Tag: tutorial

Best Practices for Running a Secure Email Server on VPS

Leave a Comment on Best Practices for Running a Secure Email Server on VPS
Best Practices for Mail Server on VPS

Running your own email server on a Virtual Private Server (VPS) offers increased control, privacy, and customization compared to third-party email services. However, with greater control comes the responsibility to secure your server from threats like spam, data breaches, and unauthorized access. In this article, we’ll cover the best practices for setting up and maintaining a secure email server on your VPS.

1. Use Strong Authentication and Secure Credentials

  • Strong Passwords: Ensure that all email accounts use strong, complex passwords. Consider implementing password policies that enforce minimum length, character diversity, and expiration periods.
  • Two-Factor Authentication (2FA): If supported, enable 2FA for accessing email server administration panels and webmail interfaces to add an extra layer of security.

2. Use Secure Protocols (SSL/TLS)

  • Enable TLS Encryption: Configure your mail server to use STARTTLS for encrypting communications with email clients and other servers. This helps protect data during transmission.
  • Install an SSL Certificate: Obtain a valid SSL certificate from a trusted Certificate Authority (CA) and install it on your email server. This ensures that your email clients can securely connect to the server without warnings.
  • Disable Unencrypted Connections: Ensure that plaintext connections (non-SSL/TLS) are disabled to prevent potential eavesdropping.

3. Configure Anti-Spam and Anti-Virus Filters

  • SpamAssassin: Consider using SpamAssassin or similar anti-spam software to filter out unwanted and malicious emails.
  • ClamAV: Use an antivirus solution like ClamAV to scan incoming and outgoing emails for viruses, malware, and other malicious attachments.

4. Implement Rate Limiting and IP Blacklisting

  • Rate Limiting: Set limits on how many emails a user or domain can send per hour/day to prevent spamming and abuse.
  • IP Blacklisting: Use dynamic IP blacklists to block known sources of spam and malicious traffic. Configure tools like Fail2Ban to detect and ban suspicious IP addresses based on authentication failures.

5. Use Secure Ports and Firewall Rules

  • Configure Ports Correctly: Use the following ports for secure email traffic:
  • IMAP over SSL/TLS (IMAPS): Port 993
  • POP3 over SSL/TLS (POP3S): Port 995
  • SMTP over SSL/TLS (SMTPS): Port 465
  • SMTP with STARTTLS: Port 587
  • Set Up Firewall Rules: Use iptables or a firewall management tool like UFW to allow only the necessary ports for email traffic while blocking all other unnecessary traffic.

6. Enable DKIM, SPF, and DMARC

These email authentication protocols help ensure that emails sent from your domain are legitimate, reducing the chances of spoofing and phishing:

  • DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your emails, proving that they originated from your domain.
  • SPF (Sender Policy Framework): SPF specifies which IP addresses are authorized to send emails on behalf of your domain.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC ties together SPF and DKIM, providing instructions to email servers on how to handle messages that fail authentication.

7. Secure the Mail Transfer Agent (MTA)

  • Use Secure MTAs: Ensure that your mail server software (such as Postfix or Exim) is securely configured. Disable open relays to prevent your server from being used as a source of spam.
  • Enforce Authentication for SMTP: Require users to authenticate before sending email to prevent unauthorized access and abuse of your server’s resources.

8. Regularly Update and Patch Your Server

  • Apply Security Updates: Regularly update your email server software, operating system, and any related packages to protect against known vulnerabilities.
  • Automate Updates: Where feasible, consider automating security updates to reduce the risk of delayed patching.

9. Monitor Logs and Security Events

  • Log Review: Regularly review email server logs for signs of unusual activity, such as repeated login failures or high volumes of outgoing messages.
  • Monitoring Tools: Use tools like Logwatch or Graylog to monitor and analyze logs for suspicious behavior in real-time.

10. Enforce Mailbox Quotas and Archiving Policies

  • Mailbox Quotas: Set limits on mailbox sizes to prevent a single user from consuming excessive resources.
  • Email Archiving: Implement policies for archiving old emails, reducing the amount of active data and improving server performance.

11. Consider Using Web Application Firewalls and Intrusion Detection Systems

  • WAFs and IDS: Use tools like ModSecurity (web application firewall) or Snort (intrusion detection system) to protect against malicious web traffic and detect attacks on your server.

12. Backup Your Server Regularly

  • Automated Backups: Implement a robust backup solution to regularly back up email data, configurations, and critical server files.
  • Offsite Backups: Store backups offsite or on a separate server to ensure data can be recovered in case of a major incident.

Conclusion

Running a secure email server on your VPS requires diligence, ongoing monitoring, and a robust set of security measures. By following these best practices, you can ensure that your email server is protected against common threats, provides reliable communication, and maintains your user’s trust. Hosteons.com offers reliable VPS solutions to give you the control and performance you need for running your email server securely and efficiently.

Ready to set up a secure email server on Hosteons.com VPS? Get started with our reliable and scalable VPS plans today!

How to Set Up a VPN Server on Windows Server 2022 KVM VPS

Leave a Comment on How to Set Up a VPN Server on Windows Server 2022 KVM VPS
windows 2022 vpn server tutorial
Windows 2022 VPN Server Tutorial

Here’s a step-by-step tutorial for setting up a VPN server on a Windows Server 2022-based KVM VPS:

Setting up a VPN (Virtual Private Network) on your Windows Server 2022 KVM VPS can be a great way to securely access resources, mask your IP address, or bypass network restrictions. Here’s how to set up a basic VPN server quickly.

Prerequisites:

  • A KVM VPS running Windows Server 2022.
  • Administrator access to your VPS.
  • Basic networking knowledge.

Step-by-Step Guide:

1. Connect to Your VPS

  • Use Remote Desktop Protocol (RDP) to connect to your Windows Server 2022 VPS.
  • Log in using your administrator credentials.

2. Install the Remote Access Role

  1. Open Server Manager.
  2. Click on Manage > Add Roles and Features.
  3. In the wizard, select Role-based or feature-based installation and click Next.
  4. Select your server from the server pool and click Next.
  5. On the Select server roles page, check the box for Remote Access and click Next.
  6. Click Next until you reach the Role Services section.
  7. Check DirectAccess and VPN (RAS) and click Next.
  8. Complete the installation by clicking Install. This process might take a few minutes.

3. Configure the VPN Server

  1. Open Server Manager again, go to Tools > Routing and Remote Access.
  2. In the Routing and Remote Access window, right-click your server name and select Configure and Enable Routing and Remote Access.
  3. In the wizard:
  • Select Custom configuration.
  • Check VPN access and click Next.
  • Click Finish.
  1. Right-click the server again and select Start service.

4. Configure VPN Ports

  • Make sure your VPS firewall allows incoming traffic on port 1723 (used for PPTP VPN) and port 47 (GRE protocol).

5. Configure IP Address Assignment

  1. In the Routing and Remote Access window, right-click on your server, and select Properties.
  2. Go to the IPv4 tab.
  3. Select Static address pool, then click Add.
  4. Enter a range of IP addresses that your VPN clients will use (e.g., 192.168.100.1 to 192.168.100.20).
  5. Click OK.

6. Add a User for VPN Access

  1. Open Computer Management (from Server Manager > Tools).
  2. Click on Local Users and Groups > Users.
  3. Right-click on Users and select New User.
  4. Create a new user with a username and password. Make sure to uncheck User must change password at next logon.
  5. Click Create.
  6. Go to the Properties of the user you just created, click on the Dial-in tab, and select Allow access for Network Access Permission.

7. Connect to Your VPN

  • On a client device, add a new VPN connection using the public IP address of your KVM VPS.
  • Use the credentials created in the previous step.

Troubleshooting Tips:

  • Ensure the ports needed for VPN are not blocked by your VPS provider’s firewall or your internal firewall.
  • Double-check your user credentials.
  • Make sure your VPS’s network interface is properly configured.

Conclusion

Setting up a VPN server on your Windows Server 2022 KVM VPS offers a robust solution for secure connections. Following this guide, you should have your VPN service up and running quickly.

Securing Your Windows Server 2022 VPS: A Comprehensive Guide

Leave a Comment on Securing Your Windows Server 2022 VPS: A Comprehensive Guide
windows 2022 security
windows 2022 security

Windows Server 2022 is a robust operating system designed to power the most demanding enterprise applications, databases, and web servers. However, like all systems exposed to the internet, it’s a potential target for malicious actors. This guide will walk you through essential steps to ensure your Windows Server 2022 VPS or server remains secure, giving you peace of mind for your data and applications.

1. Update Windows Server Regularly

Keeping your server updated with the latest patches is crucial for security. Microsoft frequently releases updates to address vulnerabilities and bugs.

  • Open the Windows Update Settings:
  • Go to Settings > Update & Security > Windows Update.
  • Click Check for updates and install any available updates.

Tip: Consider enabling automatic updates to ensure your server stays current without manual intervention.

2. Secure Remote Desktop Protocol (RDP)

RDP is commonly targeted by attackers, so taking measures to protect it is essential.

  • Change the Default RDP Port: By default, RDP uses port 3389, making it a popular target.
  • Open Regedit and navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber.
  • Change the port value to an alternative unused port number.
  • Limit RDP Access:
  • Use a firewall to allow RDP connections only from trusted IP addresses.
  • Consider using a VPN for RDP access, providing an additional layer of security.

3. Create Strong Password Policies

Using complex passwords and requiring periodic changes helps mitigate brute-force attacks.

  • Go to Group Policy Management: gpedit.msc.
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
  • Configure settings such as minimum password length, complexity requirements, and password expiration.

4. Enable Windows Firewall

The built-in Windows Firewall is a powerful tool for filtering incoming and outgoing traffic.

  • Open Windows Defender Firewall and click on Advanced Settings.
  • Create inbound and outbound rules that allow only the necessary ports and applications.
  • Block any unnecessary connections that may pose a risk.

5. Configure User Account Control (UAC) and Least Privilege Access

UAC prompts users to confirm changes that require administrative privileges, limiting unauthorized system changes.

  • Go to Settings > Control Panel > User Accounts > Change User Account Control settings.
  • Ensure UAC is enabled.

For access control, create limited accounts for day-to-day tasks and use administrative accounts sparingly.

6. Install and Configure Antivirus Software

Protect your server from malware by installing a reputable antivirus solution. Microsoft Defender Antivirus, which is included in Windows Server 2022, is a good starting point.

  • Enable Real-time Protection: Regularly scan your system for threats.
  • Schedule Regular Scans: Configure the antivirus to automatically scan at regular intervals.

7. Regularly Backup Data

Having a solid backup strategy ensures your data remains safe in case of a security breach.

  • Configure Windows Server Backup:
  • Go to Server Manager > Add Roles and Features > Windows Server Backup.
  • Schedule regular backups, storing them offsite for additional security.

8. Disable Unnecessary Services and Features

Minimize your attack surface by disabling services you don’t need.

  • Open Server Manager, click on Manage, and select Remove Roles and Features.
  • Carefully review and deselect roles or features not required for your server’s operation.

9. Enable Network Level Authentication (NLA) for RDP

NLA adds an additional layer of security by requiring users to authenticate before a session is established.

  • Open System Properties > Remote Settings.
  • Under Remote Desktop, select Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended).

10. Audit Security and Event Logs

Regularly review security logs to identify and respond to suspicious activity.

  • Go to Event Viewer > Windows Logs > Security.
  • Review logs for login attempts, access violations, or other suspicious activity.

Conclusion

Securing your Windows Server 2022 VPS or server requires a multi-layered approach. By following these best practices, you can greatly reduce your risk of cyberattacks, keep your data safe, and ensure that your server performs optimally. At Hosteons, we prioritize security and are here to support you every step of the way.

Stay safe and secure!

Basic Security Guide for AlmaLinux 9

Leave a Comment on Basic Security Guide for AlmaLinux 9
Almalinux Security
Almalinux Security

Securing your server is a critical task for any system administrator, developer, or business owner. AlmaLinux 9, as a stable and robust RHEL-based distribution, offers great tools and features that make it an excellent choice for hosting websites, applications, or services. In this tutorial, we’ll walk you through basic security measures you can implement to keep your AlmaLinux 9 server secure.

1. Update Your System

The first and foremost step in securing your system is ensuring that it’s up-to-date with the latest security patches.

Command:

sudo dnf update -y

This command updates all installed packages to their latest versions, closing any known vulnerabilities.

2. Create a Non-Root User

Running your system as the root user is risky, as any command executed with root privileges can make sweeping changes to the system. Instead, create a non-root user and use sudo for administrative tasks.

Command:

sudo adduser yourusername
sudo passwd yourusername
sudo usermod -aG wheel yourusername

Now you can switch to this new user with:

su - yourusername

3. Configure a Firewall Using firewalld

AlmaLinux 9 comes with firewalld, a dynamic firewall management tool that provides a simple way to manage firewall rules.

Start and enable firewalld:

sudo systemctl start firewalld
sudo systemctl enable firewalld

Check the status of the firewall:

sudo firewall-cmd --state

Allow or deny services/ports:
For example, to allow SSH (port 22):

sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

4. Enable SELinux (Security-Enhanced Linux)

SELinux provides an additional layer of security by controlling access to files, processes, and ports.

Check SELinux status:

sestatus

If it’s disabled, enable it by editing /etc/selinux/config:

sudo nano /etc/selinux/config

Set SELINUX=enforcing, then reboot the server:

sudo reboot

5. Install and Configure Fail2Ban

fail2ban is a service that helps protect your server from brute-force attacks by banning IP addresses that show malicious signs.

Install fail2ban:

sudo dnf install fail2ban -y

Start and enable the service:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Configure fail2ban:
Create a local configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the file to enable the SSH jail:

sudo nano /etc/fail2ban/jail.local

Set [sshd] parameters like:

[sshd]
enabled = true

6. Disable Root Login via SSH

To further secure SSH access, prevent direct root logins.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find and set:

PermitRootLogin no

Restart the SSH service:

sudo systemctl restart sshd

7. Set Up Automatic Updates

You can automate security updates with the dnf-automatic tool.

Install dnf-automatic:

sudo dnf install dnf-automatic -y

Configure automatic updates:
Edit the configuration file /etc/dnf/automatic.conf to set:

apply_updates = yes

Enable the service:

sudo systemctl enable --now dnf-automatic.timer

8. Install and Configure an Intrusion Detection System (IDS)

For added security, consider installing an IDS like AIDE (Advanced Intrusion Detection Environment).

Install AIDE:

sudo dnf install aide -y

Initialize the AIDE database:

sudo aide --init
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run a manual check with:

sudo aide --check

Conclusion

By following these basic security steps, you’re well on your way to securing your AlmaLinux 9 server. These measures provide a solid foundation for system hardening and mitigating potential threats. As always, security is an ongoing process, and regular audits and updates are crucial for long-term protection.

Feel free to share your own security tips or ask questions in the comments!

Basic Tutorial to Secure an Ubuntu VPS

Leave a Comment on Basic Tutorial to Secure an Ubuntu VPS
Secure Ubuntu VPS
Secure Ubuntu VPS

Securing your Ubuntu VPS is essential for protecting data, ensuring stability, and preventing unauthorized access. Here’s a straightforward guide on some basic yet effective steps to secure an Ubuntu VPS.

1. Update Your System

Start by updating your system to ensure all software is up-to-date with the latest security patches.

sudo apt update && sudo apt upgrade -y

2. Create a New User and Disable Root Login

For security, avoid using the root account directly and create a new user with sudo privileges.

  1. Create a new user: sudo adduser yourusername
  2. Add the user to the sudo group: sudo usermod -aG sudo yourusername
  3. Switch to the new user: su - yourusername
  4. Disable root login by editing the SSH configuration file: sudo nano /etc/ssh/sshd_config Find the line:
   PermitRootLogin yes

Change it to:

   PermitRootLogin no
  1. Restart SSH to apply changes:
    sudo systemctl restart ssh

3. Enable Firewall (UFW)

Ubuntu’s Uncomplicated Firewall (UFW) provides a straightforward way to manage firewall settings.

  1. Allow SSH access: sudo ufw allow OpenSSH
  2. Enable the firewall: sudo ufw enable
  3. Check the status:
    sudo ufw status

Optionally, if you’re hosting a web server, allow HTTP and HTTPS traffic:

sudo ufw allow http
sudo ufw allow https

4. Change the Default SSH Port

Changing the SSH port can add an additional layer of security against automated attacks.

  1. Open the SSH configuration file: sudo nano /etc/ssh/sshd_config
  2. Find the line: #Port 22 Uncomment and change 22 to your desired port, e.g., 2222: Port 2222
  3. Restart SSH to apply changes: sudo systemctl restart ssh
  4. Don’t forget to allow the new SSH port through the firewall:
    bash sudo ufw allow 2222/tcp

5. Disable Password Authentication and Enable SSH Key Authentication

Using SSH keys instead of passwords enhances security.

  1. Generate an SSH key pair on your local machine: ssh-keygen -t rsa -b 4096
  2. Copy your public key to your VPS: ssh-copy-id -p 2222 yourusername@your_server_ip
  3. Disable password authentication for SSH: sudo nano /etc/ssh/sshd_config Find the line: PasswordAuthentication yes Change it to: PasswordAuthentication no
  4. Restart SSH:
    sudo systemctl restart ssh

6. Install Fail2ban

Fail2ban monitors login attempts and blocks IPs with repeated failures, protecting against brute-force attacks.

  1. Install Fail2ban: sudo apt install fail2ban -y
  2. Start and enable Fail2ban: sudo systemctl start fail2ban sudo systemctl enable fail2ban
  3. Configure Fail2ban by creating a local jail file: sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  4. Modify settings as needed: sudo nano /etc/fail2ban/jail.local You can adjust the ban time, retry limits, and monitored services.
  5. Restart Fail2ban:
    sudo systemctl restart fail2ban

7. Install and Configure Automatic Updates

Automatic updates reduce the risk of security vulnerabilities by ensuring software remains current.

  1. Install the unattended-upgrades package: sudo apt install unattended-upgrades -y
  2. Enable automatic updates:
    sudo dpkg-reconfigure --priority=low unattended-upgrades

8. Regular Backups

Always keep regular backups to quickly recover in case of an attack or data loss. Many hosting providers, like Hosteons, offer backup solutions, making it easy to automate and restore from snapshots or backups.

Summary

By following these steps, you enhance the security of your Ubuntu VPS against common threats. Regular updates, secure login configurations, a robust firewall, and monitoring tools like Fail2ban all contribute to a safer and more reliable server environment. With these basics covered, your VPS will be better protected against potential attacks.

Getting Errors while booting a OpenVZ 7 VPS Container running on Ploop File System ?

Leave a Comment on Getting Errors while booting a OpenVZ 7 VPS Container running on Ploop File System ?

Getting errors like:

2019-08-09T08:24:10-0400 : Error in e2fsck (fsutils.c:471): e2fsck failed (exit code 4)

2019-08-09T08:24:10-0400 vzctl : CT 392 : Failed to mount image /vz/private/392/root.hdd: Error in e2fsck (fsutils.c:471): e2fsck failed (exit code 4)
[41]

#vzctl start 392

Starting container…
Opening delta /vz/private/392/root.hdd/root.hdd
Adding delta dev=/dev/ploop61204p1 img=/vz/private/392/root.hdd/root.hdd (rw)
/dev/ploop61204p1p1: UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY.
(i.e., without -a or -p options)
Error in e2fsck (fsutils.c:471): e2fsck failed (exit code 4)
Failed to mount image: Error in e2fsck (fsutils.c:471): e2fsck failed (exit code 4)

It can happen due to a file system crash or VPS Node crash etc…, don’t worry follow following tutorial to fix.

Solution:

1)Stop the container.

#vzctl stop 392

#vzlist 392

2)Mount the ploop image.

#ploop mount /vz/private/392/root.hdd/DiskDescriptor.xml

3)Perform fdisk -l

#fdisk -l /dev/ploop61204p1

4)Perform a file system check for the partition(note p1 at the end):

#e2fsck /dev/ploop61204p1p1

5)Unmount the ploop image

#ploop umount -d /dev/ploop61204p1

Unmounting device /dev/ploop61204p1

6)Start the container

#vzctl start 392

How to enable iptables in CentOS 7

Leave a Comment on How to enable iptables in CentOS 7

Just use the following commands to disable firewalld and enable the good old iptables in any CentOS 7 based VPS or server:

[root@test2 ~]# systemctl stop firewalld

[root@test2 ~]# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.

[root@test2 ~]# yum install -y iptables iptables-services
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.centos.org
* extras: mirror.centos.org
* updates: mirror.centos.org
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
Package iptables-1.4.21-24.1.el7_5.x86_64 already installed and latest version
Resolving Dependencies
–> Running transaction check
—> Package iptables-services.x86_64 0:1.4.21-24.1.el7_5 will be installed
–> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================================
Installing:
iptables-services x86_64 1.4.21-24.1.el7_5 updates 51 k

Transaction Summary
=========================================================================================================================================
Install 1 Package

Total download size: 51 k
Installed size: 25 k
Downloading packages:
iptables-services-1.4.21-24.1.el7_5.x86_64.rpm | 51 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : iptables-services-1.4.21-24.1.el7_5.x86_64 1/1
Verifying : iptables-services-1.4.21-24.1.el7_5.x86_64 1/1

Installed:
iptables-services.x86_64 0:1.4.21-24.1.el7_5

Complete!
[root@test2 ~]#

[root@test2 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@test2 ~]#
[root@test2 ~]# systemctl start iptables