10.11.2023

Security and Ethical Use of VPS and Dedicated Servers: Prohibited Practices Explained

A Virtual Private Server (VPS) or dedicated server grants you root-level control over a virtualized or physical computing environment — but that control operates within a defined legal and operational boundary. AlexHost's acceptable use policy (AUP) codifies exactly where those boundaries lie, what constitutes a violation, and why each restriction exists from both a technical and legal standpoint. This article provides an exhaustive, engineer-level breakdown of every prohibited practice, the infrastructure risks each one creates, and how to remain fully compliant while extracting maximum value from your hosting environment.

If you are evaluating VPS Hosting or Dedicated Servers and need to understand what workloads are permissible before committing to a plan, this guide is your definitive reference.

Why Acceptable Use Policies Exist at the Infrastructure Level

Hosting providers are not passive conduits. Under frameworks such as the EU's Digital Services Act, the U.S. Computer Fraud and Abuse Act (CFAA), and Moldova's Law on Electronic Communications (AlexHost is headquartered in Chisinau, Moldova), a provider's protection from liability for customer traffic is conditional: once it is on notice of abuse originating from its IP ranges it must act, and it can be held responsible if it does not. When a server on a shared network block engages in abusive behavior, the consequences propagate outward:

  • IP reputation damage affects every other customer sharing the same /24 or /16 subnet, degrading email deliverability and access to third-party APIs.
  • Upstream provider sanctions can result in null-routing entire IP blocks, causing collateral downtime for unrelated tenants.
  • Legal exposure for the provider can translate into service interruptions, asset seizures, or forced data disclosure under court order.

Understanding this cascade is critical. Prohibited practices are not arbitrary corporate policy — they are engineering and legal necessities that protect the shared infrastructure every customer depends on.

Comprehensive Breakdown of Prohibited Practices

Illegal Online Pharmacies and Controlled Substance Distribution

Operating an online pharmacy that sells prescription medications without valid licensure, or distributing controlled substances in violation of national pharmaceutical law, is explicitly prohibited. This is not limited to obvious "dark web" storefronts. The prohibition covers:

  • Websites that sell prescription drugs without requiring a valid prescription.
  • Platforms that ship controlled substances across jurisdictions where they are classified as illegal.
  • Affiliate marketing funnels that redirect traffic to unlicensed pharmaceutical vendors.

Technical enforcement context: Regulatory bodies including the U.S. FDA, the European Medicines Agency (EMA), and Interpol's Operation Pangea actively monitor hosting infrastructure associated with rogue pharmacy networks. Providers hosting such content face takedown notices, ICANN registrar actions, and in severe cases, direct law enforcement contact. The reputational damage to the provider's IP ranges is long-lasting and measurable in blocklist entries.

Unauthorized Public VPN Services

Offering a public-facing VPN service — one that accepts connections from arbitrary third parties to anonymize their traffic — without the appropriate telecommunications or data processing licenses is prohibited. This is distinct from running a private VPN for your own remote access or for a defined set of authenticated employees.

The distinction matters technically:

  • A private VPN (WireGuard, OpenVPN) with a fixed list of authorized peers and no public advertising is generally permissible.
  • A commercial or open public VPN that accepts anonymous connections, monetizes bandwidth, or advertises itself as a privacy tool for the general public requires licensing in most jurisdictions and creates significant abuse vectors.

Why this is a high-risk activity for providers: Public VPN exit nodes become the apparent origin of all traffic passing through them. When a user of that VPN engages in port scanning, credential stuffing, or content scraping, the abuse reports arrive at AlexHost's abuse desk pointing to your server's IP. This consumes abuse handling resources, risks IP blocklisting, and can trigger upstream provider intervention.

Cryptocurrency Mining Operations

Cryptocurrency mining — particularly Proof-of-Work algorithms such as RandomX (Monero), Etchash (Ethereum Classic's variant of Ethash), or SHA-256 (Bitcoin) — is prohibited on AlexHost infrastructure. The technical rationale is straightforward and worth quantifying:

  • A single XMR mining process on a 4-core VPS will sustain 100% CPU utilization indefinitely, degrading performance for co-located tenants on the same physical host.
  • Proof-of-Work mining is CPU- and memory-bound, not disk-bound. RandomX in particular is memory-hard: the miner allocates a dataset of roughly 2 GB that every mining thread hammers, so co-located tenants lose memory bandwidth and cache as well as CPU time, and the sustained all-core load drives the host into thermal throttling.
  • Mining draws maximum power continuously, rather than in the bursty pattern of ordinary web hosting workloads, which stresses the datacenter's power delivery and cooling budget in a way normal workloads do not.

Edge case to be aware of: Running a blockchain node (e.g., a Bitcoin full node for wallet validation, or an Ethereum archive node for dApp development) is architecturally different from mining. Node operation does not perform Proof-of-Work computation. However, you should confirm with AlexHost support before deploying any blockchain-adjacent workload to ensure it falls within acceptable resource consumption parameters.

If your workload genuinely requires GPU-accelerated computation — for machine learning inference, rendering, or scientific computing — GPU Hosting is the architecturally appropriate solution, provisioned specifically for sustained high-compute workloads.

Unauthorized Port Scanning and Vulnerability Assessment

Conducting port scans, service fingerprinting, or vulnerability assessments against hosts you do not own or have explicit written authorization to test is prohibited. Tools in this category include Nmap, Masscan, Shodan-style crawlers, Nikto, OpenVAS, and similar network reconnaissance utilities.

The technical and legal boundary is precise:

  • Scanning your own servers, your own IP ranges, or systems for which you hold a signed penetration testing agreement is legitimate and common practice.
  • Scanning third-party IP addresses — even "just to see what's open" — is an AUP violation and, depending on the jurisdiction, can be prosecuted as unauthorized access or as preparation for it under statutes such as the CFAA, the UK Computer Misuse Act, and their equivalents elsewhere.

Infrastructure-level impact: High-rate port scans from a single source IP generate massive volumes of SYN packets, RST responses, and ICMP unreachables. This traffic pattern is immediately detectable by upstream routers, intrusion detection systems, and the honeypot networks that feed reputation services such as AbuseIPDB, GreyNoise, and Spamhaus, so your IP lands in threat intelligence feeds within hours. Recovering an IP from these blocklists is a multi-week process that affects every service running on that address.

Legitimate security professionals running authorized red team engagements should provision dedicated, isolated infrastructure for offensive tooling and ensure all target scope documentation is retained and accessible.

Proxy Services and Traffic Laundering

Using a VPS or dedicated server as a proxy node — whether HTTP, SOCKS5, or at the TCP/IP layer — to relay third-party traffic without authorization is prohibited. This encompasses:

  • Open proxy servers that accept connections from any source IP.
  • Residential proxy networks that route commercial traffic through the server to make it appear to originate from a different network.
  • Anonymization relay chains designed to obscure the true origin of traffic for purposes of circumventing geo-restrictions, rate limits, or access controls.

Why this creates systemic risk: Proxy abuse is one of the most common vectors for credential stuffing attacks, web scraping at scale, and ad fraud. When your server acts as a relay, every downstream action taken through it is attributed to your IP by the target system. The abuse reports, blocklist entries, and potential legal liability all land on the server operator — you.

A narrow but important distinction: reverse proxies that serve your own web applications (Nginx, HAProxy, Caddy in front of your own backend services) are entirely standard and expected. The prohibition targets forward proxies and relay services that handle third-party traffic.

Violation of Applicable Local Laws

Any content, application, or service hosted on AlexHost infrastructure must comply with the laws of the jurisdiction in which the server physically resides, as well as the laws of the jurisdictions in which the service's users are located. This is a layered legal obligation, not a simple single-country rule.

Practically, this means:

  • Content laws: CSAM is universally prohibited and triggers mandatory reporting obligations. Hate speech laws vary significantly between the EU, U.S., and other jurisdictions.
  • Data protection regulations: GDPR applies to any service processing personal data of EU residents, regardless of where the server is located. Hosting user data without a lawful basis, adequate security measures, or a valid privacy policy is a compliance violation.
  • Export controls: Hosting software or cryptographic tools subject to U.S. Export Administration Regulations (EAR) or EU dual-use export controls may require specific licensing.
  • Financial regulations: Hosting unlicensed financial services, payment processors, or securities trading platforms without appropriate regulatory authorization is prohibited.

Practical guidance: If your application collects any user data, implements authentication, or processes payments, a legal review of your hosting jurisdiction's requirements is not optional — it is a prerequisite for compliant operation.

Actions Causing Material or Reputational Harm

This is the catch-all provision, and it is broader than it might initially appear. It covers any activity that damages AlexHost's infrastructure, business relationships, or public reputation, including but not limited to:

  • Distributed Denial of Service (DDoS) attacks originating from or amplified through AlexHost servers.
  • Spam campaigns — bulk unsolicited email, SMS flooding, or comment spam — that result in AlexHost's IP ranges being listed on major blocklists (Spamhaus SBL, UCEPROTECT, Barracuda).
  • Malware distribution — hosting command-and-control (C2) infrastructure, phishing pages, exploit kits, or drive-by download payloads.
  • Botnet participation — allowing a compromised server to participate in a botnet, even if the compromise was unintentional, without taking immediate remediation action.
  • Fraudulent services — phishing replicas of legitimate websites, fake support portals, or social engineering infrastructure.

The unintentional compromise scenario is a critical edge case: If your server is compromised and begins sending spam or participating in a DDoS, you are still responsible for remediation. AlexHost may suspend the server to protect the broader network. Maintaining current backups, monitoring outbound traffic with tools like netstat, ss, or iftop, and implementing egress firewall rules are not optional hardening steps — they are operational necessities.

Prohibited vs. Permitted Activities: A Technical Reference Matrix

Activity                                       | Status                | Technical reason
-----------------------------------------------|-----------------------|--------------------------------------------------------
Private VPN for personal/team use              | Permitted             | Closed user group, no public relay
Commercial public VPN service                  | Prohibited            | Abuse vector, licensing requirements
Blockchain full node (read-only)               | Consult support       | Resource-intensive but not PoW mining
Proof-of-Work cryptocurrency mining            | Prohibited            | Sustained 100% CPU, hardware strain
Authorized penetration testing (own systems)   | Permitted             | Scoped, documented, no third-party impact
Unauthorized port scanning (third-party hosts) | Prohibited            | Computer-misuse offense (CFAA and equivalents), IP blocklisting
Reverse proxy for own applications             | Permitted             | Standard web architecture
Open/public forward proxy                      | Prohibited            | Traffic laundering, abuse attribution
Licensed online pharmacy                       | Consult legal/support | Jurisdiction-specific licensing required
Unlicensed pharmaceutical storefront           | Prohibited            | Illegal trade, regulatory enforcement
GDPR-compliant data processing                 | Permitted             | Lawful basis, security measures required
Unlicensed financial services platform         | Prohibited            | Regulatory violation
Malware C2 infrastructure                      | Prohibited            | Criminal offense in all jurisdictions
DDoS attack origination                        | Prohibited            | Criminal offense, IP null-routing
Bulk unsolicited email (spam)                  | Prohibited            | IP blocklisting, AUP violation

Hardening Your Server to Prevent Unintentional Violations

Many AUP violations originate not from malicious intent but from inadequate server security. A compromised server can become an instrument of prohibited activity without the owner's knowledge. The following hardening measures are non-negotiable for any production environment:

Access control:

  • Disable root SSH login (PermitRootLogin no in sshd_config).
  • Enforce SSH key-based authentication; disable password authentication.
  • Implement IP allowlisting for SSH access using ufw or firewalld.
  • Deploy fail2ban or CrowdSec to automatically block brute-force attempts.
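The access-control items above, as an added shell example that is not AlexHost's tooling and not part of the original article: a drop-in file that applies the hardened sshd settings, and an audit function that reads the effective configuration printed by `sshd -T` and reports every setting that still deviates from the baseline. The drop-in path, the option baseline and the sample `sshd -T` lines in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not AlexHost's own tooling): harden sshd with a drop-in
# file and audit the effective configuration. The drop-in path and the
# baseline values below are assumptions for illustration.
set -eu

# Hardened settings, written as a drop-in so that package upgrades of
# /etc/ssh/sshd_config do not overwrite them (OpenSSH 8.2+ reads
# /etc/ssh/sshd_config.d/*.conf when the main file carries the Include line).
# Usage (as root): write_sshd_dropin && sshd -t && systemctl reload ssh
write_sshd_dropin() {
    target="${1:-/etc/ssh/sshd_config.d/10-hardening.conf}"
    cat > "$target" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
AllowAgentForwarding no
EOF
}

# Audit: read "sshd -T" output ("keyword value", lowercase) on stdin and
# print one FAIL line per setting that deviates from the baseline. A key
# that sshd -T does not print at all is reported too, because the compiled
# default then applies. Exit 0 when clean, 1 when anything was printed.
# (OpenSSH older than 8.7 prints challengeresponseauthentication instead of
# kbdinteractiveauthentication; adjust the table if you audit such hosts.)
# Usage: sshd -T | audit_sshd_effective
audit_sshd_effective() {
    awk '
    BEGIN {
        want["permitrootlogin"]              = "no"
        want["passwordauthentication"]       = "no"
        want["kbdinteractiveauthentication"] = "no"
        want["pubkeyauthentication"]         = "yes"
        want["maxauthtries"]                 = "3"
    }
    {
        key = tolower($1); val = tolower($2)
        if (key in want) { seen[key] = val }
    }
    END {
        for (k in want) {
            if (!(k in seen)) {
                print "FAIL " k " not set (compiled default applies)"; bad = 1
            } else if (seen[k] != want[k]) {
                print "FAIL " k "=" seen[k] " (want " want[k] ")"; bad = 1
            }
        }
        exit bad
    }'
}
```

Run the audit after every reload, not just once: a later drop-in or a distribution upgrade can silently re-enable password logins, and `sshd -T` shows what the daemon actually enforces rather than what one file says.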

Outbound traffic monitoring:

  • Use iftop, nethogs, or vnstat to establish baseline traffic patterns and detect anomalous outbound connections.
  • Implement egress firewall rules that allow only the destination ports and IPs your application needs and drop everything else by default.
  • Monitor for unexpected SMTP traffic (port 25 outbound) — a primary indicator of spam relay compromise.
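Added shell example for the monitoring items above, not part of the original article: an nftables egress allowlist that denies every outbound connection not explicitly needed, and a check that flags established outbound mail connections in `ss` output. The relay address 198.51.100.10, the table and chain names, and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: default-deny egress policy
# for nftables plus a check that flags outbound SMTP. The permitted relay
# (198.51.100.10) and the table/chain names are assumptions.
set -eu

# Egress allowlist. Anything not listed is logged (rate-limited) and then
# dropped by the chain policy, so a compromised process cannot reach a C2
# host or spam a remote MX. Apply with:
#   write_egress_ruleset /etc/nftables.conf && nft -f /etc/nftables.conf
write_egress_ruleset() {
    cat > "$1" <<'EOF'
table inet egress {
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop
        udp dport 53 accept comment "DNS"
        tcp dport 53 accept comment "DNS over TCP"
        udp dport 123 accept comment "NTP"
        tcp dport { 80, 443 } accept comment "package updates, outbound APIs"
        ip daddr 198.51.100.10 tcp dport 587 accept comment "authenticated mail relay only"
        icmp type echo-request accept
        limit rate 5/second log prefix "egress-drop: "
    }
}
EOF
}

# Flag established outbound mail connections (peer port 25, 465 or 587)
# that do not go to the permitted relay. Feed it the output of
#   ss -Htn state established
# whose columns are: Recv-Q Send-Q Local:Port Peer:Port (no -p, which would
# append a process column). Prints one ALERT per offender; exit 1 if any.
flag_outbound_smtp() {
    relay="${1:-198.51.100.10}"
    awk -v relay="$relay" '
    {
        peer = $4
        n = split(peer, parts, ":")          # IPv6 peers also end in :port
        port = parts[n]
        host = substr(peer, 1, length(peer) - length(port) - 1)
        if ((port == "25" || port == "465" || port == "587") && host != relay) {
            print "ALERT outbound mail " $3 " -> " peer
            bad = 1
        }
    }
    END { exit bad }'
}
```

Wire `flag_outbound_smtp` into cron or a systemd timer and page on a non-zero exit; a web or application server that opens port 25 to anything but your relay is either misconfigured or already relaying someone else's spam.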

Application security:

  • Keep all installed software, CMS platforms, and dependencies current with security patches.
  • Run web applications as non-privileged users with minimal filesystem permissions.
  • Implement a Web Application Firewall (WAF) such as ModSecurity or Cloudflare's WAF in front of public-facing applications.

Monitoring and alerting:

  • Deploy an intrusion detection system (IDS) such as Suricata or OSSEC/Wazuh.
  • Configure log aggregation and set alerts for authentication failures, privilege escalation attempts, and unexpected cron job modifications.
  • Maintain regular, tested, off-server backups — ideally to a geographically separate location.

For teams managing multiple applications or requiring a graphical management interface, VPS Control Panels provide centralized monitoring, firewall management, and user access controls that reduce the operational overhead of maintaining a hardened environment.

Email Infrastructure and Spam Compliance

Email is one of the most abuse-prone services on any hosting platform. If your application sends transactional email — account confirmations, password resets, notifications — you must implement the full authentication stack to remain compliant and avoid being classified as a spam source:

  • SPF (Sender Policy Framework): Publish a DNS TXT record authorizing your server's IP to send mail for your domain.
  • DKIM (DomainKeys Identified Mail): Sign all outgoing messages with a private key; publish the corresponding public key in DNS.
  • DMARC: Publish a policy that instructs receiving mail servers how to handle messages that fail SPF or DKIM validation.
  • Reverse DNS (PTR record): Ensure your server's IP has a matching PTR record that resolves to your mail hostname. Many receiving servers reject mail from IPs without valid PTR records.
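Added shell example for the SPF, DKIM, DMARC and PTR items above, not from the original article: the records to publish for a constructed example.com, plus checks that catch the usual mistakes before publishing, namely a missing v=spf1, a +all or absent terminator, more than ten lookup-costing SPF mechanisms (receivers then return permerror and treat the record as broken), and a DMARC record with no enforcing policy or report address. example.com, the addresses and the key placeholder are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check SPF and
# DMARC records before publishing them. All names, addresses and the DKIM
# key placeholder are constructed for illustration.
set -eu

# Constructed records for example.com (publish as TXT/PTR at the names shown):
#   example.com.                 TXT "v=spf1 ip4:203.0.113.10 include:_spf.example.net -all"
#   mail._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=<base64 public key>"
#   _dmarc.example.com.          TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
#   10.113.0.203.in-addr.arpa.   PTR mail.example.com.
# The DKIM key pair can be generated with: opendkim-genkey -b 2048 -d example.com -s mail
# Usage against live DNS: check_spf "$(dig +short TXT example.com | tr -d '"')"

# Count mechanisms and modifiers that cost a DNS lookup during evaluation
# (include, a, mx, ptr, exists, redirect=). RFC 7208 caps these at 10.
spf_lookup_count() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -Ec '^([+~?-]?(include|a|mx|ptr|exists)(:|/|$)|redirect=)' || true
}

# Validate an SPF record string: version tag, terminator, lookup budget.
# Prints one FAIL line per finding; exit 1 if any.
check_spf() {
    rec="$1"; bad=0
    case "$rec" in
        "v=spf1 "*|"v=spf1") ;;
        *) echo "FAIL SPF: must start with v=spf1"; bad=1 ;;
    esac
    case "$rec" in
        *" -all"|*" ~all") ;;
        *" +all"|*" all") echo "FAIL SPF: +all authorizes every sender on the internet"; bad=1 ;;
        *) echo "FAIL SPF: missing -all/~all terminator"; bad=1 ;;
    esac
    n=$(spf_lookup_count "$rec")
    [ "$n" -le 10 ] || { echo "FAIL SPF: $n DNS-lookup mechanisms (limit 10, evaluates to permerror)"; bad=1; }
    return $bad
}

# Validate a DMARC record: version tag, a policy (p=none only monitors,
# it does not protect the domain), and a report address. Exit 1 on FAIL.
check_dmarc() {
    rec="$1"; bad=0
    case "$rec" in
        "v=DMARC1;"*) ;;
        *) echo "FAIL DMARC: must start with v=DMARC1;"; bad=1 ;;
    esac
    pol=$(printf '%s' "$rec" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1)
    case "$pol" in
        quarantine|reject) ;;
        none) echo "WARN DMARC: p=none only monitors; move to quarantine/reject once reports are clean" ;;
        *) echo "FAIL DMARC: missing or invalid p= tag"; bad=1 ;;
    esac
    case "$rec" in
        *"rua=mailto:"*) ;;
        *) echo "WARN DMARC: no rua= address, you will receive no aggregate reports" ;;
    esac
    return $bad
}
```

The lookup budget is the check most often missed: each `include:` pulls in that vendor's own includes, so a record that mixes a marketing platform, a ticketing system and a cloud mailer can pass the 10-lookup limit without any single line looking wrong, and receivers then treat the whole record as permerror.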

For organizations that require a managed, compliant email environment without the complexity of self-hosting a mail server, Email Hosting provides a pre-configured, authenticated infrastructure that handles deliverability and compliance by default.

Additionally, all public-facing web applications should be secured with a valid TLS certificate. Beyond the security benefits, Google's ranking algorithms and modern browsers actively penalize unencrypted HTTP. SSL Certificates provide the cryptographic foundation for HTTPS, protecting data in transit and establishing trust with end users and search engines alike.

Decision Matrix: Is Your Workload Compliant?

Before deploying any application or service, run it through this checklist:

Legal compliance:

  • [ ] Does the service comply with the laws of Moldova (AlexHost's hosting jurisdiction)?
  • [ ] Does the service comply with the laws of all jurisdictions where your users are located?
  • [ ] If you process personal data of EU residents, do you have a lawful basis under GDPR and a valid privacy policy?
  • [ ] If you handle payments, do you hold the required financial services licenses?

Resource usage:

  • [ ] Does your workload avoid sustained 100% CPU utilization from non-productive computation (mining, brute-forcing)?
  • [ ] Is your outbound bandwidth usage consistent with legitimate application traffic patterns?

Network behavior:

  • [ ] Does your application avoid scanning third-party IP addresses or networks?
  • [ ] Is all outbound traffic attributable to your own application logic, not third-party relay requests?

Security posture:

  • [ ] Is SSH hardened with key-based authentication and fail2ban?
  • [ ] Are all software components patched to current security releases?
  • [ ] Do you have outbound traffic monitoring in place to detect compromise?
  • [ ] Do you maintain tested, off-server backups?

Email (if applicable):

  • [ ] Are SPF, DKIM, and DMARC records published and validated?
  • [ ] Does your server IP have a valid PTR record?
  • [ ] Are you sending only to opted-in recipients?

FAQ

What is the difference between a private VPN and a prohibited public VPN service on AlexHost?

A private VPN serves a closed, authenticated group of users — such as a company's remote workforce — and does not accept connections from arbitrary third parties. A prohibited public VPN service accepts connections from any user, often anonymously, and relays their traffic through the server. The latter creates uncontrollable abuse vectors and typically requires telecommunications licensing that most server operators do not hold.

Can I run a cryptocurrency blockchain node (not mining) on an AlexHost VPS?

Running a read-only or validating blockchain node — such as a Bitcoin full node or an Ethereum archive node — is architecturally distinct from Proof-of-Work mining and does not perform the computationally abusive operations that mining does. However, archive nodes can consume substantial disk I/O and storage. You should contact AlexHost support before deployment to confirm that your specific resource consumption profile is within acceptable parameters for your chosen plan.

What happens if my server is compromised and begins sending spam or participating in a DDoS without my knowledge?

AlexHost may suspend the server automatically to protect the broader network, regardless of whether the activity was intentional. You remain responsible for remediating the compromise, cleaning the server, and demonstrating corrective action before service is restored. This is why proactive hardening — SSH key authentication, fail2ban, egress monitoring, and regular patching — is operationally essential, not optional.

Does GDPR apply to my application if my server is hosted outside the EU?

Yes. GDPR applies based on where your users are located, not where your server is hosted. If your application processes personal data of individuals in the European Economic Area, GDPR obligations apply regardless of your server's physical location. This includes requirements for a lawful basis for processing, data subject rights, breach notification, and adequate technical security measures.

What constitutes "material or reputational damage" under AlexHost's AUP, and how is it enforced?

This provision covers any activity that results in measurable harm to AlexHost's infrastructure, business relationships, or IP reputation — including DDoS origination, spam campaigns that trigger blocklist entries, malware distribution, phishing infrastructure, and fraudulent services. Enforcement is typically automated for high-confidence signals (e.g., outbound port 25 spam detected by network monitoring) and manual for more ambiguous cases. Repeated or severe violations result in permanent account termination without refund.
