Automating Compliance: Surviving the Datatilsynet Audit with Ansible and KVM
If you are still hand-editing /etc/ssh/sshd_config on your production servers, a breach is not a matter of if, but when. Heartbleed (CVE-2014-0160, a memory disclosure bug in OpenSSL's TLS heartbeat handling) and the newly published POODLE attack (CVE-2014-3566, a padding-oracle attack that works because clients can be pushed back down to SSLv3) have made one thing clear: the era of "configure it once and forget it" is dead. A baseline you cannot re-apply in minutes is a baseline you cannot patch in minutes.
In Norway, the stakes are higher. The Data Inspectorate (Datatilsynet) does not care that you were "too busy" to patch OpenSSL. Under the Personal Data Act of 2000 (personopplysningsloven), you are responsible for the integrity of your users' data. If you are hosting customer data on a VPS, you need a repeatable, auditable strategy that produces the same baseline every time you spin up a new instance.
I have seen too many sysadmins in Oslo lose their weekends hunting down rootkits because they relied on a "golden image" created six months ago. Images rot. Configuration management is the only cure.
The Compliance-as-Code Philosophy
Compliance is not a PDF binder sitting on your CTO's shelf. It is the living state of your infrastructure. We need to move from manual checklists to executable code. This ensures that every server you deploy matches a strict security baseline immediately.
We will use Ansible (version 1.7 at the time of writing) because it needs no agent on the managed host: it pushes over SSH and runs its modules with the Python interpreter that CentOS 7 and Ubuntu 14.04 already ship. You add no listening service at all, which keeps the attack surface on the CoolVDS instances minimal.
1. Hardening SSH Automatically
The first step in any Norwegian VPS deployment is locking down access. We want to disable root login, enforce key-based authentication and ban empty passwords. Here is the Ansible configuration for CentOS 7 and Ubuntu 14.04 LTS. Install your public key in the deploy user's ~/.ssh/authorized_keys before you run it: the play turns password logins off, so that key becomes the only way in.
```yaml
- hosts: all
  become: yes          # "sudo: yes" on Ansible 1.x
  tasks:
    - name: Secure SSH Configuration
      lineinfile:
        dest: /etc/ssh/sshd_config
        # "#?" also matches the commented-out default, so the directive is
        # replaced in place instead of being appended at the end of the file
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # sshd -t checks the candidate file; Ansible only installs it on exit 0
        validate: '/usr/sbin/sshd -t -f %s'
      with_items:
        - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no' }
        - { regexp: '^#?PermitEmptyPasswords', line: 'PermitEmptyPasswords no' }
        - { regexp: '^#?PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
        - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no' }
        - { regexp: '^#?X11Forwarding', line: 'X11Forwarding no' }
        - { regexp: '^#?MaxAuthTries', line: 'MaxAuthTries 3' }
        # Also rewrites any "Protocol 2,1" line, which is what disables SSHv1
        - { regexp: '^#?Protocol', line: 'Protocol 2' }
      notify: restart ssh
  handlers:
    # The service is "sshd" on CentOS 7 and "ssh" on Ubuntu 14.04
    - name: restart ssh
      service:
        name: "{{ 'sshd' if ansible_os_family == 'RedHat' else 'ssh' }}"
        state: restarted
```
Pro Tip: Always use the validate argument in Ansible when editing critical configs. Ansible writes the change to a temporary file, runs the validate command against it and only replaces /etc/ssh/sshd_config if that command exits 0. A syntax error therefore fails the task instead of landing on disk, and the restart handler never fires against a broken config. If you restart a broken config without validation, you are driving to the datacenter. Note what validate does not catch: a file that is syntactically perfect but disables password authentication before your key is installed. Keep your current session open and confirm a fresh login works before you close it.
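As an added example (not part of the original article), here is a checker you can run against a collected sshd_config to prove the baseline actually took effect. It applies sshd's own rules: the first occurrence of a keyword wins, and every directive after a Match line belongs to that block, which is exactly how a line appended at the end of the file by a configuration tool can silently lose or end up scoped to one user. The baseline values, the defaults table and the sample config are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Audit an sshd_config file against the hardening baseline.

sshd applies the FIRST value it reads for a keyword and ignores later
duplicates, and every directive after a "Match" line belongs to that block
until the next "Match". A hardened line appended at the end of the file can
therefore lose to an earlier, weaker one, or end up scoped to a single user.
This checker reproduces those rules before comparing against the baseline.
"""
import re
import sys

# Hardening baseline (assumed for this example; keywords are case-insensitive).
BASELINE = {
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "x11forwarding": "no",
    "maxauthtries": "3",
    "protocol": "2",
}

# Values sshd assumes when a keyword is absent from the file (OpenSSH 6.x).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "protocol": "2",
}

# "Keyword value" or "Keyword=value"; comments only count at line start.
DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)$")


def effective_config(text):
    """Return (global_conf, match_blocks) using sshd's first-wins rule."""
    global_conf, match_blocks = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {"criteria": value, "config": {}}
            match_blocks.append(current)
            continue
        target = global_conf if current is None else current["config"]
        target.setdefault(key, value)  # first occurrence wins
    return global_conf, match_blocks


def audit(text, baseline=BASELINE):
    """Return a list of (keyword, expected, actual, scope) findings."""
    global_conf, match_blocks = effective_config(text)
    findings = []
    for key, expected in baseline.items():
        actual = global_conf.get(key, DEFAULTS.get(key))
        if actual is None or actual.lower() != expected:
            findings.append((key, expected, actual, "global"))
    for block in match_blocks:
        for key, expected in baseline.items():
            actual = block["config"].get(key)
            if actual is not None and actual.lower() != expected:
                findings.append((key, expected, actual, "Match " + block["criteria"]))
    return findings


# Constructed sample: a CentOS 7 style file where someone added a Match block
# and a later tool run appended "PasswordAuthentication no" at the very end.
SAMPLE_CONFIG = """\
Protocol 2
X11Forwarding no
MaxAuthTries 3
PermitRootLogin without-password
PasswordAuthentication yes
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication yes
# Appended after the Match block, so sshd never applies it globally:
PasswordAuthentication no
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as fh:
        results = audit(fh.read())
    for key, expected, actual, scope in results:
        print("FAIL %-24s expected=%s actual=%s (%s)" % (key, expected, actual, scope))
    sys.exit(1 if results else 0)
```

Run it as `python3 sshd_audit.py /path/to/sshd_config`; a non-zero exit means drift, which makes it trivial to wire into a cron job or an Ansible `command` task with `failed_when`. On a live host `sshd -T` prints the effective global configuration and is the authoritative answer; this script is for auditing files you have collected off the box, and for spotting directives that sit inside a Match block where `sshd -T` without `-C` will not show them.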
2. The Firewall: IPsets and IPTables
DDoS attacks are becoming cheaper. While CoolVDS offers upstream DDoS protection, you must have local filtering. Don't turn a blocklist into thousands of individual rules: iptables walks a chain linearly, so every packet pays for every rule ahead of the one that matches it. Put the addresses in an ipset instead; a hash:net set costs one lookup per packet however many entries it holds.
Here is a bash script wrapper for a stateful firewall, designed to run on system boot. It covers IPv4 only: if the instance has an IPv6 address, mirror the policy with ip6tables or the whole ruleset is bypassed over v6. Persist the result (iptables-services on CentOS 7, iptables-persistent on Ubuntu) once you have confirmed you can still log in.
```bash
#!/bin/bash
# Stateful IPv4 firewall for a web host. Run once at boot, then persist with
# iptables-save (iptables-services on CentOS 7, iptables-persistent on Ubuntu).
set -e

# The blocklist lives in an ipset: one hash lookup per packet however many
# entries it holds. Create it (idempotently) before any rule references it and
# fill it from your feed with "ipset add blocklist <cidr>" or "ipset restore".
ipset create blocklist hash:net -exist

# Flush existing rules and user-defined chains in the filter table
iptables -F
iptables -X

# Default Policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Drop blocklisted sources first, before spending any more cycles on them
iptables -A INPUT -m set --match-set blocklist src -j DROP

# Allow established connections; drop packets that belong to no known connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# Block Null Packets (Reconnaissance)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Block XMAS Packets (Reconnaissance)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# SYN flood mitigation: SYNs above the rate are dropped, the rest RETURN to
# INPUT for normal per-port evaluation (an ACCEPT here would bypass the ports)
iptables -N SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 50/s --limit-burst 100 -j RETURN
iptables -A SYN_FLOOD -j DROP
iptables -A INPUT -p tcp --syn -j SYN_FLOOD

# SSH Access (rate-limit new connections per source to slow down brute force)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Web Traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Log dropped packets (Optional, careful with disk I/O)
# iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "
```
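Added example, not from the original article: if you enable the LOG rule, its output is a ready-made feed for the ipset blocklist. This script parses the kernel's iptables LOG lines, counts packets per external source that fell through to the final DROP (i.e. probes for ports you do not serve; SSH brute-force packets dropped by the `recent` rule never reach the LOG rule), and emits `ipset restore` input for repeat offenders. The set name `blocklist`, the threshold, the RFC 1918 exclusion list and the log lines are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Turn iptables LOG lines into an ipset blocklist feed.

Reads kernel log lines produced by the "IPTables-Dropped: " LOG rule, counts
dropped packets per external source (optionally for one destination port),
and prints "ipset restore" input for sources at or above a threshold.
"""
import ipaddress
import re
import sys
from collections import Counter

LOG_PREFIX = "IPTables-Dropped: "
KV_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE tokens; flags like SYN/DF have none

# Never blocklist our own networks or loopback, whatever the log says
# (assumed exclusion list for this example).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_drop(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    return dict(KV_RE.findall(line[idx + len(LOG_PREFIX):]))


def count_sources(lines, dport=None):
    """Count dropped packets per source address, skipping internal sources."""
    counts = Counter()
    for line in lines:
        fields = parse_drop(line)
        if not fields or "SRC" not in fields:
            continue
        if dport is not None and fields.get("DPT") != str(dport):
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except ValueError:
            continue
        if any(src in net for net in NEVER_BLOCK):
            continue
        counts[str(src)] += 1
    return counts


def ipset_restore_lines(counts, threshold, setname="blocklist"):
    """Build "ipset restore" input for every source at or above threshold."""
    out = ["create %s hash:net" % setname]
    for ip, n in sorted(counts.items()):
        if n >= threshold:
            out.append("add %s %s" % (setname, ip))
    return out


# Constructed sample log lines in the layout the kernel LOG target produces
# (documentation addresses, not real hosts).
def _sample_line(src, dpt):
    return ("Nov 12 03:14:07 web1 kernel: [  512.001] IPTables-Dropped: IN=eth0 OUT= "
            "MAC=52:54:00:12:34:56:aa:bb:cc:dd:ee:ff:08:00 SRC=%s DST=198.51.100.2 "
            "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40001 DPT=%d "
            "WINDOW=29200 RES=0x00 SYN URGP=0" % (src, dpt))

SAMPLE_LOG = [_sample_line("203.0.113.7", p) for p in (23, 3306, 445, 8080, 1433)] + [
    _sample_line("203.0.113.9", 23),       # one probe: stays below the threshold
    _sample_line("192.168.1.5", 3306),     # internal source: never blocklisted
    _sample_line("192.168.1.5", 23),
    "Nov 12 03:14:08 web1 sshd[1234]: Accepted publickey for deploy",  # unrelated
]

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/messages"
    with open(path) as fh:
        counts = count_sources(fh)
    print("\n".join(ipset_restore_lines(counts, threshold=3)))
```

Feed it straight into the set with `python3 drops_to_ipset.py /var/log/messages | ipset -exist restore`; the `-exist` flag keeps the run idempotent when the set and some entries already exist. Entries added this way are lost at reboot unless you also `ipset save` them, and a blocklist grows forever unless you expire it, so either rebuild it from a bounded log window or create the set with a `timeout`.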
3. File Integrity Monitoring with AIDE
To satisfy the logging and change-detection requirements that turn up in most audits, you need to know when system binaries or configuration files change. Tripwire is the classic choice, but AIDE (Advanced Intrusion Detection Environment) does the same job, is fully open source and ships in the stock CentOS 7 and Ubuntu 14.04 repositories.
Install it: yum install aide on CentOS, apt-get install aide on Ubuntu.
Configure /etc/aide.conf to monitor your web roots and binary directories, then initialize the database (the paths below are the CentOS 7 defaults):
aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Schedule a nightly check via cron (the binary is /usr/sbin/aide on CentOS and /usr/bin/aide on Ubuntu):
0 3 * * * /usr/sbin/aide --check | /bin/mail -s "AIDE Report $(hostname)" security@yourdomain.no
After every legitimate package update, run aide --update and move aide.db.new.gz into place, otherwise the next report is pure noise and you will stop reading it. Keep an off-host copy of aide.db.gz as well: an attacker with root can regenerate the database on the box, and the check is only as trustworthy as the baseline it compares against.
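An aide.conf fragment for the layout described above, added here as an example rather than taken from the original page. The rule names (BIN, CONF, WEB) and the /var/www paths are assumptions; the attribute letters are AIDE's own (p permissions, i inode, n link count, u uid, g gid, s size, m mtime, c ctime) and sha256 is available in the AIDE version CentOS 7 ships.

```text
# Where --check reads the baseline and where --init/--update write the new one
database=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz
gzip_dbout=yes

# Attribute groups: what counts as a "change" for each class of file
BIN  = p+i+n+u+g+s+m+c+sha256
CONF = p+i+n+u+g+s+m+c+sha256
WEB  = p+u+g+sha256

# Selection lines: a regex on the path and the rule to apply
/boot     BIN
/bin      BIN
/sbin     BIN
/usr/bin  BIN
/usr/sbin BIN
/lib      BIN
/lib64    BIN
/etc      CONF
/var/www  WEB

# Exclusions: volatile paths that would swamp every report
!/var/www/.*/cache
!/etc/mtab
!/etc/resolv.conf
```

Run `aide --config-check` (or simply `aide --init`) after editing to catch syntax errors, and add exclusions whenever a legitimate writer (log rotation, an application cache) keeps showing up in the nightly mail; a report nobody reads is not monitoring.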
The Hardware Reality: KVM vs. Containers
Automation is useless if the underlying virtualization is insecure. This is where the architecture of your hosting provider becomes a compliance issue.
Many budget providers use OpenVZ or other container-based technologies. In these environments every VPS instance shares the host kernel, so a single kernel bug that lets a process break out of its container (a local privilege escalation, for example) exposes every instance on the node at once. For strict data separation you need hardware-assisted virtualization, where each guest runs its own kernel.
| Feature | OpenVZ (Container) | CoolVDS (KVM) |
|---|---|---|
| Kernel Isolation | Shared Host Kernel | Dedicated Kernel |
| Swap Management | Unreliable / Burstable | Dedicated Partition |
| SELinux Support | Limited / Disabled | Full Support |
| Compliance Audit | Harder to verify | Clean separation |
At CoolVDS, we exclusively use KVM. This allows you to run your own kernel, load your own modules and enforce SELinux policies independent of the host node. The trust boundary moves from a kernel shared with every neighbour to the hypervisor (the KVM module and QEMU), a much narrower interface than the full system-call API a container exposes to its host. When you are storing Norwegian user data, that kernel-level isolation is your safety net.
Data Sovereignty and Latency
We are operating in a post-Snowden world. Trust in US-based Safe Harbor agreements is eroding fast. Hosting your data physically in Norway or the EEA is no longer just about performance; it is a legal safeguard.
Beyond the legalities, physics still wins. If your customers are in Oslo or Bergen, routing traffic through Frankfurt or London adds unnecessary milliseconds. CoolVDS infrastructure is peered directly at NIX (Norwegian Internet Exchange). We are seeing ping times as low as 2-3ms from major Norwegian ISPs. That low latency, combined with our pure SSD storage arrays, means your database queries aren't waiting on I/O or network hops.
Final Thoughts
Compliance isn't exciting, but downtime and data breaches are expensive. By using Ansible to enforce your configuration and hosting on isolated KVM instances, you build a fortress that is easy to manage.
Don't let manual configuration drift kill your security posture. Deploy a hardened CentOS 7 instance on CoolVDS today and sleep better knowing your architecture is solid.