15 essential security checks every VPS needs — whether you run on DigitalOcean, Hetzner, or any other provider. Each step includes the priority level, manual command, and whether it can be automated. Bookmark this page and work through it on every new server.
Work through this list top to bottom. Critical items should be done immediately after deploying your VPS. Important items within the first day. Nice-to-have items when you have time. For detailed explanations of each step, see our full guide on how to secure a Linux server.
| # | Security check | Priority | Defensia |
|---|---|---|---|
| 1 | Disable root SSH login | | ✓ |
| 2 | Use SSH keys only | | - |
| 3 | Enable firewall (UFW/firewalld) | | - |
| 4 | Update all packages | | - |
| 5 | Enable automatic security updates | | - |
| 6 | Install intrusion detection | | ✓ |
| 7 | Configure WAF for web servers | | ✓ |
| 8 | Scan for malware | | ✓ |
| 9 | Check for CVE vulnerabilities | | ✓ |
| 10 | Set security headers on web server | | - |
| 11 | Secure database ports | | ✓ |
| 12 | Enable geoblocking if applicable | | ✓ |
| 13 | Set up monitoring and alerts | | ✓ |
| 14 | Review file permissions | | - |
| 15 | Run a security audit | | ✓ |
Root is the most targeted username. Disabling root login forces attackers to guess both a username and a password, effectively doubling the difficulty of a brute force attack.
SSH keys are cryptographically stronger than any password. A 4096-bit RSA key would take billions of years to brute force. Once keys are set up, disable password authentication entirely.
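To verify items 1 and 2 after editing the SSH configuration, the script below reads an `sshd_config` file and reports the value sshd will actually use. It is an added example, not part of the original checklist; the function names and the sample config are constructed, and it assumes whitespace-separated `Keyword value` lines with no `Include` files.

```sh
#!/bin/sh
# Audit checklist items 1 and 2 against an sshd_config file (added example).
# sshd keeps the FIRST value it reads for a keyword, so a later
# "PermitRootLogin no" does not override an earlier "PermitRootLogin yes".
# Assumptions: whitespace-separated "Keyword value" lines; Include files and
# Match blocks are not evaluated (on a live host, `sshd -T` prints the
# effective configuration).

# sshd_effective KEYWORD FILE DEFAULT -> effective global value, lower-cased
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$3" '
    /^[ \t]*#/ || NF == 0        { next }   # comments and blank lines
    tolower($1) == "match"       { exit }   # global section ends at first Match
    tolower($1) == key && !found { val = tolower($2); found = 1 }
    END { print (found ? val : def) }
  ' "$2"
}

# verdict KEYWORD ACTUAL WANTED -> PASS/FAIL line
verdict() {
  if [ "$2" = "$3" ]; then echo "PASS $1=$2"; else echo "FAIL $1=$2 (want $3)"; fi
}

# audit_sshd FILE: the defaults passed here are OpenSSH's when a keyword is absent
audit_sshd() {
  verdict PermitRootLogin "$(sshd_effective PermitRootLogin "$1" prohibit-password)" no
  verdict PasswordAuthentication "$(sshd_effective PasswordAuthentication "$1" yes)" no
}

# Constructed sample: sshd ignores the second PermitRootLogin line.
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample, not a real server
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User deploy
    PasswordAuthentication yes
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd "$sample"
rm -f "$sample"
```

On the sample, root login is reported as still enabled even though the file contains `PermitRootLogin no`, because the earlier line wins.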
A firewall blocks access to all ports except the ones you explicitly need (typically 22, 80, 443). Without a firewall, every service on your server is exposed to the internet.
Unpatched software is one of the top attack vectors. Exploit code for critical CVEs often appears within hours of disclosure. Update everything before doing anything else.
Manual updates are forgotten. Automatic security updates ensure critical patches are applied even when you are not watching. The risk of a broken update is far lower than the risk of an unpatched CVE.
Even with SSH keys, attackers still attempt brute force attacks that fill your logs and consume resources. Intrusion detection blocks attackers after repeated failures, stopping them at the network level.
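The counting step that such intrusion detection relies on can be shown over sshd log lines. This is an added example, not Defensia's or any other tool's code; the log lines are constructed, and it assumes OpenSSH's `Failed password for ... from IP port N ssh2` message format.

```sh
#!/bin/sh
# Added example: the counting step behind "block after repeated failures".
# Assumption: OpenSSH lines ending "... from IP port N ssh2". The user name is
# client-supplied text, so the address is read from the fixed tail of the line
# rather than from the first "from" that appears.
# Simplification: counts over the whole input; real tools use a time window.

# failed_login_sources THRESHOLD < logfile -> "COUNT IP", busiest first
failed_login_sources() {
  awk -v min="$1" '
    /sshd\[[0-9]+\]: Failed password for / &&
    $(NF - 4) == "from" && $(NF - 2) == "port" { hits[$(NF - 3)]++ }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -rn
}

# Constructed log lines (documentation address ranges), not from a real server.
# The fourth line has the literal user name "from".
sample_auth_log() {
  cat <<'EOF'
Mar 10 10:00:01 vps sshd[811]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 10:00:03 vps sshd[811]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar 10 10:00:05 vps sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar 10 10:00:09 vps sshd[815]: Failed password for invalid user from from 203.0.113.5 port 40004 ssh2
Mar 10 10:01:00 vps sshd[820]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Mar 10 10:02:00 vps sshd[830]: Failed password for deploy from 198.51.100.7 port 50001 ssh2
EOF
}

# Sources with at least 3 failures in the sample
sample_auth_log | failed_login_sources 3
# On a server the input is /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family).
```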
A firewall allows traffic on ports 80/443 but cannot inspect HTTP content. SQL injection, XSS, and path traversal attacks arrive as valid HTTP requests. A WAF detects and blocks these application-level attacks.
Web application vulnerabilities can lead to uploaded web shells, cryptominers, and backdoors. Regular scanning catches what preventive measures miss. Focus on upload directories and /tmp.
Your installed packages may contain known vulnerabilities even after updating, especially for third-party software. CVE scanning matches installed versions against the NVD database.
Security headers like X-Frame-Options, X-Content-Type-Options, HSTS, and CSP protect against clickjacking, MIME sniffing, protocol downgrade, and cross-site scripting. They cost nothing and prevent entire classes of attacks.
MySQL (3306), PostgreSQL (5432), MongoDB (27017), and Redis (6379) should never be accessible from the internet. Bind to localhost and block the ports in your firewall.
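To confirm the bind addresses for the four ports named above, the listening-socket table can be filtered as follows. This is an added example, not part of the original checklist; the sample socket lines are constructed in the layout `ss -ltnH` prints, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: flag database listeners bound to a non-loopback address.
# Input is `ss -ltnH` output (listening TCP sockets, numeric, no header);
# column 4 is "local-address:port".

exposed_db_ports() {
  awk '
    BEGIN { db["3306"] = "MySQL"; db["5432"] = "PostgreSQL"
            db["27017"] = "MongoDB"; db["6379"] = "Redis" }
    $1 != "LISTEN" { next }                       # skips a header if present
    {
      n = split($4, part, ":"); port = part[n]    # port follows the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      loopback = (addr ~ /^127\./ || addr == "[::1]")
      if ((port in db) && !loopback) print db[port], port, addr
    }
  '
}

# Constructed sample in the layout ss prints; not captured from a real host.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 151  127.0.0.1:3306  0.0.0.0:*
LISTEN 0 244  0.0.0.0:5432    0.0.0.0:*
LISTEN 0 511  [::1]:6379      [::]:*
LISTEN 0 4096 [::]:27017      [::]:*
LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
EOF
}

sample_ss_output | exposed_db_ports
# On a server: ss -ltnH | exposed_db_ports
```

An empty result means every listed database is bound to loopback; a listener on `0.0.0.0` or `[::]` depends entirely on the firewall rule to stay private.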
If your users are all in one region, blocking entire countries at the firewall level eliminates a large percentage of automated attacks. Most SSH brute force originates from a handful of countries.
Without monitoring, you will not know about attacks until the damage is done. Real-time alerts via Slack, email, or Discord ensure you are notified of critical security events immediately.
World-readable .env files, writable web directories, and incorrect SSH key permissions are common misconfigurations. A permissions audit catches issues that standard security tools overlook.
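The three misconfigurations named above can be searched for with POSIX `find`. This is an added example, not part of the original checklist; the directory layout built by `make_sample_tree` and the finding labels are constructed for illustration.

```sh
#!/bin/sh
# Added example: search a tree for world-readable .env files, world-writable
# directories and SSH private keys readable by group or others. POSIX find only.

# perm_findings DIR -> one "LABEL PATH" line per finding (labels are made up here)
perm_findings() {
  # .env files with the other-read bit set
  find "$1" -type f -name '.env*' -perm -004 -exec echo world-readable-env {} \;
  # other-writable directories without the sticky bit (so /tmp-style dirs pass)
  find "$1" -type d -perm -002 ! -perm -1000 -exec echo world-writable-dir {} \;
  # private keys (id_* without .pub) that group or others can read
  find "$1" -type f -name 'id_*' ! -name '*.pub' \( -perm -040 -o -perm -004 \) \
    -exec echo exposed-ssh-key {} \;
}

# Constructed tree with one instance of each problem; the function body is a
# subshell so the umask change does not leak into the caller.
make_sample_tree() (
  umask 022
  mkdir -p "$1/app/uploads" "$1/home/.ssh"
  echo 'DB_PASSWORD=constructed-value' > "$1/app/.env"
  : > "$1/home/.ssh/id_ed25519"
  : > "$1/home/.ssh/id_ed25519.pub"
  chmod 644 "$1/app/.env" "$1/home/.ssh/id_ed25519" "$1/home/.ssh/id_ed25519.pub"
  chmod 777 "$1/app/uploads"
)

tree=$(mktemp -d)
make_sample_tree "$tree"
perm_findings "$tree"          # three findings
chmod 600 "$tree/app/.env" "$tree/home/.ssh/id_ed25519"
chmod 755 "$tree/app/uploads"
perm_findings "$tree"          # no output after the fix
rm -rf "$tree"
```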
Security auditing tools check hundreds of configuration points: kernel parameters, file permissions, service configurations, and compliance benchmarks. Run monthly to catch configuration drift.
SSH config, firewall setup, update configuration, WAF installation (ModSecurity + CRS), malware scanner setup, log monitoring, database hardening, security audit tools. Requires ongoing maintenance: rule updates, log reviews, regular scans.
One command covers items 1, 6, 7, 8, 9, 10, 11, 12, 13, and 15 from the checklist. You still need to do items 2-5 (SSH keys, firewall, updates) manually — those are one-time server configuration tasks.
If you only have 15 minutes, do the critical items. They block the most common attack vectors.
Bookmark this page and revisit it every time you deploy a new VPS or perform a quarterly security review. The checklist covers both the initial hardening and the ongoing checks you need to repeat.
For automated checking, Defensia's security posture score (0-100, A-F grade) continuously evaluates your server against these criteria and surfaces issues in the dashboard. No manual scans needed.
Start with the 6 critical items in this checklist: disable root SSH login, switch to SSH keys, enable a firewall, update all packages, install intrusion detection, and restart SSH. These can be done in 15 minutes and block the majority of automated attacks. Then work through the important items within the first day.
If you can only do one thing: enable a firewall and block all ports except the ones you need. A close second is installing intrusion detection for SSH brute force protection. Together, these two steps eliminate over 90% of your attack surface.
Run the full checklist on every new VPS deployment. Then revisit quarterly: re-run security audits (Lynis), verify configurations have not drifted, check for new CVEs, and review firewall rules. If you use Defensia, the security posture score tracks most of this continuously.
Yes. The principles apply to Ubuntu, Debian, CentOS, RHEL, Rocky Linux, AlmaLinux, Fedora, and Amazon Linux. The specific commands vary slightly (apt vs dnf, UFW vs firewalld), but the security checks are universal. Each step in the expanded details shows the appropriate command.
Partially. Items 1-5 (SSH config, firewall, updates) are one-time server configuration tasks that you should do manually and verify. Items 6-15 (intrusion detection, WAF, malware scanning, CVE scanning, monitoring, audits) can be automated with Defensia — a single install command covers 10 of the 15 checks in this list.