
Is your stuff really safe at VPS servers? NO!

Discussion in 'Web Hosting' started by SafeSEO, Mar 31, 2010.

  1. SafeSEO

    SafeSEO Jr. VIP Jr. VIP Premium Member

    Joined:
    Jan 10, 2010
    Messages:
    100
    Likes Received:
    6
    Hey guys.

    I started this topic because many of us use VPS hosting solutions and we keep many "private/exclusive" things there... scripts, software, content...
    I have a question in mind: how do you keep your files secure?
    Why am I asking? I talked with an admin of an offshore hosting company (a chat between friends),
    who said how easy it is to grab all the stuff from his customers...
    (so you should know what kind of stuff we are talking about:
    really worthwhile BH stuff and private tools).

    So what solution is the best for keeping your files secure on a VPS? TrueCrypt?

    Any ideas?


    Cheers,
    SafeSEO
     
    Last edited: Mar 31, 2010
  2. kryptocrap

    kryptocrap Registered Member

    Joined:
    Mar 15, 2008
    Messages:
    73
    Likes Received:
    5
    Home Page:
    They must be using Virtuozzo, an OS-level virtualization... on that setup, your files are not safe at all :p

    You should go for a VPS that is based on Xen.
     
  3. SafeSEO

    Thanks for your answer, could you explain it more?
    I guess many BHW members would like to understand how to secure their business :)

    Cheers!
    SafeSEO
     
  4. homenet

    homenet Power Member

    Joined:
    Jan 5, 2009
    Messages:
    790
    Likes Received:
    338
    Location:
    Dimension X
    Virtualised servers are usually big blade servers segmented into 5, 10 or more virtual servers. System admins for VPS hosting companies have exclusive access to the entire blade server. Usually they hire one from a data center, then virtualise it and sell each virtual for $xx/month (making a profit on what they pay for at the data center).

    The problem is, in most virtualised environments you have full file access to each of the virtualised servers and therefore your stuff ISN'T secure. Like krypto said, I don't think this is the case with Xen.

    Alternatively you can rent a server that isn't virtualised, but you can expect to pay a lot more.
     
  5. SafeSEO

    Okay, but let's say I make a TrueCrypt container.
    An unmounted container is 100% safe.
    What happens when I mount the container?
    Will the admin of the server have access to these files, or are they
    available only to my session?
     
  6. homenet

    A TrueCrypt container is going to be safe; all data within one is encrypted whether you are in or out of the operating system.
     
  7. SafeSEO

    But when you mount the container to some dir, then I guess the admin of the server can check it?
     
    Last edited: Mar 31, 2010
  8. homenet

    That directory then becomes encrypted though, does it not? In which case no, I don't think I can... maybe someone else has a definite answer?
     
  9. thxflash

    thxflash Power Member

    Joined:
    Jan 20, 2009
    Messages:
    786
    Likes Received:
    131
    Location:
    Newport Beach, CA
    Home Page:
    I would just purchase the VPS from a reputable company that you don't have to worry about. If you can't do that, then either encrypt the data or monitor the VPS to ensure they aren't snooping.
     
  10. voyevoda

    voyevoda Regular Member Premium Member

    Joined:
    Mar 21, 2010
    Messages:
    217
    Likes Received:
    97
    Location:
    Eastern Front
    Yes. It becomes just like any other directory.

    Unless you set up the box yourself and can prevent physical access to it, you can never be 100% sure that other people don't have access to it. I believe that most VPS shops have backdoors in their kernels that allow their sysadmins to access your VPS without any ssh keypair/password while it's still running.

    Even if that isn't the case, they can still snapshot the disk while it's running and examine it "offline". :)
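
Added example (not part of any post in this thread): a shell check, run inside a Linux VPS, for the two points raised above, namely whether the guest is an OpenVZ/Virtuozzo container or a Xen guest, and which device-mapper volumes (where a mounted TrueCrypt volume appears on Linux) are currently mounted and so "just like any other directory". The function names and the optional `root` prefix are assumptions made so the logic can run against a constructed directory tree.

```shell
#!/bin/sh
# Added example. detect_virt and exposed_mounts are illustrative names; the
# optional root prefix exists only so the checks can run on a constructed tree.

# Classify the virtualization layer as seen from inside a Linux guest.
detect_virt() {
    root="${1:-}"
    # OpenVZ/Virtuozzo: /proc/vz exists in containers and on the hardware
    # node; /proc/bc exists only on the hardware node.
    if [ -d "$root/proc/vz" ]; then
        if [ -d "$root/proc/bc" ]; then echo "openvz-host"
        else echo "openvz-container"; fi
        return 0
    fi
    # Xen guests report the hypervisor type in sysfs, or expose /proc/xen.
    if [ -r "$root/sys/hypervisor/type" ] &&
       [ "$(cat "$root/sys/hypervisor/type")" = "xen" ]; then
        echo "xen"; return 0
    fi
    if [ -d "$root/proc/xen" ]; then echo "xen"; return 0; fi
    echo "unknown"
}

# List mount points backed by device-mapper. Mounted TrueCrypt and dm-crypt
# volumes appear here (LVM volumes match too); while mounted, their contents
# are ordinary plaintext files to the kernel and to root.
exposed_mounts() {
    root="${1:-}"
    [ -r "$root/proc/mounts" ] || return 0
    awk '$1 ~ "^/dev/mapper/" { print $2 }' "$root/proc/mounts"
}

report() {
    kind=$(detect_virt "${1:-}")
    case "$kind" in
        openvz-*) note="shared host kernel: host root sees guest files and mounts" ;;
        xen)      note="own guest kernel: host still controls disk images and RAM" ;;
        *)        note="no OpenVZ or Xen marker found" ;;
    esac
    echo "virtualization: $kind ($note)"
    exposed_mounts "${1:-}" | while read -r mp; do
        echo "mounted device-mapper volume, plaintext while mounted: $mp"
    done
}

report "${1:-}"
```

An "unknown" result only means neither marker was found; it says nothing about other hypervisors.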
     
  11. kryptocrap

    To make it simple... if you are paranoid because you are hosting some stuff which you think isn't legal, then go for offshore hosting. :p
     
    • Thanks x 1
  12. tajmahal

    tajmahal Regular Member

    Joined:
    Nov 28, 2009
    Messages:
    294
    Likes Received:
    53
    I think that most of you didn't realize that hosting services, no matter whether you have shared, VPS or dedicated, are a service based on trust. You have to trust the sys admin you buy any kind of hosting from. I believe that very few of you personally know the sys admin who is setting up your hosting account. So in good hosting companies that have a good company culture, your data is safe with them, and do not worry about your scripts, blogs, web sites etc.
     
  13. wannabie

    wannabie Elite Member

    Joined:
    Mar 11, 2009
    Messages:
    3,807
    Likes Received:
    2,958
    Occupation:
    Seo and Marketing Suprisingly
    Location:
    Your bedroom window
    Home Page:
    Agree with above - surely any host where you have never seen or have access to the box could be used for their own use?
     
  14. slacker

    slacker Newbie

    Joined:
    Sep 21, 2008
    Messages:
    24
    Likes Received:
    8
    Occupation:
    Fuck corporate america!
    For storage purposes you may zip the file and encrypt it with a password.
     
  15. nana_m

    nana_m Newbie

    Joined:
    Apr 18, 2010
    Messages:
    1
    Likes Received:
    0
    thanx y0000000000u:fingersx:
     
  16. A-Intelligence

    A-Intelligence Registered Member

    Joined:
    Apr 4, 2010
    Messages:
    63
    Likes Received:
    12
    Occupation:
    A.I.
    Location:
    DC / NYC / ARGENTINA
    Home Page:
    Actually I think the main concern is that 99.5% of people here have "their own methods" of doing things. And if these offshore "black hat" fly-by-night companies wanted to snoop on a server, all they have to do is hook a monitor up to the server & watch what you're doing. (On a Windows OS; I'll explain a possible Unix/PHP type snoop in a moment.)

    I would say going with a reputable company & operating in plain sight is the best course of action for most people. Actually "knowing" your hosting provider and their reputation would be an even better solution.

    For instance if a website for VPS/Dedicated was setup 1-3 months ago by a member here that maybe registered even 1 year ago (that he could have easily bought off another shady member)....You'd be insane to use their services. It could be a setup on 100 different levels.

    I would look for the guy with a +30 itrader, with multiple big hitters vouching for his/her service.

    You may be able to encrypt your data 1,000 diff ways, that doesn't mean they can't still catch your "method" with some simple misdirection.

    I.e. setting up a virtual router, logging all of your outgoing HTTP header data, which sites you're using & in which order, could all expose your "method". (And this could not be detected even with full root capabilities.)


    Why did I bother disclosing all of this information?
    I actually care about my fellow webmasters, who find a good idea & hope that it ends up putting food on their plate.

    Why go offshore instead of hosting in the U.S.?
    I would say most people (residing in the U.S. & Canada) are not breaking any criminal statute laws; however, some sites are overzealous about not allowing a user to simply even mention a product of any type that's not being paid for (and that goes against the 1st Amendment). This has forced people to resort to making multiple pages/accounts/emails etc.
    So many users have simply moved offshore to try & avoid these companies' overzealous civil lawyers. That's right, CIVIL... because 99.5% (I guesstimate) of the BHW community are involved in no actual criminal activities.

    I mean look at us, we're already walking advertisements for Nike any time we leave the house. Why am I allowed to post about my Nikes (I could post a thousand ads to Nike.com from 1,000 accounts anywhere, 1,000 times each & not have a single one die, even if Nike wasn't a paid advertiser!), but the minute I rock BO$$ brand tennis shoes, I get my account killed & slapped with a potential lawsuit?

    Of course none of it will stand up in court, but who has $10,000,000 to spend on a civil trial lawyer? Shit if you do.....host all your domains on your own personal DS-3 line running into your garage. Set up a rack, a couple of air conditioners & go all out homie!

    What can you do to better the overall situation?
    Please read this part. If you can program something good, or buy something good, don't go into overkill mode. Don't set up 20,000,000 accounts. Show some self-control & be responsible. Just because 20,000,000 accounts (or blog posts etc.) would give you essentially a 5% stake in a particular site's view count, do you really want to do that? Is that fair to the other users? Time & time again, I see sites ruined, methods ruined, lawsuits flying, all because of the 0.01% of assholes out there that said "fuck everyone, I want it all." Well, look back at history my friends, at those types of characters: in the end, what was the result?


    Disclaimer for the retarded douche bags reading this:
    If you're just some dick bag out there stealing CCs/selling fake pills (rip-off pharmas to sick people)/phishing people's personal information (i.e. identity fraud) etc., I hope you GET FUCKED. There's nothing brilliant or tactical about what you do. There is no host that is safe, you will get caught!
     
    • Thanks x 1