Assume You Are Already Compromised

It has been a rough year for security. Between LulzSec tearing apart Sony Pictures and the endless barrage of SQL injections hitting heavy-hitters, one thing is clear: security through obscurity is dead.

If you just spun up a fresh VPS and left it on default settings, you are a target. Bots are scanning your IP range right now. If you are still using FTP and password authentication, your server belongs to them; you just haven't realized it yet.

I’ve spent the last week cleaning up a client's compromised eCommerce stack. They lost data. They lost trust. Don't be them. Here is the exact hardening protocol I use for every new node, whether it's a dev box in Ukraine or a production cluster here in Norway.

1. Kill the Root Password

The first thing a botnet tries is `ssh root@your-ip` with a dictionary attack. Stop letting them try.

First, generate an RSA key pair on your local machine (Mac/Linux users, use Terminal; Windows users, grab PuttyGen).

Push your public key to the server using `ssh-copy-id`. Once you verify you can log in without a password, edit your SSH daemon config.

# /etc/ssh/sshd_config

Port 2222  # Move off default port 22. It reduces log noise by 90%.
PermitRootLogin no
PasswordAuthentication no
UseDNS no
AllowUsers yourusername

Restart SSH. If you lock yourself out, you better hope your provider has a decent VNC console (CoolVDS does, fortunately).

2. The Firewall is Not Optional

In 2011, we use iptables. It's cryptic, it's unforgiving, and it works.

Don't just leave everything open. Here is a baseline configuration for a web server. This drops everything by default and only opens what is necessary.

# Flush existing rules
iptables -F

# Default policies: Block everything
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback (critical for local services like MySQL)
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH (on your new port), HTTP, and HTTPS
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Save rules (CentOS/RHEL)
/sbin/service iptables save

Pro Tip: If you are running a PHP application, keep `expose_php = Off` in your `php.ini`. Don't advertise your version number to script kiddies looking for a specific vulnerability.

3. Virtualization Matters: OpenVZ vs. KVM

This is where your choice of hosting provider becomes a security decision. Many budget hosts oversell resources using OpenVZ. It’s container-based. You share the kernel with every other customer on that physical node.

If there is a kernel exploit (and there are always kernel exploits), a hacker on a neighboring VPS could theoretically break out and impact your data. This is the "noisy neighbor" problem, but with security implications.

This is why at CoolVDS, we standardized on KVM (Kernel-based Virtual Machine). It provides true hardware virtualization. Your OS kernel is yours. If the guy next door gets hacked or runs a fork bomb, your instance keeps humming along. For data sensitive to the Norwegian Personal Data Act (Personopplysningsloven), KVM is the only responsible choice.

4. Automate the Bans

Even with a custom SSH port, persistent attackers will find you. Install Fail2Ban. It parses your log files (SSH, Apache, FTP) looking for suspicious patterns and updates iptables dynamically to ban the offending IP addresses.

On Debian/Ubuntu:

Configure it to ban an IP for one hour after 3 failed login attempts. It’s simple, effective, and saves your CPU cycles for serving web pages rather than rejecting auth requests.

5. The Norwegian Advantage

Latency isn't just a performance metric; it's a usability factor. If you are managing servers from Oslo or providing services to Nordic clients, hosting in Germany or the US adds unnecessary millisecond delays.

Furthermore, keeping your data within Norwegian borders satisfies the strict requirements of Datatilsynet. While the Data Protection Directive applies across Europe, local implementation varies. Physical proximity combined with KVM isolation is the gold standard for compliance.

Final Thoughts

Security is a process, not a product. Run `yum update` or `apt-get upgrade` weekly. Monitor your logs. And stop buying the cheapest hosting you can find.

If you need a rig that supports these hardening practices out of the box—with pure SSD storage for high I/O performance—spin up a KVM instance with us.

Deploy a secure KVM VPS on CoolVDS today.