The Perimeter is Dead: Implementing "Trust No One" Security on Linux in the Wake of Shellshock
If the last six months have taught us anything—between Heartbleed in April and the absolute catastrophe of Shellshock just last week—it is that the concept of a "trusted network" is a dangerous myth. For years, sysadmins have hidden soft, vulnerable services behind a hard firewall, assuming that once an attacker is inside the perimeter, they deserve access. That philosophy is now a liability.
In the Norwegian hosting market, where data sovereignty and strict adherence to Datatilsynet regulations are paramount, we cannot afford to be lax. The solution is a security model that Forrester Research calls "Zero Trust," but I prefer to call it "Paranoid Systems Administration." It means verification at every step, even for traffic coming from `192.168.x.x`.
This guide breaks down how to architect a Trust-No-One environment using standard tools available on CentOS 6/7 and Ubuntu 14.04 LTS, ensuring your infrastructure on CoolVDS remains resilient even if the perimeter is breached.
1. The Death of the Trusted LAN
Traditionally, you might run a MySQL server listening on a private IP and allow all traffic from your Web Server's private IP. Simple. But if your Web Server is compromised via a bash injection (Shellshock), the attacker instantly owns your database. In a Zero Trust model, the database shouldn't trust the web server just because of its IP address.
The Solution: Host-Based Firewalls (Not Just Edge)
Hardware firewalls at the datacenter edge are necessary, but insufficient. Every single VPS must run its own strict firewall. We don't rely on the hosting provider's edge router to save us. On CoolVDS KVM instances, you have full kernel control, meaning iptables is your first line of defense.
Here is a "Default DROP" policy for a CentOS 6/7 database server. It explicitly rejects everything that isn't white-listed, logging dropped packets for auditing.
# Flush existing rules
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections (Critical!)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH: Only from specific Admin IPs (Replace x.x.x.x)
iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT
# MySQL: Only from the specific Web Server IP, not the whole subnet
iptables -A INPUT -p tcp -s 10.0.0.5 --dport 3306 -j ACCEPT
# Log dropped packets (limit to prevent disk flooding)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
# Save rules
service iptables save
service iptables restartPro Tip: Never define `10.0.0.0/8` as trusted. Always pin specific IPs. If a neighbor on a shared segment gets compromised (common in low-quality OpenVZ hosting, though not on CoolVDS's isolated KVM setup), you don't want them scanning your ports.
2. Encryption Everywhere: Tunneling and SSH
Plain text traffic inside the private network is a relic of the 90s. Even if you are transferring data between two servers in the same Oslo datacenter, you must assume the wire is tapped. This is where the "Zero Trust" model shines: we encrypt local traffic.
Since configuring SSL for every legacy application is painful, SSH Tunnels are the pragmatic CTO's best friend. They are robust, standard, and use strong encryption.
Scenario: You need to connect to a Redis instance on Server B from Server A securely.
# On Server A (Web), create a persistent tunnel to Server B (Redis)
ssh -f -N -L 6379:127.0.0.1:6379 user@10.0.0.2 -i /home/user/.ssh/id_rsa_tunnelNow, your application connects to `localhost:6379`, and the traffic is encrypted over the wire to Server B. No packet sniffer at the NIX (Norwegian Internet Exchange) or within the datacenter can read your data.
3. Hardening Access: Beyond Passwords
If you are still using passwords for SSH, you are wrong. With the rise of massive botnets scanning specifically for weak credentials, keys are mandatory. Furthermore, recent vulnerabilities in OpenSSL suggest we need to be picky about our ciphers.
Here is a battle-tested `sshd_config` for October 2014 standards, disabling weak HMACs and enforcing Protocol 2.
# /etc/ssh/sshd_config
Port 2222 # Security through obscurity helps reduce log noise
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
# Restrict Ciphers to the strong ones (Exclude Arcfour/RC4)
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha1,hmac-ripemd160For high-value targets, implement Two-Factor Authentication (2FA) using `libpam-google-authenticator`. It integrates directly with SSH, requiring a code from your phone even if the attacker has your private key.
4. The Hardware Factor: Isolation and I/O
Software security is useless if the hypervisor leaks data. In 2014, many budget providers in Europe still rely on older OpenVZ kernels where resources are shared too aggressively. This can lead to "noisy neighbor" issues and potential kernel exploits affecting all containers.
This is why CoolVDS utilizes KVM (Kernel-based Virtual Machine). KVM provides hardware virtualization, treating your VPS as a distinct machine with its own kernel. This isolation is critical for a Zero Trust architecture—you cannot trust the host OS to manage your memory tables securely in a shared kernel environment.
The Storage Bottleneck
Security logging (iptables logs, auditd, auth.log) generates massive I/O. On traditional spinning rust (HDD), enabling full auditing can degrade application performance. We use pure SSD arrays to ensure that writing 50GB of logs per day doesn't impact your SQL query time. When you are logging every dropped packet to verify your Zero Trust model, you need high IOPS.
5. Comparison: Traditional vs. Zero Trust Setup
| Feature | Traditional (Perimeter) | Zero Trust (CoolVDS Recommended) |
|---|---|---|
| Firewall | Edge Only | Edge + Host-level iptables |
| Internal Traffic | Cleartext | Encrypted (SSH Tunnels/VPN) |
| SSH Access | Trusted Subnet + Password | Public/Private Keys + 2FA |
| Trust Assumption | "Inside is Safe" | "Verify Every Packet" |
Conclusion
The era of "set it and forget it" security ended when the NSA slides leaked, and it was buried by Shellshock. Security is no longer a product you buy; it is a configuration you maintain.
By enforcing strict iptables rules, tunneling internal traffic, and utilizing the hardware isolation of KVM on CoolVDS, you ensure that your data remains safe, compliant with Norwegian privacy standards, and resilient against the next big vulnerability disclosure. Don't wait for the next Heartbleed.
Ready to lock down your infrastructure? Deploy a KVM-based, SSD-powered instance in our Oslo datacenter today and start building a true Zero Trust environment.