Tag: hardening

An open-source NGINX module that bakes a full ACME client into the server itself. Write autocert on; and NGINX gets, serves and renews its own Let’s Encrypt certificates — no certbot, no cron, no reload.

Coraza is the memory-safe, Go-written WAF that speaks ModSecurity’s language and runs the OWASP CRS unchanged. Here is what libcoraza and the nginx-coraza module are, why we package them, and the fork-deadlock gotcha nobody warns you about.

JA3 and JA4 TLS fingerprinting read the bytes of the ClientHello to spot the software behind a connection, even when it lies about its User-Agent. Here is how it works on nginx with ngx_ssl_fingerprint_module, and why blocking on a fingerprint is riskier than it looks.

A single misbehaving scraper can fire 40,000 requests an hour at a 404 it will never stop hitting, and your access log…

Half of all web traffic is bots, and a growing slice are vibe-coded AI scanners written by a chatbot prompt. Here is the five-layer defense in depth that stops them: rate limiting, WAF, TLS hardening, request validation, access control, PHP and Docker hardening, plus the patching that does the most work.

WordPress XSS and SQL injection CVEs are exploding because AI now finds them faster than you can patch. This ModSecurity CRS plugin is the last wall: 40+ rules, typed-parameter SQLi blocking, rate limiting and GeoIP — before PHP ever boots.

Our hardened Roundcube Docker image runs as nobody, can chown nothing, and treats every request as hostile. Here is the full unprivileged + WAF security model — and why default webmail containers are a liability.

Your mailbox table deserves better than raw SQL at 02:00. ViMbAdmin — modernised for PHP 8.5 — manages Postfix + Dovecot virtual domains, mailboxes and aliases via web UI or JSON-RPC API, with TOTP, brute-force protection and a hardened Docker image.

The myguard OpenSSH 10.3 package rebuilds sshd for production servers: post-quantum key exchange, AEAD-only ciphers, an AppArmor profile, a fail2ban jail, monthly moduli regeneration, three switchable sshd flavours (default / gssapi / minimal), and compiler hardening beyond Debian’s default. Includes a 2026 SSH key-generation walkthrough and a stack of server-hardening tips.

Default Docker is barely a container at all — root, mutable, all caps, shared kernel. This is the ten-flag hardening checklist that turns it into something a real attacker has to work to break: rootless, read-only, cap-drop, no-new-privileges, distroless, secrets, segmentation, scanning. With a worked NGINX + PHP-FPM compose example.

Rspamd is the modern spam filter that runs Bayesian classifiers, neural networks, greylisting, DNS blacklists, Pyzor, Razor, OLEFY and DCC — all at once. Here is what rspamd does, how spam evolved, and why it crushes the inbox war.

Valkey is the BSD-licensed, Linux Foundation-backed fork of Redis — and as of 2026 it has overtaken Redis itself. Here is what Valkey is, why it exists, and why our hardened deb.myguard.nl build is the smartest way to install it on Debian or Ubuntu.

BREACH is a compression side-channel attack that can leak CSRF tokens and other secrets over HTTPS. Here is how the BREACH attack works, why padding is weak protection, and how to prevent it properly.

A beginner-friendly, step-by-step guide to installing ModSecurity and the OWASP Core Rule Set on NGINX for Debian and Ubuntu — from zero to a live WAF without taking your site down.