Top 10 VPS security best practices for server admins

Protecting your UK VPS is paramount due to its status as a virtual machine sharing server resources with others.

One weak link leaves the entire operation susceptible to attack.

A VPS frequently serves as the foundation for website hosting, storing sensitive information, and facilitating mission-critical tasks.

Therefore, securing the VPS safeguards everything dependent upon it from potential threats such as hacking, malware, and ransomware.

Investing in robust security measures defends against data breaches, losses, and operational interruptions.

Ultimately, VPS administrators must prioritise security to shield themselves and their clients from digital dangers.

Fortunately, our managed VPS hosting services include several safety features by default.

Nevertheless, those utilising our unmanaged VPS offerings should consider implementing these suggestions on their own.

1. Use strong, unique passwords

In today’s digital age, we rely heavily on our electronic devices and online platforms to store and transmit sensitive information.

As a result, the importance of strong, unique passwords cannot be overstated. But why exactly should you prioritize this seemingly mundane task? Let me explain.

First off, let’s define what constitutes a strong password.

A strong password is one that combines uppercase and lowercase letters, numbers, and symbols to form a lengthy string that is difficult for hackers to decipher through brute-force methods.

While many users opt for short, easily memorable passwords, this approach leaves their accounts vulnerable to attack.

After all, a weak password is just an invitation for cybercriminals to gain unauthorized access to your sensitive data.

Now, you might argue that relying solely on a single strong password isn’t sufficient for protecting all of your online accounts.

And you’d be right!

That’s where unique passwords come into play.

By generating a distinctive password for each individual account, you minimise the risk of a “domino effect” scenario in which a breached password exposes several connected accounts.

Unique passwords add yet another layer of defence against cyber threats, further safeguarding your privacy and assets.

But here’s the kicker – crafting and maintaining strong, unique passwords can feel like a Herculean task.

Who has time to conjure up new combinations every month while adhering to ever-shifting complexity requirements?

Fortunately, technology has evolved to simplify this process without sacrificing security.

Password managers now offer robust solutions for generating and storing highly secure passwords, allowing you to focus on running your business rather than worrying about password strength.

Strong, unique passwords deserve your utmost attention when it comes to guarding your digital identity.

With the help of modern tools and best practices, you can bolster your defences against cyberattacks without breaking a sweat.

2. Enable two-factor authentication

Ah, yes, enabling two-factor authentication (2FA) for your virtual private server (VPS) login.

It may sound like a minor detail amidst the vast sea of technical jargon out there, but trust us – this measure could make all the difference in keeping your digital assets secure.

Allow me to elaborate.

For starters, 2FA provides an extra layer of protection beyond simply remembering a username and password combination.

When logging in to your VPS, you must first verify your identity using something you know (your password), followed by something you have (a physical token or smartphone).

This second factor ensures that even if someone were to obtain your login details through nefarious means, they still couldn’t access your system without possessing the corresponding device or authenticator app.

Such multi-factor authentication represents a significant barrier against phishing attacks, credential stuffing attempts, and other forms of malicious activity.

Given the sheer volume of cyber threats facing individuals and organisations alike, implementing 2FA for your VPS login seems like a no-brainer.

Plus, most popular operating systems and web applications already support this feature natively, so activating it typically involves minimal setup hassle.

Of course, some folks may baulk at the prospect of carrying around yet another gadget or having to remember multiple codes.

However, modern 2FA methods often employ push notifications or biometric scanning, eliminating much of the inconvenience associated with traditional tokens or SMS messages.

Besides, the benefits of increased security far outweigh any perceived drawbacks.

So, dear reader, I implore you not to neglect this vital aspect of VPS management.

Your data, reputation, and potentially even livelihood depend upon taking proper precautions.

By embracing 2FA and encouraging its widespread use among colleagues, clients, and collaborators, we can collectively create a safer, more resilient digital ecosystem for everyone involved.

Some examples of two-factor authentication (2FA) systems often used on Linux virtual private servers (VPS) are:

1. Google Authenticator: This nifty tool generates time-based one-time passcodes (TOTPs) through its mobile application, requiring users to input these temporary codes along with their regular login credentials for increased security. Setting up Google Authenticator on your VPS involves downloading relevant packages according to your distribution, generating QR codes, and following configuration instructions. With just a few steps, you can bolster your VPS's defences against potential breaches and enjoy greater peace of mind knowing your data stays safe behind multiple layers of protection.
2. SSH Key Pairs: For those seeking a more low-maintenance 2FA solution, SSH key pairs represent a viable alternative. Essentially, you generate public/private key pairs on your local machine and upload the public keys to your VPS. During subsequent connections, the VPS automatically verifies your identity based on the presence of the correct private key, providing an effective secondary check alongside standard passwords. Most Linux distributions include built-in tools for creating and managing SSH key pairs.
3. Duo Security: Although primarily designed for enterprise environments, Duo Security offers flexible 2FA options that can also benefit personal VPS usage. Their platform supports a range of authentication methods, such as push notifications, phone calls/texts, and biometric verification. Once registered, you can connect your VPS to Duo's service and enable two-step verification for added security.

Overall, choosing a suitable 2FA system depends largely on your familiarity with different technologies, available resources, and desired level of complexity. Regardless of which method you select, however, be sure to thoroughly test everything before relying on it in production settings. After all, a well-configured 2FA mechanism remains critical to protecting your VPS from potential intruders and safeguarding sensitive information within.

3. Keep the VPS and software up to date

Maintaining your virtual private server (VPS) and associated software currently entails ensuring timely updates and patches are applied.

Neglecting these crucial tasks may expose your VPS to known vulnerabilities and leave your systems susceptible to attacks.

However, keeping pace with frequent releases often proves challenging amidst busy schedules and competing priorities.

Here, I outline several approaches to help streamline this process and ensure your VPS remains secure and optimised at all times.

Firstly, automation represents a powerful ally in any sysadmin's arsenal.

Utilise tools like Ansible, SaltStack, or Puppet to script routine maintenance activities and schedule recurring jobs.

Not only do these solutions simplify manual processes, but they also reduce human error and improve consistency across various deployments.

Secondly, subscribing to official mailing lists or newsletters related to your VPS software helps stay informed regarding new releases and important announcements.

Many developers actively communicate pending changes, release dates, and notable improvements via these channels, allowing administrators to prepare accordingly.

Thirdly, establishing monitoring and alerting mechanisms serves as an essential preventive measure.

Set up services like Nagios, Zabbix, or Prometheus to continuously monitor your VPS and notify designated contacts upon detecting issues or outdated components.

This proactive strategy enables swift action in response to identified problems, minimizing downtime and reducing potential impacts.

Lastly, periodically reviewing your VPS configurations and evaluating installed applications ensures unnecessary bloat or unused components don't unnecessarily burden performance or introduce unnecessary risks.

Prune away any unwanted elements and optimise configurations where possible to maintain optimal efficiency and security.

4. Use a firewall

Firewalls represent a critical component in securing online assets, whether physical or virtual.

By regulating incoming and outgoing network traffic based on predefined safety policies, firewalls provide an extra layer of defence against cyber threats.

These systems come in either hardware, software, or hybrid forms, making them flexible enough to suit diverse deployment scenarios.

On Virtual Private Servers (VPS), firewalls play a pivotal role in safeguarding the environment from unauthorised intrusion and harmful incidents.

The mechanism works by filtering incoming packets based on established guidelines, permitting legitimate traffic while blocking suspicious ones.

For instance, a firewall might permit connections from trustworthy sources while barring communication attempts originating from recognised malware distributors.

Two primary categories exist in the world of firewalls: Network and Host-Based.

The former operates by inspecting packets moving between distinct sections inside a network, whereas the latter concentrates on controlling incoming/outgoing transmissions bound for particular machines or servers.

To leverage the power of a firewall on a VPS, installing and configuring suitable software or devices becomes necessary.

Customers must define rules specifying what kinds of traffic should be allowed or blocked before activating the solution.

Farbyte Cloud KVM VPS IaaS clients benefit from a complimentary network firewall bundled into each VPS deployment.

Our state-of-the-art infrastructure further benefits from perimeter edge firewalls designed to obstruct numerous malevolent sources, providing customers with an added layer of security and peace of mind.

How to setup CSF on your VPS

ConfigServer Security & Firewall (CSF) represents a powerful host-based protection tool tailored to secure Virtual Private Servers (VPS).

In this guide, we'll walk through the process of implementing CSF on your beloved VPS.

Follow along to ensure robust defenses against digital dangers lurking on the web.

1. Install CSF:
   The first step is to install CSF on your VPS.
   Run the following commands to download & install the software:

   wget https://download.configserver.com/csf.tgz
   tar -xzf csf.tgz
   cd csf
   sh install.sh

2. Configure CSF:
   Once CSF is installed, you will need to configure it to suit your specific needs. To do this, you will need to edit the configuration file for CSF, which is located at /etc/csf/csf.conf. In the configuration file, you can set various options such as which ports to allow or block, which IP addresses to allow or block, and which services to monitor.

3. Restart CSF:
   Once you're happy with your changes to the configuration, you will need to restart CSF for the changes to take effect. You can do this by running the following command:

   csf -r

4. Disable CSF testing mode:
   If CSF restarts OK, you can no disable the anti-lockout feature in /etc/csf/csf.conf. Open /etc/csf/csf.conf & change TESTING = "1" to TESTING = "0". Then restart csf once more:

   csf -r

5. Secure access to the VPS

Securing access to your precious VPS is crucial to safeguard it from unauthorised intruders and cyber threats.

How to restrict access to the VPS from specific IP addresses using CSF

To restrict access to your VPS from specific IP addresses using CSF, you will need to add those IP addresses to the firewall's configuration.

Here is a general outline of the steps you can follow:

1. Determine the IP addresses you want to allow:
   The first step is to identify the IP addresses you want to allow. You can do this by checking your VPS logs or by using a tool such as WhatsMyIP to identify the origin of incoming traffic.
2. Edit the CSF configuration file:
   The next step is to edit the CSF configuration file, which is located at /etc/csf/csf.allow. In the configuration file, you will find options for controlling access to your VPS from specific IP addresses.
3. Block all other non-public ports:
   You will need to make configuration changes in your  /etc/csf/csf.allow file. For IPv4 you will need to configure the TCP_IN & UDP_IN ports to only allow public ports such as web server (80 & 443), etc. For IPv6 you will need to configure the TCP6_IN & UDP6_IN port settings.
4. Restart CSF:
   You will need to restart the CSF daemon/service. To do so run the following command:

   csf -r

6. Monitor logs and activity

Monitoring logs and activity on your virtual private server (VPS) is crucial for maintaining strong security measures, as it allows you to track any suspicious or malicious behaviour that may be taking place on your system.

By regularly reviewing log files and monitoring activity, you can quickly identify potential threats and take action to prevent them from causing harm to your data and applications.

One of the main benefits of logging and activity monitoring is that it enables you to detect intrusions early on before they have had time to cause significant damage.

For example, if an attacker gains access to your VPS, they will typically attempt to cover their tracks by deleting log files or disabling monitoring tools.

However, with regular log reviews and active monitoring in place, you can catch these attempts at concealment and respond accordingly.

In addition to helping you detect and respond to security incidents, logging and activity monitoring also provide valuable insights into how your VPS is being used.

This information can help you optimise performance, troubleshoot issues, and make informed decisions about future upgrades or changes to your infrastructure.

Overall, the importance of logging and activity monitoring cannot be overstated when it comes to securing your VPS.

By investing in robust logging solutions and actively monitoring your system, you can rest assured knowing that your data and applications are well-protected against potential threats.

In the world of tech, keeping tabs on your virtual private server (VPS) is key to ensuring its health and safety. That's where log analysis software, security analytics platforms, custom scripts, and manual review come in handy. Here's a breakdown of each method:

1. Log Analysis Software - Tools such as Splunk, Elastic Stack (formerly known as ELK) and Logz.io enable you to analyze log files from your VPS and uncover patterns, trends, and irregularities.
2. Security Analytics Platforms - With options like Splunk Enterprise Security, IBM QRadar, and Sumo Logic, you can keep an eye out for potential security threats lurking within your VPS logs.
3. Custom Scripts & Tools - Tailor-made scripts and tools can zero in on specific areas of interest on your VPS, whether it's parsing log files or checking the status of services and processes.
4. Manual Review - Sometimes there's no substitute for human eyes. A good old-fashioned manual review of logs and activity can reveal unique issues or abnormalities that automatic systems might miss.

When it comes to safeguarding your VPS, choosing the appropriate approach requires considering your unique situation.

However, one aspect remains consistent - remain watchful and constantly lookout for any signs of trouble on your VPS.

It's essential to prioritise the protection of your digital assets.

The peace of mind is worth it.

7. Use a reputable hosting provider

The hosting provider's security measures can have a significant impact on the security of your VPS in a number of ways.

Here are a few examples:

• Physical security of the data centre:
  The hosting provider should have strong measures in place to physically secure the data centre where your VPS is located. This could include things like access controls, surveillance, and backup power systems. At Farbyte we employ multiple physical security protection layers including high-security fencing & pass-protected door access within the data centre.
• Network security:
  The hosting provider should have a secure network configured to protect against external threats such as DDoS & hacking attacks. This could include things like intrusion detection systems, firewalls and virtual private networks (VPNs). At Farbyte we have multiple infrastructure firewalls & intrusion prevention systems in place to protect client VPS.
• Host-level security: The hosting provider should have measures in place to ensure that the host servers are secure and that the operating system and other software is kept up to date with the latest security patches. You can rest assured that we regularly monitor our hosts for updates & apply them where necessary.
• Backups: The hosting provider should have a robust backup system in place to protect against data loss due to hardware failures, human error, or other disasters. Backup & snapshot services are available for all Farbyte VPS services.

Ultimately, selecting a reputable hosting provider with strong security features can greatly enhance the overall security posture of your VPS.

Be sure to research available options and carefully evaluate each provider's security capabilities before making a decision.

Click the following link to learn more about our VPS infrastructure & security.

8. Implement network segmentation

Network segmentation has become increasingly important in modern cybersecurity practices, particularly when it comes to securing virtual private servers (VPS).

By dividing your VPS into smaller networks, you can limit the spread of potential attacks and contain damage if a breach does occur.

In simple terms, network segmentation involves creating separate subnetworks within your larger network infrastructure.

Each subnetwork operates independently, allowing you to control traffic flow between them.

By implementing proper firewall rules and routing configurations, you can isolate critical systems and applications from less sensitive ones, reducing the attack surface and minimizing the potential impact of successful intrusions.

From a security standpoint, network segmentation offers several benefits:

• Enhanced visibility: Segmentation enables better tracking of network traffic flows, helping you spot suspicious activities earlier.
• Reduced exposure: By separating different parts of your VPS, you reduce the likelihood of a single point of failure that could affect multiple systems.
• Fine-grained controls: Network segmentation allows you to implement granular access policies and permissions across distinct subnetworks, enhancing your ability to manage risk and maintain compliance.
• Simplified incident response: If a breach occurs, segmentation makes it easier to contain the damage and restore normal operations without disrupting the entire network.

How to implement network segmentation on your VPS

As a small business owner using a Virtual Private Server (VPS) for your online presence, ensuring the safety and integrity of your data should be a top priority.

One way to improve your VPS's security is by implementing network segmentation.

We will discuss how to set up network segmentation on your VPS from scratch.

Network segmentation refers to the process of dividing a computer network into smaller subnetworks.

This helps to restrict communication between devices within the same subnetwork while limiting access to other segments.

By doing so, you create a more secure environment where potential threats are contained within isolated sections of the network.

To begin setting up network segmentation on your VPS, follow these steps:

1. Choose a virtualisation technology: There are two popular containerised virtualisation technologies for VPSes – OpenVZ and Docker. Both have their pros and cons, but for our purposes here, let's assume you're using Docker.
2. Create new containers: Containers represent independent "virtual machines" within your VPS. You can create as many containers as needed based on your requirements. For example, you might want to segregate your web server, database server, and email server into separate containers.
3. Configure networking settings: To create separate subnetworks within your VPS, you need to modify the container's network configuration file. Specify the IP address range, netmask, default gateway, DNS servers, and other parameters according to your needs. Make sure to use non-overlapping IP addresses for each container network.
4. Install necessary software: Depending on your usage scenario, you may need additional software installed inside each container. For instance, if you plan to run a web server, install Apache or Nginx along with PHP. Similarly, for a database server, install MySQL or PostgreSQL. Ensure that all software packages are updated to the latest versions.
5. Secure access to each container: Once you've created and configured your containers, make sure you secure access to each with secure passwords.
6. Test your implementation: After completing the above steps, test your newly implemented network segmentation solution to make sure everything works as expected. Try accessing services running within each container from outside the VPS using their respective public IP addresses or hostnames. Verify that communication only happens within the designated subnetworks and not between them unless explicitly allowed through firewall rules.
7. Maintain and monitor your system: Regularly review and update your firewall rules, patch vulnerabilities, and keep an eye out for any unusual activity within your VPS. A reliable monitoring tool like Nagios or Zabbix can provide real-time alerts and notifications to quickly respond to issues.
8. Consult experts if required: While this guide provides a high-level overview of how to implement network segmentation on your VPS, there may still be challenges you encounter during the process. Don't hesitate to seek assistance from qualified professionals who specialise in VPS management and security. They can advise you on best practices, optimise performance, and ensure optimal protection against cyber threats.

Alternatively, using Farbyte's Cloud KVM solution, you can deploy multiple KVM VPS on your own Virtual LANs (VLANs), thus achieving a high level of segmentaion.

By following these steps, you can effectively implement network segmentation on your VPS, significantly improving its security posture and peace of mind.

With careful planning and execution, you can rest assured knowing that your valuable assets are well protected from potential intruders.

Keep experimenting, learning, and refining your skills to stay ahead of evolving cyber risks!

All of the above segmentation methods can be implemented on Farbyte UK IaaS Cloud (Infrastructure as a Service).

9. Regularly test and review security measures

It is important to regularly test and review security measures for your VPS because the threat landscape is constantly changing and new vulnerabilities are constantly being discovered.

By regularly testing and reviewing your security measures, you can ensure that your VPS is protected against the latest threats and that your security measures are effective.

Here are a few specific reasons why it is important to regularly test and review your VPS security measures:

• Identify and fix vulnerabilities:
  Regular testing and reviewing of your security measures can help you identify vulnerabilities in your system that could be exploited by attackers. By fixing these vulnerabilities, you can significantly reduce the risk of your VPS being compromised.
• Stay up to date with the latest threats:
  The threat landscape is constantly evolving, and new threats are being discovered all the time. By regularly testing and reviewing your security measures, you can ensure that your VPS is protected against the latest threats.
• Ensure compliance with industry standards and regulations:
  Depending on your industry and the type of data you are handling, you may be required to meet certain security standards and regulations. Regular testing and reviewing of your security measures can help you ensure that you are compliant with these requirements.
• Improve security posture:
  Regular testing and reviewing of your security measures can help you identify areas where you can improve your security posture and make your VPS more resistant to attacks.

Overall, regularly testing and reviewing your security measures is an important part of maintaining the security of your VPS and protecting your data and systems.

10. Create & Test VPS backups

Creating and testing backups for your VPS is an important part of maintaining the security and availability of your data and systems.

Backups allow you to recover your data and systems in the event of a disaster such as a hardware failure, data loss, or security breach.

Here are a few tips for creating and testing backups for your VPS:

• Determine your backup needs:
  Consider the types of data and systems you need to back up, the frequency with which you need to create backups, and the level of protection you need.
• Choose a backup solution:
  There are many different options for creating backups of your VPS, including backup software, cloud storage services, and physical media such as hard drives or tapes. Choose a solution that meets your needs and budget.
• Configure your backup solution:
  Follow the instructions for your chosen backup solution to configure it for your VPS. This may include specifying the data and systems you want to back up, the frequency of backups, and the location where backups will be stored.
• Create and store backups:
  Create regular backups of your VPS according to your configured schedule. Store backups in a secure location, such as a separate physical location or a cloud storage service, to protect them from data loss or damage.
• Test your backups:
  Regularly test your backups to ensure that they are being created correctly and that you can restore your data and systems from them if necessary. This may involve restoring a backup to a test environment or simply verifying that the backup files are complete and usable.

Overall, creating and testing backups is an essential part of maintaining the security and availability of your VPS and its data.

Some backup solutions for your VPS include:

Here are a few VPS backup solutions that are popular among users:

1. Veeam Backup & Replication: A comprehensive backup and disaster recovery solution that supports a wide range of platforms, including VPS environments.
2. Acronis Backup: A comprehensive backup and recovery solution that supports a wide range of platforms and offers flexible scheduling, data compression, and encryption options.
3. Carbonite: A cloud-based backup solution that offers automatic, continuous data protection and flexible restore options.
4. CloudBerry Backup: A cross-platform backup solution that supports a variety of storage destinations, including popular cloud storage services.
5. Backblaze: A cloud-based backup solution that offers unlimited storage and flexible restore options.
6. CrashPlan: A cloud-based backup solution that offers unlimited storage and the ability to restore data from any point in time.
7. Arq: A cross-platform backup solution that supports a variety of storage destinations, including popular cloud storage services.

These are just a few examples of the many VPS backup solutions that are available.

To choose the best solution for your needs, consider factors such as the types of data you need to back up, the frequency of backups, the level of protection you need, and your budget.