Basic security for your VPS server

Some customers ask us, “How do I secure my VPS server?”
With this blog post we would like to share some basic security tips and tricks for securing your Linux or Windows VPS server.

SupCloud protects your VPS with advanced DDoS protection equipment by default; there is nothing extra
to pay and nothing you have to activate. Your VPS is routed through our VAC system, which filters
DDoS attacks to prevent damage to your server.

But there are things you should secure too!

Please note that this guide covers basic security only. It will protect your VPS a lot better than a clean install, but we are not responsible for any damage.

Firewall
Since all ports are open on your VPS by default, you will need to do some filtering first.
You can use built-in software like iptables or the Windows Firewall to do this, but if you are unfamiliar with
configuring a firewall it can be a pain.

Security company Dome9 offers users a cloud-based firewall that leverages the built-in firewall
capabilities of Linux and Windows.
The “Lite Cloud” package can protect up to 5 servers for free.

After you’ve signed up for Dome9 you will be presented with your security dashboard. The first thing you want to do is make a new Security Group. Give it a nice name and hit “Create Security Group”.
We can now add some firewall rules. First you have to find out which services you run (or will be running)
and which ports these services require. You can do this by simply googling your server software and find

Dome9 itself offers some presets to help you out.

So, in case you are running a blog, you could use the following rules:

Web (HTTP) – Open For All IPs
Web (HTTPS) – Open For All IPs

After you’ve added the required rules, you should add an IP whitelist for your home (or secure VPN) IP.
This whitelist allows you to access other ports (like FTP/SSH) even though they are not open to the public.
If you use a CDN like CloudFlare you can even configure Dome9 to only accept HTTP or HTTPS requests
from the CloudFlare CDN IPs.
Now that your Security Group is ready and you’ve whitelisted your own IP, we can begin
installing the Dome9 agent on your VPS.
Simply hit “Install new agent” and follow the steps for your OS.
Make sure you assign a security group to your VPS: for Linux you can select it before
you paste the wget URL, and Windows will ask you for a security group during the setup.

After the installation is completed you can check whether, for example, port 22 is still open to the world by
visiting a nice little website called YouGetSignal.
You should see that SSH is closed!

Nice! Your firewall is configured!
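The same policy the post builds in the Dome9 dashboard (web open to all, everything else only from your whitelisted IP, optionally web only from the CDN) can be expressed directly with the iptables mentioned above. This is an added example, not SupCloud's or Dome9's code; the admin IP and CDN ranges are placeholders you supply.

```shell
#!/bin/sh
# Added example, not SupCloud's or Dome9's code: the post's Security Group as
# iptables rules for the IPv4 INPUT chain. The admin IP and CDN ranges passed
# in are placeholders (203.0.113.10 etc. are documentation addresses).
set -eu

# Print the iptables commands for the post's policy:
#   $1 = the IP to whitelist (may reach every port, e.g. SSH and FTP)
#   $2 = optional space-separated CDN ranges; when given, HTTP/HTTPS are
#        accepted only from those ranges instead of from everyone
# ACCEPT rules are emitted first and the DROP policy last, so applying the
# output over an existing SSH session does not cut that session off.
vps_firewall_rules() {
    admin_ip=$1
    cdn_ranges=${2:-}
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"                # loopback
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The whitelist from the post: your own IP may reach any port.
    echo "iptables -A INPUT -s $admin_ip -j ACCEPT"
    if [ -z "$cdn_ranges" ]; then
        # "Web (HTTP) / Web (HTTPS) - Open For All IPs"
        for port in 80 443; do
            echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
        done
    else
        # CDN mode: only the CDN's ranges may talk to the web server.
        for range in $cdn_ranges; do
            for port in 80 443; do
                echo "iptables -A INPUT -s $range -p tcp --dport $port -j ACCEPT"
            done
        done
    fi
    # Everything else (SSH, FTP, databases, ...) is closed to the world.
    echo "iptables -P INPUT DROP"
}

# Review the generated rules first, then apply them as root:
#   vps_firewall_rules 203.0.113.10 | sh
```

The rules are lost on reboot unless saved (for example with iptables-save and your distribution's persistence package), and if your VPS has an IPv6 address the same policy must be loaded into ip6tables as well or IPv6 traffic stays unfiltered.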

Strong Passwords
Let’s face it, “1234” isn’t the password you should use, and even though remembering passwords can be a pain
you should definitely use hard-to-guess passwords.
There are free password managers like LastPass and paid alternatives like 1Password
that can help you manage your passwords.

Stay up-to-date, both locally and on your VPS
You should always install the latest security updates for Windows and Linux.
For Debian-based Linux distributions you can use:

apt-get update && apt-get upgrade

For RHEL-based Linux distributions you can use:

yum update && yum upgrade

If you use Windows on your VPS you should turn on Windows Update.

You should also keep your own system up to date! You can secure your VPS
server a lot, but in the end a Word file containing your VPS root password can result in a disaster.
Make sure you don’t save your passwords in plain text on your system, and always install
the latest security updates.

Don’t trust everyone with your VPS
Giving login credentials to people other than yourself isn’t a smart thing to do.
If someone needs to manage your website, a simple FTP account with access to your web folder
is sufficient in most cases.

Use a secure webserver
Basic installations of IIS, Apache or any other web server are not the safest you can get.
You should always search for tips on securing your web server.
Some of our customers used XAMPP for production websites; we do not recommend this
at all, here’s why.

Use a secure and up-to-date CMS
If you use a CMS you should always run the latest version if possible.
Vulnerabilities are easily found in older versions and can result in SQL injection:

“SQL injection is a technique where malicious users can inject SQL commands into an SQL statement via web page input.
Injected SQL commands can alter the SQL statement and compromise the security of a web application.”

So what can happen if you use an old or insecure CMS is that someone can use such a vulnerability to execute SQL commands like “DROP”, which can eventually result in an empty database.
This is probably not what you want, so make sure you use the right CMS!

More tips and tricks?
Are there more things you could do? Yes, definitely, but the basic security guide
ends here; following it adds some basic security to your VPS.

Feel free to leave a comment. If you need help following this guide, you may contact the SupCloud
support team if you have a server with us.