How to optimize and secure your VPS
If you already know what is VPS hosting and how to use a VPS, then security and optimization should be the first steps to be taken after you migrate from shared to VPS hosting.
Depending on your VPS service provider, the transition from shared to VPS should be seamlessly smooth without any hiccups. If you have opted for an unmanaged VPS package, there are a number of things you need to do on your own at your server. Below are some of the tips to ensure that you do it the right way.
1. SSH connection
The Secure Shell (SSH) protocol is a cryptographical network protocol to operate network services securely over an unsecured network.
If you’re wondering “How to access my VPS?”, wonder no more.
Before anything can be done using VPS, you must log in to your server. To login to your website’s container, you will need your SSH client and login details. If you are using Linux PS, you can start right away by using SSH from the terminal without additional software. However, if you have selected a Windows OS, you will need an SSH client. The most freely available and popular one is PuTTY.
Before you log into your server via SSH, you have to get ready some information such as server address, username, password and port. The server address is usually your domain name/ IP address.
For Windows user, you will need to download the PuTty. Once it is downloaded, you can run it by double clicking the icon with a screen that pops up with the title of “PuTTY Configuration”. The steps to be taken subsequently are as follows:
- Insert your server address in the host name input field
- Enter the port number in the port field
- Ensure that the protocol is set to SSH
- Click open at the bottom
- Enter your username and press enter once you see a window that looks like a Linux terminal
- Enter password and press enter
- Wait to be logged in
- A few notifications may appear along the way which can you just press OK
For Mac or Linux users, directly open the terminal and issue a command which is in the form of “ssh username@hostname -p portnumber” by substituting the information required with yours and press enter. Then insert password and press enter again. Likewise, a few notifications may appear along the way which you can press enter or “y” as a response.
2. Change your root password
It is very important to attend to the change of root password as soon as you get access to doing so. Make it a routine to change the password for each service you are using and don’t ever use the same password for root account as that of your email.
- open a terminal window by pressing Ctrl+Atl+T that will lead to a command prompt
- type “su” at the command prompt, press enter
- you will see a “password” line opening below the command prompt
- type in the current root password and then press enter
Note: all passwords are case-sensitive - If the password is correct, you will be brought back to the command prompt as the root user
- If the password is incorrect, try steps b) to d) again
- Type “passwd” and press Enter
- You will see a “Enter new UNIX password” line appearing below the prompt
- Type in your new password and press enter
- Retype your new password and press enter
- If successful, you will see a line that reads “password updated successfully”
- Type “exit” and press enter to log out from the root account
3. Update your time zone
Update your server’s time zone in accordance with your current location as the default time zone does not automatically change to match yours.
4. Create a sudo user
A new sudo user with root access must be created after which you must disable root access to the root username. The reason behind this is to prevent attacks on your server when they use default root username.
Let’s first explain what are root and sudo. Root refers to the system administrator account. It has user ID o and unlimited privileged and advantages to access any file, run any programs, modify any setting and executor system call. However, there are often circumstances that require you to share part of the administrative powers to other users. That’s when sudo command comes into the picture by allowing multiple administrators.
The sudo command allows you to execute commands like a root privilege provided that your user ID is first authorized to do so in the sudoers files. The sudoers file decides who can use the sudo command, the scope of the authorization as well as the period of the authorisation.
This is especially when you have an IT expert to do all the technical job for you. In this scenario, you may not know the root password of your own computer. However, that is not an issue as long as you are in the sudoers file.
It is important to note that a new user by default is unprivileged meaning that they can only modify files in their own home directory.
5. Securing your SSH
This is important to avoid brute force attacks on the SSH service that compromise accounts and passwords by using an automated program to test combinations of possible usernames and passwords.
The indicator of such attack against your SSH server is an excessive number of failed log-ins. You can toughen up the security of your SSH with one of the following tips:-
a) Change SSH port number
The default port for SSH client connection is 22. As it is the most used port due to its identity as the default port, attacks are normally launched and tailored specifically on port 22. It is also a target of worms, script kiddies and other forms of brute force attacks. To hide your SSH and make it secure, change your port.
b) Setting up port knocking
Pork knocking is an authentication method used by administrators to control access to computers behind a firewall. You can do this by simply using iptables to create simple yet secret knocking sequence to open the port. The purpose is to mitigate the chance of brute force attacks and to protect against an attack that scans a system for potentially exploitable services via port scan. Daemon, a program that monitors firewall log files for requests to connect determine whether a client seeking the network is from an approved IP address and whether it has performed the knock sequence correctly. Unless the attacker sends the correct knock sequence, the ports will be protected and appear close. If the knocking sequence was produced correctly, it would open up and allow access.
c) Using TCP Wrappers
TCP Wrappers is a host-based networking ACL system that is used to filter network access to Internet Protocol servers. So, when a network request reaches the server, TCP wrappers use hosts.allow and hosts.deny to determine if that request should be given access to the service. If you do not use TCP Wrappers, your system relies only on the firewall for full protection. However, that does not mean that with TCP Wrappers, you no longer need a properly configured firewall as TCP Wrappers act merely as a host-based access control list that adds another layer of security to your server. The TCP Wrappers help you to block out the uninvited comers and allow only the specified IP addresses.
d) Filtering the SSH port on your firewall
After you have installed the OS, you have to configure your firewall to a server-side software firewall that filters the logs and rejects SSH access packets unless the packet is heading to or originates from specified IP addresses. The most common and best practice to secure the server is by allowing only trusted public static IPs or private LAN connections. The whole purpose is to block unfamiliar and untrusted connections.
e) Disabling root login
Disabling root access is one of the popular and old school methods to keep the cyber attack at bay. Root login is allowed on most Linux operating systems that allows anyone to connect to port 22. By using the root user as default, brute force attacks can happen to your public server IP. This is especially the case if your root password is weak and require password authentication to log in to your SSH service. One way to check on the number of brute force attacks you receive is to check the security log. Even with a strong root password, it is still more secure to just disable root login and use a primary SSH user by issuing su command to gain root access if required.
f) SSH keybased login
As brute force attack tries various combination of usernames and passwords repeatedly until it gets in, it is only a matter of time before the password with a character such as uppercase, lowercase, numbers, symbols, is cracked. A password-based login is also prone to dictionary attack where the password may eventually be cracked.
Instead of using a password, a keybased authentication, aka public key authentication uses asymmetric cryptography algorithms with public and private keys. How keybased authentication works is that it assigns a pair of asymmetric keys (one public and one private) to each user. The public key will be stored in the system that they want to use while the private keys would be kept secure on the computers.
To establish connection, the server would use the public key to authenticate. One of the examples is asking the client to decrypt a certain number using the private key that corresponds with the public key. A keybased logins enhanced the security yet allow fast SSHlogin without further prompt in the process.
g) Strong password
If you are more comfortable and used to login passwords, then make sure it consists of strong and unique character combination.
A strong password is a good mix of uppercase and lowercase letters, numbers, symbols, and length of at least 8 characters.
A weak password is usually single information related to you such as birthday, anniversary dates, pet name or simple number or keyboard character in a sequence that is easily predictable such as 12345 or QWERTY.
h) Configure idle timeout interval
Setting a timeout period for SSH connections is important to maintain the server stability and security because an open and unattended SSH session is more likely to be attacked.
If the account is inactive for a period of time, the connection should be shut down with login to be done again. You can set the timeout interval in your system’s TCP settings.
SSH servers are automatically configured to use TCPKeepalive that probes at a preset time to check whether the connection is still there. Depending on your system, the default can vary from five seconds to two hours.
You can modify it to your liking by altering the ClientAliveInterval value so that once the timeout is reached, the SSH session will be logged out instantly.
i) Disable empty passwords
Having an empty password is convenient especially if you trust all the people who access your computer. However, not having a password is a recipe to cyber attack as practically anyone can log onto your computer. You can disable login remotely for accounts without a password by editing the sshd_config file.
j) Set a custom SSH warning banner
SSH warning banners and welcome messages are a must especially against an unauthorized user trying to access or if you wish to make other kinds of the announcement.
A pre login SSH warning banner pops up before the password prompt that contains legal warnings with terms and conditions on the usage of the system. Another set of post-login message will be displayed just before the system is used.
This is not exactly a security tip but it serves to warn the connecting user on the site’s policy and may assist in the prosecution of IT trespassers on the computer system.
k) Detect and block brute force attacks
The best option to block brute force attacks is to isolate the offending IP address. By doing so, this will prevent future attacks from the particular IP address. Therefore, detecting the offending IP address is key.
There are two different ways to detect an IP address, one is the manual method or the automated method. The manual method is a simple straight forward process where you would analyze the system logs, located the suspicious IP address who is trying to access the server and then block it via the system’s firewall.
This process is simple however, it is time-consuming as you would have to go through each system log to find the suspicious IP address. A more efficient process is by using software tools this is the automated method.
By using software tools, these software tools will be able to perform the same task of scanning the system logs and immediately blocking the IP address. In order to set up an automated system using software tools, you would be required to modify certain parameters to isolate the searching criteria of the offender.
This script depends on the software tool you are going to utilize for your protection as each software defers from the other. Therefore, basic scripting knowledge is recommended.
l) Disable OpenSSh server on the home-based machine
OpenSSH is a tool for remote controlling or transferring files between computers. Its server component sshd listens continuously and carefully for client connections from any of the client tools.
So, if a remote computer is connecting with the SSH client application, the OpenSSH server will require authentication before setting up a remote control session. As such for machines like laptops and desktops, OpenSSH Server is not required.
m) Disable or restrict X11 forwarding
X11 forwarding is a secure shell feature with the mechanism that allows a user to start up remote applications but forward the display of the application to your local Windows machine.
An enabling X22 forwarding on the host allows a malicious user to open another X11 connection to another remote client during the session and perform unobtrusive activities.
If you don’t need X11 services especially if you are running a remote server and not graphics server in Windows, you should disable or restrict as appropriate in accordance with your needs.
n) Limit the maximum consecutive authentication attempts
One of the benefits of limiting the authentication attempts to a lesser amount is that it disconnects attacker who tries to enter and significantly limits the speed of such attack.
Normally, for each failed attempt, there will be some time penalty imposed and if the attacker reached the attempt limits, the connection will be rejected altogether.
o) Enable login notifications over email
An email sent to you on unrecognized login will alert you and protect your account from unfamiliar activity.
All you need to do is to quickly set up a script to send an alerting email to you once someone is logged in as root user. If you receive such notification and you are not the one that logged in, you should change your password as soon as you can.
p) Keep SSH up to date
Keep your server up to date as an updated server includes the latest critical patches to security holes. Many harmful attacks normally take advantage of the vulnerability of an out of date server which is not protected against constantly changing threats.
q) Enable strict mode
Strict mode checks some cases such as SSH key, configuration files ownership, permission checks before the SSH server starts. If the check fails, then SSH server daemon will not start. You should make sure that the strict mode is enabled for security purpose.
r) Disable .rhosts. Files
Rhosts is used to control which machine to trust for access to your account. If your machine trusts another machine, then it will allow the user to access your account without the need to enter a password.
This convenience is normally outweighed by the risk that carries with it. If your account on the other machine is compromised, then it is very simple for a malicious user to access to your account.
Rhosts should be disabled if your machine is not switched on 24/7 as it is easy for the malicious user to take over your IP address by imitating the behavior of the obsolete rsh command and trick the trusted machine.
s) Disable challenge response
A challenge response authentication works by one party presenting a challenge in a form of question and another party answering by providing a response.
When you have configured pluggable authentication mode (PAM) to use the challenge response protocol, the authentication is complete only after the user enters the correct answer to a question. Disabling it adds another layer of security to your SSH.
t) Disabling SSH-1 Protocol
Even though legacy SSH protocol 1 is most disabled by default, you should double check to make sure that it is. Legacy SSH protocol 1 is not secure. A lot of problems were discovered after its introductions due to its vulnerabilities.
If your infrastructure relies on this protocol, you should update it to SSH-2 protocol immediately
u) Hash Known Hosts
When you are connected to a SSH server, the client keeps a few details such as the server’s hostname, IP address and host key in a file called known_hosts which is located in the ~/.ssh/ directory. It poses a privacy and security risk to have a file containing a list of all the servers which you have access to.
To minimize the information to be given to an attacker when a machine or your client is compromised, you can hash the known_hosts file using the ssh-keygen command or set it to default by configuring your SSH to record a hash or the hostnames instead. This will obscure all current host keys.
v) OTP setup
A one time SSH password mode provides secure authentication for access to machines via the SSH protocol. When an attacker gains access to the virtual machine, they can takeover most of the running applications, data and also the machines and systems connected to it.
You will need to install a Vault SSH Helper to help verify the OTP used during the SSH authentication. A one-time password will be created every time a client wants to SSH into a remote host using helper command on the remote host for verification.
Once an authenticated client requests an OTP from the server, the Vault server would issue and return an OTP. Once the SSH connection is established, the Vault server then deletes this OTP ensuring that it is used only once.
6. Update your server
This is one of the main ways to secure the data stored on your server. You can update your server manually or automatically.
Updating it manually is time-consuming and may not bring your server up to date in a timely manner as you have to check manually for an update from time to time on each of the services.
To set an automatic update on Linux server is relatively easy with the condition precedent that you must have root level access to your server.
7. Install a firewall
A firewall is one of the security necessity. It helps to detect if the system is compromised. The firewall can filter outbound traffic, add anti-spam or anti-virus modules, protect against known application vulnerabilities and blocking IP address or port within certain range centrally instead of trying to make sure that there is no service listening for that particular port on each machine.
If you have many users who are not experts in security or find that manually checking the security condition of the server is too time-consuming for your business, then a firewall is a very good defense mechanism.
A firewall also saves a lot of time by providing central logs which helps to detect vertical scans and determine whether some suspicious user or client tries to connect to the same port as your servers periodically. Essentially, it is a good central choke point which makes things more convenient and safe for all users.
As one of the best VPS hosts in Australia, VPSBlocks offers our customers the service of managed hardware firewall as one of its many outstanding standard features where any unwanted traffic is firewalled out at hardware level before it reaches your server. You will be glad to know that VPSBlocks have partnered with SPAM Experts to filter SPAM at only a marginal cost to make sure that all your vital companies correspondence do not get buried under mountains of unsolicited emails.
8. Set up automatic backups
Backing up your data can help you protect and restore your data when something goes wrong bearing in mind that a lot of threats steal and erase data or encrypts your data making it useless.
Choosing multiple places to back up your data whether duplicate or triplicate is your safest bet. There are many ways to backup your data. However, if you have already selected a good VPS plan, then it should offer VPS cloud storage.
What is a VPS cloud storage?
VPS Cloud storage allows users to back up their data in hardware at a remote location which is accessible anytime via any device as long as there is internet access.
If you have chosen VPSBlocks as your Aus VPS host service provider, then you are one of the lucky ones to enjoy the supreme backup solutions that will give you peace in mind. With managed server backups, your whole VPS is backed up twice every week with at least 5 backups and you can restore everything should you need to do so.
You can also purchase SATA space which is mounted as a second disk on your VPS so that you can back up directly within your VPS at the price of only 15 cents per GB. The other backup service offered by VPSBlocks is Offsite Server Backups where your entire VPS is backed up weekly to an offsite location with at least 3 backups offsite. If you have special requirements, we can also cater to custom backup requirements.
9. Uptime monitoring
You will want to be the first person to know if your website is experiencing any technical difficulties. Downtime can impact your business negatively such as unhappy clients, appearing unprofessional, lost of sales or leads, slow in detecting hackers, poor ranking in search engine. However, it is not viable to hire a person to stare at your monitor all the time just for this especially if you run a small to medium operation.
If you have chosen a reliable VPS service provider, they will do this task for you and work on getting your site back up before anyone else including yourself notice the problem. Choose wrongly and an unreliable VPS service provider can contribute to website unavailability too due to lack of maintenance and quality infrastructure.
As such, choosing the reputable VPS service provider with a good track record is important in ensuring that your website loads properly.
As one of the leading Australian VPS hosting companies around, VPSBlocks offers a 24x7 service monitoring where you can setup 24x7 HTTP/URL monitoring to notify you of any failures via email and/or SMS alerts. It features 1-minute monitoring which means that it checks your website as often as once per minute. We also keep you in the loop by sending multiple notifications prompting you with updates and our staff are ready to attend to any automatic reboots of your Aus VPS after a certain number of failures.
10. Automate repetitive work
This is one of the top methods to optimize your VPS and your business’ productivity as it reduces the time and labour costs taken to perform repetitive tasks. Most of the repetitive tasks are administrative in nature such as database backups, email reminders, etc.
You can do so by using Cron which is a Linux based tool for scheduling time-based jobs that run automatically at a predetermined date and time and fixed interval.
11. Install a hosting control panel
Hosting control panel is an efficient tool to manage your VPS package. Two of the most powerful and popular control panels are cPanel and Plesk. With the hosting control panel, you can manage your entire server as you wish by creating and running applications, working with FTP, email management, upload website’s files, database management, etc.
VPSBlocks has a wide variety of options of the control panel in our VPS services offered including Windows VPS. The good news is if you want to use another control panel, you can contact them directly to inquire on whether they can configure it for you.
Does the above information sound a little too much for you to handle?
In an unmanaged VPS server environment, the entire server administration and the responsibilities of configuration and management including the security rest on the end user.
Even though unmanaged VPS is less expensive than managed or semi-managed VPS hosting when you compare the packages with the same allocated resources, you must have extensive knowledge in administration of server and a lot of spare time on top of focusing on the core of your business to constantly safeguard the server by making sure that the server’s services and website scripts are up to date to the latest version to avoid cyber-attacks.
As such, unmanaged VPS is only suitable for those with highly skilled and tech-savvy people with a reasonable amount of knowledge on configuration and VPS management. Unmanaged VPS is definitely not recommended for beginners with limited technical knowledge who wonder how to access my VPS? How to use a VPS? What is VPS server configuration?
Confused about what you’ve just read? Maybe it’s time to brush up with our ultimate guide to what is VPS Hosting and How to Use a VPS!
Well, the good news is that there are actually a lot of Australian VPS hosting companies that can manage your Aus VPS for you where the expert will set up and make the changes for you for almost all the tasks listed above in this article.
VPSBlocks offers a managed VPS package where support is provided for every single server management task on request including software installations, configurations, network issues, DNS setup, maintaining the virtual server’s security, security updates and even troubleshooting with guaranteed of receiving priority if any critical issues arise.
Essentially, everything will be managed from head to toe and all you need to do is to create the hosting account and update your domain DNS to kickstarts everything.
If you are not skilled in server administration or don’t mind paying a little bit more for peace of mind so that you get to focus on the core objectives of the businesses by leaving your VPS to an expert to manage, then VPSBlocks should be your go-to service provider.
On the other hand, if you are indecisive as to whether managed VPS plan or unmanaged VPS plan suits you, then you should consider a “semi-managed VPS”.
Put simply, it means that the VPS service provider being the administrator will handle any hardware, operating system or basic configuration issues which you may encounter.
The issues range from basic website relates issues (such as 404s, Internal server errors etc), slow loading webpage, basic task automation, configuring specific settings, basic firewall setup/ troubleshooting to failure of the server to restart.
If you choose a semi-managed VPS plan from VPSBlocks, we can firewall out any unwanted traffic at the hardware level before it even reached your VPS and even block out all the other ports and their expert will advise on getting the best performance from your server.
Semi-managed VPS plan is a good idea for someone who is not experienced in command line Linux administration as you get to use control panel interface to manage your Linux server making it easier. VPSBlocks offers an extensive control panel which allows you to shut down, start, suspend, take snapshots, mount DVDs, console access, etc
While you can totally take a ride in the backseat in the server management if you have chosen a managed VPS plan or take a slightly relax stance if you have chosen a semi-managed VPS plan, it is still very important that you conduct some research to ensure that you choose the right VPS service provider for your business since the very first day.
If you are serious about making the upgrade from shared to VPS, then you should consider a few factors including the essential features of the VPS service provider before you make your decision. Here are some questions to get you going:
- How is the company’s reputation?
- What are the types of support options in relation to customer service?
- Is the storage SSD or HDD?
- Do they offer semi manage or fully manage VPS plan?
- Do they have the self-healing failover feature?
- Most importantly, will I actually get what the VPS company promises?
It can be a difficult task to look for a good and reliable VPS hosting provider.
To begin with, there are only a handful of reliable and reputable companies that provide top quality VPS service in Australia that are truly Australian.
Some companies choose to outsource their customer care services to a foreign country to save on operation costs whilst some have data centers with outdated technology.
On the contrary, VPSBlocks is proud to be a true Australian VPS hosting company that provides a wholesome package and complete suite of support services that is tailored to suit your business and make it work.
Our entire support team is based in Melbourne and happy to tend to your questions at any given moment. You’ll also be glad to also know that all their data centers are located in Melbourne backed by robust network infrastructure that offers unparallel redundancy at the highest level of security.
It is not surprising that despite the top security measures taken, many businesses are still worried that using cloud services such as VPS cloud hosting would increase the risk of their data being stolen and wiped off.
This is when a good VPS service provider such as VPSBlocks that provide high-quality VPS features consistent with the latest technology advancement would make all the difference. Not only does VPSBlocks use SSD, but all storage is also fast 100% SSD RAID storage which is the best data storage that VPS Australia can find with the main aim at protecting the important data of all businesses by distributing redundant data blocks across various SSDs.
Even though you have more control over the VPS with an unmanaged VPS, you are unable to reap the fullest benefits of what VPS can do for your business if you lack of the knowledge or time for the VPS management.
Now that you know the ways to optimize and maximize the security of VPS, looking for a good Australian VPS hosting provider that will take care of those for you should no longer be a problem.