Jump to content

VPS security


Recommended Posts

Hello and a Happy New Year to everyone!

Some questions concerning making my VPS more secure, as I think that there are actually people trying to get in.

1. If I disable SSH (via Hestia CP), I suppose I can re-enable it (same way) if I need it. But, what happens, if Hestia CP breaks down? No more possibility at all to access the VPS? Or is it possible that HelioHost may re-enable SSH and can log in to the VPS again? Would changing the port each week or so be a good idea? I ask this, because there seems to be regular SSH traffic, without myself using it.

2. For some weeks, there is lots of web access to url = /phpmyadmin (175 during December). I guess that that is someone who tries to hack my databases. How risky such trials are and what is the best I can do? Would it affect Hestia CP, if I renamed the phpMyAdmin folder?

3. In order to be sure to be somehow prepared if my VPS broke down, is there a (simple) way to take an image of the whole system?

Thanks for any suggestions.

 

Link to comment
Share on other sites

1. No. You might want to pick a nonstandard port number, but no need to change it regularly. Our servers have had public-facing SSH open for 16 years and no issues. If you do this, make sure you open that port in the VPS's firewall before you change it. I've seen others change it and lock themselves out by getting blocked by their own firewall.

2. Renaming the folder would work but could break Hestia if it expects the files to be there. If you're using Apache, another option is an .htaccess file to restrict the folder to certain IPs.

3. If it's possible to back it up while running, possibly, though there's data integrity issues that can result from this when you live capture things like in-use database files. If you need a full image taken while offline, no.

Link to comment
Share on other sites

1. I run SSH on a custom port. My sorrows, that someone tries to hack me on this port, are not justified, I think. If there is all this traffic, I suppose it's because of myself, doing file upload using ftps (i.e. using the custom SSH port).

2. So you think that Hestia needs access to phpMyAdmin? Limiting access to a given IP would of course be a solution, but having no own Internet connection and using public WiFi networks in the street, this is not really possible.

3. On Windows, creating an image of a shadow copy works fine and restoring the image does not cause any problems. Isn't there anything similar for Ubuntu server? Or should I backup the filesystem, databases, etc separately?

Link to comment
Share on other sites

Hestia would need PMA in order to link into it, as well as for it to successfully update it as part of the package.

There may be a linux version of shadow copies (I don't know enough about linux, I manage windows for a living), but they aren't really supported for things like running MySQL instances. It will appear to work, but the files will be left in an unknown state because part of the data is in memory and not committed to disk (the in-memory part will not be captured). You would need to stop the database server before making the snapshot to ensure the database is flushed to disk and not in use if you wanted to go this route.

Alternately, just dump the databases to .sql files with mysqldump and back up your home folder every now and then. That's the data primarily needed to restore the site if the VPS crashes.

 

Link to comment
Share on other sites

I guess that what you said about MySQL applies also to my local database server on Windows? What would mean when playing back one of my images and MySQL was running during this time, I could have problems with MySQL data integrity? Are there perhaps other services that have also to be stopped before taking an image?

Link to comment
Share on other sites

Correct. Running database servers don't like file-level backups. If you do this, it's basically luck as to whether the backup of the database server would work when restored (on a good day, it'll work, on a bad one, it'll either refuse to start at all, or it will start with missing data or databases that are marked as crashed).

When backing up a running database server, you have to back it up using software that understands it's a database server. Software designed for this will be able to tell the server it's being backed up, so the server can do things like unload a database's files and flush them to disk, or produce a dedicated copy of the database that can be backed up safely.

If you don't use such software, your choices for safe backups are generally to either dump the databases (e.g. mysqldump) and back up the .sql file, or stop the database server and make normal backups of the server's files.

  • Thanks 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...