Today a friend (Amr Eldib) asked a question on Facebook that I think a few of you may have as well:
I’ve never set up a Virtual Private Server out in the open on the Internet, and I was wondering how safe it would be?
I prefer Windows, because it’s what I know.
It’s intended to run all kinds of applications, blog, CMS, Wiki, file sync, photo storage, etc.
From your experience, what safety/security steps do I need to pay attention to?
Does the security of the server depend on the applications or the OS, or both?
I had a relatively short and simple answer to this question. I’m sharing it here with you pretty much as-is.
If you are looking for an affordable host, I’ve always recommended SoftSys Hosting.
For most hosts, the server is locked down by default. Any OS will be subject to vulnerabilities though, so make sure you have the latest Windows updates (it’s OK to have Windows 2008 R2 instead of 2012 R2; it might actually be better because it uses fewer resources. Any OS that’s not out of support should be OK).
The most common attacks are usually random ones: they hit random servers, probe default port numbers, try default usernames and weak passwords, try to identify or guess what software is installed on the server, and then use known vulnerabilities in that software in the hope that you haven’t patched them.
Things you can do: remove or disable accounts with default names like Administrator, change the default port numbers for things like the SQL DBMS and FTP / SSH if you use any, and make sure things like the SQL DBMS do NOT allow remote connections in the first place.
The application can also be a threat. For example, hMailServer uses OpenSSL, so you need the latest version to make sure you don’t have an OpenSSL hole. WordPress now installs minor/security updates automatically, but you always want to check, and maybe even be careful about which plugins you use.
Apply the same rule to similar software packages.
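A read-only PowerShell audit of the checks listed above, as an added example that is not from the original post: it reports whether the built-in Administrator account is still enabled and which default service ports listen on a non-loopback address. The function names, the port list and the sample netstat rows are assumptions made for illustration, and it expects English `netstat -ano` output.

```powershell
# Added example: read-only audit, changes nothing on the server.
# Assumption (not from the post): well-known default ports for each service.
$DefaultPorts = @{ 21 = 'FTP'; 22 = 'SSH'; 1433 = 'SQL Server'; 3306 = 'MySQL' }

function Get-ExposedDefaultListener {
    param([string[]]$NetstatLines, [hashtable]$Ports = $DefaultPorts)
    foreach ($line in $NetstatLines) {
        # Row shape (English netstat -ano): TCP  0.0.0.0:1433  0.0.0.0:0  LISTENING  1234
        if ($line -notmatch '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') { continue }
        $addr = $Matches[1]; $port = [int]$Matches[2]; $owner = [int]$Matches[3]
        if (-not $Ports.ContainsKey($port)) { continue }      # moved or unrelated port
        # Loopback-only listeners cannot be reached from other machines.
        if ($addr -eq '127.0.0.1' -or $addr -eq '[::1]') { continue }
        New-Object PSObject -Property @{
            Service = $Ports[$port]; Address = $addr; Port = $port; ProcessId = $owner
        }
    }
}

function Get-BuiltinAdministrator {
    # The built-in Administrator keeps a SID ending in -500 even after a rename.
    Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object Name, Disabled, SID
}

# Constructed sample: SQL Server on all interfaces is flagged, MySQL on loopback
# is not, and FTP moved to a non-default port (2121) is not.
$sample = @(
    '  TCP    0.0.0.0:1433      0.0.0.0:0     LISTENING    1612',
    '  TCP    127.0.0.1:3306    0.0.0.0:0     LISTENING    2040',
    '  TCP    0.0.0.0:2121      0.0.0.0:0     LISTENING    988'
)
Get-ExposedDefaultListener -NetstatLines $sample | Format-Table -AutoSize

# Live check on the server itself.
$admin = Get-BuiltinAdministrator
if ($admin -and -not $admin.Disabled) {
    Write-Warning "Built-in administrator account '$($admin.Name)' is enabled."
}
Get-ExposedDefaultListener -NetstatLines (netstat -ano) | Format-Table -AutoSize
```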