Infrastructure
Server Setup
Linux server provisioning, hardening and configuration.
A freshly provisioned Linux server is not a production server. Hellenic Technologies follows a hardening checklist for every server we bring into service, ensuring that Ubuntu and Debian instances are secured against the most common attack vectors before any application code is deployed. This process is fully automated via Ansible and takes under five minutes per server — consistent, repeatable, and auditable.
SSH hardening is the first step: we disable password authentication, disable root login, move SSH to a non-standard port, restrict allowed users, and configure idle session timeouts. fail2ban is installed and configured to automatically ban IPs that fail SSH authentication repeatedly, and we integrate its logs with centralised monitoring. For environments requiring stricter access control, we configure SSH certificates via HashiCorp Vault or AWS Systems Manager Session Manager to eliminate static SSH keys entirely.
System hardening covers kernel parameters (sysctl), filesystem mount options (noexec, nosuid), automatic security updates via unattended-upgrades, and swap configuration for memory-constrained instances. We install and configure a host-based firewall (UFW or nftables) that denies all inbound traffic by default and explicitly allows only required ports. Chrony or timesyncd is configured for accurate NTP — critical for TLS certificate validation and distributed system coordination.
Linux server provisioning includes:
- Ubuntu 22.04/24.04 and Debian 12 automated provisioning via Ansible
- SSH hardening: key-only auth, non-standard port, allowed user restriction
- fail2ban configuration for SSH and application-specific log paths
- UFW/nftables firewall setup with default-deny inbound policy
- Automatic security updates via unattended-upgrades with reboot scheduling
- Swap space configuration based on workload profile
- Kernel parameter tuning for network performance and security
- Logrotate configuration for application and system logs
- Monitoring agent installation (Prometheus node_exporter, Datadog agent)
- Server hardening validation checklist and documentation
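
The SSH hardening items described above (no password authentication, no root login, non-standard port, allowed-user restriction, idle timeout) can be checked mechanically as part of a validation checklist. The following is an added example, not Hellenic Technologies' own tooling: the pass criteria, the function names `parse_global` and `audit`, and the sample config are assumptions made for illustration.

```python
# Added example: audit the global section of an sshd_config for the SSH
# hardening items above. Pass criteria are assumptions; the page names the
# controls, not exact values. Include files and Match blocks are not evaluated.

# OpenSSH built-in defaults, used when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password",
            "port": "22", "allowusers": "", "clientaliveinterval": "0"}

# vals[0] is used for single-valued keywords: sshd keeps the first value it reads.
CHECKS = {
    "passwordauthentication": lambda vals: vals[0].lower() == "no",
    "permitrootlogin": lambda vals: vals[0].lower() == "no",
    "port": lambda vals: "22" not in vals,        # Port may repeat; every listener counts
    "allowusers": lambda vals: any(v.strip() for v in vals),
    "clientaliveinterval": lambda vals: vals[0] not in ("", "0"),  # 300 or 5m both count
}

def parse_global(config_text):
    """Map lowercase keyword -> list of values in file order, up to the first Match."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        seen.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(config_text):
    """Return the sorted keywords whose effective value fails its check."""
    seen = parse_global(config_text)
    # Absent keywords fall back to the OpenSSH default.
    return sorted(k for k, check in CHECKS.items()
                  if not check(seen.get(k, [DEFAULTS[k]])))

# Constructed sample: the later "PasswordAuthentication no" does not take effect.
SAMPLE = """\
PasswordAuthentication yes
Port 2222
PermitRootLogin no
AllowUsers deploy
PasswordAuthentication no
"""
```

`audit(SAMPLE)` reports `passwordauthentication` even though the file ends with `PasswordAuthentication no`, the kind of ordering mistake a visual review misses. On a live host, `sshd -T` prints the effective configuration with Include files resolved and is the authoritative input for such a check.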
