
Server hardening

  • Disable SSH password login (PasswordAuthentication no, KbdInteractiveAuthentication no) and allow key-based authentication only. Confirm a key login works in a second session before reloading sshd.
  • Run ufw allow 22,80,443/tcp && ufw enable. ufw denies inbound traffic by default, so this closes everything else; add the SSH rule before enabling so you do not lock yourself out.
  • Keep the dashboard port (8443) firewalled off from the public internet. Access it via an SSH tunnel or a WireGuard/AmneziaWG VPN.
  • Enable automatic security updates: apt install unattended-upgrades, then confirm the periodic timer is on (dpkg-reconfigure -plow unattended-upgrades, or check /etc/apt/apt.conf.d/20auto-upgrades).
  • Run the Pier systemd unit with the shipped hardening flags (NoNewPrivileges=yes, ProtectSystem=strict, ProtectHome=yes, PrivateTmp=yes). If you write your own unit, remember that ProtectSystem=strict makes the filesystem read-only for the service, so /opt/pier/data must be listed in ReadWritePaths or Pier cannot write its database and backups.
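The steps above as one script, added here as an example; it is not Pier's install.sh. It assumes a Debian/Ubuntu host with OpenSSH 8.2+ (which reads /etc/ssh/sshd_config.d), that the unit is named pier.service, and that Pier's writable state lives under /opt/pier/data (all assumptions; check your unit file). The functions take an optional target directory so the generated files can be inspected without touching the live system.

```bash
#!/usr/bin/env bash
# Added example, not Pier's own installer. Applies the hardening checklist on Debian/Ubuntu.
# Assumed: OpenSSH >= 8.2 (sshd_config.d Include), unit name pier.service, state in /opt/pier/data.
set -euo pipefail

PIER_DATA=${PIER_DATA:-/opt/pier/data}

# sshd drop-in: keys only. $1 = drop-in directory (default: the live one).
write_sshd_dropin() {
  local dir=${1:-/etc/ssh/sshd_config.d}
  mkdir -p "$dir"
  cat > "$dir/50-keys-only.conf" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
  printf '%s\n' "$dir/50-keys-only.conf"
}

# Firewall: explicit default-deny, then only SSH and HTTP(S). 8443 is deliberately not opened.
configure_firewall() {
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow 22,80,443/tcp
  ufw --force enable          # --force skips the interactive confirmation
}

# Installing the package is not enough on every image; 20auto-upgrades turns the timer on.
enable_auto_updates() {
  apt-get install -y unattended-upgrades
  cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# systemd drop-in with the hardening flags. ProtectSystem=strict makes the whole filesystem
# read-only for the service, so the data directory must be whitelisted in ReadWritePaths.
# $1 = drop-in directory (default: the live one).
write_pier_override() {
  local dir=${1:-/etc/systemd/system/pier.service.d}
  mkdir -p "$dir"
  cat > "$dir/hardening.conf" <<EOF
[Service]
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=$PIER_DATA
EOF
  printf '%s\n' "$dir/hardening.conf"
}

# Only touch the live system when explicitly asked: sudo ./harden.sh apply
if [ "${1:-}" = "apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  write_sshd_dropin >/dev/null
  sshd -t                      # validate before reloading so a typo cannot lock you out
  systemctl reload ssh
  configure_firewall
  enable_auto_updates
  write_pier_override >/dev/null
  systemctl daemon-reload
  systemctl restart pier
fi
```

Run without arguments the script only defines functions; `apply` performs the changes. Keep your current SSH session open until a fresh key-based login succeeds.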

Pier installs with sensible defaults:

/opt/pier/bin/pier root:root 0755
/opt/pier/.env pier:pier 0600
/opt/pier/data/pier.db pier:pier 0600
/opt/pier/data/backups pier:pier 0700

If you run install.sh yourself, preserve those owners and modes: .env, pier.db and the backups directory hold secrets and must not be group- or world-readable, and the binary should not be writable by the pier user.
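An audit for the table above, added here as an example (not part of Pier's install.sh). It compares each path's owner and mode against the documented values using GNU stat, reports drift, and can optionally restore the documented modes when run as root with `fix`.

```bash
#!/usr/bin/env bash
# Added example, not Pier's code: audit (and optionally fix) the install modes documented above.
# Uses GNU coreutils stat (Linux).
set -u

# Expected "path owner:group mode" triples, copied from the table above.
PIER_EXPECTED='
/opt/pier/bin/pier root:root 755
/opt/pier/.env pier:pier 600
/opt/pier/data/pier.db pier:pier 600
/opt/pier/data/backups pier:pier 700
'

# check_perm PATH OWNER:GROUP MODE
# Prints "ok", "missing" or "drift ..." for the path; returns 0 only when it matches.
check_perm() {
  local path=$1 want_owner=$2 want_mode=$3 actual
  if [ ! -e "$path" ]; then
    echo "missing $path"
    return 2
  fi
  actual=$(stat -c '%U:%G %a' "$path")
  if [ "$actual" = "$want_owner $want_mode" ]; then
    echo "ok $path"
    return 0
  fi
  echo "drift $path: have $actual, want $want_owner $want_mode"
  return 1
}

# audit_pier_perms [TABLE]
# Walks the table (default: PIER_EXPECTED); returns the number of paths that failed.
audit_pier_perms() {
  local fails=0 path owner mode
  while read -r path owner mode; do
    [ -n "$path" ] || continue
    check_perm "$path" "$owner" "$mode" || fails=$((fails + 1))
  done <<< "${1:-$PIER_EXPECTED}"
  return "$fails"
}

# fix_pier_perms: apply the documented owner and mode to every path that exists (run as root).
fix_pier_perms() {
  local path owner mode
  while read -r path owner mode; do
    [ -n "$path" ] && [ -e "$path" ] || continue
    chown "$owner" "$path" && chmod "$mode" "$path"
  done <<< "$PIER_EXPECTED"
}

if [ "${1:-}" = "fix" ]; then
  fix_pier_perms
elif [ "${1:-}" = "audit" ]; then
  audit_pier_perms
fi
```

`./pier-perms.sh audit` exits with the number of non-compliant paths, which makes it easy to run from cron or a CI step after a deploy.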

  • Keep Docker up to date: apt update && apt upgrade docker-ce.
  • Avoid mounting /var/run/docker.sock into containers you don’t fully trust. Anything that can talk to the socket can start a privileged container and is effectively root on the host.
  • Do not run containers with --privileged unless a template specifically requires it. None of Pier’s first-party templates need it.
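A quick audit for the two Docker rules above, added here as an example and not part of Pier. It asks docker inspect for one line per running container (name, privileged flag, mount sources) and flags containers that run with --privileged or mount the Docker socket. The sample lines in the test are constructed, so the checking logic runs without a Docker daemon.

```bash
#!/usr/bin/env bash
# Added example, not Pier's code: find running containers that are privileged or mount the Docker socket.
set -u

# docker inspect Go template: "<name> <true|false> <mount source> <mount source> ..."
DOCKER_FMT='{{.Name}} {{.HostConfig.Privileged}}{{range .Mounts}} {{.Source}}{{end}}'

# flag_risky_container LINE
# Prints one finding per issue; returns 0 when the container is clean, 1 otherwise.
flag_risky_container() {
  local name privileged rest found=0
  read -r name privileged rest <<< "$1"
  if [ "$privileged" = "true" ]; then
    echo "$name: runs with --privileged"
    found=1
  fi
  case " ${rest:-} " in
    *" /var/run/docker.sock "*|*" /run/docker.sock "*)
      echo "$name: mounts the Docker socket (host-root equivalent)"
      found=1 ;;
  esac
  return "$found"
}

# audit_containers [LINES]
# Checks every line (default: all running containers); returns the number of risky containers.
audit_containers() {
  local risky=0 line
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    flag_risky_container "$line" || risky=$((risky + 1))
  done <<< "${1:-$(docker ps -q | xargs -r docker inspect --format "$DOCKER_FMT")}"
  return "$risky"
}

if [ "${1:-}" = "audit" ]; then
  audit_containers
fi
```

`./docker-audit.sh audit` exits non-zero when something needs attention, so it can gate a deploy. Pier's own first-party templates should produce no findings.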

When you paste secrets into the Pier UI, they travel over HTTPS to the Pier API, are encrypted with AES-256-GCM before being written to SQLite, and never leave the server. That encryption protects the database file at rest; it does not protect against anyone who already has root on the host, which is why the SSH, firewall and file-mode guidance above matters.