Upgrade Your VPS Security: A Quick Guide
1. Change the SSH Port
Port 22 is the port every automated SSH scanner tries first. Moving SSH to another port cuts that noise, though it is no substitute for the other steps below. To change the port:
Open the SSH configuration file:
nano /etc/ssh/sshd_config
Find the line:
#Port 22
Un-comment it and set a new port number (e.g., 2222):
`Port 2222`
Save and exit (Ctrl + X). Restart SSHD:
service sshd restart
Tip: Keep your original session open. Test the new port before closing it to avoid lockout.
Update IPtables to allow the new port:
nano /etc/sysconfig/iptables
Add, above the final REJECT rule so that it is actually evaluated:
`-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT`
Save and restart IPtables:
service iptables restart
2. Use Strong Passwords
Weak passwords are a major vulnerability. Ensure your passwords:
Are at least 10 characters long
Include numbers, letters (both uppercase and lowercase), and symbols
Example: T=ep@Uy*ST
Change your root password:
passwd
3. Disable Root User Access
Disable direct root access for added security.
Add a new user:
useradd newuser
passwd newuser
Edit SSH configuration to disable root login:
nano /etc/ssh/sshd_config
Set:
`PermitRootLogin no`
Save and restart SSHD:
service sshd restart
Log in as the new user and switch to root with su only when a task requires it.
4. Restrict SSH Access by IP
Add another layer of protection by allowing SSH access only from specific IPs.
Edit IPtables rules:
nano /etc/sysconfig/iptables
Replace the open port-2222 rule from step 1 with a source-restricted one (if both remain, the open rule still admits every address):
`-A INPUT -p tcp -s YOUR_IP_ADDRESS --dport 2222 -j ACCEPT`
Save and restart IPtables:
service iptables restart
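An added pre-flight script, not part of this guide, that rehearses the edits from steps 1, 3 and 4 on copies of sshd_config and the iptables file and reports anything that would leave you locked out or still exposed. The function names, the temporary file paths and the 203.0.113.10 address are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the guide: rehearse steps 1, 3 and 4 on COPIES of
# sshd_config and /etc/sysconfig/iptables. Assumes GNU sed/awk as on CentOS.

# set_sshd_option FILE KEY VALUE: un-comment/replace an existing "#KEY ..."
# or "KEY ..." line, append if absent. Idempotent; VALUE must not contain "|".
set_sshd_option() {
  if grep -Eq "^[#[:space:]]*$2[[:space:]]" "$1"; then
    sed -i -E "s|^[#[:space:]]*$2[[:space:]].*|$2 $3|" "$1"
  else
    printf '%s %s\n' "$2" "$3" >>"$1"
  fi
}

# sshd_option FILE KEY: the value sshd will use. sshd honours the FIRST
# uncommented occurrence, so a "Port 2222" appended below an active "Port 22"
# changes nothing; this mirrors that rule. (Match blocks are not modelled.)
sshd_option() {
  awk -v k="$2" '$1 == k && !seen { print $2; seen = 1 }' "$1"
}

# accept_before_reject FILE PORT: true if a "--dport PORT ... -j ACCEPT" rule
# comes before the first REJECT/DROP rule. iptables evaluates rules top-down,
# so an ACCEPT appended after the catch-all REJECT never matches.
accept_before_reject() {
  awk -v p="$2" '
    /-j (REJECT|DROP)/ { exit 1 }
    $0 ~ ("--dport " p "( |$)") && /-j ACCEPT/ { ok = 1; exit }
    END { exit ok ? 0 : 1 }' "$1"
}

# unrestricted_accept FILE PORT: true if an ACCEPT for PORT has no "-s" source
# filter, i.e. the step 1 rule is still undercutting the step 4 restriction.
unrestricted_accept() {
  awk -v p="$2" '
    $0 ~ ("--dport " p "( |$)") && /-j ACCEPT/ && !/(^| )-s / { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# preflight SSHD_FILE IPT_FILE PORT: run all checks, print each problem,
# return non-zero if any failed. Only then is "service sshd restart" safe.
preflight() {
  rc=0
  [ "$3" != 22 ] || { echo "still on port 22"; rc=1; }
  [ "$(sshd_option "$1" Port)" = "$3" ] || { echo "sshd Port is not $3"; rc=1; }
  [ "$(sshd_option "$1" PermitRootLogin)" = no ] || { echo "root login allowed"; rc=1; }
  accept_before_reject "$2" "$3" || { echo "no ACCEPT for $3 ahead of REJECT/DROP"; rc=1; }
  unrestricted_accept "$2" "$3" && { echo "port $3 accepts from any source"; rc=1; }
  return $rc
}
```

Run `preflight` against the real files only after rehearsing on copies, and validate the live sshd_config with `sshd -t` before restarting the daemon.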
5. Install RkHunter
RkHunter scans for rootkits and malware.
Install RkHunter:
yum install rkhunter -y
Create a daily cron job for scans:
nano -w /etc/cron.daily/rkhunter.sh
Add (the yum package installs the binary as /usr/bin/rkhunter; a source install uses /usr/local/bin instead). The scan output is grouped in a subshell and piped into mail, otherwise mail receives nothing and the report never arrives:
#!/bin/sh
(
/usr/bin/rkhunter --versioncheck
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (YourServerName)' your@email.here
Secure the script:
chmod 700 /etc/cron.daily/rkhunter.sh
Test RkHunter:
rkhunter -c -sk
6. Install CSF (ConfigServer Firewall)
CSF is an iptables front end that manages the allowed ports from a single configuration file and blocks sources with repeated login failures.
Ensure Perl is installed:
perl -v
If not installed, add Perl:
`yum install perl perl-libwww-perl perl-Time-HiRes -y`
Install CSF:
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Check required IPtables modules:
perl /etc/csf/csftest.pl
Configure CSF:
nano /etc/csf/csf.conf
Update TCP ports:
`TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2222"`
`TCP_OUT = "20,21,25,53,80,110,113,443,2222"`
Save and start CSF:
csf -s
Disable test mode (while TESTING is "1", CSF clears its rules on a timer so a mistake cannot lock you out; set it to "0" only once your SSH port is confirmed reachable):
nano /etc/csf/csf.conf
Set:
`TESTING = "0"`
Restart CSF:
`csf -r`
Remove installation archive:
cd ../
rm -fv csf.tgz