Leaking customer data is never a good look for a business – in addition to the damage to your business’s reputation, it can result in serious legal penalties. In this post, we will discuss some ways to protect your VPS from an attacker, but first let’s understand what a VPS is.
What Is a Virtual Private Server (VPS)?
A VPS is a virtual machine that provides virtualized server resources on a physical server shared with other users. Unlike shared hosting, where resources are pooled among multiple users, a VPS offers dedicated server space with reserved resources.
Here are a few reasons why people pick VPS:
- Isolation: Each VPS operates independently, ensuring that activity in one VPS doesn’t affect others. If one website is attacked or infected, it won’t impact other secure VPS instances.
- Dedicated Resources: A VPS allocates its own CPU, memory, and storage – if one VPS consumes a ton of resources, then it will not affect any other servers.
- Customization: VPS allows custom security features tailored to your needs, such as advanced firewall configurations and intrusion detection systems.
Why Secure Your VPS?
Did you know that cyber-attacks happen every 39 seconds on average?
In March 2023, a staggering 41.9 million records, including drivers’ licenses, passport numbers, and financial statements, were compromised worldwide due to cyberattacks.
If you are hosting your website on RunCloud, then you’ll likely already have a few servers up and running. It’s essential to keep these servers secure and locked down for several reasons:
- Cyber Threats: Default configurations, outdated services, and weak access controls can leave your VPS vulnerable to unauthorized access, data breaches, and cyber-attacks.
- DDoS Attacks: A robust security solution will protect against Distributed Denial-of-Service (DDoS) attacks that overwhelm your server with traffic, causing downtime.
- Phishing and Malware: Implementing security measures prevents phishing attempts and malware infections.
- Data Protection: If your server gets hacked, then your sensitive data could be stolen or held to ransom.
How Can a VPS Server Be Hacked? – Common VPS Vulnerabilities
It is well known that any server connected to the internet will attract hackers trying to exploit it.
Let’s take a look at some of the ways bad actors try to compromise servers:
- Website Vulnerabilities: Websites are public to the entire world, and attackers exploit vulnerabilities in web applications to gain unauthorized access or manipulate data. These vulnerabilities can arise for several reasons:
  - Running outdated software exposes security flaws.
  - Poorly written code may have vulnerabilities.
  - Incorrect server settings can lead to exploitation.
- Server access via SSH: When you log in to a server via SSH, you gain complete access to that server’s files and all its resources. Because of this, hackers run an army of bots that constantly tries to SSH into servers on the internet using several techniques. (Read our guide on SSH service hardening to learn how to stop it.)
- Compromised Hosting Provider: If you are renting your VPS from a hosting company, then it is important to note that a physical server is still present somewhere in a datacenter. If the hacker is able to physically access the server, then it would be very hard for you to stop the hacker.
VPS Security Tips to Protect Your Server
If you’re running a server on the internet, it is essential to stay updated with the latest cyber threats and security practices.
Let’s take a look at some ways to protect your server on the internet:
1. Use Strong Passwords and Two-Factor Authentication
It is absolutely essential to create complex passwords with a mix of uppercase and lowercase letters, numbers, and special characters for all administrative accounts. Moreover, you should enable two-factor authentication (2FA) for an additional layer of security.
If you are using RunCloud, you can take advantage of our password generator utility which automatically generates unique and random passwords for each login.
2. Use Passkeys instead of Passwords
Passkeys are a form of passwordless authentication which allow you to sign in without using a typical plaintext password. This method of authentication is considered more secure as it relies on public key cryptography.
3. Switch to SSH Keys for Server Login
Wherever possible, replace the password-based SSH authentication with SSH keys and configure your SSH server to allow key-based authentication only.
On RunCloud, you can take advantage of our key vault functionality to seamlessly log in to your servers in a secure manner.
4. Set Up Website Firewalls
If your cloud provider offers a firewall service at the network level, then you should configure it to block incoming traffic on all ports that are not in use. If you don’t have access to a firewall service, you can also install and configure iptables (the firewall tool built into Linux) and create rules to filter incoming and outgoing traffic based on your requirements.
On RunCloud, you can easily manage and update your firewall rules directly from the Security tab.
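Before tightening the rules, it helps to compare what is actually listening with what the firewall allows. The following is an added example, not RunCloud code: it parses constructed `ss -H -tln` output, and the function name and the allow-list are assumptions made for illustration.

```python
import ipaddress

# Constructed output of `ss -H -tln` (listening TCP sockets, numeric, no header).
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 511  0.0.0.0:80        0.0.0.0:*
LISTEN 0 511  0.0.0.0:443       0.0.0.0:*
LISTEN 0 151  127.0.0.1:3306    0.0.0.0:*
LISTEN 0 511  *:6379            *:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 128  [::]:22           [::]:*
LISTEN 0 4096 [::1]:11211       [::]:*
"""


def review_allowlist(ss_output, allowed):
    """Compare externally reachable listeners with the ports the firewall allows."""
    external = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %interface
        # Services bound only to loopback are not reachable from the network.
        if host != "*" and ipaddress.ip_address(host).is_loopback:
            continue
        external.add(int(port))
    allowed = set(allowed)
    return {
        # Bound to a public address but absent from the allow-list: close the
        # service or bind it to loopback instead of relying on the firewall.
        "unexpected": sorted(external - allowed),
        # Allowed through the firewall although nothing listens: drop the rule.
        "unused": sorted(allowed - external),
    }


if __name__ == "__main__":
    # Hypothetical allow-list: FTP, SSH, HTTP, HTTPS.
    print(review_allowlist(SAMPLE_SS, {21, 22, 80, 443}))
```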
5. Use SFTP Instead of FTP
FTP relies on older technology and lacks encryption, making it vulnerable to sniffing attacks. If you’re still using FTP to transfer files, then you should switch to SFTP, a newer and more secure option.
6. Implement Fail2Ban for Brute-Force or DDoS Attacks
Although using a strong password will prevent bots from easily guessing your password, it will not stop them from trying to make incorrect guesses. Even if a hacker is not able to log in to your server, submitting an incorrect password still consumes resources on your server. This technique can be used to launch Denial-of-Service attacks. To stop this, you can configure Fail2Ban, a service that monitors system logs and blocks IP addresses after multiple failed login attempts.
We have already written a detailed post which explains how to configure Fail2Ban on WordPress. If you want to learn more about this topic, we recommend reading the Fail2Ban documentation.
7. Review User Rights and Permissions
If you have a team of people who access your servers, then it is recommended to give each one of them their own login credentials with limited access. Moreover, we recommend creating a separate user account on your RunCloud server whenever creating a new web application to keep it isolated.
8. Keep Your Applications & Software Updated
One of the most common ways hackers gain access to sensitive information is by exploiting known vulnerabilities in software. Updating your applications regularly will address these security issues and close any backdoors that could be exploited by cybercriminals. We recommend reading the following posts to learn more about updating your servers:
- How To Check & Upgrade Your WordPress Version
- Upgrading Your Server’s Operating System on RunCloud
- Using Outdated PHP Versions on RunCloud
9. Pick a Reliable Hosting Provider
As we mentioned earlier, if an attacker is able to gain physical access to your server, then it becomes very easy for them to compromise your server. Although this seems far-fetched, these things do happen in real life. In 2023, Cloud Nordic lost all of their customers’ data because hackers were briefly able to access the servers during transportation.
Therefore, it is absolutely essential to pick a hosting provider with a good reputation and robust security practices.
10. Use a Secure Cloud Server Manager
A safe and easy way to secure your website is by using a secure cloud service manager that takes care of your websites for you. RunCloud is a robust cloud server management tool that prioritizes security and implements best practices to ensure the safety of your server and website. Here’s how RunCloud enhances your server’s security:
- SSH Key Authentication: RunCloud supports public and private key authentication, which is generally considered more secure than password-based authentication.
- Permission Levels: You can assign different privileges to different users or teams within an app, enhancing control over user access.
- Password and Credential Storage: RunCloud enforces a complex password standard and stores credentials in hash form.
- Firewall Control: RunCloud allows you to fully control your firewall configuration.
- Free SSL Installation: RunCloud offers 1-click installation of free SSL/TLS by Let’s Encrypt.
- Strict Port Control: By default, only necessary ports are opened, reducing the risk of attack.
- IP Whitelisting: You can whitelist IPs for unrestricted access to your dashboard.
- Automated Server Configuration: RunCloud automates server configuration with the best industry practices.
By using RunCloud, you’re not only opting for a tool that simplifies server management but also choosing a solution that prioritizes security. This makes RunCloud an excellent choice for managing your VPS in 2024.
Wrapping Up: Securing Your Server with RunCloud
Securing a server is no small feat, but it’s absolutely essential – whether you’re running a personal blog, an e-commerce site, or a complex web application, safeguarding your server ensures data integrity, privacy, and reliability.
RunCloud simplifies server management across various cloud providers (AWS, DigitalOcean, Google Cloud, etc.) and provides an intuitive dashboard for deploying, monitoring, and securing your servers.
With RunCloud, you can focus on your applications while benefiting from robust security features such as automatic security updates, web application firewall (WAF) rules, SSL certificate management, and much more.
FAQs about VPS security
Are VPSs really private?
Yes, each VPS is isolated from others on the same physical server, ensuring that your resources are not shared with other users. However, it’s essential to configure security settings properly to maintain this privacy.
Should I encrypt my VPS?
Encrypting your VPS is good practice because it protects your data from unauthorized access, especially if someone gains physical access to the server. Disk encryption ensures that even if someone breaches the server, they cannot access the data without the encryption key.
Is VPS safer than shared hosting?
VPS offers more security than shared hosting, because with VPS you have dedicated resources, isolation from other users, and control over server settings. Shared hosting, on the other hand, shares resources among multiple users, which can pose a security risk under certain conditions.
How much traffic can a VPS handle?
The capacity of a Virtual Private Server (VPS) can vary based on several factors. First of all, each provider has its own infrastructure, network, and resource allocation policies, so a VPS across two different providers would have very different capacity. Moreover, content-heavy websites with large images, videos, or dynamic elements require more resources.
How to secure SSH on VPS?
To secure SSH on your VPS: change the default SSH port, disable root login, limit authentication methods, set up a firewall, and use strong passwords or SSH keys.
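The checklist above, together with the key-only login advice in tip 3, can be checked against an `sshd_config` file. The following is an added example, not RunCloud code: the sample config is constructed, the function names are assumptions, and `Include` files and `Match` blocks are not evaluated.

```python
import re

# Upstream OpenSSH defaults for the keywords checked; distro packages may differ.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password", "pubkeyauthentication": "yes",
            "port": "22"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Target values for key-only login with root login disabled.
WANTED = {"PasswordAuthentication": "no", "KbdInteractiveAuthentication": "no",
          "PermitRootLogin": "no", "PubkeyAuthentication": "yes"}

# Constructed sample config, not taken from a real server.
SAMPLE = """\
Port 2222
PasswordAuthentication yes
PermitRootLogin=no
ChallengeResponseAuthentication no
# Hardening appended later; the earlier PasswordAuthentication line already won.
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def effective_settings(config_text):
    """Global-section values as sshd resolves them (first occurrence wins)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":  # conditional blocks are not evaluated here
            break
        if key == "port":   # Port may repeat; sshd listens on every one
            seen["port"] = f"{seen.get('port', '')} {value}".strip()
        else:
            seen.setdefault(key, value)
    return {**DEFAULTS, **{k: v for k, v in seen.items() if k in DEFAULTS}}

def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    s = effective_settings(config_text)
    findings = [f"{name} is '{s[name.lower()]}', expected '{want}'"
                for name, want in WANTED.items() if s[name.lower()] != want]
    if "22" in s["port"].split():
        findings.append("sshd still listens on default port 22")
    return findings
```

`audit(SAMPLE)` reports only the `PasswordAuthentication` line, because sshd uses the first value it reads for a keyword. On a live server, `sshd -T` prints the effective configuration with included files resolved.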
Are VPS encrypted?
A VPS is not inherently encrypted; however, different cloud providers may offer varying encryption options – consult your provider’s documentation for specific instructions.