Is it hard to maintain a VPS and have it up to date against security risks? Are there ways to simplify the tasks?

January 27, 2016 902 views
Security Linux Basics Control Panels Getting Started

I run my own website and am worried about the security concerns, this website will be commercial and will contain valuable information so I can't risk any breach. I've read many of the digitalocean tutorials, i've set up the accounts, disabled password login to use only ssh, use sftp, disabled remote root login, enabled firewall, added fail2ban, etc.

The problem is that i am not aware on what it takes for a server to have a very solid protection, i am willing to buy management software (if it simplifies other stuff much better) or hire a server admin if necessary, i don't expect it to cost a fortune tho, so this is pretty much my situation.


4 Answers

Keeping a VPS up to date is no different from keeping any server up to date.

The simplest means to do this is to have a routine cron job which runs an automated update (though you should be somewhat wary of just blindly installing package updates on Prod servers without having verified them on Dev boxen).

For example, one of my servers (CentOS 6) has the following entry as root in its crontab:

@weekly yum -y upgrade

It sounds like you're already on the right track. Just like a desktop system or laptop, the most important thing you can do is be sure you are keeping all of your software up to date. I'd recommend using OS provided packages for as much of your software as you can, since these are generally regularly updated. Also be sure to actually run package updates on a regular basis (either manually or via a cron job).

Some other things to consider:

  • Turn off any services that you aren't using. For example, my hosting control panel installs an FTP server by default; I only use SSH and SFTP (which is essentially FTP tunneled through SSH), so I've disabled the FTP server.
  • Be sure your firewall is configured to only allow public access to services that should be publicly accessible (if your website uses MySQL, for example, you'll need to have MySQL running, but you can usually block Internet access to port 3306 because localhost is the only thing that ever needs to connect to MySQL directly).
  • Configure Fail2Ban for all of your services--by default it only monitors SSH. Protip: Fail2Ban can be a great way to decrease spam if you have it block SMTP senders after X attempts to send to non-existant addresses. Legitimate servers that inadvertently get blocked will generally keep trying if they can't successfully send a message (just don't make your block last too long), spammers trying to send to a dictionary of possible email addresses will be continuously thwarted.
  • If you are running multiple web applications, consider running each one under a different user ID (using suexec) so that if one gets compromised it will have limited access to impact the others.
  • Be sure to monitor any software you install manually (not through OS repos) for new versions and patch as needed. This includes web applications, software you complie, and anything you may install from alternate sources like cpan (Perl), PyPi (Python), NPM (Node), etc.
  • If you have non-admin users accessing the server (such as if you're a web hosting company), consider using chroot "jails" to isolate users from each other and from sensitive system resources.
  • If you're really paranoid, there are tools available to alert you any time a file on the server changes. If you're alerted to a change in an important system file and you didn't make it, you might have an issue to investigate.

I'm sure I could think of more if I thought about it a little longer, but these should be a good start. Security, however, is a moving target. You want to stay at least one step ahead of the bad guys, so when they find a new way to attack, you need to have your artillery in place to meet them.

  • I really appreciate your comment and will take into account. Most likely i will hire someone who can administrate the server for me for some months and help me learn how to do it.

I asked on serverfault ( and they told me it takes a lot to learn from begining. I don't mind spending 2 days learning, i would also like to learn it, but my worry is if it takes a lot of time to learn.

I've been told that would be a good start for maintaining security automatically for you, especially their paid service

Have another answer? Share your knowledge.