I have a strict personal rule: no matter what I buy a new VPS for (building websites, running projects, or anything else), I never rush into deploying my actual workload right away. The reason is simple: some providers' pre-installed images are far from clean. A few even come with hidden monitoring tools or unwanted background processes. If you start using it without proper testing and later run into performance or network issues, you'll never know whether it's due to overselling or just bad configuration.
Spending one or two hours following this checklist can save you dozens of hours of painful troubleshooting later.
Step 1: Benchmark the Server (Know What You Actually Bought)
Once you SSH into the server, don't install anything yet. The first thing you should do is run a few test scripts. There are three main goals:
- Verify the specs: Check whether the CPU model, RAM amount, and disk performance match what the provider advertised. If the Geekbench 5 single-core score is suspiciously low, it's very likely oversold. Disk read/write speeds below 100 MB/s usually mean you're getting a low-quality drive, not suitable for databases or high-load applications.
- Network inspection: Test the return route quality. Is it true CN2 GIA or just regular 163? Late-night packet loss tells you much more about real-world experience than the advertised bandwidth. Some providers hide their routing or treat small and large packets differently; good test scripts will expose this.
- Streaming unlock check: If you bought a residential or "unlocked" IP, you'll want to confirm whether Netflix, Disney+, and other streaming services actually work.
I usually run one of these two scripts:
Option A (Quick & Clean): NQ test script (simple output, great for a fast hardware overview):
bash <(curl -sL https://run.NodeQuality.com)
Option B (Most Comprehensive, my personal favorite): The "Fusion Monster" script, which includes CPU benchmarking, disk speed, streaming unlock detection, and more:
bash <(wget -qO- https://gitlab.com/spiritysdx/za/-/raw/main/ecs.sh)
Benchmarks aren't perfect, but they're excellent at revealing obvious overselling or garbage hardware.
Step 2: Reinstall a Clean Operating System
Even if the provider offers a โDebian 12โ image, I always reinstall it myself. The goal is to get a completely stock kernel and remove any pre-installed monitoring agents or junk processes. Some Chinese providersโ images come with all kinds of background services โ youโll never know whatโs running unless you wipe it clean.
I usually use the popular Kejilion (็งๆLion) reinstall script. Itโs reliable, well-maintained, and supports most mainstream systems:
bash <(curl -sL kejilion.sh)
Choose reinstall and select Debian 12.
Important: After reinstallation, SSH will disconnect. Wait 5-10 minutes, then reconnect. The very first thing you should do is change the default root password. The script usually sets a known default password (e.g. LeitboGi0). Leaving it unchanged is asking to get brute-forced:
passwd
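The one-liners in Steps 1 and 2 feed a remote script straight into a root shell, so nothing is left on disk to review. As an added example (not from the original post or from any of the script authors), this wrapper downloads over HTTPS only, checks a SHA-256 you recorded after reading the script, and only then runs it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# verify_sha256 FILE EXPECTED_HEX -> 0 only if FILE exists and its hash matches.
verify_sha256() {
    [ -f "$1" ] && [ -n "$2" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# run_pinned URL EXPECTED_HEX [ARGS...]
# Returns 2 for bad usage or a non-HTTPS URL, 1 on download failure or hash
# mismatch, otherwise the exit status of the script that was run.
run_pinned() {
    [ "$#" -ge 2 ] || { echo "usage: run_pinned URL SHA256 [ARGS...]" >&2; return 2; }
    url=$1; expected=$2; shift 2
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    # --proto '=https' also blocks a redirect down to plain HTTP.
    if ! curl -fsSL --proto '=https' -o "$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed: $url" >&2; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "hash mismatch, not running: $url" >&2
        echo "got $(sha256sum "$tmp" | cut -d' ' -f1)" >&2
        rm -f "$tmp"; return 1
    fi
    bash "$tmp" "$@"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# First use: curl -fsSL -o script.sh <url>; read it; sha256sum script.sh
# Later:     run_pinned <url> <the sha256 you recorded>
```

A scheme-less argument such as `kejilion.sh` is rejected as well, because curl would try it over plain HTTP first.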
Step 3: Basic Security Hardening
The public internet is brutal. I've seen fresh servers get hit with hundreds of brute-force attempts within minutes if left unprotected. These three steps are non-negotiable on every machine I set up:
1. Change the SSH port (move it to a high port between 20000-65535 to avoid 99% of automated scans):
nano /etc/ssh/sshd_config
# Change #Port 22 to Port [your chosen port]
systemctl restart sshd
2. Set up SSH key authentication and disable password login
Generate the key pair locally:
ssh-keygen -t ed25519 -C "your_email@example.com"
Copy it to the server (using the new port):
ssh-copy-id -p [your_port] root@your_server_ip
Once key login works, disable password authentication:
nano /etc/ssh/sshd_config
# Change PasswordAuthentication yes → no
systemctl restart sshd
3. Configure UFW firewall + Fail2Ban
# Install UFW (not part of a default Debian 12 install)
apt update && apt install ufw -y
# Allow necessary ports
ufw allow [your_ssh_port]/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
# Install Fail2Ban
apt install fail2ban -y
systemctl enable fail2ban
systemctl start fail2ban
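One way to confirm that Step 3 actually took effect, as an added example that is not from the original post: Debian 12's stock sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top and sshd keeps the first value it reads, so a leftover drop-in can keep password login enabled after you edit the main file. The function below (hypothetical name `audit_sshd`) checks the effective values printed by `sshd -T`; the sample inputs are constructed, and the keyboard-interactive check goes slightly beyond the steps above.

```shell
#!/bin/sh
# Added example, not from the original post. audit_sshd is a hypothetical name.
# Reads `sshd -T` output (lowercase "keyword value" lines) on stdin and checks
# the settings Step 3 is meant to produce. Exit status 0 = all checks passed.
audit_sshd() {
    awk '
        $1 == "port" {
            seen = 1
            if ($2 + 0 < 20000 || $2 + 0 > 65535) bad_port = bad_port " " $2
        }
        $1 == "passwordauthentication"       { pw  = $2 }
        # With PAM, keyboard-interactive can still prompt for a password.
        $1 == "kbdinteractiveauthentication" { kbd = $2 }
        $1 == "pubkeyauthentication"         { pk  = $2 }
        END {
            if (!seen)          { print "FAIL no port line in input"; rc = 1 }
            if (bad_port != "") { print "FAIL port outside 20000-65535:" bad_port; rc = 1 }
            if (pw  != "no")    { print "FAIL passwordauthentication=" pw; rc = 1 }
            if (kbd != "no")    { print "FAIL kbdinteractiveauthentication=" kbd; rc = 1 }
            if (pk  != "yes")   { print "FAIL pubkeyauthentication=" pk; rc = 1 }
            if (!rc) print "OK"
            exit rc + 0
        }'
}

# Constructed sample: sshd_config was edited as in Step 3, but a drop-in under
# /etc/ssh/sshd_config.d/ is read first and still sets "yes", so it wins.
SAMPLE_OVERRIDDEN='port 22022
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Constructed sample: the state Step 3 is aiming for.
SAMPLE_HARDENED='port 22022
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || true
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd
# On the server itself (as root): sshd -t && sshd -T | audit_sshd
```

Run the live check from your existing session and confirm key login in a second terminal before closing the first one.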
Step 4: System Initialization
After securing the server, do some basic housekeeping:
Update packages and set timezone:
apt update && apt upgrade -y
timedatectl set-timezone Asia/Shanghai
Add Swap (especially important on low-memory machines): I usually create 1.5-2× the RAM size.
fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab
Note: Swap is slow; it's only a last resort to prevent OOM crashes. On high-memory machines, it's often unnecessary.
Change DNS (optional): Some overseas providers have slow DNS resolution for Chinese domains. I usually switch to Google and Cloudflare:
sudo tee /etc/resolv.conf <
Special note: If you bought a streaming-unlock VPS, do NOT change the DNS. The provider usually sets custom DNS for unlocking; changing it will break streaming access immediately.
Step 5: Kernel & Network Optimization (Optional but Worth Trying)
Debian 12 already enables BBR by default, but for high-latency international links, additional TCP tuning can improve throughput. Results vary: some see clear improvement, others don't. It's not mandatory, but worth testing.
Simple option: Neko's TCP optimization script (just choose the recommended preset):
bash <(curl -L https://raw.githubusercontent.com/chiakge/Linux-NetSpeed/master/tcp.sh)
Advanced option: The tcp.xteko.com optimizer. It generates custom settings based on your memory and latency, automatically backs up the original config, and is easy to revert if it doesn't help. I personally prefer this one for its flexibility.
Only After These Five Steps Is the Server Truly Yours
| Step | Purpose | Must Do? |
| --- | --- | --- |
| Benchmarking | Verify real specs and catch overselling | ✅ Must do |
| Reinstall OS | Get a clean, trustworthy base system | ✅ Strongly recommended |
| Security Hardening | Prevent being hacked or turned into a bot | ✅ Must do |
| System Initialization | Set up a sane working environment | ✅ Must do |
| Network Tuning | Maximize network performance | ⚡ Optional / situational |
Benchmarking gives you confidence in what you paid for. Reinstalling gives you a clean foundation. Hardening lets you sleep at night. Initialization and tuning help the machine reach its full potential.
After completing this workflow, whether I'm building sites, running automation tools, or deploying services, I feel much more at ease.