The Castle Moat is Dry: Why Perimeter Security Fails
If you are still relying solely on a hardware firewall at the edge of your network to keep your servers safe, you are already compromised; you just don't know it yet. The old school mentality—"hard shell, soft center"—is a relic. In 2013, threats don't just come from the outside; they come from a compromised WordPress plugin on your web server trying to sniff packets from your database server on the same LAN.
Enter the Zero Trust model. Originally outlined by Forrester Research a few years back, the concept is brutal but necessary: never trust, always verify. It doesn't matter if the traffic is coming from a Chinese botnet or the server sitting next to you in the rack at the NIX (Norwegian Internet Exchange). Treat all traffic as hostile.
Most hosting providers in Europe sell you a VPS and dump you into a shared VLAN with hundreds of other customers. If one neighbor gets infected, ARP spoofing or sniffing can expose your data. This is why at CoolVDS, we prioritize KVM isolation and private networking features, but technology alone doesn't fix bad policy. Here is how to lock down your infrastructure today.
1. The Host-Based Firewall: iptables is Mandatory
Many sysadmins disable iptables because it's "too complex" or interferes with debugging. This is negligence. In a Zero Trust architecture, every single server is its own perimeter. You cannot rely on an external firewall to save you.
On a CentOS 6 or Debian 6 system, your default policy for INPUT should always be DROP. You only open what is absolutely necessary. Here is a battle-tested configuration script that secures a standard web node while allowing management access.
# Flush existing rules
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback access (vital for local processes)
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections (keep your SSH session alive!)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH - LIMIT to your office IP if possible, otherwise rate limit it
# CoolVDS Pro Tip: Use a VPN IP here for true stealth
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Web Traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Log dropped packets (careful with disk I/O on busy servers)
iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: "
This configuration ensures that even if the VLAN is noisy, your server ignores everything that isn't explicitly invited. Save this to /etc/sysconfig/iptables (RHEL/CentOS) or use iptables-save (Debian).
2. Death to Passwords: SSH Hardening
In 2013, using a password for root access is professional suicide. Brute force attacks are constant. We see logs on our CoolVDS nodes showing thousands of attempts per hour from global botnets. The only acceptable authentication method is RSA keys, preferably 4096-bit.
First, generate a strong key pair on your local machine:
ssh-keygen -t rsa -b 4096 -C "admin@coolvds-workstation"Once the public key is on the server, edit /etc/ssh/sshd_config. We are going to lock this down tight. No root login, no passwords, strictly protocol 2.
# /etc/ssh/sshd_config
# Network Protocol
Protocol 2
# Disallow root login directly
PermitRootLogin no
# Disable password auth completely
PasswordAuthentication no
UsePAM no
ChallengeResponseAuthentication no
# Whitelist users
AllowUsers cooling_admin
# Change default port to reduce log noise (Security through obscurity, but helpful)
Port 2202Restart the service with service sshd restart. Now, the only way into your server is possessing the private key. Even if an attacker compromises a password database elsewhere, they cannot enter your infrastructure.
3. Encrypting the "Soft Center": MySQL over SSL
A classic mistake in multi-tier applications is leaving the database traffic unencrypted. You have a web server (Frontend) and a database server (Backend) connected via a private switch or VLAN. You trust that link. Don't.
If an attacker gets shell access to the web server, they can run tcpdump and watch your SQL queries—containing user emails, passwords, and credit card data—fly by in plain text. Datatilsynet (The Norwegian Data Protection Authority) takes a dim view of this kind of negligence, especially under current Personopplysningsloven regulations.
Enable SSL replication and connection in MySQL 5.5. Generate your certs (CA, Server, Client) using OpenSSL, then configure my.cnf:
[mysqld]
ssl-ca=/etc/mysql/certs/ca-cert.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
# Force SSL for specific users
# GRANT ALL PRIVILEGES ON app_db.* TO 'webapp'@'192.168.10.5' REQUIRE SSL;This ensures that even if the internal network is sniffed, the data remains opaque.
CoolVDS Insight: SSL adds a slight CPU overhead. On older virtualization platforms like OpenVZ, this context switching can be costly. This is why CoolVDS uses KVM with modern Xeon processors; the overhead for SSL encryption on our infrastructure is negligible, ensuring high performance without sacrificing security.
4. Private Networking & Isolation
The ultimate implementation of Zero Trust is physical (or virtual) segmentation. Do not run your database on a public IP address. It shouldn't even have a public route.
On CoolVDS, you should configure a private backend network. Your web server has two interfaces: eth0 (Public) and eth1 (Private/LAN). Your database server has only eth0 (Private). To update the database server, you tunnel through the web server or use a bastion host.
Here is a snippet for /etc/network/interfaces on a Debian 7 database node to ensure it never leaks traffic to the internet:
# The loopback network interface
auto lo
iface lo inet loopback
# The private network interface
auto eth0
iface eth0 inet static
address 10.10.0.5
netmask 255.255.255.0
# NO GATEWAY defined here prevents accidental internet routingConclusion: Paranoia is a Virtue
The days of setting up a firewall and forgetting it are over. Regulatory pressure in Europe is mounting, and the technical sophistication of attacks is outpacing the defense of standard shared hosting.
By implementing strict iptables rules, enforcing key-based authentication, and encrypting internal traffic, you build a grid where a breach in one sector doesn't collapse the whole system. Security isn't a product; it's a process. But having the right foundation helps.
If you need a hosting partner that respects data sovereignty and provides the raw KVM access required for this level of hardening, we are ready for you. Deploy a secure KVM instance in Oslo today with CoolVDS.