
๐Ÿ›ก๏ธ Carpathian Security Roadmap

2024-04-15

A phased security plan for Carpathian's cloud platform — from early beta through production.

See this article for the lessons learned and the practical explanation of how I've been building Carpathian.


✅ Phase 1: Beta Testing (Current)

Goal: Lock down the host, protect internal access, and trust your testers.

๐Ÿ” Hypervisor Hardening

  • [ ] Disable password-based SSH (PasswordAuthentication no)
  • [ ] Restrict SSH to known IPs (via ufw or router ACLs)
  • [ ] Enable automatic security updates (e.g., unattended-upgrades)
  • [ ] (Optional) Install and configure fail2ban
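
A check for the first item above, as an added example (not Carpathian's own code): sshd uses the first value it reads for a keyword, so a later "PasswordAuthentication no" does not help if an included drop-in file or a Match block says "yes". The file contents, the function names, and the simplifications that Include paths are absolute and a Match block ends with its file are assumptions.

```python
import fnmatch
import re

# Constructed sample files (not taken from any Carpathian host).
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PasswordAuthentication no\n"
        "Match Address 10.0.0.0/8\n"
        "    PasswordAuthentication yes\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

def parse(files, path, global_opts, match_opts):
    """Walk one file top to bottom; the first value seen for a global keyword
    wins, and included files are read in lexical order at the Include line."""
    current_match = None  # None while still in the global section
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "include" and current_match is None:
            for inc in sorted(fnmatch.filter(files, value)):
                parse(files, inc, global_opts, match_opts)
        elif key == "match":
            current_match = value
        elif current_match is None:
            global_opts.setdefault(key, (value, path))
        else:
            match_opts.append((current_match, key, value, path))

def audit_password_auth(files, main="/etc/ssh/sshd_config"):
    """Return findings; an empty list means passwords are off everywhere."""
    global_opts, match_opts = {}, []
    parse(files, main, global_opts, match_opts)
    findings = []
    # sshd's built-in default is "yes" when the keyword never appears.
    value, src = global_opts.get("passwordauthentication", ("yes", "built-in default"))
    if value.lower() != "no":
        findings.append(f"global PasswordAuthentication is {value!r} (from {src})")
    for cond, key, val, src in match_opts:
        if key == "passwordauthentication" and val.lower() != "no":
            findings.append(f"Match {cond} sets PasswordAuthentication {val} (from {src})")
    return findings
```

Calling audit_password_auth(SAMPLE_FILES) reports both the drop-in file and the Match block. On a live host, sshd -T prints the effective global configuration and is the authoritative check.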

๐ŸŒ Network Controls

  • [x] Route all inbound traffic through a central NGINX reverse proxy
  • [x] Block unsolicited inbound traffic via firewall
  • [ ] Limit outbound traffic from VMs (optional, future)
  • [ ] Begin transition to vmnetX per-user isolation

🧪 VM Behavior Monitoring

  • [ ] Use nmap or tcpdump to monitor vmnetX activity
  • [ ] Detect and log unexpected DHCP, ARP spoofing, or rogue services

👤 Account-Level Security

  • [ ] Enforce 2FA on all web-based logins
  • [ ] Enforce long, randomly generated passwords
  • [ ] Rotate admin credentials regularly

๐Ÿ” Phase 2: Scaling to 10+ Users

Goal: Ensure tenant isolation, tighten visibility, and prepare for paid users.

๐Ÿ” Per-Tenant Network Isolation

  • [ ] Create vmnetX per plan/user
  • [ ] Automate:
    • vmnetX creation
    • NAT + DHCP setup
    • Network registration in the DB

🧠 Monitoring & Observability

  • [ ] Centralize logs for:
    • NGINX access
    • Firewall/NAT usage
    • Port assignments
  • [ ] Track bandwidth per VM or vmnetX
  • [ ] (Optional) Add Netdata or Grafana for metrics

🧱 Phase 3: Production-Ready (Monetization Stage)

Goal: Zero-trust architecture, user visibility, and infrastructure resilience.

🛂 Identity & Access Management

  • [ ] Rotate SSH keys and API tokens automatically
  • [ ] Allow per-user SSH key upload
  • [ ] Audit all access events by user and VM

โš™๏ธ Infrastructure Automation

  • [ ] Auto-isolate VMs by network upon provisioning
  • [ ] Track and enforce port exposure rules
  • [ ] Verify firewall/NAT rule correctness on deploy

๐ŸŒ Overlay Network (Optional Future Step)

  • [ ] Build VXLAN or WireGuard mesh between hypervisors
  • [ ] Allow cross-hypervisor plans to remain connected
