Securing your VPS is essential to protect your data and ensure the stability of everything hosted on it, including websites and email. Although we make every effort to provide you with a secure environment from the outset, there are many additional steps you can take to further harden your virtual private server against potential vulnerabilities and attacks. In the guide below, we feature some key steps for securing your VPS, applicable to both cPanel and Plesk control panels.
Regular Software Updates
Keeping your software up to date is crucial for securing your VPS. Both cPanel and Plesk provide tools to apply updates easily via their web interfaces, or you can perform updates from the command line over SSH. Updates include critical security patches and can also improve VPS performance. Regularly updating both the control panel and the server software (e.g. Apache/NGINX, MySQL, PHP) closes vulnerabilities that could otherwise allow the server to be compromised.
On an AlmaLinux server you can update the operating system and installed packages with the following command using dnf.
dnf update -y
Also, cPanel can be manually updated on your VPS over SSH with the upcp script, as shown below.
/usr/local/cpanel/scripts/upcp
Similarly, you can update Plesk and its components with the plesk installer command.
plesk installer install-all-updates
Install CSF (ConfigServer Security & Firewall)
CSF is a robust firewall management tool specifically designed for cPanel. It simplifies the process of managing IP blocking, whitelisting, and brute force protection. While cPanel’s native tool, cPHulk, provides some basic protection, CSF takes security a step further with more advanced configuration options. Installing and configuring CSF should be one of your first actions after setting up your server.
Enable cPHulk for Brute Force Protection
cPHulk is a built-in brute force protection tool that guards essential services like email, cPanel, WHM, and SSH. Although its features are basic compared to CSF, enabling it adds an extra layer of security against brute force attacks.
Install Fail2Ban
Fail2Ban is an essential security add-on for Plesk. It monitors log files for malicious activity and automatically bans IPs exhibiting suspicious behaviour. While it may not be as comprehensive as CSF on cPanel, it provides an effective first line of defence against brute force attacks on services like SSH, email, and Plesk logins. You can customise its settings, such as ban duration, to suit your needs.
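To make the Fail2Ban behaviour concrete, the following added example (not from the original guide and not Fail2Ban's own code) reproduces the core of an sshd jail: it counts failed password logins per source address in a log and reports the addresses that reach the jail's "maxretry" threshold. The log lines are constructed for this example in the format sshd writes to /var/log/secure on AlmaLinux; the function names, MAXRETRY and BANTIME values are illustrative, BANTIME being the setting you would tune in jail.local.

```shell
#!/bin/sh
# Added example: Fail2Ban-style detection over sshd log lines.
# Not part of the original guide or of Fail2Ban; names and values are illustrative.

MAXRETRY=3      # failures before a ban, the same meaning as Fail2Ban's maxretry
BANTIME=3600    # seconds a ban lasts; Fail2Ban's default is 600 (10m)

# Constructed sample log in /var/log/secure format. One address fails three
# times, one fails twice, and one legitimate key-based login is mixed in.
SAMPLE_LOG='Mar  3 10:01:02 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:09 vps sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:11 vps sshd[2110]: Accepted publickey for deploy from 198.51.100.20 port 40212 ssh2
Mar  3 10:03:40 vps sshd[2115]: Failed password for invalid user test from 192.0.2.55 port 60110 ssh2
Mar  3 10:04:02 vps sshd[2118]: Failed password for deploy from 192.0.2.55 port 60114 ssh2'

# offenders LOGFILE MAXRETRY prints "ADDRESS COUNT" for every source address
# with at least MAXRETRY failed password attempts, sorted by address.
# Only "Failed password" lines from sshd count; successful logins are ignored.
offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fail[$(i + 1)]++; break }
        }
        END { for (ip in fail) if (fail[ip] >= max) print ip, fail[ip] }
    ' "$1" | sort
}

# ban_report LOGFILE prints what a jail would do with each offender.
ban_report() {
    offenders "$1" "$MAXRETRY" | while read -r ip count; do
        echo "ban $ip for ${BANTIME}s ($count failures, threshold $MAXRETRY)"
    done
}

# Usage: sh detect.sh /var/log/secure  (runs against a real log when a path is given)
if [ -n "$1" ]; then
    ban_report "$1"
fi
```

A real jail also applies a "findtime" window, so only failures that fall within that many seconds of each other are counted; the example above counts over the whole file, which is the stricter reading. Raising BANTIME or lowering MAXRETRY in jail.local makes the jail more aggressive, at the cost of locking out a legitimate user who mistypes a password a few times.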
Manually Apply Updates
Unlike cPanel, Plesk doesn’t apply patches automatically. You will receive update notifications within the Plesk interface, but it’s important to install these updates manually to stay protected. You can do this through the Tools & Settings section in Plesk or via the Plesk installer over SSH. Regularly checking for and applying updates is crucial to maintain the latest security standards.
SSH Key Authentication
For added security, disable password-based SSH logins and enable SSH key authentication. This prevents brute force attacks on your SSH service from succeeding, since there is no password to guess. Make sure to use a strong private key and keep it stored securely.
Learn how to add an SSH key and disallow password-based authentication on your VPS.
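The following added example (not from the original guide) shows how the sshd side of that change can be applied and checked from the shell. The function names are hypothetical; the directives are standard OpenSSH keywords. It also disables keyboard-interactive authentication, because with PAM enabled that path can still prompt for a password even when PasswordAuthentication is off.

```shell
#!/bin/sh
# Added example: switch an sshd_config to key-only authentication.
# Not part of the original guide; function names are hypothetical.

# harden_sshd_config CONFIG_FILE rewrites the file in place and keeps a
# timestamped backup beside it. Use /etc/ssh/sshd_config on a live server.
harden_sshd_config() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$cfg.tmp.$$"
    {
        # OpenSSH uses the first value it reads for a keyword, so the hardened
        # directives go at the top. That also puts them ahead of any Include
        # line and keeps them out of a Match block at the end of the file,
        # which is where a blindly appended line would land.
        echo '# hardened by harden_sshd_config: key-only logins'
        echo 'PubkeyAuthentication yes'
        echo 'PasswordAuthentication no'
        echo 'ChallengeResponseAuthentication no'
        echo 'KbdInteractiveAuthentication no'
        # Drop the old top-level copies of those keywords (commented or not);
        # lines inside Match blocks are left alone.
        awk '
            /^[[:space:]]*Match[[:space:]]/ { in_match = 1 }
            !in_match && tolower($1) ~ /^#?(pubkeyauthentication|passwordauthentication|challengeresponseauthentication|kbdinteractiveauthentication)$/ { next }
            { print }
        ' "$cfg"
    } > "$tmp"
    mv "$tmp" "$cfg"
}

# sshd_setting CONFIG_FILE KEYWORD prints the effective top-level value
# (first occurrence wins, matching OpenSSH's own rule).
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Ask sshd to validate the file before restarting it. A config that sshd
# refuses to load would otherwise lock you out of the server.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}
```

Keep an existing SSH session open while you apply this, confirm that a key-based login works from a second session, and only then restart sshd; the backup file lets you revert if the key login fails.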
Set Up a Firewall
Both cPanel (via CSF) and Plesk (via Fail2Ban or other tools) allow you to configure firewall rules to restrict access to sensitive services. Always ensure that only trusted IPs can access critical services like SSH and control panel logins. If possible, implement IP whitelisting for added security.
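As an added example of IP whitelisting with CSF (not from the original guide and not CSF's own code), the functions below add trusted addresses to csf.allow using CSF's advanced rule syntax ("tcp|in|d=PORT|s=ADDRESS") and shrink the public TCP_IN port list in csf.conf. Dropping the SSH port from TCP_IN while listing the administrators' addresses in csf.allow means only those addresses can reach SSH, because an address in csf.allow is permitted regardless of the port lists. The function names and sample addresses are hypothetical; SSH is assumed to be on port 22, and the paths passed in here are temporary files rather than the real /etc/csf/csf.allow and /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example: restrict SSH to a CSF whitelist.
# Not part of the original guide or of CSF; names and addresses are hypothetical.

SSH_PORT=22   # assumption: change if SSH listens elsewhere

# Accept a dotted-quad IPv4 address with an optional /prefix, nothing else.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) exit 1
            exit 0
        }'
}

# csf_allow_ssh ALLOW_FILE ADDRESS... appends one allow rule per address,
# skips rules already present and writes nothing if any address is malformed.
csf_allow_ssh() {
    allow="$1"; shift
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "rejected address: $addr" >&2; return 1; }
    done
    for addr in "$@"; do
        rule="tcp|in|d=$SSH_PORT|s=$addr"
        # compare the whole rule token so 203.0.113.10 does not match 203.0.113.100
        if ! awk -v r="$rule" '$1 == r { found = 1 } END { exit !found }' "$allow" 2>/dev/null; then
            echo "$rule # trusted admin" >> "$allow"
        fi
    done
}

# csf_tcp_in CONF_FILE prints the current public inbound TCP port list.
csf_tcp_in() {
    sed -n 's/^TCP_IN = "\(.*\)"/\1/p' "$1"
}

# csf_restrict_tcp_in CONF_FILE PORTS replaces the TCP_IN list. Ports may be
# single numbers or ranges (e.g. 30000:35000), comma separated.
csf_restrict_tcp_in() {
    conf="$1"; ports="$2"
    case "$ports" in
        ""|*[!0-9,:]*) echo "bad port list: $ports" >&2; return 1 ;;
    esac
    tmp="$conf.tmp.$$"
    sed "s/^TCP_IN = \".*\"/TCP_IN = \"$ports\"/" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# After editing the real files: set TESTING = "0" in csf.conf (it starts at 1
# on a fresh install, which clears the rules on a timer) and run "csf -r" to reload.
```

Keep an existing session open while reloading, and confirm from a whitelisted address that SSH still answers before closing it; with the SSH port removed from TCP_IN, a typo in csf.allow locks everyone out.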
Use Two-Factor Authentication (2FA)
Both cPanel and Plesk support two-factor authentication (2FA). Enabling this adds an extra layer of security, requiring not just a password but also a verification code, typically sent to your phone or generated by an authentication app.
Regular Security Audits
Perform regular security audits to identify potential weaknesses. Both cPanel and Plesk offer security audit tools, but you can also use third-party services or hire professionals to conduct more in-depth reviews. Audits can help spot vulnerabilities you might have missed during your initial configuration.
Implement Antivirus Solutions
Tools like ClamAV can be installed on your VPS to provide antivirus protection against malware and viruses. Regular scans can help keep your server free from known threats.
Utilise Web Application Firewalls (WAFs)
Consider implementing ModSecurity as a WAF to protect your web applications against common vulnerabilities.
Regular Backups
Implement a robust backup strategy to ensure that you can restore your services quickly in the event of an attack or data loss.
By following these steps, you can ensure that your VPS is as secure as possible, helping to protect both your data and your users’ data from malicious attacks. Make security a routine part of your server management to stay ahead of evolving threats. With careful planning and diligent maintenance, you can create a secure environment for your hosted services.