VPS Attack Surface Reduction Checklist

Posted by admin on June 16, 2026


Attack surface is everything an attacker can reach, test or abuse from the outside. A secure VPS is not only a server with strong passwords. It is a system where unnecessary ports, services, users, files and dashboards are removed or protected.

Core principle

You cannot secure what you do not know is exposed. First list what is reachable, then close what does not need to be public.

Checklist

  1. List all listening ports.
  2. Identify which services are public.
  3. Identify which services should be private.
  4. Check provider firewall rules.
  5. Check UFW or server firewall rules.
  6. Close unused ports.
  7. Protect admin dashboards behind login, VPN, IP restriction or reverse proxy rules.
  8. Remove unused services.
  9. Review Docker published ports.
  10. Document the final exposure map.

Reusable lesson

This applies to WordPress, Nginx, MySQL, Redis, Docker, n8n, monitoring dashboards, API workers and internal admin tools.

Checklist Type: Security
Level: Intermediate
Risk Level: High Risk
Estimated Time: 45–90 minutes

When to Use This Checklist

Use this checklist when hardening a VPS before or after deploying websites, Docker apps, automation tools or admin dashboards.

Required Tools

SSH access, UFW, provider firewall, Nginx, Docker if used, service list, domain map

Before You Start

Do not expose a service publicly just because it works. Decide whether each service must be reachable from the internet.

Structured Checklist Steps

  1. List listening ports.
  2. Classify public services.
  3. Classify private services.
  4. Review provider firewall.
  5. Review UFW.
  6. Close unused ports.
  7. Protect dashboards.
  8. Remove unused services.
  9. Review Docker ports.
  10. Document exposure map.
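As an added example (not part of the original checklist), the shell functions below turn `ss -tulpn` output into the exposure map that steps 1, 2, 3 and 10 describe: each listening socket is classified by its bind address (loopback versus all interfaces) and then checked against an assumed allowlist of intended-public ports (22, 80 and 443). The `ss` output used as input is constructed; a Docker published port shows up in it as a `docker-proxy` socket bound to 0.0.0.0, which is why step 9 matters.

```shell
# Added example, not from the original checklist. ALLOWED_PUBLIC is an assumption:
# the ports this server is meant to expose; everything else on 0.0.0.0/[::]/* is flagged.
ALLOWED_PUBLIC="22 80 443"
# Constructed sample of `ss -tulpn` output so the script runs offline.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      511    *:80               *:*               users:(("nginx",pid=850,fd=6))
tcp   LISTEN 0      511    [::]:443           [::]:*            users:(("nginx",pid=850,fd=8))
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=902,fd=21))
tcp   LISTEN 0      128    0.0.0.0:6379       0.0.0.0:*         users:(("redis-server",pid=977,fd=7))
tcp   LISTEN 0      4096   0.0.0.0:5678       0.0.0.0:*         users:(("docker-proxy",pid=1203,fd=4))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=433,fd=13))'

# classify_socket <proto> <local-address:port> <process>
# Prints one line: <port> <proto> <scope> <verdict> <process>
classify_socket() {
  local proto="$1" local_addr="$2" proc="$3"
  local port="${local_addr##*:}"        # text after the last ':' is the port
  local addr="${local_addr%:*}"         # text before it is the bind address
  local scope verdict
  case "$addr" in
    127.*|'[::1]'|'::1') scope="loopback" ;;        # reachable only from the host itself
    *)                   scope="all-interfaces" ;;  # reachable from the network (unless firewalled)
  esac
  if [ "$scope" = "loopback" ]; then
    verdict="private"
  else
    case " $ALLOWED_PUBLIC " in
      *" $port "*) verdict="public-expected" ;;
      *)           verdict="public-UNEXPECTED" ;;   # close it, bind to 127.0.0.1, or firewall it
    esac
  fi
  printf '%s %s %s %s %s\n' "$port" "$proto" "$scope" "$verdict" "$proc"
}

# exposure_map: read `ss -tulpn` output on stdin, skip the header, classify every socket.
exposure_map() {
  awk 'NR > 1 { print $1, $5, $7 }' |
  while read -r proto local_addr proc; do
    classify_socket "$proto" "$local_addr" "${proc:-unknown}"
  done
}

# unexpected_count: number of sockets reachable from all interfaces that are not allowlisted.
unexpected_count() {
  exposure_map | awk '/public-UNEXPECTED/ { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; on a real server run: sudo ss -tulpn | exposure_map
printf '%s\n' "$SAMPLE_SS" | exposure_map
```

Save the `exposure_map` output with the date as the written exposure map from step 10, and rerun it after each deployment to catch new `public-UNEXPECTED` lines.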

Rollback Plan

If closing a port breaks a required service, restore the previous firewall rule temporarily, then redesign access using a safer method such as reverse proxy, VPN or IP restriction.

Common Mistakes

  • Opening all ports.
  • Leaving test dashboards public.
  • Forgetting Docker published ports.
  • Relying only on application passwords.
  • No written exposure map.

Related Commands

sudo ss -tulpn
sudo ufw status numbered
docker ps
systemctl list-units --type=service --state=running
curl -I https://example.com


Disclaimer: The guides, checklists, commands, and examples on HalfBrain.net are provided for educational and operational reference only. Server environments, hosting providers, software versions, security settings, and WordPress configurations can vary, so you should always review commands before running them on your own system. We do our best to keep the content accurate and useful, but we cannot guarantee that every command, configuration, or recommendation will fit every environment. Always back up your website, database, and server configuration before making changes. HalfBrain.net is not responsible for data loss, downtime, security incidents, misconfiguration, or other issues that may result from applying the information on this website. Use the material at your own discretion.
