Lock Down Your Server: The 2009 Survival Guide
Let’s be honest: the default installation of CentOS 5 or Debian Lenny is not ready for the public internet. If you leave a server connected to the web with port 22 open and password authentication enabled, you aren't hosting an application—you're hosting a honeypot. In the last month alone, I've seen logs from the Nordic region showing a 400% spike in brute-force attempts coming from automated botnets.
If you care about uptime and don't want to explain to your boss why the database was dropped by a script kiddy, you need to harden your stack. Now.
1. Kill Passwords, Use Keys
In 2009, passwords are dead. They are sniffable, guessable, and weak. If you are still logging in as root with a password, you are asking for trouble. We need to switch to RSA keys immediately.
First, generate a key pair on your local machine:
$ ssh-keygen -t rsa -b 2048
Once you've pushed your public key to the server (~/.ssh/authorized_keys), edit your SSH config. This is the single most effective change you can make to secure your VPS.
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
UseDNS no
AllowUsers yourusername
Pro Tip: Move SSH off port 22. It doesn't stop a determined hacker, but it stops 99% of the automated scripts scanning the NIX (Norwegian Internet Exchange) IP ranges. Change `Port 22` to something like `Port 2299`.
2. The Firewall: Learn to Love Iptables
We don't have fancy GUIs for firewalls that work reliably yet. You need to get your hands dirty with iptables. A "default accept" policy is suicide. You want a "default drop" policy.
Here is a battle-tested configuration script I use for web servers deployed in Oslo:
#!/bin/bash
# Flush old rules
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept established connections (Critical!)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (If you moved port, change this!)
iptables -A INPUT -p tcp --dport 2299 -j ACCEPT
# Allow Web Traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Save settings
/sbin/service iptables save
3. Banish Unnecessary Services
Red Hat and CentOS love to enable services you don't need. Does your web server need cups (printing) or bluetooth? No. Every running service is a potential exploit vector.
Run this to see what's listening:
netstat -tulpn
If you see port 111 (portmap) or sendmail listening on 0.0.0.0, kill it. Use chkconfig to ensure they don't come back after a reboot:
chkconfig sendmail off
chkconfig cups off
chkconfig bluetooth off
4. The Hardware Factor: Why Virtualization Matters
Software hardening is useless if your host node is compromised or unstable. In the current VPS market, too many providers are overselling OpenVZ containers. This leads to "noisy neighbors" stealing your CPU cycles and, worse, potential kernel exploits that can bleed through containers.
This is why at CoolVDS, we rely on Xen HVM virtualization. Xen provides true hardware isolation. Your RAM is your RAM. Your kernel is your kernel. When we deploy high-performance storage arrays (utilizing the new enterprise SLC SSDs or 15k SAS drives), that I/O throughput belongs to you, not the guy mining bitcoins next door.
5. Norwegian Privacy & Compliance
Hosting in Norway isn't just about latency to Oslo; it's about the law. With the Personopplysningsloven (Personal Data Act) and the watchful eye of Datatilsynet, you need to ensure your data handling is compliant. Hosting outside the EEA (European Economic Area) can introduce headaches with the Safe Harbor framework.
By keeping your servers on CoolVDS infrastructure in Oslo, you benefit from direct connectivity to NIX and full compliance with Norwegian privacy standards. Low latency + Legal safety = Peace of mind.
Final Thoughts
Security is not a product; it's a process. Run yum update nightly. Watch your logs (`/var/log/secure`). And verify your backups.
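As an added example (not part of the original post), here is a small shell script for the log-watching step: it counts failed SSH logins per source address from /var/log/secure style lines, lists the sources above a threshold, and checks that no password logins are still being accepted once the section 1 change is in place. The log lines are constructed; on a live box, pipe the real file into the functions instead.

```bash
#!/bin/bash
# Added example: triage /var/log/secure for SSH brute-force activity and check
# that password logins are really gone. The log lines below are constructed
# (RFC 5737 test addresses), not taken from any real host.
SAMPLE_SECURE=$(cat <<'EOF'
Mar  3 02:14:01 web1 sshd[4120]: Invalid user admin from 192.0.2.10
Mar  3 02:14:01 web1 sshd[4120]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Mar  3 02:14:04 web1 sshd[4122]: Failed password for root from 192.0.2.10 port 51030 ssh2
Mar  3 02:14:07 web1 sshd[4124]: Failed password for root from 192.0.2.10 port 51041 ssh2
Mar  3 02:15:30 web1 sshd[4130]: Failed password for root from 198.51.100.7 port 40210 ssh2
Mar  3 02:20:12 web1 sshd[4141]: Accepted publickey for deploy from 203.0.113.5 port 55012 ssh2
Mar  3 02:22:45 web1 sshd[4150]: Accepted password for deploy from 203.0.113.5 port 55020 ssh2
EOF
)

# Failed SSH logins per source address, busiest first ("count ip" per line).
# Reads log lines on stdin, e.g.:  failed_by_ip < /var/log/secure
failed_by_ip() {
  grep -E 'sshd\[[0-9]+\]: Failed password for' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' \
    | sort | uniq -c | sort -rn
}

# Addresses with at least $1 failures: the ones worth a closer look, or a
# dedicated DROP rule in the iptables script from section 2.
offenders() {
  failed_by_ip | awk -v threshold="$1" '$1 >= threshold { print $2 }'
}

# Number of logins sshd accepted *by password*. After "PasswordAuthentication no"
# this must stay at 0; anything else means the change did not take effect
# (typo in sshd_config, or sshd not restarted after the edit).
accepted_password_count() {
  grep -c 'sshd\[[0-9]*\]: Accepted password for' || true
}

echo "Failed logins by source:"
printf '%s\n' "$SAMPLE_SECURE" | failed_by_ip
echo "Sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_SECURE" | offenders 3
echo "Password logins still accepted: $(printf '%s\n' "$SAMPLE_SECURE" | accepted_password_count)"
```

With the sample data the only source at or above three failures is 192.0.2.10, and the one "Accepted password" line is exactly the kind of entry that should disappear after you restart sshd with the hardened config.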
If you need a server that respects these principles out of the box—with true hardware isolation and enterprise-grade storage—stop gambling with budget hosts.