A bare or default-configured server is an easy target — visible and attackable within minutes.
VPS-Secure is not just an install script: it's an ultra-robust security foundation, designed to turn a bare VPS into a production-ready server with significantly stronger protection against attackers.
15 minutes, one single command to turn your server into a Fortress — ready to host your services with complete peace of mind.
Hey, I'm Fabrice. Entrepreneur, founder of multiple SaaS products, and Zero Trust advocate.
I built VPS-SECURE out of necessity: I wanted a tool capable of turning any bare server into an impenetrable fortress in minutes — without sacrificing service stability.
"Eat your own dog food": This is exactly the configuration I use to harden my production servers and confidently run n8n stacks, microservices, and AI agents in production.
## What VPS-SECURE does
1 command — 15 automatic steps — zero technical expertise required.
| # | What | Why |
|---|---|---|
| 1 | Creates `vpsadmin` user | No more root — impossible to make a fatal mistake |
| 2 | SSH on port 2222, key-only | Connection restricted to `vpsadmin` only. *GSSAPI disabled* (CVE-2026-3497) |
| 3 | System update + encrypted DNS + `/tmp`, `/var/tmp` and `/dev/shm` secured | Closes known vulnerabilities. DNS over TLS activated *before* any download — eliminates the DNS poisoning window. `/tmp`, `/var/tmp` and `/dev/shm` mounted `noexec` — malicious scripts cannot execute there |
| 4 | *CrowdSec* | Detects and bans malicious IPs. Installed via GPG-signed repository with hardcoded fingerprint verification — integrity guaranteed |
| 5 | *UFW* (firewall) | Everything blocked except ports 2222, 80 and 443. Docker forwarding is targeted — not global |
| 6 | *Docker* Engine + Compose v2 | Docker runs applications in isolated "boxes" (containers). Configured to *not* bypass UFW — exposed ports remain under firewall control. NAT rule added in UFW — containers have internet access |
| 7 | unattended-upgrades | Security patches installed automatically every night. *Docker CE* included in automatic updates. *snapd blacklisted* (CVE-2026-3888) |
| 8 | Kernel hardening | *35 parameters*: network (spoofing, SYN flood, ICMP...) + ASLR + ptrace + core dumps + perf events + *AppArmor userns restriction (CIS compliance)* |
| 9 | *auditd* | Logs everything: SSH, sudo, Docker, sensitive files, crontabs, `/etc/hosts`. *Anti-rootkit monitoring* — daily `voidlink-detect` scan at 02:30 |
| 10 | 2 GB Swap | Emergency virtual memory — prevents crashes |
| 11 | *rkhunter* | Scans for backdoors and rootkits. Daily automated scan at *00:00 UTC* — independent of Telegram |
| 12 | Unnecessary services disabled | avahi, cups, bluetooth, ModemManager disabled — every active service = attack surface (CIS 2.x). Ctrl-Alt-Delete masked (DISA STIG) |
| 13 | *Telegram* alerts | Daily security report + instant alert on every SSH login |
| 14 | *Endlessh* (honeypot port 22) | SSH is on port 2222 — port 22 is free. Endlessh captures it and keeps bots connected for hours by sending an infinite SSH banner. They can't attack elsewhere during that time |
| 15 | *AIDE* (integrity monitoring) | SHA512 hash of all system binaries at install time. Daily scan at 03:00 — any modification (replaced binary, backdoor, rootkit) triggers an alert in the Telegram report. After an OS update, manually re-run the baseline (command provided) |
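As an added example (not code from VPS-Secure or its author), a POSIX shell audit of the SSH settings from step 2 and the `noexec` mounts from step 3: it reads configuration text rather than the live system, so the expected values (port 2222, `vpsadmin`, GSSAPI off, `noexec` on `/tmp`, `/var/tmp`, `/dev/shm`) come from the table above while the sample files and function names are constructed here.

```shell
#!/bin/sh
# Added audit helpers (not VPS-Secure code). They read config text, so they run offline;
# on a real host point them at /etc/ssh/sshd_config and /etc/fstab.

# check_sshd_config FILE: sshd honours the FIRST occurrence of a keyword, so the first
# uncommented match is the effective value (Match blocks not modelled). Prints each
# mismatch and returns the mismatch count, so 0 means all expected settings are present.
check_sshd_config() {
  file=$1; fails=0
  for pair in Port=2222 PermitRootLogin=no PasswordAuthentication=no \
              PubkeyAuthentication=yes AllowUsers=vpsadmin GSSAPIAuthentication=no
  do
    key=${pair%%=*}; want=${pair#*=}
    got=$(awk -v k="$key" 'tolower($1)==tolower(k) { print $2; exit }' "$file")
    if [ "$got" != "$want" ]; then
      echo "sshd: $key is '${got:-unset}', expected '$want'"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

# check_noexec_mounts FILE: /tmp, /var/tmp and /dev/shm must carry noexec in an
# fstab-style file (field 2 = mount point, field 4 = comma-separated options).
check_noexec_mounts() {
  file=$1; fails=0
  for mnt in /tmp /var/tmp /dev/shm; do
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$file")
    case ",$opts," in
      *,noexec,*) ;;
      *) echo "mount: $mnt options '${opts:-none}' lack noexec"; fails=$((fails + 1)) ;;
    esac
  done
  return "$fails"
}
# Constructed samples mirroring the hardened state described in the table.
SAMPLE_SSHD='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers vpsadmin
GSSAPIAuthentication no'
SAMPLE_FSTAB='tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
/tmp /var/tmp none bind,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0'
t1=$(mktemp); t2=$(mktemp)   # stand-alone run against the samples
printf '%s\n' "$SAMPLE_SSHD" > "$t1"; printf '%s\n' "$SAMPLE_FSTAB" > "$t2"
check_sshd_config "$t1" && check_noexec_mounts "$t2" && echo "all checks passed"
rm -f "$t1" "$t2"
```

A non-zero return from either function is the number of drifted settings, which makes the script usable as a cron or CI gate after an OS update re-baselines the system.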
15 minutes, one single command to turn your server into a Fortress — ready to host your services with complete peace of mind.