5

I'll be starting to use a VPS for my web hosting this week, which is a big step-up for me since I've only used managed/shared services before. I've a bit of experience with Linux and I'm not afraid of the terminal, but this is a completely different environment from the one I'm used to operating in.

I'm mainly concerned about security... while there's not going to be anything critical there for a while, I do intend to make this a learning exercise. From what I know, I want to:

  • Configure user accounts with appropriate permissions,
  • Only allow certain ports to be opened (HTTP, HTTPS, FTP and/or FTPS and SSH),
  • Pay attention to directory/file permissions in the webroot of applications for the HTTP user

I haven't done much SSH/VNC so I intend to read up on that too. What advice could you offer me in my case? While I'd like this to be fairly generic, I'll be using Ubuntu Server 10.04, although I have the choice between CentOS and Debian (or Windows) as alternatives. Apache will be used for serving the websites.

tshepang
  • 65,642
Ross
  • 151
  • Just in case anyone looking at this question is using Linode as their VPS provider, they have instructions on how to copy their disk images to your local computer: https://library.linode.com/migration/ssh-copy – Paul D. Waite May 11 '13 at 00:06

3 Answers

6

Definitely review security with a good Linux Security Checklist as the first order of business. SANS publishes a nice one.

Second step is to get rid of packages that you won't use.

Third step is df -h and record how much disk space the install uses.

And then fourth step is to tar up the entire disk using the --exclude option to exclude the output tarball. For instance:

    tar --exclude=all.tar.gz -cvf - / | gzip -9 > all.tar.gz

Then download it and use it to make a clone system, more or less, that runs on Virtualbox or whatever VM environment you use. From this point on, test changes on the VM before applying to your VPS and take regular data backups. Don't change anything on the VM or the VPS without writing it down on paper in a logbook. Even the smallest change should be recorded.

  • Please complement these backup instructions with this answer: http://unix.stackexchange.com/questions/11028/backup-whole-hard-disk-linux/11086#11086 – Sergio Apr 20 '11 at 12:38
2

Double and triple check your firewall configuration. There are plenty of resources online for researching that.

Next, move SSH to a non-standard port. If your box is secure, this won't matter as much but you'll have less log spam from script kiddies. If there are security issues (able to log in as root, weak passwords, etc.) moving to a non-standard port will reduce the likelihood a script kiddie finds your ssh server. But again, this is only security through obscurity. So make sure you disable root login and have strong passwords, or disable password login altogether and use key-based authentication. If you need to leave ssh on 22, then install fail2ban or denyhosts to block brute force login attempts. Did I mention strong passwords?

Your most likely point of entry or compromise won't be through the OS or the services it runs, rather the software you present to the public. So your next priority is to stay current on updates to software such as wordpress, drupal, joomla and other third party applications. Also keep on top of security updates to your OS and Apache or whatever is powering your sites.

Lastly, throw in some precautions for catching anything that does get by. I'd suggest something like 'aide', which basically checksums your configuration files; take a peek at log files occasionally and watch for any weird spikes in activity.

Do these steps and read up a bit on a few sites (the pdf linked in the above comment would be a good start), and it doesn't take much to be way more secure than any shared hosting platform.

And if you really want to be secure, try to hack your own server sometime :)

tshepang
  • 65,642
Zeb
  • 259
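As an added example (not code from the answer or the asker), a small POSIX shell audit for the three sshd_config settings the answer above recommends checking: root login, password login and the listening port. The function names sshd_value and sshd_audit are my own, and the two sample config files are constructed for the demonstration; the audit assumes plain "Keyword value" lines and the global section before any Match block.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings the answer recommends.
# Sample configs below are constructed for the demonstration.

# Effective value of a directive. Models sshd's rule that the FIRST
# uncommented occurrence of a keyword wins and later repeats are ignored;
# parsing stops at the first Match block, which this model does not handle.
# $1 = file, $2 = directive (case-insensitive), $3 = value to report if absent.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match"  { exit }                # global section ends
        tolower($1) == key      { print $2; found = 1; exit }
        END                     { if (!found) print def }
    ' "$1"
}

# Print one line per weak setting; the return status is the number found.
sshd_audit() {
    f=$1 n=0
    [ "$(sshd_value "$f" PermitRootLogin unset)" = no ] ||
        { echo "$f: PermitRootLogin is not explicitly 'no'"; n=$((n+1)); }
    [ "$(sshd_value "$f" PasswordAuthentication unset)" = no ] ||
        { echo "$f: PasswordAuthentication is not 'no' (use keys, or add fail2ban)"; n=$((n+1)); }
    [ "$(sshd_value "$f" Port 22)" != 22 ] ||
        { echo "$f: sshd listens on port 22 (expect log spam; fail2ban advised)"; n=$((n+1)); }
    return "$n"
}

# Constructed samples. The weak one shows the first-occurrence trap: the
# later 'PermitRootLogin no' never takes effect.
WEAK_CONF=$(mktemp) HARD_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
# PasswordAuthentication no   <- commented out, so passwords stay enabled
PermitRootLogin no
EOF
cat >"$HARD_CONF" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    sshd_audit "$f" && echo "$f: no findings" || true
done
```

Run it against /etc/ssh/sshd_config on the VPS (and on the VM clone first, as the accepted answer suggests) and re-run after every edit, since a leftover earlier directive silently wins over the one you just added.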
1

Assuming that you choose to install Linux on your VPS, you might want to look into iptables for security. Just tailor it to the specific distro as the link I gave is for Debian/Ubuntu.

Installing other services would be fairly easy.

Good Luck!

tshepang
  • 65,642
icasimpan
  • 439