Welcome Guest, Not a member yet? Create Account  


Easy VPS protection for beginners!

#1
(This post was last modified: 07-15-2018, 06:41 AM by deanhills.)

1. Change the password of your VPS as soon as possible 
This should be the first thing you do.  All you do is use the command
Code:
passwd

Use a very complicated password.  Get one from this Website and make it as many complicated characters as you can - then keep it in a very safe place:
https://passwordsgenerator.net/

2. Change the number of your SSH port. 
Currently the default SSH port for VPSs is 22.  By changing the SSH port you will avoid at least 99% of all of the bots who have been created by hackers to log into your VPS.

Before you start to use your VPS choose a new random number between 49152 and 65535.  Here is a link to a tutorial for how to change the port with CentOS 7:
https://post4vps.com/thread-2151.html


3. Be careful with DNS and name servers
Make sure you get your name servers from a very reliable source.  DNS is an easy way for hackers to get access to your VPS and to use it as a launching pad for attacks on others.  Before you know it your VPS is suspended and you're not quite sure why.  Cloudflare comes very highly recommended by other VPS users so may be a good source of DNS. The Cloudflare nameservers don't prevent DDoS but the Cloudflare Dashboard allows one to minimize and monitor the attacks.  I personally prefer Namecheap for creating my own name servers with my domain.  Namecheap offers the ability to register two name servers with one IP

4. Make regular backups of EVERYTHING
Since one is a beginner, it is very easy to make mistakes.  VPSs are different to shared hosting.  With free unmanaged VPSs hosts don't make backups and backups are your responsibility only.  If your VPS is accidentally compromised for any good or bad reason, and the content is lost, it is permanently lost.  One of the first things you should do before you start to build anything on your VPS is to set up a system of backups.  Then to make backups regularly and make sure those are downloaded to your Website.  You should also test the quality of the backups and know how to restore them if and when needed. 

I personally use VestaCP to help with the backup and restore, however since most of my Websites are WordPress Websites I use the All-in-one WP Migration tool to save backups to my desktop and restore them if and when needed.  VestaCP has an added security bonus with having fail2ban installed and configured with the panel.

5. Use CMS scripts from a reliable source only and make sure updates are ALWAYS up to date - preferably automatically
One of the most important rules for beginners is to keep their CMS scripts - such as Joomla, WordPress, Drupal etc - always up to date.  Use scripts from a reliable source only.  Stay away from nulled scripts.  Preferably put all updates on automatic.  These scripts are a sitting duck for hackers and trouble makers, and one can never be secure enough with using them.

6. When you think you're going to be away from your VPS or find you're not using it for a while best to turn unused services OFF
One of the greatest threats for any server whether dedicated or VPS are scripts that are not up to date.  If you are planning to be away from your VPS for a while, it's better to turn off any of the scripts that are unused, particularly the ones that are regularly targeted by hackers such as BIND.  Hackers have bots that they send out to Websites that if and when there is a gap in security it can hijack your e-mail system and use your site for attacking other Websites.  Once that happens there are immediate alerts that are sent to the Data Center and an almost immediate suspension of your VPS.  This can also happen with out of date CMS scripts such as WordPress/Joomla/Drupal etc - any scripts that can be reconfigured by parties that can gain access of your admin system.  Better yet, if you think you're not going to be checking your VPS every day, rather use an external mail host like Zoho Mail, of Yandex Mail where you can still use your domain for the mail accounts, however your Website and mail service will be separate and more secure. 

There are obviously many other steps you can take to secure your VPS, including creating keyless entry, changing your root login, etc.  but the above are the easiest security steps for beginners. Bottom line for a beginner is not to take unnecessary risks until they know what they are doing.  Use Google to research what you do, better yet, ask other members in the FreeVPS.com support forum if you are unsure about anything first.
Reply

#2

(07-11-2018, 12:26 PM)deanhills Wrote: 1. Change the password of your VPS as soon as possible 
This should be the first thing you do.  All you do is use the command
Code:
passwd

Use a very complicated password.  Get one from this Website and make it as many complicated characters as you can - then keep it in a very safe place:
https://passwordsgenerator.net/

2. Change the number of your SSH port. 
Currently the default SSH port for VPSs is 22.  By changing the SSH port you will avoid at least 99% of all of the bots who have been created by hackers to log into your VPS.

Before you start to use your VPS choose a new random number between 49152 and 65535.  Here is a link to a tutorial for how to change the port with CentOS 7:
https://post4vps.com/thread-2151.html


3. Be careful with DNS and name servers
Make sure you get your name servers from a very reliable source.  DNS is an easy way for hackers to get access to your VPS and to use it as a launching pad for attacks on others.  Before you know it your VPS is suspended and you're not quite sure why.  Cloudflare comes very highly recommended by other VPS users so may be a good source of DNS. The Cloudflare nameservers don't prevent DDoS but the Cloudflare Dashboard allows one to minimize and monitor the attacks.  I personally prefer Namecheap for creating my own name servers with my domain.  Namecheap offers the ability to register two name servers with one IP

4. Make regular backups of EVERYTHING
Since one is a beginner, it is very easy to make mistakes.  VPSs are different to shared hosting.  With free unmanaged VPSs hosts don't make backups and backups are your responsibility only.  If your VPS is accidentally compromised for any good or bad reason, and the content is lost, it is permanently lost.  One of the first things you should do before you start to build anything on your VPS is to set up a system of backups.  Then to make backups regularly and make sure those are downloaded to your Website.  You should also test the quality of the backups and know how to restore them if and when needed. 

I personally use VestaCP to help with the backup and restore, however since most of my Websites are WordPress Websites I use the All-in-one WP Migration tool to save backups to my desktop and restore them if and when needed.  VestaCP has an added security bonus with having fail2ban installed and configured with the panel.

5. Use CMS scripts from a reliable source only and make sure updates are ALWAYS up to date - preferably automatically
One of the most important rules for beginners is to keep their CMS scripts - such as Joomla, WordPress, Drupal etc - always up to date.  Use scripts from a reliable source only.  Stay away from nulled scripts.  Preferably put all updates on automatic.  These scripts are a sitting duck for hackers and trouble makers, and one can never be secure enough with using them.

There are obviously many other steps you can take to secure your VPS, including creating keyless entry, changing your root login, etc.  but the above are the easiest security steps for beginners. Bottom line for a beginner is not to take unnecessary risks until they know what they are doing.  Use Google to research what you do, better yet, ask other members in the FreeVPS.com support forum if you are unsure about anything first.

Maybe we should add that they should uninstall/turn off any services that they aren't using. Unconfigured/misconfigured BIND services, or mail services are a huge attack vector.
Reply

#3

(07-11-2018, 04:24 PM)coreyman Wrote: Maybe we should add that they should uninstall/turn off any services that they aren't using. Unconfigured/misconfigured BIND services, or mail services are a huge attack vector.
Updated!   Smile

That is definitely so true.  With shared hosting accounts this type of attack is one of the most prevalent attacks there are.  Quite a large number gain access through the WordPress Admin as well.  Think all CMS scripts need to be turned off as well if they're going to be left alone for a while.  Only static sites that can be left alone for longer periods of time.
Reply

#4

I heard that you could protect you Vps and your website from DDos attack by adding a Port to your adress ip or your Hostname ..Is that correct ?
Reply

#5

(07-16-2018, 05:50 AM)Guerbou01 Wrote: I heard that you could protect you Vps and your website from DDos attack  by adding a Port to your adress ip or your Hostname ..Is that correct ?

It's a common misunderstanding to think you can do anything with your VPS that would protect it against DDoS attacks.  You can take measures to minimize, avoid and manage attacks, but for DDoS protection the host of the VPS has to do that at the dedicated server level when he purchases the server from the data center.  So it's always wise when you purchase a VPS to ask whether the host has DDoS protection with the server.  DDoS protection at the server level also costs more.  If you're going to use the VPS for a games server it is even more important to ask questions from the host about DDoS protection, whether the VPS has been created to also run games servers, and whether sufficient resources are available.  Games servers have different needs, particularly IT professionals who have experience to set them up.

Bottom line for the security protection of your VPS you need to know what security it has and security starts with knowing what protection you already have.

To minimize DDoS and to manage attacks, yes, you can take certain precautions.  You could change the SSH port number to start with and the root login. You can make a keyless entry for your VPS and disable login.  But you may have a Forum, e-mail accounts or games on your VPS where you have to have ports to communicate with your members and those can also make you vulnerable for attacks, particularly if their security is not up to date.  Suggestion by the owner of this Forum is when you're going to be away from your VPS for a while to turn off all of the scripts that create "holes" for your members to communicate with you.  Once someone gets through those holes they can hack into your admin and do serious damage to your VPS.

Some VPS members I've come across also use Cloudflare, as Cloudflare offers a dash board where you can manage a DDoS attack by monitoring and turning things off. 

In the end also what is important is to make sure you are in the company of a really good VPS host who is on top of the security of his servers and other VPS owners who don't have VPSs where attacks regularly happen.  In other words there is a security discipline where the host and the datacenter are strict with security rules and have a zero policy rule.  Most secure datacenters these days are set up to immediately detect when security rules have been breached and the VPS will be immediately suspended and questions asked later.  So hence why I say to make regular backups is very important, as you may be suspended during or after an attack and may have difficulty to get access to the content of your VPS.  In certain cases if it is a virus that replicates itself, they won't even allow you to make backups.  You'll have lost all of the content of your VPS.So security protection is not a luxury but a very important discipline to develop.
Reply

#6

The "ufw" is one of the very easy iptable rules making application. with makes custom rules for port allow and block.
Reply




Users browsing this thread:
2 Guest(s)