This document explains the basic measures you should take to protect your server from attacks and avoid being hacked. But first, you should understand the legal implications of not securing your server properly.
Your responsibility as administrator
The following terms fully apply to VPS without a management contract, which are delivered without any security configuration. If you need help in this area, you can purchase a managed service (shared hosting or Managed VPS) and delegate the responsibility of securing your server to GINERNET.
According to our terms and conditions:
4.9. The customer is solely responsible for the administration of their services and the applications they install on their server, as well as for the effects these may have on the preinstalled standard software or the machine configuration, where applicable, and for any problems that may arise on their server, especially those related to the security measures they should have adopted.
4.10. In exceptional cases of conflict, GINERNET can only reinstall the service, deleting all data and configuration the server may contain.
4.11. Consequently, GINERNET is only responsible for the availability of the physical infrastructure, the network and the physical host corresponding to the service.
In practice, this means:
- The customer is responsible for the server's security.
- The customer must secure and protect their server with firewalls and intrusion-prevention tools.
- The customer must know the tools required to harden servers.
- If a server has been hacked and the customer does not know how to fix it, GINERNET can only reinstall the entire operating system of the VPS, deleting all of its contents.
Our goal is to provide an excellent network to the customers who trust us. For this reason, we suspend servers we detect as hacked, preserving the reputation of our network.
Tips to secure a server
- Strong passwords: always use long combinations of alphanumeric characters and symbols, mixing upper and lower case. Better yet: use a password manager and, for SSH, public-key authentication.
- Brute-force protection: install a login-failure monitoring system so that if someone enters a wrong password several times, their IP is blocked by the firewall. Recommended tools: Fail2Ban or CSF.
- Block the ports you do not use or, better still, set a default deny rule and only open the ones you need. If you are not sure how, you can install Webmin, a complete server management tool that does not conflict with other panels. Its "Firewall" module lets you harden the server from your browser very easily.
- Keep the operating system and all server software up to date. Most updates include security patches: an outdated system is a vulnerable system. This includes the operating system itself and the applications running on it, such as WordPress, PrestaShop or Drupal - CMS that are heavily targeted because of how many people use them.
- Never, ever use "nulled" software. If you found a seemingly free version of a paid application, module or template "somewhere", that download comes with a prize: the hacker offering you that "bargain" will have injected malicious code to take control of your server. They may steal your customer database, use your server to send SPAM or, in the worst case, install a proxy to commit crimes. Only use legally licensed software.
If you have already been hacked
It is easier to secure a server than to clean an infected one. If your server has been hacked, in 99% of cases the best option is a full reinstall: if the attacker installed a backdoor, they will keep access even if you "clean up" what is visible.
There are automated systems on the Internet, built by cybercriminals, constantly scanning for vulnerabilities to exploit - either to trade the victims' data or to commit crimes through the compromised systems.
Do not make it easy for them: protect your server as much as possible.