Kill the Perimeter: Why "Trust But Verify" is Failed Logic
Let’s be honest with ourselves. If you are still relying solely on a perimeter firewall to keep your infrastructure safe, you are asking to be breached. The Target data breach late last year proved that once an attacker is inside the network, the "soft chewy center" of your LAN offers zero resistance. As systems administrators operating in 2014, we need to abandon the "Castle and Moat" mentality. The new standard is Zero Trust: assume the network is hostile, even if it's your own VLAN.
I've spent the last week auditing a client's setup who thought a single Cisco ASA at the edge was enough. It wasn't. We migrated them to a host-based security model where every single server treats its neighbor like a potential threat. Whether you are running a high-traffic e-commerce site on Magento or a complex backend for a mobile app, security must be granular. This guide cuts through the marketing fluff and shows you how to lock down a CentOS 6.5 or Ubuntu 14.04 LTS server using tools you already have.
The First Line of Defense: Strict IPTables
Forget hardware firewalls for a moment. If your server accepts connections on port 3306 (MySQL) from "anywhere" because you're lazy, you're doing it wrong. Zero Trust means a default policy of DROP. We only whitelist what is explicitly necessary. Here is the standard iptables configuration script I deploy on every new CoolVDS instance before it even goes into production.
# Flush existing rules
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
# Allow established sessions (keep your current SSH session alive!)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (Change 22 to your custom port)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow Web Traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Log dropped packets (crucial for debugging)
iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: "
# Save rules
service iptables save
service iptables restartThis configuration ensures that even if another server in the same rack is compromised, it cannot talk to your database or internal APIs unless you explicitly allow that specific IP address. On CoolVDS, where we offer high-performance VPS Norway hosting, we provide a clean slate KVM environment. Unlike OpenVZ containers used by budget hosts where kernel-level firewalling can be tricky, our KVM instances give you full control over Netfilter modules.
SSH Hardening: The Keys to the Kingdom
Passwords are dead. If you are still logging into your servers with a password, you are vulnerable to brute-force attacks which are currently flooding networks across Europe. We recently saw a botnet originating from Eastern Europe trying millions of password combinations against port 22. If you use keys, they waste their time.
Edit your /etc/ssh/sshd_config file immediately. We are disabling root login and enforcing key-based authentication.
# /etc/ssh/sshd_config
# Port 22 is default, consider moving it to reduce log noise
Port 22
# Protocol 2 only. Protocol 1 is broken.
Protocol 2
# Disable root login. Login as a user, then sudo up.
PermitRootLogin no
# Disable password auth completely
PasswordAuthentication no
ChallengeResponseAuthentication no
# Use PubKey
PubkeyAuthentication yes
# Whitelist specific users
AllowUsers deployer sysadmin
Pro Tip: For the truly paranoid, integrate Google Authenticator for Two-Factor Authentication (2FA) on SSH login. Install the libpam-google-authenticator package. It adds a second layer ensuring that even if your private key is stolen, the attacker still needs your phone. This is becoming a standard requirement for compliance with the Norwegian Data Protection Authority (Datatilsynet).
Database Isolation and Tunneling
In a Zero Trust model, your database port (3306 for MySQL or 5432 for PostgreSQL) should never be exposed to the public internet. Not even with a password. If your web server and database are on different nodes, use a private network interface (available on our managed hosting plans) or use an SSH tunnel.
Here is how to create a persistent tunnel so your web server can talk to the database securely, wrapping the traffic in encryption without complex VPN setups:
# Run this on your App Server
ssh -f -N -L 3306:127.0.0.1:3306 user@database-server-ip -i /path/to/keyThis binds the local port 3306 on your App Server to the remote database server. Your application config simply points to localhost. It's fast, encrypted, and completely invisible to port scanners.
The Hardware Factor: Why CoolVDS?
You can have the best security config in the world, but if your host overloads the node, your encryption overhead will kill your throughput. Zero Trust implies encryption everywhere—HTTPS, SSH tunnels, VPNs. This requires CPU cycles.
At CoolVDS, we don't oversell our cores. We use enterprise-grade hardware that handles the encryption overhead without sweating. Furthermore, we are rolling out NVMe storage (PCIe SSDs) on select nodes. While standard SSDs are great, NVMe reduces I/O latency drastically, ensuring that your logs (which you should be writing aggressively for security auditing) don't become a bottleneck.
Comparison: Encryption Impact on Latency
| Storage Type | Unencrypted Write | Encrypted Write (LUKS) |
|---|---|---|
| Standard HDD (7.2k RPM) | 80 MB/s | 45 MB/s |
| Standard SSD (SATA) | 450 MB/s | 380 MB/s |
| CoolVDS NVMe/PCIe | 1200+ MB/s | 1050+ MB/s |
When you are logging every dropped packet and encrypting data at rest (crucial for complying with EU Data Protection Directive requirements), you need that I/O headroom.
Conclusion
The days of setting up a firewall and forgetting it are over. In 2014, security is an active, layered process. By locking down iptables, enforcing SSH keys, and utilizing tunneling, you create an environment where a breach in one area doesn't guarantee total system compromise.
Don't let legacy infrastructure dictate your security posture. We built CoolVDS to provide the low latency and raw compute power required for modern, hardened systems. Our data centers in Oslo connect directly to the Norwegian Internet Exchange (NIX), ensuring your traffic stays local and fast.
Ready to harden your stack? Deploy a KVM instance on CoolVDS today and get full root access to build your fortress.