By 2026, AI will have completely transformed the security landscape: Vulnerabilities will be found, analyzed, and exploited faster than before. Thanks to AI, attackers can more quickly identify vulnerable software, modify exploit code, and scan large numbers of systems.
Due to the use of AI, the period between a vulnerability becoming known and active exploitation has become very short: increasingly often, a vulnerability is exploited within just a few minutes of disclosure. An important question, therefore, is: how do you keep your server(s) secure? In this article, we explain the most important measures to protect your server(s) against attacks involving the exploitation of software vulnerabilities.
TL;DR: Update and restart your VPS weekly, make backups, apply hardening (turn off what is not needed, use SSH keys, etc.).
The most important security rule: update and restart
The most important security rule for server management is simple: install updates regularly and restart your server when updates require it. For Linux servers, this is especially important after a kernel update. The kernel is the heart of the operating system. When a new kernel is installed, it usually only becomes active after the server has been restarted.
The same principle applies to Windows Server. Many Windows updates replace components that are in use while the system is running. A restart is then necessary to complete the update fully and ensure that the patched components are actually active.
A server on which updates have been installed but which has not been restarted afterwards may still be running vulnerable code. So schedule not only the installation of updates, but also the moment when you can safely reboot the server.
Our advice: update at least once a week
We recommend checking Linux, BSD, and Windows servers for updates at least once a week, installing them, and then restarting when necessary. Choose a fixed maintenance window for this, for example outside office hours or at a time when the impact on your users is limited.
In the case of critical vulnerabilities, active exploitation, or Remote Code Execution, do not wait until the regular maintenance window. In those cases, it is wise to update as soon as possible.
Updating Linux and BSD systems
Below you will find examples for commonly used Linux and BSD systems. Run these commands as a user who has sudo privileges. If you are using a custom configuration or a production environment, test updates first or schedule them within a maintenance window.
Debian and Ubuntu
sudo apt update
sudo apt full-upgrade -y
sudo reboot
On Debian and Ubuntu systems, you can check if a restart is required with:
test -f /var/run/reboot-required && echo "Restart required" || echo "No restart required reported"
AlmaLinux, Rocky Linux, CentOS Stream, RHEL and Fedora
sudo dnf upgrade --refresh -y
sudo reboot
If you want to check if a reboot is needed, you can use needs-restarting on many RPM-based systems:
sudo dnf install -y dnf-utils
sudo needs-restarting -r
openSUSE and SUSE Linux Enterprise
sudo zypper refresh
sudo zypper update -y
sudo reboot
You can check which processes are still using old files with:
sudo zypper ps -s
Arch Linux
sudo pacman -Syu
sudo reboot
FreeBSD
Update the base system and then the installed packages:
sudo freebsd-update fetch install
sudo pkg update
sudo pkg upgrade
sudo reboot
OpenBSD
Install available system patches and update packages:
sudo syspatch
sudo pkg_add -u
sudo reboot
Update and restart Windows Server
For Windows Server, we recommend using Windows Update or Windows Server Update Services (WSUS), depending on how your environment is configured. Install security updates at least weekly and then schedule a restart when Windows indicates that this is necessary.
Microsoft releases patches on the second Tuesday of each month to fix bugs in Microsoft systems ("Patch Tuesday"). For critical vulnerabilities, Microsoft also releases patches outside of this cycle ("out-of-band").
If you are using PowerShell and the PSWindowsUpdate module is available, you can install updates as follows, for example:
Install-WindowsUpdate -AcceptAll -AutoReboot
Use -AutoReboot only when you are certain that an automatic restart will not have an unwanted impact at that moment. In production environments, it is usually better to perform updates and restarts within a scheduled maintenance window, for example, shortly after the Patch Tuesday updates.
Check after the reboot if everything works correctly
After restarting, check if the server has started correctly and if the most important services are available again. Think, for example, of web servers, databases, mail services, monitoring agents, backup tools, and business-critical applications.
On Linux, for example, you can check the active kernel version with:
uname -r
Additionally, check the status of services:
systemctl --failed
systemctl status nginx
systemctl status apache2
systemctl status mariadb
Adjust service names such as nginx to the names of the software you actually use.
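The "updated but not restarted" state described earlier can be detected on Linux by comparing the output of uname -r with the newest installed kernel. The script below is an added example, not part of the original article; the function names are illustrative, and it assumes one directory per installed kernel under /lib/modules, a single kernel flavour, and a sort that supports -V.

```shell
#!/bin/sh
# Added example (Linux only): detect "updated but not yet rebooted".
# Function names are illustrative; assumes /lib/modules/<release> per kernel.

# Print the highest kernel release with a module tree under $1.
newest_installed_kernel() {
    # sort -V compares release strings numerically (9 < 18 < 21).
    ls -1 "${1:-/lib/modules}" 2>/dev/null | sort -V | tail -n 1
}

# Return 0 when a reboot is pending, 1 when the running kernel is current.
# $1 running release, $2 modules directory, $3 Debian/Ubuntu flag file.
reboot_pending() {
    running=$1
    flag_file=${3:-/var/run/reboot-required}
    # Debian and Ubuntu create this file when a package needs a restart.
    if [ -f "$flag_file" ]; then
        return 0
    fi
    newest=$(newest_installed_kernel "${2:-/lib/modules}")
    # Nothing to compare against (container, custom kernel): not pending.
    if [ -z "$newest" ]; then
        return 1
    fi
    # Differs when a newer kernel is installed but not yet booted.
    [ "$running" != "$newest" ]
}

# One status line for cron or a monitoring agent; returns 1 when pending.
report_reboot_state() {
    if reboot_pending "$@"; then
        echo "REBOOT PENDING: running kernel is $1"
        return 1
    fi
    echo "OK: running kernel $1 is current"
}

# Live check; the fallback message keeps the script's exit status at 0.
report_reboot_state "$(uname -r)" || echo "Schedule a restart in the next maintenance window"
```

A plain alphabetical sort would rank 6.1.0-9 above 6.1.0-21, which is why the comparison uses version ordering.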
Don't forget applications outside the operating system
Updating the operating system is important, but not always sufficient. Many attacks target applications managed separately from the package manager, such as CMSs, plugins, themes, frameworks, control panels, Docker images, and manually installed software.
Therefore, also regularly check if these components are up to date. Consider, for example, WordPress, Joomla, Drupal, Magento, PHP applications, Node.js projects, Python environments, containers, and database management tools.
Many of these systems, for example WordPress, have a built-in option to automatically install important security updates.
Create backups and/or snapshots
Updates usually proceed without problems, but it remains wise to have a restore point beforehand. Therefore, especially in production environments, first create a backup or snapshot before performing major updates or kernel updates. You can find an overview of our documentation for using backups and snapshots here:
Finally, check that you know how to restore the server when an update causes unexpected problems. Think of access via the console, restoring recent backups, etc.
Apply security hardening
Security hardening simply means reducing the attack surface. The fewer doors that are open, the smaller the chance that an attacker will get in, or even consider attacking you in the first place. In essence, security hardening comes down to:
- Turn off what is not needed: in Linux you can easily disable software with the command
sudo systemctl disable softwarenaam
(replace softwarenaam with the actual name of the software in question).
- Use secure settings: consider disabling root login on SSH, using SSH keys, MFA on web applications, etc. Tip: see the overview of our security documentation for more information on these topics.
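To verify the SSH settings mentioned above, the following added example (not part of the original article) audits the global section of an sshd_config file for root login and password authentication. The function names and the sample configuration are constructed for illustration; Include files, Match overrides and the keyword=value syntax are not evaluated.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the two
# settings named above (root login, key-only authentication).

# Print the effective value of keyword $1 in file $2, or default $3.
# sshd keeps the FIRST occurrence of a keyword and ignores case in keywords.
# Match blocks (per-user overrides) are not evaluated here.
sshd_setting() {
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/          { next }    # comment or blank line
        tolower($1) == "match"  { exit }    # global section ends here
        tolower($1) == key      { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# Print one line per weak setting; return 1 when anything was flagged.
audit_sshd() {
    cfg=$1
    findings=0
    # Fallbacks are the OpenSSH defaults used when a keyword is absent.
    root=$(sshd_setting PermitRootLogin "$cfg" prohibit-password)
    pass=$(sshd_setting PasswordAuthentication "$cfg" yes)
    if [ "$root" != "no" ]; then
        echo "WEAK: PermitRootLogin is '$root', expected 'no'"
        findings=1
    fi
    if [ "$pass" != "no" ]; then
        echo "WEAK: PasswordAuthentication is '$pass', expected 'no'"
        findings=1
    fi
    return "$findings"
}

# Constructed sample: the appended "permitrootlogin no" never takes effect
# because an earlier line already set the keyword.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for illustration
PermitRootLogin yes
PasswordAuthentication no
permitrootlogin no
Match User backup
    PasswordAuthentication yes
EOF

audit_sshd "$sample" || echo "Review $sample before relying on it"
```

On a real host, sudo sshd -T prints the effective configuration including Include files, so its output is the better input for this kind of check.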
Make vulnerabilities visible with monitoring and alerts
A good update process consists not only of patching, but also of flagging. Set up monitoring for pending updates, required restarts, and vulnerabilities in the software you use. Additionally, subscribe to security mailing lists or vulnerability alerts for the products running on your server.
Where possible, also use reliable sources such as vendor advisories, vulnerability databases, and lists of actively exploited vulnerabilities. This allows you to better determine which updates cannot wait until the next weekly maintenance window.
How do you stay informed about important new vulnerabilities?
New vulnerabilities appear daily in operating systems, libraries, web servers, databases, CMSs, control panels, and other software. Therefore, we primarily inform customers about vulnerabilities with a major impact, such as Remote Code Execution (RCE), and about vulnerabilities that are so significant that we are also accelerating the updating of our own infrastructure for them, and for which we estimate the potential impact on our customers is substantial.
In other cases, we recommend that you actively stay informed yourself about vulnerabilities in software you use on your server. For example, you can use vulnerability databases and alerts, such as mail alerts from VulDB, or similar services that send notifications based on vendors, products, or software versions.
When is a managed server sensible?
Securely managing a server takes time, knowledge, and discipline. You must assess updates, schedule maintenance, check backups, track vulnerabilities, and know how to act when something goes wrong.
Is server management too complex, is the knowledge lacking within your organization, or do you have insufficient time to keep up with security updates systematically? Then we recommend choosing a managed server solution. This allows you to outsource a significant part of the technical management and reduce the chance that critical updates will be left unresolved for too long.
That brings us to the end of this article on keeping your servers secure via updates and restarts. Would you like to know more about various aspects of server security? Then also check out our additional documentation on VPS security.