Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Avoid OpenVZ "snooping"
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Avoid OpenVZ "snooping"

lestilesti Member

I am worried about having an email server on some OpenVZ VPS. It is too easy to get your files checked and readed by the server admin.

My VPS uses exim4 as MTA, also it uses TLS/SSL to protect against MITM attack, however this all is futile when your service provider can access your private keys files, that are stored in the VPS.

Also, encrypt a disk partition with LUKS won't help, because the server admin could always search of dump throw the RAM memory of the server looking for the point where the information is about the get encrypted, and catch it before that happens.

So, in a general approach, how coul you protect your information on a virtualized platform?

P.S.: please avoid comments like "do you have something to hide?", "why do you want to do this?", "is your information so important?", etc.

«13

Comments

  • the smartest thing to do would probably be to not use an OpenVZ VPS.

    with KVM options so cheap, why bother with OVZ?

    Thanked by 3rm_ tux jar
  • Three options:

    1. If you don't trust the provider, find another one.
    2. Don't use OpenVZ.
    3. Remove your tinfoil hat.
  • Buy a homing pigeon.

  • The problem is the same; KVM can inspect the memory aswell.

    Also, it doesn't matter if I trust my provider or not, watch Lavabit, they can just force to raid the servers.

    Also, it was demostrated a long ago the tinfoil hat amplifies signals rather than stopping them.

  • @Jack said:
    Get a dedicated server then.

    The RAM modules can be physically removed

  • rm_rm_ IPv6 Advocate, Veteran
    edited August 2013

    1) Don't f---ing use f---ing OpenVZ.
    2) Spying on KVM is more complex, but if you're still concerned, get a dedi.

    Seriously, if you assume a random provider will go as far as dumping KVM RAM to get to your encryption key, but at the same time you are not even able to afford a 10 EUR dedi, then sorry but you're just a sad joke.
    Leaving OVH aside, there are at least two providers with 10 EUR/mo dedi offers: dedibox.fr digicube.fr and online.net.

    Thanked by 2mpkossen marrco
  • SpiritSpirit Member
    edited August 2013

    He's asking what's possible/not possible with certain type of virtualization, not what he can afford it and what can't. What makes you think that someone who ask something about OpenVZ doesn't have already some KVM or even dedi boxes?
    And if he does, what makes his question regarding certain type of virtualization less relevant? Some general opinion does not answer explicit question. So much about tinfoil hats.

    Thanked by 2Janevski trelawney
  • I really don't get why when you ask an entirely technical question you get flammed like this.

    Is not about do not having money to rent dedicated servers, myself owns some of them; the topic is about finding solutions to provide privacy on VPS servers, however it seems the people feels unconfortable talking about this.

    Back to the discussion stream, I also do not find secure to do this on a dedicated server. Datacenter staff can always shut down the machine at 4 AM, dump the hard disk and report a power failure. It doesn't matter what they do it for: court order, brive or gun on their head. However, hosting on a dedicated may saves you from being "RAM snooped."

    So, is there any secure way to host the private keys used in LUKS or similar encryption out of that box?

    Thanked by 1Janevski
  • I also do not find secure to do this on a dedicated server. Datacenter staff can always shut down the machine at 4 AM, dump the hard disk and report a power failure.

    Are you fucking serious? If you're going to be this paranoid, you'd might as well not bother.

  • @rm_ said:
    dedibox.fr and online.net.

    I was wondering why I hadnt heard of dedibox.fr. It seems to be just a pseudonym of online.net?

  • DroidzoneDroidzone Member
    edited August 2013

    @Jack said:
    Yes host it under your bed.

    I feel sad that you sleep in the DC. Such commitment..

  • rm_rm_ IPv6 Advocate, Veteran
    edited August 2013

    Yes host it under your bed.

    Indeed, the most secure option is to host a server at your own location, e.g. at home.
    And for example with E-Mail you can set up some VPSes or dedis to act as secondary MXes, those will provide a "safety net" when your home connection or electricity goes down.

    dedibox.fr. It seems to be just a pseudonym of online.net?

    Oh sorry! I meant http://digicube.fr/

  • netomxnetomx Moderator, Veteran

    Maybe a KVM with truecrypt ?

  • seriesnseriesn Member
    edited August 2013

    If you do not trust your provider, do not use them, can't be more simple than that. Also, remember, us as providers, we do not have any time to snoop around 1000's of active vps's for the heck of it. We have better things to do besides reading your emails and what not. Unless you ring sometype of alarm, no reputable provider will bother with you.

    Btw, remember this "Anything that can be encrypted, can very well be decrypted".

  • @seriesn said:
    If you do not trust your provider, do not use them, can't be more simple than that. Also, remember, us as providers, we do not have any time to snoop around 1000's of active vps's for the heck of it. We have better things to do besides reading your emails and what not. Unless you ring sometype of alarm, no reputable provider will bother with you.

    Btw, remember this "Anything that can be encrypted, can very well be decrypted".

    While you may not have time to snoop around files, other providers have made bots to do so. I've had issues with one of them. I find the best way to go about it is ask the provider what kind of monitoring they do and check to see if such monitoring complies with the laws of the country the server is hosted in.

    OpenVZ makes it way to easy for snooping as someone as said before if you care about privacy use KVM or OpenVZ with a provider that doesn't spy.

  • @spycrab101 said:
    OpenVZ makes it way to easy for snooping as someone as said before if you care about privacy use KVM or OpenVZ with a provider that doesn't spy.

    If a provider don't monitor malicious activity, you need to worry more than anything else. If provider wants, they can snoop into your kvm too ;)

  • How 'save' is xen?

  • TsumeTsume Member
    edited August 2013

    Chances are you're not the only person on any OpenVZ node at any given time. They probably have dozens of not at least a hundred others. Why would they single you out, out of everyone else, just to look at your emails? Unless what you're doing is malicious or illegal. There's nothing to worry about.

    I highly doubt providers go through the trouble of providing servers just to read everyone's email/documents.

    But if you're that paranoid. Then your best bet would be a dedicated server.

  • @Tsume said:

    But if you're that paranoid. Then your best bet would be a dedicated server.

    What if DC staffs decides to take a look into his dedi? He is better not even talking to anyone. You know, walls have ear too :P

  • @seriesn said:
    What if DC staffs decides to take a look into his dedi? He is better not even talking to anyone. You know, walls have ear too :P

    Haha, true enough.

  • Host the mail server at your house and tunnel to your VPS with SSH or OpenVPN. The DC/VPS provider would still be able to see your incoming/outgoing mail since SMTP is mostly unencrypted.

  • Unless you Colo your Dedi (better build one from scratch and colo it. Never know what them rented ones have in them!) at the NSA Datacenter, the chances of a Datacenter employee taking your server, managing to extract the encryption key from RAM (without losing power, thus cleaning out the RAM), and then decrypting your server's hard drives so they can dig through it is PRETTY DARN LOW. A smal degree of paranoia (like wondering why that guy has been following you for the past half mile) is okay. But there is a point where it gets a little... excessive.

  • I have a funny feeling that your worried a about being snooped on when really, You are referring to hosts being able to trace you are sending spam thus having justification to disable you, You won't hide that KVM/OPENVZ or any other virtualization you want, The traffic is routed via host node so host can always monitor that traffic an when reports flood in about a vps provider just watches it for traffic to work out spam its sending to justify disabling you.

    NO provider will waste time breaking private keys an exim just to find stuff out, Quite frankly they don't even need to look within VPS to find email abuse.

    An if your so paranoid to think a provider would want to go snoop on any data then 1 would be counter productive an unless your hosting some multi thousand pound company i wouldn't worry, An if you are then stick it on a dedi.

    The only logical reason behind being this paranoid, IS something is on your servers which is provider found you would be terminated for. Simple as. Otherwise it wouldn't be a concern for you to open Multiple topics regarding same reason.

  • krokro Member

    Everyone stop with the paranoid argument... Far out, bunch of sads lately.

    Thanked by 1VPSSimon
  • pylodepylode Member
    edited August 2013

    @seriesn said:
    If you do not trust your provider, do not use them, can't be more simple than that. Also, remember, us as providers, we do not have any time to snoop around 1000's of active vps's for the heck of it. We have better things to do besides reading your emails and what not. Unless you ring sometype of alarm, no reputable provider will bother with you.

    Btw, remember this "Anything that can be encrypted, can very well be decrypted".

    Wouldn't it make sense to trust a heavily over-sold provider then? Or a provider ran by kids who don't know what they're doing, haha.

    As everyone else has mentioned though, any data can be seen if you have access to the memory, disk etc.

  • @smooch1502 said:
    Wouldn't it make sense to trust a heavily over-sold provider then? Or a provider ran by kids who don't know what they're doing, haha.

    You are already trusting them with your personal and financial information ;)

  • @seriesn said:
    You are already trusting them with your personal and financial information ;)

    Unless you pay by bitcoin..

  • MaouniqueMaounique Host Rep, Veteran

    In this case, SMTP servers dont need to be breaking into, they can be monitored via the traffic analyzing. If you use SMTPS, then NSA will still be able to access the other end of the communication, for example, yahoo, hotmail or gmail boxes. The only way to keep it out is to use some kind of encrypted darknet like freenet where all traffic is inside the network. Even so, the particular node you run will be vulnerable due to keys being stored in the memory.

  • flyfly Member

    any provider will be able to look at your files. if you're really that concerned that your provider is gonna take the time to bother and look at your shit, you'll need to buy your own hardware and host it yourself. But then again, someone can just listen in on your network traffic.

  • Remove your tinfoil hat.

    This.

Sign In or Register to comment.