You're all doing it wrong.

Discussion in 'Tutorials and Guides' started by Aldryic C'boas, Feb 20, 2015.

  1. Aldryic C'boas

    Aldryic C'boas The Pony

    Apr 18, 2013
    What is wrong with you people. (Yes, that was rhetorical).  One looks at the VPS industry, and it's small wonder that people regard VPS providers as a joke; something just to utilize when you just have a couple bucks laying around.  Companies filled with kids that couldn't write their own code if their lives depended on it - dependant on shoddy, repeatedly compromised systems like Solus to do the work they have no clue how to perform on their own.

    Providers that continuously make asses of themselves publicly - basking in the attention of hate-filled drama threads, doing anything they can to make a sale; then having the audacity to cram clients onto overloaded, bargin-bin hardware and scream at them if they dare post any kind of public complaint.  Children that frequently 'employ' people that they have never met, and are oft school kids themselves, to be their directors and administrators.  Operators that can't even be bothered to vet their own orders and have to rely on unverified public input to make their decisions for them - if they even bother to do that.  Some of you clownshoes will accept any order that comes in if it means another payment.  It's absolutely embarrassing.  I don't even like to tell people that I work for a VPS company any more.  "Oh, you're one of 'those'." "No, no, we're actually a real establishment." "Sure, that's what they all say."

    Still with me?  Good, let's change up the tone a bit.

    Presentation / Professionalism

    If you're a provider, and you read through the last couple of paragraphs without getting upset, offended, or taking any of that personally?  Pat yourself on the back.  Seriously - you already have the thick skin and right attitude that so many people desperately need.  You can (and likely do) deal with clients that are far more obnoxious and scathing than my little routine there, and maintain a professional approach to handling them.

    And if you did get offended?  Don't beat yourself up over it - it's a natural reaction, and overcoming that can take an incredible amount of self control.  When you get obnoxious tickets, don't respond to them right away.  You'll default to wanting to be defensive, which leads to justification, which can very easily lead to saying something you will regret.  Take a short break, they're not going anywhere, and do something you enjoy.  Pour a drink, have a smoke, put a snake in a co-worker's desk - just take five minutes to 'reset' your mentality.  You'll find it much easier to come back to that ticket after and give a professional reply.  Not only will this satisfy most clients (let's face it, real jerks are rare, and most of these tickets are just people having a bad day), but it also protects you from any kind of public fallout should they decide to go run to here/WHT/LET and scream about how you bad-mouthed them.

    Software / Panels

    It's not easy to create in-house platforms (as an increasing number of people are finding out - the hard way).  Management systems like SolusVM and WHMCS are incredibly complex (often excessively so), and not everyone is going to have the time, patience, and aptitude to build in-house systems.  But at the very least, you should be comfortable with making minor modifications or addons to the systems you do use.  Hooks for WHMCS to automate some of your daily management; simple scripts to tie into SolusVM's API and take care of some clean up; even learning to setup and maintain your own database replication to ensure reliable backups.  Not only will this help in building your own programming skills, but will also greatly familiarize you with the platform's back end.  That knowledge is invaluable for troubleshooting problems on your own without having to rely on their support team, and also gives you a better understanding of what all you will need to consider if you do decide to create an in-house replacement.

    There's nothing inherently wrong with using third party software, you just have to be very cautious about what you trust.  We've all seen (and in some cases, experienced) the horror stories of vulnerabilities against WHMCS and SolusVM.  Having a strong familiarity with the systems you use will help you secure them properly.  These management panels are tools, not shortcuts - and in inexperienced hands, a nail gun is just as likely to cause a great deal of grief as it is to properly secure a fixture.

    Avoiding Fraud and Abuse

    Low cost of entry.  One of the biggest benefits of the VPS Market is also one of its greatest liabilities.  Whether it's a provider just starting out that can't afford to specialize in more costly services, or the folks that are forced to compete based on price alone, the typically low cost of a VPS service is irresistible to skids, spammers, and abusers.  Sure, some days you might really need the sales, but turning away a 5$ order is always preferable to having to give out 500$ in SLA credit for outages and people upset over their neighbours landing them on an SBL.

    You're going to see abuse of one kind or another no matter what you do, but there are a few things you can do to drastically limit just how much you get:

    Contact Information:  Take a few moments to review the information a client submitted when signing up before you accept their order.  Did they give you a fake address, mail-forwarding, or other non-residential location?  Likely worth looking into.  Fake name or initials?  They don't want their actions traced back to them.  Sure, some folks simply don't like putting their real information out there - but as I explain to our clients, trust is a two way street.  If they don't trust you to take appropriate measures to keep their information private, can they really expect that you trust them to not cause any trouble?

    Payment Information:  Accepting PayPal, or other gateways with a verbose IPN?  Take a moment to look at your transaction log.  If you're seeing a high amount of fraud or disputes, it's worth considering enacting a policy where payment must come from a verified PayPal account, and/or requiring that the name on said PayPal account match the information they registered with.

    Order Information:  A new registrant that rings up 300$ in service for his first order, especially if wanting to pay via Credit Card, will likely cause you some heartbreak.  At the very least get positive identification on the person to cover your own back for when the card issuer comes looking for blood over the stolen CC transaction.  Same applies to someone suddenly jumping in and ordering a bulk number of IPs.  Get some justification, find out what they're wanting to do with it before you turn them loose.  Pay attention to hostnames - there are plenty of skids stupid enough to sign up and name their service 'ccbooter' and such.

    Service Quality

    It's very easy to just throw up some OpenVZ nodes and start cramming them with '300TB BW' plans, overselling the resources several times over.  Overselling itself is a sensitive topic for many, and not one I'll get into - but just be aware of what your nodes can actually handle.  Get a feeling for just how much stress your nodes can comfortably bear - and then err on the side of caution and expect double that in live production.  You don't actually need to have abusive users on a node to see performance degradation - all it takes is a handful of moderate-usage clients having top of the hour cron jobs to bring a node to its knees if you're not careful.

    Quality over quantity should be your goal.  You want clients to sign up not because they heard that you sell more VPSes than anyone else, but because they've heard that the VPSes you sell are stable and offer steady, reliable performance.  Having more clients/nodes than everyone else counts for nothing when your churn rate is so high that you have to offer ridiculous yearly sales for quick cash to try and make ends meet.  Which leads us to:


    Yes, it's a competitive market.  But as we've all witnessed time and again, trying to use price as your competitive edge is a recipe for disaster.  Plan out your plan/node designations in advance, and ensure that even if your nodes are only half filled, you're still in the black at the end of the month.  Keep your pricing standardized and stable.  If you wish to offer coupons, do so with specific limitations in mind - don't just discount an already-available service with no restrictions, or you'll quickly find that many of your clients that already have that plan at normal cost have no problems with cancelling their current service to re-subscribe at the lower rate.

    Extended billing cycles can be appealing, but must be used in moderation.  Don't offer a ridiculous discount for paying a year+ up front - you may end up with a nice pocketbook for the month, but then you're back to not seeing recurring income from those sales again for a long time.  By all means, give minor benefits for paying annually - but not so nice that it would cause fiscal trouble should many of your clients decide to switch over.

    Set your pricing for what you feel is a fair cost for what you offer.  If you must use your competition as a guideline for pricing, start a little ways higher than the midpoint between highest and lowest costs.  One of the worst things you can do is start off at a low price point - while it's unlikely that you'll ever see cancellations should you decide to lower costs, starting low and then realizing you can't make ends meet will result in a punishing bleed once you try to raise existing costs.

    Security & Trust

    I already went over software security earlier in the post - this concerns more the people you choose to employ and work with.  You don't have to be best friends with your employees (and indeed, it is often better if you are not), but you must be cautious in whom you decide to hire on.  Ask yourself if you would be comfortable with the person house-sitting for you while you were away.  If you wouldn't trust them in your home, why would you ever trust them with explicit access to your clients' personal information, payment details, and essentially root access to their services with you?

    Even if you do trust them implicitly - are they the right person for the job?  Do you trust them because they are professional and have a solid reputation and work ethic?  Or do you trust them because they sell you weed and you need a ticket monkey?  It's not just your company at stake - it's your reputation, and more importantly, your clients' trust.  If you want to hire on a student because they have the enthusiasm, and perhaps even the technical know-how to get the job done - great.  I mean hey, everyone has to start somewhere, and helping someone gain the experience they need to make a foothold in their chosen career path is a noble thing.  But make no illusions about who they are - and under no circumstances have the audacity to tell your clients that your employee is an 'expert/professional'.

    Trust is a *major* deciding factor in this market; especially given the numerous compromises, scandals, providers allowing NSA data taps in exchange for amnesty, and so on.  Earn your client's trust, and you'll likely have a client for life.  Break that trust, and you might as well resign yourself to endless clean up from skid usage, who will be the only group still willing to use your services.

    Wrap Up

    At the end of the day, the decisions you make are what shape the quality of your service, and the reputation of your company.  There is no easy short cut to establishing and maintaining a successful VPS operation - you have to be willing to put in the time, effort, and dedication to stay afloat.  And what works for one company might not work for you - but what's important is that you know your limits, both in performance and in your pocketbook, and not get into something over your head.  Need help or advice?  Ask around.  There are plenty of folks that are more than happy to give advice.

    Just don't be that guy that keeps asking if you'll solve their problems for them.  Nobody likes that guy.
    Last edited by a moderator: Feb 20, 2015
    ChrisM, Jonathan, Geek and 36 others like this.
  2. Awmusic12635

    Awmusic12635 Active Member Verified Provider

    May 3, 2013
    Very well written.
    Francisco likes this.
  3. Mohammed H

    Mohammed H New Member

    Feb 18, 2015

    well I must say that your well written article just revived me from the desperation I see from all this 1$/mo VPS providers .

    thank you so much for this valuable info.

    Highest Regards

    Mohammed H
    Francisco likes this.
  4. tragic

    tragic Member Verified Provider

    Dec 14, 2013
    Great insight and helpful. Thanks.
    Francisco likes this.
  5. HalfEatenPie

    HalfEatenPie The Irrational One Retired Staff

    Mar 25, 2013
    Your words flow like beautiful water down a stream.

    tldr: sexy
    kcaj, k0nsl and Francisco like this.
  6. Nick_A

    Nick_A Provider of the year (2014)

    May 13, 2013
    Waiting to respond is a great piece of advice. I have learned to do that over time. I write out what I want to say initially, work on something else for a while, come back, and strip out all the potentially unprofessional bits. Assume that whatever you tell a client in a ticket will end up on WHT, and you'll keep an even keel.
    gordonrp likes this.
  7. drmike

    drmike 100% Tier-1 Gogent

    May 13, 2013
    I smiled at this post :)  Good one.

    My rule continues to be, anyone whom calls himself / herself / itself an expert needs a serious timeout.  Expert status is something given by the public at large over time, long after you are good at what you do.  Expert isn't some sales enhancer.  Quite the contrary.   That term strikes seasoned business folks as ego bloat, lies or simply deception.   Who truly wants to work with an expert?

    I regularly see the term EXPERT thrown about.  Way more than I recall in decades past.

    There are some talented folks out there in VPS and hosting land.  Some genuine bad ass ninja skill types.  Magicians behind the scenes.  But experts even there?  Only if they need to hawk some containers on ego push credit in their busted homemade marketing.

    Pricing part hits home with me.  Price is a custom thing based on what your spend is, on what your staff costs and on what end of accounting you find acceptable to live off of.   

    Too many, meh, almost every lowend company peeks at the competitions pricing matrix and self adjusts, barely.   This approach is a very bad one.  Work on justifying the right price with actual features, benefits, real resources.  This is to say your pricing should built backwards from the end profit goal.

    Software and development, yes big big hole in most shops.  They are left to buy prebuilt modules for everything.  It gets ugly and code insecurity and non-familiarity with things is high risk.  Development costs money and time cycles.  So it's pay someone to come on board, develop the skills yourself or continue to run blindly.

    Solid reference piece from Ald though.   Time to convert it into a checklist :)
    fm7 likes this.
  8. splitice

    splitice Just a little bit crazy... Verified Provider

    Jun 16, 2013
    Very well written as always. :)

    Just one point to add with Fraud and Abuse. There is much you can do in this area, never just accept loss. Try and think outside the box, you can often find patterns or methods to mitigate risk. Unfortunately this is a bit of a 'closed' strategy (only effective if others don't know what you are doing) but it can be very effective if you can afford the time to come up with an effective solution. Dont just do a standard WHMCS + Maxmind, or similar solution, you can trust people out there know the weaknesses of such solutions. Think it through based on the abuse you have seen in the past, and work out how to mitigate the risk (e.g as Aldryic said manual review, requirements for client details to be residential address).

    "It's not easy to create in-house platforms (as an increasing number of people are finding out - the hard way)"

    At X4B our billing & management systems are entirely in-house. Our primary motivation for this was security & secondarily flexibility (PAYG/Cloud style billing in WHMCS is a mess). Whenever I see a newish provider stating they have their own in-house billing system, or in house vps control panel I immediately cringe as the result (unless they are a large / established company they probably cant afford it). I know I am the pot calling the kettle black, but its a huge cost / risk - I would know.

    Developing such a system is not for the weak of heart. While I don't regret the approach we took (rarely even for a moment), I certainly have a lot more respect for what WHMCS does than what I did to begin with. For example, one of our biggest upgrades has been worked on for what is now 3 months. The upgrade is to implement an invoicing system (which WHMCS provides). That is the separation of service, from billing. Even invoicing is deceptively simple, there are many edge cases (upgrades, cancellations, overdue, payment when overdue).

    Any company who undertakes this while selling $4/1G VPS's is setting themselves up for a world of hurt. Software development is definitely a big cost (expecially if you don't have the expertise / cheap labour to do it in-house).

    Note for those curious - the code is complete testing is currently being performed with the intention of rolling out the (complete) system for the start of the financial year. Bits and pieces may be seen before then.
  9. Supicioso

    Supicioso New Member

    Jun 7, 2013
    I wouldn't say it's hard. More time consuming then anything else, at least in my experience. It requires skill obviously, it's going to take an extremely long time to finish complete in-house solutions. Specially if you're small and don't have an army of developers behind you. Most people don't have that kind of time and or money. A few years ago I made a lightweight whmcs clone out of in a span of a month because I had a lot of time on my hands. That was when I was just discovering programming. So the task in-itself isn't really difficult. Just out of reach for most due to lack of time or money, or both.
    Last edited by a moderator: Feb 22, 2015
    drmike likes this.
  10. zionvps

    zionvps Member Verified Provider

    Apr 27, 2014
    The problem with in-house platforms is vulnerabilities which would require a lot of security testing.

    Panels like Solus and Virtualizor also faced this when they were launched after security tests which was most probably more than what you can do on in-house platforms.

    Even if you are coding everything right, most likely there will be a few of them so i prefer to stick with third party apps with modifications to be on safe side.

    Nice thread by the way.
    host4go likes this.
  11. robbyhicks

    robbyhicks Member Verified Provider

    Jan 27, 2015
    Very well written. I completely agree with writing every response as it if were to be posted on WHT or other forums.  Professionalism is becoming harder to come-by these days!
  12. joepie91

    joepie91 New Member

    Jun 19, 2013
    No idea about Virtualizor, but the code quality of SolusVM is absolutely atrocious - easily some of the worst PHP I've ever seen. The issues with SolusVM largely stem from poor developer habits.

    If you use a reasonable platform (not PHP), abstract things correctly, are aware of the different (applicable) types of vulnerabilities, and follow strict code quality/cleanliness guidelines, there's no reason why your code would contain any of the usual types of vulnerabilities. See also defensive programming.
    drmike likes this.
  13. Mohammed H

    Mohammed H New Member

    Feb 18, 2015
    well I will have to disagree with you. sticking with 3rd party apps is dangerous too since its source code is available (even if its encrypted, it can be decrypted). and when the source code is available 0days will be too. while in-house platforms with good programming habits is more secure (at least when its source code is not disclosed).

    what happened with me and a lot of providers out there due to WHMCS exploits in the past years was all because of this sticking 3rd party sh*** encrypted apps (even though I still use them) but eventually I will develop my own.

    Highest Regards

    Mohammed H
    Last edited by a moderator: Feb 24, 2015
    Francisco likes this.
  14. Enterprisevpssolutions

    Enterprisevpssolutions Article Submitter Verified Provider

    May 22, 2013
    Even with in house developers you always have rogue employees or developers that can cause issues with security. Best way to lock down the system is with the network you know what ips need to access what data all else should be denied and the issue is resolved. Admin areas, billing portals, servers in general if you lock down the network, ie transparent filters, firewall, ACL, software programs that try to communicate will not be able to, unless allowed. One security issue is resolved with this method.

    Having developers to add your own skins or portal on top of whmcs or another control panel using an API is what some companies do to save money on developer cost and pci compliance licenses, if you are attempting to build your own billing portal from the ground up this can get very expensive. Everyone is becoming a VPS host, LOL I love some of the tickets and responses I see from shared hosting providers also. Best piece of advice I can give to anyone wanting to become a host regardless if its VPS hosting or some other kind of hosting. Learn the systems from the ground up. Break the system as many ways before making it live so you know what will happen. Always create backups of anything you want to keep. If your drive crashes or your site is hacked and you didn't setup backups guess what? Must not of been important. Always create a backup of a file or system before making changes and most important of all. If your not sure use Google or another search engine and do some research on it and keep documentation on it before committing to the changes you are attempting.

    Besides that the article is well written and I wish the best to any and all hosts.
    joepie91 likes this.
  15. wlanboy

    wlanboy Content Contributer

    May 16, 2013
    PCI-DSS can be quite an issue.

    I've done about 8 audits and they are quite peaky about every single requirement.

    But a lot of payment providers do handle payments PCI-DSS complient - so as long as you do not store credit card information but tokens or uids you are fine.

    But still a good example about things you easily forget when building your own stuff.
  16. joepie91

    joepie91 New Member

    Jun 19, 2013
    No, that's not how it works. That's a perfect example of security through obscurity, which isn't actually security.

    Your code should be secure from a purely technical point of view. If you need to hide your code to keep it 'secure', there is almost certainly something wrong with your code, and somebody will eventually find it, whether you're aware of that or not.
    DamienSB likes this.
  17. haloelite3

    haloelite3 New Member

    Mar 2, 2015
    Thanks for pointing things out that I have never considered.

    Overall it was very well written and everything was stated correctly.

    Thank you
  18. Chatahooch

    Chatahooch New Member

    Feb 13, 2015
    Good read, nice post :)
  19. estrompolos

    estrompolos New Member

    Mar 6, 2015
    This is a very informative thread. Thank you for the contribution!
  20. ndelaespada

    ndelaespada Member Verified Provider

    Aug 29, 2013
    very good read, feels good to let it off your chest, doesn't it?