How To Secure Your Server
When you run a Virtual Private Server, one of the most important things you are responsible for is the security of the server. This means both keeping the bad people out and keeping your secure data in. So how do you go about doing this?
Limit Access
The first thing to do is to ensure that you only allow access to areas and elements that you want the general public to access, and block or limit access to anything else running on your server. For example, if you are using your VPS as a web server for a WordPress blog then you’d want to keep access open to the web server but block other services. An attacker will use any access they can find to try and find a way into your server, and some access methods give them more power than others.
Firewalls
Normally a firewall is used to block this access. When setting this up, the first thing to think about is how you manage the server, typically with SSH on Linux or RDP on Windows. It is advised that you restrict remote access to these management tools to as few IP addresses as possible. If you have a static IP at your house or office then that is a great start, as you can limit it to that. If not, you may need to limit to groups of IPs that your ISP uses. The smaller the group of IP addresses that can access these services the harder it becomes for a potential attacker to use them.
The next consideration is any service running on the server that you use infrequently, such as FTP to upload files for a website. An attacker will brute force FTP on a server (that is, make lots of login attempts with different username/password combinations until they find the right one), as it will enable them to upload scripts or programs to the server that they can then run through the website to take control of the server. So when you are not planning to upload with FTP, it’s worth configuring your firewall to block it, or at least limiting access to it in the same way as for the management services. This advice also applies to many secondary services that only you use from time to time.
Additional Tools
Tools such as nmap will allow you to see which services are running on your server and are accessible. This can help you make sure you’ve blocked or limited access as needed for your server. It may help to imagine the person attacking your server as a bit like a car thief walking down the street tugging on all the door handles he walks past. Any service that you leave accessible to the internet at large is like an unlocked door that the attacker can pull the handle on.
Abandon Root Access
Once access is limited, the next step is to ensure that your user accounts are safe. It’s recommended that you don’t use the default superuser accounts (root on Linux and Administrator on Windows) to manage the server, but instead create individual accounts for each user who may need to log in and manage your VPS, and provide those users with the superuser access they need to perform their tasks. Blocking remote access for the default superuser accounts is also a good idea: if someone does manage to reach a login on the server, they will often attempt to brute force those accounts because they have known usernames.
Update, Update, Update
The last big step is to keep your VPS up to date with software security patches. With the other security steps taken, the main exploitable part of your server becomes whatever you are exposing to the world, such as your website. Bugs and security flaws are found in software all the time and patches are regularly released. Once bugs are patched and the information about them is made public it isn’t long before hackers start trying to make use of those bugs to attack servers running the software. So it’s important to ensure those security patches are applied quickly whenever possible.