Hardening Your Linux VPS: A Battle-Tested Security Guide

Stop Leaving Your Digital Front Door Open

Let’s be honest: the moment you spin up a new VPS, it is being scanned. Somewhere in a basement in Eastern Europe or a dorm room in China, a script is already hammering port 22. I see it every day in the logs. If you leave your server running with default settings and a root password for more than an hour, you aren't an admin; you're a victim waiting to happen.

In the hosting business, we see two types of servers: those that are locked down, and those that are part of a botnet. At CoolVDS, we provide the infrastructure—redundant power, high-performance RAID arrays, and low-latency upstream links to NIX (Norwegian Internet Exchange)—but the OS layer? That’s your territory.

Here is how to secure a fresh CentOS 6 or Debian Squeeze install before you even think about deploying Apache or MySQL.

1. Kill Password Authentication (Immediately)

Passwords are dead. Brute force attacks are getting faster, and rainbow tables are getting larger. If you are still typing a password to log into SSH, you are doing it wrong. You need RSA keys.

On your local machine, generate a key pair if you haven't already:

ssh-keygen -t rsa -b 4096

Push the public key to your server. Once you confirm you can log in without a password, edit the SSH daemon's config file. This is non-negotiable.

vi /etc/ssh/sshd_config

Find these lines and change them:

PasswordAuthentication no
PermitRootLogin no
UseDNS no

Pro Tip: Setting UseDNS no prevents the SSH daemon from trying to resolve the client's hostname, which speeds up login times significantly. If your SSH feels sluggish, this is usually the culprit.

Restart the service (service sshd restart). Now, even if they guess your username, they can't get in without the private key.
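A quick way to confirm the three settings above are the ones sshd will really use. This is an added example, not part of the original guide; the function names and the sample file are made up for illustration, and it assumes the whitespace-separated "Keyword value" form shown above.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for a keyword.
# sshd_config keywords are case-insensitive and the FIRST occurrence wins,
# so a "PasswordAuthentication no" appended at the bottom is ignored when
# an earlier line already says "yes".

# sshd_effective FILE KEYWORD -> first global value (lowercased) or "unset"
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); val = "unset" }
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        tolower($1) == "match" { exit }    # Match blocks are conditional: stop
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$1"
}

# check_hardening FILE -> one line per directive, returns 1 on any miss
check_hardening() {
    rc=0
    for key in PasswordAuthentication PermitRootLogin UseDNS; do
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "no" ]; then
            echo "OK   $key no"
        else
            echo "FAIL $key is '$got' (wanted 'no')"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the hardening lines were appended, but the stock
# "PasswordAuthentication yes" earlier in the file still wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config excerpt
Port 22
PasswordAuthentication yes
permitrootlogin no
UseDNS no
PasswordAuthentication no
EOF
check_hardening "$sample" || echo "sshd_config still needs work"
```

Point check_hardening at /etc/ssh/sshd_config on the server, and run sshd -t to catch syntax errors before restarting. Keep your current session open until a second login with the key succeeds.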

2. The Firewall: Learn to Love iptables

Many developers are scared of iptables. They shouldn't be. It is the kernel's native packet filtering system. Unlike some "friendly" wrappers that might mask what's really happening, raw iptables rules give you exact control.

A basic policy usually looks like this: Drop everything, then open only what you need.

# Flush existing rules
iptables -F

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections (so you don't lock yourself out)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (ensure this matches your port)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow Web
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Default policies, set last so that typing these commands over SSH
# does not drop your session before the ACCEPT rules exist
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Save these rules. On RedHat/CentOS systems, use /etc/init.d/iptables save. On Debian/Ubuntu, you might need the iptables-persistent package. Without this, a reboot wipes your security.
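To check that the ruleset actually survived a reboot, compare a dump of the live rules against what you expect. This is an added example, not part of the original guide; the function names and both sample dumps are constructed, and it assumes a filter-table dump such as the output of iptables-save -t filter.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump against the policy above.

# input_policy FILE -> default policy of the INPUT chain (DROP, ACCEPT, ...)
input_policy() {
    awk '$1 == ":INPUT" { print $2 }' "$1"
}

# open_tcp_ports FILE -> space-separated TCP ports that INPUT accepts
open_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
             for (i = 3; i < NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# audit_ruleset FILE "PORTS" -> returns 0 only if INPUT defaults to DROP
# and the accepted TCP ports are exactly the expected list
audit_ruleset() {
    rc=0
    [ "$(input_policy "$1")" = "DROP" ] || { echo "INPUT policy is not DROP"; rc=1; }
    ports=$(open_tcp_ports "$1")
    [ "$ports" = "$2" ] || { echo "open ports '$ports', expected '$2'"; rc=1; }
    return $rc
}

# Constructed dumps: the guide's ruleset, and a box rebooted without saving.
good=$(mktemp); wiped=$(mktemp)
cat > "$good" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
cat > "$wiped" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
audit_ruleset "$good" "22 80" && echo "ruleset matches"
audit_ruleset "$wiped" "22 80" || echo "ruleset drifted"
```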

3. Banish the Script Kiddies with Fail2Ban

Even with keys, your logs will be flooded with failed login attempts. This wastes CPU cycles and fills up disk space. Enter Fail2Ban. It scans log files (like /var/log/auth.log or /var/log/secure) and updates iptables to ban IPs that show malicious signs.

Install it via your package manager:

yum install fail2ban

Configure the jail in /etc/fail2ban/jail.conf. I usually set the ban time to -1 for repeat offenders. If you try to break into my server three times, you don't get a fourth try. Ever.
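To see what a three-strikes rule would catch in your own log before turning the jail on, the same counting can be done by hand. This is an added example, a simplified stand-in rather than Fail2Ban's own filter; the function name and the log lines are constructed, with addresses from the documentation ranges.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address,
# the way a jail with a retry limit of 3 would before banning.

# ban_candidates LOGFILE MAXRETRY -> "ip failures" for each offender
ban_candidates() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF - 4) == "from" && $(NF - 2) == "port" {
            # The username is client-supplied text, so read the address by
            # position from the end of the line, not from the first "from".
            fails[$(NF - 3)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$1" | sort
}

# Constructed sample in the format sshd writes to /var/log/secure.
log=$(mktemp)
cat > "$log" <<'EOF'
Jan 12 03:14:01 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 12 03:14:03 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 12 03:14:05 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jan 12 03:15:10 vps sshd[2110]: Failed password for invalid user test from 198.51.100.23 port 40211 ssh2
Jan 12 03:15:12 vps sshd[2111]: Failed password for invalid user x from 192.0.2.10 from 198.51.100.23 port 40212 ssh2
Jan 12 03:16:44 vps sshd[2120]: Accepted publickey for deploy from 192.0.2.10 port 50001 ssh2
EOF

# Three strikes, as in the text above: only 203.0.113.7 qualifies.
ban_candidates "$log" 3
```

The fifth line has an address embedded in the username; because the parser anchors on the end of the line, the failure is charged to the real source, 198.51.100.23, and the legitimate client at 192.0.2.10 is never counted.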

4. Keep It Local: The Norway Advantage

Security isn't just about software; it's about jurisdiction. With the passing of the Patriot Act in the US, many European businesses are realizing that data hosted on US soil (or by US companies) is not private.

By hosting with CoolVDS in Norway, your data falls under the Personal Data Act (Personopplysningsloven). We answer to Datatilsynet, not foreign intelligence agencies. For Norwegian businesses, keeping data within the borders isn't just about latency (though 2ms pings to Oslo are nice)—it's about legal compliance and trust.

5. Architecture Matters: KVM vs. OpenVZ

Security also depends on isolation. Many budget hosts stuff hundreds of customers onto a single OpenVZ node. If the host kernel panics, everyone goes down. If there is a kernel exploit, isolation can be breached.

At CoolVDS, we prioritize KVM (Kernel-based Virtual Machine). This gives you a dedicated kernel. It acts more like a dedicated server. Your memory is your memory. No one can steal your RAM, and your file system is completely isolated from the neighbors. It costs us more to run, but for a production environment, it is the only professional choice.

Summary Checklist

| Action | Impact | Difficulty |
|---|---|---|
| Disable Root Login | Prevents standard brute force | Low |
| Configure Iptables | Blocks unauthorized ports | High |
| Install Fail2Ban | Automated active defense | Medium |
| Use KVM Virtualization | Full Kernel Isolation | Automatic on CoolVDS |

Don't wait until you've been compromised to take this seriously. A hardened server runs better, scales safer, and lets you sleep at night.

Ready to deploy on infrastructure that takes security as seriously as you do? Deploy a KVM instance on CoolVDS today and experience the stability of Norwegian hosting.
