Here’s my quick list of best practices for securing your VPS. This list is the first of several I use in order to secure customers’ servers as well as my own, I hope you find it useful.
Turn on auto notification of security updates in Webmin or your package manager, and apply them as soon as possible. Attacks are coming out very quickly after vulnerabilities are found, so the sooner you plug the holes the better. Don’t forget to include updates for the applications you’re running in addition to the operating system itself. If you manually install any applications rather than using the package manager remember that you’ll need to manually check for updates on those applications.
Use strong passwords. Don’t use words found in the dictionary or words and dates people might be able to guess, like your spouse’s name or your birthday. Use letters, numbers, and symbols, and make it memorable so you won’t need to write it down.
Disable services and applications you don’t need. Hackers can’t attack a service that’s turned off. Why run a mail server or content management system if you only use your system for FTP?
Read your system and applications logs daily. Know what normal activity is for your system. You won’t know you’ve been broken into if you’re not looking.
Apply the CIS Benchmarks or DISA STIGs to your system. They’re detailed guidelines on how to secure your system. Be aware that they might recommend changing settings that could break your specific setup. Know your system and how the changes you make will affect it.
http://www.cisecurity.org/benchmarks.html
http://iase.disa.mil/stigs/stig/index.html
Make regular backups. If all else fails and your server is hacked you’ll need a safe copy of your data to start over. Test your backups to make sure you can restore from them, and encrypt them during transmission and storage. You don’t want someone sniffing your sensitive data as you make a backup across the Internet, or walking off with your unencrypted backup drive. If possible, store your backups in a fireproof and waterproof safe at a site other than where your server is located. This will help prevent your server and backups both being destroyed by theft, fire, or natural disaster.
Subscribe to your operating system and application vendors’ security or news lists. It will notify you of new security updates or temporary fixes to prevent a compromise until an official update is released.
Feel free to contact me for a more complete list of recommendations, or if you need help securing your VPS.
Bryan Zimmer
Zimmer and Associates LLC
www.zimmerandassociates.com