Security documentation

A complete breakdown of every security measure baked into your ShieldHost server. Nothing optional, nothing left to chance — these protections are active from the moment your server comes online.

8 security layers • Active from first boot • Zero manual configuration

Our security philosophy

Most VPS providers hand you a raw Linux image and wish you luck. You get root, a public IP, and an open SSH port — and from that point, security is your problem. You're expected to harden the OS, configure the firewall, set up key auth, install intrusion detection, keep packages updated, and do it all before someone finds your server on Shodan.

We think that's backwards. Security shouldn't be a post-deployment checklist. It should be the foundation you build on.

Every ShieldHost server ships with a hardened base image, a locked-down firewall, Tailscale mesh networking, ClamAV malware scanning, and automatic security updates — all configured before you ever log in. We don't offer these as add-ons or premium features. They're the default. They're non-negotiable.

This is what we mean by "opinionated." We made the security decisions so you can focus on what you're actually building.

Network architecture

Traditional VPS networking exposes your server to the entire internet. ShieldHost flips that model — your server lives on a private Tailscale mesh and has no public-facing ports.

Your device (Tailscale client installed) → WireGuard tunnel (end-to-end encrypted) → ShieldHost server (private interface only)

What's exposed

  • Tailscale mesh traffic (WireGuard encrypted)
  • Optional package ports on your private network only

What's blocked

  • All public inbound traffic (deny-all default)
  • Public SSH, HTTP, HTTPS — nothing open by default

Hardening layers

Every layer below is applied automatically when your server is provisioned. There's nothing to enable, nothing to configure. This is what's running on your server from minute one.

Private-first networking via Tailscale

Every ShieldHost server joins your Tailscale mesh network at boot. There are no public-facing admin ports: no publicly reachable SSH on port 22, no control panels exposed to the internet. The only way to reach your server is through your authenticated tailnet. This eliminates the single biggest attack vector on any VPS: the exposed management interface.

What this means for you
  • Server joins your tailnet automatically before any services start
  • Firewall allows traffic only on the Tailscale interface
  • No public IP required for management — server is invisible to port scanners
  • All management traffic encrypted end-to-end via WireGuard

Firewall with deny-all default

We configure the firewall with a deny-all inbound policy. The only exceptions are Tailscale mesh traffic and any ports explicitly opened for optional packages you install (like PostgreSQL). Every firewall rule is scoped to the Tailscale interface — nothing is exposed to the public network.

What this means for you
  • Default policy: deny all inbound, allow all outbound
  • Tailscale mesh traffic allowed in and out
  • Optional package ports (e.g., PostgreSQL 5432) only open on your private network
  • No public-facing ports by default — not even SSH
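
To check the "private interface only" claim yourself after installing extra software, the added example below (not ShieldHost's own tooling) classifies listening TCP sockets from `ss -H -tln` output and reports any that are not bound to loopback or a Tailscale address. The sample output is constructed; the Tailscale ranges are 100.64.0.0/10 and fd7a:115c:a1e0::/48. A wildcard bind is not necessarily reachable from outside, but it means the firewall rule is the only thing keeping that port private.

```python
import ipaddress

# Tailscale assigns node addresses from these ranges (CGNAT IPv4, ULA IPv6).
TAILNET_NETS = [ipaddress.ip_network("100.64.0.0/10"),
                ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample of `ss -H -tln` output (not taken from a real server).
SAMPLE_SS = """\
LISTEN 0 128  100.101.102.103:22   0.0.0.0:*
LISTEN 0 244  100.101.102.103:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53     0.0.0.0:*
LISTEN 0 511  0.0.0.0:8080         0.0.0.0:*
LISTEN 0 128  [::]:9000            [::]:*
LISTEN 0 128  203.0.113.7:443      0.0.0.0:*
"""

def classify(local):
    """Return (host, port, scope) for one 'Local Address:Port' field."""
    host, port = local.rsplit(":", 1)
    host = host.split("%", 1)[0].strip("[]")   # drop %iface, then IPv6 brackets
    if host == "*":                            # ss prints '*' for dual-stack wildcard
        return host, int(port), "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        scope = "wildcard"                     # 0.0.0.0 or :: (every interface)
    elif ip.is_loopback:
        scope = "loopback"
    elif any(ip in net for net in TAILNET_NETS):
        scope = "tailnet"
    else:
        scope = "other"                        # bound to a non-tailnet address
    return host, int(port), scope

def audit(ss_output):
    """Listeners that are not confined to loopback or a tailnet address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port, scope = classify(fields[3])
        if scope in ("wildcard", "other"):
            findings.append((host, port, scope))
    return findings

if __name__ == "__main__":
    for host, port, scope in audit(SAMPLE_SS):
        print(f"{host}:{port} -> {scope}")
```

On a live server, pass the real output of `ss -H -tln` to `audit()`; a "wildcard" or "other" finding is worth binding to the tailnet address explicitly.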

SSH key authentication

When you provide an SSH public key during server creation, it's configured on the server automatically. We strongly recommend key-based authentication over passwords. Key-based authentication is cryptographically stronger, is not exposed to password brute-forcing, and eliminates the most common way attackers get into servers.

What this means for you
  • SSH keys configured at boot — ready when your server is
  • Password auth available as fallback but discouraged
  • Secure random admin passwords generated with high-entropy randomness
  • SSH only accessible through Tailscale — double layer of authentication

ClamAV malware scanning

ClamAV is installed and enabled on every server from the start. Virus definitions are kept up to date automatically, and the scanning daemon runs continuously for on-demand and scheduled malware detection. This gives you a baseline defense against malware that lands on your server through application code, uploads, or dependencies.

What this means for you
  • ClamAV scanning daemon active and running from first boot
  • Virus definitions updated immediately and refreshed daily
  • On-demand scanning available for any file or directory
  • Automatic definition updates — no manual maintenance required

Minimal attack surface

Our base image ships with the minimum packages needed to run a secure server. No web servers, no mail daemons, no monitoring agents, no package managers you didn't ask for. Every additional package is a potential vulnerability. We install what you need and nothing more.

What this means for you
  • Clean base image with only essential system packages
  • No pre-installed web servers, mail servers, or GUI components
  • Optional packages (PostgreSQL, OpenClaw) installed only when explicitly selected
  • No unnecessary services running — nothing to forget to disable

Full hardware isolation

Every ShieldHost server runs with full hardware-level virtualization — not a container, not a shared-kernel VPS. You get your own kernel, your own memory space, your own network stack. A compromise on one server cannot escape to affect another.

What this means for you
  • Dedicated kernel per server — no shared-kernel risk
  • Hardware-enforced memory isolation between tenants
  • Dedicated virtual network interfaces per server
  • Same isolation technology used by major cloud providers

Credential hygiene

Provisioning requires sensitive data like your Tailscale auth key. We automatically scrub provisioning data from disk after setup completes. Sensitive credentials aren't left sitting in plaintext waiting to be found.

What this means for you
  • Provisioning data removed from disk after first boot
  • Auth keys exist only in memory after cleanup
  • Admin credentials not logged or written to accessible files
  • Package credentials (e.g., database passwords) stored with root-only permissions

Automatic security updates

Your server is configured to apply security patches automatically. You don't need to SSH in at 2 AM to patch a kernel vulnerability. The system handles it, and if a reboot is needed, it happens during a safe maintenance window.

What this means for you
  • Automatic security patches enabled out of the box
  • Security repositories enabled by default
  • Critical CVE patches applied without manual intervention
  • Kernel updates applied automatically with configurable reboot windows

Shared responsibility model

We handle the infrastructure security — the base image, the network configuration, the firewall, the malware scanning, the automatic updates. That's our job, and we take it seriously.

You handle the application layer — what you deploy, how you configure it, who you give access to, and what your Tailscale ACL policies look like. We give you a clean, hardened substrate. What you build on it is up to you.

ShieldHost handles

  • Infrastructure security and patching
  • Base image hardening and updates
  • Tailscale installation and network config
  • Firewall with deny-all default policy
  • ClamAV malware scanning and definition updates
  • Automatic OS security patches
  • DDoS mitigation at the network layer
  • Credential cleanup after provisioning

You handle

  • Application code and dependencies
  • Application-level authentication
  • Tailscale ACL policies and access control
  • SSH key management and rotation
  • Any additional firewall rules you add
  • Database backups and application data
  • Third-party software you install manually
  • Monitoring and alerting for your workloads

Secure by default. Not by accident.

Every security measure on this page is active on your server from boot. No setup guides, no checklists, no hope-you-remembered.