ScalarX Security Security is not simply a matter of stacking layers of protection. At ScalarX, we apply a pragmatic approach: reduce the attack surface, harden critical components, and keep operations running smoothly.
 
The model combines local StackX security, ScalarCloud infrastructure protections, decentralized monitoring, and 24/7 human response capability.
 
Every environment receives a standardized, verifiable, and operationally manageable technical baseline: access controls, network filtering, logging, continuous monitoring, local auditing, integrity checks, and remediation mechanisms.
 
Objective: improve security without creating unnecessary operational friction, including in multi-site, disaster recovery, hybrid, or multi-provider environments.

Applied Security Principles

Applied Security Principles
PrincipleApplication
Attack surface reductionDisable unnecessary services, isolate access, and harden configuration
Defense in depthLocal firewall, system hardening, monitoring, auditing, backup, and incident response
Local-firstCritical checks can still be run locally, without depending on a single central platform
Prevention, detection, remediationThe stack aims to prevent, detect, and then correct operational deviations
Verifiable operationsPost-install audits, managed-file compliance, recurring checks, and usable logs
Security / productivity balanceMeasures tailored to the context, without adding controls that obstruct day-to-day operations

Shared StackX Security BaselineShared access, isolation, and hardening

Shared StackX Security Baseline
ControlDescription
Dedicated bastionsAdministrative access, deployments, and operational work go through dedicated bastions
Local firewallFiltering independent of external infrastructure, with structured rules and controlled reloads
Whitelists / blacklistsSmart atomic whitelists and blacklists (IPs, networks, AS, countries, zones)
SSH whitelist-onlySSH exposure limited to explicitly authorized IP addresses when the context requires it
Anti-brute-force protectionFail2ban integrated into StackX profiles, with an ignore list consistent with the operator scope
Application isolationEach environment runs its services and processes under its own dedicated user (PHP, Node.js, Python, Java, Bash, and others)
Per-user Node.js runtimeNode.js management through sxnode, with a dedicated tree, controlled activation, and state auditing
System hardeningKernel/sysctl profiles, stronger permissions, component separation, and fewer exposed paths
SELinux confinementActivation, mode changes, and AVC denial analysis based on the application scope and required isolation level

StackX Audit, Detection, and Recurring ChecksLocal tools, integrity, web scanning, and auditd

StackX Audit, Detection, and Recurring Checks
Tool / componentRole
sxpostcheckPost-install and post-maintenance audit: services, access, firewall, SELinux, backups, monitoring, replication, and compliance checks
sxcfgcheckNon-destructive local validation of a StackX configuration file before delivery
sxauditStackX auditd rules and local review of sensitive events: identity, sudo, SSH, cron, systemd, firewall, kernel, and modules
sxintegrityIntegrity baseline and local diff for critical system and StackX paths, including sensitive-file checks
sxwebscanNon-destructive local scan of web roots for signs of web shells or post-exploitation activity
sxsecuritycronRecurring security check orchestration: audit, integrity, web scanning, rkhunter, and optional reports
sxnetstatSummary of network listeners, port/direction filters, and whitelist validation
sxselinuxSELinux denial review, diagnostics, summary, and draft rules without automatic policy installation
rkhunter / chkrootkitAdditional anomaly and rootkit signature detection

Advanced StackX HardeningKernel, SELinux, databases, and local services

Advanced StackX Hardening
MechanismRole
Kernel hardeningNeutralizes module families that are unnecessary or risky on a LAMP server
Strict sysctl profileRestrictions for ptrace, unprivileged BPF, user namespaces, kernel leaks, perf, and system protections
/tmp hardeningMount options applied when the application context allows them
StackX SELinuxCan be enabled, controlled, and disabled in an emergency, with relabeling after a sync, import, or restore
MariaDB encryptionServer-side protection when justified by the architecture and isolation requirements
Managed PostgreSQLPGDG repository, explicit major version, dedicated application roles, and optional physical PRD/DRS replication
Redis local-onlyOptional local service with authentication, memory limit, and no unnecessary network exposure
OpenSearch local-onlyOptional service with the security plugin enabled, a controlled JVM heap, and no firewall opening by default
RabbitMQ local-onlyOptional broker with a dedicated user and vhost, persistent secrets, and no public network listener

Security by StackX ProductLAMP, Bastion, Proxy, DNS, Backup, and Monitoring

Security by StackX Product
ProductSecurity Implemented
StackX LAMPIsolated environments, multi-version PHP, per-user Node.js, dedicated databases, RabbitMQ local-only, per-vhost logs, and local FPM checks
StackX BastionHardened SSH, local inventory, append-only session recording, notifications, and locked batch operations
StackX ProxyAuthenticated Squid proxy, optional source restrictions, controlled CONNECT ports, forwarded_for/via settings that can be disabled, and post-install validation
StackX DNSPrimary/secondary authoritative DNS, restricted AXFR transfers, transactional record changes with rollback, RRL, and explicit DNSSEC
StackX BackupDedicated backup accounts, forced rdiff-backup command, anti-enumeration datastore, and per-source SSH rules for backed-up servers
StackX Monitoring SystemLocal source of truth that can be exposed over HTTPS and verified by an independent third party or a manual check

Typical Local SMS ChecksServices, resources, backups, and replication

Typical Local SMS Checks
CheckWhat Is Checked
Critical processesApache, PHP-FPM, SSH, cron, fail2ban, RabbitMQ, and services specific to the server role
Local network and InternetLocal connectivity, DNS, public IP, endpoints, and exposed services
StorageFilesystems, disk usage, inodes, software RAID, and ZFS pools when present
Load and memorySystem load, RAM usage, and signs of local saturation
Databases and application servicesMariaDB/MySQL, PostgreSQL, Redis, OpenSearch, RabbitMQ, and Memcached depending on the installed profile
BackupsLog presence, database/file backup execution, and freshness of the latest operations
PRD/DRS synchronizationFreshness of synchronization markers and detection of the latest error states
System updatesAge of the latest updates and local operational state reporting

ScalarCloud Anti-DDoS Protection & ResilienceNetwork mitigation, filtering, and resilient architecture

ScalarCloud Anti-DDoS Protection & Resilience
LayerProtection
Volumetric protectionMulti-layer anti-DDoS protection (L3/L4) with upstream mitigation
Network prefilteringPre-firewall systems to absorb and filter traffic
Edge filteringDedicated vRouters controlling inbound and outbound traffic
Specialized mitigationProtection against amplification attacks and targeted floods
Hardware processingFPGA support for advanced attack scenarios
Resilient architectureDesign focused on service continuity and limiting failure points

Operational Response & Continuity

Operational Response & Continuity
AreaOperational Commitment
Support24/7 technical support
MonitoringDecentralized alerting independently validated by a third party
Ongoing operationsPreventive and corrective actions within the managed scope
BackupsExternal, PBS, or dedicated backup strategies depending on scope
Disaster recoveryReplication, spare capacity, VIP, and DR procedures depending on the architecture
Security maintenanceRecurring checks, updates, local audits, and correction of detected deviations

Infrastructure

ScalarX designs and operates redundant, maintainable, and scalable architectures tailored to production constraints, the selected provider, and the required level of independence.

Monitoring

ScalarX combines StackX Monitoring System, decentralized monitoring, and an independent international third party to distinguish local server state, service state, and network path issues.

Managed Operations

ScalarX combines human expertise, conditional algorithms, and agentic AI systems to strengthen operational reliability, detect weak signals, accelerate response, and improve the quality of operations.