No-Logs VPS Configuration - Minimize Your Server's Data Footprint

Linux systems log extensively by default. Reduce system logging: **Systemd journal (most modern distros):** ```bash # /etc/systemd/journald.conf [Journal] Storage=none # Don't store to disk Compress=yes RateLimitIntervalSec=0 RateLimitBurst=0 ``` This disables persistent journal storage. Logs exist only in memory and are lost on reboot. **Auth logs (/var/log/auth.log):** ```bash # In /etc/rsyslog.conf, comment out or redirect to /dev/null: #auth,authpriv.* /var/log/auth.log auth,authpriv.* /dev/null ``` **Last login logs (/var/log/lastlog, /var/log/wtmp):** ```bash # Remove and replace with /dev/null: rm /var/log/lastlog /var/log/wtmp /var/log/btmp ln -s /dev/null /var/log/lastlog ln -s /dev/null /var/log/wtmp ln -s /dev/null /var/log/btmp ``` After this, "last" and "lastlog" commands show no history. No login records.

**Nginx - disable access logs globally:** ```nginx # /etc/nginx/nginx.conf, in http block: access_log off; error_log /dev/null emerg; # Only log emergencies to /dev/null ``` Or per-server block: ```nginx server { access_log off; error_log /dev/null; ... } ``` **Hash IPs in logs (if you need some logging):** ```nginx # Replace IP with HMAC-SHA256 of IP + secret # Use map directive to hash before logging: map $remote_addr $remote_addr_hashed { default $remote_addr; } ``` A more complete solution: log format that replaces IPs with /24 subnet (last octet removed). This preserves geographic data for analytics without identifying individual users: ```nginx log_format privacy '$remote_addr_anon - $remote_user [$time_local] "$request" $status'; # Define $remote_addr_anon via geo module to strip last octet ```

**WireGuard:** WireGuard kernel module does not log connection details by default. Confirm: ```bash # WireGuard does not log peer IPs or handshake times by default # To verify no custom logging is configured: cat /etc/wireguard/wg0.conf # Should contain no logging directives journalctl -u wg-quick@wg0 # Check for unexpected logging ``` **Shadowsocks:** configure log level to suppress access logs: ```json { "server": "0.0.0.0", "server_port": 8388, "password": "...", "method": "chacha20-ietf-poly1305", "timeout": 300, "log_file": "/dev/null" } ``` **SSH:** reduce sshd logging in /etc/ssh/sshd_config: ``` LogLevel QUIET ``` QUIET suppresses most SSH log entries. Authentication failures are still logged - to eliminate those entirely, redirect to /dev/null as shown above. **Tor relay:** in /etc/tor/torrc: ``` Log notice stderr ``` 'notice' logs important events only, not per-connection data.

**Disable kernel network logging:** ```bash # /etc/sysctl.conf - disable various network logging: net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 kernel.printk = 3 4 1 3 # Reduces kernel message verbosity ``` **UFW logging:** UFW (uncomplicated firewall) logs dropped packets by default: ```bash ufw logging off ``` **tcpdump and packet capture:** no persistent packet capture should be running on a privacy server. Verify: ```bash ps aux | grep tcpdump ps aux | grep wireshark ``` **RAM-only operation (advanced):** use tmpfs for /tmp and set other directories to temporary storage. For the highest privacy: operate the VPS in a way that all logs go to /dev/null or to tmpfs only. After reboot, nothing persists except deliberately stored application data. Note: completely removing all logging makes debugging difficult if issues arise. Consider a compromise: ephemeral logs kept for 24 hours in memory-backed storage, then discarded.