The Era of Manual Hardening is Over
It is April 2017. We are staring down the barrel of the General Data Protection Regulation (GDPR), enforceable from 25 May 2018. If you are still manually editing /etc/ssh/sshd_config on your production servers, you are not just inefficient; you are a compliance liability waiting to explode. I recently consulted for a fintech startup in Oslo that failed a preliminary audit because one developer left a debug port open on a secondary node. That single mistake nearly cost them their Series B funding.
As a CTO, my job isn't just code; it's risk mitigation. Since the Court of Justice of the EU struck down Safe Harbor in 2015, and with its replacement, the Privacy Shield framework, already under legal challenge, data residency is no longer a buzzword: every transfer of personal data outside the EEA needs a documented legal basis, and each of the available ones is under scrutiny. Placing data outside the EEA is becoming a headache that requires expensive legal counsel. This is why we are seeing workloads repatriated to Norwegian soil.
But geography alone doesn't save you. You need a rigorous, automated defense strategy. Here is how we build compliant infrastructure on CoolVDS using Ansible and OpenSCAP, ensuring that every single node meets the Norwegian Data Protection Authority (Datatilsynet) standards from the moment it boots.
The Architecture of Trust: KVM vs. Containers
Before we touch code, we must address the substrate. For compliance-heavy workloads, I refuse to use container-based virtualization (like OpenVZ/LXC) for the host layer. Shared kernels introduce a vector for escape vulnerabilities that auditors hate.
Pro Tip: Always verify your virtualization type. Run virt-what (or systemd-detect-virt on a systemd host): a KVM guest reports "kvm", while an OpenVZ container reports "openvz" and exposes /proc/vz. Do not rely on the vmx/svm flags in /proc/cpuinfo. A KVM guest normally hides them (you see the "hypervisor" flag instead, unless nested virtualization is enabled), whereas a container shows the host CPU's flags, so their presence proves nothing about isolation. If you are in a container you share a kernel, and usually contend for resources, with your neighbors.
We deploy strictly on KVM (Kernel-based Virtual Machine) instances. CoolVDS provides true hardware virtualization, so the guest runs its own kernel: we can load the modules we need (dm-crypt, for instance), tune every sysctl key, and disable subsystems such as IPv6 where they have not been vetted, without asking the hosting provider for permission. That boundary is also what you document for PCI DSS and for the "appropriate technical and organisational measures" GDPR Article 32 demands; a shared kernel is a much harder isolation story to defend in front of an auditor.
Step 1: Infrastructure as Code (Ansible Hardening)
We use Ansible (v2.2) to enforce state. A server should never exist outside of our inventory definition. Below is a snippet of our standard hardening role. This ensures that even if a junior dev spins up a new instance, it is locked down immediately.
This playbook disables root login, turns off password authentication (keys only), pins protocol 2, caps per-connection authentication attempts, and disables X11 forwarding. Two caveats: push your SSH public keys to every host before this role runs, or the next login fails; and MaxAuthTries only slows a brute-force attacker, who can simply reconnect, so pair it with fail2ban or a firewall rate limit on port 22.
---
- name: Harden SSH Configuration
  hosts: all
  become: yes
  tasks:
    - name: Secure sshd_config
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # sshd -t checks the temp file before Ansible swaps it into place,
        # so a typo never leaves you with a non-starting sshd.
        validate: 'sshd -t -f %s'
      with_items:
        - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
        - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
        - { regexp: '^Protocol', line: 'Protocol 2' }
        - { regexp: '^MaxAuthTries', line: 'MaxAuthTries 3' }
        - { regexp: '^X11Forwarding', line: 'X11Forwarding no' }
      # Note: the regexps match only active (uncommented) lines. If the distro
      # default is commented out, lineinfile appends the option at the END of
      # the file; if the file ends with a Match block, the appended line is
      # scoped to that block, not global. Verify with: sshd -T | grep -i <option>
      notify: restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd    # Debian/Ubuntu name the unit "ssh"; sshd works there only as a systemd alias
        state: restarted
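Because sshd takes the first occurrence of an option and treats everything after a Match line as conditional, a lineinfile edit can look successful and still change nothing. The checker below is an added example, not part of the original article or the Ansible role above; it parses an sshd_config the way sshd does (first occurrence wins, Match ends the global section, options are case-insensitive) and reports which of the playbook's settings are not actually in force. The sample configuration is constructed for the example. On a live host, sshd -T remains the authoritative view; this is for offline audits of files collected from many nodes.

```python
"""Check that an sshd_config actually enforces the hardening rules, the way sshd reads it.

Added example (not the article's or the role's code). Models two sshd parsing rules that
lineinfile-based edits can silently violate:
  1. the FIRST occurrence of an option wins, so a stale active line beats a later one;
  2. anything after a 'Match' line is conditional, so an option appended to the end of a
     file that ends in a Match block is not a global setting at all.
"""
import re

# Expected global values; mirrors the playbook's five settings.
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "protocol": "2",
    "maxauthtries": "3",
    "x11forwarding": "no",
}

# Constructed sample: a commented distro default, a stale active line, and an
# appended "fix" that lands inside a trailing Match block and never takes effect.
SAMPLE_CONFIG = """\
# Sample sshd_config (constructed for this example)
#PermitRootLogin yes
PasswordAuthentication yes
Protocol 2
X11Forwarding no
MaxAuthTries 6
Match User deploy
    PasswordAuthentication no
PermitRootLogin no
"""


def effective_global_options(text):
    """Return {option: value} for the global section, first occurrence wins.

    Options are case-insensitive in sshd; 'key value' and 'key=value' are both accepted.
    Lines after the first 'Match' are skipped because they are conditional.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below is conditional, not global
        if key not in options and len(parts) == 2:
            options[key] = parts[1].strip()
    return options


def check_hardening(text, required=REQUIRED):
    """Return a sorted list of (option, expected, actual) for every rule not in force.

    'actual' is None when the option is absent from the global section (sshd then
    applies its compiled-in default, which for PermitRootLogin is not 'no' on most builds).
    """
    actual = effective_global_options(text)
    failures = []
    for key, expected in required.items():
        got = actual.get(key)
        if got is None or got.lower() != expected:
            failures.append((key, expected, got))
    return sorted(failures)


if __name__ == "__main__":
    for opt, want, got in check_hardening(SAMPLE_CONFIG):
        print(f"FAIL {opt}: expected {want!r}, effective global value is {got!r}")
```

Run it against the sample and it flags three of the five settings: MaxAuthTries is still 6, PasswordAuthentication is still yes, and PermitRootLogin is unset globally because the appended line sits inside the Match block. Feed it files gathered with ansible -m fetch and you have a cheap pre-audit across the fleet.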
Step 2: Network Layer Defense
Firewalls are not optional. While CoolVDS offers network-level DDoS protection (which is vital given the rise in NTP reflection attacks we saw last year), host-level filtering is your last line of defense. We utilize iptables-persistent on Debian/Ubuntu or firewalld on CentOS 7.
However, kernel parameters are often overlooked. The settings below do not stop a man-in-the-middle on their own, but they close the classic tricks used to get there: spoofed source addresses, source-routed packets, and amplification via broadcast pings. They live in /etc/sysctl.conf.
# /etc/sysctl.conf - Network Hardening
# IP spoofing protection: strict reverse-path check (use 2 for loose mode on multi-homed hosts)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Refuse source-routed packets (the sender must not dictate the path)
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Log packets with impossible source addresses (martians) so spoofing attempts show up in the logs
net.ipv4.conf.all.log_martians = 1
# SYN flood protection: fall back to SYN cookies when the listen backlog fills
net.ipv4.tcp_syncookies = 1
Apply these with sysctl -p (or sysctl --system if you drop fragments into /etc/sysctl.d/, which is what systemd also reads at boot) and confirm with sysctl -a that each key took. If you are on a shared-kernel VPS (OpenVZ/LXC, not CoolVDS), several of these keys are absent or read-only inside the container because the network stack belongs to the host kernel. A setting you cannot prove is a finding, not a pass, and that is an audit failure waiting to happen.
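An auditor wants evidence that the live kernel matches the file, not the file itself. The script below is an added example (not from the original article): it parses a sysctl.conf fragment, maps each key to its /proc/sys path the way sysctl does, reads the live value, and reports drift, treating an absent key (the shared-kernel case) as a finding rather than a pass. The fragment is a constructed copy of the settings above; the reader argument exists so the comparison logic can be exercised against a fake kernel view.

```python
"""Audit live kernel parameters against a sysctl.conf fragment.

Added example, not part of the original article. Reads /proc/sys directly so it needs no
privileges beyond read access; run it as a cron job and ship the exit status to monitoring.
"""
import os

# Constructed copy of the fragment above so the example is self-contained.
SYSCTL_CONF = """\
# IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
"""


def parse_sysctl_conf(text):
    """Return {key: value} from sysctl.conf text, ignoring blanks and '#'/';' comments."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            continue  # malformed line; sysctl itself warns and skips it
        key, value = (part.strip() for part in line.split("=", 1))
        expected[key] = value
    return expected


def proc_path(key):
    """net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies (sysctl's own mapping).

    Interface names containing dots (VLAN devices such as eth0.100) need sysctl's
    slash notation in the key and are not handled here.
    """
    return os.path.join("/proc/sys", *key.split("."))


def read_live(key):
    """Live value as a string, or None if the kernel does not expose the key (e.g. inside a container)."""
    try:
        with open(proc_path(key)) as fh:
            return fh.read().strip()
    except OSError:
        return None


def audit(expected, reader=read_live):
    """Return [(key, expected, live)] for every key whose live value differs or is absent (live=None)."""
    drift = []
    for key, want in expected.items():
        live = reader(key)
        if live != want:
            drift.append((key, want, live))
    return drift


if __name__ == "__main__":
    findings = audit(parse_sysctl_conf(SYSCTL_CONF))
    for key, want, live in findings:
        state = "ABSENT (shared kernel?)" if live is None else f"live={live}"
        print(f"DRIFT {key}: expected {want}, {state}")
    raise SystemExit(1 if findings else 0)
```

Passing reader=some_dict.get turns the audit into a pure comparison, which is how the expected behaviour is checked below; on a real node the default reader hits /proc/sys.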
Step 3: Continuous Auditing with OpenSCAP
How do you prove to an auditor that your infrastructure is secure? You don't show them config files; you show them a report. We use the OpenSCAP ecosystem to scan our RHEL/CentOS systems against the DISA STIG or PCI-DSS profiles.
First, install the scanner:
yum install openscap-scanner scap-security-guide
Then, run a scan against the PCI-DSS profile (as root, since many checks read protected files). A full scan pegs a core for several minutes, so schedule it off-peak or on a node with dedicated CPU allocation, as CoolVDS provides, to keep jitter out of production. Never write the output into a web root: the report is an itemised list of your unfixed weaknesses. Keep it root-readable and deliver it to the auditor over an authenticated channel.
mkdir -m 0700 -p /var/log/oscap
oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_pci-dss \
  --results /var/log/oscap/scan-results.xml \
  --report /var/log/oscap/scan-report.html \
  /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
The HTML report lists every rule with its result, severity and remediation text, from file permissions to password-complexity policy; the XML results file is the machine-readable twin you feed to tooling. oscap's exit status is 0 when every selected rule passed, 2 when at least one rule failed and 1 on a scanner error, which makes it trivial to gate a pipeline. The report is the document you hand to your compliance officer; keep a dated copy per node as evidence of continuous scanning.
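Nobody should have to open 200 HTML reports to know whether the fleet passed. The summariser below is an added example, not part of the original article or of OpenSCAP; it walks the rule-result elements of an XCCDF 1.2 results file (the layout the scap-security-guide datastreams produce), tallies results per severity, lists the failing rule ids, and exposes a pass/fail gate for CI. The results document embedded here is constructed; its rule ids follow the SSG naming scheme but were chosen for illustration.

```python
"""Summarise an XCCDF results file from `oscap xccdf eval --results`.

Added example (not the article's or OpenSCAP's code). Real results files embed the whole
Benchmark plus a TestResult; root.iter() finds rule-result elements wherever they sit.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
# Results an auditor counts as non-compliant. 'notapplicable', 'notselected',
# 'notchecked' and 'informational' are deliberately excluded from the score.
FAILING = {"fail", "error", "unknown"}

# Constructed minimal results document for the example.
SAMPLE_RESULTS = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_CENTOS-7">
  <TestResult id="xccdf_org.open-scap_testresult_pci-dss">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="high">
      <result>notselected</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def rule_results(xml_text):
    """Yield (rule_id, severity, result) for each rule-result in the document."""
    root = ET.fromstring(xml_text)
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.find(f"{{{XCCDF_NS}}}result")
        yield (
            rr.get("idref", ""),
            rr.get("severity", "unknown"),
            result.text.strip() if result is not None and result.text else "unknown",
        )


def summarise(xml_text):
    """Return {'counts': Counter keyed by (severity, result), 'failed': sorted failing rule ids}."""
    counts = Counter()
    failed = []
    for rule_id, severity, result in rule_results(xml_text):
        counts[(severity, result)] += 1
        if result in FAILING:
            failed.append(rule_id)
    return {"counts": counts, "failed": sorted(failed)}


def compliance_gate(xml_text, max_failed=0):
    """True if the number of failing rules is within the agreed tolerance (default: none)."""
    return len(summarise(xml_text)["failed"]) <= max_failed


if __name__ == "__main__":
    report = summarise(SAMPLE_RESULTS)
    for (severity, result), n in sorted(report["counts"].items()):
        print(f"{severity:8} {result:14} {n}")
    for rule_id in report["failed"]:
        print("FAILED", rule_id)
    raise SystemExit(0 if compliance_gate(SAMPLE_RESULTS) else 2)
```

Point it at /var/log/oscap/scan-results.xml from the command above and use its exit status the same way you would oscap's own: zero means the node is clean, non-zero blocks the deploy. The max_failed knob is there for the risk-accepted exceptions your compliance officer has signed off on, not as a way to hide red rows.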
The Storage Bottleneck: Encryption Overhead
Compliance often mandates encryption of data at rest; on Linux that usually means LUKS (dm-crypt) under the filesystem. With AES-NI the cipher itself is cheap; what hurts is the extra I/O work and latency per block, which dominates on spinning disks. On legacy spinning-rust (HDD) VPS, turning on full-disk encryption can tank your database performance by 30-40%. This is unacceptable for high-load Magento or MySQL setups.
| Storage Type | LUKS Decrypt Latency | IOPS Impact |
|---|---|---|
| Standard HDD VPS | ~12ms | High (Bad) |
| SATA SSD | ~2ms | Moderate |
| CoolVDS NVMe | <0.5ms | Negligible |
We migrated our encrypted database clusters to CoolVDS specifically for the NVMe storage: AES-NI takes the cipher work off the critical path and NVMe absorbs the extra I/O, so the application layer never notices. Verify both preconditions on the actual node before you commit: grep -m1 -o aes /proc/cpuinfo should print aes, and cryptsetup benchmark should show aes-xts 256b throughput in the GB/s range. If the CPU flag is missing, the numbers drop to a few hundred MB/s and the encryption overhead becomes a CPU problem that no disk can fix.
Conclusion: Sovereignty is Strategy
The regulatory landscape in Europe is shifting. Relying on US-based giants is becoming a calculated risk that many Norwegian CTOs are no longer willing to take. By combining local, high-performance infrastructure with automated hardening via Ansible and OpenSCAP, you build a fortress that is both performant and compliant.
Do not wait for May 2018 to panic. Start building your compliance automation today. If you need a sandbox that respects your need for kernel-level control and low-latency IO, spin up a CoolVDS instance. It is the solid foundation your compliance strategy needs.