Using Claude Code on your VPS, safely
What this is
Claude Code is Anthropic's AI agent that lives in a terminal: you tell it what you want in plain language, and it proposes and runs the commands, reads the output, and iterates, with you approving each action. On a VPS that makes it something like a junior sysadmin who never sleeps: excellent at diagnosis and legwork, and in need of exactly the supervision the title promises. This page covers both halves, the setup and the leash.
The general "AI as server helper" picture (chatbots included) is in our support scope guide; this is the hands-on version for the agent tier.
Installing it on the VPS
Run it as your everyday sudo user, not root; that's the first safety decision, made before anything else (an approved command then runs with your user's power, and escalates through sudo only when genuinely needed and visible):
curl -fsSL https://claude.ai/install.sh | bash
(Alternative, if you prefer npm and have Node installed: npm install -g @anthropic-ai/claude-code.) Then start it with claude and sign in when prompted; you'll need an Anthropic account (a paid plan, or an API key).
Two practical notes for server use: launch it inside tmux so a dropped SSH connection doesn't kill a session mid-task, and start it in a sensible working directory (your project or /etc service configs it should see); it works relative to where you launch it.
What it's genuinely good at on a server
- Diagnosis without the copy-paste loop: ask "why is the site slow?" and it runs the checks itself (htop, ss, df, the logs) and interprets the results in context.
- Configuration legwork: writing an nginx vhost, a systemd unit or timer, a restic backup script, a fail2ban jail, and explaining each line if you ask.
- Walking a multi-step job: a migration, a certificate mess, a permissions cleanup, work where the value is doing twenty small steps in the right order without losing the thread.
The control rules
This is the part that matters. An agent on a live server is power steering, not autopilot:
- Never give it unlimited power. Claude Code asks permission before each action by default; that prompt is the entire safety model, so keep it. It has a flag to skip permissions entirely; that flag has no business on a live server, full stop.
- Review every command before approving, and understand it. If you don't recognize a command or a flag, ask it to explain what it does and what could go wrong before you approve; it answers honestly and in detail, and the thirty seconds is the whole discipline.
- Be doubly suspicious of anything destructive: rm, dd, mkfs, DROP, truncate, package removals, anything touching /var/lib/mysql or other data directories, or edits to SSH and firewall config (the lockout classics). Approve those only when you'd have been willing to type them yourself.
- Backups current before big sessions. The same rule as for any tool with write access: agents make mistakes confidently, and a restore point converts a disaster into an anecdote.
- Stay present. One task per session, watch it work, and don't leave it grinding unattended on a machine that matters.
- Mind the secrets. It reads files to do its job, and config files contain credentials; that's usually fine, but it's a thing to be conscious of, not surprised by.
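A review aid for the "doubly suspicious" rule, added here as an example and not part of Claude Code: paste the command from an approval prompt into flag_command and it prints which of the categories above the command touches. The function name, the category labels and the /var/lib/postgresql entry are assumptions; an empty result never means a command is safe.

```shell
#!/bin/sh
# Added example: label a proposed command with the risk categories
# from the control rules. Labels are hypothetical names for illustration.
flag_command() {
    cmd="$1"; out=""
    # has: case-insensitive extended-regex match against the command text.
    has() { printf '%s\n' "$cmd" | grep -Eiq -- "$1"; }
    # add: append a label to the comma-separated result.
    add() { out="${out:+$out,}$1"; }
    # A command word starts the line or follows whitespace or a shell separator,
    # so "sudo rm" and "x; rm" match but "docker run --rm" does not.
    w='(^|[[:space:];|&(])'
    has "${w}(rm|dd|truncate|mkfs(\.[a-z0-9]+)?)([[:space:]]|\$)" && add destructive
    has '(drop|truncate)[[:space:]]+(table|database)' && add sql
    has "${w}(apt|apt-get|dnf|yum)[[:space:]].*(remove|purge|autoremove|erase)" && add package-removal
    # /var/lib/postgresql stands in for "other data directories" (assumption).
    has '/var/lib/(mysql|postgresql)' && add data-dir
    has '/etc/ssh/|sshd_config|authorized_keys' && add ssh-lockout
    has "${w}(ufw|iptables|nft|firewall-cmd)([[:space:]]|\$)" && add firewall-lockout
    printf '%s\n' "$out"
}
```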
Give it standing orders: CLAUDE.md
Claude Code reads a CLAUDE.md file in the working directory (and ~/.claude/CLAUDE.md globally) as persistent instructions, so write the safety rules down once and every future session starts with them. Run /init inside a session to scaffold it, then make sure it contains something like:
# Server rules
- This is a LIVE PRODUCTION server. Real users depend on it.
- NEVER run destructive commands (rm, dd, mkfs, DROP/TRUNCATE, package
  removal, overwriting configs) without explicitly asking first and
  receiving my confirmation, even if the task seems to require it.
- Explain what a command does and its risks BEFORE proposing to run it.
- Prefer read-only diagnostics first; change things only after diagnosis.
- Never modify SSH or firewall configuration without warning me that
  lockout is possible and telling me the recovery path.
- Never touch database data directories directly; databases are dumped,
  not file-copied.
- Before any risky change, check that a current backup exists and say so.
Adapt it to your setup (name your critical paths and services); the point is that "this machine is live and you ask before breaking things" is written policy, not something you re-explain every session.
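A pre-session check that ties the page's rules together, added here as an example and not shipped with Claude Code: it verifies you are not root, are inside tmux, have a CLAUDE.md carrying the live-server rule, and have a recent backup. The function names, the BACKUP_STAMP path (a file your backup job would touch on success) and the 24-hour limit are assumptions.

```shell
#!/bin/sh
# Added example: pre-session checks for the rules on this page.
# BACKUP_STAMP is a hypothetical file your backup job touches on success.
BACKUP_STAMP="${BACKUP_STAMP:-/var/backups/.last-success}"
MAX_BACKUP_AGE_H="${MAX_BACKUP_AGE_H:-24}"

# Pass when the given uid (default: the caller's) is not root.
check_not_root() {
    uid="${1:-$(id -u)}"
    [ "$uid" -ne 0 ]
}

# Pass inside tmux, which sets $TMUX for its panes.
check_tmux() { [ -n "${TMUX:-}" ]; }

# Pass when CLAUDE.md in the given directory or ~/.claude states the server is live.
check_claude_md() {
    for f in "${1:-.}/CLAUDE.md" "$HOME/.claude/CLAUDE.md"; do
        [ -f "$f" ] && grep -qi 'LIVE PRODUCTION' "$f" && return 0
    done
    return 1
}

# Pass when the stamp file exists and was modified within the age limit.
check_backup_fresh() {
    stamp="${1:-$BACKUP_STAMP}"
    [ -f "$stamp" ] || return 1
    [ -n "$(find "$stamp" -mmin "-$((MAX_BACKUP_AGE_H * 60))")" ]
}

# Run every check, report each failure, and return non-zero if any failed.
preflight() {
    rc=0
    check_not_root || { echo "FAIL: running as root; use your sudo user"; rc=1; }
    check_tmux || { echo "FAIL: not inside tmux"; rc=1; }
    check_claude_md "$PWD" || { echo "FAIL: no CLAUDE.md with live-server rules"; rc=1; }
    check_backup_fresh || { echo "FAIL: no backup within ${MAX_BACKUP_AGE_H}h"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: start claude"
    return "$rc"
}

# Runs the checks when invoked with --run from the directory you will launch in.
if [ "${1:-}" = "--run" ]; then preflight; fi
```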
When not to use it
Two situations where the right tool is this knowledge base and your own hands: a database that won't start (the safe order of operations forbids experimentation, and an eager agent loves to experiment), and a compromised server, where the box itself can't be trusted, agent included, and the answer is the rebuild routine, not cleverness.
Still need help?
You can open a support ticket. So we can help on the first reply, it's worth mentioning:
- the VPS hostname or IP,
- where the setup stops (install, sign-in, or the first session), with the exact message.
Related questions
- "Can I install Claude Code on my VPS?"
- "Is it safe to let an AI agent manage my server?"
- "How do I stop an AI agent from running dangerous commands?"
- "What should I put in CLAUDE.md for a production server?"
- "Should the agent run as root?"
- "What is Claude Code good at on a Linux server?"