How secure is data in an OpenVZ container?

I want to discuss data security/access from outside in OpenVZ containers.

Can the node admin access data that is inside a container? Is there any way to prevent this? Can the admin spy on data in RAM from the container or is it encrypted (by OpenVZ)?

Mounting an encrypted FS container is not really ideal because it has to be mounted manually after each restart, or is there a way to automount without storing the PW locally?

Any advice to secure / encrypt data is welcome.

Comments

  • jlay Member
    edited January 2015

    They can indeed access the container data. Quite easily, might I add.

    cd /vz/$CTID/private/fs/root/

    Where $CTID is the container ID for your VPS. That's just an example path, it can be changed. Point is, it's basically just a directory on the node.

    VZ manages mounting the pseudo-filesystem, so chances are there's not much you can do there.

    Edit:
    There's no real advanced stuff going on as far as processes. They can all be seen and messed with on the node.

    If you're worried about security, use more "true" virtualization (ie: KVM), or go dedicated.

  • rm_ IPv6 Advocate, Veteran

    said: Can the node admin access data that is inside a container?

    Absolutely and extremely easily.

    Is there any way to prevent this?

    Get a dedi.

    Can the admin spy on data in ram from the container

    You should assume that yes.

    or is it encrypted (by OpenVZ) ?

    Haha what.

    Thanked by 2: jar, vRozenSch00n
  • KuJoe Member, Host Rep

    If you want to be 100% sure nobody else has access to your data. Build a server and bury it somewhere that only you know about.

    Short of that, colocating your own hardware (server and network gear) is the next best thing but if the data center wanted access there are plenty of methods out there.

    Renting a dedicated server is a cheaper alternative but the hardware isn't yours so there's nothing stopping the data center from mirroring your network ports or cloning your hard drives.

    With a true VPS like Xen/KVM/VMware/etc... it takes a few steps for the server owner to access your data and even if you encrypt your drives they have access to the keys in RAM any time they want.

    With containers like OpenVZ then your data is basically accessible by anybody who had elevated access on the server.

    If your data is super critical and needs to remain private (as in you're going to jail or people will die if it's ever seen by anybody) then colocate your own hardware and run your own network, preferably in your own data center or in a locked cage that nobody else can get into.

    If you're just worried about somebody else viewing your search history or your crazy image collection, then hosting with a provider you trust will save you money and headaches. If you have any doubt in your mind about a provider, don't host sensitive information with them.

    Basically, any reputable provider will not go snooping through client's files just because they are bored.

  • jar Patron Provider, Top Host, Veteran

    rm_ said: Haha what.

    "A way to make it secure from curious admins? I'm sorry, we don't speak Chinese." - OpenVZ Development Team

  • KuJoe Member, Host Rep

    @Jar is that an actual quote?

    Thanked by 1: jar
  • jar Patron Provider, Top Host, Veteran

    @KuJoe said:
    Jar is that an actual quote?

    In my mind it is ;)

  • Whoever has physical access to your box can own it and see whatever he pleases (with very very rare exceptions). With a VPS, no matter what kind (though OpenVZ obviously being the worst) whoever has access to the node can access your data and see whatever he pleases (with very very rare exceptions).

    There are ways around. But they are not an available option to anyone who asks such questions. Sorry, no hurt feelings intended.

  • raindog308 Administrator, Veteran

    KuJoe said: With containers like OpenVZ then your data is basically accessible by anybody who had elevated access on the server.

    ...including anyone who might compromise the provider or hack into the physical server.

    Thus, I think it's important that you make sure the provider is both ethical and competent.

    Thanked by 3: jar, ucxo, vRozenSch00n
  • This seems like an older thread and maybe I should open a new one. But this thread is on target already. I have been running Virtuozzo since 2007 and never had a hack. I was behind a very good enterprise level firewall. As a web host it has saved my butt. But I recently added a new dedicated server with another company. They really pushed CloudLinux and I refused. I wanted OpenVZ and Centos 7.x. Period.

    Fast forward - the server has been rooted. I have had the dedicated server company in the box doing many things and they never noticed that there have been 5 screens running since almost the beginning. I even mentioned in the beginning a file named -> shit <- in the /root but got no reply. Now that the box has been rooted I can see in history that content was downloaded files from the Virtuozzo repo (I know that OpenVZ is the test bed for Virtuozzo and run by Odin employees.) There are no clues that CloudLinux was downloaded but it is now the OS for the service container. There were some deletions so the files may have been downloaded. I know that one can easily convert CentOS to CloudLinux.

    So where might the weakness be? I'm not behind a firewall now but all of the connections are running on port 80. I saw many attempts to SSH in but had a very strong password.

  • KuJoe said: If your data is super critical and needs to remain private (as in you're going to jail or people will die if it's ever seen by anybody) then colocate your own hardware and run your own network, preferably in your own data center or in a locked cage that nobody else can get into.

    Close. Get a business line to your garage and set up a GRE session in a datacenter over an encrypted link. Then just put it in a big vault I guess, with holes for cables...

  • exception0x876 Member, Host Rep, LIR

    @radry said:
    Mounting an encrypted FS container is not really ideal because it has to be mounted manually after each restart, or is there a way to automount without storing the PW locally?

    Even then host node admin can access it while it is mounted. Get KVM.

  • With OpenVZ, you're safe from other VPS clients accessing your data (mostly). But node admin? Phah. It's so easy my grandma could do it.

    KVM on the other hand, that varies. VPS providers like GVH, ColoCrossing, et cetera, probably don't have the technical knowledge to break into your data except in the one dude who's well overqualified for the job. If it's encrypted, only a couple providers have the technical knowledge to access your data.

    A dedi, if it's encrypted, only a couple dozen people worldwide know how to access the data.

  • @krazybob said:
    So where might the weakness be? I'm not behind a firewall now but all of the connections are running on port 80. I saw many attempts to SSH in but had a very strong password.

    Nice necro there.

    Disable SSH password login and use SSH public key authentication instead.
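
As an added illustration of the advice above to disable SSH password login (this is not code from any poster in the thread): a small Python audit that parses sshd_config text and reports where password-style authentication is still reachable, including inside Match blocks. The sample config is constructed, and the parser assumes no Include files and no quoted values.

```python
import re

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated spelling still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample config (not taken from the thread).
SAMPLE = """\
PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); the first value per keyword wins."""
    global_cfg, matches = {}, []
    target = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = ALIASES.get(key.lower(), key.lower())
        if key == "match":
            target = {}  # following keywords belong to this Match block
            matches.append((value.strip(), target))
        else:
            # sshd keeps the first value it sees; later duplicates are ignored.
            target.setdefault(key, value.strip())
    return global_cfg, matches


def audit(text):
    """List settings that leave password-style authentication reachable."""
    global_cfg, matches = parse_sshd_config(text)
    effective = {**DEFAULTS, **global_cfg}
    findings = []
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if effective[key] != "no":
            findings.append(f"global: {key} is {effective[key]}")
        for criteria, block in matches:
            # A Match block overrides the global value for matching logins.
            if block.get(key, "no") != "no":
                findings.append(f"Match {criteria}: {key} is {block[key]}")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("global: pubkeyauthentication is disabled")
    return findings
```

On a live host, `sshd -T` prints the effective settings after Include files are resolved, which is the authoritative check.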

  • KuJoe Member, Host Rep

    @krazybob said:

    I wanted OpenVZ and Centos 7.x. Period.

    Running OpenVZ on CentOS 7 (i.e. beta)? You must be [krazy].

    I even mentioned in the beginning a file named -> shit <- in the /root but got no reply.

    You pay for a management company that doesn't answer tickets? You must be [krazy].

    I saw many attempts to SSH in but had a very strong password.

    You use passwords for security? You must be [krazy].

    (I mean no offense, just poking fun at your name while pointing out obvious security issues with your server.)

    No firewall is needed to secure an OpenVZ node. In fact, a firewall can make your life a living hell if you need to track down why packets are being dropped for clients. Better for you and your clients if you don't have anything that can be dropping packets without you specifically telling it to. iptables and fail2ban/denyhosts are the only tools not included with the OS that you really need to secure an OpenVZ node and even then it's used very sparingly.

  • KuJoe Member, Host Rep

    Rallias said: VPS providers like GVH, ColoCrossing, et cetera, probably don't have the technical knowledge to break into your data except in the one dude who's well overqualified for the job. If it's encrypted, only a couple providers have the technical knowledge to access your data.

    Unfortunately there are pretty detailed guides for both online (or at least there were at the time this thread was created, I used them for reference when typing my reply back in January which was the basis for this page I put together since this question was being asked so often). :(

  • That is why ladies and gentlemen, use only services from trusted providers. It's not easy to find one, but when you find yours, keep it.

    Frankly I am more comfortable to deal with people rather than a corporate face, people who we can rely on like @KuJoe, @Jarland, @Francisco, @AnthonySmith, @McPhill, @MitGib and many more (dang I forgot what his name - RamNode, RamHost, Uncle) etc.

    @MarkTurner would be an exception as he is a corporate face as well as a fellow Tech and I personally ask him for help on technical issues.

    When I need advice I'd rather ask @_rm, @raindog360, @Netomx, @Sleddog, @ehab, @Spirit and many more.

    Dang I get too excited! I have to lay down a bit, my BP is rising. Sorry guys...

  • Francisco Top Host, Host Rep, Veteran

    Thanks.

    Generally if you fear your host is going to go through your data then you need to find a new host, or strictly use KVM's/dedicated servers where you can encrypt the drives.

    It's still (probably?) possible to dump your encryption keys out of a KVM's memory, though, if a host was really hungry for your data.

    Francisco

    Thanked by 1: netomx