Replicable VPS: Cloud Without Fear
Control your infrastructure, pay a fixed price, rebuild in 30 minutes.
[REAL DATA]: 70% of Colombian SMBs use shared hosting at USD $5/month: the same server where 200 other sites live, none of them under your control. (DCM System estimate, 2024-2026 projects)
In this article you will:
- Understand why “the cloud gets hacked” is almost always untrue, and what actually fails
- Compare the real COP costs of each infrastructure option
- Learn the 6 hardening layers that make a VPS secure
- Find out whether the replicable VPS is right for your company
01 THE REAL PROBLEM
When a Colombian SMB owner says “the cloud is insecure,” a minute later they show you the server under the accounting desk: on 24/7, no decent UPS, no offsite backup, running Windows Server 2012 that has not been updated since 2019.
The fear makes sense. The headlines are real: ransomware that takes down hospitals, Colombian data on hacker forums. But the fear is pointed in the wrong direction.
The cloud is not insecure. A badly built cloud is. And nobody explains the middle ground well: the replicable VPS. Secure, sovereign, predictable in cost, and under your control.
THINK OF IT THIS WAY
Shared hosting is like living in an apartment building where the neighbor in 302 left the door open: the thief gets in through them and can reach you. The replicable VPS is your own apartment, with your own lock, where you decide who gets a key.
| Before | The cost | After |
| --- | --- | --- |
| Server under the desk | Power, UPS, failures, sysadmin time | VPS in a datacenter, $180k–$600k/month flat |
| Shared hosting at $30k | The first incident: lost data, no forensics | VPS with 6 hardening layers, full control |
02 WHY IT HAPPENS
The massive leaks that make the news are almost never a failure of AWS or Azure. They are configuration errors on top of them:
- S3 buckets made public by mistake: open permissions, data downloadable by anyone
- Access keys hardcoded in GitHub: bots find them in seconds and spin up crypto-miners that bill USD $50,000 in one night
- Databases exposed without a password: “it was only temporary”
- Unencrypted backups in the same account: ransomware gets in and encrypts everything, backups included
None of those errors is the cloud's fault. They happen just the same on physical servers, and they happen more often there, because nobody monitors them.
The market offers two extremes that do not work for most businesses: enterprise AWS at COP $3M–$15M a month, or shared hosting at $30k–$100k with no real control. The replicable VPS lives in the middle ground nobody sells you: $180k–$600k, with full control and predictable cost.
03 THE SOLUTION
A replicable VPS is a dedicated virtual server where you have root, see the logs, apply the patches, and define the rules. The key word is replicable: all configuration lives as code, the data is backed up encrypted at a second provider, and if something fails, you rebuild in another datacenter in 15–30 minutes.
Comparison with real numbers (monthly COP, 2026 prices):
| Option | Cost/month | Control | Scalability | Sovereignty |
| --- | --- | --- | --- | --- |
| Shared hosting | $30k – $100k | None | Very low | None |
| Basic AWS/Azure | $800k – $2,000k | Medium | High | Medium |
| Enterprise AWS | $3,000k – $15,000k | High (if you know how) | Full | High |
| Replicable VPS (DCM) | $180k – $600k | Full | High | Full |
| Physical server in the office | $200k – $500k* | Full | Zero | Full |
*Does not include electricity, UPS, cooling, hardware failures, or the “invisible cost” that if the power goes out for three days, the business stops.
A machine with 4 vCPU, 8 GB RAM, 160 GB SSD costs between $60k and $180k/month depending on the provider. That is not the $30k of cheap hosting, but it is light-years from the $3M of enterprise, and it comes with full control that enterprise does not give you either if you do not configure it well.
What matters most: if the provider starts misbehaving tomorrow, you bring everything up at another provider in half an hour. That property is what frees you from toxic dependence on a single vendor.
04 HOW TO IMPLEMENT IT
The hardening stack we deploy by default for every client. It is not magic, it is discipline:
Layer 1 — Access
- SSH with cryptographic keys only (passwords disabled)
- SSH port changed from 22 (cuts bot noise by 99%)
- fail2ban: bans IPs after 3 failed attempts
- Administrative access only over VPN (Wireguard or Tailscale): the panel is never exposed to the internet
Layer 2 — Network
- Firewall (ufw / nftables) with a default-deny policy
- HTTPS with Let’s Encrypt on everything public, auto-renewal every 60 days
- Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- Database separated from the web layer: it never talks directly to the internet
Layer 3 — Application
- Automatic security updates (unattended-upgrades on Debian/Ubuntu)
- Docker containers: if one service is compromised, it does not touch the others
- Secrets in environment variables or a local vault, never in the code
Layer 4 — Data (3-2-1 policy)
- Daily automated backups with borg or restic, encrypted on the client before leaving the server
- Backups at a second, geographically separate provider (VPS in Bogotá → backups at Hetzner Germany or Backblaze US)
- 3 copies, on 2 media, 1 offsite
- Automated monthly restore tests: a backup you never tested is not a backup
Layer 5 — Monitoring
- External uptime monitoring (UptimeRobot, Better Stack)
- Automatic alerts to Telegram or email when something goes down, the disk fills up, or there is a suspicious intrusion
- Auditable security logs: who got in, when, what they did
Layer 6 — Infrastructure as code
- All configuration in Ansible or Terraform, versioned in git
- If the server is damaged: new machine, run the playbook, restore the backup. 30 minutes and you are operating
- Zero dependency on “what’s in the sysadmin’s head”
05 IS IT FOR YOU?
Yes, if your company:
- ✅ Handles sensitive data with legal obligations (clinics, law firms, fintech, logistics; Ley 1581 on habeas data)
- ✅ Has its own application with a backend (customer portal, mobile app, internal system) and needs a server that is its own
- ✅ Has an IT budget between COP $500k and $2M a month for infrastructure
No, if:
- ❌ Your load has totally unpredictable traffic spikes (e-commerce on Black Friday at 10x): you need real auto-scaling in the cloud
- ❌ You have no in-house technical knowledge and will not hire anyone to manage it: a VPS needs maintenance; if nobody is going to look after it, stay on managed hosting
Frequently asked questions
What happens if the VPS provider goes bankrupt or fails me?
With infrastructure as code and encrypted backups at a second provider, you bring everything up in another datacenter in 30 minutes. That is exactly the “replicable” property: the configuration does not live only on one server, it lives in git.
Do I have to know Linux for this?
To manage it alone, yes. But you can hire someone to manage it (we do that). The point is that someone looks after it, rather than it being abandoned like the server under the desk.
Where does the data live? Can it stay in Colombia?
Yes. If your sector requires it (healthcare, legal, financial), you pay for a VPS in a datacenter in Bogotá. If you need more performance, Miami. Switching is a script.
Immediate action: Look at your current hosting bill and work out what data you have there that you cannot afford to lose. If you cannot answer “where are the backups and when did you last restore them?”, that is your #1 problem, ahead of any migration.
Want help? → Talk to DCM: we have spent 12 years building this infrastructure for clients in Colombia.
There’s a phrase we hear constantly from SMB owners in Colombia when they ask about infrastructure: “No, I don’t want anything in the cloud, that’s too insecure.” And a minute later, the same person shows us the server sitting under the accountant’s desk, running 24/7, without a decent UPS, no offsite backup, running Windows Server 2012 that hasn’t been updated since 2019.
We understand the fear. Really. It’s based on real headlines: massive breaches, ransomware taking down hospitals, Latin American data showing up on hacker forums. The fear makes sense. But it’s pointed in the wrong direction.
The cloud isn’t insecure. A poorly configured cloud is. And here’s the point almost nobody explains well: you also don’t have to choose between enterprise AWS at USD $2,000 a month and shared hosting at $5 a month. That false dilemma is why most Latin American SMBs end up with infrastructure that doesn’t serve them for either use case.
This article is about the middle ground that few people talk about and that we use with our clients: the replicable VPS. Secure, sovereign, predictable-cost, and —most importantly— something you actually control.
First, the truth about why the cloud “gets hacked”
When you see a headline saying “AWS was hacked,” it’s almost never true. AWS, Azure, and Google Cloud don’t get hacked. What gets hacked is somebody’s configuration on top of them. The distinction matters.
The massive breaches you see in the news are almost always the same things:
- Public S3 buckets by mistake — the developer left permissions open and anyone on the internet could download the data
- Access keys hardcoded in GitHub repos — a bot found them in seconds and spun up a crypto-miner that racked up a $50,000 bill overnight
- Databases exposed to the internet without a password — because “it was just temporary”
- Unencrypted backups living in the same account as the main system — ransomware enters, encrypts everything, including the backups
None of this is “the cloud’s fault.” These are human configuration errors, and they can happen just as easily on a physical server in your office. In fact, they happen more on physical servers, because nobody is monitoring them.
The right question isn’t “cloud or not?” It’s “who’s configuring this, and how seriously are they taking it?”
The false dilemma: “expensive and secure” vs “cheap and insecure”
The infrastructure market for Latin American SMBs is basically split into two extremes, and both are wrong for most businesses.
Extreme 1 — Enterprise AWS/Azure
It works. It’s secure if configured correctly. It’s also 4 to 10 times more expensive than what most SMBs actually need. We’re talking about monthly bills from USD $800 to $4,000 for workloads that could run comfortably on a machine costing $50.
The real problem isn’t the base price —it’s the billing model. AWS charges you for egress bandwidth, for DNS lookups, for S3 requests, for every GB you move between services, for every hour a resource exists whether you use it or not. An SMB doesn’t have a dedicated engineer watching that bill. We’ve seen companies whose bills doubled for no apparent reason because someone left a log-level at “debug” for three months.
Extreme 2 — Cheap shared hosting
USD $3 to $15 per month. It’s what 70% of SMBs use. And it’s where the ugly things happen.
On shared hosting, your site lives on the same physical machine as 200 other sites. If any one of those 200 has a vulnerability —an outdated WordPress, a malicious plugin, an admin panel with “admin/admin”— an attacker can pivot between accounts and reach you. Plus you don’t have real server access: you can’t audit what’s running, you can’t install the security tools you want, you can’t see full logs. When something breaks, you email the provider and wait for a technician on the other side of the continent to get back to you whenever they can.
The result: it’s not “cheap.” It’s cheap until something happens, and when it does, you have no control, no independent backups, no forensic capability, and often you don’t even find out.
The third option nobody sells you: the replicable VPS
A VPS (Virtual Private Server) is a dedicated virtual server. You don’t share it with anyone else. You have root. You decide what runs on it. You see the logs. You apply the patches.
The key word is replicable: it’s not a server you built by hand and pray doesn’t go down. It’s a server you can rebuild from scratch, at another provider, in another city, in another country, in a matter of minutes —because its entire configuration is defined as code and all its data is backed up automatically and encrypted.
That changes everything:
- Full data sovereignty: you decide where your data physically lives. If you need data to stay in Colombia for regulatory reasons (healthcare, legal, finance), you pay for a VPS in a Bogotá datacenter. If you need better performance, you move to one in Miami. Switching is a matter of running a script.
- Predictable cost: good VPS providers charge a flat monthly fee. No surprise charges. A machine with 4 vCPU, 8 GB of RAM, 160 GB SSD costs between USD $20 and $60 per month depending on the provider. That’s not shared-hosting cheap, but it’s light-years from enterprise AWS.
- Real control: you define the firewall rules, you decide which ports are open, you run whatever security scans you want, you install whatever intrusion detection system you prefer.
- Rebuild in minutes: if something breaks or a provider starts misbehaving, with configuration-as-code and encrypted backups, you spin up the whole system at another provider in 15-30 minutes. This property is gold: it’s what frees you from toxic vendor lock-in.
What it really costs — comparison with real numbers
For an average SMB with a web app + database + backups + email + admin panel, here’s what each option costs per month (USD, 2026 prices):
| Option | Cost/month | Control | Scalability | Sovereignty |
| --- | --- | --- | --- | --- |
| Shared hosting | $5 – $20 | None | Very low | None |
| Basic AWS/Azure | $180 – $500 | Medium | High | Medium |
| Enterprise AWS | $800 – $4,000 | High (if you know) | Full | High |
| Replicable VPS (DCM) | $40 – $150 | Full | High | Full |
| On-premise server | $50 – $130* | Full | Zero | Full |
*Doesn’t include the real cost: electricity, UPS, cooling, noise, space, hardware failures, and the “invisible cost” that if power goes out for three days, the business stops.
The table isn’t theory. These are the ranges we see in real projects with clients across Latin America.
The hardening stack: what makes a cloud “secure”
This is what actually separates a secure VPS from one that’ll get hacked in its first week. It’s not magic, it’s discipline. And it’s exactly what we deploy by default for every client.
Layer 1 — Access
- SSH with cryptographic keys only (passwords completely disabled)
- SSH port changed from default 22 (not real security, but it cuts bot noise by 99%)
- fail2ban banning IPs after 3 failed attempts
- Admin access only over VPN (Wireguard or Tailscale) —admin panels are never exposed to the public internet
Layer 2 — Network
- Firewall (ufw or nftables) with deny-by-default: only what explicitly needs to be open is open
- HTTPS with Let’s Encrypt on everything internet-facing, auto-renewed every 60 days
- HSTS, security headers (CSP, X-Frame-Options, X-Content-Type-Options) configured in the web server
- Network segmentation between the web layer and the database layer —the DB never talks directly to the internet
Layer 3 — Application
- Automatic security updates (unattended-upgrades on Debian/Ubuntu)
- Docker containers for isolation —if one service is compromised, it doesn’t touch the others
- Secrets out of the codebase, in environment variables or a local vault
- Centralized logs with automatic rotation so you can do forensics if something happens
Layer 4 — Data
- Daily automated backups with borg or restic, encrypted on the client before leaving the server
- Backups stored at a second provider, geographically separated (if the VPS is in Bogotá, backups go to Hetzner Germany or Backblaze US)
- 3-2-1 policy: 3 copies of the data, on 2 different media, 1 offsite
- Automated monthly restore tests —a backup you never tested isn’t a backup
Layer 5 — Monitoring
- External uptime monitoring (UptimeRobot, Better Stack)
- Automatic alerts to Telegram or email when something goes down, disk fills up, or there are suspicious intrusion attempts
- Auditable security logs —you can see who got in, when, what they did
Layer 6 — Infrastructure as code
- Every server configuration in Ansible or Terraform, versioned in git
- If tomorrow the server dies or the provider fails, you spin up a new machine, run the playbook, restore the backup, and in 30 minutes you’re operating again
- Zero dependency on “what’s in the sysadmin’s head”
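The Layer 1 SSH settings can be checked mechanically. The following is an added example, not DCM's tooling: it audits sshd_config text against "keys only, port moved off 22", applying sshd's rule that the first value read for a keyword wins and flagging Match blocks that turn passwords back on. The sample configs and port 2222 are constructed, and Include files are not resolved.

```python
import re

# Upstream OpenSSH defaults, used when the config never sets the keyword.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Older configs use this name for keyboard-interactive authentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_PATHS = ("passwordauthentication", "kbdinteractiveauthentication")


def parse_sshd_config(text):
    """Return (global settings, ports, Match-block overrides).

    sshd keeps the FIRST value it reads for a keyword, so a later
    'PasswordAuthentication no' does not undo an earlier 'yes'.
    Include files are not resolved here (assumption: pass their text inline).
    """
    settings, ports, overrides, match = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value
        elif match is not None:
            overrides.append((match, key, value.lower()))
        elif key == "port":
            ports.append(value)          # Port may be repeated; sshd listens on all
        else:
            settings.setdefault(key, value.lower())
    return settings, ports or ["22"], overrides


def audit(text):
    """List deviations from the page's Layer 1 baseline."""
    settings, ports, overrides = parse_sshd_config(text)
    eff = {**DEFAULTS, **settings}
    findings = [f"{k} is not 'no': password login possible"
                for k in PASSWORD_PATHS if eff[k] != "no"]
    if eff["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is not 'yes': key login disabled")
    if "22" in ports:
        findings.append("sshd still listens on port 22")
    findings += [f"Match {cond} re-enables {k}"
                 for cond, k, v in overrides if k in PASSWORD_PATHS and v == "yes"]
    return findings


# Constructed samples, not taken from any real server.
WEAK = """PasswordAuthentication yes
Port 22
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
HARDENED = """Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "meets the Layer 1 baseline")
```
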
This entire stack can be deployed in a weekend if you know what you’re doing. The problem isn’t technical complexity. It’s the discipline to implement and maintain it.
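The Layer 4 restore test needs a pass/fail criterion. The following is an added example, not DCM's tooling: it records a SHA-256 manifest when the backup is taken and compares it with what a restore into a scratch directory produced, failing on missing files, changed files and an empty manifest. The borg or restic restore step itself is assumed to have run already, and the file names and contents are constructed.

```python
import hashlib
import os
import tempfile


def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def verify_restore(recorded, restored_root):
    """Compare the manifest recorded at backup time with a restored tree."""
    restored = manifest(restored_root)
    missing = sorted(set(recorded) - set(restored))
    changed = sorted(p for p in recorded
                     if p in restored and restored[p] != recorded[p])
    # An empty manifest means nothing was protected: treat it as a failure.
    ok = bool(recorded) and not missing and not changed
    return {"ok": ok, "missing": missing, "changed": changed}


def demo():
    """Constructed data: a live tree, a good restore and a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, good, bad = (os.path.join(tmp, d) for d in ("live", "good", "bad"))
        files = {"db/dump.sql": b"INSERT 1;\n", "uploads/a.txt": b"hello\n"}
        for root in (live, good, bad):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        os.remove(os.path.join(bad, "uploads/a.txt"))      # file lost in restore
        with open(os.path.join(bad, "db/dump.sql"), "wb") as fh:
            fh.write(b"")                                  # truncated dump
        recorded = manifest(live)                          # taken at backup time
        return (verify_restore(recorded, good),
                verify_restore(recorded, bad),
                verify_restore({}, good))


if __name__ == "__main__":
    for result in demo():
        print(result)
```
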
Who IS the replicable VPS for
This infrastructure is ideal if you’re:
- An SMB with sensitive data: clinics, law firms, accounting firms, logistics companies, small fintechs. Customer data that can’t leak, regulations like data protection laws that force you to have real controls.
- A company with its own application: if you developed an internal system, a customer portal, a mobile app with a backend, you need a place where it lives that’s actually yours, not half-rented.
- A business with a medium IT budget: between USD $200 and $800 per month for infrastructure. This is the zone where the replicable VPS is unbeatable.
- Anyone who’s been burned: a ransomware attack that took you down for three days, a hosting provider that disappeared your data, a breach you couldn’t explain to your clients. Once you live through it, you understand the value of being in control.
Who it’s NOT for
To be honest, it’s not for everyone:
- Massive workloads with unpredictable traffic (social networks, e-commerce with 10x Black Friday peaks): go with a real auto-scaling cloud.
- Companies with zero technical knowledge and no partner to manage it: a VPS needs someone maintaining it. If you’re not going to take care of it and don’t have anyone to hire for that, stay on managed hosting.
- Experimental “let’s see what happens” projects: for MVPs and prototypes, managed platforms (Vercel, Netlify, Railway) are faster. When the business validates the idea, that’s when you move to the VPS.
The point nobody’s willing to make
Most Latin American companies we know have one of two infrastructures: an old server plugged in at the office, or $5/month shared hosting. Both are bad. Both are equally insecure, just in different ways. And both cost more in the long run than a well-deployed replicable VPS.
The “cloud is insecure” conversation almost always hides a deeper one: “I don’t know how it works, I don’t know who to trust, and I’m scared of losing control”. That’s a completely valid concern. The correct answer isn’t staying with the server under the desk. It’s finding someone who does know, building the infrastructure in a replicable way, and regaining control.
At DCM we’ve spent 12 years doing exactly this for clients across Latin America. The hardening stack described above isn’t theory —it’s what runs in production every day. If your company is trapped between the fear of the cloud and the cost of doing things right, there’s a middle ground, and it works.
Real security isn’t expensive. Ignoring it is.