What happens to my brain the moment I realize I have broken my VPS and I cannot quite remember the exact sequence of commands that got me here in the first place?
This is the moment I am writing for—the moment when I am logged into a remote server, cursor blinking, fingers hovering over the keyboard, half-confident that I can fix things, and half-aware that I am probably about to make them worse. I am alone with a shell prompt, faint memories of Stack Overflow answers, and a brittle belief that I know what I am doing.
In other words, I am in the infinite loop of half‑remembered commands.
In this article, I walk through the most common VPS hosting errors I run into, what usually causes them, how I break them further, and—crucially—how I actually fix them. I am going to be excruciatingly explicit, almost to the point of tedium, because that is often what the command line really demands: no skipped steps, no magic, no “and then it just works.”
Understanding the Nature of VPS Errors
Before I try to fix anything, I force myself to understand what kind of problem I am facing. This is less philosophical than it sounds. A VPS has a finite set of failure modes, and my sanity improves dramatically when I mentally classify the error before I start typing random commands based on faint memories.
The Three Big Categories of VPS Pain
When I break my VPS, the issue tends to fall into one of three broad categories:
- Connectivity problems – I cannot reach the server at all, or only some ports are reachable.
- Service problems – The server is reachable, but the application or service (web server, database, etc.) is not working.
- Configuration and resource problems – Everything is technically “up,” but it is slow, misconfigured, or intermittently failing under load.
I keep these in mind because they guide the first commands I run. If I cannot even SSH into the server, that is very different from “site is throwing a 502 but SSH works.”
My Mental Debugging Loop
When something is wrong, I usually find myself in a mental loop that looks like this:
- Vaguely remember a command that once fixed something similar.
- Run a half‑correct version of that command.
- Make note of some cryptic output, tell myself I will “look into that later,” and then ignore it.
- Try another vaguely remembered command.
- Repeat until something appears to work, and I stop investigating.
This is not ideal. So I now try to consciously replace this fuzzy loop with a more structured one:
| Step | My Question | Concrete Action |
|---|---|---|
| 1 | Can I even reach the server? | Ping, SSH test, provider panel status |
| 2 | Are core services running? | systemctl status, service logs |
| 3 | Is the network/firewall blocking me? | Check firewall rules, security groups |
| 4 | Is it a resource exhaustion problem? | top, htop, df -h, free -m |
| 5 | Is it a configuration error? | Check config files, syntax tests, logs |
I still forget things, but at least the loop is intentional instead of panicked.
Error 1: “I Cannot SSH into My VPS”
This is the canonical nightmare: I used to be able to log in, and now I cannot. The error might be a simple timeout, a “Connection refused,” or an “Authentication failed.” My brain begins rummaging for that one ssh command with special flags I used six months ago.
Typical Symptoms
- The terminal sits for a while and then:
ssh: connect to host example.com port 22: Connection timed out - Or instantly:
ssh: connect to host example.com port 22: Connection refused - Or:
Permission denied (publickey).
I interpret these slightly differently.
- Timeout: Usually network or firewall issue.
- Connection refused: The port is reachable, but nothing is listening (or being blocked by something local).
- Permission denied: SSH service is up, but credentials or keys are wrong.
Step-by-Step: What I Actually Do First
I start with the least invasive, least clever approach:
-
Check if the VPS is even running
I log into my hosting provider’s control panel and see:- Is the VPS status “running” or “stopped”?
- Is there a recent reboot, crash, or maintenance event?
-
Ping the server IP (with caution)
ping -c 4 your.server.ip
If there is no response, that might be normal (ICMP disabled), but if this used to work and now does not, I suspect network or firewall rules.
-
Test port 22 reachability from my machine
nc -vz your.server.ip 22
or
telnet your.server.ip 22
- If this fails immediately, I suspect firewall/security group issues or SSH is not running.
- If it hangs, I suspect routing or drop rules.
At this point, if I still cannot log in but I have console access via the provider (often a web-based “serial console”), I use that. It feels like going back to the stone age, but it often saves me.
Scenario A: SSH Service Is Not Running
Once I am “inside” via console:
sudo systemctl status ssh
or on some distros:
sudo systemctl status sshd
If the service is inactive or failed:
sudo systemctl start ssh sudo systemctl enable ssh
I then check logs for why it died:
journalctl -u ssh -xe
or:
journalctl -u sshd -xe
Common culprits:
- Broken SSH configuration syntax.
- Port conflict.
- Host keys missing or corrupted.
Scenario B: I Messed Up My SSH Configuration
The most self-sabotaging error I make is editing /etc/ssh/sshd_config, feeling quite confident, and then restarting SSH—only to lock myself out.
To debug:
sudo sshd -t
This command tests the SSH daemon configuration for syntax errors without starting the service. If it outputs nothing, syntax is (usually) valid. If there is an error, I fix the line indicated.
Sample failure:
/etc/ssh/sshd_config line 87: Bad configuration option: PermitRootLogn
I correct the typo, run sshd -t again, and then:
sudo systemctl restart ssh
Scenario C: “Permission Denied (publickey)”
This one has a familiar flavor of doom. I check:
- Am I using the correct user? (
rootvsubuntuvsdebianvscentos) - Am I using the correct key file?
I try:
ssh -i /path/to/my_key -v user@your.server.ip
The -v adds verbose output—painfully verbose—but it lets me see if:
- My key is offered.
- The key is rejected.
- The server is refusing for some policy reason.
If I can get into the server through console, I verify:
-
My public key in
~/.ssh/authorized_keysof the target user. -
Permissions:
chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys
If I messed with PasswordAuthentication no and have no working key, I may need to temporarily re-enable password login in /etc/ssh/sshd_config:
PasswordAuthentication yes PubkeyAuthentication yes
Then:
sudo sshd -t sudo systemctl restart ssh
After I fix my keys, I set PasswordAuthentication no again, run the config test, and restart SSH one more time.
Error 2: Website Down, VPS Up
There is a distinct kind of dread when I can SSH into my VPS just fine, but the website is returning 502/503/504 errors, or worse, a browser “Cannot connect.” The server is alive; the app feels dead.
Common HTTP-Level Failures
- 502 Bad Gateway – Reverse proxy (like Nginx) cannot connect to the upstream (application server).
- 503 Service Unavailable – Service overloaded or temporarily offline.
- 504 Gateway Timeout – Upstream taking too long to respond.
- Connection refused on port 80/443 – Web server not running or firewall blocking.
My First Web-Service Check
Inside the server, I identify the HTTP stack:
ps aux | grep -E “nginx|apache|httpd|caddy”
Then I query the service status:
sudo systemctl status nginx sudo systemctl status apache2 sudo systemctl status httpd
Depending on what I find, I either:
-
Start the web server:
sudo systemctl start nginx sudo systemctl enable nginx
-
Or restart and watch closely:
sudo systemctl restart nginx
If the status shows “failed,” I look at logs:
journalctl -u nginx -xe
and/or
sudo tail -n 50 /var/log/nginx/error.log
Configuration Syntax Tests
I often half-remember that Nginx has a syntax test flag and then scramble to recall the exact form. It is:
sudo nginx -t
For Apache:
sudo apachectl configtest
or:
sudo apache2ctl configtest
If I get a syntax error, I know that some recent edit is responsible. I fix the problem file and re-run the test before touching the running service again. This keeps me from entering a loop of “restart, fail, restart, fail” without insight.
Upstream / Reverse Proxy Issues
When I see a 502 Bad Gateway from Nginx, the bug is usually in the upstream definition.
Example Nginx snippet:
upstream app_server { server 127.0.0.1:8000; }
server { listen 80; server_name example.com;
location / { proxy_pass http://app_server; } }
If my app server (say, Gunicorn, Node.js, or PHP-FPM) is not actually running on 127.0.0.1:8000, Nginx will gladly report “Bad Gateway.”
I check if the upstream service is listening:
ss -tulnp | grep 8000
or:
netstat -tulnp | grep 8000
If nothing is listening, I restart the app:
sudo systemctl status gunicorn sudo systemctl restart gunicorn
If it still fails, I go looking in the application’s own logs.
Comparing Symptoms and Likely Causes
I find it useful to mentally map symptom to probable root cause. I keep a sort of internal table like this:
| Symptom | Likely Cause | My First Check |
|---|---|---|
| 502 Bad Gateway (Nginx) | Upstream app down, wrong port, firewall | systemctl status of app; ss -tulnp |
| 503 Service Unavailable | Service overloaded, restarting, or disabled | Web server status and logs |
| 504 Gateway Timeout | App too slow, deadlocks, heavy queries | App logs, DB performance, timeouts in config |
| Browser “Connection refused” | Web server not running or firewall blocking | systemctl status nginx/apache; firewall rules |
| SSL error / certificate warnings | Expired or misconfigured certificate | openssl s_client, certificate paths, renew logs |
Once I get in the habit of matching the symptom to the likely cause, my panicked guesswork drops by a half-step.
Error 3: Firewall Rules That I Do Not Quite Remember Setting
The firewall is the archetypal source of infinite loops. I change a rule, test something, get distracted, then come back weeks later and cannot remember why port 8080 is open to the world or why I cannot reach port 22 from my home IP but can from my phone’s hotspot.
Identifying the Firewall Tool in Use
The first half-remembered command that I reach for is often the wrong one, because different distributions favor different tools:
-
ufw(Uncomplicated Firewall) on Ubuntu -
firewalldon CentOS/RHEL - Raw
iptables(older setups) ornftables
I check:
command -v ufw command -v firewall-cmd
Then see what is active:
sudo ufw status sudo systemctl status firewalld
Common Firewall Mistakes I Make
- Blocking SSH (
22/tcp) from my own IP range. - Opening HTTP/HTTPS on one interface but not another.
- Forgetting to allow traffic from the VPS’s private network to the database server.
- Mixing cloud provider security groups with OS-level firewalls and forgetting one of them exists.
Fixing UFW Rules
If ufw is my tool:
sudo ufw status verbose
Typical baseline rules for a web server:
sudo ufw allow ssh sudo ufw allow http sudo ufw allow https sudo ufw enable
To fix an overzealous block:
sudo ufw delete deny 22/tcp
Or to reset entirely if I truly cannot untangle it:
sudo ufw reset sudo ufw allow ssh sudo ufw allow http sudo ufw allow https sudo ufw enable
Resetting is blunt, but sometimes it is less dangerous than trying to mentally reconstruct a rule set I added piecemeal over months.
Firewalld and Zones
On CentOS/RHEL:
sudo firewall-cmd –list-all
I add rules like:
sudo firewall-cmd –permanent –add-service=http sudo firewall-cmd –permanent –add-service=https sudo firewall-cmd –permanent –add-service=ssh sudo firewall-cmd –reload
I remind myself: --permanent plus a --reload is often required, otherwise a fix appears to work, but disappears on reboot—one of those long, slow, confusing loops that look like reality glitching.
Cloud Security Groups vs OS Firewalls
A surprisingly large fraction of “VPS errors” live entirely outside the VPS. If I host on AWS, DigitalOcean, or similar, I double-check:
- Security group rules for the instance.
- Network ACLs or VPC firewalls, if present.
If the OS-level firewall looks fine, but packets are dying anyway, the cloud firewall is usually the missing piece of the mental puzzle.
Error 4: CPU Spikes, RAM Exhaustion, and the Swapping Death Spiral
Another class of errors is not strictly configuration mistakes; it is resource exhaustion. The VPS is, technically speaking, online, but in practice it is slow to the point of being functionally unavailable.
Recognizing Resource Issues
Typical signs:
- SSH login hangs for several seconds before prompt appears.
- Commands respond slowly or intermittently.
- The website alternates between working and timing out under load.
- Log files show processes being killed by the kernel.
I use:
top
or
htop
I look at:
- CPU usage: any single process stuck at 100%?
- Memory: have I hit swap heavily?
- Load average: rogue spikes relative to the number of vCPUs?
I also check disk:
df -h
If / is at 100%, almost nothing will behave predictably.
The OOM Killer and Its Cryptic Mercy
When memory runs out, the kernel’s Out-Of-Memory Killer starts terminating processes. I check:
dmesg | grep -i “killed process”
or:
journalctl -k | grep -i “killed process”
If I see my database or application server being killed repeatedly, my mental loop switches to “tuning and resizing mode.”
Mitigating Resource Overload
Strategies I use, roughly in order of disruption:
-
Identify the heaviest processes
Intop, sorted by memory or CPU, I find the worst offender. -
Restart or reconfigure the offending service
For example, if MySQL is consuming too much RAM, I review/etc/mysql/my.cnfor/etc/my.cnfand adjust buffer sizes. -
Add or resize swap (carefully)
On very low-memory VPS instances, having no swap can be fatal. To add a simple swap file:sudo fallocate -l 1G /swapfile sudo chmod 600 /swapfile sudo mkswap /swapfile sudo swapon /swapfile
Then I add to
/etc/fstab:/swapfile none swap sw 0 0
Swap is not a performance panacea, but it can prevent sudden catastrophic crashes.
-
Scale up the VPS plan
If I constantly hit limits under normal traffic, I consider increasing RAM/CPU with my provider, rather than endlessly tuning a machine that is too small by design. -
Introduce caching and rate limiting
- Configure HTTP caching (Nginx, Varnish).
- Use application-level caches (Redis, Memcached).
- Add rate limits to prevent burst traffic from overwhelming the app.
Resource Monitoring in a More Sane Way
To avoid the loop of “I notice high CPU when something breaks, and then I forget to follow up,” I try to install lightweight monitoring.
Examples:
-
atop,glances, or Netdata on the server. - Provider-level metrics and alerts (CPU > 90%, disk full, etc.).
- Simple cron job to send me
df -hsnapshots or key log excerpts when thresholds are exceeded.
This moves me from reactive “what just broke?” to semi-proactive “something is going wrong; I should fix it before it explodes.”
Error 5: DNS Problems and the Illusion of Network Failure
At least once every few months, I am convinced my VPS is down, but the actual culprit is DNS. The domain is not resolving correctly, or it is resolving to an old IP, or propagation is incomplete.
Quick DNS Sanity Checks
I use:
dig example.com dig example.com +short dig A example.com dig www.example.com
or:
nslookup example.com
I ask myself:
- Does the domain resolve to the correct IP?
- Are there multiple A records pointing to old servers?
- Is there a CNAME chain that I forgot about?
I also check reverse DNS (PTR) if email delivery is involved:
dig -x your.server.ip
Common DNS Misconfigurations
- DNS records still pointing to a staging or prior VPS.
- Missing
wwwrecord, but I only updated the bare domain. - Misaligned TTLs, so propagation is slow.
- Using a registrar’s default DNS but configuring records at a different provider.
Debugging DNS vs Firewall vs Service
I mentally separate:
- If
ping your.server.ipworks butping example.comdoes not, I suspect DNS. - If I can
curl http://your.server.ipand get content, butcurl http://example.comfails, again DNS or virtual host config in the web server.
I often test:
curl -v http://your.server.ip curl -v http://example.com
If the response from the IP works but the domain does not, I check the web server’s virtual host configuration—Nginx’s server_name or Apache’s ServerName/ServerAlias directives—to ensure the domain is correctly routed inside the server itself.
Error 6: Permissions, Ownership, and the Subtle Tyranny of chmod 777
File permissions are a quieter form of VPS error. I change something, and now uploads fail, logs are not written, processes cannot read config files. I only notice when my application silently refuses to work as expected.
Recognizing Permission-Related Symptoms
Typical signs:
-
Application logs contain “Permission denied.”
-
Web server error log contains lines like:
(13)Permission denied: access to /path denied
-
Deployment scripts fail when writing to specific directories.
Basic Ownership and Mode Checks
I frequently fall back on:
ls -l /path/to/file_or_dir
I pay attention to:
- Owner (
user:group) - Permission bits (
rwxr-xr-x, etc.)
If a web server (running as www-data, apache, or nginx) needs to read files in a directory, it must have execute permission on directories and read permission on files. For example:
sudo chown -R www-data:www-data /var/www/myapp sudo find /var/www/myapp -type d -exec chmod 755 {} ; sudo find /var/www/myapp -type f -exec chmod 644 {} ;
Never Defaulting to chmod 777
I have been tempted—more times than I like to admit—to “just make it work” with:
chmod -R 777 /var/www/myapp
It works, yes, but it is both insecure and prone to subtle future bugs, because I lose meaningful separation between different users and processes. My more disciplined approach:
- Identify which user actually needs access (e.g.,
www-data). - Set ownership properly with
chown. - Set directory permissions to 755 and file permissions to 644 for public web content, adjusting downward where appropriate.
This is slower in the moment, but it saves me from living in a permanent state of low-grade permission chaos.
Error 7: SSL/TLS Certificates That Expire While I Am Sleeping
SSL issues are like time bombs with visible countdowns that I ignore. My site works perfectly, until one day browsers start screaming about an insecure connection. The VPS did not crash; the certificate just expired.
Checking Certificate Status
I can query the certificate directly:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -subject
This prints notBefore and notAfter dates, so I know whether the certificate is expired or about to be.
Let’s Encrypt and Auto-Renewal Traps
If I use Certbot:
sudo certbot certificates sudo certbot renew –dry-run
I often discover that the cron job or systemd timer for renewal is either:
- Not installed.
- Misconfigured.
- Blocked by firewall or DNS misconfiguration.
On modern systems, I check:
systemctl list-timers | grep certbot
If there is no timer, I might need to enable it:
sudo systemctl enable certbot.timer sudo systemctl start certbot.timer
Or I create a simple cron entry:
sudo crontab -e
And add:
0 3 * * * certbot renew –quiet
Assuming Certbot is installed system-wide and in the root user’s PATH.
Mixed Content and HSTS
Even when SSL is valid, my site can appear broken because of:
- Mixed content (HTTP assets on HTTPS pages).
- Overly strict HSTS settings with invalid or misconfigured certificates.
I inspect the browser’s dev tools for mixed-content warnings and update asset URLs or reverse proxy rules accordingly. This is more of an application-level correction than a VPS-level one, but I still mentally tie it into “SSL/TLS errors” when I am diagnosing.
Building a Safer Workflow to Escape the Loop
Up to this point, I have walked through specific errors. Underneath all of them is a shared pattern: I make a change, forget I made it, rely on my vague recollection of commands, and get stuck in recursive guesswork when something goes wrong.
Principle 1: Never Edit Blindly Without a Backup
Whenever I change a critical configuration file, I create a timestamped backup first:
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak.$(date +%F-%H%M)
I do this before I touch it, not after. That way, if a midnight configuration experiment goes badly, I can revert quickly instead of trying to undo half-remembered edits.
Principle 2: Validate Before Restarting
Most major services provide a config test:
- Nginx:
nginx -t - Apache:
apachectl configtestorapache2ctl configtest - SSH:
sshd -t - PHP-FPM:
php-fpm -t(varies by distro)
I make a personal rule: if a service has a config test, I run it every single time before restarting that service.
Principle 3: Document My Changes (Even Briefly)
I keep a tiny text log on the server itself, something like /root/CHANGELOG.txt, where I note:
- Date and time.
- What I changed.
- Why I changed it.
Example:
2025-12-11 14:23 UTC
- Modified /etc/nginx/sites-available/my_site
- Switched upstream from 127.0.0.1:8000 to unix:/run/gunicorn.sock
- Added proxy_set_header X-Forwarded-Proto
It feels excessive in the moment, but when something breaks two weeks later, this file becomes a cheat sheet of my own past mischief.
Principle 4: Use Version Control for Configuration
Where possible, I store configuration files in a Git repository:
-
/etc/nginx/ -
/etc/ssh/ -
/etc/my.cnfor/etc/mysql/ - Application configs.
This allows me to:
- See differences (
git diff) between working and broken states. - Roll back to known-good commits.
- Avoid guessing which line changed.
I am careful with secrets, either excluding them from Git or using a private repo with encryption or access controls.
Principle 5: Separate Staging from Production
A lot of weird VPS behaviors arise from testing things directly on production servers. I now try to:
- Maintain a small, cheaper staging VPS that mirrors production as closely as possible.
- Test configuration changes there.
- Only then replicate on production.
This habit alone eliminates entire classes of “I changed something live and forgot to revert it” errors.
A Short, Honest Command Recap
I find it oddly calming to collect a few of the commands I most often half-remember and re-write them explicitly. This becomes my personal mini-cheat sheet.
| Purpose | Command (Skeleton) |
|---|---|
| Test SSH config | sudo sshd -t |
| Check Nginx config | sudo nginx -t |
| Check Apache config | sudo apachectl configtest or sudo apache2ctl configtest |
| List open ports | ss -tulnp |
| View service status | sudo systemctl status |
| View latest logs for a service | journalctl -u |
| Check disk space | df -h |
| Check memory / swap | free -m |
| Show processes by resource usage | top or htop |
| Show firewall (UFW) status | sudo ufw status verbose |
| Show firewalld rules | sudo firewall-cmd --list-all |
| Test DNS | dig example.com |
| Test SSL certificate | `echo |
I keep this sort of table in my own notes so I do not need to reinvent it each time a server misbehaves.
Closing the Loop Without Breaking the Server
When I am stuck on a VPS problem, it is rarely because the system is inscrutable. Usually, the problem is that I am trapped in my own habits: half-recalling commands, running them out of order, ignoring logs that make me uncomfortable, or editing configurations without a safety net.
By turning the infinite loop of half-remembered commands into a more deliberate, documented sequence of checks, I regain some control:
- Clarify the category of error: connectivity, services, or configuration/resources.
- Start with basic reachability: SSH, ping, ports.
- Use service status and logs rather than guesswork.
- Validate configurations before restarts.
- Track changes and back them up.
- Respect the firewall and DNS as first-class participants in failure.
I still forget commands. I still occasionally type something like nginx -T when I meant nginx -t and then watch a full configuration dump flood my terminal. But over time, the loop feels less like a panicked spin in my own memory and more like a predictable, even somewhat boring, process.
And on a VPS, boring is not an insult. Boring is what lets my sites stay up, my services run, and my 3 a.m. emergencies slowly shrink into routine maintenance I can handle in the light of day.