Skip to content

Server hardening, documented properly

Every control on this site carries three things: the exact directive to apply, the command that proves it actually took effect, and what to check before you apply it so you don’t lock yourself out.

Start with a service:

  • SSH — the front door on every host, and the most attacked service on the internet.
  • Redis / Valkey — where an open port is code execution rather than a data leak.
  • PostgreSQL — sane defaults, undone by pg_hba.conf edits and upgrades.
  • nginx — where being on the internet is the job, so hardening is about what you serve.
  • MySQL / MariaDB — two products that agree on everything except authentication.
  • MongoDB — the one that ships with authentication switched off.
  • Docker — where the socket is root and most escapes are configuration.
  • Apache httpd — good defaults, and what happens when they’re removed.
  • Elasticsearch — open by default for years, closed since 8.0, still breached where that’s undone.
  • RabbitMQ — the guest account, and the Erlang cookie that turns exposure into code execution.
  • Kubernetes — a control plane, a datastore, a network and a runtime, each hardened separately.

More services are being written. Each one arrives as a complete cluster rather than a stub.