
Every once in a while we have a customer who has been hacked, so I decided to put together a short to-do list for basic VPS security. Obviously security is a vast subject, and you should hire a system administrator to take care of your VPS security if you don’t have the know-how.

Anyways, here’s the basic list:

  1. Use strong passwords. Your passwords must have at least 8 characters (preferably more) and include all of the following: lowercase and uppercase letters, numbers and a few special characters, like: !@#$%^&*()_+{}|:"?><[]\';/,. Or set up keys for SSH authentication. This applies to the root password, the Hypanel account password and any user account on your VPS.
  2. Update your server. The first time you log in over SSH you should update your system (yum update in CentOS and alike, apt-get upgrade in Ubuntu and alike). The OS template that was used when deploying your system may not be up to date. Although we’re trying to keep all OS templates up to date, doing this for 30+ templates and tweaking new releases for OpenVZ is quite a lot of work.
  3. And keep your server up to date. Make sure you update frequently or set up an update daemon/cron.
  4. Disable all daemons/services that you don’t need. For instance, if you need just VPN, it doesn’t make sense to run a mail server or web server. This will reduce the attack surface on your server and you won’t be affected by some of the software vulnerabilities. And you’ll have more memory available for the system processes that you need ;).
  5. Don’t give your root password to people you don’t know or don’t trust. We had some incidents with customers who picked up some guy on some forum who “secured” their VPS. It turned out that the “security guy” just wanted a machine for spamming.
  6. Consider changing the default ports. For instance, configure SSH on port 2421 (this is just a random number that cropped up from my keyboard 😉 ) instead of the default 22. But don’t rely on this too much: while some of the automated brute-force bots will only try port 22, there’s no excuse for having a weak password.
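A quick check for items 1 and 6 against an sshd_config-style file, as an added example that is not part of the original post. It relies on two sshd_config rules: Port may be repeated (sshd listens on every listed port), while for single-valued keywords the first occurrence wins. The sample config and the user name in it are constructed, and Include files are assumed not to be in use.

```shell
#!/bin/sh
# Added example, not from the original post: check sshd_config for items 1 and 6.

# Print every global value of keyword $2 in config file $1, one per line.
# Keywords are case-insensitive; "Key Value" and "Key=Value" are both valid.
# Lines after the first "Match" are conditional and are not global settings.
# Assumption: "Include" files are not followed.
sshd_values() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            match(line, /^[^ \t=]+/)
            key = tolower(substr(line, 1, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            if (key == "match") exit
            if (key == want) print val
        }' "$1"
}

# Print one finding per line; no output means both checks passed.
audit_sshd() {
    # Port may be repeated and sshd listens on every one; unset means 22.
    ports=$(sshd_values "$1" Port)
    case " $(echo ${ports:-22}) " in
        *" 22 "*) echo "item 6: sshd still listens on default port 22" ;;
    esac
    # Single-valued keyword: the first occurrence wins; unset means yes.
    pw=$(sshd_values "$1" PasswordAuthentication | head -n 1)
    if [ "${pw:-yes}" != no ]; then
        echo "item 1: password logins enabled; use strong passwords or keys"
    fi
}

# Constructed sample config: port 22 left in place next to the new port.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2421
port 22
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd "$sample"
rm -f "$sample"
```

On a live server, sshd -T prints the effective configuration that sshd itself computes, which also covers Include files.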

Again, this is just a basic list. Talk to a professional system administrator if you don’t have the knowledge or you don’t have the time.

What is your basic security checklist?


  1. Adding another: Keep your scripts up to date! For example, if you run a forum or blog, “apt-get upgrade” won’t upgrade SMF, WordPress, phpBB3, etc…

  2. Yes, you’re right!

    My mind was focused on hacking a VPS to gain root access.

    Obviously most of the sites get hacked by exploiting script vulnerabilities.

  3. Here’s some more pretty basic security stuff:

    – the root shouldn’t be allowed to login via SSH. There’s an option within the SSH server configuration file (usually /etc/ssh/sshd_config): PermitRootLogin no (by default yes). Instead use an intermediate account that can execute the su command.

    – sudo shouldn’t be installed onto production servers. While it provides a more comfortable way of running root commands, it actually is a security risk as it can provide privilege escalation.

    – go beyond the package management system if the software provided by the repositories is too old. RHEL & friends have PHP 5.1.6 for example. The main services (such as web server, dynamic language interpreter, database server) have priority if that’s the usage intention. The rest of the system can be upgraded via standard package management tools.

    I’d go against auto-updating an OS, except running stuff like apt-get update from Debian & friends which updates just the package list. I would go with a cron notification when the updates are available, but not with an auto-update since the custom configuration files may break during an auto update, or the newer version of the software may break with the old configuration files. It’s not a common situation, but it can happen.

  4. Perhaps the most obvious one has been left off. Set up a tight firewall and close all unneeded ports.

    Then install fail2ban and logwatch (to monitor effectiveness of other security)
