The Safe Harbor Safety Net is Gone. Now What?

It has been three months since the European Court of Justice struck down the Safe Harbor agreement. If you are a CTO or Lead SysAdmin in Norway, the dust hasn't settled; it has turned into mud. The comfortable lie that "data in the US cloud is compliant enough" is over. With the Datatilsynet (Norwegian Data Protection Authority) sharpening their knives, reliance on US-based hosting giants is now a liability.

But legal jurisdiction is only half the battle. You can host your data in a bunker in Oslo, but if your root password is 'password123' or your SSH daemon is accepting Protocol 1, you are negligent. Compliance isn't a document you sign; it is a state of infrastructure.

In this guide, we are going to look at how to automate security compliance on a standard CentOS 7 or Debian 8 deployment. We aren't doing this manually—manual hardening is how mistakes happen. We are using Ansible to codify our paranoia.

Step 1: The Foundation Matters (OpenVZ vs. KVM)

Before we touch a config file, let's talk about isolation. In the budget VPS world, container-based virtualization like OpenVZ is common. It's cheap, but it shares the kernel with the host and other neighbors. For strict compliance, shared kernels are a non-starter. A kernel panic in a neighbor's container could theoretically impact you, and certain kernel-level hardening flags are impossible to set inside a container.

This is why at CoolVDS, we strictly use KVM (Kernel-based Virtual Machine). You get your own kernel. You get true isolation. If you are trying to prove to an auditor that your data is segregated, KVM is the only honest answer in the virtualized space.

Step 2: Automating SSH Hardening

The first thing a script kiddie or a botnet checks is port 22. We need to lock this down. We don't edit /etc/ssh/sshd_config by hand. We deploy a configuration state.

Here is an Ansible task list that enforces a secure SSH configuration. This disables root login, forces SSH Protocol 2 (to avoid legacy vulnerabilities), and disables password authentication in favor of SSH keys.

- name: Secure SSH Configuration
  hosts: web_servers
  become: yes
  tasks:
    - name: Ensure SSH Protocol 2 is set
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
        state: present

    - name: Disable Root Login
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present

    - name: Disable Password Authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: 'PasswordAuthentication no'
        state: present
        
    - name: Restart SSH
      service:
        name: sshd
        state: restarted

Pro Tip: Always verify your SSH keys are correctly deployed before running this playbook. If you disable password auth without a valid key in ~/.ssh/authorized_keys, you will lock yourself out. On CoolVDS, you can use the VNC console to recover, but let's avoid the embarrassment.

Step 3: The Firewall (IPTables State)

Many sysadmins are moving to firewalld on CentOS 7, but raw iptables remains the lingua franca for granular control. We want a default-drop policy. If traffic isn't explicitly allowed, it dies.

Here is a shell script approach to establishing a clean slate firewall. This is suitable for a web server (HTTP/HTTPS/SSH).

#!/bin/bash
# Flush existing rules
iptables -F

# Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH, HTTP, HTTPS
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Log dropped packets (limit to avoid log flooding)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "

# Save rules (Distro dependent command)
service iptables save

Step 4: Strong Diffie-Hellman Groups

Last year's "Logjam" attack demonstrated that standard 1024-bit Diffie-Hellman groups are vulnerable to state-level actors. If you are serving HTTPS, you need to generate a unique 2048-bit (or 4096-bit) DH group.

Run this on your server (warning: this will take time, especially on low-entropy virtual machines without hardware RNG):

Then, inside your Nginx configuration (nginx.conf), reference this file:

ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:kEDH+AES128:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;

Note the removal of RC4 and MD5. Old browsers might complain, but compliance requires deprecating weak ciphers.

Step 5: File Integrity Monitoring (FIM)

For PCI-DSS or serious internal compliance, you need to know if system files change. AIDE (Advanced Intrusion Detection Environment) is the standard open-source tool for this.

Install it via yum or apt:

Schedule a daily check in crontab:

Why Infrastructure Location Matters

You can automate all the hardening in the world, but if the physical disks reside in a jurisdiction that allows warrantless seizures, you have a compliance gap. The invalidation of Safe Harbor has made it clear: Data Residency is the new firewall.

Hosting with CoolVDS ensures your data sits physically in our Norwegian datacenters. We operate under Norwegian law, which provides some of the strongest privacy protections in the world. When you combine our NVMe storage performance with a KVM-isolated environment, you aren't just getting a fast server; you are getting a defensible compliance strategy.

Final Thoughts

Security is a process, not a product. By automating your hardening with Ansible and choosing a provider that respects data sovereignty, you reduce your surface area for both hackers and auditors.

Don't wait for the next regulatory ruling to scramble for a solution. Spin up a hardened CoolVDS instance today and keep your data where it belongs.