Using VPS for Bug Bounty, comparing VPS providers
Introduction
A VPS, or virtual private server, is an isolated, virtual environment running on a physical server that is usually owned by a cloud or web hosting provider. The virtualized server resources are made available to an end user over the Internet.
VPSs are commonly used for hosting websites online.
When you purchase a subscription for a VPS from a provider, you essentially rent a partition of a physical server that houses many virtual servers. Each VPS lets you run the operating system of your choice and gives you full root access. It is essentially a computer that can be controlled remotely at any time.
Why choose to use VPS for Bug Bounty or Pentesting
Performing tests from a cloud VPS instead of a home network gives you various benefits. Which benefits you get depends on the hardware and network configuration of the VPS provider.
- No IP Blacklisting
Performing penetration testing or bug bounty work will eventually cause your IP to get blacklisted by WAFs. A VPS lets you perform all that work from an IP other than your home IP, which keeps your home IP from being blacklisted (a blacklisting that usually lasts until your ISP changes your IP).
The VPS's IP could still get blacklisted, but most VPS providers assign a new public IP address when you restart your VPS machine.
- Easier Scalability
Unlike a normal server, a VPS makes it easy to scale up without interfering with the functionality of the server. When you need a configuration change, either to a more powerful or a less powerful machine, you can simply upgrade or downgrade your hosting plan; this requires no downtime and does not affect the already installed OS or software.
- Reverse Shells
Leaving ports open on your home setup can introduce unnecessary problems. A reverse shell listener on your VPS can be easily configured in your provider's dashboard, and you can have any port open there without worrying about the negative effects: on a home network, when a legitimate service gets exploited through a security vulnerability, the open ports can let a threat actor gain unauthorized access to your home machines.
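The VPS is still an Internet-facing host, so it is worth checking which of its services actually listen on all interfaces rather than only the ports you opened deliberately. The following audit script is an added example, not code from the original article; it parses `ss -tlnp` output (the sample below is constructed) and flags wildcard-bound listeners that are not on an explicit allowlist.

```python
"""Flag TCP listeners a VPS exposes on all interfaces beyond an allowlist."""
import re

# Constructed sample of `ss -tlnp` output on a VPS (not real data).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1203,fd=5))
LISTEN  0       1       0.0.0.0:4444         0.0.0.0:*          users:(("nc",pid=2210,fd=3))
LISTEN  0       511     *:8080               *:*                users:(("python3",pid=2301,fd=4))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Wildcard binds mean "reachable from every network the VPS is attached to".
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return (address, port, process) tuples for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, proc = m.groups()
            listeners.append((addr, int(port), proc))
    return listeners


def unexpected_exposures(ss_output, allowed_ports):
    """Ports bound on all interfaces that are not explicitly allowed.

    Loopback-only services are ignored because they are not reachable from
    outside. IPv4 and IPv6 binds of the same port are reported once.
    """
    exposed = {}
    for addr, port, proc in parse_listeners(ss_output):
        if addr in WILDCARD_ADDRS and port not in allowed_ports:
            exposed[port] = proc
    return sorted(exposed.items())


if __name__ == "__main__":
    # Only SSH and the one listener port opened on purpose are expected.
    for port, proc in unexpected_exposures(SAMPLE_SS_OUTPUT, {22, 4444}):
        print(f"unexpected listener on all interfaces: {port} ({proc})")
```

On a real VPS, pipe `ss -tlnp` output into `unexpected_exposures` with the ports you intentionally opened as the allowlist.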
- Increased Performance
A VPS may or may not be more powerful than a normal device in your home; it depends solely on the configuration. But here is the real power of a VPS: if you need to use power-hungry tools (that require more RAM and/or CPU), you create your own VPS setup and do not have to worry about the machine you use for normal, day-to-day tasks. If you need more power for a certain job or project, you can get a configuration that satisfies your needs for a month and then downgrade to a cheaper VPS. (More power comes at a cost, but you can downgrade the next month to a cheaper plan.)
- Greater Bandwidth
This is probably the most important reason to use a VPS. Bandwidth is country dependent, and where you live might or might not have enough bandwidth for your purposes. Most countries do not provide the bandwidth needed for fast network scanning. Network-hungry tools like Amass, Nmap, etc., can consume your bandwidth and leave you, or anyone else connected to your network, without enough bandwidth even for normal Internet browsing.
The other major benefit of greater bandwidth is time: a heavy scan could take minutes on a VPS instead of hours on a machine with low bandwidth.
- Always Running – 24/7
If you have a pen testing job with a deadline, or a bug bounty process that involves heavy recon, then a VPS is all you need. If your process takes hours or days to finish, you can free yourself from keeping your own machine up and running all day. Your VPS will continue to work nonstop, and you can go anywhere and still have access to it without worrying about power or Internet outages.
Choosing a VPS provider for your needs
One of the most important criteria when selecting a VPS provider is their tolerance of "offensive" security testing. Many providers intend their servers for hosting web applications, not for running security tests from them. The last thing you need is your contract getting terminated once they detect aggressive outbound traffic after you have configured your VPS, installed your tools, and started your tests.
Another important criterion is a fixed monthly cost or upper limit. Most bug bounty hunters prefer paying a fixed amount each month to getting a surprise at the end of the month and worrying about a huge bill. Providers like Amazon charge based on your monthly usage: not only the time you use the machine, but also data transfers, occasional backups, etc.
That said, you should do your own research and read everything in their FAQ, documentation, reviews, etc.; better safe than sorry.
Comparison between Providers:
After researching the providers that tolerate offensive security tests, and having some personal experience with them, the most widely known and used among bug bounty hunters are Contabo, DigitalOcean, Linode, and Vultr.
Amazon AWS and Google Cloud also seem to be used by some pen-testers, but they both have hourly rates (and even charges when you are not using the machine) rather than a fixed cost, so we exclude them from the comparison.
Below is a comparison of VPSs providers.
*Please note that the table shows the most used packages from Contabo, DigitalOcean, Linode, and Vultr. All of these providers have multiple packages for either shared or dedicated servers; only the shared servers are included here.
| Provider Name | Package Name | Monthly Price (USD)* | CPU cores | RAM (GB) | Storage | Bandwidth |
|---|---|---|---|---|---|---|
| Contabo | CLOUD VPS S | 6.99 | 4 | 8 | 50GB NVMe | 32TB |
| Contabo | CLOUD VPS M | 11.99 | 6 | 16 | 100GB NVMe | 32TB |
| Contabo | CLOUD VPS L | 19.99 | 8 | 30 | 200GB NVMe | 32TB |
| Contabo | CLOUD VPS XL | 34.99 | 10 | 60 | 400GB NVMe | 32TB |
| Vultr | – | 12 | 1 | 2 | 50GB | 3TB |
| Vultr | – | 24 | 2 | 4 | 100GB | 4TB |
| Vultr | – | 72 | 4 | 12 | 260GB | 7TB |
| DigitalOcean | Basic Droplet | 6 | 1 | 1 | 25GB SSD | 1TB |
| DigitalOcean | Basic Droplet | 18 | 2 | 2 | 60GB SSD | 3TB |
| DigitalOcean | Basic Droplet | 48 | 4 | 8 | 160GB SSD | 4TB |
| Linode | Linode 2GB | 10 | 1 | 2 | 50GB | 2TB |
| Linode | Linode 4GB | 20 | 2 | 4 | 80GB | 4TB |
| Linode | Linode 8GB | 40 | 4 | 8 | 160GB | 5TB |
*Prices may be subject to change by the provider without notice.
General Recommendations:
- The providers above are considered "pen-tester friendly" and only issue warnings for excessive use of system resources; still, read the terms of use and FAQ of every provider before deciding which one to use.
- From the list, it seems that only Vultr charges for VPSs that are stopped but not deleted, just like Amazon AWS, which is not included in the list. It is recommended to use the "Destroy" button in the customer portal so the virtual server no longer accumulates charges.
- Many VPS providers give free trial credits when you register for the first time; take advantage of that if you want to test multiple providers and choose the right one without being charged.
- Contabo VPSs seem to be the best option for individuals on a low budget, and in need of higher specs. They provide much more power, storage, bandwidth, and RAM than the other providers while charging less.
- DigitalOcean seems to be the most widely used VPS provider among the Penetration Testers/Bug Bounty Hunters.
Verdict
Nowadays, using a VPS is considered a must for every Pentester/Bug Bounty Hunter because of the various benefits it offers at a low cost. Using a VPS can speed up your workflow or even automate it completely to give the best results possible.
As VPS providers are getting more widespread, penetration testers and bug bounty hunters have many options to choose from.
Depending on your personal needs, pick the provider that best suits your workflow and your demands. Make sure to check their terms of use to avoid being suspended and losing time migrating to another VPS provider.
We hope that this article provided a good picture of why to use a VPS and what VPS providers you should consider.