
Layer security in depth on your Kamal VM

takeaway 4 connections

Even when the controls overlap (cloud firewall + UFW + Tailscale + fail2ban + non-root user), keep them all: security works in layers, and the redundancy is cheap. Concretely, the cloud firewall exposes only HTTP/HTTPS publicly, allows SSH on port 22 or over Tailscale (UDP), and restricts intra-VPC traffic to the private subnet; UFW mirrors the same policy inside the VM; fail2ban protects SSH; and a non-root 'pass_admin' user with sudo, together with root login disabled, reduces the blast radius.
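As an added drift check (not part of this note or of Kamal's tooling), the script below parses `ufw status` output and flags any ALLOW rule that falls outside the policy described above; Tailscale's default UDP port 41641 and a 10.0.0.0/16 private subnet are assumptions to adjust for your VPC.

```shell
#!/bin/sh
# Check a Kamal host's UFW rules against the layered policy above:
# only HTTP, HTTPS, SSH and Tailscale may be open to Anywhere; every other
# ALLOW rule must be scoped to the private VPC subnet.
# Assumptions (not from the note): Tailscale's default WireGuard port 41641/udp
# and a private subnet of 10.0.0.0/16.
set -eu

PUBLIC_ALLOW="80/tcp 443/tcp 22/tcp 22 41641/udp"
PRIVATE_SUBNET="10.0.0.0/16"

# Reads `ufw status` text on stdin and prints one line per rule that breaks
# the policy; prints nothing when the ruleset matches.
ufw_policy_violations() {
  # fold "(v6)" rows onto their IPv4 twins so one parser handles both
  sed 's/ (v6)//g' | while read -r port action from rest; do
    case "$port" in ''|Status:|To|--*) continue ;; esac   # skip header lines
    [ "$action" = "ALLOW" ] || continue                   # DENY/REJECT rows are fine
    if [ "$from" = "Anywhere" ]; then
      case " $PUBLIC_ALLOW " in
        *" $port "*) ;;                                   # permitted public port
        *) echo "unexpected public rule: $port ALLOW $from" ;;
      esac
    elif [ "$from" != "$PRIVATE_SUBNET" ]; then
      echo "unexpected source: $port ALLOW $from"
    fi
  done
}

# Constructed sample of `ufw status` output: Redis exposed to the world and a
# Postgres rule scoped to the wrong range are the two drifts to catch.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
41641/udp                  ALLOW       Anywhere
5432/tcp                   ALLOW       203.0.113.0/24
6379/tcp                   ALLOW       Anywhere
3000/tcp                   ALLOW       10.0.0.0/16
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# Demo run over the sample; on a live host pipe `sudo ufw status` in instead.
printf '%s\n' "$SAMPLE_STATUS" | ufw_policy_violations
```

Run it from cron or a deploy hook and alert on any output, since a silent run means the in-VM policy still mirrors the cloud firewall.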

type
recommendation
takeaway Layer security in depth on your Kamal VM
about
fail2ban tool
Named as part of the defense-in-depth stack.
takeaway Layer security in depth on your Kamal VM
about
UFW tool
Named as part of the defense-in-depth stack.
takeaway Layer security in depth on your Kamal VM
about
Tailscale tool
Named as part of the defense-in-depth stack.
takeaway Layer security in depth on your Kamal VM
from_talk
Security posture Strzibny argues for.

Provenance