Securing OpenVZ VPS

drmike

100% Tier-1 Gogent
Since many of us are on OpenVZ still these days and seems like endless problems with attacks...

What do you run to secure your OpenVZ VPS?  Emphasis on firewalls, software to manage blocks/ban, traffic filtering, etc.   Interested in recommendations and tutorials that work.

What are you doing / using?
 

Alto

New Member
I'm pretty lazy, so I just use UFW to block all connections by default, then open the ones I need up to my VPN IPs only (aside from the odd port I give public access to). I also remove pretty much everything I don't need, but that's very much a necessity as most of my VPSes are under 128MB.

One day I'll learn how to use IPTables properly, but until I need to I'm good with UFW.
 

Increhost

New Member
Verified Provider
at firewall and protection level LFD + CSF

also removing all not-really-needed services, using our own NTP's, configuring our own recursive DNS's, and if we must have some port listening, change the default

This is not something new or extremely secure at all, but removes a lot of noise and unexpected stuff.
 

Raymii

New Member
Since many of us are on OpenVZ still these days and seems like endless problems with attacks...


What do you run to secure your OpenVZ VPS? Emphasis on firewalls, software to manage blocks/ban, traffic filtering, etc. Interested in recommendations and tutorials that work.


What are you doing / using?
Nothing wrong with OpenVZ, KVM or physical gets attacked as well. Everything with uplink mostly..


But, for me fail2ban + iptables or PF works. And recently the OSSEC host intrusion detection system helps to see what happens all. And of course keeping things updated, OS and app level. And using SSH keys instead of passwords is a big plus...
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
I use CSF + LFD on my VPSes now, disabled password auth for root, etc. Basic Security measures. Given I WORK for the provider I get most my stuff from, I know 100% that nobody is going to go snooping through my stuff (well, never know about Ishaq. Never can trust them Brits).
 

drmike

100% Tier-1 Gogent
I just busted open ufw and yeppers, very easy.   Mini no-torial maybe in a bit...  no excuse not to have ufw installed if others are too complicated.
 

Raymii

New Member
Do remember kids, check IPTables chains to see what the default settings are before you flush it. Could save you a trip to your DC...
 
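
The check Raymii describes above, as an added example that is not part of the original thread: `iptables -F` removes rules but leaves each built-in chain's default policy in place, so flushing a chain whose policy is DROP cuts off every connection, including your SSH session. The function names and the two sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to flush iptables when a
# built-in chain has policy DROP, because a flush keeps the policy.

# Constructed sample: `iptables -S` output from a default-deny host.
SAMPLE_DENY='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed sample: a host with permissive default policies.
SAMPLE_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP'

# flush_risk: reads `iptables -S` output on stdin and prints every chain
# whose default policy is DROP. Only "-P <chain> <policy>" lines count;
# "-A ... -j DROP" rules are ignored because a flush deletes them.
# Exit status: 0 = nothing printed (flush is safe), 1 = at least one chain.
flush_risk() {
    awk '$1 == "-P" && $3 == "DROP" { print $2; risky = 1 }
         END { exit (risky ? 1 : 0) }'
}

# safe_flush: for a live host (needs root). Flushes the filter table only
# when no chain would fall back to DROP afterwards.
safe_flush() {
    rules=$(iptables -S) || { echo "cannot read rules" >&2; return 2; }
    if chains=$(printf '%s\n' "$rules" | flush_risk); then
        iptables -F
    else
        echo "refusing to flush; policy DROP on:" $chains >&2
        echo "set the policy first, e.g. iptables -P INPUT ACCEPT" >&2
        return 1
    fi
}
```

Nothing runs when the file is sourced; call `safe_flush` in place of a bare `iptables -F`.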

lifetalk

New Member
Verified Provider
CSF does the job very well, for the most part. That in addition to removing any unneeded/unwanted services that are installed by default.
 

ICPH

Member
I'm using CSF, DdosDeflate, ssh non-standard port, optimised webserver with unneeded functions disabled, disallowing writing access where I can
 

wlanboy

Content Contributer
  • iptables - close all ports and open ports only on specific networks/targets
  • fail2ban - securing all logins on webserver, mailserver, ssh, sftp, mysql, ...
  • move ssh port to get rid of port scanners
  • ssh keys - disable passwords
  • ssh port forwarding for non public services
  • use vpn for non public service connections / or ssl secured
 

QuadraNet_Adam

Active Member
Verified Provider
Ensuring the root password is secure, changing the SSH port from the default 22, configuring some iptables rules (or using a firewall like CSF), and ensuring installed software is up to date are just a few basic measures you should always take with any server.

Now if you are running a website on your server, look into configuring mod_security rulesets, securing PHP.ini, securing Apache configurations, etc.
 