Our Blog

Self-hosting your application has many advantages but it also comes with a number of risks. Any web server is continuously attacked by hackers these days, with scripts that probe all services for potential vulnerabilities or configuration issues.

In a managed environment, the server administrators will make sure that solid mechanisms are in place to protect your servers against such attacks.

If you host and manage your own application, you will have to handle security yourself. This is a very difficult task because no system can ever be fully secure and it’s unlikely that you’ll have the time to follow the latest security updates.

However, here are three basic steps that can protect your self-hosted application against a wide range of attacks.

PLACE SSH ACCESS BEHIND A VPN

The secure shell protocol (SSH) allows you to connect to your server remotely and has very strong cryptographic features that guarantee safe communication even on unsecure networks.

At the same time, it is probably the most targeted service by hackers and bots. A persistent brute force attack can eventually breach your server, even if you have a very complex password.

There are several ways to protect the SSH service against such attacks, one of the most effective is to setup a virtual private network (VPN) in front of it.

A VPN creates a tunnel between your remote computer and the server, which can only be accessed through the VPN. The network configured for the SSH service becomes a private one, with no direct connection from the outside world.

This setup makes brute force attacks impossible and adds one more layer of protection. An attacker would have to first hack your VPN and then the SSH service, which is very difficult to accomplish because VPN authentication usually relies on digital certificates.

We have already described how to setup your own Linux VPN in this article.

KEEP YOUR SOFTWARE UPDATED AND ENABLE AUTOMATIC UPDATES

Application developers react to security vulnerabilities by releasing patches and new versions that eliminate bugs and flaws in their code.

Any outdated software that runs on your server is a major security risk because it has well-known vulnerabilities that can be exploited even by inexperienced attackers, using scripts available on the Internet. In addition, penetration bots constantly scan the web for old applications.

The consequences can be dreadful. The popular WordPress platform for example has been affected by several massive security exploits that caused a large number of servers to be hacked. The initial wave of attacks started in 2007 and other serious vulnerabilities have emerged periodically to this day.

The only way to protect a site against these issues was to immediately apply new patches and WordPress has greatly simplified the process in 2008, when it introduced the one-click update.

As a result, it is very important to make sure that your applications are always up to date. Many programs, such as WHM, have an auto-update option that you should activate.

Others have to be manually updated from their backend interface or using the packet manager included in your Linux distribution. Follow a disciplined update schedule, you can for example dedicate a few minutes once per week to apply patches.

If you run an old version of an application that is no longer supported and the update procedure is difficult, contact an experienced system administrator who can migrate it to the newest release.

DISABLE UNNEEDED SOFTWARE

Any software that runs on your server can be targeted by hackers and is a potential security risk.

Every Linux distribution comes with a number of services activated by default; you probably don’t use all of them. Disabling the ones you don’t need is an easy way to make your server more secure.

A CentOS server for example will include some potentially useless services, even in a minimal installation.

Two of them are especially dangerous because they listen on network ports and can be exploited remotely: the Postfix (mail) service and the chronyd daemon that handles time synchronization.

If you don’t send emails from your server and time accuracy isn’t very important, you can stop and disable both services.

This is easily accomplished from the command line, these are the commands to stop Postfix and completely remove it from your server:

You can run the command netstat -tulpn (requires the net-tools package to be installed) in order to see all services that listen on various ports.

Don’t disable services unless you fully understand their purpose, otherwise you can cripple your system. For example, disabling the avahi daemon might close all your network connections.

The three steps outlined in this article will significantly enhance the security of your self-hosted application, but there are many other measures you can implement to harden it even further.

Are you looking for a cheap, rock solid VPS hosting for your self-hosted application? Check out our insanely cheap VPS plans.

Stay vigilant and follow our blog for more articles on security tips & tricks to protect your server.