Securing Your Unmanaged VPS - VPS Provider Threats and Mitigations


emgemg Veteran
edited September 2013 in General

For a long time, I have been thinking about the trust relationship between the VPS customer and the VPS provider. In theory, the VPS provider has access to everything - the files on the virtual disk that the VPS boots from and uses, the RAM where temporary data are stored, the CPU, and the network.

Obviously, the VPS customer must trust the VPS provider not to peek. I have been thinking for a long time about the problem of how best to secure a VPS from outsider threats, including the VPS provider.

A related thread started recently. I don't want to hijack it, because it is somewhat off-topic from my interests, but it does get the ball rolling. You can read it here:
http://lowendtalk.com/discussion/13231/encryption-isn-t-secure-anymore

I would like to use THIS thread to discuss tools and techniques to best secure a customer VPS from the hosting provider, and learn what tools are available to the hosting provider to counter those mitigations.

Has anyone successfully encrypted their customer VPS drive using LVM, TrueCrypt, or PGP WDE? If so, how do they manage password entry when rebooting the VPS?

I am a relatively inexperienced VPS end user. I have no specific concerns, only a desire to gain a better understanding of various complex security issues. Here is a hypothetical scenario to get the ball rolling:

Hypothetical scenario:
I invented the next big idea (tm) in stock market trading and implemented it on my VPS. Sensitive files on my VPS are encrypted. (I may be using whole disk encryption on a KVM or Xen HVM VPS, for example.)

Threat:
My VPS hosting provider wants to steal the stock market trading secrets from my running VPS. They may have tried to copy the VPS image or examine the contents of the disk itself, but without success, because the sensitive information is encrypted. They may have tried to sniff my network traffic, but it is encrypted.

Questions:
What tools exist to examine a running VPS?
Can a hosting provider easily examine RAM memory from a running VPS to identify and extract encryption keys?
Can a hosting provider gain easy access to plaintext network I/O?
Can a hosting provider gain easy access to plaintext disk I/O?

(The questions above address the obvious and relatively easy attacks on my VPS. I realize that there are subtle threats that I am deliberately ignoring, such as traffic analysis, timing attacks, or attacks on systems that connect to the VPS.)

Comments

  • Has anyone installed a Linux distro on their VPS and enabled LVM (full disk encryption) during the installation? (I am thinking about trying it on a KVM VPS.) Did (would?) the VPS provider object to the CPU and disk I/O consumption at installation time, while the virtual drive is being encrypted?

    After installation, how do you secure password entry at boot time?

  • Tsume Member
    edited September 2013

    I've probably said this before, but what makes you or any single person so special as to make their provider choose them specifically out of probably hundreds of customers?

    But to answer a few of your questions. If you're running on openvz it's as easy as browsing to the directory. KVM and otherwise, it's not as easy, but still very possible. It's also possible to look at the contents of a dedicated server if they really wanted to. Encryption would probably be the best choice.

    But I think people are simply being paranoid for no real reason. Because to put it plain and simple, you are a nobody in the grand scheme of things. If you had stock market trade secrets your "sensitive" information wouldn't be on a VPS in the first place. It would be on a dedicated server. Probably owned by you and colocated nearby.

  • rm_ IPv6 Advocate, Veteran
    edited September 2013

    There's also this thread: http://lowendtalk.com/discussion/13215/quick-rookie-q-are-vps-s-inherently-insecure-relative-to-dedicated-servers/p1

    Short summary: if you care about privacy of your data, don't use a f--king VPS in the first place.

    You probably spent much more time even typing all of this out (and perhaps even more thinking about it); if you converted that to billable hours, you could already easily afford some 8-12 EUR/mo dedicated server.

  • DomainBop Member
    edited September 2013

    I've probably said this before, but what makes you or any single person so special as to make their provider choose them specifically out of probably hundreds of customers?

    To reverse that question, why should customers trust your hosting service not to look at their files when the host they're using isn't a registered business, there's no LinkedIn profile for the owner so customers can know who they're dealing with (the lack of a LinkedIn profile usually means, to use your own words, they're dealing with "a nobody in the grand scheme of things"), and the WHOIS lists the business address as a cheap residential home?

    I think people have a legitimate reason "to be paranoid" when dealing with some hosts when there is little verifiable info about the host and the hosting "company" is not a registered legal entity (and the host is renting "throwaway" servers at some cheap datacenter).

    Of course the best solution (other than renting a dedicated server) is to do your research before signing up with any host and avoid those hosts whose info can't be verified...it won't guarantee the security of your data but it will decrease the risks involved. :)

  • Please - Let us keep this thread on target. It is not about whether we are paranoid or not, or whether we trust the VPS hosting provider or not. This is a security engineering discussion about the tools and techniques to secure VPSs:

    What tools are available for the VPS customer to secure their VPS from the hosting provider? What threats remain after those tools are implemented? What tools are available for the VPS provider to analyze a well-secured VPS? What counter-measures can a VPS customer use to mitigate or at least detect these attacks?

    I agree that a dedicated server is more secure than a VPS, and I am willing to include a discussion of related threats in this thread. (Example questions: How do you securely enter the decryption key from a remote location when you boot a dedicated server that uses full disk encryption? What type of physical attacks are available to the hosting facility to extract keys and data from your running dedicated server?) Dedicated servers are much more difficult to attack, yes, but not impossible.

    To repeat myself, I get it that VPSs are less secure than dedicated servers, which are less secure than a laptop physically in my possession. I am interested in learning tools and techniques to secure VPSs from hosting providers (and the residual risks involved), and techniques that hosting providers may use to gain access to VPSs and methods to detect them.

    This is a security engineering discussion. As far as I can tell, there is very little published research in this area, and I suspect that not much research has been done on this topic in the public space.

  • Master_Bo Member
    edited September 2013

    You must trust your system administrator. Whatever techniques you use, it's always possible to gain access to protected data.

    It's possible to analyze every aspect of a VM - RAM, disk, etc.

    It's still possible to store/transmit data over insecure media, but when it comes to decoding it, there's always a possibility of unauthorized access. The only question is whether it's worth the effort required to gain access.

    There are special OS distributions such as Astra Linux, where extra measures are taken to ensure data (in RAM/on disk) are destroyed as soon as possible when they are not assumed to stay available. But regardless of measures, if there's physical/administrative access to the server, there's no way to guarantee data won't be accessed by those not expected to.

  • emgemg Veteran
    edited September 2013

    @Master_Bo said:
    You must trust your system administrator. Whatever techniques you use, it's always possible to gain access to protected data.
    ...
    It's possible to analyze every aspect of VM - RAM, disk, etc.

    Let's assume that what you say is a given. Let us also assume that the hard drive is strongly encrypted.

    • If the VPS is shut down, then it is safe, provided that the administrator does not have a recording of previous activity.

    • If the VPS is running, then the encryption key(s) are in RAM, and potentially exposed, along with whatever processing and network operations are going on.

    Question: What real-world tools are available to administrators to analyze a running VPS?

    I have found a few open source and private tools (mostly expensive forensics tools) to capture running systems, including Linux systems, but none of them seem to anticipate the additional complexity of VPS hosting - a system-within-a-system, in other words, the running VPS.

    Do tools exist for VPS administrators to logon to the host node and capture RAM snapshots from a specific VPS, divert plaintext network streams (after inbound decryption or before outbound encryption), or otherwise control a running VPS?

  • Maybe Metasploit and another memory sniffer from the hacker tools can be used for it.

  • VPSSimon Member
    edited September 2013

    Out of experience, I'd say the biggest risk to data encryption is not backing up that exact encrypted data in multiple sources, 'cos the likelihood of something corrupting and being undecryptable is high, meaning you lose a lot of sensitive files.

    I know that's true for me. My work PC is encrypted with three levels of encryption; when I had power issues during the decryption boot-up sequence it broke the boot loader. Replaced that and then the data was fried - only solution = format for me :(

    VPS-wise though, encrypting data would be meaningless unless you're also encrypting traffic in and out of the VPS, otherwise it's still monitorable. Although I love the tin hat people who assume a VPS company will 1) stake their rep and 2) waste time fiddling through a customer's VPS. If you had top secret security papers or tools on it which you're scared people would want, you wouldn't be putting it on a VPS, you'd be hosting on a dedi at home. 99% of VPS users are those who can't afford dedicated servers or can't go to the monthly expense of such a thing, or purely for ease of backups on a VPS compared to a dedi; but there is no one using a VPS to hide top secret data. It's just tin hat kids who are paranoid (OMG my host will look at my VPS). Why would you be singled out, out of hundreds of VPSes if not thousands for most providers?

    p.s. take your tin hats off and relax. OK, granted, you go to a provider who has such a bad rep they have 10-20 VPSes max, then yeah OK they have time to go hunting through 'em all, what for dunno, but if it's a provider which has got an OK rep they won't spoil that by breaching a VPS. Just stay away from really bad hosts such as those using unlicensed WHMCS or other panels.

  • @emg said:
    Question: What real-world tools are available to administrators to analyze a running VPS?

    I can't name any advanced tools that could do such smart RAM sniffing as to beat whatever security precautions are used (RAM encryption; making the OS use arbitrary memory regions for kernel/modules; cleaning RAM with garbage once it's of no use, etc.).

    The mere fact that the host has full control over guest resources makes creating a proper forensics/spying tool only a matter of time.

    So the correct question is how much time would it need to break your defense lines to get all the data.

    Storing and reliably hiding important data over insecure media isn't much of a problem. Decrypting without giving a chance to intercept the decrypted data is a real challenge. Other than using a one-time resources approach, I can't find theoretical ways to get safe enough.
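As an added example (not code from this thread or from any tool it names), here is a Python model of the point emg and Master_Bo make above: the volume key must sit in RAM while the volume is unlocked, where a host with memory access can read it, so the guest's only lever is to keep that window short and overwrite the key in place once it is no longer needed, which is what `cryptsetup luksSuspend` does for a LUKS volume and what the with-block below imitates. The passphrase, salt and order string are constructed demo values.

```python
import hashlib
import hmac
from contextlib import contextmanager

ITERATIONS = 50_000                   # lowered for the demo; tune far higher in production
DEMO_SALT = b"constructed-salt-16"    # constructed value, not a real volume's salt


def derive_key(passphrase: bytes, salt: bytes) -> bytearray:
    """PBKDF2-HMAC-SHA256 into a *mutable* buffer so it can be overwritten later."""
    return bytearray(hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, 32))


def wipe(buf: bytearray) -> None:
    """Zero key material in place. `del buf` alone would leave the bytes in freed RAM."""
    for i in range(len(buf)):
        buf[i] = 0


@contextmanager
def unlocked_key(passphrase: bytes, salt: bytes):
    """Key resides in RAM only inside the with-block (the luksSuspend/luksResume idea)."""
    key = derive_key(passphrase, salt)
    try:
        yield key
    finally:
        wipe(key)                     # runs even if the work inside raises


def sign_order(key, order: bytes) -> str:
    """Stand-in for 'work that needs the key': authenticate a trading order."""
    return hmac.new(key, order, "sha256").hexdigest()


def residency_demo(passphrase: bytes = b"correct horse battery staple") -> dict:
    """Report what a party with RAM access could see at each stage."""
    with unlocked_key(passphrase, DEMO_SALT) as key:
        tag = sign_order(key, b"BUY 100 ACME @ 42.00")
        live = any(key)               # exposed while unlocked: nothing in the guest prevents this
        copy = bytes(key)             # an immutable copy: the mistake this pattern must avoid
    return {
        "tag": tag,
        "key_exposed_while_unlocked": live,
        "key_zeroed_after_suspend": not any(key),
        "immutable_copy_survives": any(copy),   # bytes objects cannot be wiped in place
    }
```

hashlib and hmac keep their own padded copies of the key and CPython frees memory without zeroing it, so in-place wiping shrinks the exposure window but cannot guarantee the key is gone from guest RAM.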
