15 ways to secure and harden your Linux VPS
By Tristan P in Security, Servers, Tips & Tricks, Tutorials, Web Hosting
22nd November 2022 • 14 minute read
Hacking is big business. Regardless of who you are or what you do, you're already a target.
Every day we see another news story about a company being hacked, data being stolen and businesses going under. I would love to tell you that this is nothing more than the media using a few edge cases to stir up some drama to help their bottom lines, but I can't.
In reality, you're only hearing about the really big attacks. Hundreds of sites are hacked every single day, businesses are irreparably damaged. You're just not seeing it.
I do have some good news. You don't have to be a cybersecurity expert to greatly reduce your risk of being hacked. Rather, you just need to be harder to hack than the next target on the list.
Luckily for you, if you're reading this, you're probably already using a Linux VPS.
Linux VPS's certainly have their advantages in many ways. One of these advantages is in overall security. Thanks to Linux's Security Model (LSM), you are already much more secure than other operating systems like Windows.
While this is a fantastic starting point, it does not make you invulnerable.
In this blog post, we are going to cover:
- Finding a secure hosting service
- Strong password policy
- Disabling Root logins
- SSH Keys
- Changing the default SSH listening port
- Disabling unused ports
- Removing unwanted modules and packages
- Using a firewall
- Malware detection and AV software
- Brute force detection and prevention
- PHP versioning
- Software updates
- Social engineering
- Disaster Recovery plans
- PCI DSS compliance
Finding a secure hosting service
Creating a secure VPS is similar to building a house. Why bother locking the door if the foundation has crumbled and taken your walls with it?
Your host is your foundation, and the first step is to read up on the hosts in your shortlist. Thoroughly examine the product page and pay particular attention to the security features they offer. I would also suggest reading through their reviews (TrustPilot and Google reviews are more independent than other sources!).
If you're still unsure or have any specific questions, you should always contact them and ask!
Ensure that you ask them about their security and Technical Support policies and experiences. If the information below has not been included within their product page, ensure you double-check:
- Server location
- Power outage mitigation and backups within the data centre
- Physical security at the data centre
- Availability of on-site support for physical server maintenance
- DDoS Prevention
- Network monitoring
- Backups for your data and applications
- Backup and recovery plans during server outages
A reliable and trustworthy host should be able to provide this information straight away.
Many of the hosts you are going to speak to will not have one or more of the key aspects to ensure your VPS is secure.
In my experience, most clients end up with either a Krystal VPS or Katapult VPS after multiple negative experiences with other hosts.
I would suggest looking towards either a managed Krystal VPS that is powered by Katapult, or a self-managed Katapult VPS.
Strong password policy
It doesn't matter how strong your front door is if someone has a copy of the key.
Strong passwords are preached throughout IT. Everybody knows how important this is and yet, most people still use the same password for every website that barely meets most website's minimum password strength!
Having a strong password policy means that everyone with access to your VPS should be using a secure password that is entirely unique.
Creating a strong password
You could opt for the standard requirements set by the majority of online services:
Password length of 8 characters or more, with at least 1 capital letter, a number, and a special character
Sounds like a great policy, Right?
Modern brute force techniques can crack an eight character password in less than an hour.
You can make your passwords much stronger by following a few quick tips:
1. Use a unique password:
Your password should be unique to each and every site, we all know this, but following this advice is hard.
That's where your password manager comes in. There are a few good options available online that I would suggest you look into such as LastPass, Keeper, Dashlane or 1Password.
These allow you to use unique passwords for every site without having to memorise them.
2. Randomly generate your password
Following on from the first tip, most password managers will give you the option to randomly generate your password.
This is without a doubt the best policy, as brute force attacks rely heavily on dictionary words (Hackers also know about the number trick. If your password is "Pa55w0rd123", stop reading this and update your passwords right now!).
A good randomly generated password is much more difficult to crack.
Example: A randomly generated password like: Qa65Hez3y23^ would take 34 THOUSAND years to crack.
3. Make your password hard to crack & easy to remember
If you prefer to create your own passwords, a best practice is to use sentences rather than words.
For example, take a typical password like "Orange1!". This can be turned into a sentence that is just as easy to remember, such as: "WeWalk!BytheOrangeTree!".
The first password would take a computer around 8 hours to crack. The second password would take a computer 19 septillion (That's 24 zeros!) years to crack. See the difference?
If you like the idea but don't want to think of your own passwords, I have a solution!
Useapassphrase.com will generate secure and memorable multi-word passphrases for you!
Disabling Root logins
On a standard VPS, the default user is “root”. Root access gives you complete access to everything on the server. This makes your Root user a very tempting target to any would-be hackers.
You can get around this by creating a new user and using the "sudo" command to execute any root-level commands that you may need.
Before you go ahead and disable the root account, ensure that your new admin account has the appropriate access level!
To disable root access, you will have to update the PermitRootLogin parameter within the sshd_config file to "No". This will prevent the root user from logging in to the server.
While this is a good start, you can go much deeper with users and access levels. It's important to tailor access levels to each user. A web developer likely won't need root access, however, a SysAdmin may only need a few root level commands.
Managing security when you have multiple users can be a real challenge. The best way to overcome this is by using SSH-key authentication. Public & Private key pairs mean that your users can log in without a password while ensuring a secure login.
The way SSH Keys work is quite simple. You have two keys, the public key and the private key.
The public key is visible to the user and is shared with the server where they require access. The private key is hidden from the user and is paired with the public key when the login is attempted. If the keys match, the user can log in without using a password!
If your server uses cPanel, we have a guide on SSH keys for both Windows and macOS that I would suggest reading and implementing. We also have separate guides that cover Organisation SSH keys for your Katapult VPS.
Once you have added your SSH keys, I would suggest disabling SSH password authentication entirely to eliminate this as a brute force attack avenue.
Changing the default SSH listening port
Time for a quick win!
As standard, your server will use port 22 for SSH. Less advanced hacking attempts will target this port by default, as the majority of people never update this.
The following steps will allow you to update your SSH port:
Step 1: SSH into your server as root
Step 2: Open the port in your server firewall
Step 3: Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Step 4: Edit the
#Port 22 line to your preferred port number and remove the
Step 5: Restart SSHD
systemctl restart sshd.service
Step 6: Finally, while your current SSH session is still open, log into the server with a new terminal session using the new port to confirm it works
ssh email@example.com -p 1234
This is a good way to avoid random brute force attacks, however, there are other, better methods available.
While outside of the scope of this guide, I would suggest you also look towards setting up Multi-Factor Authentication (MFA) for SSH.
Disabling unused ports
This can get quite technical and, it will vary depending on what your server is being used for.
I'm going to try to make this as simple as possible.
When you leave your house, a basic home security step is to close and lock your doors and windows to make it harder for anyone to gain access. This also applies to your server.
You will have open ports that are not being used by default. Hackers use a technique known as port scanning to identify the open ports on a server that can be exploited, in a similar way that a burglar would case a house. In order to lock down your server as much as possible, I would suggest creating a list of ports that are being used and closing any port that is not in use.
Before closing ports, I would recommend consulting your developer as a port may be necessary.
You can run the
ss commands to view all of the open ports and their associated services, from here you and your developer can build a list of ports that should remain open and close any other ports.
Removing unwanted modules and packages
You probably don't need all of the packages and services that come by default with your Linux distribution. Every service is a risk and removing any that you aren't using is one less thing to worry about!
You should also avoid installing any unnecessary packages, software and services if you want to minimise threats to your server. This also comes with the added benefit of reducing the overall load on your server. It's a win-win.
TOP TIP : More advanced users may wish to employ cycloneDX for this.
CycloneDX can generate an SBOM (Software Bill of Materials) that you can use to identify vulnerabilities. This can also be used to see an overview of your installed packages & modules.
Using a firewall
Your firewall is one of the first things you should set up when you first spin up your VPS. It's the gatekeeper responsible for allowing and denying access to your server and is the first line of defence against would-be hackers.
It is worth checking with your host to find out if any firewalls are installed by default. Katapult servers make use of security groups to fulfil this role while Krystal VPS's with management have CSF by default.
A good option for most users is UFW (Uncomplicated Firewall). This is included by default with Ubuntu distributions.
UFW runs on top of
iptables and provides a streamlined interface to configure common firewall usecases using the command line.
You can use UFW to:
- Blacklist / Whitelist an IP address
- Block a subnet
- Block connections to a Network Interface
- Open SSH and allow specific IP addresses
And much, much more.
Another option is firewallD.
FirewallD is more flexible than UFW in many cases, however, it can be much more verbose and this can be intimidating for some users.
Both options will be sufficient in most cases. Generally I would advise using whichever comes packaged with your chosen distribution!
Malware detection and AV software
Malware, to put it plainly, is a nightmare.
Malware is constantly evolving and, as such, the systems that monitor and remove malware are stuck in a permanent game of cat and mouse. No matter how good your security is on your server, it can never be perfect. Malware can still occasionally make it through your other defences and that's why anti-malware software is so crucial.
You should always have anti-malware software installed, updated and in use. The fact is, anti-malware software is an essential part of your security plan.
When purchasing a managed Krystal VPS, you can opt to purchase an Imunify360 / ImunifyAV license. Imunify's offerings come highly recommended!
Other options include ClamAV and Maldet. These are open-source applications that can scan your server to identify potential threats.
As with a lot of the other tips, I strongly suggest speaking to your host before deciding on an AV solution as their recommendations are incredibly valuable.
Brute force detection and prevention
We've discussed brute force attacks a few times now, however, it is worth taking a closer look.
Brute force attacks are not very sophisticated. The attacker simply attempts to log in, hundreds of times a second, with multiple username and password combinations in the hopes of guessing the correct details.
Brute force attempts are easy to detect and there are multiple solutions that exist to prevent attacks.
If your server uses cPanel, you will want to look into cPHulk. This is a brute force protection application that is provided by cPanel. This works on the Pluggable Authentication Module (PAM) level and detects failed login attempts. Once the attacker hits a predetermined number of failed attempts, cPHulk will block further login attempts from that IP.
Due to how cPHulk blocks IP addresses (On the PAM level), it is generally safe to blacklist entire blocks of IP addresses. This could be used to block login attempts from a certain country, for example. Blacklisting these IP's on the PAM level means that users in this IP block will still be able to access your website and send you emails, but will not be able to access any cPanel core services.
Other options include:
Fail2Ban - Fail2Ban scans log files like
/var/log/auth.log and bans IP addresses conducting too many failed login attempts.
Crowdsec - CrowdSec is a free and open-source Intrusion Prevention System.
CSF Login Failure Detection - ConfigServer Firewall (CSF) can be used to block brute force attempts by enabling LFD (Login Failure Detection).
PHP is the language that runs the majority of the CMS's (Content Management Systems) and applications you're likely to use on your VPS.
It is incredibly important to keep on top of PHP updates. While these updates may improve performance and introduce new features, they also include large security patches for known and unknown vulnerabilities.
PHP versions will generally be installed through the backend of the server. If you have a CENTOS server, a new version of PHP is likely to be installed through EasyApache.
How promptly you get access to new PHP versions will vary depending on your host and the newest versions may not be available straight away. I strongly suggest checking with your host to get a better understanding of when new versions will become available to ensure that you can keep your server as up-to-date as possible.
Following on from updating your PHP versions, software updates are equally important.
For the majority of applications, updates are mainly made up of a few minor changes and many security patches.
Keeping your software up-to-date sounds like a very basic task and you might be wondering why it's even in this list at all.
While updating your software is normally an easy process, it can easily become incredibly complex as one software update may break another application somewhere on your server. A good server administrator will manage this and ensure that low risk software is allowed to update automatically, while other core software that is likely to break is updated manually.
I won't lie to you, keeping track of the software and the related updates can be a real nightmare, however, it is important. Up-to-date software ensures that known vulnerabilities are patched in time to prevent an attack and leaving it a little too long between updates is a recipe for disaster.
When talking about VPS security, social engineering is the psychological manipulation of people into performing actions or giving out confidential information. To put it plainly, this is where the malicious actor convinces you to give them access to your server or information that can lead to unwanted access.
The most common form of social engineering is the classic phishing scam.
The majority of these are easy to spot and tend to target those with little technical knowledge, but that is changing.
Phishing scams are becoming more advanced and while you may not fall for it, one of your users might.
We have a separate blog post that gives you all the information you will need to effectively identify a phishing scam.
Disaster Recovery plans
Lets make this very simple.
YOU NEED A DISASTER RECOVERY PLAN.
Just imagine - you've done everything else right, but something has still managed to go wrong.
For most people a disaster recovery plan looks like this:
Average users disaster recovery plan:
Step 1: PANIC.
Step 2: CRY.
Step 3: PANIC MORE.
This doesn't have to be you.
Much like wearing your seatbelt, we hope that nothing will go wrong, but we're still taking the necessary precautions.
Your recovery plan is going to revolve around backups. Your plan should consider and pre-empt anything that could go wrong:
- Account intrusion.
- Loss of services.
- Loss of personnel.
- Critical hardware failure.
You should have secure documents that will allow you to recover your data and logins if necessary.
If you have everything you need to restore your services on a different host in an emergency, you should be able to resume operations with minimal downtime.
Ever heard the phrase "Two is one and one is none"? Well, when it comes to backups you can be even more cautious.
Introducing the 3/2/1 rule:
Follow the 3/2/1 rule to prevent data loss
You should have:
 Three copies of data, stored on:
 Two different storage mediums (e.g a local drive and a remote server) with
 One complete server backup. This should be stored off-site in a remote location.
The last one is particularly important for successful recovery from any natural disasters that might impact your data centre. (Planning for an alien invasion doesnt look so silly now, does it?)
Your backup process should be fully automated and it is essential that you review this regularly.
It's easy to imagine a world where you do everything right and it all works out. Unfortunately, that is not the world we live in.
Planning for things to go wrong can seem like a waste of time and resources, right up until you need to put your disaster recovery plan into action. I am willing to bet the data on your VPS is priceless and, as such, you should be verifying the integrity of the backups and ensuring that they're secure.
PCI DSS compliance
PCI DSS stands for Payment Card Industry Data Security Standard. (You can see why it was shortened!) This is simply a set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information.
If you want to take card payments through your site, you will have to ensure that you are PCI DSS compliant as this is required by all card brands.
Even if you choose to circumvent some of the requirements with a service like Stripe, aiming for PCI DSS compliance is a fantastic target.
This post has already covered a number of requirements for PCI compliance and increasing your security to this level can only help protect you further.
Regarding third-party software
Throughout this guide I have suggested quite a number of third-party solutions.
At the time of writing, these are solutions that I personally use and trust. That being said, I cannot guarantee that the services I have recommended will be suitable for your particular situation.
As with everything you consider installing to your server, speak to your developer first!
When writing a guide, do not let the lawyers read it until after it has been posted!
Where to learn more
Now that we’ve covered the basics of VPS security, you should have the necessary tools and knowledge to make your VPS a much less appealing target for malicious actors.
Security is a constantly changing game, as hackers get better, your security needs will evolve to match this. There are a few other resources that I would suggest to ensure your server is as secure as possible.
Speak to your developer!
If you have a developer on hand that will be building your project, they should be able to advise you on additional steps to ensure that security is a priority for your VPS. They will know your project better than anyone, meaning that they know where the project is most vulnerable.
Did you know we have a Krystal Discord channel?
This is an online community filled with Krystal staff and like-minded individuals who use Krystal products and have a wealth of knowledge in a vast range of subjects.
If you’d like to bounce ideas around and get advice from others that have been in your position, I invite you to join the Krystal Discord Community, say hello and ask away!
So, you've now seen behind the veil. You should now have a better understanding of the risks involved in hosting valuable data on a VPS and the basic steps to lock down your server.
Security can be genuinely scary. Businesses regularly close due to breaches in security.
By reading this, you've taken the first tentative steps to securing your VPS and protecting yourself and your business, but it's not enough just to read a blog post. You need to implement everything we've mentioned and continue to secure and harden your VPS.
As mentioned in the beginning, all of this work means nothing if you don't have a strong foundation.
For less experienced users a managed Krystal VPS or for more experienced users, a self-managed Katapult VPS is the perfect foundation for you to build on and do what you do best.
About the author
I'm Tristan! I'm Krystal's Technical Community Manager and self-proclaimed documentation wizard. When I'm not writing, you'll normally find me playing some form of instrument or harnessing the power of the internet to pretend to drive a truck with my little plastic wheel.