13 Ways to Secure Your Cloud VPS
No matter which operating system you choose, there are a number of security measures that you can implement to secure your cloud VPS.
Choosing to host your Virtual Private Server (VPS) in the cloud opens a world of possibilities to share new content with your customers. No matter which operating system you choose, be it Linux, Windows, or any other, there are a number of security measures that you can implement to secure your cloud VPS.
The only good cloud server is a secure cloud server. If you are opting to harness the power of on-demand, public cloud computing, it is vital to make sure you follow these top tips to secure the server. Fortunately, the cloud provider will have taken care of all of the platform level security concerns such as DDoS, hacking, and malware prevention.
However, the cloud provider can only secure the infrastructure. They have limited control over how you choose to secure your server. Give yourself the upper hand. These security measures do not take much time or effort to implement, but you may need a little experience in managing the operating system of your VPS.
Enable automatic security updates — This is by far the most important step to take when securing your server. Security updates, such as Windows Update, plug a huge number of gaps identified in the operating system. We appreciate it might not always be possible to allow your server to update and reboot. The timing might be a significant concern and finding the opportunity to reboot a business-critical production server might be more challenging than it sounds.
That being said, updates are a hugely important way to secure your VPS. If you choose not to update, you are leaving the server wide open to hackers exploiting system vulnerabilities. If patching timings are of concern, plan ahead and create a timed maintenance window in your server operation to enable updates and reboots. The update process can be completely automated, which can greatly reduce downtime.
Make your system lightweight — This might not sound like an obvious security tip, but it is a really helpful strategy to reduce the footprint of your VPS. A lightweight server will naturally limit the scope of vulnerabilities the system is exposed to.
A VPS will typically have one or two purposes. It might serve websites or an application server. Either way, the system usually has an intended purpose. It is bad practice to have a single VPS acting as a single resource for all the features you require.
Removing packages and applications that are not needed greatly reduces the risk of an application being exploitable. This could be Windows features such as media features, the Microsoft Store, or Microsoft Games. For Linux-based systems, you would typically build the server using a minimal image. This features the core operating system and the necessary tools for the server to boot. Then everything that is needed is built on top of the base image.
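A quick way to see what a server is actually exposing after trimming it down is to compare its listening sockets against the short list of ports it is meant to serve. The following is an added example, not part of the original article; it assumes a Linux VPS with the `ss` tool from iproute2, and the sample output and the allowlist `22 443` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample in the format printed by `ss -H -tln`
# (no header, TCP only, listening sockets, numeric ports).
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 128  [::]:22        [::]:*
LISTEN 0 80   127.0.0.1:3306 0.0.0.0:*
LISTEN 0 5    0.0.0.0:631    0.0.0.0:*
LISTEN 0 100  0.0.0.0:25     0.0.0.0:*'

# Print "address port" for every listener that is reachable from the
# network and whose port is not in the space-separated allowlist.
unexpected_listeners() {   # usage: unexpected_listeners "PORTS" < ss-output
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4
      sub(/.*:/, "", port)                       # text after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      # Loopback-only services cannot be reached from outside the host.
      if (addr ~ /^127\./ || addr == "[::1]") next
      if (!(port in ok)) print addr, port
    }'
}

# This server is only meant to offer SSH and HTTPS.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 443"
```

On a live host the same function reads real data with `ss -H -tln | unexpected_listeners "22 443"`; each line it prints is a service to remove or to justify.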
Disable root and administrator accounts — The root and administrator accounts are super-user profiles that have unfettered access to all system resources. You can practically do whatever you want as the root user. For this reason, these accounts are the number one target for hackers. If an administrator account is compromised, then the entire system, and possibly the attached network, are at risk.
Creating single-user accounts reduces the risk significantly. Giving all users regular system accounts greatly reduces the risk of accidental or deliberate damage. Privileged access can still be granted to those who need it, such as the IT department, but you don't want an environment where everyone has domain administrator privileges.
Use encryption — Using tools such as BitLocker, PGP, or GnuPG to encrypt all disks on the VPS adds a significant security barrier that protects your data. The 2048-bit encryption algorithms are so strong that they are impossible to break without the master key. Encryption will not only protect data on the local VPS but also any data that is intercepted via a man-in-the-middle attack on data packets transmitted over the network.
Network layer protection is nearly always a hardware-level solution. This is usually implemented by your cloud provider so check with them to ensure that your VPS is protected.
Applications such as Outlook, Exchange, and other email clients can encrypt emails sent internally and externally. If you need to encrypt emails, add-ons can be installed that scramble the message, preventing unauthorized access. This feature is usually identified by a red padlock in the email client. Other features, such as blocking the forwarding of sensitive email messages can also be enabled.
Change default ports — Ports are used as an application-specific TCP endpoint. Common applications such as SSH (port 22), RDP (port 3389), and HTTPS (port 443) use ports that are widely known; however, you can amend these default port numbers to boost the security of your network.
Setting a custom port for a common application such as RDP can confuse scanning software used by hackers, so much so that they will most likely just move on, as it would look like RDP is switched off on your VPS.
Combining this strategy with disabling unused network ports on a hardware or software firewall will double down on the security enhancements this achieves.
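For a Linux VPS, the root-account and default-port tips above both come down to two lines of OpenSSH's `sshd_config`, which can be checked mechanically. The following is an added example, not part of the original article; the two sample configurations and port 2222 are constructed, and the audit assumes the whitespace-separated `Keyword value` form.

```bash
#!/usr/bin/env bash
# Constructed sample configs (not from a real host). Port 2222 is arbitrary.
WEAK_SSHD_CONFIG='Port 22
#PermitRootLogin no
PermitRootLogin yes'

HARDENED_SSHD_CONFIG='Port 2222
PermitRootLogin no'

# Print every value set for KEYWORD in the global section of sshd_config.
# Keywords are case-insensitive; comments and Match blocks are skipped.
sshd_values() {   # usage: sshd_values KEYWORD < config
  awk -v key="$1" '
    /^[ \t]*#/                  { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print $2 }'
}

# Print one finding per line; return non-zero if anything was flagged.
audit_sshd() {    # usage: audit_sshd "config text"
  local cfg="$1" ports root findings=""
  ports=$(printf '%s\n' "$cfg" | sshd_values Port)
  # For PermitRootLogin the first value obtained is the one sshd uses.
  root=$(printf '%s\n' "$cfg" | sshd_values PermitRootLogin | head -n 1)
  # Port may be given several times; with no Port line sshd uses 22.
  if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
    findings="${findings}port: sshd listens on default port 22
"
  fi
  # Only an explicit "no" blocks every form of direct root login.
  if [ "$root" != "no" ]; then
    findings="${findings}root: PermitRootLogin is ${root:-unset}, expected no
"
  fi
  printf '%s' "$findings"
  [ -z "$findings" ]
}

audit_sshd "$WEAK_SSHD_CONFIG" || true
audit_sshd "$HARDENED_SSHD_CONFIG" && echo "hardened sample: no findings"
```

A commented-out `#PermitRootLogin no`, as in the weak sample, has no effect, which is why the audit reads only active lines.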
Backups — The ability to roll back and restore data from a backup is very important for any workload, especially for production workloads that process sensitive data.
For some compliance regulations, such as PCI or HIPAA, backups are a mandatory requirement demanded by legislation. Even if you have no compliance concerns, having a backup is still key to getting your VPS up and running in the event of unexpected downtime.
Disable IPv6 — This is the Internet Protocol that assigns hex addresses to any server with it enabled. It was created by Microsoft in an attempt to solve the problem facing gigantic organizations that run out of IPv4 addresses (your standard 10.1.1.XX type of addresses).
Very few people use IPv6 intentionally. If you do not use it, switch it off and disable the feature. It will close off one potential area for hackers to exploit.
SELinux — For those who intend to use a Linux-based distribution, do not be tempted to disable SELinux for an easier time. Yes, SELinux can be a nuisance when configuring applications, but its core strength is that it prevents any process from doing any damage, and restricts privileged access.
SELinux is a great tool for VPS security as it hardens the operating system immensely. Even if a hacker got access to the system, SELinux will prevent them from doing anything.
Use multi-factor authentication — Multi-Factor Authentication is a tool that enforces a login policy on a computer. The user will typically have a username and password, but will also have a PIN code and an access token code. Internet banking is an everyday example of MFA.
These days your token is usually generated on a mobile phone application that is synchronized to an MFA appliance. RSA SecurID is a very popular MFA product that is compatible with practically every known operating system.
Deploy AntiVirus and AntiMalware software — Many people are happy using Windows Defender to protect Windows-based systems. Although this is a good start, deploying additional, dedicated antivirus and dedicated malware protection will offer greater protection to the system.
If you are hit by malware or ransomware, the antivirus will usually detect it; however, there is malware that force-deactivates antivirus upon infection. In those scenarios, the AntiMalware software will catch the rest. This is only true if both products are updated daily to protect against the very latest strains.
Keep your applications updated — It is vital to keep the operating system updated, but it is also important to keep your applications updated. Applications like Joomla, cPanel, WordPress, and PHP are constantly being updated by developers.
Staying updated protects the software from vulnerabilities. It is important to update regularly as with these kinds of products it is easy to fall behind, making the update process significantly more difficult in the long term.
Use SFTP — This is a secure way of transferring files between servers and over the internet. Do not be tempted to use the easy-to-configure FTP protocol. SFTP is absolutely essential for anyone who needs to transfer files securely.
There are many benefits to using VPS for your business. Implementing the aforementioned tips to secure your cloud VPS will give you the upper hand in securing your server and protecting against any malicious activity directed toward your investment. Security is so important in the digital age. Securing all servers, especially public-facing servers, can save you a lot of time and effort in the long term.
Opinions expressed by DZone contributors are their own.