The dev-sec.io Framework
TetsuVPS is built on the dev-sec.io hardening framework, an open-source project that provides production-ready security baselines trusted by enterprises including Fortune 500 companies and major organizations.
What is dev-sec.io?
The dev-sec.io project is a community-driven initiative that transforms security best practices into automated, testable configurations. Rather than relying on manual checklists or ad-hoc scripts, dev-sec.io provides systematic hardening that can be consistently applied across your infrastructure.
Why Enterprises Trust dev-sec.io
- Battle-tested in production - Used by Fortune 500 companies and more
- Compliance-ready - Aligns with CIS benchmarks, STIG, and BSI guidelines
- Community-driven - Continuously updated by security professionals
- Vendor-neutral - Works across different platforms and providers
Operating System Hardening
The OS hardening component implements comprehensive security controls at the system level, following industry best practices and security guidelines.
System Hardening Overview
This implementation is based on the OS hardening roles from dev-sec.io, adapted for compatibility with Kamal. The configuration items below are largely derived from the original dev-sec.io documentation, with modifications only where necessary to ensure proper integration with Kamal deployment workflows.
Security Controls Applied:
- Repository security: Removes unused yum repositories and enforces GPG key validation
- Package management: Removes packages with known security vulnerabilities
- Authentication: Configures PAM for strong password requirements
- Auditing: Installs and configures auditd for system monitoring
- Memory protection: Disables core dumps via soft limits
- File permissions: Configures execute permissions for system path files
- Access control: Hardens shadow and passwd file permissions
- Filesystem security: Disables unused filesystem modules
- Network security: Disables rhosts-based authentication
- Terminal security: Configures secure TTY access
- Kernel hardening: Applies security parameters via sysctl
- SELinux: Enables mandatory access controls on EL-based systems
- Privilege reduction: Removes unnecessary SUID/SGID permissions
- Account security: Configures system account login restrictions
Excluded Operations:
- System package updates
- Security patch installation
Removed Packages:
- xinetd - Legacy internet services daemon (NSA Ch. 3.2.1)
- inetd - Internet super-server (NSA Ch. 3.2.1)
- tftp-server - Trivial file transfer protocol server (NSA Ch. 3.2.5)
- ypserv - NIS server (NSA Ch. 3.2.4)
- telnet-server - Unencrypted remote access (NSA Ch. 3.2.2)
- rsh-server - Remote shell server (NSA Ch. 3.2.3)
- prelink - Binary optimization tool (OpenSCAP Guidelines)
Disabled Filesystems:
- cramfs - Compressed ROM filesystem
- freevxfs - Veritas filesystem
- jffs2 - Journaling flash filesystem
- hfs - Hierarchical file system
- hfsplus - Extended HFS
- squashfs - Compressed read-only filesystem
- udf - Universal disk format
- vfat - FAT filesystem (disabled only on non-UEFI systems)
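The filesystem module list above is typically enforced with a modprobe drop-in that maps each module to /bin/true so it can never be loaded. The script below is an added example, not TetsuVPS or dev-sec.io code: it renders such a drop-in (honouring the vfat-on-UEFI exception) and audits an existing drop-in to report any module from the list that is still loadable. The "install <module> /bin/true" idiom is standard modprobe.d syntax; the drop-in file name and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example (not TetsuVPS or dev-sec.io code): render and audit the
# modprobe.d drop-in that disables unused filesystem modules.
# Assumed location on a real host: a file under /etc/modprobe.d/, for
# instance /etc/modprobe.d/fs-blacklist.conf (name chosen here).

# Filesystems from the list above; vfat is handled separately because the
# EFI system partition is FAT and must stay mountable on UEFI machines.
FS_MODULES="cramfs freevxfs jffs2 hfs hfsplus squashfs udf"

# Print the drop-in content. Pass "uefi" as $1 to keep vfat loadable;
# any other value (default "bios") blacklists vfat as well.
render_fs_blacklist() {
    firmware=${1:-bios}
    for m in $FS_MODULES; do
        printf 'install %s /bin/true\n' "$m"
    done
    if [ "$firmware" != "uefi" ]; then
        printf 'install vfat /bin/true\n'
    fi
}

# Return 0 if drop-in $2 neutralises module $1 with an
# "install <module> /bin/true" (or /bin/false) line; comments are ignored.
fs_module_disabled() {
    mod=$1; conf=$2
    grep -Eq "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$conf"
}

# Audit drop-in $1: print the modules from the page's list that are not
# neutralised and return 1; return 0 silently when all are covered.
audit_fs_blacklist() {
    conf=$1; missing=""
    for m in $FS_MODULES vfat; do
        fs_module_disabled "$m" "$conf" || missing="$missing $m"
    done
    [ -z "$missing" ] && return 0
    printf 'not disabled:%s\n' "$missing"
    return 1
}

# Live verification on a host (not exercised here): once the drop-in is in
# place, "modprobe -n -v cramfs" prints "install /bin/true" instead of
# an insmod line.
if [ "${1:-}" = "render" ]; then
    render_fs_blacklist "${2:-bios}"
fi
```

Running `sh fs-blacklist.sh render uefi > /etc/modprobe.d/fs-blacklist.conf` writes the UEFI-safe variant; `audit_fs_blacklist /etc/modprobe.d/fs-blacklist.conf` is the check to run after hardening, and its non-zero exit makes it usable from a CI or monitoring job.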
SSH Hardening
Configures:
- Enforces public key authentication only (disables password authentication)
- Disables root login and empty passwords
- Sets strong cryptographic ciphers, MACs, and key exchange algorithms
- Configures strict host key algorithms (4096-bit RSA keys)
- Sets login grace time (30s) and max auth retries (2)
- Implements connection limits (max sessions: 10, max startups: 10:30:60)
- Enables verbose logging and PAM integration
- Configures secure SFTP with chroot isolation
- Sets client alive intervals (300s) and count (3)
- Applies restrictive file permissions and umask (0027)
- Configures SELinux contexts on EL-based systems
- Disables systemd socket activation on Debian 12+/Ubuntu 22.04+
- Maintains revoked keys list and authorized principals
- Hardens both SSH client and server configurations
Disables:
- TCP forwarding
- X11 forwarding
- Agent forwarding
- Gateway ports and tunnel devices
- DNS lookups
- Compression
- Host-based authentication
- Challenge-response authentication
- MOTD, last login, and Debian banner display
- Roaming (client-side)
Removes:
- Weak Diffie-Hellman moduli (< 2048 bits)
- Legacy SSH protocol v1 support
- Weak ciphers (3DES, RC4, CBC modes)
- SHA1 and MD5-based algorithms
Will not:
- Update SSH packages
- Install security patches
- Modify system firewall rules
- Change default SSH port (remains 22)
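Because the SSH section lists concrete sshd_config values, the most useful companion is a check that reads a server's configuration back and reports every directive that deviates from the list. The script below is an added example, not TetsuVPS or dev-sec.io code. The directive names are real sshd_config keywords and the expected values come from the list above; the parser is deliberately simple (it honours the first occurrence of a keyword, as sshd does, and stops at the first Match block, which is this example's simplification). It also includes the usual filter that drops Diffie-Hellman moduli below 2048 bits: the fifth column of /etc/ssh/moduli stores the size minus one, so 2048-bit entries read 2047.

```shell
#!/bin/sh
# Added example (not TetsuVPS or dev-sec.io code): audit sshd_config
# against the hardened values listed above and filter weak DH moduli.

# "Keyword expected-value" pairs, one per line, taken from the list above.
SSHD_EXPECTED='PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
LoginGraceTime 30
MaxAuthTries 2
MaxSessions 10
MaxStartups 10:30:60
ClientAliveInterval 300
ClientAliveCountMax 3
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
UseDNS no
Compression no
HostbasedAuthentication no
ChallengeResponseAuthentication no
PrintMotd no
PrintLastLog no
UsePAM yes
LogLevel VERBOSE'

# Print the effective value of keyword $2 in config file $1. sshd uses the
# first occurrence and matches keywords case-insensitively; comment lines
# are skipped and reading stops at the first Match block (simplification).
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per deviation ("Keyword got=X want=Y") and return 1;
# return 0 silently when every expected directive is set as listed.
sshd_check() {
    conf=$1
    out=$(printf '%s\n' "$SSHD_EXPECTED" | while read -r key want; do
        got=$(sshd_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s got=%s want=%s\n' "$key" "${got:-<unset>}" "$want"
        fi
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Print only the moduli of at least 2048 bits from a moduli file ($1).
# Column 5 holds the size minus one, hence the 2047 threshold.
moduli_strong() {
    awk '$5 >= 2047' "$1"
}

# Typical host usage (not exercised here):
#   sshd_check /etc/ssh/sshd_config
#   moduli_strong /etc/ssh/moduli > /etc/ssh/moduli.strong && \
#       mv /etc/ssh/moduli.strong /etc/ssh/moduli
if [ -n "${1:-}" ]; then
    sshd_check "$1"
fi
```

On a hardened host `sh sshd-audit.sh /etc/ssh/sshd_config` prints nothing and exits 0; on a host where someone has re-enabled password logins it prints `PasswordAuthentication got=yes want=no`, which is the line to alert on. After replacing the moduli file, `sshd -t` confirms the daemon still accepts its configuration.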
Webserver Hardening
Beyond the dev-sec.io base, TetsuVPS includes specialized hardening for web-facing servers, implementing defense-in-depth strategies specifically for containerized applications.
Configures:
- UFW (Uncomplicated Firewall) with deny-by-default policy
- Default policies: deny incoming, allow outgoing, deny forward
- Firewall rules for SSH (port 22 by default)
- Firewall rules for HTTP (port 80)
- Firewall rules for HTTPS (port 443)
- Fail2ban intrusion prevention system
- Fail2ban SSH jail (10m default)
- Fail2ban find time window (10m default)
- Fail2ban max retry attempts (5 default)
- Automatic service enablement and startup
Enables:
- UFW firewall service
- Fail2ban service
- Systemd service management for both UFW and Fail2ban
Will not:
- Install web server software (nginx, apache)
- Configure SSL/TLS certificates
- Modify web server configurations
- Update system packages
- Install security patches
- Configure application-specific firewall rules automatically
- Reset UFW rules by default (optional via variable)
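The firewall and Fail2ban settings above translate into a short, ordered set of ufw commands and a jail.local file. The script below is an added example, not TetsuVPS or dev-sec.io code: it prints the ufw command plan (allowing the SSH port before enabling the firewall, so an operator is never locked out), renders a jail.local for the sshd jail with the 10m/10m/5 defaults from the list, and reads values back from that file so the result can be verified. The ufw and fail2ban syntax is the real one; the helper names and the choice to print rather than execute are this example's own.

```shell
#!/bin/sh
# Added example (not TetsuVPS or dev-sec.io code): plan the UFW rule set
# and render/verify a fail2ban jail.local matching the settings above.

# Print (do not execute) the ufw commands for the deny-by-default policy.
# $1 is the SSH port, 22 by default; it must be numeric so a typo cannot
# produce a plan that enables the firewall without an SSH rule.
ufw_plan() {
    ssh_port=${1:-22}
    case $ssh_port in
        ''|*[!0-9]*) printf 'ufw_plan: SSH port must be numeric\n' >&2; return 1 ;;
    esac
    printf 'ufw default deny incoming\n'
    printf 'ufw default allow outgoing\n'
    printf 'ufw default deny routed\n'
    printf 'ufw allow %s/tcp\n' "$ssh_port"
    printf 'ufw allow 80/tcp\n'
    printf 'ufw allow 443/tcp\n'
    printf 'ufw --force enable\n'
}

# Render a jail.local: $1 bantime, $2 findtime, $3 maxretry, $4 SSH port.
# Defaults are the values listed on this page.
render_jail_local() {
    printf '[DEFAULT]\nbantime = %s\nfindtime = %s\nmaxretry = %s\n\n' \
        "${1:-10m}" "${2:-10m}" "${3:-5}"
    printf '[sshd]\nenabled = true\nport = %s\n' "${4:-ssh}"
}

# Read key $3 from section $2 of INI file $1 (fail2ban's "key = value"
# form); comment lines starting with # or ; are ignored.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^\[/ { insec = ($0 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Typical host usage (not exercised here):
#   ufw_plan 22 | sh
#   render_jail_local > /etc/fail2ban/jail.local && systemctl restart fail2ban
if [ "${1:-}" = "plan" ]; then
    ufw_plan "${2:-22}"
fi
```

`sh webserver-hardening.sh plan 2222` shows the exact commands before anything is applied, which is worth reviewing whenever the SSH port is not 22. After restarting fail2ban, `fail2ban-client status sshd` confirms the jail is active with the rendered settings.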
The TetsuVPS Advantage
Pre-Configured for Kamal
Unlike generic hardening tools, TetsuVPS has carefully adapted each component for Kamal deployments:
- Docker Compatibility
- Deployment Workflow
One-Click Implementation
Instead of manually implementing hundreds of settings:
- Connect your server to TetsuVPS
- Run a security scan to see current status
- Click "Apply Hardening" to implement all configurations