VPS opens up some exiting capabilities compared to shared servers. Resources and configuration ability that shared server users can’t even imagine. But with that increase in power comes a corresponding increase in security concerns. Put another way, having more means more to lose.
A secure VPS is the responsibility of the provider and the clients. What should you look for in a provider? How much responsibility can you take on? What kind of support do you need?
The obvious downside is that you have root access to your server and can introduce weaknesses all by your lonesome. If other users on your providers network are not using good secure VPS practices it is axiomatic that the whole network may be compromised to some extant.
If you are a savvy sysadmin that kicks black hat booty with scars dating back to HTML 1.0, then maybe a start up with low fees is for you. For the rest of us we are looking for an ISP with a long track record of customer satisfaction, and some kind of third party evaluation we can verify. Especially a provider with a good history of VPS security.
First and foremost, pick strong passwords. You should use them, your provider should enforce them. You also want to do your basic server hardening tasks, or verify that the ISP has someone do it for you.
Does your VPS hosting service offer you strong firewalls? Are they hosting any phishing, warez or other “black hat” sites? How secure is their network, and will they let you test it or show you a report from a reputable security consultant? How is their redundancy? Ate your files safe in case of physical failure? How is the physical security of the provider? Can anyone just walk in off the street?
Assuming that all of these questions are answered to your satisfaction by your prospective ISP, do you know how to attend to your own VPS security?
This includes basics like disabling telnet, finger, installing a firewall and a web application firewall, having a tool to detect port scans, running ssh on other than port 22, using SFTP, fixing your open DNS recursion, edit host.conf to defeat IP spoofing, secure php, install ModEvasive, and definitely a robust anti-virus such as ClamAV.
Your admin chores should include running your anti-virus as a cron job, checking user uploads, and of course keeping an eye on logfiles for errors, lack of entries and all the usual suspects. There are many excellent tutorials on the web that can take you through all of these steps, especially for Linux VPS servers.
If you aren’t up to securing your VPS then you really need a provider that will do it for you. VPS hosting which leaves the client on their own isn’t a good idea for any site admin without some real world security experience. Because the Virtual Private Servers are emulators running on powerful hardware, they are by definition an attractive target. It may be advantageous to pay extra for a managed VPS solution.
To sum up, Virtual Private Servers offer a clear step up from a web server on a shared machine and cost advantages over a stand alone blade or box in a rack. Getting the most out of your VPS means having a secure VPS.
Now you know.