![\"\"](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/11\/Linux-cheat-sheet.png\/public\")
<\/a><\/figure><\/div>\n\n\n\n<\/p>
Linux security and common weaknesses<\/h2>
While Linux VPS security is generally robust, it does have some weaknesses. Many cyber threats can compromise your Linux server’s security and data. Here are the most common ones:<\/p>
- \n
- Malware <\/strong>– intrusive software intentionally designed to harm computers and their operating systems. It comes in many forms, including Trojans, ransomware, viruses, and spyware.<\/li>\n\n\n\n
- Sniffing attack<\/strong> – a cyber attack that happens when a hacker uses packet sniffers to intercept and extract data from a network.<\/li>\n\n\n\n
- Brute-force attack <\/strong>– a hacking method involving an attacker who uses trial and error to guess login credentials.<\/li>\n\n\n\n
- SQL injection <\/strong>– an attack that occurs when a hacker exploits code in a web application to gain access to the server’s database.<\/li>\n\n\n\n
- Cross-site scripting (XSS) <\/strong>– a client-side attack during which a hacker injects malicious code into a website.<\/li>\n\n\n\n
- No function-level control <\/strong>– when the access rights to a server aren’t verified properly, giving unauthorized users root privileges.<\/li>\n\n\n\n
- Broken authentication <\/strong>– identity theft that happens due to unencrypted data, weak passwords, or poorly configured application session timeouts.<\/li>\n<\/ul>
Before implementing any security measures, learn the crucial elements you should monitor in your virtual private server, which include:<\/p>
- \n
- VPS hosting security<\/li>\n\n\n\n
- Server software<\/li>\n\n\n\n
- SSH connection<\/li>\n\n\n\n
- Root access and logins<\/li>\n\n\n\n
- Passwords and credentials<\/li>\n\n\n\n
- Firewalls<\/li>\n\n\n\n
- FTP connection<\/li>\n\n\n\n
- User rights and privileges<\/li>\n\n\n\n
- Server logs<\/li>\n<\/ul>
16 VPS security tips to protect your server security<\/h2>
This section contains 16 security tips for preventing cyber attacks on VPS hosting.<\/p>
1. Research your web hosting security<\/h3>
Your VPS hosting provider must have a strong security infrastructure and offer additional protection to keep your server safe. While users can install extra security features, some are pre-configured.<\/p>
Depending on the provider, the security features will differ. At Hostinger, we apply comprehensive security practices for all our virtual machine hosting plans<\/a> to ensure optimal safety, including:<\/p>
- \n
- Web application firewall<\/strong> – <\/strong>a dedicated security feature that analyzes and filters incoming requests based on predefined security rules. It adds extra protection to your server, ensuring only legitimate and secure traffic reaches your websites.<\/li>\n\n\n\n
- Suhosin PHP hardening <\/strong>– a module that fortifies your PHP applications against vulnerabilities that cyber criminals often exploit to launch an attack. It also patches PHP flaws to help reduce the risk of successful hacking attempts.<\/li>\n\n\n\n
- PHP open_basedir protection <\/strong>– a security measure that restricts PHP script access to specific directories only. It helps prevent unauthorized access to sensitive files and mitigate potential security breaches.<\/li>\n\n\n\n
- BitNinja’s full-stack server protection <\/strong>– a suite of security solutions with various modules for IP reputation, malware detection, and proactive defense mechanisms. It provides complete protection for your VPS against various cyber threats.<\/li>\n\n\n\n
- Advanced DDoS mitigation <\/strong>– a distributed denial-of-service (DDoS) attack sends malicious internet traffic to slow down your entire server performance. Hostinger mitigates DDoS<\/a> using the remotely triggered black hole (RTBH) and traffic filtering.<\/li>\n\n\n\n
- Monarx anti-malware <\/strong>– a security tool that continuously scans your VPS for malware, suspicious files, and potentially malicious activities. It helps ensure your server is safe without needing to manually scan it.<\/li>\n\n\n\n
- Secure sockets layer (SSL) <\/strong>– SSL certificates encrypt data transmission between your website and its visitors. It helps prevent hackers from stealing sensitive data from the network.<\/li>\n<\/ul>
\nSuggested Reading<\/h4>\n
Check out our guide on how to install SSL certificate on Linux running CentOS 7<\/a>.<\/p>\n <\/div>\n\n\n\n<\/p>
Furthermore, Hostinger offers automated backups and live snapshots for easy data restoration in case of cyber attacks or other incidents.<\/p>
All of this is made easy with managed VPS security, which is recommended to most users. It means the provider handles all your hosting server security features, updates outdated software, and scans for malware. It keeps your VPS server secure with minimal effort.<\/p>
However, advanced users that want more flexibility and control over their VPS security can still benefit from Hostinger’s self-managed hosting. Users get root access to the VPS servers – plus, we offer a dedicated technical support team for assistance.<\/p>
![\"\"](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2023\/02\/VPS-hosting-banner.png\/public\")
<\/a><\/figure>2. Change the default SSH port<\/h3>
If you still use port 22 to access your virtual server via an SSH connection, hacking attempts may be more likely. This is because attackers can scan open ports to perform brute-force attacks and obtain SSH access to the remote server.<\/p>
We recommend changing your default SSH listening port to protect your data against automated attacks. Here’s how to change the SSH port<\/a>:<\/p>
- \n
- Open Terminal <\/strong>and log in to SSH.<\/li>\n\n\n\n
- Run the following command to edit the service configuration file:<\/li>\n<\/ol>
nano \/etc\/ssh\/sshd_config<\/pre>
- \n
- Locate the line that reads Port 22<\/strong>.<\/li>\n\n\n\n
- Replace 22 <\/strong>with a new port number and remove #<\/strong>.<\/li>\n<\/ol>
![\"The](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/06\/SSHport1026-1.png\/public\")
<\/a><\/figure><\/div>- \n
- Save the changes and exit.<\/li>\n\n\n\n
- Enter the following command to restart the service:<\/li>\n<\/ol>
- \n
- For Debian and Ubuntu<\/strong><\/li>\n<\/ul>
service ssh restart<\/pre>
- \n
- For CentOS and Red Hat Enterprise Linux (RHEL)<\/strong><\/li>\n<\/ul>
systemctl restart sshd.service<\/pre>
- \n
- Log in to SSH using the new port to check if the changes were applied successfully.<\/li>\n<\/ol>
3. Disable root login<\/h3>
Linux VPS has a root user that possesses the most privileges on the operating system and can modify any aspect of the server. Cyber criminals might target this user to gain full access to the server.<\/p>
Deactivating this account helps improve root access security, safeguarding your server from brute-force attacks. However, we recommend creating an alternative username with the privilege to execute root-level commands for server configuration purposes.<\/p>
Follow the steps below to disable root login:<\/p>
- \n
- Open Terminal <\/strong>and log in to your SSH account.<\/li>\n\n\n\n
- To open and edit the configuration file, run the following command using the nano<\/strong> or vi <\/strong>text editor:<\/li>\n<\/ol>
nano \/etc\/ssh\/sshd_config<\/pre>
- \n
- Find the following parameter and change it to no <\/strong>to disable the root login:<\/li>\n<\/ol>
PermitRootLogin=no<\/pre>
- \n
- Run the following commands to save the changes and restart the SSH service:<\/li>\n<\/ol>
- \n
- For Debian and Ubuntu<\/strong><\/li>\n<\/ul>
service ssh restart<\/pre>
- \n
- For CentOS and Red Hat Enterprise Linux (RHEL)<\/strong><\/li>\n<\/ul>
systemctl restart sshd.service<\/pre>
4. Use strong passwords<\/h3>
Passwords containing information about your identity or simple passphrases are easy to guess. To prevent successful brute-force attacks, create a long and complicated password with several elements, such as numbers and special characters.<\/p>
You can use tools like NordPass<\/a> to easily create and store strong passwords. These IT tools<\/a> provide various customization options, such as limiting the password length and the used characters.<\/p>
Don’t use the same password for more than one account, and remember to change it regularly, ideally once every three months<\/a>. In addition, avoid sharing login credentials for accounts with root privileges to prevent unauthorized server modification.<\/p>
5. Start using SSH keys<\/h3>
If you’re only using a password to log in, you may become the target of sniffing attacks. To avoid this, use SSH keys<\/a> instead of a password for VPS authentication.<\/p>
These encryption keys are additional login credentials for securing an SSH connection on VPS. Since they’re computer-generated, they can be up to 4096 bits long. That means they are more complex and harder to decipher than a manual root password.<\/p>
SSH keys come in two sets – public <\/strong>and private<\/strong>. The former is saved on the server, while the latter is stored on the user’s machine. When the server detects a login attempt, it will generate a random string and encrypt it with a public key. The encrypted message only decrypts using the associated private key.<\/p>
Here’s how to generate an SSH key on a Linux server:<\/p>
- \n
- Open the Terminal<\/strong> application and log in to SSH.<\/li>\n\n\n\n
- To generate public and private keys, enter the following command:<\/li>\n<\/ol>
ssh-keygen -t rsa<\/pre>
- \n
- Once a reply appears, hit Enter<\/strong>:<\/li>\n<\/ol>
Enter file in which to save the key (\/root\/.ssh\/id_rsa):<\/pre>
- \n
- You will be prompted to fill in a passphrase twice. If you don’t have it, press Enter <\/strong>twice.<\/li>\n<\/ol>
Enter passphrase (empty for no passphrase):<\/pre>
Enter same passphrase again:<\/pre>
- \n
- Your private and public keys are now saved successfully.<\/li>\n<\/ol>
If you are using Hostinger VPS, you can ask Kodee AI assistant <\/strong>to list, add, and remove SSH keys on your server. Simply ask it, “Add this new SSH key to my VPS: your-ssh-key,” and it will handle the task. <\/p>
6. Setup an internal firewall (IP tables)<\/h3>
Since HTTP traffic has various origins, setting up a firewall for VPS helps filter the requests to ensure only legitimate visitors can access your system. Doing so helps you avoid malicious traffic and potential DDoS attacks.<\/p>
Linux distributions<\/a> come with an internal firewall service called iptables<\/a>. This tool monitors traffic from and to your server using tables. It employs rules called chains to filter incoming and outgoing data packets.<\/p>
It lets you adjust firewall rules according to your needs. Here’s how to install and check the current iptables configuration on Ubuntu:<\/p>
- \n
- Open Terminal <\/strong>and log in to SSH.<\/li>\n\n\n\n
- Run the following command to install iptables:<\/li>\n<\/ol>
sudo apt-get install iptables<\/pre>
- \n
- After the installation is complete, enter the following command:<\/li>\n<\/ol>
sudo iptables -L -v<\/pre>
Terminal will output a list of all iptables rules in detail. Here’s what the output may look like:<\/p>
![\"Current](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/05\/Current-rules-of-iptables.png\/public\")
<\/a><\/figure><\/div>7. Configure your UFW<\/h3>
The Uncomplicated Firewall (UFW)<\/a> is a built-in application on Ubuntu that acts as the front end for iptables. Simply put, it will deny all incoming connections and allow outgoing ones, decreasing the risk of potential threats.<\/p>
You can modify and add rules to the firewall according to your preferences. Here’s how to enable it:<\/p>
- \n
- Open Terminal <\/strong>and connect via SSH.<\/li>\n\n\n\n
- Type the following command to enable UFW and press Enter<\/strong>:<\/li>\n<\/ol>
sudo ufw enable<\/pre>
- \n
- If the reply states that the command was not found, install the firewall using this command:<\/li>\n<\/ol>
sudo apt-get install ufw<\/pre>
- \n
- Once the installation is complete, run the command from step two to enable UFW.<\/li>\n\n\n\n
- Verify the firewall status using the following command:<\/li>\n<\/ol>
sudo ufw status<\/pre>
![\"Checking](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/05\/Checking-UFW-firewall-status.png\/public\")
<\/a><\/figure><\/div>Alternatively, use our integrated VPS Firewall on hPanel. Select your VPS and go to Security<\/strong> →<\/strong> Firewall<\/strong> on the left side menu:<\/p>
![\"Hostinger's](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/05\/vps-firewall-side-menu.png\/public\")
<\/a><\/figure><\/div>Then, create a new firewall configuration. Once created, select the Edit<\/strong> button:<\/p>
![\"Hostinger's](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/05\/vps-firewall-edit-button.png\/public\")
<\/a><\/figure><\/div>Lastly, create any preferred rules:<\/p>
![\"Hostinger's](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/05\/vps-firewall-configuration.png\/public\")
<\/a><\/figure><\/div>Alternatively, Hostinger VPS users can easily configure their server firewall by asking Kodee AI assistant. For example, you can ask it to “List all active firewall rules on my VPS” or “Create a new firewall rule that allows connections to port 12345 <\/strong>from any IP address.”<\/p>
We also recommend installing Suricata on your Ubuntu system<\/a>. This tool automatically identifies malicious traffic on your network and its sources, which you can later include in the UFW blocklist. <\/p>
8. Using SFTP instead of FTP<\/h3>
While commonly used, the file transfer protocol<\/a> (FTP) connection is unsafe due to the lack of encryption. Even though FTP over transport layer security (TLS) or FTPS encrypts the login credentials, it doesn’t secure the file transmission.<\/p>
As a result, using either of these connections may put your data at risk. Hackers can easily perform a sniffing attack to steal your login credentials and intercept file transfers.<\/p>
To avoid this, use the secure file transfer protocol<\/a> <\/strong>(SFTP) instead. It encrypts all data, including the credentials and transferred files. Furthermore, SFTP protects users from man-in-the-middle attacks, as the client needs to be authenticated before accessing the system.<\/p>
Follow these steps to set up a secure file transfer protocol connection:<\/p>
- \n
- Open Terminal <\/strong>and log in to SSH.<\/li>\n\n\n\n
- Initiate an SFTP connection by using this command:<\/li>\n<\/ol>
sftp user@server_ipaddress<\/pre>
or<\/p>
sftp user@remotehost_domainname<\/pre>
- \n
- If you’re using a custom port, run the following command:<\/li>\n<\/ol>
sftp -oPort=customport user@server_ipaddress<\/pre>
or<\/p>
sftp -oPort=customport user@remotehost_domainname<\/pre>
Once you’re connected, an SFTP prompt will appear like the following:<\/p>
![\"The](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/05\/Connecting-using-SFTP.png\/public\")
<\/a><\/figure><\/div>9. Set up Fail2Ban<\/h3>
The security software Fail2Ban<\/a> monitors system logs and blocks hackers after multiple failed logins. In addition, it protects servers against DoS, DDoS, dictionary, and brute-force attacks. Fail2Ban uses iptables and a firewall to ban IP addresses.<\/p>
Follow these steps to set up the Fail2Ban software package on Ubuntu:<\/p>
- \n
- Open Terminal <\/strong>and start an SSH connection.<\/li>\n\n\n\n
- Input the following command to install the Fail2Ban software package:<\/li>\n<\/ol>
sudo apt-get install fail2ban<\/pre>
- \n
- The following output will appear. Type Y <\/strong>and hit Enter<\/strong>.<\/li>\n<\/ol>
Do you want to continue? [Y\/n] y<\/pre>
- \n
- Once the installation is finished, verify the status by running the following command:<\/li>\n<\/ol>
sudo systemctl status fail2ban<\/pre>
If the Fail2Ban software package is active and running, Terminal should return the following:<\/p>
![\"An](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/05\/Checking-Fail2Ban-status.png\/public\")
<\/a><\/figure><\/div>10. Install an antivirus<\/h3>
In addition to setting up a firewall to filter incoming traffic, it’s important to monitor files in your VPS. Virus attacks are one of the main Linux server vulnerabilities, and they can potentially target your servers and damage your data.<\/p>
That makes installing an antivirus especially crucial. Many options are available, but the most notable one is ClamAV<\/a>. It’s open-source and used to detect suspicious activity and quarantine unwanted files.<\/p>
Important!<\/strong> Don’t enable ClamAV if your VPS has less than 2 GB of spare RAM. Doing so may consume all the remaining memory, crashing your server.<\/p><\/div>\n\n\n\n<\/p>
Follow these instructions to install ClamAV on CentOS:<\/p>
- \n
- Open Terminal <\/strong>and log in to SSH.<\/li>\n\n\n\n
- Install Extra Packages for Enterprise Linux (EPEL) using this command:<\/li>\n<\/ol>
sudo yum -y install epel-release<\/pre>
- \n
- The Complete!<\/strong> output will signal that the EPEL installation is done. Press Enter <\/strong>to create a new line.<\/li>\n\n\n\n
- Enter the following command to clear all cached information:<\/li>\n<\/ol>
sudo yum clean all<\/pre>
- \n
- Run the command below to install ClamAV:<\/li>\n<\/ol>
sudo yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd<\/pre>
A Complete!<\/strong> line will appear, indicating that the installation is finished and ClamAV is running. Here’s how the final output should look:<\/p>
![\"Terminal](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/05\/ClamAV-installation-is-finished.png\/public\")
<\/a><\/figure><\/div>11. Use a malware scanner<\/h3>
While an antivirus protects your VPS from threats like trojans and worms, it may be unable to detect newer exploits like zero-day malware<\/a>.<\/p>
To enhance your VPS security, pair an antivirus with a malware scanner. This type of software updates the detection rule faster<\/a>, allowing it to distinguish newer threats on your system.<\/p>
Linux supports various malware scanners, which you must install manually via Terminal. At Hostinger, all our VPS plans include a free Monarx<\/strong> malware scanner. The tool’s graphical user interface makes it easy to use, especially for non-technical users.<\/p>
<\/a><\/figure>After setting up your VPS, follow these steps to install Monarx:<\/p>
- Enter the following command to clear all cached information:<\/li>\n<\/ol>
- Install Extra Packages for Enterprise Linux (EPEL) using this command:<\/li>\n<\/ol>
- Open Terminal <\/strong>and log in to SSH.<\/li>\n\n\n\n
- Once the installation is finished, verify the status by running the following command:<\/li>\n<\/ol>
- Input the following command to install the Fail2Ban software package:<\/li>\n<\/ol>
- Open Terminal <\/strong>and start an SSH connection.<\/li>\n\n\n\n
- Initiate an SFTP connection by using this command:<\/li>\n<\/ol>
- Open Terminal <\/strong>and log in to SSH.<\/li>\n\n\n\n
- Type the following command to enable UFW and press Enter<\/strong>:<\/li>\n<\/ol>
- Open Terminal <\/strong>and connect via SSH.<\/li>\n\n\n\n
- Run the following command to install iptables:<\/li>\n<\/ol>
- Open Terminal <\/strong>and log in to SSH.<\/li>\n\n\n\n
- Your private and public keys are now saved successfully.<\/li>\n<\/ol>
- You will be prompted to fill in a passphrase twice. If you don’t have it, press Enter <\/strong>twice.<\/li>\n<\/ol>
- To generate public and private keys, enter the following command:<\/li>\n<\/ol>
- Open the Terminal<\/strong> application and log in to SSH.<\/li>\n\n\n\n
- For CentOS and Red Hat Enterprise Linux (RHEL)<\/strong><\/li>\n<\/ul>
- For Debian and Ubuntu<\/strong><\/li>\n<\/ul>
- Run the following commands to save the changes and restart the SSH service:<\/li>\n<\/ol>
- To open and edit the configuration file, run the following command using the nano<\/strong> or vi <\/strong>text editor:<\/li>\n<\/ol>
- Open Terminal <\/strong>and log in to your SSH account.<\/li>\n\n\n\n
- Log in to SSH using the new port to check if the changes were applied successfully.<\/li>\n<\/ol>
- For CentOS and Red Hat Enterprise Linux (RHEL)<\/strong><\/li>\n<\/ul>
- For Debian and Ubuntu<\/strong><\/li>\n<\/ul>
- Replace 22 <\/strong>with a new port number and remove #<\/strong>.<\/li>\n<\/ol>
- Run the following command to edit the service configuration file:<\/li>\n<\/ol>
- Suhosin PHP hardening <\/strong>– a module that fortifies your PHP applications against vulnerabilities that cyber criminals often exploit to launch an attack. It also patches PHP flaws to help reduce the risk of successful hacking attempts.<\/li>\n\n\n\n
- Web application firewall<\/strong> – <\/strong>a dedicated security feature that analyzes and filters incoming requests based on predefined security rules. It adds extra protection to your server, ensuring only legitimate and secure traffic reaches your websites.<\/li>\n\n\n\n
- Sniffing attack<\/strong> – a cyber attack that happens when a hacker uses packet sniffers to intercept and extract data from a network.<\/li>\n\n\n\n
![\"Hostinger's](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/05\/vps-malware-scanner-screen.png\/public\")
<\/a><\/figure><\/div>