A generic hardening run
- Treats every server the same
- Cannot separate needed services from accidental exposure
- May change access before recovery is proven
We make administrator access private, map what is exposed to the internet, and safely restrict what should not be public. We then configure high-signal Telegram alerts and security logging, and hand over a clear report of what changed, what remains, and what to do next.
$700 per eligible server · Most core work in 3–5 business days · Final report and handoff on day 14
WireGuard, key-only SSH and a recovery path
Every public port mapped to a service and decision
High-signal Telegram alerts
14-day review and next actions
Report, registers and update plan
A checklist does not know which services your business needs, which ports were opened on purpose, which update requires a maintenance window, or how to recover if an access change goes wrong.
We record expected logins, administrators, public ports, services and security controls. We review real deployments and restarts, approve expected behavior and tune obvious noise. After the baseline is agreed, meaningful changes are easier to see and can trigger a focused Telegram alert.
A public port is a door from the internet into your server. Your website needs some doors open; an accidental one can expose an admin panel, database or test service.
We record which ports should be public, which service and system user should be behind each one, and who approved it.
Which ports should be public, what should use them and who approved them.
A new public port, a new firewall rule, broader admin access or a different service or user behind an approved port.
What changed, why it matters and what to check first.
nginx / approvedpython3 / root / unexpectedAttackers automatically probe public services. A new port—or a different process behind an approved port—creates a new place to attack. Seeing the change quickly lets you confirm it, restrict it or close it.
Expected changes can be approved. Unexpected access, keys, listeners or control failures remain visible for review.
Each alert shows what changed, why it matters and what to check first. Related repeats are grouped, and compatible rules are enabled only after a clean, validated baseline.
Validated signals can cover unexpected administrator access, new SSH keys, public-port or service changes, firewall drift, and failures in Fail2Ban or security logging.
Open the full alert capture Separate controlled validation · marketing-server · No customer impact
We restrict public SSH only after private WireGuard access and an independent recovery path have both been tested.
WireGuard and private key-only SSH for the owner or administrator.
An approved owner or trusted Telegram ID can open key-only SSH for one exact public IP for 15 or 30 minutes.
Provider console or rescue access remains available for rollback or repair.
The requester uses /access and enters one exact public IPv4 or IPv6 address plus a reason.
The approved owner or trusted decision-maker receives the request in a private Telegram chat.
The server opens key-only SSH only for that IP, records the grant and closes the firewall rule automatically on expiry or revoke.
If the production host cannot safely run WireGuard, we agree a compatible external VPN design before changing public SSH. Temporary recovery access always remains exact-IP, key-only and time-limited.
We confirm eligibility, the recovery path, workload health check and written scope. A 50% deposit reserves the engagement.
Private access, exposure, protections, logging and eligible alerts—with production validation after each stage.
We review access, ports, services and logs across the 14-day window and tune obvious noise.
Final report, update/reboot plan, remaining risks and removal of our operator access.
Application, database, container changes and risky reboots are handled only under a separately approved scope.
The report does not pretend that everything is fixed. It shows what was completed, what remains, why it remains and what should happen next.



Server Security & Access Control Specialist
Independent service provider based in Indonesia
We work under a written scope, use revocable access, never ask you to send a private SSH key or root password, and remove our operator access at handoff.
A fixed-scope 14-day engagement covering private administrator access, public-exposure review, server-level protections, high-signal alerts, security-log analysis and an evidence-backed handoff.
Private WireGuard access for up to seven named employees to selected internal services and website admin panels on one compatible server. Each person receives an individual connection that can be tested and revoked. Application authentication and hardening remain separate.
Docker Exposure Cleanup · Backup Restore Drill · Safe Update/Reboot Window · Provider Firewall Alignment · Additional Server.
Every change is planned and validated in stages. We verify recovery, record workload health and prepare rollback. Zero downtime is not promised; risky updates and reboots require a separately approved maintenance window.
Private WireGuard access and provider recovery are tested before public SSH is restricted. The agreed recovery model can also include owner-approved, exact-IP Telegram access for 15 or 30 minutes.
You are not paying for two free packages. We review real access and exposure, preserve recovery, apply only approved changes, validate production after each stage, analyze 14 days of behavior, and leave evidence and a next-step plan.
We record expected administrator access, public ports, services and security controls; review real deployments and restarts; tune obvious noise; and finalize the approved reference. This is bounded observation, not 24/7 monitoring.
No. It means the approved baseline changed or a high-risk signal appeared. The alert shows the evidence and first check; the change may be expected, accidental or malicious.
The owner or trusted administrator receives the signal, local evidence and recommended first action. Continuous investigation, incident response and 24/7 SOC coverage are not included.
Your private access, local security logging and validated alerts remain on the server. We deliver the final report and remove our operator VPN peer and SSH key. Ongoing review and response are separate.
No. We use a revocable public SSH key and never ask you to send private keys or server passwords.
We include Docker-published ports in the exposure review. Container or network redesign is quoted separately when it cannot be changed safely inside the fixed scope.
We stop routine baseline work and recommend incident response or recovery. Hardening is not a safe substitute for investigating an active incident.
Yes, where a selected endpoint can be safely restricted on the same compatible server. Up to seven named employees receive individual WireGuard access. This does not replace application authentication, authorization, updates or security hardening.
We stop before unsafe changes, explain the blocker and do not proceed outside the agreed scope. Any reschedule, reduced scope or cancellation is confirmed in writing.
No credentials are needed. Tell us how the server is used and what worries you. We will check whether it fits the fixed scope and contact you through your preferred channel before any payment or server access.
Your submission sends a private notification to the operator. It never goes into analytics events.