# I can kill your server by overloading your disk

![Fuck Security](https://cdn.setka.ru/019811ac-b2fb-4059-8c37-0c122df2dc52_original)

## You don't have a firewall

## You don't have a VPN for your internal services

## You don't have a DMZ

## You are mixing your production deployment and your test deployment

# PLEASE set up a firewall so at least the Drone CI API isn't exposed

# Server & Deployment Security Hardening Guide

## Threat model (what we're defending against)

* Disk exhaustion / resource exhaustion
* Direct access to internal services
* Lateral movement after compromise
* Accidental exposure of test systems
* No network segmentation or trust boundaries

---

## 1. Network Segmentation (Non-Negotiable)

### Environments

**NEVER mix these on the same host or network segment:**

* Production
* Staging
* Test / Dev

**Minimum setup**

* Separate VMs or nodes
* Separate subnets/VPCs
* Separate credentials
* Separate databases

### Zones

* **Public zone**: Load balancer / reverse proxy only
* **DMZ**: Web servers
* **Internal zone**: Databases, queues, caches
* **Management zone**: SSH, monitoring, CI/CD

---

## 2. VPN for Internal Services

Internal services **must not be publicly routable**.

Options:

* WireGuard (recommended)
* OpenVPN
* Cloud-native private networking (AWS VPC, GCP VPC, etc.)

**Rules**

* Databases listen on private IPs only
* Redis, Kafka, internal APIs → VPN or private subnet
* No public IPs for internal services

---

## 3. Firewall Policy (iptables)

### Firewall Philosophy

* **Default deny**
* Explicit allow
* Log drops (rate-limited)
* Stateful filtering

---

## 4. iptables Baseline Configuration

Rule order matters: iptables walks the INPUT chain top to bottom and stops at the first match, so the sanity checks and connection limits below come *before* the per-port ACCEPT rules. Run the blocks in the order shown.

### Flush existing rules

```bash
iptables -F           # flush all rules in the filter table
iptables -X           # delete user-defined chains
iptables -t nat -F
iptables -t mangle -F
```

---

### Default policies

```bash
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
```

If you run this over SSH, the session is cut off the moment the INPUT policy becomes DROP, before the allow rules below exist. Either apply the whole set atomically with `iptables-restore` or set the DROP policy as the last step.

---

### Allow loopback

```bash
iptables -A INPUT -i lo -j ACCEPT
```

---

### Allow established connections

```bash
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

---

### Protect against SYN floods

```bash
# New TCP connections must start with a SYN; anything else is bogus.
# Must sit before the per-port ACCEPT rules, otherwise those match first.
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
```

This is a TCP sanity check rather than real SYN-flood protection; for that, enable SYN cookies (`sysctl -w net.ipv4.tcp_syncookies=1`).

---

### SSH (restricted)

```bash
# 203.0.113.0/24 is a placeholder: replace it with your management / VPN subnet
iptables -A INPUT -p tcp --dport 22 -s 203.0.113.0/24 -m conntrack --ctstate NEW -j ACCEPT
```

**Never expose SSH to the world.**

---

### Rate-limit connections (DDoS / abuse mitigation)

```bash
# connlimit counts open connections per source address (mask /32 by default).
# These must precede the HTTP/HTTPS ACCEPT rules or they never match.
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 50 -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j DROP
```

---

### HTTP / HTTPS

```bash
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
```

---

### ICMP (limited)

```bash
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 5 -j ACCEPT
```

---

### Log and drop everything else

```bash
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES DROP: "
iptables -A INPUT -j DROP
```

---

### Persist rules

```bash
apt install iptables-persistent          # restores /etc/iptables/rules.v4 at boot (Debian/Ubuntu)
iptables-save > /etc/iptables/rules.v4
```

Everything above is IPv4 only. If the host has an IPv6 address, `ip6tables` needs the same default-deny policy (saved to `/etc/iptables/rules.v6`), or the whole ruleset is bypassed over v6.

---

## 5. Disk Exhaustion Protection

### Enable disk quotas

```bash
apt install quota                       # quota tools (Debian/Ubuntu)
mount -o remount,usrquota,grpquota /    # one-off; add usrquota,grpquota to the / entry in /etc/fstab to persist
quotacheck -cum /
quotaon /
# Enabling quotas sets no limit by itself. Give each service account a hard cap (values in 1K blocks):
setquota -u <service-user> <soft-blocks> <hard-blocks> 0 0 /
```

### Log rotation

```bash
apt install logrotate   # present by default on Debian/Ubuntu; the point is to cap log size, not just rotate
# Cap the journal as well: SystemMaxUse=500M in /etc/systemd/journald.conf
```

### Tmpfs for temp files

```text
# /etc/fstab entry. Without size= a tmpfs can grow to half of RAM,
# so a process filling /tmp exhausts memory instead of disk.
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev,size=1G 0 0
```

---

## 6. Application-Level Protections

### Reverse proxy (mandatory)

* Nginx / HAProxy / Envoy
* Rate limiting
* Request body size limits

Example (Nginx):

```nginx
client_max_body_size 10M;
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
# The zone does nothing until it is applied inside a server or location block:
limit_req zone=api burst=20 nodelay;
```

---

## 7. Deployment Security Best Practices

### CI/CD

* No SSH deploys
* Use short-lived credentials
* One-way artifact promotion (build once → promote)

### Secrets

* Never in Git
* Use Vault / SSM / Secrets Manager
* Rotate regularly

---

## 8. OS Hardening

* Disable password SSH auth
* Use SSH keys only
* Fail2ban
* Automatic security updates
* Remove unused packages
* Run services as non-root

---

## 9. Monitoring & Alerting

You don't have security if you don't have visibility.

Monitor:

* Disk usage
* Connection counts
* Failed auth attempts
* Firewall drops
* CPU / memory saturation

---

## 10. Final Reality Check

If:

* You don't have a firewall
* You don't have segmentation
* You don't have a VPN
* You mix prod and test

Then **you don't have security — you have hope.**
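Added example for sections 1 and 2 (and the opening plea about the Drone CI API); this is not code from the original post. Before writing a single firewall rule, find out what is actually listening on public addresses. The script below reads `ss -H -lntp` output, treats loopback and RFC 1918 addresses as internal, and flags everything else. The `SAMPLE_SS` lines are constructed for the demo; the `audit_listeners` and `classify_addr` names are this example's own.

```shell
#!/bin/sh
# Audit of listening TCP sockets: which ones are reachable from outside?
# Usage on a real host:  ss -H -lntp | audit_listeners

# Classify a bind address as "internal" (loopback / RFC 1918) or "exposed"
# (wildcard or any other address). Assumption: anything not private is public.
classify_addr() {
    case "$1" in
        127.*|'[::1]'|::1)                         echo internal ;;
        10.*|192.168.*)                            echo internal ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)     echo internal ;;
        0.0.0.0|'*'|'[::]'|::)                     echo exposed ;;   # wildcard bind
        *)                                         echo exposed ;;
    esac
}

# Read `ss -H -lntp` lines on stdin; print one line per exposed listener.
# Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
audit_listeners() {
    while read -r _state _rq _sq laddr _peer rest; do
        [ -n "$laddr" ] || continue
        addr="${laddr%:*}"          # strip the trailing :port
        port="${laddr##*:}"
        proc=$(printf '%s\n' "$rest" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
        if [ "$(classify_addr "$addr")" = exposed ]; then
            printf 'EXPOSED %s/tcp %s (bound to %s)\n' "$port" "${proc:-unknown}" "$addr"
        fi
    done
}

# Constructed sample of `ss -H -lntp` output (not from a real host).
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=611,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("drone",pid=1443,fd=8))
LISTEN 0 511 10.0.0.5:6379 0.0.0.0:* users:(("redis-server",pid=702,fd=6))
LISTEN 0 4096 [::]:443 [::]:* users:(("nginx",pid=905,fd=7))'

printf '%s\n' "$SAMPLE_SS" | audit_listeners
```

On the sample, postgres (loopback) and redis (private IP) pass; sshd, drone and nginx are listed. nginx on 443 is expected in the DMZ, but a CI API on a wildcard bind is exactly the thing the firewall section exists to stop. Run this on every host before and after applying the ruleset; the list should only shrink.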
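Added example for section 4; not code from the original post. Instead of typing `iptables -A` lines one by one over SSH, generate the baseline as an `iptables-restore` file and apply it atomically. The generator refuses a "management subnet" of `0.0.0.0/0`, and `check_order` catches the two ordering mistakes that silently disable rules: a per-port ACCEPT placed before its connlimit guard, or before the non-SYN NEW drop. `gen_rules`, `valid_cidr` and `check_order` are this example's own names; the subnet in the usage line is a placeholder.

```shell
#!/bin/sh
# Generate the section-4 baseline in iptables-restore format, with the rules
# in an order that actually works, and sanity-check a rules file.

# Accept a.b.c.d/n only; "anywhere" is not a management subnet.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    case "$1" in
        0.0.0.0/*|*/0) return 1 ;;
    esac
    return 0
}

# gen_rules <management-cidr>  -> prints a complete filter table
gen_rules() {
    mgmt="$1"
    valid_cidr "$mgmt" || { echo "gen_rules: '$mgmt' is not a usable management CIDR" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --dport 22 -s $mgmt -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j DROP
-A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 50 -j DROP
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# check_order < rules-file  -> exit 1 if an ACCEPT for a port precedes that
# port's connlimit guard, or any per-port ACCEPT precedes the "! --syn" drop.
check_order() {
    awk '
        match($0, /--dport [0-9]+/)                 { port = substr($0, RSTART + 8, RLENGTH - 8) }
        port != "" && /connlimit/ && (port in accept) { bad = 1 }   # guard after its ACCEPT
        /! --syn/                                   { sane = 1 }
        port != "" && /-j ACCEPT/                   { accept[port] = NR; if (!sane) bad = 1 }
                                                    { port = "" }
        END                                         { exit bad + 0 }'
}

# Usage (placeholder subnet):
#   gen_rules 10.8.0.0/24 > /etc/iptables/rules.v4
#   iptables-restore --test /etc/iptables/rules.v4 && iptables-restore /etc/iptables/rules.v4
gen_rules 10.8.0.0/24 | check_order && echo "rule order OK"
```

`iptables-restore` replaces the table in one step, so there is no window in which the DROP policy is active without its allow rules, which is the lockout the "Default policies" block warns about. Keep the generated file in version control next to the deployment config; a firewall that only exists as shell history is not one.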
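Added example for sections 5 and 9; not code from the original post. The "IPTABLES DROP:" log prefix, disk usage and failed SSH logins are only useful if something reads them, so here are three small checks you can drop into cron or a monitoring agent: top sources in the firewall drop log, filesystems over a usage threshold from `df -P`, and top sources of failed SSH passwords. The three sample inputs are constructed; `top_drop_sources`, `disk_over_threshold` and `failed_ssh_auth` are this example's own names.

```shell
#!/bin/sh
# Section 9 checks, run over sample log lines. Real usage:
#   journalctl -k | top_drop_sources | head
#   df -P | disk_over_threshold 90
#   grep sshd /var/log/auth.log | failed_ssh_auth | head

# Count "IPTABLES DROP:" kernel log lines per SRC= address, busiest first.
top_drop_sources() {
    awk '/IPTABLES DROP:/ {
             for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) c[substr($i, 5)]++
         }
         END { for (s in c) print c[s], s }' | sort -rn
}

# disk_over_threshold <percent>: read `df -P` output, print "mountpoint use%"
# for every filesystem at or above the threshold. (Mount points containing
# spaces would break the $6 column split; none do on a sane server.)
disk_over_threshold() {
    awk -v t="$1" 'NR > 1 {
             pct = $5; sub(/%/, "", pct)
             if (pct + 0 >= t + 0) print $6, pct "%"
         }'
}

# Count sshd "Failed password" lines per source address, busiest first.
failed_ssh_auth() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Constructed samples (not real traffic).
SAMPLE_KLOG='Mar  3 10:15:01 web1 kernel: IPTABLES DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=54321 DPT=3306 SYN
Mar  3 10:15:02 web1 kernel: IPTABLES DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=54322 DPT=6379 SYN
Mar  3 10:15:04 web1 kernel: IPTABLES DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=41000 DPT=22 SYN
Mar  3 10:15:09 web1 kernel: IPTABLES DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=54323 DPT=8080 SYN
Mar  3 10:15:10 web1 kernel: usb 1-1: new high-speed USB device number 3'

SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 40000000 37200000 2800000 93% /
/dev/sdb1 200000000 20000000 180000000 10% /data
tmpfs 1048576 4 1048572 1% /tmp'

SAMPLE_AUTH='Mar  3 10:16:02 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:16:05 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 40031 ssh2
Mar  3 10:16:09 web1 sshd[2207]: Failed password for deploy from 203.0.113.9 port 51002 ssh2
Mar  3 10:16:12 web1 sshd[2210]: Accepted publickey for deploy from 10.8.0.4 port 50100 ssh2'

echo "--- firewall drops by source";   printf '%s\n' "$SAMPLE_KLOG" | top_drop_sources
echo "--- filesystems >= 90%";         printf '%s\n' "$SAMPLE_DF"   | disk_over_threshold 90
echo "--- failed SSH logins by source"; printf '%s\n' "$SAMPLE_AUTH" | failed_ssh_auth
```

The disk check is the one that matters for the title of this post: a root filesystem at 93% with quotas never set is the disk-exhaustion scenario, and an alert at 90% gives you time to act instead of finding out when the database stops writing. The drop-log and auth counts feed the Fail2ban / blocklist decisions from section 8.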