
VPS security hardening checklist for production workloads

A practical baseline for securing KVM VPS instances on Proxmox—SSH, firewalls, updates, and monitoring before you ship traffic.

When you move from shared hosting to a Nexelya VPS, you gain root access and full control—which also means you own the security boundary. This checklist is what we recommend to Nexelya customers before pointing production DNS at a new instance.

Start with access control

  • Disable password SSH and use Ed25519 keys only. Store keys in your team password manager, not in chat logs.
  • Create a non-root sudo user and disable direct root login over SSH.
  • Restrict SSH to known IPs when possible (office VPN, bastion, or Cloudflare Tunnel).

```sh
# Example: allow SSH only from your office / bastion address
# (ufw's default policy already denies unsolicited incoming traffic)
ufw allow from 203.0.113.10 to any port 22 proto tcp
ufw enable
```

Patch and automate updates

Unpatched kernels and packages are still the most common entry path. Enable unattended security updates on Debian/Ubuntu, or use dnf-automatic on Alma/Rocky. Schedule a monthly maintenance window to reboot after kernel updates—Nexelya gives you clean power controls and KVM console access when you need eyes on boot.

Network segmentation

  • Bind application services to private interfaces when traffic should only come from a load balancer or reverse proxy.
  • Use ufw or nftables with a default-deny policy; open only 80/443 (and admin ports from trusted sources).
  • If you run databases on the same VPS as the app for small workloads, never expose MySQL/Postgres to the public internet.

Application-layer basics

  • Terminate TLS at Caddy, nginx, or Traefik with auto-renewing certificates.
  • Run web apps as unprivileged users; containerize when it simplifies dependency isolation.
  • Rotate API keys and database passwords on the same cadence as employee offboarding.

Monitoring and backups

Security without visibility is guesswork. Ship logs to a central sink (Loki, CloudWatch, or your SIEM), alert on failed SSH bursts, and test restores—not just backups. Nexelya usage graphs help spot abnormal CPU or disk patterns early.
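To make the "alert on failed SSH bursts" item concrete, here is an added example (not Nexelya's tooling) that scans sshd `auth.log` lines and flags any source address with five or more failed logins inside a 60-second window. The log lines are constructed, and the year is assumed because classic syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not real traffic); the year is assumed
# because classic syslog timestamps omit it.
SAMPLE_LOG = """\
Mar 10 02:14:01 vps1 sshd[2311]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 10 02:14:03 vps1 sshd[2313]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar 10 02:14:05 vps1 sshd[2315]: Failed password for invalid user test from 198.51.100.7 port 51030 ssh2
Mar 10 02:14:06 vps1 sshd[2317]: Failed password for invalid user oracle from 198.51.100.7 port 51034 ssh2
Mar 10 02:14:08 vps1 sshd[2319]: Failed password for root from 198.51.100.7 port 51040 ssh2
Mar 10 02:20:10 vps1 sshd[2340]: Failed password for deploy from 203.0.113.10 port 40210 ssh2
Mar 10 02:20:25 vps1 sshd[2342]: Accepted publickey for deploy from 203.0.113.10 port 40212 ssh2: ED25519 SHA256:constructed
Mar 10 03:01:00 vps1 sshd[2400]: Failed password for root from 198.51.100.7 port 52000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)

def parse_failed_logins(text, year=2024):
    """Yield (timestamp, source_ip) for each sshd 'Failed password' line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def detect_bursts(events, threshold=5, window_seconds=60):
    """Return {ip: time_threshold_crossed} for IPs with >= threshold failures in one window."""
    recent = defaultdict(deque)  # sliding window of failure timestamps per source IP
    alerts = {}
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

def alerts_for_log(text):
    return detect_bursts(parse_failed_logins(text))

if __name__ == "__main__":
    for ip, when in alerts_for_log(SAMPLE_LOG).items():
        print(f"ALERT: {ip} crossed the failed-login threshold at {when:%H:%M:%S}")
```

In production you would feed this the same stream you ship to Loki or your SIEM and page on the alert, rather than reading a static file.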

When dedicated makes more sense

High-traffic databases, compliance boundaries, or hardware crypto often push teams toward dedicated servers. VPS remains ideal for stateless app tiers, staging, and bursty workloads where you want fast reprovisioning via ISO reimage.


Next steps: Compare VPS plans or open a ticket from your dashboard if you want guidance migrating from another provider. Nexelya is powered by [Nexelya](https://nexelya.com.