What do you think of VPS Security?

World Veteran
edited October 2013 in General

What do you think of VPS Security? How can I do it safely?

Comments

  • GuanYu Member
    edited October 2013

    http://lowendtalk.com/discussion/2253/building-the-ultimately-secure-vps-add-to-this-list

    Note: A real man doesn't care about security. In the true spirit of Web 2.0 leave server access open allowing strangers to interact and collaborate with each other.

  • The most important security: pick your provider wisely.
    All you do for VPS security is for naught if your provider is not secure and gets hacked easily.

  • Maounique Host Rep, Veteran

    It is the same as your home computer connected to the internet without a router. However, if the provider gets compromised, it is like thieves came into your house and looked at your computer (they can even steal it completely).

  • @Maounique said:
    It is the same as your home computer connected to the internet without a router. However, if the provider gets compromised, it is like thieves came into your house and looked at your computer (they can even steal it completely).

    The safe in a bank looks pretty secure, but they can still take away the whole safe... :D

  • It's pointless securing it if your host doesn't. Go with a reputable host. Look for reviews.

  • tchen Member
    edited October 2013
    1. Use at minimum 12-14 mixed alpha passwords with symbols.
    2. Change your root password from within the VPS, not solusvm.
    3. Recommended ssh-key only login for root. Optional.

    These are the bare minimum and usually taken for granted but it's worth repeating. SolusVM and WHMCS are so leaky in terms of their database, it's not funny anymore.

    Going the extra mile, raindog's thread has most of the bases covered. But I'd add using syslog-ng and shipping your logs off the VPS immediately so you can properly run tripwires/HIDS.

  • jar Patron Provider, Top Host, Veteran

    Real security isn't for shared servers and datacenters. Real security is disconnected and comes with a bullet for anyone who comes after it :P

    But for basic security, you mostly keep yourself off the radar by being different. A person with a simple password and an alternate ssh port goes without an intruder longer than the one with a simple password and port 22. Give people less reason to scan and brute force, and they'll do it less. Effective filtering for the actual humans to kick them out after a few failed attempts handles the rest.

  • rm_ IPv6 Advocate, Veteran
    edited October 2013

    What comes to mind when I see this thread title, is...

    • In OpenVZ the provider can stealthily view and instantly edit any file on your VPS.
    • In Xen/KVM the provider with some effort can view any file on your VPS, with some VPS downtime can edit any file.
    • In dedicated servers the provider with some effort and server downtime can view and edit any file on your server.

    ...In the first two cases "the provider" also includes anyone who managed to brute-force their 6 character dictionary word master password to the management panel...

    As you can see any "security" to speak of is pretty much impossible on VPSes (but in any case, forget about using OpenVZ right away); and it is debatable if it's possible to implement an encryption scheme on an untrusted remote host that can't be stealthily backdoored (because any decryption program you will run has to be first stored on that host, in the unencrypted part of its storage).

  • Perfect security is impossible, but if we're talking about something realistic like PCI compliance, then it's doable. You need to hit up an actual audited IaaS provider. Amazon AWS for instance has PCI DSS 2.0 so at least you can use their Xen (ec2) vps without having to worry about the intricacies of their host-node / network / management console security.

  • The safest is to unplug your VPS from the internet.
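
The key-only root login that tchen's comment recommends can be checked on the server side. The following Python audit is an added example, not code from the thread; it reads only the global section of an sshd_config (no Include or Match handling), and the function names and sample configurations are constructed for illustration.

```python
import re

# PermitRootLogin values that let root in by key but never by password.
ROOT_KEY_ONLY = {"prohibit-password", "without-password", "forced-commands-only"}

def global_settings(config_text):
    """Parse the global section of an sshd_config into {keyword: value}.

    Keywords are case-insensitive and sshd keeps the FIRST value it reads
    for a keyword, so later duplicates are ignored here too.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":      # per-user/host overrides start here
            break
        if len(parts) == 2:
            settings.setdefault(keyword, parts[1].strip().strip('"').lower())
    return settings

def audit(config_text):
    """Return a list of findings for root-login and password settings."""
    s = global_settings(config_text)
    findings = []
    root = s.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set explicitly")
    elif root != "no" and root not in ROOT_KEY_ONLY:
        findings.append(f"PermitRootLogin {root}: root is not limited to keys")
    if s.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s.get("pubkeyauthentication") == "no":
        findings.append("PubkeyAuthentication no: key login is disabled")
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = "Port 22\nPermitRootLogin prohibit-password\nPasswordAuthentication no\n"
# A later "fix" does nothing when an earlier line already set the keyword.
SHADOWED = "PermitRootLogin yes\nPasswordAuthentication no\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("shadowed", SHADOWED)):
        print(name, audit(cfg) or "ok")
```

The SHADOWED case is the one worth remembering: appending a corrected line to the end of the file changes nothing if the keyword already appears earlier.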
