Security is not simply a matter of stacking layers of protection. At ScalarX, we apply a pragmatic approach: reduce the attack surface, harden critical components, and keep operations running smoothly.
The model combines local StackX security, ScalarCloud infrastructure protections, decentralized monitoring, and 24/7 human response capability.
Every environment receives a standardized, verifiable, and operationally manageable technical baseline: access controls, network filtering, logging, continuous monitoring, local auditing, integrity checks, and remediation mechanisms.
Objective: improve security without creating unnecessary operational friction, including in multi-site, disaster recovery, hybrid, or multi-provider environments.
Applied Security Principles
Applied Security Principles
Principle
Application
Attack surface reduction
Disable unnecessary services, isolate access, and harden configuration
Defense in depth
Local firewall, system hardening, monitoring, auditing, backup, and incident response
Local-first
Critical checks can still be run locally, without depending on a single central platform
Prevention, detection, remediation
The stack aims to prevent, detect, and then correct operational deviations
Verifiable operations
Post-install audits, managed-file compliance, recurring checks, and usable logs
Security / productivity balance
Measures tailored to the context, without adding controls that obstruct day-to-day operations
Shared StackX Security BaselineShared access, isolation, and hardening
Shared StackX Security Baseline
Control
Description
Dedicated bastions
Administrative access, deployments, and operational work go through dedicated bastions
Local firewall
Filtering independent of external infrastructure, with structured rules and controlled reloads
Whitelists / blacklists
Smart atomic whitelists and blacklists (IPs, networks, AS, countries, zones)
SSH whitelist-only
SSH exposure limited to explicitly authorized IP addresses when the context requires it
Anti-brute-force protection
Fail2ban integrated into StackX profiles, with an ignore list consistent with the operator scope
Application isolation
Each environment runs its services and processes under its own dedicated user (PHP, Node.js, Python, Java, Bash, and others)
Per-user Node.js runtime
Node.js management through sxnode, with a dedicated tree, controlled activation, and state auditing
System hardening
Kernel/sysctl profiles, stronger permissions, component separation, and fewer exposed paths
SELinux confinement
Activation, mode changes, and AVC denial analysis based on the application scope and required isolation level
StackX Audit, Detection, and Recurring ChecksLocal tools, integrity, web scanning, and auditd
StackX Audit, Detection, and Recurring Checks
Tool / component
Role
sxpostcheck
Post-install and post-maintenance audit: services, access, firewall, SELinux, backups, monitoring, replication, and compliance checks
sxcfgcheck
Non-destructive local validation of a StackX configuration file before delivery
sxaudit
StackX auditd rules and local review of sensitive events: identity, sudo, SSH, cron, systemd, firewall, kernel, and modules
sxintegrity
Integrity baseline and local diff for critical system and StackX paths, including sensitive-file checks
sxwebscan
Non-destructive local scan of web roots for signs of web shells or post-exploitation activity
sxsecuritycron
Recurring security check orchestration: audit, integrity, web scanning, rkhunter, and optional reports
sxnetstat
Summary of network listeners, port/direction filters, and whitelist validation
sxselinux
SELinux denial review, diagnostics, summary, and draft rules without automatic policy installation
rkhunter / chkrootkit
Additional anomaly and rootkit signature detection
Advanced StackX HardeningKernel, SELinux, databases, and local services
Advanced StackX Hardening
Mechanism
Role
Kernel hardening
Neutralizes module families that are unnecessary or risky on a LAMP server
Strict sysctl profile
Restrictions for ptrace, unprivileged BPF, user namespaces, kernel leaks, perf, and system protections
/tmp hardening
Mount options applied when the application context allows them
StackX SELinux
Can be enabled, controlled, and disabled in an emergency, with relabeling after a sync, import, or restore
MariaDB encryption
Server-side protection when justified by the architecture and isolation requirements
Managed PostgreSQL
PGDG repository, explicit major version, dedicated application roles, and optional physical PRD/DRS replication
Redis local-only
Optional local service with authentication, memory limit, and no unnecessary network exposure
OpenSearch local-only
Optional service with the security plugin enabled, a controlled JVM heap, and no firewall opening by default
RabbitMQ local-only
Optional broker with a dedicated user and vhost, persistent secrets, and no public network listener
Security by StackX ProductLAMP, Bastion, Proxy, DNS, Backup, and Monitoring
Security by StackX Product
Product
Security Implemented
StackX LAMP
Isolated environments, multi-version PHP, per-user Node.js, dedicated databases, RabbitMQ local-only, per-vhost logs, and local FPM checks
StackX Bastion
Hardened SSH, local inventory, append-only session recording, notifications, and locked batch operations
StackX Proxy
Authenticated Squid proxy, optional source restrictions, controlled CONNECT ports, forwarded_for/via settings that can be disabled, and post-install validation
StackX DNS
Primary/secondary authoritative DNS, restricted AXFR transfers, transactional record changes with rollback, RRL, and explicit DNSSEC
StackX Backup
Dedicated backup accounts, forced rdiff-backup command, anti-enumeration datastore, and per-source SSH rules for backed-up servers
StackX Monitoring System
Local source of truth that can be exposed over HTTPS and verified by an independent third party or a manual check
Typical Local SMS ChecksServices, resources, backups, and replication
Typical Local SMS Checks
Check
What Is Checked
Critical processes
Apache, PHP-FPM, SSH, cron, fail2ban, RabbitMQ, and services specific to the server role
Local network and Internet
Local connectivity, DNS, public IP, endpoints, and exposed services
Storage
Filesystems, disk usage, inodes, software RAID, and ZFS pools when present
Load and memory
System load, RAM usage, and signs of local saturation
Databases and application services
MariaDB/MySQL, PostgreSQL, Redis, OpenSearch, RabbitMQ, and Memcached depending on the installed profile
Backups
Log presence, database/file backup execution, and freshness of the latest operations
PRD/DRS synchronization
Freshness of synchronization markers and detection of the latest error states
System updates
Age of the latest updates and local operational state reporting
ScalarCloud Anti-DDoS Protection & ResilienceNetwork mitigation, filtering, and resilient architecture
ScalarCloud Anti-DDoS Protection & Resilience
Layer
Protection
Volumetric protection
Multi-layer anti-DDoS protection (L3/L4) with upstream mitigation
Network prefiltering
Pre-firewall systems to absorb and filter traffic
Edge filtering
Dedicated vRouters controlling inbound and outbound traffic
Specialized mitigation
Protection against amplification attacks and targeted floods
Hardware processing
FPGA support for advanced attack scenarios
Resilient architecture
Design focused on service continuity and limiting failure points
Operational Response & Continuity
Operational Response & Continuity
Area
Operational Commitment
Support
24/7 technical support
Monitoring
Decentralized alerting independently validated by a third party
Ongoing operations
Preventive and corrective actions within the managed scope
Backups
External, PBS, or dedicated backup strategies depending on scope
Disaster recovery
Replication, spare capacity, VIP, and DR procedures depending on the architecture
Security maintenance
Recurring checks, updates, local audits, and correction of detected deviations
Need an audit of your current exposure? We can define a progressive security path tailored to your infrastructure and business constraints.
ScalarX designs and operates redundant, maintainable, and scalable architectures tailored to production constraints, the selected provider, and the required level of independence.
Monitoring
ScalarX combines StackX Monitoring System, decentralized monitoring, and an independent international third party to distinguish local server state, service state, and network path issues.
Managed Operations
ScalarX combines human expertise, conditional algorithms, and agentic AI systems to strengthen operational reliability, detect weak signals, accelerate response, and improve the quality of operations.