SafeServerSetup
Sample engagement · representative numbers

Hardened a Contabo Cloud VPS running a Discord bot at scale

A bot reaching 40k Discord servers, running as root, with the token in a world-readable config.

Customer: Discord bot operator
Team size: Solo, ~40k Discord servers
Provider: Contabo
OS: Ubuntu 24.04
Plan: Standard
Duration: 14 hours
Engagement summary

A solo operator running a Discord bot used in roughly 40,000 Discord servers. The bot kept the box busy and the operator hadn't had time to learn server admin properly. We tightened everything around the bot without changing the bot itself.

Why they came to us

A friend in their dev community had had their bot token leaked from a similar setup the previous month. They didn't want to be next.

Audit findings

What we found on the box.

First pass before changing anything. Severity ranges from critical (act immediately) to low (worth knowing).

  • Bot process running as root · critical
  • Bot token stored in a world-readable config file · critical
  • SSH on port 22 with password authentication · high
  • No firewall configured · high
  • Bot logs filling root partition (8% disk free, no rotation) · medium
  • Outbound being silently rate-limited by Contabo (visible as Discord 429s) · low
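
The two critical findings and the SSH finding can be checked from files alone, which is how a first pass is done before anything is changed. The script below is an added example, not SafeServerSetup's own audit tooling: it checks whether a secret file is readable by everyone, whether a systemd unit runs as root (no User= line, or User=root), and what the effective PasswordAuthentication value in an sshd_config is (sshd uses the first match and defaults to yes). All paths are parameters, and the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not SafeServerSetup's own tooling: file-based checks for three
# of the audit findings above. Every path is an argument, so the checks run
# against staged copies as well as a live box.
set -eu

# world_readable FILE: prints "yes" when the mode grants read to "other".
# This is the check behind "token stored in a world-readable config file".
world_readable() {
    if find "$1" -prune -perm -004 | grep -q .; then echo yes; else echo no; fi
}

# unit_runs_as_root UNITFILE: a unit with no User= line, or User=root, runs as
# root. Whitespace around "=" is ignored, as systemd itself does.
unit_runs_as_root() {
    user=$(sed -n 's/^[[:space:]]*User[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -z "$user" ] || [ "$user" = root ]; then echo yes; else echo no; fi
}

# sshd_password_auth SSHD_CONFIG: prints the effective PasswordAuthentication
# value. sshd takes the first occurrence of a keyword, and the default is "yes"
# when it is absent. Match blocks are not evaluated here.
sshd_password_auth() {
    val=$(sed -n 's/^[[:space:]]*PasswordAuthentication[[:space:]]\{1,\}//p' "$1" | head -n 1)
    echo "${val:-yes}"
}

# audit_report TOKENFILE UNITFILE SSHD_CONFIG: one line per finding, tagged with
# the severity used in the audit table; prints nothing when all three are clean.
audit_report() {
    [ "$(world_readable "$1")" = yes ] && echo "critical: $1 is world-readable"
    [ "$(unit_runs_as_root "$2")" = yes ] && echo "critical: $2 runs as root"
    [ "$(sshd_password_auth "$3")" = yes ] && echo "high: password authentication enabled in $3"
    return 0
}

# Usage: ./audit.sh /etc/discordbot/config.env /etc/systemd/system/discordbot.service /etc/ssh/sshd_config
if [ "${3-}" != "" ]; then
    audit_report "$1" "$2" "$3"
fi
```

Run it before and after hardening; an empty report on the token file, the unit and sshd_config is the expected "after" state for those three rows of the table.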
Hardening applied

What we changed, in order.

Each change is reversible and documented in the handover doc. Commands shown are illustrative.

  1. Created a dedicated bot user; bot service rewritten as a systemd unit running as that user.
  2. Moved bot token into a systemd EnvironmentFile with mode 600, owned by the bot user.
  3. SSH: keys-only, custom port, root locked.
  4. UFW: deny inbound except the custom SSH port (the bot needs no inbound traffic).
  5. fail2ban with an aggressive SSH jail (maxretry=2, bantime=24h).
  6. unattended-upgrades for security patches.
  7. logrotate on bot logs: 7 daily, 4 weekly, compressed.
  8. Discord webhook for service-down alerts via OnFailure= systemd hook.

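
Steps 1, 2 and 8 are the ones that change how the bot process itself is launched, and they are easiest to get right by staging the files and reviewing them before anything is copied into /etc. The script below is an added example, not SafeServerSetup's handover tooling or the customer's setup: it renders a dedicated-user systemd unit, a mode-600 EnvironmentFile holding the token, and a templated OnFailure= alert unit. The "discordbot" account, /opt/discordbot, the node entry point, /var/log/discordbot and the /etc/discordbot paths are assumptions; the NoNewPrivileges and Protect* directives go beyond what the case study lists and are standard systemd sandboxing.

```shell
#!/bin/sh
# Added example, not SafeServerSetup's own tooling: renders the artefacts for
# steps 1, 2 and 8 into a staging directory for review before installation.
# The discordbot user, /opt/discordbot, /etc/discordbot and the node entry
# point are assumptions, not the customer's real layout.
set -eu

# render_hardened_units STAGEDIR TOKEN
# Writes discordbot.env, discordbot.service and bot-alert@.service to STAGEDIR.
render_hardened_units() {
    stage="$1"; token="$2"
    mkdir -p "$stage"

    # Step 2: create the token file under umask 077 so it is owner-only from the
    # first byte; there is no window in which a later chmod has not yet run.
    (umask 077; printf 'DISCORD_TOKEN=%s\n' "$token" > "$stage/discordbot.env")

    # Step 1: run as an unprivileged user. The NoNewPrivileges/Protect* lines go
    # beyond what the case study lists; they are standard systemd hardening.
    cat > "$stage/discordbot.service" <<'EOF'
[Unit]
Description=Discord bot (unprivileged user, token via EnvironmentFile)
After=network-online.target
Wants=network-online.target
# Step 8: start the alert unit if this service ends up in the failed state.
OnFailure=bot-alert@%n.service

[Service]
User=discordbot
Group=discordbot
WorkingDirectory=/opt/discordbot
EnvironmentFile=/etc/discordbot/discordbot.env
ExecStart=/usr/bin/node /opt/discordbot/index.js
Restart=on-failure
RestartSec=10
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/log/discordbot

[Install]
WantedBy=multi-user.target
EOF

    # Step 8: templated alert unit; OnFailure= passes the failed unit name as %i
    # and %H is the host name. The webhook URL is itself a secret, so it lives in
    # its own 600 file rather than in the unit text shown by systemctl cat.
    cat > "$stage/bot-alert@.service" <<'EOF'
[Unit]
Description=Discord webhook alert for failed unit %i

[Service]
Type=oneshot
EnvironmentFile=/etc/discordbot/alert.env
ExecStart=/usr/bin/curl -fsS -H 'Content-Type: application/json' \
    -d '{"content": "ALERT: %i entered failed state on %H"}' ${WEBHOOK_URL}
EOF
}

# check_staged STAGEDIR: fails unless the staged files would clear the two
# critical findings (owner-only secret, non-root service) and carry the hook.
check_staged() {
    stage="$1"
    find "$stage/discordbot.env" -perm 600 | grep -q . || return 1
    grep -q '^User=discordbot$' "$stage/discordbot.service" || return 1
    grep -q '^OnFailure=bot-alert@%n.service$' "$stage/discordbot.service" || return 1
}

# Usage: ./render.sh STAGEDIR TOKEN
if [ "${1-}" != "" ] && [ "${2-}" != "" ]; then
    render_hardened_units "$1" "$2"
    check_staged "$1" && echo "staged under $1; review, then install"
fi
```

After review, the env files are installed with `install -m 600 -o discordbot -g discordbot` into /etc/discordbot, the units copied to /etc/systemd/system, followed by `systemctl daemon-reload` and `systemctl enable --now discordbot`. `systemd-analyze security discordbot.service` gives a readable score for the sandboxing directives and is a quick way to confirm the unit is no longer running with root's exposure.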
Before / after

The numbers that moved.

Representative figures from this engagement. Real, named-customer studies will publish actual numbers with a link to verify.

Metric                      Before    After
Bot running as root         yes       no
Token file world-readable   yes       owner-only
SSH bot attempts / day      6,300     ~0
Disk free                   8%        71%
Service-down detection      manual    automated

Ready to be the next one

Hand us your VPS, get an engagement like this one.

Pick a plan, send the credentials through the encrypted form, and we'll come back with the same kind of audit + hardening + handover the studies above describe.