apt-get install ufw
Installing UFW firewall
  1. Once the installation is complete, run the command in step two to enable UFW.
Activating UFW firewall
  1. Verify the firewall status using the following command:
sudo ufw status
Checking UFW firewall status

8. Use SFTP Instead of FTP

While FTP connections don’t have encryption enabled, FTP over TLS (FTPS) only encrypts credentials and not file transfers.

As a result, using both connections may put your data at risk. Hackers can easily perform a sniffing attack to steal your login credentials and intercept file transfers.

To avoid it, use FTP over SSH or SFTP instead. It is a secure FTP connection as it fully encrypts all data, including the credentials and files being transferred. Furthermore, SFTP protects users from man-in-the-middle attacks as the client needs to be authenticated by the server before gaining access to the system.

Follow these steps to set up an SFTP connection:

  1. Open Terminal and log in to SSH.
  2. Initiate an SFTP connection by inputting this command and pressing Enter:
sftp user@server_ipaddress

or

sftp user@remotehost_domainname
  1. If you’re using a custom port, run the following command:
sftp -oPort=customport user@server_ipaddress

or

sftp -oPort=customport user@remotehost_domainname
  1. Once you’re connected, an SFTP prompt will appear.
Connecting using SFTP

9. Set Up Fail2Ban

Fail2Ban is software that monitors system logs and blocks hackers after multiple failed logins. In addition, it protects servers against DoS, DDoS, dictionary, and brute-force attacks. Fail2Ban uses iptables and firewalld to ban IP addresses.

Follow the steps below to set up the Fail2Ban software package on Ubuntu:

  1. Open Terminal and start an SSH connection.
  2. Install the Fail2Ban software package by inputting the following command and pressing Enter:
sudo apt-get install fail2ban
  1. The following output will appear. Type Y and hit Enter.
Do you want to continue? [Y/n] y
Installing Fail2Ban
  1. Once the installation is finished, verify the status by running the following command:
sudo systemctl status fail2ban
  1. The Fail2Ban software should be active and running.
Checking Fail2Ban status

10. Install an Antivirus

In addition to setting up a firewall to filter incoming traffic, consider monitoring the files stored on your VPS. As Linux is not innately immune to virus attacks, cyber threats can target your servers and damage your data.

Therefore, it is critical to install antivirus software as a security hardening practice. There are many options available, but the most notable one is ClamAV. It’s open-source and used to detect suspicious activity and quarantine unwanted files.

Follow these instructions to install ClamAV on CentOS:

  1. Open Terminal and log in to SSH.
  2. Install Extra Packages for Enterprise Linux (EPEL) by running this command:
sudo yum -y install epel-release
  1. The Complete! output will signal that the EPEL installation is done.
Installing EPEL
  1. Clear all cached information by typing in the following command and hitting Enter:
sudo yum clean all
Clearing cached information
  1. Install ClamAV by running the following command:
sudo yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
  1. Look out for another Complete! line to know when the installation has finished.
ClamAV installation is finished
  1. ClamAV should now be up and running.

11. Set Up a VPN for Your VPS

If you use a public connection, there is a high chance that someone will intercept your traffic and steal your data.

To avoid this, we recommend setting up a VPN to combat security threats. It will route your traffic through an encrypted tunnel and mask your actual location since your machine will use the VPN’s IP address. This will also allow you to maintain anonymity while browsing the internet as your IP won’t be traceable.

In short, a VPN keeps your data safe and prevents hackers from intercepting your traffic. It works hand in hand with a firewall to provide additional VPS security.

Pro Tip

A VPN is also beneficial for users who live in an area with location-based restrictions since it lets them change their IPs to bypass internet censorship.

Follow these steps to install OpenVPN on CentOS:

  1. Open Terminal and connect with SSH.
  2. Install the net-tools package before installing OpenVPN. Run this command:
sudo yum install net-tools
  1. Type in the following curl command to download the OpenVPN package and hit Enter:
curl -O http://swupdate.openvpn.org/as/openvpn-as-2.7.3-CentOS7.x86_64.rpm
Downloading OpenVPN package
  1. Print SHA256 checksum to validate the installation by running the following command:
sha256sum openvpn-as-*
  1. The output will print the checksum as shown below:
Checksum output
  1. Compare the downloaded binary’s checksum with the one provided on the website. If they match, you can start installing OpenVPN with this command:
sudo rpm --install openvpn-as-*.rpm
  1. When the installation is complete, you will get the Admin UI and Client UI details, as shown below:
OpenVPN installation complete
  1. Next, set up a password with the following command:
passwd openvpn
  1. You will be prompted to retype the new password.
Setup password for OpenVPN
  1. Visit the Admin or Client UI to access the screen below:
OpenVPN admin login page
  1. Enter the username openvpn and the password you have just set up and press Sign In.

12. Review Users Rights

If many users use your VPS hosting, the distribution of control and rights needs to be considered carefully. Providing all users with root level privileges may put your resource usage and sensitive data at risk.

Therefore, you need to set an access limit to prevent issues on your server. This can be done by managing users and granting them different levels of permissions to specific sets of files and resources.

Linux has a system privileges feature that will help you define user rights. To do it, create a group for users with the same privileges.

Here’s how to manage users and their privileges on Ubuntu:

  1. Open Terminal and connect via SSH.
  2. Input the following command to create a group and press Enter:
sudo addgroup my_group
Creating a user group
  1. Next, create a new user by running the following command:
adduser first_user
Creating a user
  1. The output will prompt you to set a password and fill in the bio, such as full name, room number, and phone. Type y and press Enter to confirm the entered information.
Configuring the newly added user
  1. To add a user to a group, run the command below. Note that it doesn’t produce any output.
sudo usermod -a -G group1,group2 first_user
Adding the user to the group
  1. If you want to grant root access to a user, run the following command. Keep in mind that this also doesn’t produce any output.
sudo usermod -aG sudo first_user
Granting access to the group
  1. On the other hand, if you have a directory and want to add read and write privileges to it, here’s the basic syntax:
sudo chmod -R g+w /directory

13. Disable IPv6

Having IPv6 enabled exposes security vulnerabilities and makes your VPS hosting prone to various cyber attacks. If you aren’t actively using it, we recommend disabling it entirely.

As hackers often send malicious traffic through IPv6, leaving the protocol open can expose your server to many potential security breaches. Even if you’re not actively using IPv6, some of your programs may open listening sockets on it. Therefore every time a packet comes in, they will process it including malicious packets.

Follow these instructions to disable IPv6 on Ubuntu:

  1. Open Terminal and log in to SSH.
  2. Type in the following command to disable IPv6 and press Enter:
sudo nano /etc/sysctl.d/99-sysctl.conf
  1. The configuration file will open. Add the following lines at the bottom:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Adding command lines to disable IPv6
  1. Save and close the file.
  2. Next, run the following command to execute the changes:
sudo sysctl -p
Executing changes
  1. Lastly, insert the following command and hit Enter. If you see 1, that means IPv6 has been disabled successfully.
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
Checking IPv6 status

14. Monitor Your Server Logs

Monitoring your server logs helps you to stay in control of what’s happening with your VPS hosting. These logs can also be used in analysis and reports for detailed information about the server’s current state.

Server logs will let you know whether the server is experiencing cyber attacks or other security threats. The sooner those vulnerabilities are fixed, the less opportunities will attackers have to intercept data.

One of the critical directories on your Linux system is called /var/log. It stores a collection of log files that contain crucial information related to the system, kernel, package managers, and various applications running on the server.

Here’s how to open /var/log and check system logs on an Ubuntu server:

  1. Open Terminal and log in to SSH.
  2. Run the command below to change the working directory to /var/log. Keep in mind that this won’t produce any output.
cd /var/log
  1. To list all the files, insert the following command and hit Enter:
ls
Listing down the entire files inside :var:log directory
  1. To check the system logs, enter the below command and press Enter:
sudo cat syslog
Checking syslog inside :var:log directory

15. Keep Your Applications Up to Date

The older the software your VPS is using, the more vulnerable it is. Developers usually release updates and security patches regularly. Be sure to look out for the latest versions of your software and install them as soon as they become available.

Here’s how to do it on Debian or Ubuntu:

  • If you are updating the entire package list, run the following command:
sudo apt-get update
  • If you are updating the actual package, input this command and hit Enter:
sudo apt-get upgrade

Follow these steps to do it on CentOS/RHEL:

  • To refresh the package database and install updates, type this command and press Enter.
sudo yum update
  • To check for any updates, insert the following command and hit Enter.
sudo yum check-update

We recommend automating this process by enabling auto-updates if you are using a content management system (CMS) on your server. In addition, you can also create cron jobs, a Linux-based utility to schedule a command or script to run at a specified time and date.

The most convenient way to install and run a cron job on CentOS or RHEL is by using yum-cron. It will automatically update the software every time a new version is released. Here’s how to set it up on CentOS or RHEL:

  1. Open Terminal and connect via SSH.
  2. Install yum-cron by running the following command:
sudo yum install yum-cro
Installing yum-cron
  1. Enable the service by inserting the below command and hitting Enter. Note that this won’t produce any output.
sudo systemctl enable yum-cron.service
  1. Start the service by typing in the following command and clicking Enter. Keep in mind that this command won’t produce a reply.
sudo systemctl start yum-cron.service
  1. Check the status of the service by running this command:
sudo systemctl status yum-cron.service
Checking yum-cron service status
  1. Open the configuration file with the following command:
sudo vi /etc/yum/yum-cron.conf
  1. Find the following line on the output and replace no with yes. Save the changes and exit the file.
apply_updates = yes
Replace a command line

Conclusion

It is important to protect and keep your VPS secure at all times, especially since it stores your sensitive data and programs.

Although Linux is famous for its robust security, it still has vulnerabilities you should watch out for. Common cyber attacks and issues to be aware of include malware, sniffing and brute-force attacks, SQL injections, cross-site scripting (XSS), missing function-level control, and broken authentication.

Therefore, the owners of virtual private servers must know how to protect and monitor them. To help you out, we have compiled the 15 best security tips:

  1. Make sure your hosting provider has robust security measures on their servers.
  2. Use a more secure SSH port.
  3. Disable root logins.
  4. Use complex passwords.
  5. Enable SSH keys as an authentication method.
  6. Use iptables on your server.
  7. Install a UFW firewall as an additional security layer.
  8. Start using SFTP instead of FTP.
  9. Activate the Fail2Ban feature.
  10. Install antivirus software.
  11. Setup VPN for VPS.
  12. Review user privileges.
  13. Disable IPv6 on your server.
  14. Monitor server logs.
  15. Check for security updates.

We hope this article has helped you secure your VPS hosting. If you have any questions or suggestions, please leave them in the comments below.

Was this tutorial helpful?

Author
The author

Noviantika Gita

Noviantika is a Digital Content Writer at Hostinger. Passionate in web hosting, WordPress, and SEO, she's driven to share her knowledge with the world through her writing. During her free time, Noviantika likes to hop on a plane and discover places.