Securing a VPS

Securing a VPS

Securing a VPS: Best Practices for Enhanced Security

A Virtual Private Server (VPS) is a powerful solution for hosting websites and applications. However, securing it is essential to protect your data, users, and reputation. Follow these guidelines to harden your VPS security effectively:

1. Disable Root Login

The root account has unlimited privileges, making it a prime target for attackers. Disabling root login reduces the risk of unauthorized access.

Steps:

1. Open the SSH configuration file:

   sudo nano /etc/ssh/sshd_config
   

2. Find and update the following line:

   PermitRootLogin no
   

3. Restart the SSH service:

   sudo systemctl restart sshd
   

2. Open Only Necessary Ports

Restricting open ports reduces the server's attack surface. Allow only essential ports like SSH (22), HTTP (80), HTTPS (443), and DNS (53).

Steps:

1. Configure the firewall using ufw:

   sudo ufw allow 22    # SSH
   sudo ufw allow 80    # HTTP
   sudo ufw allow 443   # HTTPS
   sudo ufw allow 53    # DNS
   sudo ufw enable
   

2. Check the active rules:

   sudo ufw status
   

3. Restrict Access to Sensitive Files

Sensitive files like /etc/passwd, wp-config.php, and others should have limited access.

Steps:

1. Restrict wp-config.php:

   sudo chmod 600 /var/www/html/wp-config.php
   sudo chown www-data:www-data /var/www/html/wp-config.php
   

2. Verify permissions for other critical files:

   ls -l /etc/passwd
   

4. Disable Unnecessary Modules

Unnecessary modules like autoindexing expose directory listings, which can reveal sensitive data.

Steps (for Apache):

1. Disable autoindex:

   sudo a2dismod autoindex
   

2. Restart Apache:

   sudo systemctl restart apache2
   

5. Harden PHP Configuration

Securing PHP prevents exposure of sensitive information and reduces vulnerabilities.

Steps:

1. Open the PHP configuration file:

   sudo nano /etc/php/7.x/apache2/php.ini
   

   (Replace 7.x with your PHP version.)

2. Make these changes:

   expose_php = Off
   disable_functions = exec,passthru,shell_exec,system
   

3. Restart the server:

   sudo systemctl restart apache2
   

6. Install and Activate SSL

SSL encrypts communication between the server and clients, enhancing security.

Steps (using Let’s Encrypt):

1. Install Certbot:

   sudo apt install certbot python3-certbot-apache
   

2. Generate and apply the SSL certificate:

   sudo certbot --apache
   

3. Verify SSL is active:

   sudo certbot renew --dry-run
   

7. Update WordPress Files & Folder Permissions

Incorrect permissions can allow unauthorized users to modify critical files.

Recommended WordPress Permissions:

1. Update permissions for folders:

   sudo find /var/www/html/ -type d -exec chmod 755 {} \;
   

2. Update permissions for files:

   sudo find /var/www/html/ -type f -exec chmod 644 {} \;
   

8. Secure wp-config.php Access

This file contains sensitive credentials and should not be accessed publicly.

Steps:

1. Restrict access in .htaccess:

   <Files wp-config.php>
       Order Allow,Deny
       Deny from all
   </Files>
   

2. Save the .htaccess file in the root WordPress directory.

9. Install Fail2Ban for Brute-Force Protection

Fail2Ban monitors logs and bans IPs attempting brute-force attacks.

Steps:

1. Install Fail2Ban:

   sudo apt install fail2ban
   

2. Configure Fail2Ban for SSH:

   sudo nano /etc/fail2ban/jail.local
   

   Add:

   [sshd]
   enabled = true
   port = ssh
   filter = sshd
   logpath = /var/log/auth.log
   maxretry = 3
   

3. Restart Fail2Ban:

   sudo systemctl restart fail2ban
   

10. Install ClamAV for Malware Scanning

ClamAV helps detect and remove malware on your server.

Steps:

1. Install ClamAV:

   sudo apt install clamav clamav-daemon
   

2. Update the virus database:

   sudo freshclam
   

3. Scan your server:

   sudo clamscan -r /var/www/html
   

11. WordPress Security Configurations

To secure your WordPress installation further:

1. Install a security plugin like Wordfence or iThemes Security.
2. Enable two-factor authentication (2FA) for admin accounts.
3. Regularly update WordPress core, themes, and plugins.
4. Use strong, unique passwords for all accounts.

Conclusion

By following these steps, your VPS will be fortified against common threats. Regular maintenance, updates, and monitoring are critical for sustained security. Don’t just set it and forget it—stay vigilant to keep your VPS and WordPress site secure.