Securing Publicly Accessible Services on Your VPS

Updated 3 months ago

Overview

This guide covers how to secure services and fix common vulnerabilities detected on your VPS. Services like MySQL, PostgreSQL, Redis, and web servers may be configured to accept connections from any IP address, creating security risks.

Database Vulnerabilities

MySQL

Issue: MySQL is accepting connections from all IP addresses (0.0.0.0)

Solution:

1. Open the MySQL configuration file:

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

2. Update the bind address:

bind-address = 127.0.0.1

3. Restart the service:

sudo systemctl restart mysql

PostgreSQL

Issue: PostgreSQL is listening on all network interfaces

Solution:

1. Edit the PostgreSQL configuration:

sudo nano /etc/postgresql/*/main/postgresql.conf

2. Update the listen addresses:

listen_addresses = 'localhost'

3. Restart the service:

sudo systemctl restart postgresql

MongoDB

Issue: MongoDB is publicly accessible

Solution:

1. Edit the MongoDB configuration:

sudo nano /etc/mongod.conf

2. Update the network binding:

net:
  bindIp: 127.0.0.1

3. Restart the service:

sudo systemctl restart mongod

Redis

Issue: Redis is bound to all interfaces

Solution:

1. Open the Redis configuration:

sudo nano /etc/redis/redis.conf

2. Update the bind address:

bind 127.0.0.1

3. Ensure protected mode is enabled:

protected-mode yes

4. Restart the service:

sudo systemctl restart redis

Search and Caching Services

Elasticsearch

Issue: Elasticsearch is accepting external connections

Solution:

1. Edit the Elasticsearch configuration:

sudo nano /etc/elasticsearch/elasticsearch.yml

2. Set the network host:

network.host: 127.0.0.1

3. Restart the service:

sudo systemctl restart elasticsearch

Memcached

Issue: Memcached is listening on all interfaces

Solution:

1. Edit the Memcached configuration:

sudo nano /etc/memcached.conf

2. Update the listen address:

-l 127.0.0.1

3. Restart the service:

sudo systemctl restart memcached

Web Server Vulnerabilities

HTTP Server Information Disclosure

Issue: Web server is exposing version information and sensitive details

Apache

1. Edit the security configuration:

sudo nano /etc/apache2/conf-available/security.conf

2. Add or update:

ServerTokens Prod
ServerSignature Off

3. Disable directory listing:

<Directory /var/www/>
    Options -Indexes
</Directory>

4. Restart Apache:

sudo systemctl restart apache2

Nginx

1. Edit the Nginx configuration:

sudo nano /etc/nginx/nginx.conf

2. Add inside the http block:

server_tokens off;

3. Restart Nginx:

sudo systemctl restart nginx

<h2″>SSL/TLS Vulnerabilities

POODLE Vulnerability (SSLv3)

Issue: Server allows vulnerable SSLv3 protocol

Apache

1. Edit SSL configuration:

sudo nano /etc/apache2/mods-available/ssl.conf

2. Update SSL protocols:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

3. Restart Apache:

sudo systemctl restart apache2

Nginx

1. Edit site configuration:

sudo nano /etc/nginx/sites-available/default

2. Add or update in server block:

ssl_protocols TLSv1.2 TLSv1.3;

3. Restart Nginx:

sudo systemctl restart nginx

FREAK Vulnerability (Weak Ciphers)

Issue: Server allows weak export-grade cipher suites

Apache

1. Edit SSL configuration:

sudo nano /etc/apache2/mods-available/ssl.conf

2. Update cipher suite:

SSLCipherSuite HIGH:!aNULL:!MD5:!EXP:!LOW:!MEDIUM

3. Restart Apache:

sudo systemctl restart apache2

Nginx

1. Edit site configuration:

sudo nano /etc/nginx/sites-available/default

2. Add or update:

ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;

3. Restart Nginx:

sudo systemctl restart nginx

Authentication and Secrets

Bad Secrets / Weak Credentials

Issue: Default credentials, weak passwords, or exposed secrets detected

Database Credentials

Change MySQL user password:

mysql -u root -p
ALTER USER 'username'@'localhost' IDENTIFIED BY 'NewStrongPassword123!';
FLUSH PRIVILEGES;

Environment Files

1. Find exposed .env files:

sudo find /var/www -name ".env" -type f

2. Secure permissions:

sudo chmod 600 /var/www/your-site/.env

Best Practices

  • Use passwords with minimum 12 characters
  • Include uppercase, lowercase, numbers, and symbols
  • Rotate API keys regularly
  • Use a password manager

Mail Server Security

SMTP Open Relay / Authentication Issues

Issue: Mail server may be configured as an open relay or lacks proper authentication

Postfix

1. Edit the configuration:

sudo nano /etc/postfix/main.cf

2. Add or update:

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

3. Restart Postfix:

sudo systemctl restart postfix

Exim

1. Edit the configuration:

sudo nano /etc/exim4/update-exim4.conf.conf

2. Update relay networks:

dc_relay_nets='127.0.0.1'

3. Apply changes:

sudo update-exim4.conf
sudo systemctl restart exim4

Firewall Configuration

Additional Security Layer

Allow SSH and enable firewall:

sudo ufw allow ssh
sudo ufw enable

Allow remote access from trusted IP only:

sudo ufw allow from <YOUR_IP> to any port 3306

Verification

Test SSL/TLS Configuration

Visit: https://www.ssllabs.com/ssltest/

Check Open Ports

sudo netstat -tuln

Review Active Services

sudo systemctl list-units --type=service --state=running