I have a strict personal rule: no matter what I buy a new VPS for — building websites, running projects, or anything else — I never rush into deploying my actual workload right away. The reason is simple: some providers’ pre-installed images are far from clean. A few even come with hidden monitoring tools or unwanted background processes. If you start using it without proper testing and later run into performance or network issues, you’ll never know whether it’s due to overselling or just bad configuration.
Spending one or two hours following this checklist can save you dozens of hours of painful troubleshooting later.
Step 1: Benchmark the Server — Know What You Actually Bought
Once you SSH into the server, don’t install anything yet. The first thing you should do is run a few test scripts. There are three main goals:
- Verify the specs: Check whether the CPU model, RAM amount, and disk performance match what the provider advertised. If the Geekbench 5 single-core score is suspiciously low, it’s very likely oversold. Disk read/write speeds below 100MB/s usually mean you’re getting a low-quality drive — not suitable for databases or high-load applications.
- Network inspection: Test the return route quality. Is it true CN2 GIA or just regular 163? Late-night packet loss tells you much more about real-world experience than the advertised bandwidth. Some providers hide their routing or treat small and large packets differently — good test scripts will expose this.
- Streaming unlock check: If you bought a residential or “unlocked” IP, you’ll want to confirm whether Netflix, Disney+, and other streaming services actually work.
I usually run one of these two scripts:
Option A (Quick & Clean): NQ test script — simple output, great for a fast hardware overview:
bash <(curl -sL https://run.NodeQuality.com)
Option B (Most Comprehensive — my personal favorite): The “Fusion Monster” script, which includes CPU benchmarking, disk speed, streaming unlock detection, and more:
bash <(wget -qO- https://gitlab.com/spiritysdx/za/-/raw/main/ecs.sh)
Benchmarks aren’t perfect, but they’re excellent at revealing obvious overselling or garbage hardware.
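The benchmark scripts above, like the reinstall and tuning scripts in later steps, are downloaded and executed as root in a single command. The following is an added example, not part of the original post: it saves the script first, pins its SHA-256 once you have read it, and refuses to run a copy that has changed. The function names and the stand-in script are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: save the script, pin its hash,
# then run it, instead of piping a download straight into a root shell.

# Download over verified TLS only; bare hosts and http:// are refused.
fetch_script() {    # usage: fetch_script <https-url> <outfile>
    case $1 in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' -o "$2" "$1"
}

# Run the file only if its SHA-256 still equals the value noted at review time.
run_if_pinned() {   # usage: run_if_pinned <file> <expected_sha256> [args...]
    pinned_file=$1 expected=$2
    shift 2
    actual=$(sha256sum "$pinned_file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $pinned_file (got $actual), not running" >&2
        return 1
    fi
    bash "$pinned_file" "$@"
}

# Constructed stand-in for a benchmark script, so the demo runs offline.
make_sample_script() {   # usage: make_sample_script <outfile>
    printf '%s\n' '#!/bin/bash' 'echo "benchmark ok"' > "$1"
}

work=$(mktemp -d)
make_sample_script "$work/bench.sh"
pin=$(sha256sum "$work/bench.sh" | awk '{ print $1 }')   # recorded after reading it
run_if_pinned "$work/bench.sh" "$pin"                    # hash matches: runs
echo 'echo "extra line"' >> "$work/bench.sh"             # file changed since review
run_if_pinned "$work/bench.sh" "$pin" || echo "blocked"  # mismatch: refused
fetch_script kejilion.sh "$work/k.sh" || echo "blocked"  # no scheme: refused
rm -rf "$work"
```

In real use, call `fetch_script https://run.NodeQuality.com nq.sh`, read `nq.sh`, note its hash, and pass that hash to `run_if_pinned` on every machine you set up.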
Step 2: Reinstall a Clean Operating System
Even if the provider offers a “Debian 12” image, I always reinstall it myself. The goal is to get a completely stock kernel and remove any pre-installed monitoring agents or junk processes. Some Chinese providers’ images come with all kinds of background services — you’ll never know what’s running unless you wipe it clean.
I usually use the popular Kejilion (科技Lion) reinstall script. It’s reliable, well-maintained, and supports most mainstream systems:
bash <(curl -sL kejilion.sh)
Choose reinstall and select Debian 12.
Important: After reinstallation, SSH will disconnect. Wait 5–10 minutes, then reconnect. The very first thing you should do is change the default root password. The script usually sets a known default password (e.g. LeitboGi0). Leaving it unchanged is asking to get brute-forced:
passwd
Step 3: Basic Security Hardening
The public internet is brutal. I’ve seen fresh servers get hit with hundreds of brute-force attempts within minutes if left unprotected. These three steps are non-negotiable on every machine I set up:
1. Change the SSH port (move it to a high port between 20000–65535 to avoid 99% of automated scans):
nano /etc/ssh/sshd_config
# Change #Port 22 to Port [your chosen port]
systemctl restart sshd
2. Set up SSH key authentication and disable password login
Generate the key pair locally:
ssh-keygen -t ed25519 -C "[your_email]"
Copy it to the server (using the new port):
ssh-copy-id -p [your_port] root@your_server_ip
Once key login works, disable password authentication:
nano /etc/ssh/sshd_config
# Change PasswordAuthentication yes → no
systemctl restart sshd
3. Configure UFW firewall + Fail2Ban
# Allow necessary ports
ufw allow [your_ssh_port]/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
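# Install Fail2Ban (its stock sshd jail is defined for the default SSH port, so set port = [your_ssh_port] under [sshd] in /etc/fail2ban/jail.local)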
apt install fail2ban -y
systemctl enable fail2ban
systemctl start fail2ban
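Setting PasswordAuthentication to no in /etc/ssh/sshd_config (item 2 above) has no effect if a file under /etc/ssh/sshd_config.d/ sets the keyword first. The following is an added example, not part of the original post: it resolves the value in the order sshd reads its files. The function names and the drop-in file 50-provider.conf are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. For most keywords sshd keeps the
# FIRST value it reads, and Debian 12's stock sshd_config starts by including
# /etc/ssh/sshd_config.d/*.conf, so a drop-in there beats a later edit.
# Simplified: absolute Include paths, "Keyword value" syntax, Match blocks skipped.

# Emit "<file> <keyword> <value>" lines in the order sshd reads them.
flatten_sshd_config() (
    file=$1
    while read -r key rest || [ -n "$key" ]; do
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $lkey in
            ''|'#'*) ;;
            match)   break ;;             # global section of this file ends here
            include)
                for inc in $rest; do      # unquoted on purpose: expand the glob
                    if [ -f "$inc" ]; then flatten_sshd_config "$inc"; fi
                done ;;
            *) printf '%s %s %s\n' "$file" "$lkey" "$rest" ;;
        esac
    done < "$file"
    true
)

# Print "<value> <file>" for the first occurrence of a keyword.
effective_sshd_value() {   # usage: effective_sshd_value <main_config> <keyword>
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    flatten_sshd_config "$1" | awk -v k="$want" '$2 == k { print $3, $1; exit }'
}

# Constructed sample: the main file has the edit from item 2, while a
# hypothetical provider drop-in (50-provider.conf) turns passwords back on.
build_sample() {   # usage: build_sample <dir>
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-provider.conf"
    printf '%s\n' "Include $1/sshd_config.d/*.conf" '#Port 22' 'Port 22022' \
        'PasswordAuthentication no' > "$1/sshd_config"
}

sample=$(mktemp -d)
build_sample "$sample"
effective_sshd_value "$sample/sshd_config" PasswordAuthentication  # drop-in wins
rm -f "$sample/sshd_config.d/50-provider.conf"
effective_sshd_value "$sample/sshd_config" PasswordAuthentication  # main file now
rm -rf "$sample"
```

On the live server, `sshd -T | grep -i passwordauthentication` prints the value the daemon will actually use, and `sshd -t` checks the configuration for errors before you restart the service.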
Step 4: System Initialization
After securing the server, do some basic housekeeping:
Update packages and set timezone:
apt update && apt upgrade -y
timedatectl set-timezone Asia/Shanghai
Add Swap (especially important on low-memory machines): I usually create 1.5–2× the RAM size.
fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab
Note: Swap is slow — it’s only a last resort to prevent OOM crashes. On high-memory machines, it’s often unnecessary.
Change DNS (optional): Some overseas providers have slow DNS resolution for Chinese domains. I usually switch to Google and Cloudflare:
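# Google (8.8.8.8) and Cloudflare (1.1.1.1) public resolvers
printf 'nameserver 8.8.8.8\nnameserver 1.1.1.1\n' | sudo tee /etc/resolv.conf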
Special note: If you bought a streaming-unlock VPS, do NOT change the DNS. The provider usually sets custom DNS for unlocking — changing it will break streaming access immediately.
Step 5: Kernel & Network Optimization (Optional but Worth Trying)
Debian 12 already enables BBR by default, but for high-latency international links, additional TCP tuning can improve throughput. Results vary — some see clear improvement, others don’t. It’s not mandatory, but worth testing.
Simple option: Neko’s TCP optimization script (just choose the recommended preset):
bash <(curl -L https://raw.githubusercontent.com/chiakge/Linux-NetSpeed/master/tcp.sh)
Advanced option: The tcp.xteko.com optimizer. It generates custom settings based on your memory and latency, automatically backs up the original config, and is easy to revert if it doesn’t help. I personally prefer this one for its flexibility.
Only After These Five Steps Is the Server Truly Yours
| Step | Purpose | Must Do? |
| --- | --- | --- |
| Benchmarking | Verify real specs and catch overselling | ✅ Must do |
| Reinstall OS | Get a clean, trustworthy base system | ✅ Strongly recommended |
| Security Hardening | Prevent being hacked or turned into a bot | ✅ Must do |
| System Initialization | Set up a sane working environment | ✅ Must do |
| Network Tuning | Maximize network performance | ⚡ Optional / situational |
Benchmarking gives you confidence in what you paid for. Reinstalling gives you a clean foundation. Hardening lets you sleep at night. Initialization and tuning help the machine reach its full potential.
After completing this workflow, whether I’m building sites, running automation tools, or deploying services, I feel much more at ease.