---
name: VPS
description: Provision, secure, and manage virtual private servers with practical hosting guidance.
metadata: {"clawdbot":{"emoji":"🐧","os":["linux","darwin","win32"]}}
---
# VPS Management Rules
## Choosing a VPS

- Match location to users — latency matters more than raw specs for user-facing apps
- ARM instances cost 20-40% less with equivalent performance for most workloads — check compatibility first
- Shared vCPU is fine for most apps — dedicated CPU only for sustained compute-heavy workloads
- Bandwidth overage fees can exceed server cost — check limits before choosing a plan
## Initial Setup Priority

- Update system packages immediately after first boot — fresh images are often months behind on security patches
- Create a non-root user with sudo before disabling root — locking yourself out requires provider console access
- Set up SSH key authentication before disabling password login — test that the key works first
- Configure firewall rules before exposing services — the default is often all ports open
## SSH Hardening

- Change SSH port from 22 — reduces automated scanning noise by 99%
- Disable root login via SSH — force sudo for an audit trail
- Disable password authentication — keys only, no exceptions
- Install fail2ban — bans IPs after failed attempts, essential for any public server
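The two sections above describe an order of operations (key installed, sudo user present, then password and root login disabled). The script below is an added example, not part of this skill file or any provider's tooling: it writes an sshd drop-in with the hardening settings but refuses to do so when the sudo user is missing or has no public key installed, since that is exactly the combination that locks you out. It assumes OpenSSH 8.7 or newer (drop-in `Include` support and the `KbdInteractiveAuthentication` keyword), a Debian/Ubuntu-style `ssh` service, and the `HARDEN_SSH_*` environment variables, which are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original skill file). Assumes OpenSSH >= 8.7
# reading /etc/ssh/sshd_config.d/*.conf and a Debian/Ubuntu "ssh" service.
# Paths and the port are parameters so the logic can be exercised against
# throwaway files before touching /etc/ssh.
set -eu

# The hardening settings from the rules, as one drop-in file.
render_sshd_dropin() {
  port="$1"
  cat <<EOF
# managed by harden-ssh example
Port ${port}
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
}

# True only if the file holds at least one real public-key line.
has_authorized_key() {
  [ -s "$1" ] || return 1
  grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/=]+' "$1"
}

# Write the drop-in, refusing whenever the order of operations would lock
# you out: the sudo user must exist and must already have a key installed.
#   harden_ssh USER PORT AUTHORIZED_KEYS_FILE DROPIN_FILE
# Returns 2 (no such user), 3 (no key), 4 (bad port), 0 on success.
harden_ssh() {
  user="$1"; port="$2"; keys="$3"; dropin="$4"
  if ! id "$user" >/dev/null 2>&1; then
    echo "refusing: user $user does not exist; create it (with sudo) first" >&2
    return 2
  fi
  if ! has_authorized_key "$keys"; then
    echo "refusing: no public key in $keys; password login would be your only way in" >&2
    return 3
  fi
  case "$port" in
    ''|*[!0-9]*) echo "refusing: port must be numeric" >&2; return 4 ;;
  esac
  render_sshd_dropin "$port" > "$dropin"
}

# Real run only when explicitly requested (needs root):
#   HARDEN_SSH_APPLY=1 HARDEN_SSH_USER=deploy HARDEN_SSH_PORT=2222 sh harden-ssh.sh
if [ "${HARDEN_SSH_APPLY:-0}" = 1 ]; then
  u="${HARDEN_SSH_USER:?set HARDEN_SSH_USER to your sudo user}"
  p="${HARDEN_SSH_PORT:-22}"
  home="$(getent passwd "$u" | cut -d: -f6)"
  harden_ssh "$u" "$p" "$home/.ssh/authorized_keys" /etc/ssh/sshd_config.d/60-harden.conf
  # Validate the merged config before the daemon is reloaded; keep this
  # session open and confirm a NEW login on the new port works first.
  sshd -t
  systemctl reload ssh
  echo "sshd reloaded on port $p; open a second session to verify before logging out"
fi
```

Keep the original session open while testing the new port; if the new login fails, the old session can still remove the drop-in and reload. Remember that a changed port also has to be allowed in both the OS firewall and the provider's security group before the reload.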
## Firewall Basics

- Default deny incoming, allow outgoing — only open what you need
- Allow SSH (your custom port) before enabling the firewall — or you're locked out
- HTTP/HTTPS (80/443) only if running web services
- Keep firewall rules minimal — every open port is attack surface
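An added example (not from this skill file) of the minimal ruleset above with ufw, written so the rule order can be checked before anything is enabled: `DRY_RUN=1` prints the planned commands, and `ssh_allowed_before_enable` confirms the SSH port is allowed before the `enable` step. It assumes ufw on Debian/Ubuntu; the `DRY_RUN`, `FIREWALL_APPLY`, `SSH_PORT` and `WEB` variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original skill file). Assumes ufw.
# DRY_RUN=1 prints commands instead of running them.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Minimal ruleset: default deny in / allow out, SSH on the custom port with
# ufw's rate limit (6 connections per 30 s per source), web ports only if WEB=1.
#   apply_firewall SSH_PORT WEB
apply_firewall() {
  ssh_port="$1"; web="${2:-0}"
  run ufw --force reset            # start from a known state
  run ufw default deny incoming
  run ufw default allow outgoing
  run ufw limit "${ssh_port}/tcp"  # allow + throttle password/key guessing
  if [ "$web" = 1 ]; then
    run ufw allow 80/tcp
    run ufw allow 443/tcp
  fi
  run ufw --force enable           # only after the SSH rule exists
  run ufw status numbered
}

# Given a planned command list on stdin, succeed only if an allow/limit for
# the SSH port appears before the enable step.
ssh_allowed_before_enable() {
  awk -v port="$1" '
    $1=="ufw" && ($2=="allow" || $2=="limit") && $3 ~ ("^" port "(/tcp)?$") { seen=1 }
    $1=="ufw" && $NF=="enable" { ok=seen }
    END { exit (ok ? 0 : 1) }'
}

# Real run (needs root): FIREWALL_APPLY=1 SSH_PORT=2222 WEB=1 sh firewall.sh
if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
  port="${SSH_PORT:?set SSH_PORT to your custom sshd port}"
  # Refuse to touch the live firewall if the plan would enable before allowing SSH.
  (DRY_RUN=1; apply_firewall "$port" "${WEB:-0}") | ssh_allowed_before_enable "$port"
  apply_firewall "$port" "${WEB:-0}"
fi
```

The provider's security group sits in front of this ruleset, so the same SSH port must be open there as well; a rule that exists only in ufw does nothing if the provider drops the packet first.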
## Resource Management

- Enable swap even with enough RAM — prevents OOM kills during traffic spikes
- Monitor disk usage — logs and Docker images fill disks silently
- Set up basic monitoring (uptime, disk, memory) — know when things break before users tell you
- Reboot periodically to apply kernel updates — unattended-upgrades doesn't cover everything
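A cron-able health check for the points above, added here as an example rather than taken from the skill file: disk fill level, swap presence and a pending kernel reboot, each reported as a finding. The parsers read `df -P` and `/proc/meminfo` text from stdin so they can be exercised on captured output; the `DISK_WARN` threshold, the `HEALTH_CHECK_RUN` variable and the `ensure_swapfile` helper (ext4-style `fallocate`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original skill file). Debian/Ubuntu flavoured:
# /var/run/reboot-required is the flag those distros drop after a kernel update.
set -eu

DISK_WARN="${DISK_WARN:-85}"   # percent used that counts as a finding

# Used% for one mount point from `df -P` output on stdin.
#   df -P | disk_used_pct /
disk_used_pct() {
  awk -v mnt="$1" '$NF==mnt { sub(/%/, "", $(NF-1)); print $(NF-1); found=1 }
                   END { exit (found ? 0 : 1) }'
}

# SwapTotal in kB from /proc/meminfo-style text on stdin (0 when absent).
swap_total_kb() {
  awk '/^SwapTotal:/ { print $2; found=1 } END { if (!found) print 0 }'
}

needs_reboot() { [ -e "${1:-/var/run/reboot-required}" ]; }

# Print one line per finding; return the number of findings.
#   health_report DF_OUTPUT MEMINFO_TEXT REBOOT_FLAG_PATH
health_report() {
  df_out="$1"; meminfo="$2"; reboot_flag="$3"; problems=0
  pct="$(printf '%s\n' "$df_out" | disk_used_pct / || echo 0)"
  if [ "$pct" -ge "$DISK_WARN" ]; then
    echo "WARN / is ${pct}% full (check: journalctl --disk-usage, docker system df)"
    problems=$((problems+1))
  fi
  swap="$(printf '%s\n' "$meminfo" | swap_total_kb)"
  if [ "$swap" -eq 0 ]; then
    echo "WARN no swap configured; the OOM killer decides who dies in a traffic spike"
    problems=$((problems+1))
  fi
  if needs_reboot "$reboot_flag"; then
    echo "WARN reboot required to finish applying kernel/libc updates"
    problems=$((problems+1))
  fi
  return "$problems"
}

# Create a swap file once (needs root; assumes ext4 where fallocate works).
ensure_swapfile() {
  size="${1:-2G}"
  [ -e /swapfile ] && return 0
  fallocate -l "$size" /swapfile
  chmod 600 /swapfile
  mkswap /swapfile
  swapon /swapfile
  echo '/swapfile none swap sw 0 0' >> /etc/fstab
  sysctl -w vm.swappiness=10     # overflow only, not a first resort
}

# Cron usage: HEALTH_CHECK_RUN=1 sh health.sh   (non-zero exit = findings)
if [ "${HEALTH_CHECK_RUN:-0}" = 1 ]; then
  health_report "$(df -P)" "$(cat /proc/meminfo)" /var/run/reboot-required
fi
```

Wire the exit status into whatever alerting you already have (cron mail, a webhook, your uptime monitor's heartbeat URL); a check nobody reads is the same as no check.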
## Backups and Snapshots

- Provider snapshots are not backups — they're tied to the provider, not portable
- Test the restore process before you need it — untested backups are wishful thinking
- Automate backups — manual backups get forgotten
- Keep at least one backup offsite — provider outages take everything with them
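The following is an added example, not the skill file's own script, of a backup job that does what the rules ask: archive with a checksum, immediately test-restore into a scratch directory and compare against the source, prune old copies, and hand the archive to an offsite copier. It assumes `tar`, `sha256sum`, `diff -r` and a cron entry; `OFFSITE_CMD` is a placeholder for whatever you use (rsync over SSH, rclone) and the `BACKUP_*` variable names are this example's.

```shell
#!/bin/sh
# Added example (not from the original skill file). Assumes GNU tar,
# coreutils sha256sum and diff. For live databases, dump first and back up
# the dump; a file-level copy of a running database is not a backup.
set -eu

# Archive SRC into DEST_DIR/NAME-<UTC stamp>.tar.gz plus a checksum file.
# Prints the archive path.
make_backup() {
  src="$1"; dest_dir="$2"; name="$3"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  archive="$dest_dir/$name-$stamp.tar.gz"
  mkdir -p "$dest_dir"
  tar -C "$src" -czf "$archive" .
  ( cd "$dest_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
  echo "$archive"
}

# "Test restore before you need it": verify the checksum, extract into a
# scratch dir, and compare file list and contents against SRC.
#   verify_restore ARCHIVE SRC   -> 0 only if the restore matches exactly
verify_restore() {
  archive="$1"; src="$2"
  scratch="$(mktemp -d)"; ok=1
  if ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ); then
    tar -C "$scratch" -xzf "$archive"
    if diff -r "$src" "$scratch" >/dev/null; then ok=0; fi
  fi
  rm -rf "$scratch"
  return "$ok"
}

# Keep the newest KEEP local archives (and their checksums), delete the rest.
prune_backups() {
  dest_dir="$1"; name="$2"; keep="$3"
  ls -1t "$dest_dir"/"$name"-*.tar.gz 2>/dev/null | tail -n +"$((keep+1))" | while read -r old; do
    rm -f "$old" "$old.sha256"
  done
}

# Nightly run, e.g. cron "0 3 * * *":
#   BACKUP_RUN=1 BACKUP_SRC=/srv/app BACKUP_DEST=/var/backups/app \
#   OFFSITE_CMD="rclone copy" OFFSITE_DEST=remote:vps-backups sh backup.sh
if [ "${BACKUP_RUN:-0}" = 1 ]; then
  name="${BACKUP_NAME:-vps}"
  a="$(make_backup "${BACKUP_SRC:?}" "${BACKUP_DEST:?}" "$name")"
  verify_restore "$a" "$BACKUP_SRC" || { echo "restore check FAILED for $a" >&2; exit 1; }
  prune_backups "$BACKUP_DEST" "$name" "${BACKUP_KEEP:-7}"
  [ -z "${OFFSITE_CMD:-}" ] || $OFFSITE_CMD "$a" "$a.sha256" "${OFFSITE_DEST:?}"
fi
```

The restore check runs on every backup, so a broken archive, a changed tar flag or a full disk is noticed the night it happens instead of on the day you need the restore. Send the checksum file offsite with the archive so the remote copy can be verified the same way.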
## Networking

- A static IP is usually the default — but verify before relying on it for DNS
- IPv6 is free and increasingly expected — enable it unless you have specific reasons not to
- Private networking between VPS instances keeps internal traffic off the public internet
- Document your IP addresses — easy to lose track with multiple servers
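To keep the address inventory the last point asks for, here is an added example (not from this skill file) that turns `ip -o addr` output into one classified line per address (public, private, link-local, loopback) and checks whether IPv6 is actually enabled. It assumes iproute2 and sysctl on Linux; the hostnames and addresses in the test are constructed, and `INVENTORY_RUN` / `INVENTORY_FILE` are names chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original skill file). Parsers read the tool
# output from stdin so they can run on text captured from another host.
set -eu

# Classify each address from `ip -o addr` lines on stdin.
#   ip -o addr | inventory_addresses "$(hostname)"
# Output columns: hostname iface family address class
inventory_addresses() {
  awk -v host="$1" '
    $3=="inet" || $3=="inet6" {
      split($4, a, "/"); addr=a[1]; fam=$3; cls="public"
      if (fam=="inet") {
        if (addr ~ /^127\./) cls="loopback"
        else if (addr ~ /^169\.254\./) cls="link-local"
        else if (addr ~ /^10\./ || addr ~ /^192\.168\./ || addr ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) cls="private"
      } else {
        if (addr=="::1") cls="loopback"
        else if (addr ~ /^[fF][eE][89aAbB]/) cls="link-local"   # fe80::/10
        else if (addr ~ /^[fF][cCdD]/) cls="private"            # fc00::/7 ULA
      }
      print host, $2, fam, addr, cls
    }'
}

# Succeed only if sysctl text on stdin says IPv6 is not disabled.
#   sysctl net.ipv6.conf.all.disable_ipv6 | ipv6_enabled
ipv6_enabled() {
  awk -F= '/disable_ipv6/ { gsub(/ /, "", $2); if ($2=="0") ok=1 } END { exit (ok ? 0 : 1) }'
}

# Usage: INVENTORY_RUN=1 sh inventory.sh   (appends to the inventory file)
if [ "${INVENTORY_RUN:-0}" = 1 ]; then
  h="$(hostname)"
  ip -o addr | inventory_addresses "$h" | tee -a "${INVENTORY_FILE:-$HOME/vps-inventory.txt}"
  sysctl net.ipv6.conf.all.disable_ipv6 | ipv6_enabled || echo "note: IPv6 is disabled on $h" >&2
fi
```

Run it on each server and keep the combined file with your DNS records; the "public" lines are the ones DNS must point at, and a mismatch after a rebuild is the "static IP that wasn't" the rules warn about.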
## Cost Awareness

- Stopped instances still cost money for storage — delete unused servers
- Reserved instances save 30-50% for long-term use — commit only if you're sure
- Bandwidth is often the surprise cost — especially for media-heavy apps
- Multiple small VPS often beat one large one — isolation and redundancy
## Provider-Specific

- Hetzner, DigitalOcean, Linode, Vultr all work similarly — skills transfer between them
- Provider firewalls (security groups) act before the OS firewall — configure both
- Provider console access works when SSH is broken — know how to reach it
- Some providers charge for IPv4 addresses separately — check before assuming you have one
## Common Mistakes

- Not updating for months — security vulnerabilities accumulate
- Running everything as root — no audit trail, maximum blast radius
- No firewall because "nobody knows my IP" — scanners find everything
- Oversizing from day one — start small, scale when needed
- Ignoring provider status pages — outages explain mysterious issues