Security Monday #2: Auditing Our Server Infrastructure
Welcome back to Security Monday. Last time we shared how we approached hardening our new server infrastructure. This week we'd like to share some of the progress we've made since then.
Over the past week, we conducted a comprehensive security audit of our servers using Ubuntu Security Guide (USG). The goal was not to achieve a perfect score, but to identify areas where the systems could be improved while keeping them practical for our infrastructure.
After implementing a number of hardening measures, our servers now achieve an audit score of approximately 86%.
While there is still room for improvement, we're satisfied with this result. Most of the remaining recommendations are not practical for our environment because they would either reduce usability or conflict with the way certain services operate. Security always involves balancing protection with operational requirements.
Building an Integrity Monitoring Pipeline
One of the biggest improvements this week was the implementation of a complete file integrity monitoring pipeline based on AIDE (Advanced Intrusion Detection Environment).
The pipeline performs scheduled integrity scans of the operating system and compares the current file state against a trusted baseline. Whenever unexpected changes are detected, an email alert is generated automatically.
We also wanted to ensure that integrity reports themselves cannot easily be lost or modified. After every scan, the generated reports are uploaded to Cloudflare R2 while a second server maintains additional backups of those reports.
Having multiple independent copies of integrity reports gives us additional confidence when investigating changes and provides historical data that can be reviewed whenever necessary.
Continuous Improvements
Infrastructure security is not something that can be completed once and forgotten. New services, updates, and configuration changes all require continuous review.
Our goal is to automate as much of this process as possible while keeping manual reviews as part of our regular security workflow.
Highlights of the Week
- Completed a comprehensive security audit using Ubuntu Security Guide (USG).
- Improved our audit score to approximately 86%.
- Implemented a complete AIDE-based file integrity monitoring pipeline.
- Added automatic email alerts for integrity changes.
- Stored integrity reports in Cloudflare R2 and on a secondary backup server.
Looking Ahead
Over the coming weeks we'll continue reviewing our infrastructure, improving automation, and further strengthening our monitoring capabilities.
In an upcoming Security Monday article, we'll also take a closer look at several security issues we identified while developing ClickMigrate, how we discovered them, and what we changed to address them.
If you'd like to receive future Security Monday articles, consider subscribing to our newsletter.
See you next Monday,
The QueueForge Security Team
Top comments (0)