{"id":93,"date":"2025-08-09T17:30:30","date_gmt":"2025-08-09T17:30:30","guid":{"rendered":"https:\/\/server.ua\/en\/blog\/?p=93"},"modified":"2025-08-09T17:30:30","modified_gmt":"2025-08-09T17:30:30","slug":"vps-security-how-to-protect-your-server-when-deploying-ci-cd-via-gitops","status":"publish","type":"post","link":"https:\/\/server.ua\/en\/blog\/vps-security-how-to-protect-your-server-when-deploying-ci-cd-via-gitops","title":{"rendered":"VPS Security. How to Protect Your Server When Deploying CI\/CD via GitOps"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfs9TBMIuNb4a0kOLBJavARC6gXwO9FFMhyrvmu1IO05xd2dL-kHCM9oOshYEibiUcnnSL5N3owR-gHqWeBWwwliMBL5ZevUFdivZ9Pvtf1VWIfqT9xUEKITIrZJ2UhIz9a2Lus?key=y-eFZgmK6Uhc1JiqYzU1CA\" alt=\"\"\/><\/figure>\n\n\n\n<p>Modern companies are increasingly adopting automation for software deployment processes. Combining CI\/CD and the GitOps approach makes it possible to update infrastructure quickly and without manual intervention. However, the more automation you have, the higher the risks if security is not properly configured.<br>This is especially critical when an application or infrastructure is deployed on a VPS connected to a public network. In such a scenario, a supply chain attack can lead to full server compromise and leakage of confidential data.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>In this article, we will look at a set of measures that will help protect a VPS when using the GitOps methodology in CI\/CD processes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What is GitOps and Why It\u2019s Vulnerable<\/strong><\/h2>\n\n\n\n<p>GitOps is an approach in which all infrastructure and application configurations are stored in a Git repository. Any change to the configuration (through a pull request or merge) automatically updates the working environment via a CI\/CD process.<br>This greatly simplifies management but at the same time creates a single point of potential attack \u2014 the configuration repository.<\/p>\n\n\n\n<p>If compromised or accessed without authorization, an attacker can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>modify the deployment configuration;<br><\/li>\n\n\n\n<li>insert malicious code into the pipeline;<br><\/li>\n\n\n\n<li>obtain secrets (passwords, API keys);<br><\/li>\n\n\n\n<li>install backdoors on the VPS.<br><\/li>\n<\/ul>\n\n\n\n<p>That\u2019s why security starts at the code repository level and is not limited to the server itself.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. Protecting the Git Repository<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1.1. Access Restrictions and the Principle of Least Privilege<\/strong><\/h3>\n\n\n\n<p>Grant each user only the permissions they truly need. For example, a developer may have access to a specific branch but not to the production branch.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1.2. Two-Factor Authentication<\/strong><\/h3>\n\n\n\n<p>Enable 2FA for all accounts in GitHub, GitLab, or Bitbucket. This reduces the risk of compromise through a stolen password.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1.3. Commit Signing<\/strong><\/h3>\n\n\n\n<p>Use GPG signatures for commits and tags. This ensures that changes are made by an authorized user, not by an outsider.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1.4. Secret Scanning<\/strong><\/h3>\n\n\n\n<p>Use tools like <em>Gitleaks<\/em> or <em>TruffleHog<\/em> to automatically check the repository for accidentally committed passwords, tokens, or SSH keys.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2. Building a Secure CI\/CD Process<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2.1. Environment Isolation<\/strong><\/h3>\n\n\n\n<p>Testing and production environments must have different credentials and be physically or logically isolated. This prevents test experiments from affecting live services.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2.2. Secret Management<\/strong><\/h3>\n\n\n\n<p>Do not store passwords and keys in code or in open environment variables. Use <em>Vault<\/em>, <em>AWS Secrets Manager<\/em>, <em>HashiCorp Vault<\/em>, or <em>Kubernetes Secrets<\/em>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2.3. Code Checks Before Deployment<\/strong><\/h3>\n\n\n\n<p>Implement automated checks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Linting \u2014 detecting syntax errors.<br><\/li>\n\n\n\n<li>Static Application Security Testing (SAST) \u2014 finding vulnerabilities in code.<br><\/li>\n\n\n\n<li>Dependency scanning \u2014 checking libraries for known security issues.<br><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2.4. Controlling Access to Runners<\/strong><\/h3>\n\n\n\n<p>Use private CI\/CD Runners to avoid the risk of compromise through shared public agents.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. VPS Security in a GitOps Infrastructure<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3.1. Timely Updates<\/strong><\/h3>\n\n\n\n<p>Update the OS kernel, packages, and services. Outdated software is the main entry point for exploiting vulnerabilities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3.2. Firewall Configuration<\/strong><\/h3>\n\n\n\n<p>Restrict port access using UFW or iptables. Only necessary services should remain open.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3.3. SSH Protection<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable password authentication \u2014 use keys only.<br><\/li>\n\n\n\n<li>Change the default port 22 to a non-standard one.<br><\/li>\n\n\n\n<li>Allow SSH access only from specific IP addresses.<br><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3.4. Monitoring and Logging<\/strong><\/h3>\n\n\n\n<p>Integrate <em>Prometheus<\/em> and <em>Grafana<\/em> for VPS monitoring and <em>ELK Stack<\/em> for real-time log analysis.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3.5. Backups<\/strong><\/h3>\n\n\n\n<p>Perform regular backups of critical data. For additional security, use colocation or remote data centers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. SSL and Securing Data Transmission<\/strong><\/h2>\n\n\n\n<p>The transfer of configurations, code, and secrets should take place only through encrypted channels.<br>Using <a href=\"https:\/\/server.ua\/en\/ssl\">SSL certificates<\/a>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>protects data from interception;<br><\/li>\n\n\n\n<li>guarantees server authenticity;<br><\/li>\n\n\n\n<li>reduces the risk of \u201cman-in-the-middle\u201d (MITM) attacks.<br><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>5. Automated Security Auditing<\/strong><\/h2>\n\n\n\n<p>Integrate the following checks into your pipeline:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SAST \u2014 static code analysis.<br><\/li>\n\n\n\n<li>DAST \u2014 dynamic testing during application runtime.<br><\/li>\n\n\n\n<li>IaC Scanning \u2014 checking Terraform\/Ansible\/Helm configurations.<br><\/li>\n<\/ul>\n\n\n\n<p>It is recommended to automatically generate reports and send them to the DevSecOps team after each deployment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p>Securing a VPS when using GitOps in CI\/CD is a multi-step process:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>from a secure repository and a controlled pipeline;<br><\/li>\n\n\n\n<li>to a properly configured firewall and monitoring;<br><\/li>\n\n\n\n<li>with mandatory encryption and regular backups.<br><\/li>\n<\/ul>\n\n\n\n<p>By choosing a <a href=\"https:\/\/server.ua\/en\/vps\">reliable VPS<\/a> with modern security features, you gain stability and control, while proper GitOps configuration ensures fast and secure updates to your infrastructure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Modern companies are increasingly adopting automation for software deployment processes. Combining CI\/CD and the GitOps approach makes it possible to update infrastructure quickly and without manual intervention. However, the more automation you have, the higher the risks if security is not properly configured.This is especially critical when an application or infrastructure is deployed on a [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[82,109,108,22],"class_list":["post-93","post","type-post","status-publish","format-standard","hentry","category-security","tag-ci-cd","tag-gitops","tag-server-protection","tag-vps-security"],"_links":{"self":[{"href":"https:\/\/server.ua\/en\/blog\/wp-json\/wp\/v2\/posts\/93","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/server.ua\/en\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/server.ua\/en\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/server.ua\/en\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/server.ua\/en\/blog\/wp-json\/wp\/v2\/comments?post=93"}],"version-history":[{"count":1,"href":"https:\/\/server.ua\/en\/blog\/wp-json\/wp\/v2\/posts\/93\/revisions"}],"predecessor-version":[{"id":94,"href":"https:\/\/server.ua\/en\/blog\/wp-json\/wp\/v2\/posts\/93\/revisions\/94"}],"wp:attachment":[{"href":"https:\/\/server.ua\/en\/blog\/wp-json\/wp\/v2\/media?parent=93"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/server.ua\/en\/blog\/wp-json\/wp\/v2\/categories?post=93"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/server.ua\/en\/blog\/wp-json\/wp\/v2\/tags?post=93"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}