Server hardening, documented properly
Every control on this site carries three things: the exact directive to apply, the command that proves it actually took effect, and what to check before you apply it so you don’t lock yourself out.
Start with a service:
- SSH — the front door on every host, and the most attacked service on the internet.
- Redis / Valkey — where an open port is code execution rather than a data leak.
- PostgreSQL — sane defaults, undone by pg_hba.conf edits and upgrades.
- nginx — where being on the internet is the job, so hardening is about what you serve.
- MySQL / MariaDB — two products that agree on everything except authentication.
- MongoDB — the one that ships with authentication switched off.
- Docker — where the socket is root and most escapes are configuration.
- Apache httpd — good defaults, and what happens when they’re removed.
- Elasticsearch — open by default for years, closed since 8.0, still breached where that’s undone.
- RabbitMQ — the guest account, and the Erlang cookie that turns exposure into code execution.
- Kubernetes — a control plane, a datastore, a network and a runtime, each hardened separately.
More services are being written. Each one arrives as a complete cluster rather than a stub.