Many hosts provide KVM over IP with their default dedicated server packages. It also isn't exceptionally rare to have two servers at a data center with one hooked up to the other on a LAN, some websites have dedicated database servers that have no reason to be directly connected to the internet. A quick google search reveals this host, although there are several others like them: http://www.svwh.net/kvmoverip.php So they have two standard packages, one includes KVM over IP for dedicated servers, and the other includes a server on their LAN to be used as a database server that is not connected to the internet (of course you don't need to actually use it as a database server). So that right there is exactly what you need pretty much, although I am not sure how to configure the KVM to be accessed as a hidden service I am pretty sure it can indeed be done. Pretty much the only advantage I see to doing colocation is that you can set the chassis intrusion detection system yourself, and also you can be sure that everything is how you think it is from the get go instead of having to have any initial trust in the hosting provider. However KVM significantly reduces how much you need to trust the host, since you can remotely install the entire OS yourself etc etc. Don't get me wrong, there are some clear cut benefits to doing colocation or even running the hardware in your own house, but I just do not think those benefits outweigh the major advantages of using a server that has no way of being tied to your real identity even if it is totally compromised. Having the server registered with fake info and unlinkable to you is a last line of defense that I personally would not feel comfortable without. Also it doesn't look like this host offers chassis intrusion detection, but plenty do. You need to keep in mind that legitimate corporations use servers in data centers, and sometimes they have quite valuable information in the data center. There are many non-criminal reasons for wanting your server to immediately encrypt all of its persistent data / wipe its RAM if the case is breached without authorization...and thus the service is provided by plenty of hosts. The thing is though you sort of need to trust that they have properly configured things in the first place if you do not use colocation and configure it yourself, but another thing to keep in mind is that if the hosting provider is legitimate there is a high chance they are going to have things configured properly simply because they will expect that you are running a legitimate business, not a criminal website that they may someday want to assist law enforcement in attacking.