New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Yes, they can to do that even in KVM or Xen and similar (VMWare...).
They can easily copy your disk file and add it to their VM. Boot it up with a live CD and mount the partitions inside to access your files. Or they can use the same live CD to reset the root password of their copy of your VM to access it while running all the services and etc.
If your VM is encrypted it still could be possible but this requires some knowledge because the provider would need to extract the cached decryption keys from RAM and so on to get the key to decrypt their copy of your VM disk.
So it is possible with a bit more work than usual. And it is actually illegal... Privacy laws and such.
A provider here just posted a screenshot from his customer's VPS a week or two ago. To prove he had torrent client installed.
Quite disturbing.
I assume they got KVM/noVNC access to it the same way a client would be able to do from his control panel and if they were running windows and left it unlocked via KVM, the provider would have easy access to it
What thread was that on? I'm going to try and find it
oh my god :O
If you're scared about this you could go with a big provider like OVH, Vultr, AmazonAWS Compute, Microsoft Azure, where their employees don't have that kind of access and the CEO probably isn't going through the billions of VPSs they have. Azure has a free $200 credit trial but it's like $60/month to renew on their lowest plan, and AmazonAWS compute is also pretty expensive too
The "Piohost is disgusting" thread. It was just a screenshot of the login prompt, as you would see it on the KVM console.
Quite complexing, but I got it.
https://www.lowendtalk.com/discussion/114823/customer-either-was-hacked-or-broke-tos-rant-etc/p1
Customer was violating TOS apparently, so no problem with terminating service. But I didn't expect providers to be lurking around people's VPS and files. It's probably not legal either.
I hope larger providers like OVH don't have time for this...
Yeah this
Yeah OVH just relies on their automated systems to catch mail, ddos out (udp floods, etc), and stuff like that
Thank you all for comments.
I already have a few dedicated servers for service. I try vps to expand my service. I would go with big providers.
Any good guide/tutorial to encrypt VPS? Or Distro comes with encryption during installation/by default? I understand they can still access our data. Thanks!
Dedicated server is not 100% safe either, even with encryption, as long as someone has physical acces to server there is no way to be sure...
Install from ISO and create a custom partition layout where you enable encryption for the partitions you need. Templates are no good on KVM/Xen unless you want it quick and dirty like on OpenVZ.
What distribution are you using?
This!
CentOS, Ubuntu. What would you recommend?
At least with a dedicated server they need to shut it down to clone the disk (and for a prolonged period too, disks are big nowadays! and not that fast at reading the entire disk, it may take hours), so you will get to notice that something has happened. Whereas with VMs they can snapshot and clone the disk completely stealthily, while the VM is running.
Don't b/s yourself, just because the dedicated server is "not perfectly safe" by some ridiculous reason that you just invented, it can't be an excuse to just give up and keep using VPSes (which are not safe at all).
Me being the Debian guy would recommend Debian or if really necessary Ubuntu would also work (based on Debian).
Try this guide in a local VM: https://www.tecmint.com/install-debian-8-with-luks-encrypted-home-var-lvm-partitions/
It should help you to understand how to setup encrypted volumes on Debian. For Ubuntu check: https://help.ubuntu.com/community/FullDiskEncryptionHowto
CentOS is similar to Debian basically as it allows you to encrypt the disks during installation.
Google has tons of tutorials listed from Digitalocean, Howtoforge and so on. Play around in local Virtualbox VMs or a spare VPS.
Yeah... Or not really. Remember that guy who had his servers cloned "during normal DC maintenance" in closed curtains for a police investigation? This can happen anytime to you.
Now if we're all being that paranoid we can go on and spin the wheel further and bla bla bla.
Nothing is safe?!
Basically, safe is a relative term. Sure, someone might cold boot your encrypted dedicated server, but your dedicated server is still a lot more secure than your average VPS.
If you have data that is so important and so sought after that you are afraid of people cold booting your encrypted dedicated server, I don't think you should trust some random people online in a forum called 'LowEndTalk'...
Once some data leaves the confines of your house, it is no longer secure. VPS can be snooped on by VPS provider, and NSA, CIA, GCHQ snoop too.
I bet many of these one man band VPS providers look through VMs to see whats on there for giggles!
No, not really?
If your DC regularly has "normal DC maintenances" lasting six hours, maybe you need to look into changing the DC.
I didn't even mention that if you use full-disk encryption at a dedi it won't be possible to figure out anything from the cloned disk at all -- and since the access involves a power-down/reboot, no RAM content to fish out keys from either.
(Even the "keylogged KVM" threat can be mitigated, as you don't have to enter the decryption key manually, it can be fetched over HTTPS from a link that you make available only very briefly and with an IP whitelist).
It's possible on all virtualization types and container systems, except with OpenVZ, it's as easy as
vzctl enter yourcontainerid
.There are a lot of things that can be done with physical access to machine, basically everything depends on how badly someone wants those data and how much time/effort he is willing to spend. If for some weird reason provider wants your data he will get it.
And yes, vps is even less secure, but it does not mean that someone buying dedicated server should consider it perfectly safe.
Also encrypted KVM is not that bad, getting key out of memory may be not that much easier than pulling single drive from raid1 (as an example) and reading it, or tampering with initrd (as another example) to get key.
You really have no way of knowing that. I expect someone has access...and some junior sysadmin is abusing it.
Agree. Simple flow monitor with thresholds or more advanced IP profiling.
So, what your imagination has in mind this time? Wiretapping SATA link (I mean really, using spliced wires and capturing stream data into some device for later decoding)? Useless if disk encryption is used.
Wiretapping DDR3 traces on the motherboard? (seriously? and expect no stability issues or corruption from the all the parasitic capacitance and reflections in the side connection? just laughable).
So cut the bullshit already, there are real physical limits to what can be done even with physical access. Your hand-waving of "they can do it anyway" (somehow), just go into a kindergarden with such level of discussion.
>
Are there any hand-holding tutorials from "you just got your IPMI access" to "yay, booted your fortress successfully"?
You invented two ludicrous examples and ignored the obvious:
This, of course, takes a little more effort than a simple
vzctl enter $CTID
but it's still kindergarTen-level and the customer has no idea she or he is compromised. (I'd imagine this is how law enforcement does it, in the specific situation of full disk encryption.)With that being said - I doubt any sysadmin will do this just to steal OP's sources code.