Operational Security Guide

Security recommendations for running and using MoaV safely.

For Server Operators

Server Security

  1. Keep system updated:

    apt update && apt upgrade -y
    # Enable automatic security updates
    apt install unattended-upgrades
    dpkg-reconfigure unattended-upgrades
    

  2. Use SSH keys, disable password auth:

    # In /etc/ssh/sshd_config:
    PasswordAuthentication no
    PermitRootLogin prohibit-password
    

  3. Enable firewall:

    ufw allow 22/tcp      # SSH (IMPORTANT: always allow SSH first!)
    ufw allow 443/tcp     # Reality (VLESS)
    ufw allow 443/udp     # Hysteria2
    ufw allow 8443/tcp    # Trojan
    ufw allow 51820/udp   # WireGuard
    ufw allow 51821/udp   # AmneziaWG
    ufw allow 8080/tcp    # wstunnel (WireGuard over WebSocket)
    ufw allow 4443/tcp    # TrustTunnel (HTTP/2)
    ufw allow 4443/udp    # TrustTunnel (HTTP/3 QUIC)
    ufw allow 993/tcp     # Telegram MTProxy (telemt)
    ufw allow 53/udp      # DNS tunnels (dnstt + Slipstream)
    ufw allow 2082/tcp    # CDN WebSocket (VLESS+WS via Cloudflare)
    ufw allow 9443/tcp    # Admin dashboard
    ufw allow 9444/tcp    # Grafana monitoring (if enabled)
    ufw allow 80/tcp      # Let's Encrypt certificate renewal
    ufw enable
    
  Only open ports for protocols you've enabled. At minimum: SSH (22) + your active protocols.

Warning: If you change your SSH port (see below), add a rule for the new port before running ufw enable, or you will lock yourself out.
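Added example (not MoaV's own script): a small POSIX sh helper that turns the port table above into ufw commands, always emitting the SSH rule first and refusing to produce "ufw enable" unless a numeric SSH port is given, which is exactly the lock-out the warning describes; it also serves the SSH-port-change step that follows. The protocol labels in port_for and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of MoaV): print the ufw commands for a set of
# enabled MoaV protocols. The SSH rule is always first and "ufw enable"
# is never emitted without it. Port numbers come from this guide.

# port_for LABEL -> one "port/proto" per line (labels are assumptions)
port_for() {
    case "$1" in
        reality)     echo 443/tcp ;;
        hysteria2)   echo 443/udp ;;
        trojan)      echo 8443/tcp ;;
        wireguard)   echo 51820/udp ;;
        amneziawg)   echo 51821/udp ;;
        wstunnel)    echo 8080/tcp ;;
        trusttunnel) echo 4443/tcp; echo 4443/udp ;;
        mtproxy)     echo 993/tcp ;;
        dns)         echo 53/udp ;;
        cdn-ws)      echo 2082/tcp ;;
        dashboard)   echo 9443/tcp ;;
        grafana)     echo 9444/tcp ;;
        letsencrypt) echo 80/tcp ;;
        *) return 1 ;;
    esac
}

# ufw_plan SSH_PORT LABEL... -> ufw commands, one per line.
# Fails (prints nothing to stdout worth running) if SSH_PORT is not a
# number or a label is unknown, so "ufw enable" cannot appear alone.
ufw_plan() {
    ssh_port=$1; shift
    case "$ssh_port" in
        ''|*[!0-9]*) echo "refusing: SSH port must be numeric" >&2; return 1 ;;
    esac
    echo "ufw allow ${ssh_port}/tcp"          # SSH first, always
    for proto in "$@"; do
        rules=$(port_for "$proto") || { echo "unknown protocol: $proto" >&2; return 1; }
        for r in $rules; do echo "ufw allow $r"; done
    done
    echo "ufw enable"
}

# Review the plan before piping it to sh, e.g.:
#   ufw_plan 2222 reality hysteria2 wireguard
```

Run it with the SSH port you actually use (22 or the new one), so the rule for that port exists before ufw enable is reached.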

  4. Change SSH port (optional):

    # 1. Add firewall rule for new port FIRST
    ufw allow 2222/tcp
    
    # 2. Then change SSH config
    # In /etc/ssh/sshd_config (keep comments on their own line;
    # older sshd versions reject a trailing comment after a directive):
    # 2222 or another port of your choice
    Port 2222
    
    # 3. Restart SSH
    systemctl restart sshd
    
    # 4. Test new port works (from another terminal), then remove old rule
    ufw delete allow 22/tcp
    

Domain Security

  1. Use WHOIS privacy - Hide your personal information
  2. Use a neutral registrar - Avoid country-specific registrars
  3. Keep registration info generic - Don't use real name if possible
  4. Pay anonymously - Use crypto if available

Credential Management

  1. Never share master credentials - Each user gets unique creds
  2. Revoke compromised users immediately:
    ./scripts/user-revoke.sh compromised_user
    
  3. Rotate server keys periodically - Re-bootstrap if concerned
  4. Keep backups of state:
    tar czf moav-backup-$(date +%Y%m%d).tar.gz \
      configs/ outputs/ .env
    

Monitoring

  1. Watch for unusual patterns:
     • Sudden traffic spikes
     • Connections from unexpected IPs
     • Failed authentication attempts

  2. Check logs regularly:

    docker compose logs --tail=100 sing-box | grep -i error
    

  3. Set up alerts (optional):
     • Use Uptime Kuma or similar for monitoring
     • Alert on service down or high resource usage
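Added example (not part of MoaV): an awk-based helper that counts failed authentication attempts per source IP, the third pattern in the list above, run here over a few constructed log lines. The line format ("auth failed" plus an ip= field) and the compose service name used in the usage comment are assumptions; adapt the pattern to what your proxy actually logs.

```shell
#!/bin/sh
# Added example (not MoaV code): flag source IPs with repeated failed
# authentication. The log lines below are constructed for this example
# and their format is an assumption, not sing-box's real format.
# Live usage (service name taken from this guide, otherwise assumed):
#   docker compose logs --tail=1000 sing-box | flag_failed_auth 5

SAMPLE_LOG='2024-01-01T10:00:01Z INFO  inbound/vless: auth ok ip=203.0.113.5
2024-01-01T10:00:02Z WARN  inbound/vless: auth failed ip=198.51.100.7
2024-01-01T10:00:03Z WARN  inbound/vless: auth failed ip=198.51.100.7
2024-01-01T10:00:04Z WARN  inbound/trojan: auth failed ip=198.51.100.7
2024-01-01T10:00:05Z WARN  inbound/vless: auth failed ip=192.0.2.9
2024-01-01T10:00:06Z ERROR inbound/vless: auth failed ip=198.51.100.7'

# flag_failed_auth THRESHOLD   (log lines on stdin)
# Prints "count ip" for each ip with at least THRESHOLD failures,
# highest count first; prints nothing when no ip reaches the threshold.
flag_failed_auth() {
    awk -v min="$1" '
        /auth failed/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^ip=/) { sub(/^ip=/, "", $i); fails[$i]++ }
        }
        END {
            for (ip in fails) if (fails[ip] >= min) print fails[ip], ip
        }' | sort -rn
}

# Against the constructed sample, threshold 3 reports only
# 198.51.100.7 (four failures):
#   printf '%s\n' "$SAMPLE_LOG" | flag_failed_auth 3   -> "4 198.51.100.7"
```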

If Server is Blocked

  1. Don't panic - Have a backup plan ready
  2. Try different protocols first - Reality target change, Hysteria2
  3. If IP is blocked:
     • Get a new VPS with fresh IP
     • Or use floating IP if provider supports
  4. Migrate:
    # On old server
    tar czf moav-state.tar.gz configs/ outputs/ -v moav_state/_data/
    
    # On new server
    # Set up fresh, then restore user data
    

For Users

Device Security

  1. Use a separate profile/user for circumvention apps on shared devices
  2. Don't screenshot QR codes - Or delete immediately after import
  3. Delete bundle files after importing to your apps
  4. Use device encryption - Enable full disk encryption
  5. Set strong device PIN/password

Connection Security

  1. Verify you're connected:
     • Check your IP: https://whatismyip.com
     • Should show server IP, not your real IP

  2. Use HTTPS everywhere even over tunnel:
     • The tunnel encrypts transport, HTTPS encrypts content
     • Protects against compromised tunnel endpoints

  3. Don't trust public WiFi even with VPN:
     • Your device can still be attacked locally
     • Tunnel doesn't protect against local network attacks

App Security

  1. Keep apps updated - Updates often fix detection bypasses
  2. Download from official sources:
     • iOS: App Store
     • Android: GitHub releases or F-Droid
     • Avoid random APK sites

  3. Backup your configs:
     • Export configs from apps
     • Store securely (encrypted)

Behavior Security

  1. Don't share your credentials - Each person should have their own
  2. Don't share screenshots showing server addresses or QR codes
  3. Don't mention specific servers in public forums
  4. Use secure messaging to receive configs (Signal, encrypted email)

If You Suspect Compromise

  1. Stop using that config immediately
  2. Contact admin for new credentials
  3. Check your device for malware
  4. Change passwords for any accounts accessed over that connection

Distribution Security

Sharing Bundles Safely

DO:

  • Use end-to-end encrypted messaging (Signal, Telegram secret chat)
  • Share in person when possible
  • Use encrypted file sharing (OnionShare, Keybase)
  • Delete messages after recipient confirms receipt

DON'T:

  • Email unencrypted configs
  • Post links in public channels
  • Share via unencrypted cloud storage
  • Send screenshots of QR codes to groups

  1. In Person:
     • Safest method
     • Scan QR code directly from your screen

  2. Signal:
     • Send configs as files
     • Enable disappearing messages
     • Verify recipient's safety number

  3. Telegram (Secret Chat only):
     • NOT regular chats
     • Use self-destruct timer

  4. Encrypted Email:
     • PGP/GPG encrypted
     • Or use ProtonMail-to-ProtonMail

Disclaimer: This is not legal advice.

Know Your Jurisdiction

  • Laws vary by country
  • Running circumvention tools may be illegal in some places
  • Using them may also carry risks
  • Assess your personal risk level

Plausible Deniability

The decoy website helps:

  • Server looks like a normal HTTPS site
  • No obvious "VPN" or "proxy" indicators
  • Valid TLS certificate
  • Generic content

Data Retention

MoaV is configured for minimal logging:

  • No URLs logged
  • No request content
  • Basic connection stats only (for admin)

To disable all logging:

    # In .env
    LOG_LEVEL=error
    

Emergency Procedures

If You Think You're Monitored

  1. Stop using current credentials
  2. Contact admin through alternate channel
  3. Get fresh credentials
  4. Consider using a different device
  5. Assess whether to continue using service

If Server is Raided/Seized

User data exposure is limited:

  • Passwords are stored hashed
  • No content is logged
  • IP addresses are in memory only

But assume:

  • Server IP is known
  • User identifiers (not real names) are known
  • Active connections at time of seizure are known

If User is Compromised

As admin:

  1. Revoke user immediately:
    ./scripts/user-revoke.sh username
    
  2. Monitor for unusual activity
  3. Consider rotating server if credentials were extracted
  4. Do NOT contact compromised user through normal channels

Checklist

Server Operator

  • [ ] SSH keys only, no password auth
  • [ ] Firewall configured
  • [ ] System auto-updates enabled
  • [ ] Unique user credentials for everyone
  • [ ] Backup plan if blocked (new IP ready)
  • [ ] Secure distribution channel established

User

  • [ ] Device encrypted
  • [ ] App from official source
  • [ ] Config imported securely
  • [ ] Bundle files deleted after import
  • [ ] Knows which protocol to try if one fails
  • [ ] Knows how to contact admin securely