Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


[Help] General security advice for file server on VPS
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

[Help] General security advice for file server on VPS

Hi - I was wondering whether anyone had any advice for a file server on VPS. I know it's impossible to have 100% security because they have hardware access, but what advice do you have to make it difficult enough to host your own files (say, passport photos and backup keys etc.).

I was thinking dm-crypt, but I'm not sure if even that is secure?

Comments

  • Might be better to just host it on a ultra low end dedi

  • jamtholee said: I was thinking dm-crypt, but I'm not sure if even that is secure?

    DM-Crypt is secure (as is Truecrypt and for most usage cases even Apples/Microsofts encryption, unless you piss off the CIA/NSA/$3letteragency) - On a VPS it makes no sense though, on OVZ you can't mount it (easily) and on KVM/Xen i just run "virsh dump --memory-only" or "virsh save" and then have all time of the world to extract your private keys/encryption keys from the RAM.

    If you are concerned run it on a dedicated server, if you are paranoid run it on a colo server and glue the RAM in, disable Firewire/Thunderbolt and glue the PCIe slots shut (as you can get memory dump via DMA on this interfaces).

  • MaouniqueMaounique Host Rep, Veteran
    edited August 2015

    William said: on KVM/Xen i just run "virsh dump --memory-only" or "virsh save" and then have all time of the world to extract your private keys/encryption keys from the RAM.

    If the container is mounted locally, that is, if remote, no dice, it will act like a block device and memory of the storage server or the packets exchanged will contain no key, even on a non-encrypted connection. Only his devices will know the keys.
    How to do it:
    -Export some space (iSCSI my favourite, but NFS, CIFs work too, depends on your requirements and backup copies you have);
    -Mount the space on your computer and create an encrypted container on your computer to store it there only. Then you can mount it on anything that supports the method (CIFS works on everything, albeit is a bit less secure) and encryption/decryption tool;
    -Make sure you never mount it on any remote server and you unmount on your devices as soon as you no longer need it.

    That's about it.

  • William said: $3letteragency

    What?

  • joepie91joepie91 Member, Patron Provider

    jamtholee said: I know it's impossible to have 100% security because they have hardware access

    You should be aware that this is no different for a dedicated server in a datacenter. A rogue device into a DMA-capable port (eg. PCI, Firewire, ...) and somebody can happily dump your memory.

  • MaouniqueMaounique Host Rep, Veteran

    @joepie91 said:
    You should be aware that this is no different for a dedicated server in a datacenter. A rogue device into a DMA-capable port (eg. PCI, Firewire, ...) and somebody can happily dump your memory.

    Yeah, and, I am sure that, if someone went through the trouble of getting a warrant, raid the facility, etc, will not be deterred by some glue, there are good solvents, for example, some even nonconducting, not to mention it can be done simply by connecting to some soldering points on the MB.

  • This thread takes the security paranoia to whole new level.

    Thanked by 1sleddog
  • WilliamWilliam Member
    edited August 2015

    Maounique said: not to mention it can be done simply by connecting to some soldering points on the MB

    eh, show me a modern MB with a pinout/header for RAM or any DMA port except Firewire/Thunderbolt (which both can be disabled in BIOS) - Modern PCBs are 4layer+ and have no pins on the bottom anymore either. Further you'd need to remove the mobo to get there (which is next to impossible without shutdown, due to weight and cabling and you'll likely short it) unlike with a PCIe port that is accesible from top easily.

    Solvent will also not really help you, the glue will then run into the slot and make it very hard still to access any pin outs. You could also glue in some shitty PCIe cards (SATA or USB controllers for example) instead, then this is not possible at all anymore.

    There is no 100% security but this would make it extremely hard, up to "almost impossible".

  • WilliamWilliam Member
    edited August 2015

    jackhackett said: @William you know nothing about vps, go get a godaddy shared hosting package, it's more your level

    Yep, i totally didnt work 5 years for various datacenters and VPS providers and ran my own for 3 years, nope, i clearly have no idea :)

    What about you shut up, the logout button is up there somewhere ^^^

  • hostnoobhostnoob Member
    edited August 2015

    on the other hand $7agency = LEB/LET

  • I know how to keep your data secure!

    Go to your local electronic parts store, buy a few switches, tape it on your server and voila!

    You now have 1 byte of 100% secure storage!

  • @Jonchun said:
    Might be better to just host it on a ultra low end dedi

    LOL... does that even exist?

  • @doghouch said:

    yea lots of people doing rpi hosting and colos. pricing on atoms can be as low as some vps

  • @Jonchun said:
    yea lots of people doing rpi hosting and colos. pricing on atoms can be as low as some vps

    Still, if someone really wanted that data, they could go to the DC and steal the SSD/HDDs :)


    On the side note, it would still be safer to use a safe with your data written on paper.

  • doghouch said: Still, if someone really wanted that data, they could go to the DC and steal the SSD/HDDs :)

    They've got security guards there. Better to just go to the guy's house and force it out of him.

    Pwner said: This thread takes the security paranoia to whole new level.

    Did I do OK?

  • draziloxdrazilox Member
    edited August 2015

    Ole_Juul said: They've got security guards there. Better to just go to the guy's house and force it out of him.


    Thanked by 1immanis
Sign In or Register to comment.