[$ xmrhost] _

$ man 7 hardening

[$ ] Linux hardening for offshore VPS — defense-in-depth baseline

// NAME

hardening — pillar entry. The XMRHost hardened-by-default baseline at the kernel, sshd, ssh-key, auditd, network, and package-update layers. Links into the per-layer runbooks under /docs.

// MODEL

Defense in depth: each layer narrows the attack surface for the next. A hardened sshd does nothing if the kernel is unpatched; a hardened kernel does nothing if sshd accepts password auth. The layers are not substitutes — they compose.

// LAYERS

$ ls /etc/xmrhost/hardening.d

// layer           // surface                                                 // runbook
kernel             memory protection, syscall lockdown, exploit primitives    /docs/kernel-hardening-checklist
sshd               remote-management surface, credential exposure             /docs/harden-sshd
ssh keys           credential algorithm, key rotation                         /docs/ssh-key-migration
audit              post-incident forensic trail                               auditd ruleset (XMRHost default)
network            listening surface, ingress/egress filter                   nftables baseline (XMRHost default)
package updates    CVE-window exposure                                        unattended-upgrades (XMRHost default)

// KERNEL — KSPP BASELINE

$ man kspp

The Kernel Self-Protection Project (KSPP) curates the upstream kernel-hardening config baseline. XMRHost's standard kernel applies the KSPP recommended-config plus selected grsec-style patches at build time. Tenants do not opt in — every plan ships the hardened kernel.

Notable settings included:

  • CONFIG_STACKPROTECTOR_STRONG — stack canaries on every function with a stack-allocated array.
  • CONFIG_RANDOMIZE_BASE — KASLR (Kernel Address Space Layout Randomization) on by default.
  • CONFIG_SLAB_FREELIST_RANDOM + CONFIG_SLAB_FREELIST_HARDENED — slab allocator hardening.
  • CONFIG_SECURITY_LOCKDOWN_LSM — kernel lockdown mode (confidentiality + integrity).
  • CONFIG_HARDENED_USERCOPY — bounds-checks on user/kernel-space copies.
  • kernel.kptr_restrict=2 — kernel pointer obfuscation in /proc.
  • kernel.yama.ptrace_scope=2 — restrict ptrace to processes that explicitly opt in.
  • kernel.dmesg_restrict=1 — root-only dmesg.

// the full sysctl + CONFIG list is at /docs/kernel-hardening-checklist; the upstream reference is kernsec.org/wiki/Kernel_Self_Protection_Project.

// SSHD

$ man sshd-baseline

The XMRHost standard sshd config disables the password-auth surface that accounts for the bulk of unauthorised-access attempts on a public-IP host.

# /etc/ssh/sshd_config — XMRHost baseline (excerpt)

PermitRootLogin                  no
PasswordAuthentication           no
ChallengeResponseAuthentication  no
KbdInteractiveAuthentication     no
UsePAM                           yes
PubkeyAuthentication             yes
AuthenticationMethods            publickey

# Algorithms — Ed25519-first, drop weak KEX / ciphers / MAC
HostKey                          /etc/ssh/ssh_host_ed25519_key
KexAlgorithms                    curve25519-sha256@libssh.org,curve25519-sha256
Ciphers                          chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs                             hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Operational hardening
LoginGraceTime                   30
MaxAuthTries                     3
MaxSessions                      4
AllowAgentForwarding             no
AllowTcpForwarding               no
X11Forwarding                    no
ClientAliveInterval              300
ClientAliveCountMax              2

# fail2ban + auditd cooperation
LogLevel                         VERBOSE

// the full discussion (incl. fail2ban ruleset, MaxAuthTries trade-offs, port choice) is at /docs/harden-sshd.
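Added example, not part of the XMRHost runbooks: a POSIX sh check that compares the effective sshd configuration, as `sshd -T` prints it, against the baseline above. Reading `sshd -T` instead of grepping sshd_config catches values overridden by drop-ins under sshd_config.d. The sample dump is constructed, and the function name and the subset of keywords checked are assumptions.

```shell
# Audit the effective sshd config (what `sshd -T` prints) against the
# XMRHost baseline. The constructed sample below stands in for the live
# output; on a host use: check_sshd_baseline "$(sshd -T 2>/dev/null)"
SAMPLE_SSHD_T='port 22
permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
authenticationmethods publickey
maxauthtries 3
logingracetime 30
allowtcpforwarding no
x11forwarding no
loglevel VERBOSE'

# Baseline as key=expected; sshd -T prints keywords lowercased
BASELINE='permitrootlogin=no
passwordauthentication=no
kbdinteractiveauthentication=no
pubkeyauthentication=yes
authenticationmethods=publickey
maxauthtries=3
logingracetime=30
allowtcpforwarding=no
x11forwarding=no
loglevel=VERBOSE'

# check_sshd_baseline DUMP: prints one line per deviation; the exit
# status is the number of deviations (0 = compliant)
check_sshd_baseline() {
  dump=$1
  bad=0
  for pair in $BASELINE; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ -z "$got" ]; then
      echo "MISSING  $key (expected $want)"
      bad=$((bad + 1))
    elif [ "$got" != "$want" ]; then
      echo "DEVIATES $key = $got (expected $want)"
      bad=$((bad + 1))
    fi
  done
  return $bad
}

check_sshd_baseline "$SAMPLE_SSHD_T" || echo "$? deviation(s) from baseline"
```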

// SSH KEYS — ED25519 BASELINE

$ man ssh-keys

Ed25519 (RFC 8709) is the recommended algorithm for sshd public-key auth on every XMRHost plan. RSA-2048 is acceptable; RSA-1024 is not (the cost of a forged signature is now low enough that any long-running system using 1024-bit RSA should be migrated). Ed25519 keys are short, fast, and the algorithm primitives are not subject to the parameter-choice issues that complicated RSA hardening.

# generate an Ed25519 key with hardened KDF rounds
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/xmrhost

# the -a 100 flag sets the KDF rounds (bcrypt_pbkdf) used to encrypt
# the on-disk private key; it only takes effect when a passphrase is
# set, and then makes a brute-force attack against a stolen private
# key materially more expensive

// migration runbook for legacy RSA keys at /docs/ssh-key-migration.

// AUDIT — AUDITD BASELINE

$ man auditd

auditd records security-relevant kernel events: syscall entry/exit, file accesses, capability use, login/logout, privilege escalation. The default XMRHost ruleset captures the events that matter for post-incident forensics without flooding the log with kernel-housekeeping noise.

  • Identity-changing syscalls — setuid, setgid, setresuid, setresgid, capset.
  • File-permission changes — chmod, chown, fchmod, fchown, fchmodat, fchownat (-S selects the syscalls, -F filters on permission-relevant args).
  • Critical-path accesses — /etc/passwd, /etc/shadow, /etc/sudoers, /etc/ssh/, /var/log/.
  • Module load/unload — init_module, finit_module, delete_module.
  • Mount syscalls — mount, umount, umount2.
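The bullets above written out as a concrete auditctl ruleset, added here as an example and not taken from the XMRHost default ruleset; the auid filters, the -k key names and the commented immutable-mode line are assumptions.

```shell
# Emit an auditd ruleset implementing the bullets above (auditctl syntax).
# Install: xmrhost_audit_rules > /etc/audit/rules.d/xmrhost.rules && augenrules --load
# The auid filters are an assumption, not the page's exact ruleset:
# auid>=1000 drops system accounts, auid!=unset drops daemons with no login uid.
xmrhost_audit_rules() {
cat <<'EOF'
## identity-changing syscalls, both ABIs (a 32-bit binary bypasses b64-only rules)
-a always,exit -F arch=b64 -S setuid,setgid,setresuid,setresgid,capset -k identity_change
-a always,exit -F arch=b32 -S setuid,setgid,setresuid,setresgid,capset -k identity_change
## file-permission changes by logged-in users
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,chown,fchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
## critical paths: write and attribute-change watches
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/ssh/ -p wa -k sshd_conf
-w /var/log/ -p wa -k log_tamper
## kernel module load/unload
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k modules
## mounts (x86_64 has no umount syscall, only umount2; the b32 ABI has both)
-a always,exit -F arch=b64 -S mount,umount2 -k mount
-a always,exit -F arch=b32 -S mount,umount,umount2 -k mount
## make the ruleset immutable until reboot so auditing cannot be
## switched off silently after compromise (uncomment once tuned):
## -e 2
EOF
}

# audit_rules_with_key KEY: number of rules tagged with -k KEY
audit_rules_with_key() {
  xmrhost_audit_rules | grep -c -- "-k $1\$"
}
```

Load the rules, then confirm them with `auditctl -l`; events are then searchable by key, e.g. `ausearch -k identity_change`.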

// NETWORK — NFTABLES BASELINE

$ man nftables-baseline

nftables is the modern packet-filter API; iptables is legacy (deprecated upstream). The XMRHost default policy is deny-by-default ingress, plus rate-limited sshd, plus per-protocol services as the tenant configures them.

# /etc/nftables.conf — XMRHost baseline (excerpt)

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    ct state established,related accept
    iif "lo" accept

    # icmp echo-request rate-limited (no full block)
    icmp type echo-request limit rate 5/second accept
    icmpv6 type echo-request limit rate 5/second accept

    # sshd — rate-limited
    tcp dport 22 ct state new limit rate 4/minute accept

    # tenant services routed here at provisioning
  }

  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output  priority 0; policy accept; }
}

// PACKAGE UPDATES — UNATTENDED

$ man unattended-upgrades

Debian's unattended-upgrades applies security updates without operator action, narrowing the CVE-exposure window between upstream-fix and tenant-action. The XMRHost default applies the Debian-Security pocket only (NOT the bookworm-updates pocket — that rolls non-security feature updates and is not appropriate for unattended application without operator review).

# /etc/apt/apt.conf.d/50unattended-upgrades — XMRHost baseline

Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Automatic-Reboot          "false";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::Mail                       "";
Unattended-Upgrade::MailReport                 "on-change";

// Automatic-Reboot is off by default — tenants who run stateful services (matrix homeserver, postgres) need to schedule the reboot. Tenants whose service tolerates restart can flip it to "true".

// SEE ALSO

$ ls /usr/share/doc/xmrhost/hardening