Kernel

• Dedicated servers running custom hardened kernel
• We follow advanced security practices - KSPP, CLIP OS, grsecurity
• Peripherals turned off (USB, CD drives, PCI hotplugging, serial ports, displays, keyboards & mouses, etc)

OS

• Running Debian Stable, known for stability, reliability and commitment to free software
• Reduced the attack surface by using OVH’s debian-cis scripts
• Tripwire automatically alerts us to potential intrusions, and we manually verify file system integrity after unexpected or suspicious reboots to prevent offline backdoor attacks on our infrastructure

Software

• MAC reduces the impact of vulnerabilities
• We follow principle of least privilege
• We run only open source software

OPSEC

• We use clean non-KYCed crypto and XMR, Tor, virtual phone numbers, unique email per service, etc