Keeping your Linux server secure in 3 easy steps
- Tuesday, 8th September, 2020
Linux is an extremely secure operating system, however, that doesn't mean to say that it's wise to apply a "set and forget" mindset, as doing so could lead to a security breach, and data loss - costing your business time and money. It's for that reason that Ethernet Servers recommends all Linux VPS customers follow these 3 easy steps to maintain a secure, high-performance hosting environment.
- Use strong and unique passwords. As standard, we deploy all of our Linux VPS's with a 21-character randomly generated root password, which would take over 500 billion years to be cracked at today's standards. With that in mind, we do understand that remembering a password like this is not ideal, and so, changing it to something shorter may be more convenient. A short password can be secure, but try to include a variety of mixed case, symbols, and numbers, and ideally, ensure it is not a dictionary word.
You can have all the latest updates (more on that below) and security software, but with a weak root password, none of those things matter. Remember: security is a cumulative process.
- Keep your operating system up-to-date. On a typical out-the-box Linux system, whether that be CentOS, Debian, Ubuntu, and so on, you'll find there are typically security-related updates released at least once a week. This is no surprise given the number of packages involved in making Linux what it is - everything from the kernel, to the SSH protocol and systemd to sudo. You must keep up with the latest security updates.
This doesn't mean to say you need to be logging in and running
apt-get upgradedaily, as many distributions offer automated updates, for example using the unattended-upgrades feature in Debian or Ubuntu. The saying "if it isn't broke, don't fix it" is known by many, and whilst it might be tempting to avoid security updates to avoid the possibility of something wrong, as long as you maintain regular backups (which you should!), you'll always be safe in the unlikely event an unattended-upgrade causes problems.
- Restrict access as much as you can. Let's say you have a static IP address at your house or workplace, and you'll be the only person connecting to SSH, phpMyAdmin, WHM - whatever it might be - consider locking down those daemons to your IP address. The exact procedure for doing so will vary depending on what you're looking to lockdown. To achieve this with SSH, for example, you could use iptables. In the case of phpMyAdmin, this can typically be done with the phpmyadmin.conf file. And for WHM, you'll want to use Host Access Control.
With that in mind, you'll want to ensure that you have a plan to fall back on in case your IP address changes. Typically there are ways around this, for example, we provide an SSL secured HTML 5 serial console that authenticated customers can use to access their servers if that they get locked out via SSH.
We hope this short guide has been helpful! Please feel free to contact us if you'd like to know how we can help secure your critical infrastructure, or if you have any questions about our products and services! We're here to help - 24/7/365.