Perimeter Security is Dead: Building a Zero-Trust Architecture on Linux VPS
Letβs be honest. The traditional "castle-and-moat" security strategy is a failure. We saw it with the massive Sony Pictures breach last year. We saw it again with Anthem a few months ago. The moment an attacker breaches your firewall, they have free reign over your soft, unencrypted internal network.
If you are still operating under the assumption that your LAN is a trusted zone, you are already compromised. You just haven't checked the logs yet.
Enter the Zero-Trust model. Itβs a concept gaining traction after Google published their "BeyondCorp" research late last year. The premise is brutal but necessary: Trust no one. Verify everything. Even if the request comes from 192.168.0.x.
In this guide, we aren't talking about expensive enterprise appliances. Iβm going to show you how to build a Zero-Trust environment right now using standard tools available on any CoolVDS KVM instance running CentOS 7 or Ubuntu 14.04.
1. The Philosophy: "Inside" is the new "Outside"
In a typical setup, you lock down port 22 and 80/443 on the public interface, but leave your database ports (3306, 5432) or Memcached (11211) wide open on the private interface. This is suicide.
In a Zero-Trust architecture implemented on a VPS, every single interface is treated as hostile. Authentication is mutual. Encryption is mandatory, even for packets traveling two feet across a datacenter rack in Oslo.
2. Hardening the Node: Tables & Keys
First, kill password authentication. Passwords are for users, not for systems. If you haven't deployed SSH keys yet, stop reading and generate them.
Next, we configure the firewall. On CentOS 7, firewalld is the new default, but many of us still prefer the raw control of iptables. Here is a Zero-Trust compliant ruleset. Notice that we don't just ACCEPT everything on eth1 (private network).
# Flush existing rules
iptables -F
# Default Policy: DROP everything.
# If it's not explicitly allowed, it dies.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback (essential for local processes)
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections (so you don't lock yourself out)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH: Only from specific management IPs (VPN or Office Static IP)
iptables -A INPUT -p tcp -s 123.45.67.89 --dport 22 -j ACCEPT
# Web traffic (Public)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Database: Explicitly allow APP SERVER IP only.
# Do not allow the whole subnet.
iptables -A INPUT -p tcp -s 10.0.0.5 --dport 3306 -j ACCEPT
Pro Tip: Never apply firewall rules blindly. Run a scheduled cron job that flushes iptables every 10 minutes (iptables -F) before you apply new rules. If you lock yourself out, the cron job will save you. Once confirmed working, disable the cron.
3. Encryption on the Wire
A common mistake in VPS hosting is terminating SSL at the load balancer (Nginx/HAProxy) and sending plain HTTP to the backend application servers. In a Zero-Trust model, this is unacceptable. If an intruder taps the private network, they capture session cookies and data.
You must configure your backend application servers to accept SSL as well. Yes, it adds a few milliseconds of CPU overhead. On modern hardware, like the Xeon E5s we use at CoolVDS, this overhead is negligible.
MySQL over SSL:
By default, MySQL replication and client connections are unencrypted. Enable SSL in your my.cnf:
[mysqld]
ssl-ca=/etc/mysql/certs/ca-cert.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
Force the application user to require SSL:
GRANT ALL PRIVILEGES ON app_db.* TO 'app_user'@'10.0.0.5' IDENTIFIED BY 'password' REQUIRE SSL;4. Two-Factor Authentication (2FA) for SSH
Keys can be stolen. Laptops get lost. Adding a second factor to your SSH login is the final barrier. In 2015, the easiest way to do this is libpam-google-authenticator.
On Ubuntu 14.04:
sudo apt-get install libpam-google-authenticator
google-authenticatorThen edit /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactiveNow, even if an attacker has your private key, they cannot enter without the code from your phone. This effectively neutralizes the threat of compromised workstations.
5. Why Infrastructure Choice Matters
You cannot build a secure house on a swamp. Shared hosting or container-based virtualization (like OpenVZ) often exposes you to "noisy neighbor" kernel exploits. If the kernel is shared, the isolation is theoretical, not physical.
This is why CoolVDS exclusively uses KVM (Kernel-based Virtual Machine) virtualization. Each instance has its own kernel, its own memory space, and total isolation. It allows you to load your own kernel modules for security (like SELinux or Grsecurity) which is impossible on legacy container VPS platforms.
Data Sovereignty and The "Patriot Act" Problem
We need to address the elephant in the room: Data privacy. Since the Snowden leaks, we know that data hosted on US-owned infrastructure is subject to the US Patriot Act, regardless of where the server is physically located.
Hosting in Norway offers a distinct legal advantage. We operate under the Norwegian Personal Data Act (Personopplysningsloven). The Datatilsynet (Data Protection Authority) here is notoriously strict. By keeping your data on CoolVDS servers in Oslo, you add a layer of legal protection that physically separates your data from foreign jurisdiction.
Summary
Zero-Trust isn't a product you buy; it's a discipline. It requires more work. You have to manage certificates, maintain strict firewall tables, and rotate keys.
But the alternative is waking up to a database dump of your customers pasted on Pastebin. Efficiency is important, but security is absolute. Don't rely on the perimeter. Hardening starts at the kernel level.
Ready to lock down your infrastructure? Deploy a KVM instance on CoolVDS today. You get full root access, low latency to the NIX (Norwegian Internet Exchange), and the isolation you need to build a fortress.