Email Provider VFEmail Suffers ‘Catastrophic’ Hack - Page 2

Comments

  • @eol said:

    @edfox said:

    @mailcheap said:

    1. Use SSH keys instead of passwords.
    2. Different key(s) for backup server(s)
    3. Pull from your servers to backup instead of pushing to it.
    4. Secure that backup like it is worth its weight in gold (because it is).

    This is what I do.

    I use two servers: one is the "backend", with all the actual stuff, the other is the "frontend", aka an HAProxy just proxying some selected services that I need (pretty much only nginx).

    The main server has port 12039 open, with SSH on that port, accessible only on the WAN interface, and only from the subnet of the ISP I use at home. If you somehow succeed in having the same ISP as me and finding the SSH port, fail2ban will ban you for 12 hours as soon as you try logging in with something other than my own username.
    I get a notification (via a Telegram bot) so I can act accordingly, for example by changing the port. There's nothing else open there, so no risk of people finding out what the server is for.

    The front server has only ports 80 and 443 open. Additionally, it has a WireGuard VPN going to the main server, on which it exposes its SSH service. Of course the main server doesn't expose anything to the WireGuard network that isn't the stuff I need to proxy.

    I recommend a third server.

    No.
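The pull-based, key-restricted backup that mailcheap's list and the setup above describe, as an added example (this is not code from the thread or from either poster): a forced-command wrapper that the backend installs for the backup server's dedicated key, so that key can only read the mail spool with rsync and cannot push, delete or open a shell. The paths /var/mail/ and /usr/local/sbin/backup-wrapper and the address 203.0.113.7 are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a pull-only backup key (added example, not from the thread).
# Installed on the mail/backend host as the command= of the backup server's dedicated key,
# so that key can only run rsync in --server --sender (read-only) mode on one directory.
# Assumed paths: the mail spool lives under /var/mail/ and this file is
# /usr/local/sbin/backup-wrapper.

set -f                                  # never glob the requested command

BACKUP_ROOT="/var/mail/"                # the only tree the backup key may read

# check_backup_command "<requested command>": 0 if it is exactly
#   rsync --server --sender -<short option cluster> . $BACKUP_ROOT
# and 1 for anything else (a shell, scp, rsync in receive mode that could overwrite
# files, --rsync-path tricks, extra arguments). The request is only word-split,
# never eval'd, so ';', '|' and '$(' stay literal characters inside an argument.
check_backup_command() {
    set -- $1
    [ "$#" -eq 6 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    case "$4" in -[!-]*) ;; *) return 1 ;; esac
    [ "$5" = . ] && [ "$6" = "$BACKUP_ROOT" ]
}

# backup_key_entry <source CIDR or host> <wrapper path> <public key>: the authorized_keys
# line for the backend. from= pins the key to the backup server's address (compare the
# ISP-subnet rule above), command= forces this wrapper, restrict disables pty, agent and
# port forwarding. The key pair is generated for this purpose only (point 2 above).
backup_key_entry() {
    printf 'from="%s",command="%s",restrict %s\n' "$1" "$2" "$3"
}

# When sshd runs this as the forced command, SSH_ORIGINAL_COMMAND holds what the
# backup server asked for; refuse everything except the read-only rsync sender.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_backup_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t backup-wrapper "refused: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

The backup host then pulls with `rsync -a backup@backend:/var/mail/ /srv/backups/mail/` and rsync itself sends the `--server --sender` line; check what option cluster your rsync version actually emits before tightening the match further.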

  • @Letzien said:

    @eol said:

    I recommend a third server.

    No.

    Yes.

  • Maybe.

  • Pick a target. Wait 18yrs.

  • @vimalware said:
    Pick a target. Wait 18yrs.

  • 18 years. Servers grew up and left the nest.

  • It is because of events like this that security experts recommend placing your server behind seven proxies. Then the only way to hack it is to trace the IP address using Visual Basic, and everyone knows only the NSA has access to Visual Basic.

  • Seventh son server of a seventh son server.

  • @desperand said:
    Oh, I don’t believe in it, something is wrong. It’s just that the level of preparation of the one who did this should be beyond the sky; it should be a Neo from The Matrix.

    Neo never wiped emails. Hillary Clinton on the other hand...

  • jarjar (Patron Provider, Top Host, Veteran) said:

    A moment of silence for our fallen comrade.

  • Isn't Vfemail marketed as a privacy-oriented service?

    We cannot know from this information that the content of the servers wasn't downloaded elsewhere, but if it was only deleted, I think that's a pretty good result as far as hacks go. I'd rather everything be deleted than stolen.

    I don't think it should be common practice to make backups of email servers. Will you secure all HDDs and backup HDDs in the future? They could be inspected and recovered by 3rd parties after disposal. You're just increasing points of infiltration by making multiple backups.

    If you need retention of email due to business or legal reasons, that should be a separate service for those who need it, but as far as privacy-minded users go, too much backing up is unnecessary.

    Also kudos on the stealth marketing with the sharing of this news by Mailcheap, LOL.

  • mailcheap (Member, Host Rep) said:

    Now that this thread has been resurrected I just want to add that VFEmail has pulled through and are still going strong. They made a mistake but they've overcome what I could only describe as a nightmarish scenario.

    I don't think it should be common practice to make backups of email servers.

    A locked-down, secured backup machine would have a much lower attack surface than a mail server. And backups are necessary if you value your email data; for a self-hosted machine maybe you could skip it depending on your requirements, but for a provider it's not an option to lose customer data that is entrusted to us. We keep rolling snapshots (7 daily + 4 weekly) at Mailcheap now and have a data restoration tool to recover deleted email data.

    but as far as privacy-minded users go, too much backing up is unnecessary.

    A privacy-minded user should use client side OpenPGP encryption. They're then covered against potentially any data leaks. If you prefer paper, we can offer PaperStorage™ (as a custom feature), so instead of storing mails on disk, each mail would be printed to paper. This is not a joke, we're a very flexible email provider.

    Kind regards,
    Pavin aka StealthMarketer™
