Getting your VPS hacked generally is NOT a pleasant experience. Please follow these basic ways of hardening your VPS security. This tutorial should work for most Linux VPS’s. I use an OpenVZ Debian 32 bit VPS.
Step 1: Change SSH Port
Login to your VPS using Filezilla or Putty. I recommend Filezilla (you do not need an active FTP server on your VPS for this).
- Navigate to /etc/ssh/.
- Download the file sshd_config.
- Change the port number to any 5 digit number.
- Save the file and go to your Filezilla window. It should now automatically upload back.
Now you can reboot your VPS and login via SSH at the chosen port number. Your VPS is now invulnerable to bots that automatically scan IPs for open SSH ports.
Step 2: Use a Secure Password
It is recommended for you password to include special characters, numbers, and capital + lowercase letters. Example of a secure password: fE1@& (generated randomly – anything around 5-7 characters is usually fine).
Step 3: Update and Upgrade
Your system should always be up to date.
Use the “apt-get update” and “apt-get upgrade” commands.
On CentOS, replace “apt-get” with “yum”. On Ubuntu, change it to “sudo apt-get”. If you don’t know what command to use, test out all of them.
Step 4: Don’t use FTP
The FTP protocol is NOT secure. Switch to SFTP. Unlike FTP, SFTP uses encryption, which is necessary to prevent eavesdropping.
Step 5: Remove Unnecessary Programs/Services
Having services you don’t need only creates complexity. More complexity typically means more vulnerabilities and less available resources.
If your VPS provider has this option, I recommend using a minimal remplate (E.g. CentOS 32 bit minimal or Debian 6.0 32 bit minimal). Not only will it not be stuffed with unnecessary programs, but it will also use much less RAM than other templates. I usually run my Debian minimal with 9Mb of ram.
Step 6: Secure your Website/Blog
If you use a CMS like WordPress or Joomla, you must keep it update and install necessary plugins to prevent your site from getting hacked. Although this will be in a future post, some recommended WordPress plugins are BPS Security, WordPress Firewall 2, and Spam Free WordPress.
Also, make sure your web-server’s settings and PHP installation is secure. Honestly, I’m not familiar with securing PHP and Apache/nginx/lighttpd, so please consult your search engine for it.
Congratulations. Your VPS is now 10 times more secure. Please comment if I’m missing anything.
