Online security is one of the biggest challenges in today’s hacker-heavy digital arena. Security is the first parameter you should reinforce, as it is directly related to the brand value of your business and your users’ precious data. Along with other factors, the hosting service provider plays the most essential role in housing your website within an imperishable castle, guarded by the walls of web security. It’s true that VPS hosting technology has bridged the gap between pricey dedicated hosting and entry-level shared hosting. So, for most mid-sized businesses, VPS hosting is the hot cake.
Now, the single question that remains is ‘how to secure your VPS server?’ Generally, for security issues, a VPS provider takes care of the following areas:
- Internal Encryption – server-to-server network communication
- Full-disk encryption within a virtual infrastructure (with a proper scope)
- Up-to-date standard of virtualization technology to fight the latest security threats
- Security of the management interface
These are the baseline security features a regular VPS hosting provider delivers. According to the market leaders in web security, Linux VPS hosting is less vulnerable to security threats or malware attacks than Windows servers. Moreover, contemporary VPS hosting services have already moved beyond the age-old dilemma of choosing either Windows or Linux as their main server OS. Now, a Linux VPS host can also install programs that combat malware for the Windows ecosystem. Admittedly, with this feature Linux VPS hosting has turned itself into a more versatile hosting solution for users where security is concerned.
One thing is for sure: the power of the open source community behind Linux is the largest insurance for any user dealing with a Linux VPS. Its members are an authority in their field, and at the same time they reach you pretty fast if you are facing any glitch.
Threats are unavoidable and they are evolving every single day to gain much more penetrating and destructive power. The current standard of web security is getting a real push to raise its power to combat these digital demons. Any VPS hosting provider can dodge these security threats by employing a standard set of rules. They are:
- Internal and external audit of server
When you run an audit on your server, everything regarding the websites hosted on it, and any possible vulnerability in them, gets uncovered. Not every threat comes from outside ‘malicious users’; there can be security breaches from within. So, the first step to secure your server is to run an internal audit. Get a clear idea of what’s going on with your system and where security loose ends are creating an ample backdoor for hackers. Thankfully, plenty of freeware is out there on the web to carry out such audits on both Linux and UNIX-based servers. Moreover, some tools offer the flexibility of scheduling regular, automatic audits on your server.
- Server Hardening
Server hardening is a standard practice to make your server more secure by locating and eliminating security loopholes within your network, connected data centers, SSH access, Linux firewall and more. The following five security measures will help in Linux server hardening:
- > Use Secure Shell (SSH)
SSH is a secure protocol that uses advanced encryption technology while communicating with the server. You should never log in directly as root unless it is necessary. Further, always use “sudo” to execute commands. sudo privileges are specified in the /etc/sudoers file, which can be edited with the “visudo” utility, which opens it in the vi editor. It is advised to change the default SSH port number, 22, to some other, higher port number. You should open the main SSH configuration file and set the following parameters in order to restrict user access.
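As an added example (not part of the original article), this script audits an sshd_config file for the three points made above: root login, the default port, and restricting which users may log in. `Port`, `PermitRootLogin` and `AllowUsers` are standard OpenSSH keywords; the function name `audit_sshd`, port 2222 and the user names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed above.
# The two sample files are constructed; point audit_sshd at /etc/ssh/sshd_config in practice.

audit_sshd() {
    cfg=$1
    # sshd uses the first value it reads for each keyword; commented lines
    # never match because their first field starts with '#'.
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$cfg")
    root=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$cfg")
    allow=$(awk 'tolower($1) == "allowusers" { print "set"; exit }' "$cfg")

    # With no Port line, sshd listens on 22.
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN port: SSH listens on the default port 22"
    fi
    # Anything other than an explicit "no" leaves some form of root login open.
    if [ "$root" != "no" ]; then
        echo "WARN root: PermitRootLogin is '${root:-unset}', expected 'no'"
    fi
    if [ -z "$allow" ]; then
        echo "WARN users: no AllowUsers line, SSH logins are not limited to named accounts"
    fi
    return 0
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
WEAK_CFG=$tmp/sshd_config.weak
HARD_CFG=$tmp/sshd_config.hardened

cat > "$WEAK_CFG" <<'EOF'
#Port 2222
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
AllowUsers deploy admin
EOF

echo "== weak ==";     audit_sshd "$WEAK_CFG"
echo "== hardened =="; audit_sshd "$HARD_CFG"
```

After editing the real file, validate it with `sshd -t` and keep an existing session open while reloading the service, so a mistake does not lock you out.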
- > Turn on SELinux
SELinux (Security-Enhanced Linux) is an access control security mechanism provided in the kernel. It is a compulsory security mechanism. You should think twice before removing this security mechanism. SELinux provides the following three basic modes of operation:
Enforcing- the default mode, which enables and enforces the SELinux security policy on the machine
Permissive- in this mode, SELinux will not enforce the security policy on the system. It will only warn and log actions. This mode is helpful for troubleshooting SELinux-related issues.
Disabled- SELinux is turned off
You can also view the current status of SELinux mode from the command line. Use ‘system-config-selinux‘, ‘sestatus‘ or ‘getenforce‘ commands.
If SELinux mode is disabled, you can enable it using the following command:
- > Restrict Users to Use Old Passwords
Old passwords are stored in /etc/security/opasswd, and the restriction can be achieved using a PAM module.
Open ‘/etc/pam.d/system-auth‘ file under RHEL / CentOS / Fedora
Open ‘/etc/pam.d/common-password‘ file under Ubuntu/Debian/Linux Mint.
Add the following line to the ‘auth‘ section.
Add the following line to the ‘password‘ section to disallow a user from re-using his or her last 5 passwords.
Only the last 5 passwords are remembered by the server. If you try to use any of the last 5 old passwords, you will get an error like.
- > Enable Iptables (Firewall)
If you want to protect your servers from unauthorized access, you should enable the Linux firewall. Further, apply rules in iptables to filter outgoing, incoming and forwarded packets. You can specify the source and destination address in order to deny or allow traffic on a specific udp/tcp port number.
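As an added example (not part of the original article), this function generates a default-deny ruleset in iptables-restore format that allows SSH only from one source range. The function name `fw_rules`, port 2222, the web ports and the documentation range 203.0.113.0/24 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emit a default-deny ruleset in iptables-restore format.
# Usage: fw_rules SSH_PORT ADMIN_CIDR
# Apply as root with: fw_rules 2222 203.0.113.0/24 | iptables-restore
# Caution: a wrong SSH port or source range here locks you out of a remote VPS.

fw_rules() {
    ssh_port=$1
    admin=$2
    # Reject anything that is not a plain number in the valid port range.
    case $ssh_port in
        ''|*[!0-9]*) echo "invalid port: $ssh_port" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "port out of range: $ssh_port" >&2
        return 1
    fi
    if [ -z "$admin" ]; then
        echo "missing admin source address" >&2
        return 1
    fi
    # Policy lines set the default: drop incoming and forwarded packets,
    # allow outgoing. Rules are evaluated top to bottom, first match wins.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $admin --dport $ssh_port -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

# Constructed sample values: SSH on 2222, admins in 203.0.113.0/24.
fw_rules 2222 203.0.113.0/24
```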
- > Keep /boot as read-only
The Linux kernel and its associated files are stored in the /boot directory, which is read-write by default. You should change it to read-only, which reduces the risk of unauthorized modification of important boot files. To change this, open the “/etc/fstab” file.
Add the following line at the bottom, save and close it.
Note that you should reset the change to read-write if you need to upgrade the kernel in future.
- Locking directory
This procedure is a little technical, but is quite effective. Websites have an array of folders and files that are stored on the web hosting account. In addition to containing the scripts and data required to make the website work, these files and folders are assigned a set of permissions that controls who can write, read, and execute any given folder or file.
In the Linux operating system, permissions can be viewed as a 3-digit code where each digit is an integer value between 0 and 7. In this code, the first digit signifies permissions for the owner of the file, the second digit signifies permissions for anybody assigned to the group that owns the file, and the last digit signifies permissions for everyone else. The values are assigned in the following way:
- 4 equals Read
- 2 equals Write
- 1 equals Execute
- 0 equals no permissions for that user
For example, take “644” as a permission code. In this case, the first digit “6” (or “4+2”) gives the owner of the file the ability to read and write the file. The second and third digits, “4”, mean that both group users and internet users can only read the file, which protects the file from any unwanted manipulation.
In a similar way, a file with code “777” (or 4+2+1 / 4+2+1 / 4+2+1) is readable, writable, and executable by the user, the group and everyone else in the world. It is always a good idea to set your permissions as mentioned below:
- Folders and directories = 755
- Individual files = 644
If you want to set your file permissions, you can connect to your server via FTP or log in to your cPanel’s File Manager. After that, you will see a list of existing file permissions.
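As an added example (not part of the original article), for those with shell access this script lists everything under a web root that deviates from the 755 / 644 scheme above, flags world-writable entries such as 777, and resets them. The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and reset permissions to 755 (directories) / 644 (files).
# The sample tree below is constructed; pass your own web root in practice.

# List entries under $1 that deviate from the scheme described above.
perm_audit() {
    find "$1" -type d ! -perm 755 -exec printf 'DIR  %s\n' {} +
    find "$1" -type f ! -perm 644 -exec printf 'FILE %s\n' {} +
    # Writable by "everyone else" (last digit includes 2), e.g. 777 or 666.
    find "$1" ! -type l -perm -002 -exec printf 'WORLD-WRITABLE %s\n' {} +
}

# Reset directories to 755 and regular files to 644.
# Caution: this also removes the execute bit from scripts that rely on it.
perm_fix() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SITE=$tmp/site
mkdir -p "$SITE/uploads" "$SITE/css"
: > "$SITE/index.php"
: > "$SITE/config.php"
: > "$SITE/css/site.css"
chmod 755 "$SITE" "$SITE/css"
chmod 644 "$SITE/index.php" "$SITE/css/site.css"
chmod 777 "$SITE/uploads"      # constructed weak setting
chmod 666 "$SITE/config.php"   # constructed weak setting

echo "== before =="
perm_audit "$SITE"
perm_fix "$SITE"
echo "== after (no output expected) =="
perm_audit "$SITE"
```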
- Intrusion Detection System
For detecting unauthorized usage, you should have preventative measures in place. An intrusion detection system (IDS) catalogs configuration and file details when they are in a good state. Then, it runs comparisons against these recorded states to find out if any setting has been modified or files have been changed. There are various intrusion detection systems; some good ones are Tripwire, Aide, Psad, Bro, and RKHunter.
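As an added example (not part of the original article, and not how any of the named tools is implemented), this script shows the record-then-compare idea described above using SHA-256 digests. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: minimal file-integrity check (record a known-good state, compare later).
# Store the baseline off the host or on read-only media; an intruder who can
# rewrite the baseline can hide any change.

# Record a SHA-256 digest for every regular file under $1 into baseline file $2.
ids_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Compare the current state of $1 with baseline $2.
# Prints ADDED / MODIFIED / REMOVED lines; prints nothing when unchanged.
ids_check() {
    cur=$(mktemp) || return 1
    ids_baseline "$1" "$cur"
    # Each line is a 64-character digest, two separator characters, then the
    # path, so the path starts at column 67 (this keeps paths with spaces intact).
    awk '{ p = substr($0, 67) }
         FILENAME == ARGV[1] { base[p] = $1; next }
         { seen[p] = 1
           if (!(p in base)) print "ADDED " p
           else if (base[p] != $1) print "MODIFIED " p }
         END { for (p in base) if (!(p in seen)) print "REMOVED " p }' "$2" "$cur" | sort
    rm -f "$cur"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
WATCH=$tmp/etc
BASE=$tmp/baseline.sha256
mkdir "$WATCH"
echo "PermitRootLogin no" > "$WATCH/sshd_config"    # constructed sample files
echo "127.0.0.1 localhost" > "$WATCH/hosts"
ids_baseline "$WATCH" "$BASE"

# Constructed changes made after the baseline was taken.
echo "PermitRootLogin yes" > "$WATCH/sshd_config"
rm "$WATCH/hosts"
echo "new file" > "$WATCH/unexpected.conf"

ids_check "$WATCH" "$BASE"
```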
- Data Backup
E-commerce websites require a different level of security, as these websites deal with huge databases: they host a plethora of products and, most importantly, users’ transaction data, which contains their personal and financial details. So, it’s a high priority to protect your e-commerce site from hackers. As in other scenarios, taking frequent data backups and keeping them in a different, more secure place is the only way out of this situation.
There are various ways through which you can back up your data. Some methods are listed below:
cp Command- Backing up a Linux VPS with the cp command is the simplest process. It basically copies files from one location to another. You could mount a removable drive on a local computer, and then copy files to it:
This example mounts a removable disk and copies the /etc directory to the disk. After that, it unmounts the drive, which can be stored anywhere.
Rsync- The rsync command is a better alternative to the cp command. It can be used to perform local backups with greater flexibility. You can perform the same operation as mentioned above using rsync with the following commands:
Rsync is able to perform remote backups as easily as it can complete local backups. For a remote backup, you need to use an alternative syntax. Use this command:
It will back up the local machine's /etc directory to the directory on remote_host located at /backup.
Backup Tools- Although the cp and rsync commands can be used easily, they are not always an ideal solution. If you want to perform automatic backups, you would need to script those utilities and write any code necessary for rotation. Fortunately, there are some good utilities that can perform complex backup procedures with great ease. Some of these tools are:
- Bacula- With this tool, you can back up one client to multiple storage devices, multiple clients to one storage device, and modify the backup scheme quickly by adding nodes or adjusting their details.
- BackupPC- It offers the benefit of installing all of the related packages on one central machine.
- Duplicity- It uses GPG encryption to store and transfer the data. One main benefit of using GPG encryption is that the data is not stored in plain text and only the owner of the GPG key can decrypt the data. This provides some level of security.
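As an added example (not part of the original article), this is what scripting cp with rotation, as mentioned above, can look like: each run writes a timestamped snapshot and prunes all but the newest few. The function name `backup_rotate`, its arguments and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: timestamped snapshots with rotation, built on cp.
# Usage: backup_rotate SRC DEST_ROOT KEEP [STAMP]
# DEST_ROOT should live on a separate disk or mount, as the article advises.

backup_rotate() {
    src=$1; root=$2; keep=$3
    stamp=${4:-$(date +%Y%m%d-%H%M%S)}
    dest=$root/$stamp
    # KEEP must be a positive integer; 0 would prune every snapshot.
    case $keep in
        ''|*[!0-9]*|0) echo "KEEP must be a positive integer" >&2; return 2 ;;
    esac
    mkdir -p "$root" || return 1
    if [ -e "$dest" ]; then
        echo "snapshot $dest already exists" >&2
        return 1
    fi
    # Copy under a temporary name and rename when complete, so a failed run
    # never leaves a half-written snapshot that looks valid.
    if ! cp -a "$src" "$dest.partial"; then
        rm -rf "$dest.partial"
        return 1
    fi
    mv "$dest.partial" "$dest" || return 1
    # Snapshot names sort chronologically; remove all but the newest $keep.
    ls -1 "$root" | grep -v '\.partial$' | sort -r | tail -n +"$((keep + 1))" |
    while read -r old; do
        rm -rf "$root/$old"
    done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SRC=$tmp/etc
DEST=$tmp/backup
mkdir "$SRC"
echo "constructed sample" > "$SRC/app.conf"

# Three constructed runs with fixed stamps, keeping the newest two.
for s in 20240101-0000 20240102-0000 20240103-0000; do
    backup_rotate "$SRC" "$DEST" 2 "$s"
done
ls -1 "$DEST"
```

Run it from cron with the STAMP argument omitted so each snapshot is named after the time it was taken.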
Educate and help Clients to follow your security standards
Security can’t be achieved unless every part of a system is transparent and under control. Likewise, for any web hosting, if customers leave loopholes within their hosted websites for hackers, then the entire server is exposed. So, the only measure to take care of this is to build a strong knowledge base for customers. Educate them to maintain overall security by spreading the necessary security awareness among them.
As a VPS service provider, one should set and implement rules like these for customers:
- Provide utilities for them to run precautionary checks of their website’s code to locate any loopholes within it
- Make an agreement with your customers to prevent any misuse of a client’s hosting account, and be vocal and informative about your security standards with them
- Set your own security standards and continually examine the code of your hosted websites to locate any possible security vulnerabilities. Take immediate and strong measures to hunt them down if there is any code that hasn’t passed your security levels.
These tips and practices show just the tip of a colossal iceberg, submerged under a lack of proper knowledge and information, but I’m pretty sure that continuously updating them is the only key to overcoming security issues with VPS hosting services.