vps-audit
vps-audit is a lightweight, dependency-free Bash script that performs automated security and performance checks on Linux VPS servers. It runs on Debian/Ubuntu systems, requires sudo access, and generates color-coded reports with specific remediation recommendations.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | vernu/vps-audit |
| Owner | vernu |
| Primary language | Shell |
| License | MIT — OSI-approved |
| Stars | 2k |
| Forks | 161 |
| Open issues | 13 |
| Latest release | Unknown |
| Last updated | 2026-01-12 |
| Source | https://github.com/vernu/vps-audit |
What vps-audit is
Single-file Bash utility that audits SSH config, firewall status, failed logins, open ports, SUID files, and system resource utilization against configurable thresholds. Outputs real-time console feedback (PASS/WARN/FAIL) and timestamped report files; no external dependencies beyond standard GNU utilities (grep, awk, netstat).
Get the vps-audit source
Clone the repository and explore it locally.
git clone https://github.com/vernu/vps-audit.gitcd vps-audit# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires root or passwordless sudo; plan sudoers configuration for automated execution (e.g., via Ansible, cron, or CI/CD pipelines).
- Thresholds for WARN/FAIL are hardcoded and generic; customize them in the script source for your infrastructure baseline (e.g., adjust service or port thresholds for legacy apps).
- Output parsing is human-readable and text-based; integrating programmatic consumption of results requires additional shell scripting or tooling.
- Script runs synchronously and may take 10–30 seconds on loaded systems; schedule during off-peak hours or as background tasks.
- Limited to checks detailed in the README; does not audit container runtimes, application-level configs, or compliance frameworks beyond basic OS hardening.
When to avoid it — and what to weigh
- Red Hat / CentOS / RHEL-based Systems — Script is explicitly designed for Debian/Ubuntu and relies on ufw and systemd conventions. Porting to dnf/firewalld requires non-trivial modifications.
- Containerized or Orchestrated Environments — vps-audit audits host OS configuration. In Kubernetes or container-heavy deployments, host-level checks offer limited value; use platform-native security scanning instead.
- Requirement for Real-time Alerting or Integration — Script generates reports but does not integrate with SIEM, ticketing, or alerting systems. If you need cross-VPS dashboards or automated incident creation, use dedicated monitoring platforms (Prometheus, DataDog, etc.).
- Compliance Audits Requiring Formal Evidence Chain — While the script identifies issues, it does not provide cryptographic attestation, audit logs suitable for legal discovery, or role-based access controls needed for SOC 2 or FedRAMP compliance.
License & commercial use
MIT License. Permits commercial use, modification, and distribution with no warranty. Attribution and license notice required. No patent grants or trademark usage permissions. Suitable for proprietary internal tooling or commercial products with proper attribution.
MIT is a permissive OSI license allowing commercial deployment and resale. Organizations may incorporate this script into commercial managed services offerings. However, no indemnification, SLA, or liability cap is provided; users assume all risk. Recommend legal review before bundling into revenue-critical products.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Script requires sudo and reads sensitive files (SSH config, sudoers logs, open ports, SUID files). No input validation or escaping is documented; review shell injection risks if chaining output. Checks for common misconfigurations (disabled firewall, root SSH, weak password policy) but does not perform cryptographic validation, rootkit detection, or intrusion forensics. Should not be your sole security control; supplement with log monitoring, intrusion detection, and professional audits. Report files may contain sensitive system details; restrict their permissions and storage.
Alternatives to consider
lynis (https://github.com/CISOfy/lynis)
Mature, audits 300+ checks, cross-platform (Linux, macOS, BSD), generates scored reports, professionally maintained. Heavier overhead and more opinionated remediation advice; better for compliance and detailed baselines.
Wazuh Agent + Manager
Distributed agent-based security monitoring with real-time alerting, SIEM integration, and compliance mapping. Requires central server and agent provisioning; overkill for simple ad-hoc audits but superior for fleet monitoring.
OpenSCAP / SCAP Workbench
Standards-based (NIST, CIS benchmarks), formal compliance reporting, automated remediation scripts. Steeper learning curve and more bureaucratic; best for regulated environments requiring formal audit trails.
Build on vps-audit with DEV.co software developers
vps-audit provides a fast, dependency-free baseline assessment for Debian/Ubuntu servers. Ideal for initial hardening checks, compliance verification, and scheduled security reviews. Contact our DevOps team to integrate auditing into your infrastructure automation or incident response workflows.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
vps-audit FAQ
Can I run vps-audit on CentOS/RHEL?
How do I integrate vps-audit output into my monitoring dashboard?
Is vps-audit a substitute for professional penetration testing?
Can I schedule vps-audit to run automatically and alert on failures?
Custom software development services
DEV.co helps companies turn open-source tools like vps-audit into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.
Ready to Audit Your VPS Security Posture?
vps-audit provides a fast, dependency-free baseline assessment for Debian/Ubuntu servers. Ideal for initial hardening checks, compliance verification, and scheduled security reviews. Contact our DevOps team to integrate auditing into your infrastructure automation or incident response workflows.