We all know that VPS cloud hosting is a wonderfully flexible solution for any user who demands great performance, flexibility, and hardened security to protect their investment. Whether the VPS is a virtual machine or a dedicated physical host, the threat is the same, and the threat is very real.
Hosting providers expect the user to manage and maintain the local operating system, user application code, and content, as well as security patches and software updates. The provider is responsible for the data center, redundancy capability, power, cooling, the network stack, the storage stack, cloud integration, internet connectivity, and so on.
As the provider controls so much of the physical environment, you expect the service to be architected to a very high standard: data integrity, server uptime guarantees, and a security-defined platform. You want to rest easy that the infrastructure is fault-tolerant and incredibly robust to external threats.
The provider looks after the cloud data center, and physical security is always high at a data center. Data centers are typically anonymous-looking buildings, protected by a perimeter fence, a security detail, and occasionally guard dogs. Access to the building is controlled: no one can just walk in, a minimum of 24 hours' notice is required, and the visitor must be on an approved visitor list.
Guests are chaperoned at all times, doors are protected by keycards and security codes, security cameras watch every corner. Inside the data center, the infrastructure is often locked in security cages, and the servers are also kept inside locked and alarmed racks.
The servers are often protected with a key lock to prevent unauthorized opening of the equipment, and in the unlikely event that someone manages to connect a KVM (Keyboard Video Mouse) to a server, the video output is protected because the servers operate in a lockdown mode, which leaves the KVM disabled until a remote engineer enables it server-side.
As the cloud provider is also responsible for servers, network, and storage, logical protections are implemented. The cloud infrastructure comprises many host hypervisors, and the cloud provider looks after the underlying operating systems; all access is audited and protected by complex passwords, default passwords are changed, and data is encrypted at the storage and network layers, making it hard to intercept and unusable even if it were intercepted.
On top of all this, all of the cloud infrastructure data is stored on highly redundant storage that is backed up and replicated offsite on a daily basis. Most providers offer optional DDoS protection, and some have a consultancy team that can advise on all manner of cybersecurity issues.
However, as some security practitioners might exclaim, a chain is only as secure as its weakest link. With VPS hosting, unfortunately, the weakest link is often the user, because ultimately it is the end user who manages the VPS, and that includes every local element of cybersecurity.
Arguably the most severe risk to virtual private server security is ransomware, viruses, and other types of malware. It does not matter how robust the provider’s cloud hosting infrastructure is: if the user ‘leaves the door open’ for an attack, the attacker’s traffic arrives as authenticated traffic and bypasses any in-place security.
The attack vectors of these types of malware vary; most successful breaches of Windows Servers involve a brute-force Remote Desktop (RDP) attack or API challenge password attacks. To reduce the risk of being targeted by malware, users must observe strict security best practices and get the basics right: recent evidence suggests that at least 30% of successful ransomware attacks were the result of a weak or guessable password.
Brute-force Remote Desktop (RDP) and API challenge exploits are nothing new; they are one of the most common methods of ransomware delivery. One of the most infamous breaches was the 2014 attack on Apple’s iCloud service, in which a brute-force API challenge succeeded many times over because no security measures were in place to track this kind of unusual behavior.
Cloud providers these days have introduced security measures such as an intelligent Intrusion Protection System (IPS) and Web Application Firewalls (WAF) that monitor, alert on, and drop traffic that a predefined security algorithm identifies as a significant threat.
The next greatest threat to your VPS is hardware and software vulnerabilities. Right now, there are hacking communities trying to exploit servers and infrastructure all over the world. This is why it is so important to patch your operating systems and applications, and to harden your server against exploits.
Manufacturers and vendor security teams are constantly releasing security updates to protect their software; updates are usually released monthly unless a major exploit is discovered that requires immediate remediation.
Reputable cloud providers conduct regular vulnerability and threat detection scanning of their entire cloud platform. The scans produce a list of known exploits that are applicable to the server or infrastructure, rank each threat by severity, and provide a how-to guide for remediation. The provider has a much bigger footprint to protect, and risks damaging its reputation if lapses in security are discovered.
The provider is responsible for firmware and microcode updates to server hardware, storage systems, network appliances, controllers, disks, and the hypervisor layer that hosts the VPS. The hypervisors are often a custom-built platform, but operating system updates are still needed, along with updates to the replication appliances, the backup nodes, and all the hardware that controls the hyper-converged networking, all under the constraint that the cloud VPS service must remain online throughout the maintenance windows.
Configure the cloud VPS server with strict network access controls; these are normally found on the cloud control panel. Ensure that remote desktop access is restricted to a predefined IP range, and drop all other port 3389 requests at the firewall level. Reduce the footprint of servers that have public-facing IP addresses: not every server needs RDP, so consider configuring one as a bastion or jump box into the environment.
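The access controls just described, as an added example that is not part of the original article: a Windows Firewall configuration, run in an elevated PowerShell session on the VPS, that allows RDP only from a management range and drops every other request to port 3389. The range 203.0.113.0/24 and the rule names are assumptions; substitute the addresses your administrators actually connect from. Apply it from the provider's console or control-panel session rather than over RDP, because a mistake in the range locks you out.

```powershell
# Added example, not from the original article. The management range and rule names are assumed.
$ManagementRange = '203.0.113.0/24'

# 1. Default-deny inbound on every profile: a port is reachable only when an explicit rule allows it.
#    This is what actually implements "drop all other port 3389 requests" (see the note on block rules).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Disable the built-in Remote Desktop rules, which allow 3389 from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 3. Allow 3389 only from the management range.
New-NetFirewallRule -DisplayName 'RDP - management range only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ManagementRange -Action Allow -Profile Any

# Do NOT add a second rule that blocks 3389 from 'Any': Windows evaluates Block rules before
# Allow rules, so it would also block the management range. The default-deny action in step 1
# already drops every source that the Allow rule does not match.

# 4. Verify: every rule that references local port 3389, with its enabled state and remote scope.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } | Get-NetFirewallRule |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Name    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Remote  = ($addr -join ', ')
        }
    } | Format-Table -AutoSize
```

The verification table should show exactly one enabled Allow rule for 3389 whose Remote column is the management range, with the built-in Remote Desktop rules listed as disabled. Treat the provider's control-panel firewall or security group as a second, independent layer with the same allow list rather than a replacement for the host rules.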
Any server that must have RDP access should enforce multi-factor authentication; there are many software solutions available, some open source, some licensed. All public-facing servers must have secure, complex passwords. Having a strong password might seem like an obvious inclusion, but ever since the introduction of passwords in the 1960s, hackers have sought ways to exploit and crack them.
With the proliferation of cloud computing, some sources suggest 100,000 RDP sessions are attacked every day. Right now, botnets are targeting RDP, SSH, and FTP connections on the public internet. Make sure your RDP password is complex, using 16 characters drawn from letters, numbers, and special characters. Complex password generators are available in local password managers such as KeePass, Password Manager, Roboform, and LastPass; these are helpful if you are having difficulty choosing a suitable password.
Make sure you have an antivirus installed. Again, this might seem obvious, but antivirus and anti-malware protection is one of the best lines of defense against threats and vulnerabilities, especially when the antivirus definitions are updated daily and the agents are actively checked to be running at all times.
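A check for the two conditions this paragraph names, definitions updated daily and the agent running, as an added example that is not from the original article. It uses the built-in Microsoft Defender cmdlets on Windows Server; the one-day signature-age threshold is an assumed policy value, and a third-party antivirus would expose the same facts through its own status API.

```powershell
# Added example, not from the original article. The 1-day threshold is an assumed policy value.
function Test-DefenderHealth {
    param([int] $MaxSignatureAgeDays = 1)

    $s = Get-MpComputerStatus   # built-in Defender status cmdlet

    $signaturesCurrent = $s.AntivirusSignatureAge -le $MaxSignatureAgeDays
    [pscustomobject]@{
        ServiceRunning     = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        SignaturesCurrent  = $signaturesCurrent
        LastFullScan       = $s.FullScanEndTime
        Healthy            = ($s.AMServiceEnabled -and $s.RealTimeProtectionEnabled -and $signaturesCurrent)
    }
}

$health = Test-DefenderHealth
$health | Format-List

# Remediate the two common failure modes in place; anything else should raise an alert,
# because a stopped engine or silently stale definitions is exactly what an attacker wants.
if (-not $health.SignaturesCurrent)  { Update-MpSignature }
if (-not $health.RealTimeProtection) { Set-MpPreference -DisableRealtimeMonitoring $false }
if (-not $health.Healthy)            { Write-Warning "Defender is not healthy on $env:COMPUTERNAME" }
```

Run it daily from a scheduled task, or from your monitoring agent, so that "actively checked" means a recorded result rather than an assumption.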
Automate your security patching schedule; most update tasks can be performed out of hours with minimal impact. Patching is a great way to prevent exploitation of known vulnerabilities. Security teams and application developers are constantly raising the security level of an application, and the upgrade process is very reliable.
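One way to automate the patching schedule on a Windows VPS, as an added example that is not part of the original article. It registers a scheduled task that installs pending updates in an out-of-hours window using the PSWindowsUpdate module (a third-party module from the PowerShell Gallery, not a Microsoft built-in); the Sunday 02:00 schedule, the task name and the log path C:\Logs are assumptions.

```powershell
# Added example, not from the original article. Schedule, log path and task name are assumptions.
# Requires the PSWindowsUpdate module (third-party, PowerShell Gallery); run once in an elevated session.
Install-Module -Name PSWindowsUpdate -Scope AllUsers -Force

$logDir = 'C:\Logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# What the task runs: install all pending updates (Microsoft Update covers non-OS products too),
# reboot if an update requires it, and append the result to a log you can review afterwards.
$command = "Import-Module PSWindowsUpdate; " +
           "Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot | " +
           "Out-File -FilePath '$logDir\WindowsUpdate.log' -Append"

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$command`""
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am   # out-of-hours window
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                 -ExecutionTimeLimit (New-TimeSpan -Hours 3)

Register-ScheduledTask -TaskName 'Weekly security patching' -Action $action `
    -Trigger $trigger -Principal $principal -Settings $settings -Force

# Check the outcome of the last run without logging in interactively.
Get-ScheduledTaskInfo -TaskName 'Weekly security patching' |
    Select-Object LastRunTime, LastTaskResult, NextRunTime
```

`-AutoReboot` means the server may restart inside the window; if the VPS hosts something that cannot tolerate that, use `-IgnoreReboot` instead and schedule the restart separately. A `LastTaskResult` other than 0, or a log that stops growing, is the signal that patching has silently stopped and needs attention.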
Protect against a Man-in-the-Middle Attack (MITMA), a cyber-attack that allows a hacker to intercept and eavesdrop on the communication between two devices. It is most likely to happen between a remote connection and a server, so if you remotely manage your VPS server, this is undoubtedly something to consider.
A weak local network is usually the primary reason behind a successful MITMA. Public hotspots and hotel Wi-Fi are examples of insecure networks where an attacker can sniff your traffic, spoof DNS, HTTPS, and ARP, and hijack SSL certificates. If any of these protocols are out of date, the MITMA is more likely to succeed.
To prevent such an attack, network security should be robust: make sure that every Wi-Fi connection you use has at least the WPA2 security protocol enabled, and only use public Wi-Fi when necessary.
It is evident that protecting a VPS is a joint responsibility between the cloud provider and the customer. The cloud team has the responsibility to protect the hardware layer, and the customer must follow best practices to secure their VPS.
Choosing a VPS hosting platform provides several genuine security initiatives that are created to protect your investment. The hosting provider has a duty of care to safeguard all hosted servers while upholding security best practices. The provider’s infrastructure is hardened against attack and monitored 24/7 by a team of experts. Cloud services such as DDoS protection and application firewalls will protect your investment from large-scale attacks.
That being said, when you purchase a dedicated server or VPS server, there is a lot of emphasis on the user to be fully aware of how to protect the server. The fundamental rule is to protect your server with complex passwords that are regularly changed.
Encrypt your data in the database, use a VPN, prevent MITMA by patching known vulnerabilities, and encrypt hard disks if you are using a physical server, so that in the event data is stolen in a ransomware attack, it is unusable by the attacker. Always have a backup of your server, preferably offsite, and regularly check your server’s log files for any unexpected activity.
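The log review this paragraph asks for, applied to the brute-force RDP pattern described earlier in the article, as an added example that is not part of the original article. It groups failed logon events (Windows Security event ID 4625) by source address and flags any address that fails a threshold number of times within a short window, which is what a password-guessing botnet looks like in the log. The threshold (10 failures) and window (10 minutes), the sample events and the addresses in them are all constructed for illustration; the second function projects real events from the local Security log into the same shape.

```powershell
# Added example, not from the original article. Threshold, window and sample data are constructed.
function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with TimeCreated, IpAddress, TargetUserName
        [int] $Threshold     = 10,                  # this many failures ...
        [int] $WindowMinutes = 10                   # ... within this many minutes => suspicious
    )
    $Events |
        Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |   # drop local/console failures
        Group-Object -Property IpAddress |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            # Sliding window: does any run of $Threshold consecutive failures fit inside the window?
            $burst = $false
            for ($i = $Threshold - 1; $i -lt $sorted.Count; $i++) {
                $span = $sorted[$i].TimeCreated - $sorted[$i - $Threshold + 1].TimeCreated
                if ($span.TotalMinutes -le $WindowMinutes) { $burst = $true; break }
            }
            [pscustomobject]@{
                IpAddress  = $_.Name
                Failures   = $sorted.Count
                Accounts   = (($sorted.TargetUserName | Sort-Object -Unique) -join ', ')
                FirstSeen  = $sorted[0].TimeCreated
                LastSeen   = $sorted[-1].TimeCreated
                Suspicious = $burst
            }
        } | Sort-Object Failures -Descending
}

# Projects real 4625 events from the local Security log into the shape the function expects.
function Get-FailedLogonEvents {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                IpAddress      = $data['IpAddress']
                TargetUserName = $data['TargetUserName']
                LogonType      = $data['LogonType']   # 10 = RemoteInteractive (RDP); NLA failures show as 3
            }
        }
}

# Constructed sample: one address cycling through guessable account names every 30 seconds,
# and one operator mistyping a password twice, an hour apart.
$base   = Get-Date '2024-01-01 03:00:00'
$sample = @(0..11 | ForEach-Object {
    [pscustomobject]@{
        TimeCreated    = $base.AddSeconds(30 * $_)
        IpAddress      = '198.51.100.7'
        TargetUserName = @('Administrator', 'admin', 'backup')[$_ % 3]
    }
})
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(10); IpAddress = '203.0.113.5'; TargetUserName = 'jsmith' }
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(70); IpAddress = '203.0.113.5'; TargetUserName = 'jsmith' }

Find-FailedLogonBursts -Events $sample | Format-Table -AutoSize
# On a live server:  Find-FailedLogonBursts -Events (Get-FailedLogonEvents) | Where-Object Suspicious
```

On the constructed sample, 198.51.100.7 is reported with 12 failures across three account names and Suspicious = True, while 203.0.113.5 shows 2 failures and Suspicious = False. If a live server returns no 4625 events at all, confirm that failure auditing for logon events is enabled before concluding that nothing is happening; an address flagged here is a candidate for the firewall allow list review above and for the provider's control-panel block list.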