The "Trusted Network" is a Myth
If you are still operating under the assumption that your private LAN (eth1) is a safe zone, you are already compromised. The events of this springâspecifically the OpenSSL Heartbleed vulnerabilityâshould have been the final nail in the coffin for the "Castle and Moat" security philosophy.
For decades, sysadmins built hard outer shells (corporate firewalls) and soft, gooey centers (unencrypted internal networks). The theory was simple: once you're inside, you're trusted. In 2014, with sophisticated persistent threats and script kiddies scanning every IPv4 range in existence, that theory is negligence.
Enter the Zero-Trust Model. Coined by Forrester a few years back, itâs a concept that hasn't seen enough traction in the Linux community yet. The premise is brutal but necessary: Verify everything. Trust nothing. Not even the database server sitting on the same rack switch.
1. Host-Level Isolation: The End of "Allow All"
Many hosting providers in Norway and Europe sell you a "Private Network" feature. They claim it's secure. It's not. It's just a VLAN. If one neighbor on that VLAN gets their shell popped via a WordPress plugin exploit, they can sniff your unencrypted internal traffic.
On a proper KVM setup like CoolVDS, you have full kernel control. Use it. Every single interface needs a firewall policy. Drop everything by default.
The paranoid iptables configuration
Forget complex management GUIs. Get your hands dirty. Here is the baseline configuration we deploy on high-security nodes hosting sensitive data in Oslo:
# Flush existing rules
iptables -F
# Set default policies to DROP.
# If you screw this up via SSH, you are locked out. Be careful.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections (keep your SSH session alive)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH from SPECIFIC IPs only (e.g., your office VPN IP)
iptables -A INPUT -p tcp -s 85.x.x.x --dport 22 -j ACCEPT
# Log dropped packets (crucial for forensics)
iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: "
Pro Tip: When applying new firewall rules on a remote server, run a cron job that flushes the firewall every 5 minutes (iptables -F). If you lock yourself out, wait 5 minutes, and you're back in. Delete the cron job only when you verify the rules work.
2. Authentication: Passwords are Dead
If I see PasswordAuthentication yes in your sshd_config, I assume your server is part of a botnet. Brute force attacks against port 22 are constant. I've seen logs on a fresh CoolVDS instance show 4,000 login attempts within an hour of provisioning.
Zero-Trust means identity verification is absolute. We use 4096-bit RSA keys. Nothing less.
# Generate a strong key pair on your local machine
ssh-keygen -t rsa -b 4096 -o -a 100
Once your key is on the server, lock the door. Edit /etc/ssh/sshd_config:
Port 2222 # Security through obscurity isn't security, but it reduces log noise
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers deploy_user
For the truly paranoid, integrate Google Authenticator for 2FA on SSH login. It requires the libpam-google-authenticator package (available in the EPEL repo for CentOS 6).
3. Encryption Inside the Wire
In a Zero-Trust architecture, internal traffic must be encrypted. If your web server talks to your database over plain text TCP port 3306, you are failing. Even if it's on a "private" IP.
MySQL supports SSL. Enable it. Here is how you verify if your current MySQL instance supports SSL connections:
mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value |
+---------------+----------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/mysql/ca-cert.pem |
| ssl_cert | /etc/mysql/server-cert.pem |
| ssl_key | /etc/mysql/server-key.pem |
+---------------+----------------------------------+
You must generate these certificates and enforce REQUIRE SSL on your database users. Yes, there is a slight CPU overhead for the handshake. But with the modern Xeons we use at CoolVDS, the latency impact is negligibleâmeasured in microseconds, not milliseconds.
The Virtualization Factor: KVM vs. OpenVZ
You cannot build a secure fortress on a foundation of sand. This is where the choice of virtualization technology becomes a security decision, not just a pricing one.
Many budget VPS providers use OpenVZ (Container-based virtualization). In OpenVZ, all guests share the host's kernel. If a vulnerability is found in the kernel (like the recent CVE-2014-0196), an attacker can potentially escape their container and access your memory. That is a violation of Zero-Trust principles.
At CoolVDS, we strictly use KVM (Kernel-based Virtual Machine). Each VPS has its own isolated kernel. If your neighbor does something stupid and crashes their kernel, your instance keeps humming along. It provides the hardware-level isolation required for compliance with strict data standards, like those enforced by the Norwegian Data Protection Authority (Datatilsynet).
Summary: Trust No One
The era of the trusted perimeter ended years ago; we just didn't admit it until recently. By moving security controls to the data itselfâthrough host firewalls, strict encryption, and isolated KVM virtualizationâyou reduce your blast radius from "Total Disaster" to "Minor Incident."
Don't wait for the next Heartbleed to audit your stack.
Ready to lock down your infrastructure? Deploy a KVM-based, NVMe-accelerated instance in our Oslo datacenter. Launch your CoolVDS instance today.