
Zero Trust Infrastructure

Production server hardened with Zero Trust Network Access using Netbird and WireGuard. Port 22 closed on the public internet. SSH and internal services accessible only through an encrypted private overlay network.

Tags: Zero Trust, Netbird, WireGuard, Linux, Security, Infrastructure

Overview

Every server with a public IP address gets scanned. Automated tools crawl the entire IPv4 space continuously looking for open ports. If SSH is open, someone is trying to get in constantly, from everywhere.

The standard response is key-based authentication and a good firewall. That is reasonable. But it still leaves port 22 reachable by anyone who can find your IP. The question is whether it needs to be.

This project implements Zero Trust Network Access on a production VPS so that SSH and all internal services are completely invisible from the public internet, while remaining fully accessible from authorized devices through an encrypted private overlay network.

What Zero Trust Means Here

Zero Trust is not a product. It is a principle: nothing is trusted by default, and every connection must prove its identity before it gets through.

For a production server, this translates to one structural decision. Instead of having internal services open to the internet and protecting them with credentials, make them unreachable from the internet entirely. Access is granted only to enrolled devices, through an encrypted tunnel, based on explicit policy.

The result is that an attacker who discovers your server's public IP can reach exactly one thing: the HTTPS API on port 443. SSH does not exist. The monitoring dashboard does not exist. The database port does not exist. There is nothing to brute force.

What Was Built

Netbird overlay network — Netbird is deployed on the server and on authorized developer devices. Each peer gets a private IP address on a WireGuard encrypted overlay network. The server's Netbird interface is assigned 100.117.7.3 on the private network.

SSH restriction — SSH is configured to listen only on the Netbird interface, not on the public IP. The public firewall blocks port 22 entirely. SSH connections only succeed from enrolled devices with an active WireGuard tunnel.

Internal service protection — the Wazuh security monitoring dashboard runs on port 8443 bound to the Netbird interface only. PostgreSQL is bound to localhost. From the public internet, neither service exists.

CI/CD through the tunnel — GitHub Actions deployments connect to the server through the Netbird network using a service account setup key, so automated deployments work through the same Zero Trust path as manual SSH access.

External verification — port access is verified using portchecker.co, an external tool that tests whether a given port is reachable from outside the network. Ports 22, 8443, and 5432 all return closed on the public IP.
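The external port check above tells you what the internet sees; the complementary check is on the host itself, confirming that every listener except 443 is bound to loopback or the Netbird interface. The following audit script is an added example and not part of the project; it assumes the `ss -tlnH` column layout (local address in the fourth column), that the overlay uses the 100.64.0.0/10 range, and it runs over a constructed sample of `ss` output rather than live sockets.

```python
#!/usr/bin/env python3
"""Audit listening TCP sockets against the page's exposure policy:
only port 443 may be reachable from the public interface; everything
else must sit on loopback or on the Netbird overlay address."""
import ipaddress

NETBIRD_IP = "100.117.7.3"              # overlay address from the page
PUBLIC_OK_PORTS = {443}                 # the only port the internet may reach
PRIVATE_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),   # loopback (PostgreSQL lives here)
    ipaddress.ip_network("100.64.0.0/10"), # assumed Netbird overlay range
]

# Constructed sample of `ss -tlnH` output. The last line is a deliberately
# constructed leftover wildcard IPv6 listener, included so the audit has
# something to report; it is not a finding from the real server.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 100.117.7.3:22 0.0.0.0:*
LISTEN 0 511 100.117.7.3:8443 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

def parse_local(field):
    """Split an ss 'addr:port' field, tolerating bracketed IPv6 and '*'."""
    addr, port = field.rsplit(":", 1)
    return addr.strip("[]"), int(port)

def is_public_facing(addr):
    """True if a socket bound to addr is reachable on the public interface."""
    if addr in ("*", "0.0.0.0", "::"):
        return True                      # wildcard bind covers the public IP
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True                      # unknown form: treat as exposed
    return not any(ip in net for net in PRIVATE_NETS)

def audit(ss_output, allowed_public_ports=PUBLIC_OK_PORTS):
    """Return (address, port) pairs that violate the policy, in input order."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                     # skip headers, blanks, non-listeners
        addr, port = parse_local(cols[3])
        if is_public_facing(addr) and port not in allowed_public_ports:
            findings.append((addr, port))
    return findings

if __name__ == "__main__":
    for addr, port in audit(SAMPLE_SS):
        print(f"EXPOSED: {addr}:{port} is reachable from the public interface")
```

On a real host, feed it `subprocess.run(["ss", "-tlnH"], capture_output=True, text=True).stdout` instead of the sample; an empty result is the state the Before/After section describes.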

Before and After

SSH (port 22):

  • Before Netbird: Open on public IP
  • After Netbird: Closed — Netbird only

Wazuh dashboard (port 8443):

  • Before Netbird: Not yet deployed
  • After Netbird: Closed — Netbird only

PostgreSQL (port 5432):

  • Before Netbird: Localhost only
  • After Netbird: Localhost only

HTTPS API (port 443):

  • Before Netbird: Open
  • After Netbird: Open

Infrastructure Stack

  • VPS: Hetzner VPS (Ubuntu 24.04)
  • Zero Trust: Netbird
  • Tunneling protocol: WireGuard
  • Web server: Nginx
  • SSL: Let's Encrypt (certbot)
  • Process manager: PM2
  • Firewall: UFW
  • Verification: portchecker.co