Stop Handing Root Access to Script Kiddies

I recently audited a client's server cluster intended for a high-traffic Joomla deployment. They had great code, but their sysadmin practices were terrifying. Root login enabled? Check. Default SSH port? Check. No firewall rules defined beyond the default policy? Check. It took me exactly four minutes to simulate a compromise. If you are running a server without hardening it first, you aren't hosting; you're donating CPU cycles to a botnet.

Whether you are pushing a LAMP stack on CentOS 5 or experimenting with Nginx on Debian Lenny, security is not a feature you add later. It is the foundation. Here is how we lock down systems at CoolVDS to ensure high availability and compliance with Norwegian standards.

1. SSH: The Front Door Must Be Bolted

The default sshd_config is too permissive. I’ve seen logs on servers in Oslo showing thousands of brute-force attempts from IP ranges in Eastern Europe within hours of provisioning. You need to switch to key-based authentication immediately.

Open /etc/ssh/sshd_config and make these changes:

# Disable root login immediately
PermitRootLogin no

# Change the default port to reduce log noise (security by obscurity, but helps)
Port 2222

# Enforce Protocol 2 to avoid legacy vulnerabilities
Protocol 2

# Whitelist your users
AllowUsers deployer sysadmin

Restart the service. If you lose access, you’ll be thankful for the CoolVDS VNC console access. But if you do this right, automated bots will bounce off your server like rain off a tarp.

2. iptables: The Great Wall

Forget complex GUI firewalls. You need to understand raw iptables. A naked server on the public web is a target. We want a default DROP policy. If we didn't ask for the packet, we don't want it.

Here is a baseline configuration script I use for web nodes:

# Flush existing rules
iptables -F

# Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections (crucial!)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (on your new port), HTTP, and HTTPS
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Pro Tip: Save these rules! On RedHat/CentOS, run /sbin/service iptables save. On Debian/Ubuntu, look into iptables-persistent. I've seen too many admins secure a box only to have it wide open after a reboot.

3. Fail2Ban: The Bouncer

Even with a custom SSH port, determined attackers will find you. Fail2Ban is mandatory software in 2009. It scans log files (like /var/log/auth.log) and updates iptables rules to ban IPs that show malicious signs—too many password failures, seeking exploits, etc.

A simple configuration in /etc/fail2ban/jail.conf can save you massive headaches:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=2222, protocol=tcp]
logpath  = /var/log/secure
maxretry = 3
bantime  = 3600

4. The CoolVDS Architecture Advantage

Software hardening is useless if the underlying architecture is flawed. Many budget hosts oversell their nodes using OpenVZ, leading to "noisy neighbor" issues where one hacked container brings down the I/O for everyone else.

At CoolVDS, we prioritize Xen and KVM virtualization. This ensures strict resource isolation. When you deploy a VPS in Norway with us, your RAM is your RAM. Our datacenters are connected directly to NIX (Norwegian Internet Exchange), ensuring that your latency to local users is minimal—often under 10ms.

Data Integrity and Compliance

Operating in Norway means adhering to the Personopplysningsloven (Personal Data Act). The Datatilsynet (Data Inspectorate) does not look kindly on negligence. By hosting on CoolVDS, you ensure your physical data resides within Norwegian borders, simplifying your compliance with local data protection regulations compared to US-based safe harbor hosts.

5. Keep It Lean, Keep It Updated

Every extra service is an extra attack vector. Do you need Sendmail running if you use an external SMTP relay? No. Disable it.

Finally, set up a cron job for updates, or at least subscribe to the security mailing lists for your distro. In the world of managed hosting, we handle the hardware and network stability, but the OS security is a partnership.

Don't wait for a breach to take security seriously. Deploy a hardened, high-performance instance on CoolVDS today and experience the stability of true enterprise-grade hardware.