Talking Shit About Dreamhost.

I don't like disgruntled customer nonsense. You know – the rigamarole of someone screaming loudly into the ether, hoping that someone listens to their precious bile or scares their vendor into giving them something to avoid active detraction.

That's not what I'm doing here.

I want you to avoid this situation entirely, so I'm calling out my former VPS provider, Dreamhost. If you don't read any further, don't use them. Find someone better.

Strike One

About 6 months ago, 4 months into my regrettable purchase of a 1 year too-good-to-be-true VPS plan, I kept getting reboot notices from my monitoring software.

I'll step back and get into what their VPS really is. It's not what I expected which was... you know, a VM. One where I had root. But no, it's essentially a container with their homegrown UI to add users and roles. It's very website driven, and indiscernable from their shared hosting platform where everybody's shoved into a shell host and you hope nobody fucks up the box.

The reboots were caused by the machine running out of memory. Their solution to the problem, rather than doing an OOM kill on the task itself, is to reboot the entire fucking box. Since their shared IP space(1) gets swept by scanners a lot something was making a service bloat out. I don't know how they don't get how this is a bad idea. This is the low rent area where every noob who wants baby's first WordPress is going to have an easily ownable install. It's not a good neighborhood to host in based on that alone.

Their recomendation? Use less memory. That's it. Not, “Hey, we're going to put better protections around scans from disreputable IP addresses” or, “Hey, we're going to at least email you when your machine is getting restarted so you can act on it.” Just a, “Yeah, that happens. Don't use your machine so much.” This was in spite of me explaining that the memory bloat was due to a pray-and-spray attack on their IP space.

Strike Two

Last night I saw an indicator that someone was trying to use a known bug in PHP that involves breaking out of a directory and activating composer. While my security should have prevented it, I had no way to really analyze it. Since I have zero control over my PHP settings, much less my PHP version, and that there is no way that a highly jailed user could really do much for it, I deleted the VPS. I'd already moved the service elsewhere because of all this shit that happened in Strike One.

Strike Three

I've paid through April, and assumed that by removing the VPS from my plan that my other services attached to the account would remain working until then.

No.

Without any warning I started getting authentication errors on my email today. They shut the email accounts on all the domains I have there because there's no longer a VPS service. I can't even get into my old email and pull it out. It's as if it never existed.

Conclusions / TL;DR

So that's the story. Dreamhost has shitty VPS with limited security, apparently no DDOS protection, limited configurability, and that runs at an SLA of “oh well we tried, but it's probably your fault anyhow”. Their homegrown control panel serves to keep users from screwing up stuff Dreamhost cares about, but doesn't offer you any real protection from getting burnt by their odd sense of what services go to which thing. Deleting a VPS that has nothing to do with email delivery or DNS should not kill the email.

I've spent an hour writing this waiting to see if they'll at least restore my email long enough for me to get the fuck out for good.

UPDATE: 2021-01-08 14:12

The dreamhost business gets even funnier. I went to see if there was a backup of my email in their interface – no, of course not. There's nothing to back up.

I did, however, find backups from 7/2021 that the system warns will be deleted a month after request (8/2021).

They're still there. I have a huge problem with this, for so so many reasons.


  1. Did I mention your VPS doesn't get a fixed IP so you have to use their DNS to keep your shit pointed at their floating IP?

DrOS Logo
© 2021 Otto Skrzyk