The Prefork server model gets dismissed as “old school”. I think that’s wrong – especially on Linux.
With SO_REUSEPORT, the kernel distributes incoming connections across multiple pre-forked worker processes natively. No thread contention. No shared memory complexity. Each worker is an isolated process – a crash stays contained.

What you get:
– True process isolation per connection
– Kernel-level load balancing, no userspace overhead
– Predictable memory footprint
– Simpler security boundaries between workers

In a world obsessed with async event loops, we forget that prefork scales surprisingly well for workloads with high per-connection compute and where isolation actually matters – think security-sensitive services.
SO_REUSEPORT didn’t just fix the thundering herd problem. It quietly gave prefork a second life.
More on this soon.
#linux #infosec #networking #serversecurity #prefork
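The model described in this post, as an added example that is not part of the original post: each pre-forked worker binds its own listening socket to the same port with SO_REUSEPORT, and one worker is deliberately crashed to show that the others keep serving. Linux only; the function names, the loopback address and the "ping"/"crash" messages are assumptions made for the demonstration.

```python
import os, signal, socket

def worker(port, ready_fd):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)  # before bind()
    s.bind(("127.0.0.1", port))
    s.listen(16)
    os.write(ready_fd, b"r")          # tell the parent this listener is up
    os.close(ready_fd)
    while True:
        conn, _ = s.accept()          # the kernel chose this worker
        with conn:
            if conn.recv(16) == b"crash":
                os._exit(1)           # simulated fault: only this process dies
            conn.sendall(str(os.getpid()).encode())

def ask(port, msg):
    """Send msg to the shared port; reply is b"" if the worker died."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(msg)
        return c.recv(32)

def demo(n_workers=4, n_requests=40):
    res = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    res.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)  # same-UID sockets may share
    res.bind(("127.0.0.1", 0))        # reserve a free port for the workers
    port = res.getsockname()[1]
    r, w = os.pipe()
    pids = []
    for _ in range(n_workers):
        pid = os.fork()
        if pid == 0:
            try:
                worker(port, w)
            finally:
                os._exit(1)           # a child must never return to the caller
        pids.append(pid)
    os.close(w)
    ready = sum(len(os.read(r, 1)) for _ in pids)  # wait for every listener
    before = {ask(port, b"ping") for _ in range(n_requests)}
    ask(port, b"crash")               # takes down exactly one worker
    dead, _ = os.wait()
    after = {ask(port, b"ping") for _ in range(n_requests)}
    for p in set(pids) - {dead}:
        os.kill(p, signal.SIGTERM)
        os.waitpid(p, 0)
    res.close()
    os.close(r)
    return {"workers": pids, "ready": ready, "dead": dead, "before": before, "after": after}
```

Calling `demo()` returns the worker PIDs, the PID that crashed, and the sets of PIDs that answered before and after the crash.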

Two weeks ago we published our analysis of TURN security threats. Today: how to fix them.

New guides covering implementation-agnostic best practices (IP range blocking, protocol hardening, rate limiting, deployment patterns) and coturn-specific configuration with copy-paste templates at three security levels.

Best practices: https://www.enablesecurity.com/blog/turn-security-best-practices/
coturn guide: https://www.enablesecurity.com/blog/coturn-security-configuration-guide/
Config templates on GitHub: https://github.com/EnableSecurity/coturn-secure-config

coturn 4.9.0 dropped yesterday with fixes for CVE-2026-27624 (IPv4-mapped IPv6 bypass of deny rules) and an inverted web admin password check that had been broken since ~2019. The guides cover workarounds for older versions.

#infosec #webrtc #security #TURN #coturn #penetrationtesting #voip #serversecurity

TURN Server Security Best Practices

TURN server security guide for any implementation. Hardening checklist, IP range block lists, rate limiting, and deployment patterns for production WebRTC systems.

Enable Security
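The bug class named in the post above (an IPv4-mapped IPv6 address slipping past deny rules written for IPv4), shown generically as an added example; this is not coturn's code or configuration. The deny list, peer addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample deny list: ranges a relay should never forward to.
DENY = [ipaddress.ip_network(n) for n in
        ("127.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7")]

def _matches(addr):
    return any(addr.version == net.version and addr in net for net in DENY)

def denied_naive(peer):
    """Weak check: an IPv6 peer is only ever compared with IPv6 rules."""
    return _matches(ipaddress.ip_address(peer))

def canonical(peer):
    """Unwrap ::ffff:a.b.c.d to the IPv4 address it denotes before matching."""
    addr = ipaddress.ip_address(peer)
    mapped = addr.ipv4_mapped if addr.version == 6 else None
    return mapped if mapped is not None else addr

def denied(peer):
    """Hardened check: rules are applied to the canonical address."""
    return _matches(canonical(peer))

def audit(peers):
    """Return the peers the weak check lets through but the hardened one blocks."""
    return [p for p in peers if denied(p) and not denied_naive(p)]

# Constructed test peers.
PEERS = ["127.0.0.1", "::ffff:127.0.0.1", "::ffff:10.1.2.3",
         "::ffff:192.0.2.10", "fc00::1", "192.0.2.10"]
```

Running `audit()` over the peer addresses in relay logs is a quick way to see whether a deny list applied by string or address family would have missed any of them.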

🛡️ ESET protects not only PCs, but your servers too.
Ransomware always attacks the most important systems first.

ESET offers:
• Protection for clients
• Protection for Windows & Linux servers
• Low system load
• European solution

👉 More info: smey-it.de/managed-antivirus

#ESET #ServerSecurity #EndpointSecurity #CyberSecurity #KMU #smeyIT
#ManagedServices #RansomwareProtection #ZeroDay

Server security share: Using Ubuntu 24; measures include key-only SSH, root login disabled, a separate user, fail2ban & ufw, automatic updates, Plesk + security package. Question: Is this setup secure enough to host a website? #BảoMậtWebServer #ServerSecurity #UbuntuTips

https://www.reddit.com/r/selfhosted/comments/1qr1cxn/webserver_security_tips/

Cybersecurity cert prep: Lab 10 (Path Traversal) — retrieve the list of users from the server

https://peertube.eqver.se/w/aGi7ffemEKnCwjfGHsJGYn


What solution is needed for securing servers/services without a VPN? Using Cloudflare Tunnels + Traefik, but mTLS has problems with mobile apps, especially iOS. Cloudflare Zero Trust & NordVPN also conflict. Looking for a secure, easy-to-use way to access for clients that don't use a web browser. #securingServers #mTLS #Cloudflare #ServerSecurity #Android #iOS #Tailscale #NetworkSecurity

https://www.reddit.com/r/selfhosted/comments/1pof1x9/how_should_i_be_securing_my_serverservices_and/

Server Security Checklist — Essential Hardening Guide

Securing your servers isn’t optional — it’s your first line of defense against data breaches, ransomware, insider threats, and lateral movement. Use this checklist as a baseline for Linux, Windows, cloud, hybrid, or on-prem servers.

🔧 1. System & OS Hardening
• Keep OS & packages updated (apply security patches frequently).
• Remove / disable unused services & software.
• Enforce secure boot + BIOS/UEFI passwords.
• Disable auto-login and guest accounts.
• Use minimal OS images only (reduce attack surface).

🔐 2. Access Control
• Enforce strong passwords & MFA everywhere.
• Use RBAC & least privilege access.
• Disable root/Administrator login over SSH/RDP.
• Rotate credentials & keys regularly.
• Implement just-in-time access for privileged users.

🌐 3. Network Security
• Restrict inbound/outbound traffic via firewalls.
• Segment critical servers from general LANs/VLANs.
• Disable unused ports & protocols.
• Enable DoS/DDoS protection.
• Apply zero-trust network principles.

🔑 4. Secure Remote Access
• Use SSH key-based authentication (disable password login).
• Enforce VPN for admin access.
• Log & monitor all remote access sessions.
• Disable legacy protocols (Telnet, FTP, SMBv1).
• Require bastion/jump host for critical access.

📊 5. Logging & Monitoring
• Enable centralized logging (syslog / SIEM).
• Track failed login attempts & anomalies.
• Configure alerts for privilege escalation or config changes.
• Monitor log tampering.
• Retain logs securely for audits & forensics.

🔒 6. Data Protection
• Encrypt data at rest (LUKS, BitLocker, etc.).
• Encrypt data in transit (TLS 1.2+).
• Strict database access policies.
• Regular, offline, immutable backups.
• Test restore procedures (don’t assume backups work).

🔁 7. Application & Patch Management
• Keep middleware, frameworks, and apps patched.
• Delete default credentials & sample files.
• Enable code signing for software packages.
• Use secure coding practices (OWASP Top 10).
• Implement dependency scanning (Snyk, Trivy, etc.).

🛡️ 8. Malware & Intrusion Defense
• Deploy EDR/AV on endpoints.
• Enable IDS/IPS at network edge.
• Automatic vulnerability scans (schedule weekly/monthly).
• Monitor persistence techniques (cron, startup scripts).
• Block known malicious IP ranges & TLDs.

🏢 9. Physical & Cloud Security
• Restrict physical access to server racks/rooms.
• Enable provider security tools (AWS Security Groups, Azure NSG, IAM).
• Harden cloud images (CIS benchmarks).
• Review cloud logging & audit trails regularly.
• Disable unused cloud API keys / roles.

📜 10. Policy & Compliance
• Use CIS / NIST / ISO-27001 benchmarks.
• Track & document every access change.
• Force annual access reviews & key rotation.
• Perform regular security training for admins.
• Maintain disaster recovery & incident plans.

➕ Additional 5 Critical Controls (Advanced Hardening)

🧠 11. Privileged Access Management (PAM)
• Use jump hosts & session recording.
• Just-In-Time access for admins.
• Store keys in secure vaults (HashiCorp Vault, CyberArk).

🚨 12. Real-Time Threat Detection
• Use behavioral analytics → UEBA/XDR.
• AI-based anomaly detection recommended.
• Block suspicious IPs automatically.

🧪 13. Red Team & Pentesting
• Run regular internal pentests.
• Validate configuration weaknesses.
• Simulate phishing + lateral movement scenarios.

🧱 14. Container / VM Isolation
• Use AppArmor, SELinux, Seccomp profiles.
• Limit Docker socket access & root containers.
• Scan images before deployment.

📦 15. Automated Configuration Management
• Use IaC (Terraform, Ansible, Puppet) for repeatable and secure builds.
• Detect drift using compliance scanning.
• Version control all infrastructure.

🧠 Core Reminder

A server is only as secure as the team who maintains it.
Hardening isn’t one task — it’s an ongoing

#ServerSecurity #SystemHardening #InfoSec #CyberSecurity #BlueTeam
#DevSecOps #SysAdmin #ThreatDetection #AccessControl #NetworkSecurity
#LinuxSecurity #SecureArchitecture #RiskMitigation #SecurityChecklist
#CloudSecurity #InfrastructureSecurity #ZeroTrust #SecurityMonitoring

20,000 failed SSH logins in 2 days.
On a server hosting only a static webpage.

Recently, I was checking logs on a VM that I own. It has no backend, no database.
Just a static webpage served by NGINX.

Yet, I found 20k failed SSH login attempts.

A VM becomes a target the moment it’s online.

Fortunately, password logins were disabled. Here is my new server security routine (non-root user, SSH auth, fail2ban etc.):

https://nerdsid.com/posts/cyber-security/10-steps-to-make-a-new-linux-vm-safe/

#CyberSecurity #InfoSec #Linux #ServerSecurity

The Sony PlayStation hack of 2011 is considered the worst breach in gaming history. With 77 million users affected, this episode is often used as an example of the importance of timely patching of servers and firewall security.
Here's what happened and the lessons learnt.

#serverSecurity #patchDay #firewallSecurity #PSNhack #PlayStation #gaming

https://negativepid.blog/the-sony-playstation-network-hack/

The Sony PlayStation Network Hack - Negative PID

On April 17, 2011, the PlayStation Network (PSN) went down, leaving users without access to the platform for twenty-three days. It affected 77M users.

Negative PID

"Are you using Cloudflare Tunnel to expose Jellyfin on the internet? Set up Cloudflare Access with a one-time code sent by email. Is that not secure? #Cloudflare #Jellyfin #ServerSecurity #TruyCelInternet #MãMạo #AnT oneserver #MãMail"

https://www.reddit.com/r/selfhosted/comments/1oa1s8d/using_cloudflare_tunneling_for_accsess/