Free resource · 2026 edition

VPS Security Checklist for Ubuntu & Debian

Forty-two practical items grouped into six layers. Print it, work through it, mark each box. Or send us the box and we'll do it for you.

Start the checklist Or hire us

Last reviewed: May 2026

Account & access

The most exploited surface on a fresh VPS is SSH on port 22 with password login. Fix that first.

Create a non-root user with sudo privileges.
Generate an SSH key pair locally (ssh-keygen -t ed25519) and put the public half in ~/.ssh/authorized_keys.
Set PermitRootLogin no in a drop-in file under /etc/ssh/sshd_config.d/.
Set PasswordAuthentication no and KbdInteractiveAuthentication no.
Set PubkeyAuthentication yes explicitly.
Restrict logins to specific users with AllowUsers or a group with AllowGroups.
Optionally move SSH off port 22 (security through reduced noise, not security through obscurity).
Reload sshd with systemctl reload sshd and test from a second terminal before closing the first.

Default-deny inbound, allow only what you actually serve.

Install ufw (or use iptables/nftables directly if you prefer).
Set defaults: ufw default deny incoming, ufw default allow outgoing.
Allow your SSH port (whichever you chose).
Allow application ports: 80/tcp, 443/tcp, plus anything else you actually need.
Enable IPv6 in /etc/default/ufw and confirm v6 rules are present.
Verify with ufw status verbose; verify externally with nmap -sT <ip> from a different host.
If your provider has a network-edge firewall (Lightsail, Hetzner Cloud, OVH Anti-DDoS), configure it too.

Bots will try thousands of SSH passwords per hour. Make them give up.

Install fail2ban (apt install fail2ban).
Enable the SSH jail in /etc/fail2ban/jail.local.
Tune findtime, maxretry and bantime for your tolerance.
Add an ignoreip entry for your office or VPN range so you cannot lock yourself out.
Verify with fail2ban-client status sshd.
Optionally enable jails for nginx-http-auth, nginx-botsearch and recidive.

A box that's patched two weeks behind is a box waiting to be in the news.

Run apt update && apt full-upgrade the moment the box boots.
Install and configure unattended-upgrades for security updates.
Enable 50unattended-upgrades auto-removal of unused dependencies.
Pick a maintenance window for automatic reboots, or wire reboots into your own runbook.
Optional: subscribe to your distribution's security mailing list so you know about high-severity patches early.

If you serve traffic on port 80/443, the application is now part of the security perimeter.

Enable HTTP/2 in NGINX or your reverse proxy.
Use a modern TLS profile (Mozilla Intermediate or Modern); disable TLSv1.0/1.1.
Issue a Let's Encrypt certificate with certbot and confirm auto-renewal works.
Set Strict-Transport-Security with a long max-age (and pre-load if you're ready).
Set X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
Define a Content-Security-Policy matching your application.
Hide server tokens (server_tokens off in NGINX).
Limit upload size (client_max_body_size) to what the app actually needs.
Configure logrotate for access & error logs.

Hardening once is a moment in time; staying hardened is a habit.

Disable services you don't use (systemctl disable --now).
Set sane sysctl defaults: disable IP redirects, ignore broadcast pings, enable SYN-cookies.
Configure swap sized to your RAM, with vm.swappiness=10.
Set the time zone (timedatectl set-timezone …) and confirm NTP is active.
Configure log rotation and ship critical logs off-box.
Schedule daily off-box backups of databases and config (test the restore!).
Document everything in a server runbook your future self can read.
Recheck the whole list once a quarter — especially after major OS upgrades.

Don't want to do this yourself?

Hand us a fresh VPS and we'll come back with a hardened box, new credentials, and a written audit report — usually within 24 hours.

View plans What we configure