SafeServerSetup
Sample engagement · representative numbers

Locked down an OVH VPS hosting a privacy-focused self-hosted stack

A self-hosted analytics + recipes stack about to be pointed at customer-facing subdomains.

Customer: Privacy-focused product team
Team size: 5 people
Provider: OVH
OS: Debian 12
Plan · Duration: Standard · 16 hours
Engagement summary

A five-person product team was self-hosting Plausible Analytics, a recipe manager, and a few internal tools on a single OVH VPS. They wanted the box locked down before they pointed customer-facing subdomains at it, and before they trusted it with anything sensitive.

Why they came to us

They'd set the box up themselves and "thought it was fine." Their lead engineer had a strong instinct that something was off but couldn't find time to dig in. They wanted a fresh, methodical pass with a written report they could file with their compliance docs.

Audit findings

What we found on the box.

First pass before changing anything. Severity ranges from critical (act immediately) to low (worth knowing).

  • [critical] Default OVH root password unchanged
  • [critical] Docker daemon listening on tcp://0.0.0.0:2375 with no TLS or auth
  • [high] OVH firewall in monitoring-only mode (rules existed but were not enforced)
  • [high] No SSH keys configured — password auth only
  • [medium] No swap; 1GB RAM box hit OOM ~4 times per week under normal load
  • [medium] 22 days of unapplied security patches

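The findings above can be reproduced with read-only checks. The script below is an added example, not SafeServerSetup's tooling or anything from the engagement: each check takes its input as text, so the same function works on live command output (`ss -ltnH`, the sshd config, `/proc/swaps`, `apt list --upgradable`) or, as here, on constructed samples that mirror the four machine-checkable findings.

```shell
#!/bin/sh
# Added example, not SafeServerSetup's own tooling: read-only checks that
# reproduce the audit findings above. Inputs are passed as text so the
# functions run offline on the constructed samples below.

# Constructed sample of `ss -ltnH` output with the Docker API on 0.0.0.0:2375.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128  0.0.0.0:22   0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8000 0.0.0.0:*'

# Constructed sshd_config excerpt matching the "password auth only" finding.
SAMPLE_SSHD='Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6'

# Constructed /proc/swaps from a box with no swap: header line only.
SAMPLE_SWAPS='Filename  Type  Size  Used  Priority'

# Constructed `apt list --upgradable` output; two of three pending upgrades
# come from the Debian security suite.
SAMPLE_APT='Listing...
libssl3/stable-security 3.0.15-1~deb12u1 amd64 [upgradable from: 3.0.14-1~deb12u2]
openssh-server/stable-security 1:9.2p1-2+deb12u3 amd64 [upgradable from: 1:9.2p1-2+deb12u2]
curl/stable 7.88.1-10+deb12u8 amd64 [upgradable from: 7.88.1-10+deb12u7]'

# Finding: Docker API reachable over TCP on a non-loopback address.
# Prints the offending listeners; succeeds (0) only if at least one exists.
docker_tcp_exposed() {
    found=$(printf '%s\n' "$1" | awk '$4 ~ /:2375$/ && $4 !~ /^127\.|^\[::1\]/')
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Finding: sshd directives that allow password or root logins, or more than
# 3 authentication attempts per connection. Prints each weak directive.
sshd_weak_settings() {
    found=$(printf '%s\n' "$1" | awk '
        { k = tolower($1); v = tolower($2) }
        k == "permitrootlogin"        && v == "yes" { print }
        k == "passwordauthentication" && v == "yes" { print }
        k == "maxauthtries"           && v + 0 > 3  { print }')
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Finding: no active swap. /proc/swaps lists one device path per line after
# its header, so zero lines starting with "/" means no swap at all.
swap_missing() {
    count=$(printf '%s\n' "$1" | grep -c '^/' || true)
    [ "$count" -eq 0 ]
}

# Finding: number of pending upgrades that come from a *-security suite.
pending_security_updates() {
    printf '%s\n' "$1" | grep -c -- '-security ' || true
}

# Run every check against the samples and print a severity-tagged report.
run_audit() {
    if listeners=$(docker_tcp_exposed "$SAMPLE_SS"); then
        printf '[critical] Docker API on TCP:\n%s\n' "$listeners"
    fi
    if weak=$(sshd_weak_settings "$SAMPLE_SSHD"); then
        printf '[high] weak sshd settings:\n%s\n' "$weak"
    fi
    if swap_missing "$SAMPLE_SWAPS"; then
        echo '[medium] no swap configured'
    fi
    n=$(pending_security_updates "$SAMPLE_APT")
    if [ "$n" -gt 0 ]; then
        echo "[medium] $n pending security updates"
    fi
    return 0
}

run_audit
```

To run the same checks on a live box, feed the functions real output instead of the samples, e.g. `docker_tcp_exposed "$(ss -ltnH)"` and `sshd_weak_settings "$(sshd -T)"` as root; `sshd -T` prints the effective configuration with drop-ins already merged, which avoids false positives from commented-out lines.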
Hardening applied

What we changed, in order.

Each change is reversible and documented in the handover doc. Commands shown are illustrative.

  1. Disabled the Docker TCP socket entirely; switched all clients to the local Unix socket.
  2. Created an ops user and installed the three team members' SSH keys.
  3. SSH: keys-only, root locked, custom port, MaxAuthTries 3.
  4. Provisioned a 2GB swap file with swappiness=10.
  5. UFW with iptables=false handling for Docker (so published container ports do not bypass the firewall), plus explicit allow rules for the custom SSH port, 80 and 443.
  6. Promoted the OVH network firewall from monitor mode to enforcing.
  7. unattended-upgrades configured for security patches.
  8. Replaced watchtower auto-pull (responsible for two prior outages) with a manual update procedure documented in their runbook.
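Steps 1 to 7 can be expressed as a small set of config files plus a handful of commands. The script below is an added example and not the handover material from this engagement: it renders the hardening into a staging directory that mirrors /etc, together with an apply.sh holding the commands that are not plain config files, so the result can be reviewed before anything touches the live system. The ops user name, SSH port and swap size are placeholders; it assumes Debian 12's default `Include /etc/ssh/sshd_config.d/*.conf` (which is present on bookworm and lets the drop-in win because sshd keeps the first value it sees) and Docker CE reading /etc/docker/daemon.json.

```shell
#!/bin/sh
# Added example, not SafeServerSetup's handover tooling. Renders steps 1-7
# into a staging tree mirroring /etc plus an apply.sh; nothing here modifies
# the running system. Review the tree, then copy it in and run apply.sh as root.
set -eu

OPS_USER="${OPS_USER:-ops}"     # placeholder account name
SSH_PORT="${SSH_PORT:-2222}"    # placeholder custom port; choose your own
SWAP_SIZE="${SWAP_SIZE:-2G}"    # step 4 used a 2GB swap file

stage_hardening() {
    stage="$1"
    mkdir -p "$stage/etc/ssh/sshd_config.d" "$stage/etc/docker" \
             "$stage/etc/sysctl.d" "$stage/etc/apt/apt.conf.d"

    # Step 3: keys only, root locked, custom port, MaxAuthTries 3.
    # Assumes Debian 12's default Include of sshd_config.d/*.conf.
    cat > "$stage/etc/ssh/sshd_config.d/50-hardening.conf" <<EOF
Port $SSH_PORT
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers $OPS_USER
EOF

    # Steps 1 and 5: with no "hosts" key dockerd listens only on the Unix
    # socket (also remove any "-H tcp://" from a docker.service override).
    # iptables=false stops Docker from inserting rules ahead of UFW, so every
    # published port must be allowed in UFW explicitly and containers need
    # outbound NAT configured via UFW's before.rules.
    cat > "$stage/etc/docker/daemon.json" <<EOF
{
  "iptables": false
}
EOF

    # Step 4: swappiness=10 persisted across reboots.
    printf 'vm.swappiness = 10\n' > "$stage/etc/sysctl.d/99-swappiness.conf"

    # Step 7: unattended-upgrades; Debian's stock 50unattended-upgrades
    # already limits origins to the security suite.
    cat > "$stage/etc/apt/apt.conf.d/20auto-upgrades" <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # Commands that are not config files. Order matters: the SSH port is
    # allowed before UFW is enabled so the live session is not cut off.
    cat > "$stage/apply.sh" <<EOF
#!/bin/sh
set -eu
# Step 2: ops user; the team's public keys go into its authorized_keys.
adduser --disabled-password --gecos '' $OPS_USER
usermod -aG sudo $OPS_USER
install -d -m 700 -o $OPS_USER -g $OPS_USER /home/$OPS_USER/.ssh
# Step 4: $SWAP_SIZE swap file, mounted at boot.
fallocate -l $SWAP_SIZE /swapfile && chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile
grep -q '^/swapfile' /etc/fstab || echo '/swapfile none swap sw 0 0' >> /etc/fstab
sysctl --system
# Step 5: default deny inbound, allow the custom SSH port, 80 and 443.
ufw default deny incoming
ufw default allow outgoing
ufw allow $SSH_PORT/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable
# Steps 1 and 3: validate sshd config, then restart both daemons.
sshd -t && systemctl restart ssh
systemctl restart docker
# Step 6 (OVH firewall monitor -> enforce) is done in the OVH control panel.
EOF
    chmod +x "$stage/apply.sh"
}

# Stand-alone use: ./stage.sh ./hardening-stage
if [ $# -gt 0 ]; then
    stage_hardening "$1"
    echo "staged hardening to $1"
fi
```

Keep a second SSH session open while apply.sh runs, and confirm a key-based login on the new port works before closing the original one; the config is written so that a failed `sshd -t` aborts before the restart.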

Before / after

The numbers that moved.

Representative figures from this engagement. Real, named-customer studies will publish actual numbers with a link to verify.

Metric                         Before    After
Docker TCP socket exposed      yes       no
Unauthenticated container API  yes       no
OVH firewall mode              monitor   enforce
OOM kills / week               4         0
Patch lag                      22 days   0 days

Ready to be the next one

Hand us your VPS, get an engagement like this one.

Pick a plan, send the credentials through the encrypted form, and we'll come back with the same kind of audit + hardening + handover the studies above describe.