Linux virtual servers have many advantages. In fact, a Linux VPS is more secure than other operating systems such as Windows because it has LSM (Linux’s security model) installed. But this system is not enough and cannot fully secure your virtual server. In this article, we are going to teach you 20 ways to secure a Linux virtual server to prevent hacking.
20 Ways to Secure a Linux Virtual Server to Prevent Hacking
By default, Linux is more secure than its competitors, but there are still vulnerabilities that need to be addressed. The techniques we teach you today to make Linux more secure do not require much expertise to set up, and you can easily use these methods.
1. Disable the login with the root user
Want a secure VPS? You should never log in as the root user.
By default, every Linux virtual server has “root” as the primary username, so hackers use brute-force attacks to try to obtain its password. Disabling login for the “root” username adds another level of security to your server and prevents hackers from logging in as the root user.
Instead of logging in as the root user, you will need to create another username and use the “sudo” command to execute root-level commands. Sudo is a special access right that can be given to authenticated users so that they can execute administrative commands, which eliminates the need for root access.
Before disabling the root user, make sure that the user you intend to use has the permissions it needs. When you are ready, open the SSH server configuration file in nano or vi from the server console and find the “PermitRootLogin” parameter.
By default, its value is equal to “yes”. Change it to “no” and save the changes.
2. Change the SSH port
The first port hackers use to connect to your SSH server is port 22. If you change this port, you have largely blocked their access to SSH. To do this, open the SSH server configuration file and make the appropriate change to the port setting.
Of course, before doing this, make sure that the port of your choice is not used by another service on the server.
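The checks from sections 1 and 2, as an added example that is not part of the original article: a small audit of an sshd_config-format file. It assumes the SSH server is OpenSSH, whose configuration file is normally /etc/ssh/sshd_config; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for root login and port 22.

# Print every global value of keyword $2 in file $1, in file order.
# Keywords are case-insensitive; the global section ends at the first Match.
sshd_values() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || NF == 0 { next }                # skip comments and blank lines
        { split($0, f, /[ \t=]+/) }             # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key { print tolower(f[2]) }
    ' "$1"
}

# Return 0 only if root login is explicitly "no" and sshd is not on port 22.
audit_sshd() {
    # sshd keeps the FIRST PermitRootLogin it reads; later lines are ignored.
    root=$(sshd_values "$1" PermitRootLogin | head -n 1)
    # Port may be repeated, and sshd listens on every port listed.
    ports=$(sshd_values "$1" Port)
    [ -n "$ports" ] || ports=22                 # no Port line means port 22
    rc=0
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    if printf '%s\n' "$ports" | grep -qx 22; then
        echo "FAIL: sshd still listens on port 22"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: root login disabled, ports:" $ports
    return "$rc"
}

# Constructed sample (not a real server): the "no" comes too late to count.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
permitrootlogin yes
PermitRootLogin no
EOF
audit_sshd "$sample" || echo "sample config needs fixing"
rm -f "$sample"
```

After editing the real file, running sshd -t checks the syntax before the service is restarted, and the current session should stay open until a login as the new user on the new port has been confirmed.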
3. Keep the server software up to date
Keeping the server software up to date is not difficult. You can easily use the rpm/yum or apt-get (Ubuntu/Debian) package manager to update to newer versions of installed software, modules and components.
You can even configure the operating system to send yum package update alerts via email. This makes it easier to keep track of changes. And if you want to automate tasks, you can set up a cron job to apply all the security updates for you.
If you use panels like DirectAdmin or cPanel, you should always keep them updated, although most of these panels update automatically and are nothing to worry about.
You should always install security patches at the earliest opportunity, because the risk of your server being infiltrated increases over time.
4. Disable unused network ports
Open network ports that you do not use are a good target for hackers; close them to protect yourself from attacks.
Use the “netstat” command to show all the open network ports.
Use “iptables” rules to close all ports, or use the “chkconfig” command to disable unwanted services. If you are using a firewall such as CSF, you can automate iptables rules.
5. Delete unwanted modules / packages
Your server probably has services installed that it does not need. Note that every service you remove from your server will alleviate some of your security concerns, so make sure you run only the services that you really need.
Be sure to avoid installing unnecessary software in the future to avoid security problems.
6. Disable IPv6
IPv6 has many advantages over IPv4, but it is very unlikely that you will use it, because few people do. Hackers, however, use IPv6 a lot. Disable IPv6 if you are not using it.
They usually send malicious traffic over IPv6, and leaving the protocol enabled puts your server at risk. To resolve this issue, edit /etc/sysconfig/network and update the settings so that they read NETWORKING_IPV6=no and IPV6INIT=no.
7. Use GnuPG encryption
Hackers usually target data while it is being transmitted over the network. This is why it is essential to encrypt transfers to the server using passwords, keys and certificates. GnuPG is a popular tool, a key-based authentication system used to encrypt communications. This system encrypts data with a “public key”, and the result can only be decrypted with a “private key” that is available only on the recipient side.
8. Set a strong password
A weak password is always a big threat to security. Do not allow your server users to use weak passwords that are easily found.
When choosing a password, it is better to use uppercase and lowercase letters, numbers and symbols. You can also specify a time period after which the user must change the password.
Also use the “faillog” command to set the login failure limit and lock user accounts after failed attempts to protect the system from brute-force attacks.
9. Firewall configuration
You need a firewall if you really want to have a secure VPS.
NetFilter is a firewall integrated with the Linux kernel that you can configure to filter out unwanted traffic. With NetFilter and iptables, you can counter distributed denial-of-service (DDoS) attacks.
Setting up a firewall is not enough; make sure it is configured correctly.
TCP Wrapper is another useful application, a host-based access control list system used to filter network access for various applications. It also offers hostname authentication, standardized logging, and spoofing protection, all of which help increase your security.
Other popular firewalls include CSF and APF, both of which have plugins for popular panels such as cPanel and Plesk.
10. Use disk partitioning
To increase security, it is a good idea to partition the disk to separate operating system files from user files, tmp files, and third-party programs. You can disable SUID / SGID access (nosuid) and the execution of binaries (noexec) on the operating system partition.
11. Make /boot read-only
On Linux servers, all kernel files are stored in the “/boot” directory.
But the default access level for this directory is “read-write”. To prevent unauthorized changes to boot files that are critical to your server’s performance, change the access level to “read-only”.
To do this, simply edit the /etc/fstab file and add the line LABEL=/boot /boot ext2 defaults,ro 1 2 at the bottom. If you need to change the kernel in the future, you can easily reset it to “read-write” mode. You can then make changes and return it to “read-only” mode when you’re done.
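An added example, not part of the original article, covering sections 10 and 11: a check that the mount options described above are actually present in an fstab-format file. The function names and the sample file are constructed, and applying nosuid and noexec to /tmp is an assumption of this example.

```shell
#!/bin/sh
# Added example: check mount options in an fstab-format file.

# $1 = fstab-format file, $2 = mount point, $3 = required options
# (space-separated). Prints one line per problem; prints nothing when the
# mount point has every required option.
missing_mount_opts() {
    awk -v mp="$2" -v need="$3" '
        /^[ \t]*#/ || NF < 4 { next }             # comments, blank lines
        $2 == mp {
            found = 1
            n = split($4, have, ",")              # 4th field: mount options
            for (i = 1; i <= n; i++) has[have[i]] = 1
            m = split(need, want, " ")
            for (i = 1; i <= m; i++)
                if (!(want[i] in has)) print mp ": missing " want[i]
        }
        END { if (!found) print mp ": no entry of its own" }
    ' "$1"
}

# Policy from sections 10 and 11. Using /tmp for nosuid/noexec is an
# assumption of this example; adjust the mount points to your own layout.
audit_mounts() {
    {
        missing_mount_opts "$1" /boot "ro"
        missing_mount_opts "$1" /tmp  "nosuid noexec"
    } | grep . && return 1
    return 0
}

# Constructed sample fstab (not from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
LABEL=/boot  /boot  ext2  defaults,ro      1 2
/dev/sda3    /tmp   ext4  defaults,nosuid  1 2
/dev/sda1    /      ext4  defaults         1 1
EOF
audit_mounts "$sample" || echo "fstab does not meet the policy"
rm -f "$sample"
```

An edit to /etc/fstab changes nothing until the file system is remounted, so running the same check against /proc/mounts shows the options actually in effect. For a kernel update, mount -o remount,rw /boot and mount -o remount,ro /boot switch the partition back and forth.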
12. Use SFTP instead of FTP
The file transfer protocol (FTP) is no longer secure, even when using encrypted “FTP over TLS” (FTPS) connections.
Both FTPS and FTP are vulnerable when a computer program intercepts and monitors network traffic. FTP is sent in the clear, and FTPS file transfers are sent in the clear, meaning only certificates are encrypted.
SFTP, which is “FTP via SSH” (also called “Secure FTP”), completely encrypts all data, making your server secure.
13. Use a firewall
Your firewall is a gateway that both allows and blocks access to the server and is your first line of defense against hackers. Installing and configuring a firewall is the first thing you need to do when installing and securing a VPS or bare metal server.
14. Install antivirus software
The main job of a firewall is to prevent access to server information, and it is your first line of defense against hackers. But no firewall is completely secure and many kinds of malicious software can bypass it, so other security measures are needed.
Many server administrators do not install antivirus on their servers because they find it limiting. They avoid it because installing these antivirus products requires a bit of expertise and cost, and they do not want to pay for the security of their server.
But if you do not have enough money to buy paid antivirus, you can use free versions like ClamAV and Maldet that can scan your server and show you suspicious files.
15. Automatic CMS update
Hackers are always trying to find security holes, especially in content management systems. The most famous of these are Joomla, Drupal and WordPress, and most websites use one of them. Most developers of these CMSs release a lot of security updates. Of these content management systems, WordPress releases the most updates. It also allows you to update automatically when a new version is released. If you are using an old version of WordPress, update it now to prevent hackers from infiltrating.
16. Activate cPHulk in WHM
In addition to the firewall, cPanel has a “cPHulk” brute force security system.
Firewalls are not without flaws. Sometimes they get it wrong and hackers can break in, which is often due to incorrect firewall settings. Meanwhile, cPHulk acts as a secondary firewall, preventing brute-force attacks on the server.
cPHulk first blocks the login feature, and the firewall later blocks the entire IP. To enable it, you will need to go to the WHM Security Center and select cPHulk Brute Force Protection.
17. Prevent anonymous FTP upload
cPanel and Plesk both disable anonymous FTP uploads by default, but on other services they may be enabled by default.
Allowing anonymous users to upload via FTP is a major security risk, because it allows anyone to upload whatever they want to your web server. As you can imagine, this is not recommended at all; it is like giving your keys to a thief. To disable guest uploads, edit your FTP server configuration settings.
18. Install a rootkit scanner
One of the most dangerous types of malware is the rootkit.
A rootkit exists at the operating system level, below other normal security software, and allows undetected access to the server. Fortunately, you can use chkrootkit, an open source tool, to find out if your server is infected. But rootkits are not always easy to remove, and the best way to remove them is to reinstall the operating system.
19. Back up regularly
There are many people who forget to back up regularly and regret it when something goes wrong and they do not have a copy of their data. No matter how careful you are, and no matter how secure your server is, there is always the possibility of error and trouble.
Never take dangerous risks, such as not backing up, and do not depend too much on your host to do so. Backing up yourself is the best way, even if your hosting provider backs you up daily. Save copies to different locations, and consider using backup space or Google Drive.
20. Use a strong password
Poor passwords are a security threat to your Linux server. Of course, this also applies to Windows servers! Try to choose a complex password; one consisting of uppercase and lowercase letters, different numbers and symbols is very good. Make your password as long and complex as possible.
Of course, both cPanel and Plesk can apply a strong password policy and expire the password periodically.
There are millions of hackers around the world working on the smallest vulnerabilities in your VPS. You need to secure your VPS against these threats, because sooner or later hackers will come to you. Corporate websites and online stores are the best targets for hackers around the world. Although most companies have basic security standards, they are usually easily compromised. This article tries to explain most of the ways to secure a Linux VPS Server and prevent hacker attacks.