SafeServerSetup
Service How it works Pricing Case studies Providers About
Security checklist Contact
Sign in Get started
Service · VPS Setup & Hardening

A production-ready VPS, hardened by hand and documented in plain English.

You spin up a fresh Ubuntu or Debian server with any major provider; we log in, apply a careful security baseline, install your basic web stack if you need it, and hand the box back with new credentials and a written audit report.

See pricing What gets configured
Hardened VPS illustration showing SSH, UFW, fail2ban, NGINX, and audit report
Configuration

What we actually configure

A reasonable, well-tested baseline you'd build for yourself if you had the time. Every change ends up in your handover document with the exact command to verify it.

UFW firewall

Default-deny on inbound traffic with explicit allow rules for SSH plus the ports your application actually needs. IPv4 and IPv6.

Default policy IPv4 and IPv6 rules Logging level for triage

SSH hardening

Public-key authentication only. Root login disabled. Optional non-default port. Idle session timeout. Limited AllowUsers list.

Pubkey-only auth PermitRootLogin no AllowUsers whitelist Optional port change

fail2ban

SSH jail enabled with sensible defaults; configurable ban times and an allowlist for your office or VPN ranges so you never lock yourself out.

SSH jail enabled Configurable ban window Allowlist your IPs

NGINX baseline

Standard plan and up. Hardened defaults: HTTP/2, sensible TLS ciphers, security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy), gzip/brotli.

Hardened server block Security headers TLS-ready vhost Logrotate tuned

Auto security updates

unattended-upgrades configured for security patches only by default. Optional email notifications to an address you choose.

Security-only by default Optional reboot window Email notifications

Non-root user

A sudo-enabled user you actually log in as, with your SSH key installed. Root password no longer needed in your password manager.

Sudo group access SSH key installed Login banner

Swap + tuning

Swap file sized to your RAM, sensible sysctl defaults, time zone and NTP configured.

Right-sized swap sysctl baseline NTP / time zone

Optional language runtime & database

Pro plan and up: one runtime (Node, PHP-FPM or Python) plus one database (MySQL or PostgreSQL) installed with a least-privilege application user.

Runtime of your choice DB with app user Systemd service template
Supported providers

Any VPS with SSH access.

We work with every major provider. We do not need a special integration — just SSH credentials and an IP address.

DigitalOcean
Linode
Hetzner
Vultr
AWS Lightsail
OVH
Contabo
UpCloud
Scaleway

Using something else? We almost certainly support it — ask.

Supported OS

Ubuntu & Debian.

We focus on the two most-deployed Linux server distributions so we can offer the same quality across every order.

  • U
    Ubuntu 20.04, 22.04, 24.04 LTS
    Recommended for new servers.
  • D
    Debian 11, 12
    Stable, minimal, great for production.
Delivery

From order to handover in five steps.

Credentials in transit are encrypted and wiped 7 days after delivery. The hardened box returns with new credentials and full documentation.

Encrypted handover illustration: your credentials enter a vault, the hardened VPS comes back
  1. 1
    You order

    Pay once, no subscription.

  2. 2
    You send creds

    Encrypted form on your order page.

  3. 3
    We audit

    Quick scan to baseline the box.

  4. 4
    We harden

    Manual configuration, reviewed.

  5. 5
    We hand over

    Doc, new credentials, audit report.

See the full delivery walkthrough
Deliverables

What you receive at the end.

Three plain-English artefacts you can share with your team — no proprietary tooling, no agents, no lock-in.

Three deliverables: a handover document, a security audit report, and a credentials terminal mockup

Handover document

A plain-English write-up of every change we made, with the verification command for each piece. Suitable to share with your team.

New credentials

A new sudo user with your SSH key installed, and the new SSH port if you opted to change it. Old root login no longer works.

Security audit report

A short report listing what we found, what we fixed, and a few recommendations for things you can address later.

Ready to harden your box?

From $9.99, one-time. Pick a plan, send your credentials, get a hardened server.

View plans Talk to us