Table of Contents
AI Inference Threat Landscape
Running AI inference on a dedicated GPU server exposes attack surfaces that traditional web servers do not have. Your inference endpoint handles sensitive prompts, serves model outputs that could be manipulated, and runs on expensive hardware that attackers may target for cryptomining. Securing the entire stack is not optional for production deployments.
The main threats include: unauthorised API access consuming GPU resources, prompt injection attacks against your model, data exfiltration of prompts or model weights, and server compromise for cryptomining. For more on securing inference specifically, see our secure AI inference API guide. More security-focused content is in our tutorials section.
Network Hardening
Start with the network perimeter. Most inference servers should not be directly exposed to the public internet.
# UFW firewall: allow only SSH and your API port
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp # SSH
sudo ufw allow 443/tcp # HTTPS API
sudo ufw enable
# Block direct access to vLLM port (use reverse proxy)
sudo ufw deny 8000/tcp
# Optional: restrict SSH to specific IPs
sudo ufw allow from 203.0.113.0/24 to any port 22
Use a reverse proxy. Place nginx or Caddy in front of your vLLM or Ollama endpoint. The proxy handles TLS termination, request filtering, and rate limiting. Never expose the inference engine directly.
Enable TLS everywhere. Use Let’s Encrypt for free certificates. All API traffic should be encrypted in transit. This protects prompt data from network interception.
Private networking. If your application server and GPU server are in the same data centre, use a private network interface for inference traffic. Only expose the public-facing API endpoint through the reverse proxy.
API Authentication and Rate Limiting
An unauthenticated inference endpoint is an open invitation for abuse. Implement multiple layers of API protection.
# Nginx rate limiting and API key authentication
# /etc/nginx/conf.d/inference.conf
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
server {
listen 443 ssl;
server_name api.example.com;
ssl_certificate /etc/letsencrypt/live/api.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;
location /v1/ {
# API key validation
if ($http_authorization = "") { return 401; }
# Rate limiting
limit_req zone=api burst=20 nodelay;
# Request size limit (prevent massive prompts)
client_max_body_size 1m;
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
}
}
Per-key rate limits. Implement different rate limits per API key to prevent any single client from monopolising GPU resources. This is critical for API hosting setups serving multiple consumers.
Request validation. Validate incoming requests before they reach the model. Check prompt length, reject malformed JSON, and enforce maximum token limits. This prevents memory exhaustion attacks that could crash your inference engine.
Model and Data Security
Model weight protection. Store model weights on encrypted volumes. If you are serving proprietary fine-tuned models on private AI hosting, the weights represent significant intellectual property. Restrict file permissions to the inference service user only.
# Restrict model file access
sudo chown -R vllm-service:vllm-service /models/
sudo chmod -R 750 /models/
# Encrypt the model storage volume (setup during provisioning)
# Use LUKS for full-disk encryption on Linux
Prompt data handling. Do not log full prompts in production unless required for debugging. If logging is necessary, ensure logs are encrypted at rest and access-controlled. Prompts may contain sensitive business data, personal information, or proprietary content.
Output filtering. Implement output guardrails to prevent your model from generating harmful or sensitive content. Lightweight classification models can screen outputs before returning them to clients.
Runtime and OS Hardening
Run inference as a non-root user. Create a dedicated service account for vLLM or your inference engine. Never run GPU workloads as root.
# Create service user
sudo useradd -r -s /bin/false vllm-service
# Systemd service file with security directives
[Service]
User=vllm-service
Group=vllm-service
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/log/vllm
PrivateTmp=true
Keep software updated. NVIDIA drivers, CUDA, PyTorch, and vLLM all receive security patches. Subscribe to security advisories for your stack. Update during scheduled maintenance windows.
Disable unused services. A GPU server running inference does not need a web server, mail server, or other services. Disable everything except SSH, your reverse proxy, and the inference engine. Fewer services means fewer attack vectors.
Monitoring and Threat Detection
Security monitoring for GPU servers includes standard server monitoring plus AI-specific concerns.
GPU usage anomalies. Sudden spikes in GPU utilisation when traffic is low may indicate cryptomining malware. Monitor GPU utilisation alongside request counts. If the GPU is at 100% but your API shows zero requests, investigate immediately. Set up monitoring using our GPU monitoring guide.
API abuse detection. Monitor for patterns that indicate abuse: unusually long prompts (prompt injection attempts), high-frequency requests from single IPs, requests with known jailbreak patterns, and requests generating maximum-length outputs consistently.
Log aggregation. Centralise logs from nginx, the inference engine, and system logs. Use tools like Fail2ban to automatically block IPs showing attack patterns. Set up alerts for failed authentication attempts, rate limit breaches, and out-of-memory errors.
A well-secured GPU server protects both your infrastructure investment and your users’ data. Combine these hardening steps with the right dedicated GPU hosting provider, and your inference stack is production-ready. For performance optimisation alongside security, see our vLLM memory optimisation guide and our self-hosted LLM guide.
Secure, Dedicated GPU Hosting
GigaGPU provides dedicated GPU servers with full root access for complete security control. UK data centres, bare-metal hardware, no shared tenancy.
Browse GPU Servers