VPS Setup and Security Checklist: Complete Self-Hosting Guide for 2025

This comprehensive guide documents a step-by-step checklist for setting up a secure, production-ready VPS, based on real-world experience with Hetzner and Coolify. It includes commands, verification steps, and troubleshooting tips.

---

Pre-Setup Checklist

Before starting:

- Choose VPS provider (recommended: Hetzner for price/performance)
- Select server specs (min. 1GB RAM, 20GB storage)
- Note server IP and root credentials
- Prepare local machine with SSH client
- Have a strong password generator ready

---

Picking the VPS Provider

Hetzner Cloud chosen for:

- 2-3x cheaper than DigitalOcean (DO) or AWS for similar specs
- Strong European datacenter presence (better latency)
- Transparent pricing, no surprise bills

Alternatives considered:

- DigitalOcean: smoother onboarding, more expensive
- AWS Lightsail: good for small apps but complex for beginners
- Linode: reliable, pricier than Hetzner
- Render/Fly.io: easier PaaS but more costly and opinionated

---

Initial Server Setup Checklist

First Login and System Updates

---

Root Account Security

- Change root password: passwd (use strong password, store in password manager)
- Create secondary user:
- Test sudo access:

---

SSH Key Authentication Setup

On local machine:

- Generate SSH keys:
- Show public key:

On server (as user, not root):

- Test SSH key login:

---

Disable Password Authentication

- Edit SSH config: sudo nano /etc/ssh/sshd_config
- Set:
- If cloud-init config exists, also edit /etc/ssh/sshd_config.d/50-cloud-init.conf similarly.
- Test SSH config syntax: sudo sshd -t (no errors)
- Restart SSH service:
- Verify SSH service status:

---

Disable Root Login

- Edit SSH config:
- Restart SSH:
- Test root login is blocked (from another terminal):

---

Firewall Configuration Checklist

UFW Setup

- Check UFW status:
- Set default policies:
- Allow SSH (before enabling):
- Allow HTTP/HTTPS:
- Enable UFW:
- Verify rules:

Advanced Configuration (Optional)

- Restrict SSH to your IP:
- Change default SSH port (security by obscurity): Edit /etc/ssh/sshd_config: Update firewall, restart SSH accordingly.

---

Automatic Updates Setup Checklist

Unattended Upgrades

- Install:
- Enable automatic updates:
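
Added example (not part of the original checklist) for the "Disable Password Authentication" and "Disable Root Login" steps above: sshd keeps the first value it reads for each keyword, so a drop-in such as 50-cloud-init.conf that is included at the top of sshd_config can silently override an edit to the main file. The function names, the temporary directory and the sample files below are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the value sshd will actually use for a keyword.
# sshd keeps the FIRST value it reads and expands Include lines in place, so a
# drop-in included at the top of sshd_config wins over settings further down.

# Print FILE as sshd reads it, with Include lines replaced by the matched files.
# Simplification: relative Include paths are resolved against FILE's directory.
flatten_sshd_config() {
  local file="$1" dir key rest pat inc
  dir=$(dirname "$file")
  while read -r key rest || [ -n "$key" ]; do
    case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
      include)
        set -f; set -- $rest; set +f          # split patterns without globbing yet
        for pat in "$@"; do
          case $pat in /*) ;; *) pat="$dir/$pat" ;; esac
          for inc in $pat; do                 # glob expands in sorted order
            if [ -r "$inc" ]; then flatten_sshd_config "$inc"; fi
          done
        done ;;
      *) printf '%s %s\n' "$key" "$rest" ;;
    esac
  done < "$file"
}

# effective_sshd_value FILE KEYWORD: print the first global value, exit 1 if unset.
# Simplification: the search stops at the first Match line (conditional settings).
effective_sshd_value() {
  flatten_sshd_config "$1" | awk -v want="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
    END { exit !found }'
}

# audit_sshd FILE: return 0 only if both hardening settings resolve to "no".
audit_sshd() {
  local rc=0 kw val
  for kw in PasswordAuthentication PermitRootLogin; do
    val=$(effective_sshd_value "$1" "$kw") || val="unset (sshd default applies)"
    echo "$kw -> $val"
    [ "$val" = no ] || rc=1
  done
  return $rc
}

# Constructed sample tree: main file hardened, cloud-init drop-in left untouched.
demo=$(mktemp -d); mkdir "$demo/sshd_config.d"
printf '%s\n' 'Include sshd_config.d/*.conf' 'PasswordAuthentication no' \
  'PermitRootLogin no' > "$demo/sshd_config"
printf '%s\n' 'PasswordAuthentication yes' > "$demo/sshd_config.d/50-cloud-init.conf"
audit_sshd "$demo/sshd_config" || echo "FAIL: a drop-in overrides the main file"
```

On a real server, point `audit_sshd` at /etc/ssh/sshd_config, or compare against `sudo sshd -T`, which prints the effective settings as sshd itself resolves them.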