
Security Hardening

What is Security Hardening?

Security hardening is the process of securing a system by reducing its attack surface and eliminating potential vulnerabilities. Think of it as fortifying your server - closing unnecessary doors, strengthening locks, and installing security systems to protect against unauthorized access and cyber threats.

Every server comes with default configurations designed for ease of use and compatibility, not security. These defaults often leave services exposed, use weak encryption, or allow overly permissive access. Hardening transforms these permissive defaults into a security-focused configuration.

Why Hardening Matters

Reduced Attack Surface: Fewer open ports and services mean fewer opportunities for attackers to exploit.

Protection Against Common Attacks: Hardening prevents well-known attack vectors like brute force attempts, privilege escalation, and network reconnaissance.

Compliance Requirements: Many regulatory standards require specific security configurations that hardening addresses.

Performance Benefits: Disabling unnecessary services frees up system resources for your actual applications.

Peace of Mind: Properly hardened systems significantly reduce the likelihood of successful breaches.

⚠️ CRITICAL: Read Before Proceeding

Testing Environment First

ALWAYS test hardening configurations on a staging environment before applying to production servers.

Security hardening makes fundamental changes to your system configuration. What works perfectly on one setup may have unintended consequences on another. Testing on a non-critical staging server allows you to:

  • Verify compatibility with your specific applications
  • Ensure all required services remain accessible
  • Confirm you can still access the server after hardening
  • Test your disaster recovery procedures

Tested Configuration

At Tetsu, our hardening scripts are thoroughly tested against:

  • Operating System: Ubuntu 24.04 LTS
  • Provider: Cloud Infrastructure Provider
  • Installation State: Fresh, minimal installations

While the hardening may work on other configurations, we cannot guarantee compatibility with:

  • Other Ubuntu versions or Linux distributions
  • Servers with existing custom configurations
  • Heavily modified systems
  • Servers running legacy applications

🔴 MANDATORY Prerequisites

1. Create Full Server Backup

Before running ANY hardening, create a complete backup of your server. This includes:

  • Full system image/snapshot
  • Configuration files
  • Application data
  • Database backups

Your hosting provider likely offers snapshot functionality - use it. If something goes wrong, this backup is your only way to restore access.

2. SSH Access Requirements

⚠️ CRITICAL SSH WARNING ⚠️

The SSH hardening module implements the following security measures:

  • Disables root login completely
  • Disables password authentication
  • Enforces key-based authentication only

BEFORE running SSH hardening, you MUST:

  1. Create a non-root user with sudo privileges

    adduser yourusername
    usermod -aG sudo yourusername
  2. Set up SSH key authentication for this user

    ssh-copy-id yourusername@yourserver
  3. Test SSH access with the non-root user

    ssh yourusername@yourserver
    sudo echo "I have sudo access"
  4. Ensure you have your SSH private key backed up safely

If you proceed without completing these steps, you WILL be permanently locked out of your server. No one can help you regain access to a locked server.
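
A pre-flight check for the four prerequisites above, as an added example that is not part of Tetsu's hardening scripts. It assumes an Ubuntu-style sudo group and the default ~/.ssh/authorized_keys location; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check to run as root BEFORE the SSH hardening module.
# Function names and messages are assumptions, not part of Tetsu's scripts.

# Print how many usable public-key lines FILE holds (comments/blank lines ignored).
# Every OpenSSH public-key blob is base64 that starts with "AAAA".
count_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -Ec '(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com)[[:space:]]+AAAA[A-Za-z0-9+/]+' || true
}

# Succeed if PATH is writable by group or others (sshd StrictModes rejects that).
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Check the key-login material under HOME_DIR; print the first problem found.
check_key_file() {
    keyfile="$1/.ssh/authorized_keys"
    if [ "$(count_keys "$keyfile")" -eq 0 ]; then
        echo "no public key in $keyfile"; return 1
    fi
    for p in "$1" "$1/.ssh" "$keyfile"; do
        if loose_perms "$p"; then
            echo "$p is group/world-writable"; return 1
        fi
    done
    echo "ok"
}

# Full check for USER: exists, is not root, is in the sudo group, has a key.
preflight() {
    uid=$(id -u "$1" 2>/dev/null) || { echo "user $1 does not exist"; return 1; }
    [ "$uid" -ne 0 ] || { echo "$1 is root; root login will be disabled"; return 1; }
    id -nG "$1" | tr ' ' '\n' | grep -qx sudo ||
        { echo "$1 is not in the sudo group"; return 1; }
    home=$(getent passwd "$1" | cut -d: -f6)
    check_key_file "$home"
}

# Usage: sh preflight.sh yourusername
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it as root with the new username as the only argument; any output other than ok names a prerequisite that is not yet met. It does not replace step 3: still open a second SSH session as that user before hardening.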

For best results and maximum compatibility, we strongly recommend running hardening on:

  • A fresh Ubuntu 24.04 installation
  • Minimal server setup with no existing services
  • Before installing your applications

Running hardening on existing production servers increases the risk of:

  • Service disruptions
  • Configuration conflicts
  • Unexpected behavior
  • Access issues

Disclaimer of Liability

By using this hardening service, you acknowledge and agree that:

  • You are solely responsible for ensuring proper backups and access methods before hardening
  • You understand the risks of being locked out if prerequisites are not met
  • You have tested the hardening process on a non-production environment
  • We are not liable for any data loss, service disruption, or access issues
  • Recovery from lockout is your responsibility and may require provider intervention

Remember: It's much easier to prepare properly than to recover from a lockout.