TWN Stack

Security Hardening

Security configuration and hardening guidelines for tasmanian.cloud infrastructure

This document outlines the security hardening measures implemented across tasmanian.cloud's infrastructure.


Security Architecture

```mermaid
flowchart TB
    subgraph "Defense in Depth"
        L1[Perimeter Layer<br/>Cloudflare WAF<br/>DDoS Protection]
        L2[Network Layer<br/>Firewall Rules<br/>IDS/IPS<br/>Netbird VPN]
        L3[Host Layer<br/>Wazuh EDR<br/>Tetragon eBPF<br/>CIS Hardening]
        L4[Application Layer<br/>Input Validation<br/>Auth/AuthZ<br/>Secrets Management]
        L5[Data Layer<br/>Encryption at Rest<br/>Encryption in Transit<br/>Key Management]
    end

    L1 --> L2
    L2 --> L3
    L3 --> L4
    L4 --> L5
```

Perimeter Security

Cloudflare Configuration

| Feature | Configuration |
|---|---|
| DDoS Protection | Always On |
| WAF Rules | OWASP Core Rule Set |
| Rate Limiting | 100 req/min per IP |
| Bot Management | Challenge suspected bots |
| SSL/TLS | Full (strict) |

Firewall Rules

```text
# pfSense base rules
# WAN Interface: drop bogon and private source ranges, admit only HTTPS/HTTP
block in log quick on wan from <bogons> to any
block in log quick on wan from <private> to any
pass in quick on wan proto tcp from any to (wan) port 443 keep state
pass in quick on wan proto tcp from any to (wan) port 80 keep state

# Internal Rules: infrastructure may reach the Proxmox web UI (8006);
# the customer range is blocked from the infrastructure subnet
pass in quick on lan proto tcp from 10.0.10.0/24 to 10.0.20.0/24 port 8006 keep state
block in log quick on lan from 10.0.40.0/22 to 10.0.10.0/24
```

Host Security

CIS Benchmarks

All systems are hardened according to CIS Level 2 benchmarks:

```bash
# Install CIS benchmark tools
apt install -y cis-hardening aide

# Run CIS scan
cis-hardening scan --level 2

# Apply CIS hardening
cis-hardening apply --level 2 --exclude "6.1.1,6.1.2"
```

Key Hardening Measures

| Category | Control | Implementation |
|---|---|---|
| Authentication | Password policy | 16+ chars, complexity, 90-day expiry |
| Authentication | MFA | Required for all admin accounts |
| Access | SSH | Key-only, port 2222, fail2ban |
| Logging | Auditd | All privileged commands logged |
| Filesystem | AIDE | File integrity monitoring |
| Network | TCP Wrappers | Service-level access control |

SSH Hardening

```text
# /etc/ssh/sshd_config
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers admin@10.0.10.* deploy@10.0.10.*
```
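The settings above only take effect if sshd actually resolves them: sshd uses the first occurrence of a keyword and silently ignores later duplicates, and anything after a `Match` line is conditional. The checker below is an added example (not part of this document or of OpenSSH) that audits a config text against the baseline above under those rules; the sample config is constructed.

```python
# Baseline from the SSH Hardening section; sshd keywords are case-insensitive.
BASELINE = {"port": "2222", "permitrootlogin": "no", "passwordauthentication": "no",
            "pubkeyauthentication": "yes", "maxauthtries": "3",
            "clientaliveinterval": "300", "clientalivecountmax": "2"}

def effective_settings(config_text):
    """Global settings as sshd resolves them: the FIRST occurrence of a keyword
    wins, parsing stops at the first `Match` block, and `Include`d files are
    not followed here (audit /etc/ssh/sshd_config.d/*.conf separately)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:                    # sshd also accepts Keyword=value
            parts = line.split("=", 1)
        key = parts[0].strip().lower()
        if key == "match":
            break
        if key not in settings and len(parts) == 2:
            settings[key] = parts[1].strip().lstrip("= ").strip()
    return settings

def audit(config_text, baseline=BASELINE):
    """Return (keyword, expected, effective) per deviation; None = keyword unset."""
    eff = effective_settings(config_text)
    return [(k, want, eff.get(k)) for k, want in baseline.items()
            if (eff.get(k) or "").lower() != want]

# Constructed sample: hardened lines were appended below stock defaults, so
# sshd still listens on 22 with passwords enabled; the Match block does not help.
SAMPLE = """\
Port 22
PasswordAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
Port 2222
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, want, have in audit(SAMPLE):
        print(f"{key}: expected {want}, effective {have}")
```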

Endpoint Detection & Response

Wazuh XDR

```mermaid
flowchart TB
    subgraph "Wazuh Architecture"
        SERVER[Wazuh Server<br/>Indexer + Manager]

        subgraph "Agents"
            A1[Proxmox Nodes]
            A2[Service VMs]
            A3[Customer VMs]
        end

        subgraph "Detection"
            FIM[File Integrity]
            LOG[Log Analysis]
            VULN[Vulnerability Detection]
            INTEGRITY[Configuration Assessment]
        end

        subgraph "Response"
            ALERT[Alerting]
            ACTIVE[Active Response]
            SOAR[SOAR Integration]
        end
    end

    A1 --> SERVER
    A2 --> SERVER
    A3 --> SERVER

    SERVER --> FIM
    SERVER --> LOG
    SERVER --> VULN
    SERVER --> INTEGRITY

    FIM --> ALERT
    LOG --> ACTIVE
    VULN --> SOAR
```

Wazuh Agent Installation

```bash
# Install Wazuh agent
# apt-key is deprecated on current Debian/Ubuntu; the replacement is a keyring
# under /usr/share/keyrings referenced with [signed-by=...] in the source entry.
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt update
apt install -y wazuh-agent

# Configure agent to report to the Wazuh manager
sed -i 's/MANAGER_IP/10.0.10.100/g' /var/ossec/etc/ossec.conf
systemctl restart wazuh-agent
```

Tetragon eBPF Security

```bash
# Install Tetragon
helm repo add cilium https://helm.cilium.io
helm install tetragon cilium/tetragon -n kube-system

# Enable process execution monitoring: record credentials and namespaces on
# every exec event. With the Helm deployment the same settings are chart values
# (tetragon.enableProcessCred, tetragon.enableProcessNs, tetragon.processCacheSize).
cat > /etc/tetragon/tetragon.yaml << 'EOF'
enableProcessCred: true
enableProcessNs: true
processCacheSize: 65536
EOF
```

Tetragon Policies

```yaml
# Detect cryptomining
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: detect-cryptomining
spec:
  kprobes:
  - call: "__x64_sys_execve"
    syscall: true
    args:
    - index: 0
      type: "string"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/tmp/xmrig"
        - "/tmp/minerd"
      matchActions:
      - action: Sigkill
```
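To see what the policy above fires on, the following added example (constructed here; neither Tetragon code nor part of this document) re-implements the selector semantics Tetragon applies to `matchArgs` for string arguments (Equal, Prefix, Postfix), with the policy embedded as a dict mirroring the YAML, and runs it over constructed execve filenames. It shows that Prefix matches anything under the two listed path prefixes, and that paths outside them fall through, which is the coverage question a tuning review has to answer.

```python
# The detect-cryptomining TracingPolicy, mirrored as a dict (constructed here).
POLICY = {
    "kprobes": [{
        "call": "__x64_sys_execve", "syscall": True,
        "args": [{"index": 0, "type": "string"}],
        "selectors": [{
            "matchArgs": [{"index": 0, "operator": "Prefix",
                           "values": ["/tmp/xmrig", "/tmp/minerd"]}],
            "matchActions": [{"action": "Sigkill"}],
        }],
    }]
}

OPERATORS = {
    "Equal": lambda arg, v: arg == v,
    "Prefix": lambda arg, v: arg.startswith(v),
    "Postfix": lambda arg, v: arg.endswith(v),
}

def selector_matches(selector, args):
    """All matchArgs entries must match (AND); within one entry any listed
    value may match (OR). Other match* fields are not modelled here."""
    for m in selector.get("matchArgs", []):
        op = OPERATORS[m["operator"]]
        if not any(op(args[m["index"]], v) for v in m["values"]):
            return False
    return True

def actions_for(policy, call, args):
    """Actions for one hooked call: selectors are tried in order (OR) and the
    first one that matches decides; no match means the event is not acted on."""
    for probe in policy["kprobes"]:
        if probe["call"] != call:
            continue
        for sel in probe["selectors"]:
            if selector_matches(sel, args):
                return [a["action"] for a in sel.get("matchActions", [])]
    return []

# Constructed execve filenames (argument index 0), not captured telemetry.
EVENTS = ["/tmp/xmrig", "/tmp/xmrig-6.21/xmrig", "/tmp/minerd.old",
          "/usr/local/bin/xmrig"]

def run_policy(events=EVENTS):
    """Map each filename to the actions the policy would take on its execve."""
    return {e: actions_for(POLICY, "__x64_sys_execve", [e]) for e in events}

if __name__ == "__main__":
    for path, acts in run_policy().items():
        print(f"{path}: {acts or 'no match'}")
```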

Network Security

Netbird Mesh VPN

```mermaid
flowchart TB
    subgraph "Netbird Network"
        CTRL[Netbird Controller<br/>control.tasmanian.cloud]

        subgraph "Access Control Groups"
            INFRA[Infrastructure<br/>10.0.10.0/24]
            CUSTOMER[Customers<br/>10.0.40.0/22]
            MGMT[Management<br/>100.64.0.0/10]
        end

        subgraph "Peers"
            P1[Proxmox Node 1]
            P2[Proxmox Node 2]
            P3[Proxmox Node 3]
            C1[Customer Site 1]
            C2[Customer Site 2]
        end
    end

    CTRL --> P1
    CTRL --> P2
    CTRL --> P3
    CTRL --> C1
    CTRL --> C2

    P1 --> INFRA
    C1 --> CUSTOMER
    C2 --> CUSTOMER
```

Netbird Configuration

```bash
# Install Netbird
curl -fsSL https://pkgs.netbird.io/install.sh | sh

# Join network
netbird up --management-url https://control.tasmanian.cloud:33073

# Configure ACLs via API (JSON body needs the Content-Type header)
curl -X POST https://control.tasmanian.cloud/api/groups \
  -H "Authorization: Token $NETBIRD_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "infrastructure",
    "peers": ["pve1", "pve2", "pve3"],
    "rules": [
      {
        "proto": "tcp",
        "port": "22",
        "action": "accept"
      }
    ]
  }'
```

Secrets Management

HashiCorp Vault

```bash
# Install Vault
apt install -y vault

# Initialize Vault: 5 Shamir key shares, any 3 needed to unseal.
# Give each share to a different custodian; never store them together.
vault operator init -key-shares=5 -key-threshold=3

# Unseal Vault (three distinct shares)
vault operator unseal <unseal-key-1>
vault operator unseal <unseal-key-2>
vault operator unseal <unseal-key-3>

# Enable KV secrets engine (version 2: versioned secrets)
vault secrets enable -path=secret kv-v2

# Store Paymenter secrets (random 32-byte password, quoted against word splitting)
vault kv put secret/paymenter/database \
  username=paymenter \
  password="$(openssl rand -base64 32)"
```

Application Integration

```php
<?php
// Paymenter Vault integration
use Vault\Client;

// Vault is reached over TLS; a plain-http base_uri would send the Vault token
// and the returned secret across the network unencrypted.
$client = new Client(['base_uri' => 'https://vault.tasmanian.cloud:8200']);
// KV v2 reads go through the /data/ path; the payload sits under data.data
$secret = $client->read('secret/data/paymenter/database');

$dbPassword = $secret['data']['data']['password'];
```

Compliance

ISO 27001 Controls

| Control | Implementation | Evidence |
|---|---|---|
| A.9.1.1 | Access control policy | Documented ACL matrix |
| A.9.2.1 | User registration | Automated provisioning |
| A.9.4.1 | Password policy | PAM configuration |
| A.10.1.1 | Cryptographic policy | PQ crypto standards |
| A.12.3.1 | Information backup | 3-2-1 backup strategy |
| A.12.4.1 | Event logging | Wazuh SIEM |
| A.12.6.1 | Vulnerability management | Weekly scans |

Essential 8 Alignment

| Mitigation Strategy | Implementation |
|---|---|
| Application Control | Allow-listing with AIDE |
| Patch Applications | Automated patching (unattended-upgrades) |
| Configure MS Office Macros | N/A (Linux environment) |
| User Application Hardening | Browser hardening, AppArmor |
| Restrict Admin Privileges | RBAC, sudo logging |
| Patch Operating Systems | Automated kernel updates |
| Multi-Factor Authentication | Required for all admin access |
| Regular Backups | Daily backups, 90-day retention |

Incident Response

Playbooks

| Incident Type | Response Time | Actions |
|---|---|---|
| Unauthorized Access | 15 minutes | Isolate, investigate, restore |
| Malware Detection | 30 minutes | Quarantine, analyze, remediate |
| Data Breach | 1 hour | Contain, notify, investigate |
| DDoS Attack | 5 minutes | Activate Cloudflare, scale |

Contact Information

| Role | Contact | Escalation |
|---|---|---|
| Security Team | security@tasmanian.cloud | 24/7 |
| On-Call Engineer | oncall@tasmanian.cloud | 24/7 |
| Management | cto@tasmanian.cloud | Business hours |