Introduction

When a breach occurs, time is critical. An incident response playbook ensures everyone knows their role and the order of actions before the pressure of a live incident, when decisions made under stress tend to destroy evidence or tip off the attacker. This guide provides a template for incidents on a VPS.

1. Assemble Incident Response Team

Identify individuals responsible: lead, technical analyst, communications, legal (if applicable).

2. Detection Sources

AIDE/RKHunter alerts, fail2ban logs, intrusion detection systems, third‑party monitoring, user reports.

3. Initial Triage

Confirm the alert is not a false positive. Check recent changes, suspicious processes and network connections, and record the time of the first indicator in UTC, since every later step of the timeline hangs off it.

4. Containment (Short‑term)

Disable compromised user accounts, cut the attacker's network access with a firewall rule (keeping your own admin path open), and take the VPS offline if necessary. Prefer network isolation over a shutdown when memory is to be captured in step 6: a reboot or power-off destroys it.
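As an added example of the short-term containment step (this is not the playbook's own code), the following POSIX shell helpers lock an account without destroying the attacker's SSH key, block a single address, and isolate the host so that only the responder's IP can reach it. They assume iptables and shadow-utils on the VPS and an evidence volume mounted at /mnt/evidence; the addresses are placeholders. Setting DRY_RUN=1 prints the commands instead of running them, which is how the helpers should be rehearsed in drills.

```sh
#!/bin/sh
# Short-term containment helpers (added example, not the playbook's own code).
# Assumes iptables and shadow-utils (usermod, chage) on the VPS, and an
# evidence volume mounted at EVIDENCE_DIR (assumed /mnt/evidence). With
# DRY_RUN=1 the helpers print the commands instead of executing them.

run() {                       # execute, or print when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# lock_account USER [EVIDENCE_DIR]: block further logins without destroying
# evidence. usermod -L only locks the password; chage -E 0 expires the
# account, which also refuses key-based SSH logins.
lock_account() {
    user=$1; evidence=${2:-/mnt/evidence}
    [ -n "$user" ] || { echo "usage: lock_account USER [EVIDENCE_DIR]" >&2; return 1; }
    [ "$user" != root ] || { echo "refusing to lock root: rotate its key and isolate the host instead" >&2; return 1; }
    run usermod -L "$user"
    run chage -E 0 "$user"
    run pkill -KILL -u "$user" || true        # no live processes is not an error
    home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
    if [ -n "$home" ] && [ -f "$home/.ssh/authorized_keys" ]; then
        # move, never delete: the attacker's key is evidence
        run mkdir -p "$evidence/$user"
        run mv "$home/.ssh/authorized_keys" "$evidence/$user/authorized_keys.$(date -u +%Y%m%dT%H%M%SZ)"
    fi
}

# block_ip IP: drop traffic to and from one attacker address immediately.
block_ip() {
    [ -n "$1" ] || { echo "usage: block_ip IP" >&2; return 1; }
    run iptables -I INPUT 1 -s "$1" -j DROP
    run iptables -I OUTPUT 1 -d "$1" -j DROP
}

# isolate_host ADMIN_IP: keep only the responder's address talking to the box.
# Existing attacker sessions die because their packets no longer match an
# ACCEPT rule; outbound beacons are logged (with the owning uid) before being
# dropped, which is cheap C2 evidence. ACCEPT rules go in before the DROP
# policies so the responder is never locked out half-way through.
isolate_host() {
    admin=$1
    [ -n "$admin" ] || { echo "usage: isolate_host ADMIN_IP" >&2; return 1; }
    run iptables -I INPUT 1 -i lo -j ACCEPT
    run iptables -I INPUT 2 -s "$admin" -j ACCEPT
    run iptables -I OUTPUT 1 -o lo -j ACCEPT
    run iptables -I OUTPUT 2 -d "$admin" -j ACCEPT
    run iptables -A OUTPUT -m limit --limit 30/min -j LOG --log-prefix "IR-OUT-DROP " --log-uid
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
}
```

Run isolate_host from a session originating at ADMIN_IP, and only after the provider snapshot in step 11 has been taken if you can afford the minutes; the logged IR-OUT-DROP lines in the kernel log are worth collecting in step 6.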

5. Long‑term Containment

Migrate to a clean VPS, change every credential that was stored on or reachable from the compromised host (passwords, SSH keys, API keys, database passwords, TLS private keys), and update firewall rules. Assume anything readable at the attacker's privilege level was read.

6. Forensics (Preserve Evidence)

Capture memory (LiME) first, then a disk image, and keep all logs. Do not reboot (memory is lost) or modify files on the host before the image is taken, and write evidence to a separate volume or remote host rather than the compromised disk. Hash everything collected and record who collected what and when.
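The evidence-preservation step above, written out as an added example (not code from the playbook): POSIX shell functions that collect volatile state in order of volatility, log every command with a UTC timestamp into a custody log, optionally dump RAM with LiME, and seal the directory with SHA-256 hashes so later tampering is detectable. It assumes a Linux VPS with coreutils and procps; the LiME module path and the evidence directory are assumptions, and the directory must be an attached evidence volume or remote mount, never the compromised root filesystem.

```sh
#!/bin/sh
# Evidence collection with a hashed chain-of-custody record (added example,
# not from the playbook). Assumes a Linux VPS with coreutils and procps.
# DIR must be an attached evidence volume or remote mount, never a directory
# on the compromised root filesystem: writing there overwrites freed blocks
# that a disk image could otherwise recover. LIME_KO is the path to a LiME
# module built for the running kernel (an assumption; build it elsewhere).

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# collect_cmd DIR NAME CMD...: save one tool's output and log what ran, when.
collect_cmd() {
    dir=$1; name=$2; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s  %s  skipped (%s not found)\n' "$(stamp)" "$name" "$1" >> "$dir/custody.log"
        return 0
    fi
    printf '%s  %s  $ %s\n' "$(stamp)" "$name" "$*" >> "$dir/custody.log"
    "$@" > "$dir/$name.txt" 2>&1 || true     # a failing tool must not stop collection
}

# collect_volatile DIR: most volatile first (sockets, processes, open files),
# then logins and disk metadata. If a rootkit is suspected, put statically
# linked copies of these tools on the evidence volume and run those instead.
collect_volatile() {
    dir=$1
    mkdir -p "$dir"
    printf 'host=%s operator=%s started=%s\n' "$(uname -n)" "${IR_OPERATOR:-unknown}" "$(stamp)" >> "$dir/custody.log"
    collect_cmd "$dir" date date -u
    collect_cmd "$dir" uptime uptime
    collect_cmd "$dir" sockets ss -tunap
    [ -s "$dir/sockets.txt" ] || collect_cmd "$dir" sockets netstat -tunap
    collect_cmd "$dir" procs ps auxf
    collect_cmd "$dir" openfiles lsof -nP
    collect_cmd "$dir" logins w
    collect_cmd "$dir" lastlog last -a
    collect_cmd "$dir" mounts mount
    collect_cmd "$dir" tmpdirs ls -la /tmp /var/tmp /dev/shm
}

# capture_memory LIME_KO DIR: dump RAM with LiME before anything else changes it.
capture_memory() {
    ko=$1; dir=$2
    [ -f "$ko" ] || { echo "LiME module not found: $ko" >&2; return 1; }
    printf '%s  memory  $ insmod %s path=%s/mem.lime format=lime\n' "$(stamp)" "$ko" "$dir" >> "$dir/custody.log"
    insmod "$ko" "path=$dir/mem.lime" "format=lime" && rmmod lime
}

# seal_evidence DIR: hash everything collected so later tampering is detectable;
# copy SHA256SUMS off the host (or sign it) as part of the custody record.
seal_evidence() {
    dir=$1
    printf 'sealed=%s\n' "$(stamp)" >> "$dir/custody.log"
    ( cd "$dir" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + | sort -k2 > SHA256SUMS )
}

# verify_evidence DIR: non-zero exit if any file no longer matches its hash.
verify_evidence() {
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS )
}
```

Typical order on a live host: capture_memory, then collect_volatile, then the provider snapshot or a dd image of the block device, then seal_evidence; verify_evidence is what the analyst runs before trusting a copy.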

7. Eradication

Identify and remove backdoors, rootkits, cron entries, SSH keys and web shells. Verify package-owned binaries against the package manager's checksums (debsums on Debian/Ubuntu, rpm -Va on RHEL-family systems), because a trojaned ps or ss hides exactly what you are looking for.

8. Recovery

Rebuild the VPS from scratch (preferred) and reinstall applications, or restore from a backup taken before the initial compromise; a backup taken after it silently restores the attacker's access.

9. Post‑Incident Activity

Root cause analysis, lessons learned, update security controls, improve monitoring.

10. Communication Plan

Notify affected users, management, legal (if data breach), law enforcement if required.

11. Backup Strategy During Incident

Do not destroy the compromised VPS until forensics are complete. Take a provider-side snapshot first, ideally before containment changes the system: it captures the disk from outside the compromised OS and is the image later analysis should run against.

12. Tools for Investigation

ss -tulpn (netstat -tulpn on older systems), ps auxf, lsof, rkhunter, chkrootkit, clamscan. Treat output from a compromised host with suspicion: a rootkit can patch these tools or the kernel, so where possible run statically linked copies from an evidence volume, or inspect a mounted snapshot instead.
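For the triage in step 3 and the tools listed here, the following added example (not part of the original playbook) shows three POSIX shell filters that read ps and ss output on standard input, so the same filter runs on the live host or over output saved as evidence. The process names, paths and the port allow-list are assumptions to adjust per host.

```sh
#!/bin/sh
# Triage filters over ps/ss output (added example, not from the playbook).
# Each function reads the tool's output on stdin, so the same filter runs
# on a live host ("ps -eo pid,user,etime,args | flag_procs") or over output
# saved during evidence collection. Process names and paths are assumptions.

# flag_procs: input is `ps -eo pid,user,etime,args`. Flags processes that run
# from volatile or world-writable paths, pose as kernel threads while owned
# by a non-root user (real kernel threads are always root), are well-known
# attacker tooling, or are reverse-shell one-liners.
flag_procs() {
    awk '
        NR == 1 { next }                                   # skip header
        {
            pid = $1; user = $2; args = ""
            for (i = 4; i <= NF; i++) args = args (i > 4 ? " " : "") $i
        }
        args ~ /^(\/tmp|\/dev\/shm|\/var\/tmp|\/run\/user)\// {
            print "path\t" pid "\t" user "\t" args; next }
        args ~ /^\[.*\]$/ && user != "root" {
            print "fake-kthread\t" pid "\t" user "\t" args; next }
        args ~ /(^|\/| )(nc|ncat|socat|xmrig|minerd|kinsing)( |$)/ {
            print "tooling\t" pid "\t" user "\t" args; next }
        args ~ /(bash|sh|python[0-9.]*|perl) +-[ce] +.*(\/dev\/tcp\/|base64|curl|wget)/ {
            print "oneliner\t" pid "\t" user "\t" args }
    '
}

# unexpected_listeners "PORT PORT ...": input is `ss -tulpn`. Prints every
# listening socket whose port is not in the allow-list (the host's expected
# services), with the owning process when ss could resolve it.
unexpected_listeners() {
    awk -v allowed=" $1 " '
        NR == 1 { next }
        {
            n = split($5, a, ":"); port = a[n]
            proc = (NF >= 7) ? $7 : "-"
            if (index(allowed, " " port " ") == 0) print $1 "\t" $5 "\t" proc
        }
    '
}

# deleted_exes [PROC]: processes whose executable was unlinked after start,
# the usual trace of a dropper that deleted itself. Live check only; needs
# root to read other users' /proc entries.
deleted_exes() {
    for exe in "${1:-/proc}"/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in *" (deleted)") printf '%s\t%s\n' "${exe%/exe}" "$target";; esac
    done
}
```

A hit from any of these is a lead, not a verdict: confirm through /proc/PID/exe, /proc/PID/cwd and the socket list before acting, and save the raw ps and ss output before filtering it.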

13. Analyzing Web Shells

Search for recently modified .php files (by ctime as well as mtime: touch -r forges the modification time but not the inode change time) and for eval(), base64_decode(), system() and similar calls fed from request parameters. Compare the document root against the deployed release (git status, package checksums) so that only unexplained files remain to be read.
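The web shell search described above, as an added example that is not part of the original playbook: POSIX shell functions that list PHP files changed within a window (by ctime or mtime), grep the document root for execution primitives, and tag the files that hit both signals for review first. It assumes GNU find and grep; the pattern list is an assumption to extend per application, and the sample files in the usage are constructed.

```sh
#!/bin/sh
# Web shell triage for a PHP document root (added example, not the playbook's
# own code). Assumes GNU find and grep. Two independent signals are combined
# because each alone is easy to evade: a recent inode change time (touch -r
# forges mtime, but ctime is set by the kernel and cannot be back-dated
# without moving the system clock) and code that executes request input.
# The pattern list is an assumption to extend per application.

EXEC_PATTERNS='(eval|assert|system|shell_exec|passthru|exec|popen|proc_open|base64_decode|gzinflate|gzuncompress|str_rot13) *\(|preg_replace *\([^)]*/e|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\] *\('

# recent_php WEBROOT MINUTES: PHP files whose ctime or mtime is within MINUTES.
recent_php() {
    root=$1; mins=$2
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) \
         \( -cmin "-$mins" -o -mmin "-$mins" \) 2>/dev/null | sort
}

# suspicious_php WEBROOT: path:line:text for every execution primitive found.
suspicious_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) \
         -exec grep -nHE "$EXEC_PATTERNS" {} + 2>/dev/null || true
}

# hunt_webshells WEBROOT [MINUTES]: tags each hit RECENT+PATTERN when the file
# also changed recently (default: last 24h); review those first, then diff the
# rest against the deployed release (git status, package checksums).
hunt_webshells() {
    root=$1; mins=${2:-1440}
    recent=$(recent_php "$root" "$mins")
    suspicious_php "$root" | while IFS= read -r hit; do
        path=${hit%%:*}
        if printf '%s\n' "$recent" | grep -qxF "$path"; then tag=RECENT+PATTERN; else tag=PATTERN; fi
        printf '%s\t%s\n' "$tag" "$hit"
    done | sort
}
```

Legitimate frameworks use base64_decode() and system() too, so PATTERN-only hits are expected noise; a file the deployment cannot account for, in an upload directory, with a recent ctime and an eval() of request data is the usual shape of a shell.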

14. Checking Persistence Mechanisms

Review cron (system tables, /etc/cron.d, per-user spools), systemd services and timers (including user units), startup scripts such as /etc/rc.local and /etc/profile.d, shell start-up files (.bashrc, .profile), /etc/ld.so.preload, and every .ssh/authorized_keys entry, matching each key to a known owner.

15. Hostxpeed Support During Incident

Contact support to obtain network flow data, block malicious IPs at edge, or take snapshot.

16. Legal and Compliance Considerations

Data breach notification deadlines apply: under GDPR the supervisory authority must be notified within 72 hours of becoming aware of a personal-data breach. Consult legal counsel early, before the clock has run.

17. Post‑Incident Monitoring

Intensify monitoring for the next 30 days and watch for re-compromise, which usually means a persistence mechanism or a credential was missed in steps 5 and 7.

18. Playbook Drills

Simulate a breach quarterly (a tabletop walkthrough or a staged compromise of a disposable VPS) to practise the response and to confirm that the containment and evidence commands still work on the current images.

19. Documentation

Keep an incident timeline with UTC timestamps, the actions taken and by whom, and the evidence chain of custody (who collected what, when, and the hash of each item).

20. Improvement Tracking

Create action items from post‑mortem and assign owners to close gaps.

Conclusion

Prepare a playbook before an incident happens. Practice it. The goal is rapid, coordinated response to minimise damage.