Beyond the Firewall: Why "Trust but Verify" is Killing Your Servers
There is a dangerous misconception pervading the hosting industry right now. It is the idea that once a packet passes your perimeter firewall—whether it's a Cisco ASA at the edge or a cloud security group—it is suddenly "safe." This "hard shell, soft center" approach is exactly how large enterprises are getting compromised in 2013. We are seeing a paradigm shift, championed by groups like the Jericho Forum, moving toward De-perimeterization. Some are calling it the "Zero Trust" model.
As a systems architect who has spent the last decade debugging compromised clusters, I can tell you: your LAN is a war zone. If you are running a high-performance stack for a Norwegian e-commerce site or a SaaS platform, you cannot afford to trust 192.168.x.x any more than you trust the public internet. If one web node is breached via a zero-day in Apache, an attacker shouldn't have an open road to your database.
Here is how we lock down a Linux infrastructure in 2013, assuming every connection is hostile until proven otherwise.
1. The Death of "Root" and Password Auth
It is January 2013. If you are still logging in as root or using passwords for SSH, you are already owned. Brute force botnets are scanning IP ranges in Oslo and across Europe continuously. The first step in a Zero Trust architecture is Identity Assurance.
You need to enforce 4096-bit RSA keys and disable password authentication entirely. Furthermore, with the rise of smartphones, we should be looking at Two-Factor Authentication (2FA) for SSH. Google Authenticator is an excellent PAM module for this.
Configuration: Hardening SSH
Edit your /etc/ssh/sshd_config to ensure the following directives are set. This prevents the "low hanging fruit" attacks immediately.
# /etc/ssh/sshd_config
# Protocol 2 is mandatory. Never use Protocol 1.
Protocol 2
# Disable root login. Login as a user, then use sudo.
PermitRootLogin no
# Disable password auth. Keys only.
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# Use strict modes to check file permissions
StrictModes yes
# Allow only specific users
AllowUsers sysadmin deployer
Pro Tip: Always generate your keys with a passphrase. If your laptop is stolen, an unencrypted private key is a master key to your infrastructure. Use ssh-keygen -t rsa -b 4096 for sufficient entropy.
2. Micro-Segmentation with IPTables
Many SysAdmins disable iptables or ufw on internal nodes because "it's just too complicated" to manage. This is laziness, and it is fatal. In a Zero Trust environment, every server is its own perimeter.
If you have a Web Server (Node A) and a Database Server (Node B), Node B should only accept traffic on port 3306 from Node A's specific IP. It should drop everything else. This limits the blast radius if Node A is compromised.
Here is a battle-tested iptables script for a dedicated database server running on CentOS 6 or Debian 7. It drops everything by default—the only sane policy.
#!/bin/bash
# Flush existing rules
iptables -F
# Set default policies to DROP.
# If we don't explicitly allow it, it dies here.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback (essential for local services)
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections (so the server can reply)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH from your Management IP ONLY (Replace x.x.x.x)
iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT
# Allow MySQL only from the Web App Private IP (Replace 10.10.0.5)
iptables -A INPUT -p tcp -s 10.10.0.5 --dport 3306 -j ACCEPT
# Log dropped packets (Optional, be careful with disk I/O)
# iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: "
# Save rules
# On RHEL/CentOS: service iptables save
# On Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4
3. Encrypting the "Soft Chewy Center"
Standard practice has been to terminate SSL at the load balancer (like HAProxy or Nginx) and talk cleartext HTTP or unencrypted MySQL to the backend. This assumes no one is sniffing your VLAN. In a shared hosting environment or even a VPS cloud, can you guarantee that?
With CPU power becoming cheaper (especially with the sandy bridge/ivy bridge Xeons we use at CoolVDS), the overhead of internal SSL is negligible. You should configure MySQL to require SSL for replication and application connections.
Securing MySQL 5.5
First, generate your certs. Then, add this to your my.cnf:
[mysqld]
ssl-ca=/etc/mysql/certs/ca-cert.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
# Force SSL for specific users
# GRANT ALL PRIVILEGES ON app_db.* TO 'app_user'@'10.10.0.5' REQUIRE SSL;
4. The Importance of True Virtualization (KVM vs OpenVZ)
Security is not just software; it's architecture. This is why we at CoolVDS have standardized on KVM (Kernel-based Virtual Machine) rather than container-based solutions like OpenVZ for our premium tiers.
In container virtualization (OpenVZ), all VPS instances share the same host kernel. If a vulnerability is found in the kernel (and 2012 saw several local root exploits), an attacker on a neighboring VPS could theoretically escape their container and access your memory space. KVM provides hardware-level virtualization. Your kernel is yours. This isolation is a critical component of a Zero Trust strategy.
Furthermore, because we control our hardware in Oslo, we ensure no resource stealing happens. When you deploy a KVM instance with us, you get dedicated resources, ensuring that a DDoS attack on a neighbor doesn't tank your I/O latency.
5. Compliance: The Norwegian Context
Operating in Norway brings specific legal obligations. Under the Personal Data Act (Personopplysningsloven) and the EU Data Protection Directive (95/46/EC), you are the data controller. If you store customer data on a VPS, you must ensure appropriate technical measures are in place to prevent unauthorized access.
The Data Inspectorate (Datatilsynet) is clear: security must be proportional to the sensitivity of the data. Implementing the strict access controls and encryption methods detailed above is not just "good practice"—it is often a legal necessity when handling sensitive personal information of Norwegian citizens. By hosting with CoolVDS, you ensure your data remains within Norwegian jurisdiction, simplifying your compliance posture compared to hosting with US-based giants subject to the PATRIOT Act.
Final Thoughts
Security is a process, not a product. You cannot simply buy a firewall and relax. It requires constant vigilance, regular patching of your CentOS or Debian systems, and a mindset that assumes the network is compromised.
If you are ready to build a serious, secure infrastructure with low latency to the Nordic market, you need a foundation that respects these principles. CoolVDS offers the pure SSD performance and strict KVM isolation you need to implement a Zero Trust architecture effectively.
Don't leave your backend exposed. Deploy a hardened KVM VPS on CoolVDS today and lock the door properly.