The Myth of VPS Hosting: Reasons to Avoid It! Part 2
When a person suggests a VPS blindly to others, odds are that they’re also the kind of person that ends up hacked. Do you really want advice from somebody like that? I’d hope not! Do yourself a favor and ignore that person.
Seasoned server admins — folks that use dedicated servers and VPS daily — would never make such a blind suggestion. They know how expensive, how time consuming, and how hard it all is.
Like an adult that pines for the simpler days of childhood, most VPS users pine for the simpler days when they had a smaller and simpler website. But just like being a kid, those days are gone. Yet the sage wisdom is the same — enjoy those days while you can!
Sure, you can attempt to stubbornly forge ahead, and insist that Google is all you need. This editorial was written for other dumber people, right? Well, let’s see how you really know about server admin tasks!
Before We Begin: The Quick Advice
If you just want some quick advice on which host to use, then here it is:
- Better shared hosting: (1) Siteground (2) Inmotion Hosting, (3) Veerotech
- Semi-dedicated (enterprise) hosting, as powerful as VPS: (1) Stablehost, (2) MDD Hosting
- Managed VPS: (1) EuroVPS, (2) LiquidWeb, (3) WiredTree
- Unmanaged VPS: (1) Namecheap, (2) I/O Zoom
But before picking anything, I would highly suggest reading this editorial. Most people simply need a better shared web host, not a VPS. For those that need more power, a VPS still isn’t required — use semi-dedicated hosting (as powerful as VPS, with none of the server management needs). And if VPS really is required, then opt for managed VPS, not unmanaged; it’s cheaper in the long-term.
Security (Hacking) Basics
Within minutes of deploying a VPS, the IP addresses are get attacked. (What? Minutes? Yep.)
- Hackers from Ukraine are trying to get in to root,
- Email spammers from China are looking for open mail servers,
- Blog comment spammers from India are looking for WordPress installs, and
- Script kiddies from Turkey are trying to deface your PHP sites.
You’ve barely even logged onto the server, and some a-hole is already trying to ruin your stuff. Welcome to the internet.
When your server was deployed, it likely came with SSH already enabled — often accessed via the command-line interface shown above (PuTTY in Windows). The would-be hacker uses malicious tools that attempts to login every second. I’ve seen login attempts in excess of 40,000 attempts in a row — almost 12 hours non-stop! If the hacker doesn’t get in, he’ll at least slow down your server quite a bit as it responds to the DoS-like behavior (denial of service, the little brother of DDoS).
Don’t believe me? The server logs from one of our dev servers shows dozens of unique attempts that were made in a few days time.
No offense, but I bet you have no clue what to do in this situation. (And that’s okay!) Googling for help may show you some tips, but it won’t show you how to truly harden the server.
And that’s just SSH, when there’s nothing even on the VPS yet!
Let me help you cheat: You (1) change the SSH port, (2) disable SSH root logins, (3) blacklist certain IP ranges from sshd access, which is easy to do in WHM, and (4) have a good firewall, with good settings, to catch anything else. If you want to really be aggressive, you can disable passwords entirely and use keys. And all of that is done by the command line. There is no point-and-click for Linux.
VPS Are a Time Vampire!
Even a seasoned server admin has a hard time managing a server. In a way, it’s almost like trying to herd cats. You have to make sure that:
- the server is up, and all services running — basic monitoring
- that the resources are not being exceeded, thus slowing down the server, and jeopardizing the VPS being suspended by the host — advanced monitors like Nagios
- that all server software is up to date …. but ONLY if it’s not going to cause conflicts with other server software or sites — meaning you have to understand what an update does before applying it
- that it’s backed up
- that the backup is backed up — because sometimes backups fail too!
- you check the logs — and there are lots of logs — to look for unusual traffic for http, smtp email, pop3 email, MySQL, etc
- you check the firewall activity
And that’s just the server! You’ve not had time to do anything with your sites yet!
None of this stuff is fun. You have to run through a checklist of tasks every day. It’s not something you do once, monthly or even weekly. Every day, you need to look after these things — assuming you care one iota about the content on that server.
There’s a reason companies have to hire IT folks — it’s time consuming work. All they do is fart around with computers and servers (and related tech) all day, everyday. Those aren’t the folks that make the sites. They don’t have any time for it.
So ask yourself, do you want to be an IT tech, or a website owner?
The Joy of Troubleshooting
One of the biggest chores is keeping yourself current on the newest exploits, hacks, trends, and updates. You have to subscribe to email lists and follow vendors on Facebook and Twitter. You’ll fill up your inbox and clutter up your social media walls. But it’s better than the alternative.
It’s almost a two-way tie between which is more annoying — (1) the hackers and script kiddies, or (2) the server software updates that are incompatible with your sites. cPanel, for example, just released 11.40.x of its control panel. And anybody using the suggested auto-update function was updated. Well, guess what? Some of the updates might screw up your server. How fun! (Ugh.)
Hacking is mostly a question of when — not if. As hard as setting up server monitors may seem (example: Nagios), cleaning up after an exploit is worse. You may have to:
- restore the site from the backup — and the larger the backup, the longer it takes.
- clean up hacked sites on the server
- clean up the server itself
- send requests to be removed from email blacklists (RBL, DNSBL)
- contact anyone that was affected by this, reset all passwords, etc
And it’s very, very time consuming — hours, days, even weeks. Having a site hit is bad enough, but a whole server is like a groin kick.
Just Say No to
If you want to learn how servers work, that’s great! I wish you well. We’re glad to teach you what we know here in The Digital FAQ forum, as well as point you towards other resources that will help you. Just realize it’s not going be something you can learn in a weekend, a month, or even a year. Even seasoned admins are constantly learning.
It’s not as easy as TheGuruNinjaRockstar at someforum.com claimed it was. To be blunt, guys like that are idiots. Morons. Know-nothings. You’re making a huge gamble and taking a huge risk by listening to people like this.
There’s really only four ways that a person should have a VPS:
- You’re server admin, and know what to do.
- You’re a novice server admin, and can fortify your own skills with managed VPS hosting.
- You’re not a server admin at all, but can hire one. Admin services start at $30/monthly, in addition to the other VPS costs (host, panel, security software, etc). Or use a managed host.
- The VPS is just for learning.
You should never, ever use a VPS for actual live sites (production) if you have zero management experience. It will backfire on you. We see this all the time on forums (WHT, especially). Somebody that didn’t know what he/she was doing messed up, or was attacked, and now has lost data or time or both. It’s so sad, and could have been avoided. To add insult to injury, most of these people never needed a VPS to begin with.
Conclusion (and Who To Use For VPS Hosting)
If you’ve made it all the way through both pages, and are still gung-ho about getting a VPS, then at least go with a good company.
We’ve been with EuroVPS for more than 10 years now, and it’s our yardstick by which to measure all other hosts. Yes, they’re that good. Whether it’s support, or costs, or the hardware and network, they’ve literally the best online experience we’ve ever had here at The Digital FAQ. Their VMware-based servers are in Amsterdam, on the AMS-IX, often called the “center of the world” for the internet. They focus solely on managed hosting, using high-end cloud (real cloud!) enterprise-grade architecture.
Namecheap also has an advanced managed VPS plans using Xen. Their managed plans are unique, and more like semi-dedicated times two! There’s no root access, and the host manages it as they would their own servers. You get FTP and cPanel information like a standard shared/reseller host, but it’s your own virtual server (i.e, guaranteed RAM and CPU). So no management needed! They also have unmanaged plans.
And if you just want to learn, then grab yourself a low-cost unmanaged VPS plan from I/O Zoom.
I’ve just suggested a few VPS hosts here. There’s quite a few decent VPS hosts, and we’ve covered them on our list of the best web hosts in the forum.
- The Myth of VPS Hosting: Reasons to Avoid It! – Part 1: Hidden Costs
- The Myth of VPS Hosting: Reasons to Avoid It! – Part 2: Management Woes
Have comments or feedback? — Be sure to share your thoughts in this forum post.
Copyright Notice: All guides, articles and editorials found on digitalFAQ.com are copyright by The Digital FAQ and/or the respective authors. Articles may not be copied, borrowed, full-quoted or reproduced in any manner, online or in print, which includes blogs and forums, without the written email consent of Site Staff (which may or may not be given, for free or fee). Know that digitalFAQ.com staff does routinely monitor online plagiarism, and we do send takedown notices to site admins and/or web hosts (DMCA et al legal actions) as is necessary. If you would like for others to read articles found on The Digital FAQ, simply link to our content. (Note: Printouts for personal use is specifically allowed.)
And if VPS really is required, but you’re not a Linux expert, then opt for managed VPS — not unmanaged.