Cloud server setup can vary greatly since you are free to utilize any combination of software and applications to fit your needs. Opting for a cloud server versus a cPanel-managed VPS means greater control over your Linux operating system (OS) and environment.
But, this also means that it’s your responsibility to implement measures to help protect the cloud server and the data stored on it from unauthorized access, cyber-attacks, and other security threats.
While cPanel administrators use Web Host Manager (WHM) features to harden servers, you’ll need to manually install the necessary software once you upgrade to a cloud server. This guide will cover the best practices for cloud server security.
- Choose the Right Operating System (OS) For You
- Configure a Firewall
- Close/Change Default Ports
- Use SCP For Secure File Transfer
- Control Access
- Install an SSL Certificate
- Security HTTP Headers and Subresource Integrity (SRI)
- DNS Security (DNSSEC)
- Update Applications/OS
- Other Considerations
- Additional Support Resources
Choose the Right Operating System (OS) For You
One of the first things to take into consideration is the operating system you are going to install on your cloud server. There are many options available and you should ensure that you select the right server to suit your needs and the experience level of your system administration team.
Also, keep in mind that you can easily change the operating system of your cloud server (re-OS) at any time with InMotion’s Cloud Server Hosting. Here are some basic tips to help you decide on the best option for you.
- Are you used to managing cPanel with RPMs and CentOS commands? Maybe stick with CentOS.
- Do you need the latest features and software versions – stable or not? Check out Ubuntu.
- Do you prioritize stability and minimalism? Try Debian.
Configure a Firewall
Some OSs don’t include a preinstalled firewall application, but there are many available to choose from. Check to see if UncomplicatedFirewall (UFW) or Firewalld is installed. If not, install one of them, or ConfigServer Security & Firewall (CSF), and only open the ports you need. Here are some guides to help you get set up. Keep in mind that these are popular options, but you can install any firewall that you prefer.
UFW (Uncomplicated Firewall)
UFW is a fast and easy option for installing and setting up a firewall on your cloud server.
Firewalld is another very popular firewall option for securing your Linux-based cloud server.
- How to Install Firewalld on Linux
- How to Configure Firewalld (Basic Commands)
- How to Open a Port in Firewalld
Whether you’re running Apache or Nginx, install ModSecurity for additional signature-based protection.
Close/Change Default Ports
Since commonly opened ports can be a target of attacks, closing or changing them can reduce the chances of this occurring. You can use the Network Mapper (Nmap) tool to scan for detailed information about the status of the ports on your server.
Once you have determined which ports are open you can decide to change or close them as needed. A popular port to change is the SSH port from 22 to something else.
We also have a helpful guide on how to close open ports for PCI compliance if that is needed.
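To compare what is actually listening against the ports you intend to expose, the following added example (not part of the original guide) parses `ss -tln` output, a local alternative to an Nmap scan, and reports listening ports missing from an allowlist. The function names, the allowlist and the sample output are assumptions constructed for illustration.

```sh
# Constructed sample of `ss -tln` output (not taken from a real server).
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      32                 *:21               *:*
LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      4096            [::]:8080          [::]:*
EOF
}

# unexpected_ports "22,80,443" < ss-output
# Prints each non-loopback listening TCP port that is not in the allowlist.
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)   # address part: strip the trailing :port
            sub(/^.*:/, "", port)       # port part: text after the last colon
            # Sockets bound to loopback are not reachable from the network.
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }
    ' | sort -n
}

# Demo on the constructed sample; on a server use: ss -tln | unexpected_ports "22,80,443"
sample_ss_output | unexpected_ports "22,80,443"
```

Each reported port is a candidate to close in the firewall or to stop at the service level; ports bound only to loopback are skipped because they are not exposed externally.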
Use SCP For Secure File Transfer
If you are closing port 21, which is usually used for FTP, you will need another way to handle file management. SCP is based on SSH and uses the same port as SSH.
Control Access
It’s important to manage access to your server by limiting who is able to authenticate and log in. Here are some ways to control access.
Disable Password Login
By default, password authentication is disabled on your server. This greatly decreases the chances of an unwanted login and means you must use SSH keys to access your cloud server.
Since SSH keys are required before you can access your cloud server, you have the ability to manage them directly from your Account Management Panel (AMP).
If you have users that need the same level of access, it is helpful to create a group. You can then set the permissions or “roles” for the entire group at the same time. Now any users assigned to that group will have the same permission level. This can often be managed with the chmod command.
You can also create regular user accounts so that you’re not using root access unless needed. In many cases, it’s better to use the normal user account and sudo when administrator privileges are required. This makes access log auditing easier by minimizing the expected activity for the root user account.
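The SSH-related settings from this section and the port section above (non-default port, password login disabled, no direct root login) can be checked in one pass. This is an added example, not part of the original guide; the function name and the sample configuration are constructed, and the parser assumes whitespace-separated `Keyword value` lines and does not follow `Include` directives.

```sh
# audit_sshd [FILE]
# Reads sshd_config-style text (file argument or stdin) and prints one line
# per finding; prints nothing when all three checks pass.
audit_sshd() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        { key = tolower($1); value = tolower($2) }   # keywords are case-insensitive
        key == "match" { exit }                  # global section ends at the first Match block
        key == "port"  { ports[value] = 1; have_port = 1; next }   # Port may repeat
        !(key in first) { first[key] = value }   # other keywords: first value wins
        END {
            # OpenSSH defaults apply when a keyword is absent.
            if (!have_port) ports["22"] = 1
            pw   = ("passwordauthentication" in first) ? first["passwordauthentication"] : "yes"
            root = ("permitrootlogin" in first) ? first["permitrootlogin"] : "prohibit-password"
            if ("22" in ports) print "port: sshd listens on default port 22"
            if (pw != "no")    print "password: PasswordAuthentication is " pw
            if (root != "no")  print "root: PermitRootLogin is " root
        }
    ' "$@"
}

# Demo on a constructed sample configuration (not from a real server).
audit_sshd <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
EOF
```

On a live server, `sshd -T` prints the effective configuration in the same `keyword value` form with included files already resolved, so saving its output and passing it to the function avoids the `Include` limitation.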
Install an SSL Certificate
cPanel servers rely on AutoSSL to maintain Comodo-signed, domain-validated (DV) SSL certificates. Without server management software, you’ll need to manage SSL certificates manually or with external tools. There are many websites that will create SSL certificates for you, such as letsencrypt.org. But you can also purchase SSL certificates from AMP if needed.
We recommend installing Certbot to produce and automate SSLs. Then ensure all traffic is forced to port 443 (HTTPS).
Security HTTP Headers and Subresource Integrity (SRI)
Security HTTP headers and SRI work alongside your SSL certificate to protect your visitors’ privacy and guard against cross-site scripting (XSS). Start with Strict-Transport-Security (HSTS) to enforce SSL usage within browsers and Referrer-Policy to limit the referrer information passed on to analytics software. Then slowly work on Content-Security-Policy (CSP).
Submitting your website for preloading at Hstspreload.org isn’t required or recommended for websites that aren’t proactively maintained. It’s still a good practice to use the web application to check your HSTS header.
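A quick local check of the three headers named above, as an added example that is not part of the original guide. It reads saved response headers (for instance from `curl -sI https://your-domain`) on stdin; the function name, the sample responses and the one-year `max-age` threshold (the minimum hstspreload.org asks for) are this example's assumptions.

```sh
# check_security_headers < response-headers
# Prints one line per missing or weak header; prints nothing if all pass.
check_security_headers() {
    tr -d '\r' | awk -F': *' '
        { name = tolower($1) }                    # header names are case-insensitive
        name == "strict-transport-security" {
            hsts = 1; age = 0
            # Pull the number out of max-age=NNN ("max-age=" is 8 characters).
            if (match(tolower($2), /max-age=[0-9]+/))
                age = substr($2, RSTART + 8, RLENGTH - 8) + 0
        }
        name == "referrer-policy"         { ref = 1 }
        name == "content-security-policy" { csp = 1 }
        END {
            if (!hsts)               print "missing: Strict-Transport-Security"
            else if (age < 31536000) print "weak: HSTS max-age " age " is under one year"
            if (!ref) print "missing: Referrer-Policy"
            if (!csp) print "missing: Content-Security-Policy"
        }
    '
}

# Constructed sample response (not captured from a real site).
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: text/html\r\n'
    printf 'Strict-Transport-Security: max-age=300\r\n'
    printf '\r\n'
}

sample_headers | check_security_headers
```

A short `max-age` such as the 300 seconds in the sample is a reasonable first step while testing HSTS; raise it once you are confident every page and subresource loads over HTTPS.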
DNS Security (DNSSEC)
Add Domain Name System Security Extensions (DNSSEC) to your server, or enable DNSSEC with Cloudflare, to validate your websites to internet users with secure DNS resolvers.
InMotion Hosting nameservers and a long list of popular TLDs support DNSSEC including .com, .net, and .org. Contact your domain registrar for more information.
Update Applications/OS
Ensure all installed software is updated regularly so any security patches or known vulnerabilities are addressed. If any software you use can’t alert you of available updates via email or log entry, follow the developer’s official social media account(s) or RSS feed. If you need assistance with upgrading your server OS, contact our Managed Hosting.
Other Considerations
Prevent Data Loss With Backups
Having backups of your server environment is an important consideration when securing your cloud server since it can help reduce the amount of damage caused by malware, hacks, or breaches.
You can easily create server snapshots in AMP, but keep in mind that you cannot restore individual files from a snapshot. Therefore, create and verify server backups at least monthly. It’s also beneficial to store backups on another server or location so they would not be affected.
If you use Webmin, Vesta Control Panel, or another server management suite, learn how to create, verify, and download server backups manually and automatically. The redundancy ensures you always have a way to create and restore backups.
Assessing the security of your cloud server on a regular basis should be a priority. If you have a complex server environment requiring many open ports, consider using Nmap to audit your setup. After auditing, you can then try to pressure test any identified or suspected weaknesses. If any vulnerabilities are detected they can then be addressed.
Install an Anti-Virus Scanner
Does your web application allow users to upload files? If so, you should have an AV scanner check those files for malware signatures upon upload and periodically afterward as changes occur. Here are some popular options:
- Linux Malware Detect (LMD) (Also known as maldet)
- Rootkit Hunter (rkhunter)
There are many free cybersecurity training platforms and vulnerability assessment tools available to help you learn more about securing your website, or Linux in general.
I recommend starting with cybersecurity awareness training from DoD Cyber Exchange.
Additional Support Resources
Managed Hosting specializes in custom server-level configurations and optimizations. Ask Live Support about Launch Assist to help you get started and your allotted Managed Hosting time.
Community Support Center is the place to engage the community for support, alternatives, and additional assistance. Remember, the forum is not a live chat support medium and InMotion administrators do not have access to your hosting account. For immediate assistance with support and billing, contact our 24/7 Live Support.
Congratulations, you should now understand the best practices for how to secure your cloud server hosting. We recommend bookmarking our Cloud Server Hosting Product Guide for future reference.