Anyone know of a secure VPS server? I heard VPS is more secure than a dedicated server.
VPS more secure than dedicated? I highly doubt that
VPS seems more secure than a server which is shared because of its file system. Although you are actually sharing memory, CPU and network, you do not share the file system. What this means is that if someone else's virtual server is accessed by someone else, it is impossible for them to break into your virtual file system. There is only one file system in a shared system so if anyone were to break into a shared system he/she would have access to all of the sites hosted on that server.
Other benefits are no downtime when upgrading hard drive or mounting.
I used to get hacked 3 to 4 times a week on my dedicated server; since I moved to VPS I haven't had a single hack.
Below is what i followed step by step to secure my vps server.
How To: Secure and Optimize Your VPS for newbs.
Original/complete walk-through HERE.
These are the following changes I made:
SECURING CPANEL - WHM - AND ROOT on a VPS
=========================================
Web Host manager and CPANEL mods.
=========================================
These are items inside of WHM/Cpanel that should be changed to secure your server.
Goto Server Setup =>> Tweak Settings
Check the following items...
Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
(SET TO FAIL)
Under System
Use jailshell as the default shell for all new accounts and modified accounts
Goto Security =>> Security Center
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.
Goto Security =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.
Goto Security =>> Security Center =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection
When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.
Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP
Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users
Goto Mysql =>> MySQL Root Password
Change root password for MySQL (Use a very hard, random password that is not used elsewhere as the chances of actually using it are probably slim and actually using it for databases is a security risk.)
Goto Security and run Quick Security Scan and Scan for Trojan Horses often.
=========================================
More Security Measures
=========================================
These are measures that can be taken to secure your server, with SSH access.
Update OS, Apache and CPanel to the latest stable versions.
This can be done from WHM/CPanel.
=========================================
Brute Force Detection
=========================================
Goto Security =>> Security Center =>> cPHulk Brute Force Protection
A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
--------------------------------------------------
Use The Latest Software
Keep the OS and 3rd party software up to date. Always!
CPanel itself can be updated from the root WHM.
--------------------------------------------------
Change Passwords
Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.
--------------------------------------------------
Avoid CPanel Demo Mode
Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
--------------------------------------------------
Jail All Users
Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone - no exceptions.
--------------------------------------------------
Security Center (CPanel)
From the root WHM, Security -> Security Center, you will most likely want to enable:
- php open_basedir Tweak.
- SMTP tweak.
You may want to enable:
- mod_userdir Tweak. But that will disable domain preview. (Will disable: http://serverip/~account)
--------------------------------------------------
Use SuExec (CPanel)
Already enabled for HostV
--------------------------------------------------
Use PHPSuExec (CPanel)
This needs to be built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
With PHPSuExec enabled, your users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
--------------------------------------------------
Optimizing your VPS server (help it run more efficiently)
cPanel Tweak Settings
Login to WHM as root, and under "Server Configuration" on the nav bar hit "Tweak Settings".
Here are some suggested settings:
Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time.
- Use "FAIL". If you already have some accounts setup not to use "FAIL" (by default it will not) then run this command to convert to FAIL from BLACKHOLE --> perl -pi -e "s/:blackhole:/:fail:/g;" /etc/valiases/*
Mailman
- Mailman tends to use a lot of resources, so if you don't need cpanel mailing lists then uncheck this.
Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)
- This is just generally a good idea. So check this.
Analog Stats
- I find this useless, so uncheck this. If you want to delete the existing analog stats files just run this command --> rm -rf /home/*/tmp/analog/*
Awstats Reverse Dns Resolution
- Make sure this is unchecked, I find it pretty much useless for most users.
Delete each domain's access logs after stats run
- Make sure this is checked, otherwise disk space usage can really rack up!
I hope this was useful ;-)
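An added example (not part of the post above or of the walk-through it quotes): a shell function that checks one account's document root against the two PHPSuExec requirements in the walk-through. It reads "no greater than 0755" as "no group- or world-write bit", which is an assumption; the function name and the PERM/HTACCESS labels are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original walk-through.
# Usage after sourcing this file: phpsuexec_audit /home/USER/public_html
# (the path is a placeholder for one account's document root).

# Prints one finding per line, sorted; returns 1 if anything was found,
# 0 if the tree is clean.
phpsuexec_audit() {
    root=$1
    findings=$(
        # PHP files with a group- or world-write bit exceed 0755
        # (assumed reading of the walk-through's permission rule).
        find "$root" -type f -name '*.php' \
            \( -perm -020 -o -perm -002 \) 2>/dev/null |
            sed 's/^/PERM /'
        # php_value / php_flag and their php_admin_ variants are mod_php
        # directives; they must not remain in .htaccess once PHP no longer
        # runs as an Apache module. Commented-out lines are ignored.
        find "$root" -type f -name '.htaccess' 2>/dev/null |
            while IFS= read -r f; do
                if grep -Eiq \
                    '^[[:space:]]*php_(admin_)?(value|flag)[[:space:]]' "$f"
                then
                    printf 'HTACCESS %s\n' "$f"
                fi
            done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sort
    return 1
}
```

Run it per account before switching PHPSuExec on, so the offending files can be fixed (for example with chmod 644 on the listed PHP files) before users start seeing errors.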
A 'dedicated' server gives you full control over everything, a VPS does in 'ways' but also opens up more possibilities for attacks as you have different users on the system, more software running.
Any attacks on a dedicated server you experienced before were down to the lack of the dedicated server setup security-wise, not a dedicated not being as secure as a VPS, or the possibility of it.
You also jump from 'shared' to 'dedicated' they are two totally different beasts. A shared you have no real control over and yes is nowhere as near secure as a good vps/dedicated setup.
Thanks for the info. Can you recommend any reliable hosting company? Would appreciate it.
tnx
VPS is a great lower cost way to learn about server administration before you jump into full dedicated. There is a lot more involved than shared hosting of course. If you are new to vps it can take a while to learn.
A dedicated server is more secure if you know how to maintain/secure it.
I'd say, if you want a simple turn key ready solution for not very big projects, it's better to take VPS, but if you are experienced in security issues and have a bigger budget at your disposal - dedicated solution sounds better.
There seems to be some debate here over which is more secure, VPS or dedicated. In my opinion it all depends on the administrator. I can picture a dedicated server admin who knows what they're doing preventing security problems. At the same time, a VPS admin who doesn't know what they're doing might leave security holes open. I can also picture the inverse where a VPS admin knows what they're doing and secures the system well while a dedicated server admin across town doesn't do as good a job of prevention.
Shared Linux servers can still use jailshell, virtual FTP and other methods to keep people from accessing each other's files. Using those methods, the person's directory shows as / instead of /home/username. They are prevented from changing directory up one level in the tree. This is how I have managed shared servers for many years without security issues.
If you are using CentOS, refer to the following website.
securecentos.com

The nature of a VPS is very secure in itself already. There is plenty of flexibility in the OS with CentOS and the Linux kernel and in most cases the security depends on your host who has the responsibility of keeping your software up to date.
Last edited by vectro; Oct 11th, 2010 at 1:36 pm.
securecentos.com seems a very useful website, thanks for posting it.
I've found CentOS to be common on VPS
VPS is not necessarily more secure than a dedicated server, however it is more likely to be fully managed and so the host might just take care of server hardening for you.
Last edited by inspiroHost; Aug 22nd, 2010 at 5:22 am.
VPS is less secure than a dedicated on so many levels. For one, you can't partition correctly unless you're on a XEN but you're still running in a virtual environment.
There are some classic moves to secure a server, like changing the SSH port, enabling 128-bit SSL encryption, disabling root SSH access, and dropping incoming SSH from all except your trusted IPs (home, office etc). Those are the basics.