Running an app on a VPS?

Your server has gaps.
Find them before
someone else does.

Most VPS servers ship with security gaps from day one. One command tells you exactly which ones, and how to fix them.

  • Runs on your server. We never get SSH access.
  • Nothing installed permanently. The agent deletes itself.
  • Results in minutes. Nothing to configure.

Have the command? Paste it into your server terminal:

root@your-server $ curl -sSL audit.securecodehq.com/run/YOUR_CODE | bash
Connecting... audit ready
Detecting your server...
  OS: Ubuntu 22.04 • Docker: active • Nginx: active

[1/6] Admin login via SSH ........ CRITICAL
[2/6] SSH on default port .... OK
[3/6] Firewall configured ........ WARNING
[4/6] Automatic attack blocking ... OK
[5/6] Credentials exposed in Git  CRITICAL
[6/6] Security patches pending ........ WARNING

Report sent to your inbox.

Most VPS servers ship misconfigured.
Nobody checks.

You set up your server once, deploy your app, and move on. These four issues are sitting on hundreds of thousands of servers right now.

🔒
22%
of all analyzed breaches involve compromised credentials
The root password is the master key to the server

Most VPS instances are deployed with SSH admin access enabled; it is the default configuration from nearly every provider. Any attacker who gets your password gains full control, with no vulnerability to exploit. A weak root password can be brute-forced in minutes.

Compromised credentials have been the number one attack vector for 10 consecutive years, according to the most cited breach report in the industry.
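The two SSH login settings behind this finding can be checked locally. The script below is an added example, not Server Audit's agent: it parses sshd_config-style text from a constructed sample, and the helper names and sample values are assumptions.

```shell
#!/usr/bin/env bash
# Return the effective value of one sshd directive from config text on stdin.
# sshd honours the FIRST occurrence of a keyword and ignores later duplicates;
# comments and blank lines are skipped and keyword matching is case-insensitive.
sshd_value() {
  awk -v key="$1" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == tolower(key) { print tolower($2); exit }
  '
}

# Evaluate the two SSH login checks. Prints one line per check and returns 0
# only when both pass. Absent directives take the OpenSSH defaults:
# PermitRootLogin=prohibit-password, PasswordAuthentication=yes.
check_ssh_config() {
  local cfg="$1" status=0 root pass
  root=$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)
  pass=$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)
  : "${root:=prohibit-password}" "${pass:=yes}"
  if [ "$root" = yes ]; then
    echo "CRITICAL  root can log in with a password (PermitRootLogin yes)"
    status=1
  else
    echo "OK        PermitRootLogin $root"
  fi
  if [ "$pass" = yes ]; then
    echo "WARNING   password authentication enabled; prefer key-only login"
    status=1
  else
    echo "OK        PasswordAuthentication $pass"
  fi
  return "$status"
}

# Constructed sample: a typical provider default that fails both checks. The
# trailing 'no' is ignored because an earlier line already set the value.
WEAK_CFG='# provider default
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no'

# Hardened version of the same file (apply only after an SSH key is in place).
HARD_CFG='PermitRootLogin prohibit-password
PasswordAuthentication no'

# On a real host, run as root against the effective configuration, which also
# resolves Include files and Match blocks:  check_ssh_config "$(sshd -T)"
```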

📈
8,000+
Redis servers without a password exposed on the internet
Your users' data, readable by anyone

Trend Micro scanned the internet with Shodan and found over 8,000 Redis instances without a password or encryption, some on AWS, Azure, and Google Cloud. Any attacker can connect, read, or delete all data in seconds. No credentials needed. No warning from your hosting provider.

Redis was designed for trusted environments, not to be exposed to the internet. Its official documentation warns about this. Yet thousands of servers do it, with user sessions, cache, and temporary data from all their clients accessible to anyone.

📸
Thousands
of Docker hosts accessible from the internet detected by Shodan
Your firewall doesn't see the ports Docker opens

Docker writes its own iptables rules directly, ahead of the chains UFW manages, so UFW never sees that traffic. You can have port 5432 blocked in your firewall while your database is fully accessible because Docker opened it on the host. Palo Alto Unit 42 documented exposed Docker servers identifiable on Shodan in seconds.

This behavior is documented by Docker's own creators. Your database might be open to the internet even though you are sure you closed that port.
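One way to see this on your own host is to read the DNAT rules Docker writes into the nat table. This is an added example, not Server Audit's agent; it runs over a constructed sample of iptables -t nat -S DOCKER output and assumes Docker's default iptables backend, the function names are assumptions.

```shell
#!/usr/bin/env bash
# Print one line per published port: "<dport> <dest> <exposed|local>".
# Docker adds "-d 127.0.0.1/32" only when a port was published as
# -p 127.0.0.1:host:container. A rule with no -d matches any destination
# address, so that port answers from the internet whatever UFW says.
docker_published_ports() {
  awk '
    /-j DNAT/ {
      dport = "?"; dest = "0.0.0.0/0"
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-d")      dest  = $(i + 1)
      }
      print dport, dest, (dest ~ /^127\./ ? "local" : "exposed")
    }
  '
}

# Return 0 when every published port is confined to loopback, 1 otherwise.
docker_exposure_ok() {
  ! docker_published_ports | grep -q ' exposed$'
}

# Constructed sample of `iptables -t nat -S DOCKER`: Postgres published with
# -p 5432:5432 (reachable from anywhere) and Redis with -p 127.0.0.1:6379:6379.
SAMPLE_NAT='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379'

# Fix for the exposed port: republish it bound to loopback
#   docker run -p 127.0.0.1:5432:5432 ...
# or drop it in DOCKER-USER, the chain Docker evaluates before its own FORWARD
# rules and the only place UFW-style rules reliably apply to container traffic
# (match the container-side port: DNAT has already rewritten the destination):
#   iptables -I DOCKER-USER -i eth0 -p tcp --dport 5432 -j DROP

# On a real host:  iptables -t nat -S DOCKER | docker_exposure_ok || echo "exposed"
```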

📄
23.8M
credentials leaked in public GitHub commits in 2024 alone
Your passwords are in your source code

Database passwords, API keys, Stripe secrets. GitGuardian analyzed 1.4 billion commits in 2024 and found nearly 24 million exposed credentials, a 25% increase from the previous year. A key gets pushed to a private repo, the repo goes public later, and the key stays in Git history forever.

70% of secrets leaked in 2022 were still active in 2024. If the repo was public even for a minute, those credentials are already in search indexes, and they still work.
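The "still in Git history" problem is easy to reproduce. The script below is an added example, not Server Audit's agent: it builds a throwaway repository, commits a constructed placeholder secret, deletes the file the way most people "fix" a leak, and then scans every reachable commit rather than only the working tree. The regex, variable names and placeholder value are assumptions.

```shell
#!/usr/bin/env bash
# Regex for the kinds of assignment to look for; the variable names are examples.
SECRET_RE='(DB_PASSWORD|API_KEY|STRIPE_SECRET|AWS_SECRET_ACCESS_KEY)[[:space:]]*=[[:space:]]*.{8,}'

# Print "<commit>:<path>:<line>:<text>" for every match in every commit that is
# still reachable, not only in HEAD. Exits 0 if at least one match was found.
scan_history_for_secrets() {
  git -C "$1" rev-list --all |
    xargs git -C "$1" grep -nIE "$SECRET_RE" 2>/dev/null |
    grep .
}

# Number of distinct commits still carrying a secret. A file deleted in a later
# commit still counts: the key is gone from the working tree, not from the repo.
commits_with_secret() {
  scan_history_for_secrets "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Build the scenario in a throwaway repo: commit a .env holding a constructed
# placeholder value, then "fix" it the way most people do, by deleting the file.
make_demo_repo() {
  local repo
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.name demo
  git -C "$repo" config user.email demo@example.com
  printf 'DB_PASSWORD=EXAMPLE_NOT_A_REAL_SECRET_123\n' > "$repo/.env"
  git -C "$repo" add .env
  git -C "$repo" commit -q -m 'add config'
  git -C "$repo" rm -q .env
  git -C "$repo" commit -q -m 'remove secret from repo'
  echo "$repo"
}

# The only real fix is to rotate the credential. Rewriting history (for example
# with git filter-repo) shrinks the blast radius, but clones and forks keep their
# copies, and if the repo was ever public, assume the value is already indexed.
```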

Who is Server Audit for

We audit your server's security, not your code. If you manage a Linux VPS with services exposed to the internet, this is for you.

It works for you if...
  • You have a self-managed Linux VPS (Hetzner, DigitalOcean, Linode, AWS EC2, OVH...)
  • You are responsible for the server's security (no dedicated DevOps team)
  • You have at least one app, API, or service exposed to the internet
Not for you if...
  • You use shared hosting (cPanel, Plesk). You don't have root access
  • Your app runs on serverless (Vercel, Netlify, Lambda). There is no server to audit
  • You use a managed PaaS (Heroku, Railway, Render). Your provider manages the infrastructure
  • Your server runs Windows. The agent requires Linux with bash
It doesn't matter if you use...
  • PHP, Python, Node.js, Ruby, Go, Rust, Java...
  • WordPress, Laravel, Django, Express, Next.js...
  • Docker, Podman, or bare metal
  • PostgreSQL, MySQL, MongoDB, Redis, or no database at all

The audit adapts to your stack. If you use Docker, we check your containers. If you have Redis, we verify its configuration. If you don't have them, we focus on the other attack surfaces.

Three steps from zero to report

No agent to keep running. No persistent access to your server. Nothing to configure.

1. Enter your email

We email you the command to run on your server. No password, no account setup, no credit card.

2. Run one command

SSH into your server and paste the command we sent. It runs locally, collects findings, and exits cleanly. Nothing is installed permanently.

3. Read your report

A detailed report lands in your inbox. Every finding includes the specific command to fix it, not a generic recommendation.

This is what a paid report looks like

Every finding is specific to your server. Not a generic checklist. The report covers all 25 checks plus an external port scan, with exact fix commands for each finding.

  • Overall score with grade (A-F) and numeric score 0-100
  • Category breakdown: SSH, Secrets, Docker, System, External network, Logs
  • Prioritized action plan with complexity and improvement points
  • Exact terminal commands to fix each issue

25 checks across 7 attack surfaces

The free audit covers the 6 most critical issues. The paid audit runs all 25 checks plus an external scan from our servers against your public IP.

Tier: Free = included in the free audit, Paid = paid report only.

| Check | Tier | Severity | What it means |
|---|---|---|---|
| SSH root login enabled | Free | Critical | Direct root access enabled. Any attacker who guesses the password gains full control of the server. |
| SSH on default port | Free | Warning | Port 22 is the first one automated bots scan. Changing it reduces attack noise. |
| Password login enabled | Paid | Warning | Passwords can be brute-forced. SSH key-only login prevents this entirely. |
| Unknown SSH keys | Paid | Info | Unexpected keys in authorized_keys could mean someone has access you didn't authorize. |
| Credentials exposed in Git | Free | Critical | Database passwords and API keys committed to a repository, visible to anyone with repo access. |
| Pending security patches | Free | Critical | Known vulnerabilities with public exploits that haven't been patched yet. |
| Config file permissions | Paid | Warning | Checks if configuration files with credentials are readable by other server users. |
| Credentials in process list | Paid | Critical | Passwords visible in the running process list. Any server user can read them. |
| .git directory exposed via HTTP | Paid | Critical | .git directory is publicly accessible. Anyone can download the source code and repository credentials. |
| Firewall configured | Free | Critical | Checks which ports are open to the internet and if the firewall is active. |
| IPv6 without firewall rules | Paid | Critical | IPv6 enabled but no firewall rules. Ports blocked by IPv4 may be accessible via IPv6. |
| Automatic attack blocking | Free | Critical | Checks if repeated failed login attempts are automatically blocked. |
| Admin user accounts | Paid | Warning | Checks how many accounts have full admin access. More than needed increases risk. |
| System disk usage | Paid | Info | Disk occupancy level. A full disk can cause service outages and log loss. |
| SSL certificate expiry | Paid | Warning | When a certificate expires, your site shows a security warning and users can't connect. |
| Apps running as admin | Paid | Warning | Containers running as root. If the app is compromised, the attacker gains full server access. |
| Docker bypasses firewall | Paid | Critical | Docker can open ports to the internet that your firewall never sees. |
| Unprotected Docker API | Paid | Critical | An unprotected Docker API gives anyone on the network full control over all your containers. |
| Docker socket mounted in container | Paid | Critical | docker.sock mounted inside a container. If that container is compromised, the attacker controls all of Docker. |
| Database open to internet | Paid | Critical | Your PostgreSQL database is accessible from the internet. No credentials needed to connect. |
| Cache database unprotected | Paid | Critical | Redis without a password. Any process on your network can read or flush your session data. |
| MongoDB open to internet | Paid | Critical | MongoDB accessible without authentication from the internet. |
| Login attack history | Paid | Info | How many failed login attempts in the last 24 hours and from which IPs. |
| Top attacker IPs | Paid | Info | The addresses most actively trying to access your server, with reputation data. |
| Active attack detected | Paid | Warning | Unusually high number of login failures in the last hour, possible brute-force attack in progress. |
| What attackers see from outside | Paid | Critical if open | Scan from our servers against your public IP. Shows what's truly accessible from the internet, regardless of your local firewall. |

One-time payment. No subscriptions.

No recurring charges. Pay once per server, get your report, fix your server.

Free
$0 per server

The 6 checks that matter most. No credit card, no catch. Up to 3 servers free.

  • 6 essential security checks
  • SSH, firewall, attack blocking, Git secrets, SSH port, updates
  • Server-specific findings
  • Single use per token, one token per server
  • Token valid for 30 days
  • Nothing installed permanently

Start with the free audit. If it finds issues, the full report is $9. One payment, no subscription.

Questions we get asked

Does anything get installed on my server?

No. The script downloads a temporary file, runs the checks, sends the results to our API, and then deletes itself. After the audit completes, nothing remains on your server.

You need Node.js available on your server. If it is not installed, the script will tell you and exit without doing anything.

Does it analyze my application code?

No. Server Audit checks your server's security configuration: SSH, firewall, Docker, databases, SSL certificates, file permissions, and exposed ports. It does not review your application source code.

The language or framework you use (PHP, Python, Node.js, Go, Rust) does not matter. We audit the server your app runs on, not the app itself. If you need source code analysis, you need a SAST or DAST tool.

Do you get access to my server?

No. The audit runs entirely on your machine. You paste one command into your own terminal. We never receive SSH credentials, private keys, or any form of remote access.

The script sends only the check results (whether specific settings are enabled or disabled, which ports are open) to our API. It does not transmit file contents, passwords, or application data.

What exactly does the script send back?

Only the output of each security check: whether admin SSH login is enabled, which ports are open, whether automatic attack blocking is running, and similar yes/no or numeric values.

It does not send file contents, database contents, application code, or the values of any environment variables.

What Linux distributions are supported?

Ubuntu 20.04, 22.04, and 24.04. Debian 11 and 12. The script detects your OS at startup and adapts its checks accordingly. Requires systemd.

Running on a different distribution? Generic checks will still run. Anything distro-specific will be skipped with a note in the report.

What is the difference between the free and paid report?

The free audit runs 6 checks focused on the most common and highest-impact issues: admin SSH login, firewall state, automatic attack blocking, credentials in Git, pending updates, and SSH port. It shows a qualitative status without a numeric score.

The paid audit runs all 25 checks across SSH, filesystem, firewall, Docker, databases, system, and logs, plus an external port scan from our servers. It gives you a grade (A–F) with a numeric score (0–100), a full explanation of each finding, and exact terminal commands to fix each issue.

How does the token model work?

Each token is bound to a server (IP) on first use. One token = one server. Free tokens are single-use and expire after 30 days. You can create up to 3 free tokens.

Each paid credit ($9) lets you create a new token with access to all 25 checks and 90 days of validity.

Can I audit more than one server?

Yes. Each server needs its own token. With the free plan you can create up to 3 tokens (3 servers). For more servers or full audits, each one costs $9.

Each token is bound to the server's IP on first use and cannot be reused on another server.

Is the report safe to share with my team?

The report contains security findings specific to your server, including which vulnerabilities are present. Treat it like any security document: share it with people who need to act on it, do not post it publicly.

We do not publish reports. Each report is only accessible to the email address that requested the audit.

Do I need server experience to use this?

No. You just need to be able to SSH into your server. We explain how in the email we send you. Paste one command, wait 2 minutes, and get a report in your inbox with every issue explained in plain language and the exact command to fix it.

If anything in the report is unclear, you can open a support ticket directly from your dashboard.

Can the audit break anything on my server?

No. The audit only reads information from your server. It does not change configuration, restart services, or install anything. Think of it like a blood test for your server: it checks the state but does not touch anything.

The script deletes itself automatically when done. Your server stays exactly as it was.

Free security audit.
One command. No strings attached.

Start with 6 essential checks at no cost. Upgrade to the full 25-check report if you find issues worth digging into.

No credit card. Nothing installed. Free for up to 3 servers.