VPS checkup (Ubuntu + Docker)

Goal

• Produce a clear, read-only health/security/update report for an Ubuntu VPS running Docker.
• Propose safe, minimal fixes; do not apply changes or restart anything unless the user explicitly confirms.

Inputs to ask for (if missing)

• SSH target host alias (from

  ~/.ssh/config

  on Windows:

  $HOME\\.ssh\\config

  ) or

  user@ip

  .
• Confirm

  sudo

  access and whether running

  apt update

  is allowed (it modifies package lists).
• Required open ports (e.g.,

  22

  ,

  80

  ,

  443

  ) and any non-standard SSH port.
• Where deployments live: confirm if Docker Compose is used on the VPS (common), and whether compose files are in a known path.
• If the local

  ssh

  client or required tools are missing, tell the user and ask whether to install them or provide command output manually.

Workflow (checklist)

1. Connect safely
   • Keep a second SSH session open before any SSH/firewall changes.
   • Record identity/time/host:

     whoami

     ,

     hostname -f

     ,

     date -Is

     ,

     uptime

     .
2. Collect a read-only baseline (system)
   • OS/kernel:

     lsb_release -a

     (or

     cat /etc/os-release

     ),

     uname -a

     .
   • CPU/mem/disk:

     top

     snapshot,

     free -h

     ,

     df -hT

     ,

     lsblk

     .
   • Services:

     systemctl --failed

     ,

     journalctl -p 3 -xb --no-pager

     (use

     sudo

     if needed).
3. Check security posture (read-only)
   • SSH: prefer

     sudo sshd -T

     (fallback to

     sudo cat /etc/ssh/sshd_config

     +

     sshd_config.d/

     ).
   • Firewall:

     sudo ufw status verbose

     (and

     sudo ufw status numbered

     ).
   • Fail2ban:

     sudo fail2ban-client status

     (+

     status sshd

     if present).
   • Listening ports:

     ss -tulpn

     (use

     sudo

     if needed).
4. Check update posture (read-only by default)
   • If user allows: run

     sudo apt update

     to ensure accurate results.
   • Then collect:

     apt list --upgradable

     ,

     ubuntu-security-status

     (if available), and

     /var/run/reboot-required

     presence.
   • Check unattended upgrades:

     systemctl status unattended-upgrades --no-pager

     and

     /var/log/unattended-upgrades/

     .
5. Check Docker health (read-only)
   • Daemon status:

     systemctl status docker --no-pager

     ,

     docker info

     .
   • Containers:

     docker ps

     , unhealthy/restarting containers, recent restarts, and

     docker stats --no-stream

     .
   • Disk usage:

     docker system df

     and large log growth indicators.
   • Compose overview:

     docker compose ls

     (then inspect key projects as needed).
6. Produce the report + recommendations
   • Use

     references/report-template.md

     .
   • Use

     references/ubuntu-docker-checkup-commands.md

     for a copy/paste command set.
   • Rank findings by severity and explicitly list what requires confirmation (updates, firewall changes, SSH changes, restarts, pruning, reboot).
7. Apply fixes (ONLY with explicit confirmation)
   • Do not run

     apt upgrade

     , change UFW rules, change SSH auth, prune Docker, restart services/containers, or reboot unless the user says to.

Safety gates (non-negotiable)

• No restarts (Docker/system services) unless the user explicitly asks for restart.
• No SSH/firewall changes unless you have a backup access path (second session open) and the user confirms the plan.
• Never paste secrets (tokens, private keys) into chat or logs.

Deliverable

• A read-only report using

  references/report-template.md

  .
• A prioritized list of recommended fixes and which ones require explicit confirmation.
• The exact commands run (or requested if the user ran them manually).