# Securing OpenVZ VPS



## drmike (Oct 14, 2013)

Since many of us are on OpenVZ still these days and seems like endless problems with attacks...

What do you run to secure your OpenVZ VPS?  Emphasis on firewalls, software to manage blocks/ban, traffic filtering, etc.   Interested in recommendations and tutorials that work.

What are you doing / using?


----------



## Alto (Oct 14, 2013)

I'm pretty lazy, so I just use UFW to block all connections by default, then open the ones I need up to my VPN IPs only (aside from the odd port I give public access to). I also remove pretty much everything I don't need, but that's very much a necessity as most of my VPSes are under 128MB.

One day I'll learn how to use IPTables properly, but until I need to I'm good with UFW.


----------



## Increhost (Oct 14, 2013)

At firewall and protection level, LFD + CSF.

Also removing all not-really-needed services, using our own NTPs, configuring our own recursive DNSs, and if we must have some port listening, change the default

This is not something new or extremely secure at all, but removes a lot of noise and unexpected stuff.


----------



## kro (Oct 14, 2013)

Alto said:


> One day I'll learn how to use IPTables properly, but until I need to I'm good with UFW.


No time like the present ^_^


----------



## Raymii (Oct 14, 2013)

drmike said:


> Since many of us are on OpenVZ still these days and seems like endless problems with attacks...
> 
> 
> What do you run to secure your OpenVZ VPS? Emphasis on firewalls, software to manage blocks/ban, traffic filtering, etc. Interested in recommendations and tutorials that work.
> ...


Nothing wrong with OpenVZ, KVM or physical gets attacked as well. Everything with uplink mostly..


But, for me fail2ban + iptables or PF works. And recently the OSSEC host intrusion detection system helps to see what happens all. And of course keeping things updated, OS and app level. And using SSH keys instead of passwords is a big plus...


----------



## Magiobiwan (Oct 14, 2013)

I use CSF + LFD on my VPSes now, disabled password auth for root, etc. Basic Security measures. Given I WORK for the provider I get most my stuff from, I know 100% that nobody is going to go snooping through my stuff (well, never know about Ishaq. Never can trust them Brits).


----------



## Alto (Oct 14, 2013)

kro said:


> No time like the present ^_^


Got plenty of other things that I need to learn first. So long as UFW meets my needs, I'll keep using it.


----------



## drmike (Oct 14, 2013)

I just busted open ufw and yeppers, very easy.   Mini no-torial maybe in a bit...  no excuse not to have ufw installed if others are too complicated.


----------



## Raymii (Oct 15, 2013)

Do remember kids, check IPTables chains to see what the default settings are before you flush it. Could save you a trip to your DC...


----------
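
The check Raymii describes above, as an added example that is not part of the original thread: `iptables -F` removes rules but leaves each chain's default policy in place, so flushing a ruleset whose INPUT policy is DROP also removes the rule that lets your SSH session in. The function names and the sample rulesets below are constructed for illustration; the input format is that of `iptables -S`.

```shell
#!/bin/sh
# Added example: decide whether flushing is safe from `iptables -S` output.

# Constructed sample: a default-deny ruleset as printed by `iptables -S`.
SAMPLE_DROP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample: a default-accept ruleset with one blocking rule.
SAMPLE_ACCEPT='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP'

# Read `iptables -S` text on stdin and print every built-in chain whose
# default policy is not ACCEPT, as CHAIN=POLICY pairs on one line.
risky_chains() {
    awk '$1 == "-P" && $3 != "ACCEPT" { printf "%s%s=%s", sep, $2, $3; sep = " " }
         END { if (sep) print "" }'
}

# Return 0 when a flush leaves traffic flowing, 1 when a non-ACCEPT
# policy would remain in force with no rules left to permit anything.
flush_is_safe() {
    risky=$(printf '%s\n' "$1" | risky_chains)
    [ -z "$risky" ]
}

# Human-readable verdict for a ruleset passed as the first argument.
check_before_flush() {
    if flush_is_safe "$1"; then
        echo "OK: all default policies are ACCEPT"
    else
        echo "STOP: policies left after a flush: $(printf '%s\n' "$1" | risky_chains)"
        echo "Set them to ACCEPT first, e.g. iptables -P INPUT ACCEPT"
        return 1
    fi
}

# On a live system: check_before_flush "$(iptables -S)"
check_before_flush "$SAMPLE_DROP" || true
check_before_flush "$SAMPLE_ACCEPT"
```

This only inspects the filter table, which is what `iptables -S` prints by default.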



## lifetalk (Oct 15, 2013)

CSF does the job very well, for the most part. That in addition to removing any unneeded/unwanted services that are installed by default.


----------



## ICPH (Mar 14, 2015)

I'm using CSF, DdosDeflate, ssh non-standard port, optimised webserver with unneeded functions disabled, disallowing writing access where I can.


----------



## wlanboy (Mar 15, 2015)

- iptables - close all ports and open ports only on specific networks/targets
- fail2ban - securing all logins on webserver, mailserver, ssh, sftp, mysql, ...
- move ssh port to get rid of port scanners
- ssh keys - disable passwords
- ssh port forwarding for non public services
- use vpn for non public service connections / or ssl secured


----------



## cloudxtnyHost (Mar 26, 2015)

I use CSF, disable services you are not using and use non-standard ports for things like ssh. That's good enough.


----------



## QuadraNet_Adam (Mar 26, 2015)

Ensuring the root password is secure, changing the SSH port from the default 22, configuring some iptables rules (or using a firewall like CSF), and ensuring installed software is up to date are just a few basic measures you should always take with any server.

Now if you are running a website on your server, look into configuring mod_security rulesets, securing PHP.ini, securing apache configurations, etc.


----------

