How to Secure а VPS Server? – Actionable Tips
In 2012, Sophos estimated that more than 30,000 websites are hacked every day. Given how much the internet has grown over the last few years, the current number is likely much higher.
As an owner of a cPanel VPS that can host multiple websites, you have a sizeable target painted on your back. Luckily, the setup you’ve chosen has many mechanisms to protect your virtual server.
Today, we’ll see what they are…
Table of Contents:
- Why cPanel VPS Hosting?
- Great VPS Hosting Use Cases
- Managed Server vs Unmanaged VPS Server for Security
- Cpanel VPS Hosting Security – Tips and Tricks
- ScalaHosting and VPS Security
Why cPanel VPS Hosting?
First, let’s see why a cPanel VPS is one of the best possible hosting platforms you can choose.
Shared hosting may be the cheapest available solution, but it’s riddled with problems. You utilize the same system resources as dozens of other users, so you can never be sure whether the performance will be up to par. The implications of sharing an IP with multiple other users could also be serious, especially if your “neighbors” decide to send spam.
A Virtual Private Server gives you much better security and more reliable performance. You get guaranteed hardware resources reserved just for you and available all the time. As you will be the only one using it, you don’t need to worry about getting your dedicated IP blacklisted, either.
You have the entire server to yourself, so the host allows you full control over the machine. A VPS is extremely flexible when it comes to customizations and can do wonders…if you know what you’re doing.
WHM & cPanel ease the client’s burdens when it comes to secure server management. With them, you get all the tools you need to create the best possible hosting environment with minimum technical work. The management platform streamlines and automates many of the administration tasks. In the case of organizations, this can be an amazing time saver, and Time often equals Money in the business world.
Great VPS Hosting Use Cases
The secure VPS acts as a standalone dedicated server. It has its own operating system, an underlying hardware setup, and an IP address. As a result, it can do pretty much anything a dedicated server can.
Among other things, you can use it as:
- a file storage facility
- an offsite backup facility
- a testbed for new applications
- a mail server
- a game server
- a VoIP server
- a Virtual Private Network
Managed Server vs Unmanaged VPS Server for Security
Shopping around for a reliable VPS server, you first need to determine the type of service that best suits your security plans – managed VPS or self-managed VPS. It all boils down to one simple question:
How much do YOU know about security and setting it up?
If you are well-versed with technologies and server management, opting for unmanaged solutions is more logical given the freedom you’ll get when configuring your hardware and software for maximum protection.
Still, in most cases, business owners prefer to focus on website building and promotion instead of diving into technicalities. A managed VPS plan ensures they always have the hosting provider’s support behind their back. From spam and virus prevention to advanced DDoS protection or security updates – there is little your host can’t handle.
Either option can work great for you in the right circumstances.
Cpanel VPS Hosting Security – Tips and Tricks
Although a single physical machine can host multiple virtual servers, the virtualization technology that powers VPS hosting allows for a completely isolated environment.
Compared to a shared server, it’s a much more secure setup, but you should always strive for more if you want to achieve the level of protection suitable for a successful online business.
You might be surprised to learn just how much WHM & cPanel can help you out. Here’s where to start.
Set up a firewall
A firewall is one of the first tools a sysadmin uses to protect a server and filter network access. Its job is to follow preset policies to keep the malicious traffic out and let the good one in.
Since we are talking about cPanel VPS platforms, your virtual server runs Linux and has a firewall utility called Iptables. You can try to configure it on your own, but since you have cPanel & WHM, you’re much better off navigating through their intuitive Graphical User Interface (GUI).
Many Linux server owners use ConfigServer Security & Firewall (CSF). You would need root user access and a couple of commands to install it on the server, and you can then activate and configure it through WHM. Because it’s so widely used, there is plenty of information available online on setting it up correctly.
CSF has proven its worth as a firewall utility, and it can help you immensely if someone decides to launch a DDoS attack against your server.
A good idea is to also install a Web Application Firewall (WAF) to protect your site against cross-site scripting attacks, SQL injections, and other attacks.
There are quite a few WAFs available on the market, but ModSecurity remains a firm favorite for many. One reason for its popularity is its easy integration with WHM & cPanel. ModSecurity is part of the Apache module, and you can activate it in WHM with a couple of mouse clicks.
Along with the secure solution, make sure to set the proper firewall rules.
Malware and virus protection
Running a Linux VPS server means you have fewer security concerns than you would have had with a Windows machine.
It’s dangerous to run a virtual server without a malware scanner that periodically checks for malicious code and infected files.
For Linux servers with cPanel, the two most popular malware scanners are ClamAV and ImunifyAV.
The appeal comes from the fact the two offer relatively seamless integration with WHM & cPanel. Both can be activated in WHM and have pretty much equal malware detection capabilities.
That said, although there are a few GUI options, properly configuring ClamAV may require some command-line work. Meanwhile, ImunifyAV is easier to use, but you can only initiate its scans via WHM. Plus, the free version lacks a few essential features.
Minimizing the number of unsolicited emails that land in your inbox is essential. If you don’t have any protection in place, junk mail could quickly fill up your account’s quota, making you miss essential communication.
In a corporate environment, spam filters are even more critical. Attackers often target phishing campaigns against click-happy employees, and the results can sometimes be devastating.
IMPORTANT: WHM & cPanel come with Apache’s SpamAssassin – a tried and tested spam filter, often pre-installed and enabled by default on a Linux VPS. If you suspect it might not be working properly, you can always check whether it’s turned on in WHM’s Service Manager.
Individual cPanel users have another way of filtering junk mail. You can take advantage of a tool called BoxTrapper to request additional action from senders of suspicious-looking messages before delivering them to the recipient’s inbox. The idea is to stop junk mail sent by automated scripts.
According to Verizon, weak passwords sit at the bottom of an estimated 81% of all data breaches, highlighting people’s lack of respect for the importance of login credentials.
With sensitive data leaking left, right, and center, the problem is no longer concerning weak passwords alone. Same passwords across platforms are just as dangerous because they enable hackers to use a single data breach to compromise multiple accounts.
For years, security experts have been advocating the use of reputable password management solutions for creating and storing login credentials. There are plenty of free and premium options out there, and they all guarantee you’ll be able to protect your accounts with unique, impossible-to-guess passkeys.
As yet another precaution, you can use WHM & cPanel’s two-factor authentication system. With it, every time you try to log into WHM or cPanel, you’ll need to provide a temporary security code in addition to a valid username and password authentication. The idea is that a hacker who has stolen your login credentials won’t be able to access your server without your phone device.
Limit root access
By default, you can use any IP to manage your Linux VPS. This is convenient if you’re working on your server on the move, but it’s hardly the most secure setup. What’s more, you are much more likely to control the server from a single network with a static IP.
WHM’s Host Access Control gives you the option of allowing or denying individual IPs access to the following services:
- FTP and Secure FTP
- Web Disk
Using the Host Access Control tool, you can block hackers from executing root-level commands. You just need to be careful not to disrupt the work of other users who need access to the VPS or the website backend.
Change the default SSH listening port
Your server communicates with your SSH service via a listening port. By default, this port is set at 22. The problem is that pretty much every hacker and robot knows that, so if anyone wants to target you – this will be one of the first places they’ll look into.
To prevent automated attacks and breaches through your SSH port, you can execute the following command:
IMPORTANT: The ‘vim’ prefix is used for this particular text editor. If you are using another one – replace vim with its name.
Inside the configuration file, find a line that says something similar to:
#What ports, IPs, and protocols we listen for
You can change the SSH port number here. Make sure you choose unused network ports that are not already assigned to something else in your system.
Ensure brute-force attack protection
Brute-force attacks are one of the most common tools for hackers to gain access to a server. What they do is employ tools that launch thousands of password combinations in an attempt to guess the right one. This is especially effective with fewer-character passkeys but given enough time – can eventually break even longer credentials.
So what can you do to tackle brute-force attacks?
For starters, you can turn back to the section about strong passwords as this is an important line of defense to slow attackers down. Limiting login attempts is another trick that can do wonders because your system will simply lock itself after a few unsuccessful attempts.
As for extra helpers, installing an intrusion prevention server software like Fail2Ban is always worth considering. The tool scans your log files looking for any malicious signs, like too many login attempts. It then bans all suspicious IPs, helping you stop the attack in its tracks.
IMPORTANT: You can find more information and installation instructions for Fail2Ban on the official documentation page.
Keep everything updated
Most modern websites are built using Content Management Systems. Their owners manage them through a point-and-click backend interface that requires little to no skills to navigate around.
Behind the scenes, however, there are millions of lines of code. Some bugs will inevitably pop up, and they could easily open the doorway for attackers.
Developers spend a lot of time identifying security vulnerabilities and producing patches for them. Still, it’s your responsibility to install security patches, and you should do so promptly after their release.
The only way to ensure you’re as well protected as possible is to regularly update every piece of software and associated plugins on your server. Furthermore, avoid installing unnecessary software that can be used as a backdoor in the future.
IMPORTANT: Cpanel’s automatic updates are enabled by default, and if you use WordPress – you have access to the WordPress Toolkit. It features an auto-update functionality for the CMS core, the themes, and the plugins.
Secure offsite backups
You can’t take anything for granted in the online world, and you must be prepared for the worst. You probably already know that you need to have a backup of your data at all times, but you have to bear in mind that this is not enough.
If you keep your backups on the same VPS, a potential hardware failure can lead to terminal data loss. Your home computer might seem like an alternative option, but it’s not that viable, especially if your website is big.
Your best bet is to store your backups on a remote server.
You don’t need to install any additional tools or services to have an automatic offsite backup system. Through WHM’s Backup Configuration interface, you can configure your server’s scheduled backups to your exact requirements and schedule the system to send your archived site copies to a remote server of your choice.
SSL certificates utilize the Transport Layer Security (or TLS) protocol to encrypt the flow of information between your site visitors and the hosting server. Without them, the data would be transmitted in plain text and easily intercepted or altered.
An SSL certificate also verifies the site’s identity and confirms the visitor’s connection to the right server.
In the past, getting an SSL certificate used to cost a lot of money, and installing it was usually a manual process done by the hosting provider’s support team. Nowadays, however, certificate authorities like Let’s Encrypt offer free SSL certificates. Thanks to WHM’s AutoSSL tool, deploying certificates across different projects is completely automated.
Cpanel also has an SSL manager, which lets you control certificates for individual websites.
If you see that something’s not quite right with your Linux VPS, you need to be able to quickly determine where the problem lies. Even if all seems well – you must have easy access to analytics telling you exactly how your server is doing and what you may need to improve.
WHM has all this data and more.
It integrates several different tools, giving you vital information on resource usage, uptime, and load averages over a set period of time. You can also see all the running services, processes, and their status.
With all this information, you can get an insight into how well you’re utilizing your server, draw a growth plan, and, crucially, spot potential security problems.
Be careful with Evil Twins on public Wi-Fi
You have to be extra careful when logging in to your hosting server or account on public Wi-Fi. One of the many dangers of such networks is called “evil twins.”
Evil Twins closely resemble your typical phishing scam. But instead of the hacker setting up a bogus website to lure you in, they are configuring a fake wi-fi point. Anything the user types while using this fraudulent wireless connection goes straight into the attacker’s hands as well.
Evil Twin networks are pretty hard to detect, especially if you are an inexperienced user. That’s why you have to be very careful and avoid free networks, public hotspots, and funny-sounding wi-fi names. Additionally, you can employ a reliable VPN platform to give your connection an extra layer of protection.
ScalaHosting and VPS Security
At ScalaHosting, we firmly believe that VPS hosting is at the heart of our industry’s future. For over a decade, we’ve been working hard to make our virtual private servers more reliable, affordable, and secure.
All of our Linux VPS solutions are based on KVM virtualization, and thanks to our partnership with DigitalOcean – you can now choose from 11 centers spread around the world.
IMPORTANT: ScalaHosting now partners with Amazon AWS for managed Linux VPS offerings as well. Various options are available on our homepage.
With our managed VPS plans, you can opt to use cPanel & WHM to take full advantage of its numerous security features. Alternatively, you can choose a much more affordable solution that is just as powerful.
SPanel is an all-in-one management solution designed specifically for ScalaHosting’s virtual private servers. It’s our answer to cPanel’s 2019 pricing policy changes, and its goal is to allow users to have a reliable, fully managed VPS service at a reasonable price. SPanel is equipped with all the tools and features you need to operate your projects in the best possible hosting environment.
SPanel VPS servers also come with an innovative security system called SShield. It monitors your server in real-time, and it uses artificial intelligence services to block almost all known attacks. If it does detect an unusual behavior – it informs the client immediately.
Because we developed SPanel and SShield ourselves, we can offer them as a part of our managed VPS hosting plans at no additional cost. This enables us to have some of the most competitively-priced managed virtual servers on the market.
Security is a major aspect of running a virtual private server, and there are many things you need to think about, especially on a self-managed VPS. To protect your server properly, you have to know what the main threats are, so you can build a strategy that covers as many scenarios as possible.
This may sound like an extremely complicated job, but the truth is, WHM & cPanel have plenty of options to make your hosting life a whole lot easier.
Do I need WHM & cPanel on my VPS?
Strictly speaking, you don’t necessarily need WHM or cPanel for your VPS. There are a number of other web hosting control panels that help you manage your virtual server, and you can even try and operate everything without such a panel.
However, WHM/cPanel’s wide range of tools and features makes the management platform a firm favorite with millions of site owners.
What are the security threats to VPS servers?
A virtual private server acts as an independent physical machine. All online threats applicable to dedicated servers are also valid for VPS machines, meaning the proper configuration and secure setup are absolutely essential.
Poor security setup, weak passwords, lack of security updates, and utilizing unlicensed software are just a few of the vulnerabilities hackers exploit as means to get to your account and website.
Why should I choose managed VPS security?
If you are not well-versed with server management and don’t have an experienced developer behind your back – your best bet is managed VPS services.
With this type of web hosting, your provider takes care of most security aspects for you – from the initial configuration and server software setup to active monitoring and malware prevention. The support team is available for other technical issues as well, giving you much-needed peace of mind when building an online business on a VPS.
Can cPanel be hacked?
By default, WHM & cPanel work with a simple username-and-password login mechanism, and there’s no way of changing the login URL. In theory, if the hackers know (or guess) your login credentials, they will be able to break in. You have plenty of tools to stop their attacks, though.
Utilizing two-factor authentication, restricting access to the login URL, and using cPanel’s built-in brute force protection are just a few of the ways to avoid unwanted breaches.
Does managed VPS hosting offer virus protection?
In most cases, hosting providers offer some level of virus protection on managed VPS solutions. While this varies between hosts, any reliable company should at least provide you with basic security measures for malware protection.
In the case of ScalaHosting, we go even one step further. Our custom-built security tool, SShield, utilizes AI and machine learning to detect almost every known attack out there, stopping hackers before they can reach your server.
Comes for free with any SPanel VPS with Scala.
ScalaHosting – How to Secure Your cPanel VPS? – Actionable Tips