VPS Security on ByteGuard

If you ran apt install nginx on a fresh Ubuntu box and pointed your domain at it, the brute-force SSH bots noticed within four minutes. This page is the complete sequence I use to make that not be a problem.

TL;DR — the order matters. A perfect Docker config doesn't matter if your SSH is wide open. Follow the steps top-to-bottom on your next VPS and you'll be ahead of 90% of self-hosted boxes on the internet.

The first 30 minutes

These are the only things you should do before exposing a single service to the public internet.

1. Harden a Linux VPS in 10 minutes — unattended-upgrades, a non-root user, basic ufw. Don't skip; everything else assumes this.

2. SSH hardening, properly — key-only auth, AllowUsers, match blocks. *Don't change the port — it doesn't help and breaks tooling.*

3. Fail2ban that actually works — most fail2ban configs are decorative. Mine isn't.

Free download: the 47-step PDF version of the above lives behind the form at the bottom.

The first day

Now you can start running services without panic.

4. Reverse proxy choice: NPM vs Traefik vs Caddy — pick once, regret less.

5. Docker security: 2026 edition — the 80/20 of container security.

6. Monitor with Uptime Kuma — know when something falls over.

The first month

This is where most self-hosters quietly stop and accumulate risk.

7. OWASP Top 10 for self-hosters — the parts that apply to a 1-person stack.

8. WireGuard mesh VPN — keep admin panels off the public internet.

9. Vaultwarden for shared secrets — stop pasting SSH keys into Notion.

Ongoing

10. CVE tracking for a self-hosted stack — the weekly process

11. Live CVE feed: cve.byte-guard.net — filtered for self-host-relevant projects

What I run, end-to-end

If you want to see all of the above applied to one real production stack, the Building ByteGuard post is the full writeup. Hetzner CPX22 in Helsinki, Ghost + Uptime Kuma + 3 FastAPI services, Docker Compose, Nginx Proxy Manager.

Get the checklist + weekly tutorials

FREE PDFServer Hardening Checklist — 47 steps

Drop your email and I’ll send the PDF plus one practical tutorial each week.

Send me the checklist →

Related clusters

• Self-hosting guides — the full setup journey, broader scope
• CTF write-ups — the offensive side, useful for understanding what you're defending against