
Basic VPS security checklist

Every once in a while we have a customer who has been hacked, so I decided to make a short to-do list for basic VPS security. Obviously security is a vast subject, and you should hire a system administrator to take care of your VPS security if you don’t have the know-how.

Anyways, here’s the basic list:

  1. Use strong passwords. Your passwords must have at least 8 characters (preferably more) and include all of the following: lower and upper case letters, numbers and a few special signs, such as: !@#$%^&*()_+{}|:"?><[]\';/,. Or set up keys for SSH authentication. This applies to the root password, the Hypanel account password and any user account on your VPS.
  2. Update your server. The first time you log in via SSH you should update your system (yum update on CentOS and the like, apt-get upgrade on Ubuntu and the like). The OS template that was used when deploying your system may not be up to date. Although we’re trying to keep all OS templates up to date, doing this for 30+ templates and tweaking new releases for OpenVZ is quite some work.
  3. And keep your server up to date. Make sure you update frequently, or set up an update daemon/cron job.
  4. Disable all daemons/services that you don’t need. For instance, if you only need VPN, it doesn’t make sense to run a mail server or web server. This reduces the attack surface of your server, so you won’t be affected by vulnerabilities in software you aren’t running. And you’ll have more memory available for the system processes you do need ;).
  5. Don’t give your root password to people you don’t know or don’t trust. We had some incidents with customers who picked up some guy on some forum who “secured” their VPS. Turned out that the “security guy” just wanted a machine for spamming.
  6. Consider changing the default ports. For instance, for SSH configure port 2421 (this is just a random number that cropped up from my keyboard 😉 ) instead of the default 22. But don’t rely on this too much: while some of the automated bots that brute-force logins will only try port 22, there’s no excuse for having a weak password.
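As an added, offline-runnable example (not code from the original post), the POSIX shell script below turns items 1 and 6 of the list into checks you can actually run: a password-policy function that applies the rule above, and a function that rewrites a copy of sshd_config so that SSH moves off port 22, password logins are turned off in favour of keys, and root can no longer log in with a password. The sample sshd_config, the port number 2421 and every function name are constructed for this example.

```shell
#!/bin/sh
# Added example for the checklist above; not code from the original post.
# Two offline checks: a password-policy test (item 1) and an sshd_config
# rewrite that moves SSH off port 22, turns off password logins in favour
# of keys and blocks root password logins (items 1 and 6). The sample
# config, the port number and all function names are constructed here.
export LC_ALL=C   # keep [a-z]/[A-Z] ranges literal regardless of locale

# password_meets_policy PASSWORD
# Returns 0 when PASSWORD has at least 8 characters and contains a lower
# case letter, an upper case letter, a digit and a special sign; else 1.
password_meets_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    printf '%s' "$pw" | grep -q '[a-z]' || return 1
    printf '%s' "$pw" | grep -q '[A-Z]' || return 1
    printf '%s' "$pw" | grep -q '[0-9]' || return 1
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || return 1
}

# sshd_setting FILE KEYWORD
# Prints the value sshd would use for KEYWORD: the first uncommented match,
# because sshd_config(5) applies the first value it reads, not the last.
sshd_setting() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{ print $2 }'
}

# harden_sshd_config FILE PORT
# Removes every existing (and commented-out) line for the four directives,
# so no earlier line can override ours, then appends the hardened values.
# Edits FILE in place; run it on a copy first.
harden_sshd_config() {
    cfg=$1
    port=$2
    grep -viE '^[[:space:]]*#?[[:space:]]*(Port|PubkeyAuthentication|PasswordAuthentication|PermitRootLogin)[[:space:]]' \
        "$cfg" > "$cfg.tmp" || :   # grep -v exits 1 when nothing is left
    {
        cat "$cfg.tmp"
        printf 'Port %s\n' "$port"
        printf 'PubkeyAuthentication yes\n'
        printf 'PasswordAuthentication no\n'
        # prohibit-password: OpenSSH 7.0+ spelling of the older without-password
        printf 'PermitRootLogin prohibit-password\n'
    } > "$cfg"
    rm -f "$cfg.tmp"
}

# make_sample_config FILE: a constructed sshd_config with the stock weak
# settings (root password login allowed, port left at the default 22).
make_sample_config() {
    cat > "$1" <<'EOF'
# sample sshd_config (constructed for this example)
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
EOF
}

# Demonstration on a temporary file.
for candidate in 'password' 'Tr0ub4dor&3'; do
    if password_meets_policy "$candidate"; then
        printf '%-12s meets the policy\n' "$candidate"
    else
        printf '%-12s is too weak\n' "$candidate"
    fi
done
demo_cfg=$(mktemp)
make_sample_config "$demo_cfg"
harden_sshd_config "$demo_cfg" 2421
printf 'Port=%s PasswordAuthentication=%s PermitRootLogin=%s\n' \
    "$(sshd_setting "$demo_cfg" Port)" \
    "$(sshd_setting "$demo_cfg" PasswordAuthentication)" \
    "$(sshd_setting "$demo_cfg" PermitRootLogin)"
rm -f "$demo_cfg"
```

Before pointing `harden_sshd_config` at the real /etc/ssh/sshd_config, keep a second SSH session open, allow the new port in the firewall, restart sshd, and confirm that key login works on the new port from a third connection, because a mistake here locks you out of the VPS. `sshd -T` prints the values sshd has actually loaded; on distributions whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in in that directory is read first and wins over anything appended to the main file, so check there as well.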

Again, this is just a basic list. Talk to a professional system administrator if you don’t have the knowledge or you don’t have the time.

What is your basic security checklist?