For new VPS hosting website builders, I always recommend using the VPS hosting control panel. There are many free VPS host control panels on the market now. Many friends who have just transitioned from virtual hosts to VPS are not very familiar with the commands. The VPS host control panel is easy to use and can greatly improve work efficiency.
However, a fatal possibility of using a free VPS control panel is that there are security issues. The "VestaCP security vulnerability caused hundreds of Digital Ocean servers to become meat machines" that has been revealed in the past few days has been discussed in VestaCP official website forum and lowendtalk forum exploded, and many users began to complain about VestaCP security issues.
According to a message from my friend baoang, the popular Linux control panel VestaCP was found to have a zero-day vulnerability. Generally speaking, someone may have inserted tricks into the REPO of the panel program before it was released, so no matter how the user installs it, there will be problems. The code inside is run with root privileges after installation, and will use the VPS as a bot to attack externally at a specific time.
Considering that many users have tried the VestaCP panel after seeing the introduction of website digging, we strongly recommend that you back up your data quickly (it would be better if you have a previous backup to avoid the current website files or database being infected). Reinstall the VPS system, reinstall the latest version of VestaCP, and pay close attention to the latest developments of VestaCP.
I would like to take this opportunity to share with you how to ensure the safety and reliability of your own server while using the free VPS hosting control panel. Here are more website building tools:
- Three command tools Rsync, SCP, and Tar-quick solution to VPS remote website relocation and data synchronization
- Lsyncd builds synchronization mirror-use Lsyncd to achieve real-time synchronization between local and remote servers
- Linux VPS mounts Google Drive and Dropbox-realizes VPS host data synchronization and backup
1. Follow the official forum and update patch vulnerabilities
Qi has previously made a VPS host control panel summary topic: Server Control Panel List. You can pay more attention to the VPS panel you use. Generally speaking, the official forum will be the first to release panel patches and update procedures, and update panel patches and updates in a timely manner. Vulnerabilities are the fastest way to reduce losses.
2. Strengthen your own security and check logs regularly
The security of the server itself is often ignored by many people. In fact, no matter how good the VPS control panel is, if the security of the VPS itself is not good enough, it will be in vain. To strengthen the security of the server itself, it is best to choose a big-name and reliable VPS provider. For relevant evaluation reference: VPS host ranking list.
If there is a problem with the VPS control panel, you can see clues in the website logs. Here are two log analysis tools and performance monitoring tools recommended. Once the server is hacked, you can basically see abnormal information from the log + performance monitoring chart, helping us quickly locate the problem.
- Server log analysis tools: ngxtop and GoAccess - real-time monitoring and visual management to quickly find the source of exceptions
- Free open source PHP probe x-prober and cool Linux server performance real-time monitoring tool Netdata
3. Make data backups and deploy off-site disaster recovery
It is necessary to develop a good habit of regular backup of website data. Friends who have the conditions can also deploy an off-site disaster recovery backup plan. In short, data is priceless. Once the server is hacked, the previous normal website data can be restored in the shortest time. .
Regarding synchronization backup, here are several automated methods:
- Linux VPS mounts Google Drive and Dropbox-realizes VPS host data synchronization and backup
- Three ways to share folder directories in Linux - NFS remote mounting, GlusterFS shared storage and samba shared directories
- VPS mounts domestic and foreign network disks to achieve free expansion tools: Rclone, COS-Fuse and OSSFS
4. Check the program code and regularly detect and kill Trojans
If you are using WordPress, it is recommended not to use pirated or cracked WordPress themes, unofficial plug-ins, etc. These themes or plug-ins are likely to have malicious code implanted in advance. For novice friends, you can regularly check your website program files for viruses to ensure that there are no problems.
How can I know if my server has vulnerabilities or Trojans? The most direct way is to check the server's process and port usage in real time. The relevant commands are as follows:
- Summary of Linux system monitoring commands - master CPU, memory, disk IO, etc. to find performance bottlenecks
5. Give up free and switch to paid or pure commands
If you have money, it is still recommended to use a paid VPS control panel. For a panel like WHMCS, it is even more important to use a paid one. After all, security is the most important thing. Reference: WHMCS from beginner to proficient. If you have the ability, it is recommended to manually install Nginx, MysqL, PHP and other website building kits yourself, which is safe and secure.
If you want to use purely imperative LNMP and LAMP scripts to build a website, we recommend the following two:
- OneinStack one-click installation script - easily deploy Let’s Encrypt certificate and configure HTTPS site
- Linux VPS website building tool LNMP 1.4 installation and use-SSL automatic configuration renewal and multi-version PHP support
6. Summary
Regarding the issue of choosing a free VPS control panel, whether it is domestic or foreign, there will be more or less security problems. It is recommended not to use those VPS panels that have not updated the official website for a long time and have no one to maintain it, because once something goes wrong, it is basically "Self-rescue" attitude.
For veterans, it is recommended to get rid of the influence of the VPS panel as soon as possible. No matter how powerful the VPS panel function is, as long as you are willing to toss, you can manually use commands to achieve it. In addition, purely imperative scripts will also have problems, such as openssl vulnerabilities, Nginx vulnerabilities, etc., which require attention.