Securing your VPS is essential to protect your data and ensure the stability of all content on your VPS, including websites and email. Although we make every effort to provide you with a secure environment from the outset, there are many additional steps you can take to further harden your virtual private server against potential vulnerabilities and attacks. In the guide below, we feature some key steps for securing your VPS, applicable to both cPanel and Plesk control panels.
Regular Software Updates
Keeping your software up to date is crucial for securing your VPS. Both cPanel and Plesk provide tools to apply updates through their web interfaces, or you can apply updates from the command line over SSH. Updates include critical security patches and can also improve VPS performance. Regularly updating both the control panel and the server software (e.g. Apache/NGINX, MySQL, PHP) closes vulnerabilities that could otherwise allow the server to be compromised.
On an AlmaLinux server you can update the operating system and all installed packages with the following dnf command.
dnf update -y
cPanel itself can also be updated manually over SSH with the upcp script, as shown below.
/usr/local/cpanel/scripts/upcp
Similarly, you can update Plesk and its components with the Plesk installer command.
plesk installer install-all-updates
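As an added example that is not part of this guide, the three commands above can be combined into one cron-friendly script that runs the OS update, picks whichever control-panel updater is installed, and reports whether a reboot is pending. The log path, the "apply" argument and detecting the panel by its install directory (/usr/local/cpanel for cPanel, /usr/local/psa for Plesk) are assumptions; dnf needs-restarting comes from the dnf-plugins-core package.

```shell
#!/bin/sh
# Added example, not part of the original guide. Runs the OS update, then whichever
# control-panel updater is present, and reports whether a reboot is pending.
# Assumptions: the log path, the "apply" argument, and detecting the panel by its
# install directory (/usr/local/cpanel for cPanel, /usr/local/psa for Plesk).
set -eu

LOG=/var/log/vps-update.log   # assumed location

# Print cpanel, plesk or none. ROOT defaults to / and exists only so the detection
# can be exercised against a scratch directory.
detect_panel() {
    root=${1:-/}
    if [ -d "$root/usr/local/cpanel" ]; then
        echo cpanel
    elif [ -d "$root/usr/local/psa" ]; then
        echo plesk
    else
        echo none
    fi
}

# Map the detected panel to the update command given in this guide.
panel_update_command() {
    case "$(detect_panel "${1:-/}")" in
        cpanel) echo "/usr/local/cpanel/scripts/upcp" ;;
        plesk)  echo "plesk installer install-all-updates" ;;
        *)      echo "" ;;
    esac
}

run_updates() {
    echo "== $(date -u +%FT%TZ) operating system packages"
    dnf -y update
    cmd=$(panel_update_command /)
    if [ -n "$cmd" ]; then
        echo "== control panel: $cmd"
        $cmd        # word-split on purpose: the Plesk command has arguments
    else
        echo "== no control panel detected"
    fi
    # dnf needs-restarting (dnf-plugins-core) exits 1 when a reboot is required,
    # e.g. after a kernel or glibc update that running services have not picked up.
    if dnf needs-restarting -r >/dev/null 2>&1; then
        echo "== no reboot required"
    else
        echo "== REBOOT REQUIRED"
    fi
}

# Only act when explicitly asked, so the file can be sourced to reuse the functions.
if [ "${1:-}" = apply ]; then
    run_updates 2>&1 | tee -a "$LOG"
fi
```

Saved as, for instance, /usr/local/sbin/vps-update.sh (an assumed path), a weekly cron entry such as "0 4 * * 1 /usr/local/sbin/vps-update.sh apply" keeps both the OS and the panel current, and the REBOOT REQUIRED line in the log tells you when a patched kernel is not yet the running one.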
Install CSF (ConfigServer Security & Firewall)
CSF is a robust firewall management tool designed specifically for cPanel. It simplifies managing IP blocking, whitelisting, and brute force protection. While cPanel’s native tool, cPHulk, provides some basic protection, CSF takes security a step further with more advanced configuration options. Installing and configuring CSF should be one of your first actions after setting up your server.
Enable cPHulk for Brute Force Protection
cPHulk is a built-in brute force protection tool that guards essential services such as email, cPanel, WHM, and SSH. Although its features are basic compared to CSF, enabling it adds an extra layer of security against brute force attacks.
Install Fail2Ban
Fail2Ban is an essential security add-on for Plesk. It monitors log files for malicious activity and automatically bans IPs exhibiting suspicious behaviour. While it may not be as comprehensive as CSF on cPanel, it provides an effective first line of defence against brute force attacks on services such as SSH, email, and Plesk logins. You can customise its settings, such as ban duration, to suit your needs.
Manually Apply Updates
Unlike cPanel, Plesk doesn’t apply patches automatically. You will receive update notifications within the Plesk interface, but it’s important to install these updates manually to stay protected. You can do this through the Tools & Settings section in Plesk or via the Plesk installer over SSH. Regularly checking for and applying updates is crucial to maintain the latest security standards.
SSH Key Authentication
For added security, disable password-based SSH logins and enable SSH key authentication. This prevents brute force attacks on your SSH service. Make sure to use a strong private key and keep it stored securely.
Learn how to add an SSH key and disallow password-based authentication on your VPS.
Changing Default Ports
When your VPS is created, many of its services will be set to use default ports, which criminals actively scan for. SSH on port 22 is one such service, and because of the nature of SSH (i.e. root access), it’s best to change the default SSH port to enhance your VPS’s security.
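The two SSH steps above (key-only logins and a non-default port) can be applied with one script. This is an added example, not part of this guide: the directive names are standard OpenSSH ones, while the drop-in file name 00-hardening.conf, port 2222 and the CSF, firewalld and SELinux commands in the comments are assumptions about the target host. The detail worth knowing is that sshd keeps the first value it reads for a directive, and AlmaLinux 9 includes /etc/ssh/sshd_config.d/*.conf at the top of sshd_config, so a line appended to the end of the main file can silently lose to a vendor drop-in; writing a drop-in that sorts first avoids that.

```shell
#!/bin/sh
# Added example, not part of the original guide: switch sshd to key-only logins on a
# non-default port. Directive names are standard OpenSSH; the drop-in file name
# (00-hardening.conf), port 2222 and the firewall/SELinux commands below are assumptions.
set -eu

# Replace every active or commented definition of KEY in FILE with "KEY VALUE",
# or append one if the directive is absent, so exactly one definition remains.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# CONF_DIR is /etc/ssh in real use (a scratch copy when testing). sshd takes the
# FIRST value it sees for a directive, and EL9 puts "Include sshd_config.d/*.conf"
# at the top of sshd_config, so a drop-in that sorts before the vendor files wins.
# Prints the file it wrote.
harden_sshd() {
    conf_dir=$1; port=$2
    if [ -d "$conf_dir/sshd_config.d" ]; then
        target="$conf_dir/sshd_config.d/00-hardening.conf"
        : > "$target"
    else
        target="$conf_dir/sshd_config"
    fi
    set_sshd_option "$target" Port "$port"
    set_sshd_option "$target" PubkeyAuthentication yes
    set_sshd_option "$target" PasswordAuthentication no
    set_sshd_option "$target" ChallengeResponseAuthentication no   # no keyboard-interactive password prompts either
    set_sshd_option "$target" PermitRootLogin prohibit-password     # root may still log in, but only with a key
    echo "$target"
}

if [ "${1:-}" = apply ]; then
    # Before running: your public key must already be in ~/.ssh/authorized_keys, and keep
    # this session open until a second session on the new port succeeds.
    # Open the new port in the firewall first: CSF -> add 2222 to TCP_IN in /etc/csf/csf.conf
    # and run "csf -r"; firewalld -> firewall-cmd --permanent --add-port=2222/tcp && firewall-cmd --reload
    f=$(harden_sshd /etc/ssh 2222)
    semanage port -a -t ssh_port_t -p tcp 2222 || true     # SELinux label for the port (policycoreutils-python-utils)
    sshd -t                                                # syntax check; set -e aborts before restart on error
    sshd -T | grep -Ei '^(port|passwordauthentication) '   # the values sshd will actually use, drop-ins included
    systemctl restart sshd
    echo "wrote $f"
fi
```

sshd -T is the authoritative check: it prints the effective configuration after every Include has been processed, so if it still shows "passwordauthentication yes", some other file is being read first and needs the same edit.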
Set Up a Firewall
Both cPanel (via CSF) and Plesk (via Fail2Ban or other tools) allow you to configure firewall rules to restrict access to sensitive services. Always ensure that only trusted IPs can access critical services such as SSH and control panel logins. If possible, implement IP whitelisting for added security.
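The Fail2Ban tuning mentioned in the Install Fail2Ban section (ban duration and retry limits) and the IP whitelisting described here fit together in one added example, which is not part of this guide. It writes a Fail2Ban jail.local whose ignoreip list keeps trusted addresses from ever being banned, and generates csf.allow lines in CSF's advanced filter syntax that admit only trusted addresses to a port. The jail names sshd and recidive are the upstream Fail2Ban defaults; the addresses (documentation ranges), the 3600-second ban time and the output paths are constructed values, and using jail.local alongside the jails Plesk manages in its own interface is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original guide: keep trusted addresses out of the
# ban list and restrict a service to them. Jail names sshd/recidive are Fail2Ban's
# upstream defaults; csf.allow lines use CSF's documented advanced filter format.
# The IP addresses, ban time and file paths are constructed values.
set -eu

# Generate a jail.local: trusted addresses are never banned (ignoreip); everyone else
# is banned for BANTIME seconds after MAXRETRY failures inside findtime. recidive
# re-bans addresses that return after a ban expires, for a much longer period.
write_jail_local() {
    out=$1; trusted=$2; bantime=$3; maxretry=$4
    cat > "$out" <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 $trusted
bantime  = $bantime
findtime = 600
maxretry = $maxretry

[sshd]
enabled = true

[recidive]
enabled  = true
bantime  = 1w
findtime = 1d
maxretry = 3
EOF
    echo "$out"
}

# One csf.allow line: allow inbound tcp to PORT from IP. csf.allow entries are honoured
# even for ports removed from TCP_IN in csf.conf, so "drop the port from TCP_IN, add
# allow lines" turns a service into a whitelist-only one.
csf_allow_line() {
    port=$1; ip=$2; comment=$3
    printf 'tcp|in|d=%s|s=%s # %s\n' "$port" "$ip" "$comment"
}

# Lines for a whole list of "ip comment" pairs, ready to append to /etc/csf/csf.allow.
csf_allow_rules() {
    port=$1; shift
    while [ $# -ge 2 ]; do
        csf_allow_line "$port" "$1" "$2"
        shift 2
    done
}

if [ "${1:-}" = apply ]; then
    # Plesk (Fail2Ban): write the jail, reload, and list the jails that are active.
    write_jail_local /etc/fail2ban/jail.local "203.0.113.10 198.51.100.0/24" 3600 5
    fail2ban-client reload && fail2ban-client status
    # cPanel (CSF): whitelist the admin addresses for SSH on port 22, then reload the rules.
    csf_allow_rules 22 203.0.113.10 office 198.51.100.0/24 vpn-range >> /etc/csf/csf.allow
    csf -r
fi
```

Put your own management address in ignoreip (or csf.allow) before raising ban times: a mistyped password from the office with a long bantime and no ignoreip entry locks out the administrator just as effectively as an attacker.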
Use Two-Factor Authentication (2FA)
Both cPanel and Plesk support two-factor authentication (2FA). Enabling this adds an extra layer of security, requiring not just a password but also a verification code, typically sent to your phone or generated by an authentication app.
Regular Security Audits
Perform regular security audits to identify potential weaknesses. Both cPanel and Plesk offer security audit tools, but you can also use third-party services or hire professionals to conduct more in-depth reviews. Audits can help spot vulnerabilities you might have missed during your initial configuration.
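As an added example that is not part of this guide, here is a small read-only audit that re-checks the points from the earlier sections: whether sshd is still on port 22 with password logins on, whether any file under the web root is world-writable, and whether any account in the shadow file has an empty password. File paths are parameters so it can be run against copies; the live defaults (/etc/ssh/sshd_config, /var/www, /etc/shadow) are assumptions. It reads sshd_config with the same first-value-wins rule sshd applies, which is what makes an appended hardening line ineffective when an earlier line already set the directive.

```shell
#!/bin/sh
# Added example, not part of the original guide: a read-only audit of the settings
# covered earlier. Paths are parameters; the defaults are the usual live locations.
set -eu

# Effective value of an sshd directive: sshd uses the FIRST active definition it
# reads, so a hardening line placed below an earlier "PasswordAuthentication yes"
# changes nothing. Keywords are case-insensitive. Match blocks are not modelled.
sshd_effective() {
    file=$1; key=$2; default=$3
    v=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    printf '%s\n' "${v:-$default}"
}

# One line per finding for the directives this guide cares about.
audit_sshd() {
    file=$1
    [ "$(sshd_effective "$file" Port 22)" != 22 ] || echo "sshd: still on default port 22"
    [ "$(sshd_effective "$file" PasswordAuthentication yes)" = no ] || echo "sshd: password logins enabled"
    [ "$(sshd_effective "$file" PermitRootLogin prohibit-password)" != yes ] || echo "sshd: root login with password permitted"
}

# Regular files under DIR that any local user could modify (stays on one filesystem).
audit_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null | sed 's/^/world-writable: /'
}

# Accounts whose password field in a shadow-format file is empty (no password needed).
audit_empty_passwords() {
    awk -F: '$2 == "" { print "empty password: " $1 }' "$1"
}

run_audit() {
    sshd_conf=${1:-/etc/ssh/sshd_config}; web=${2:-/var/www}; shadow=${3:-/etc/shadow}
    audit_sshd "$sshd_conf"
    audit_world_writable "$web"
    audit_empty_passwords "$shadow"
}

# Number of findings; zero means every check passed.
count_findings() {
    run_audit "$@" | grep -c . || true
}

if [ "${1:-}" = apply ]; then
    run_audit
    echo "findings: $(count_findings)"
fi
```

The sshd check reads a single file; on a host that uses /etc/ssh/sshd_config.d/ drop-ins, compare its verdict with sshd -T, which prints the configuration sshd really runs with. A "findings: 0" line from a cron run is a cheap way to notice when a later change quietly re-enables password logins.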
Implement Antivirus Solutions
Tools such as ClamAV can be installed on your VPS to provide antivirus protection against malware and viruses. Regular scans can help keep your server free from known threats.
Utilise Web Application Firewalls (WAFs)
Consider implementing ModSecurity as a WAF to protect your web applications against common vulnerabilities.
Regular Backups
Implement a robust backup strategy to ensure that you can restore your services quickly in the event of an attack or data loss.
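cPanel and Plesk ship their own backup tools, so this added example (not part of this guide) concentrates on the two parts any backup strategy needs around the archive itself: an integrity checksum recorded at backup time, so a restore can first prove the archive is intact, and retention that deletes old copies by age but never drops below a minimum number of recent copies, so a backup job that silently stops cannot leave you with nothing. The source and staging paths, the 7-day/3-copy policy and the off-site rsync target are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: file-level backup with a recorded
# SHA-256 and age-based retention with a floor. Paths and the retention policy
# (7 days, keep at least 3) are assumptions; the rsync target is a placeholder.
set -eu

# Archive SRC into DEST/backup-<UTC timestamp>.tar.gz and store its SHA-256 beside it.
# Prints the archive path.
make_backup() {
    src=$1; dest=$2
    name="backup-$(date -u +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$dest"
    tar -czf "$dest/$name" -C "$src" .
    (cd "$dest" && sha256sum "$name" > "$name.sha256")
    echo "$dest/$name"
}

# Succeeds only if the archive still matches the checksum recorded when it was made,
# which catches corruption in storage and tampering before you restore from it.
verify_backup() {
    archive=$1
    (cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256")
}

# Delete archives older than KEEP_DAYS, but always leave the MIN_KEEP newest ones
# (newest first by the timestamp in the file name) untouched.
prune_backups() {
    dest=$1; keep_days=$2; min_keep=$3
    ls -1 "$dest"/backup-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((min_keep + 1))" |
    while IFS= read -r f; do
        # find prints the path only when the file is more than KEEP_DAYS days old
        if [ -n "$(find "$f" -mtime +"$keep_days" -print)" ]; then
            rm -f "$f" "$f.sha256"
            echo "pruned $f"
        fi
    done
}

count_backups() {
    ls -1 "$1"/backup-*.tar.gz 2>/dev/null | grep -c . || true
}

if [ "${1:-}" = apply ]; then
    a=$(make_backup /var/www /var/backups/vps)      # assumed source and local staging dir
    verify_backup "$a"
    prune_backups /var/backups/vps 7 3
    # Local copies disappear with the server if it is compromised or lost, so the copy
    # that matters is the one pushed elsewhere (placeholder host; keep its own retention).
    rsync -a /var/backups/vps/ backup@backup.example.net:vps/
    echo "backups on disk: $(count_backups /var/backups/vps)"
fi
```

Restore drills matter as much as the backups: run verify_backup on a copy pulled back from the off-site host now and then, and extract it somewhere harmless, so the first time you depend on the archive is not the first time anyone has opened it.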
By following these steps, you can ensure that your VPS is as secure as possible, helping to protect both your data and your users’ data from malicious attacks. Make security a routine part of your server management to stay ahead of evolving threats. With careful planning and diligent maintenance, you can create a secure environment for your hosted services.