Security concerns with some of these providers?

Hello,

Long time lurker here and really enjoy all of the information that everyone shares on their experiences, setups, solutions, etc. This is a really great community.

I'm currently using Cloud9 for some Rails and Meteor development projects but the problem is that I'm an individual developer with many, many different projects. Even more so when I outsource different parts and thus have projects to evaluate and merge. This does not work well with Cloud9 because their fees are enormous (to an indie guy like me) once you start needing any reasonable number of private workspaces.

So I decided to get my own server (or VPS) where I can either load up the Cloud9 software (because it's open source) or I can use Cloud9 and connect to my server via SSH.

I'm looking at Delimiter, Bolt, and OpenTerminals if it matters, but fundamentally the question is about security. I'm not writing any apps that are earth-shatteringly important, but I also don't want to find my code/apps popping up because the data I stored in a VPS or even a dedicated server was swiped. This same thing applies even to Cloud9 or anywhere else that could be compromised, of course, but they have the luxury of scale, public transparency, etc., so at least the concern of them swiping code is unlikely at best. These small and cheap hosting companies, I'm sure as sure of.

Just looking for some advice or additional info on some of these companies that might help me feel a little more comfortable that they have better things to do (like manage their infrastructures) than care about swiping my code. Or that they have policies, procedures, and/or auditing in place to help prevent such occurrences from nefarious employees.

Thanks!

Zookie


Comments

  • Even OVH and Hetzner were hacked once :( it's probably a good idea to get a dedicated server and to use encryption so that when the server is turned off, all your stuff is safe.

    If it's about employees.. well.. then I'd say the bigger the company the less likely someone is snooping on your server (= rules out every provider here :P ). But it's not easy to snoop on dedicated servers anyway and you hopefully also use encryption for your connections. :p

  • zookie said: the question is about security

    As a rule of thumb, you are better off with a dedicated server rather than a VPS. With a dedicated server you control access to the system; if you lock down the box, then you'll see if anyone comes in.

    With a VPS, a dubious hosting company can enter your VPS, mount your disk, replicate your disk without your knowledge because they have access to the underlying infrastructure through the host node.

    Delimiter's employees are all based in our office in London; there are no teleworkers, third-party contractors, outsourced support, etc. When they enter a host node, it's done in an audited fashion: the session is logged and an event is generated for the access.

  • The larger the company the better. Like the other two guys said, it would be better to go with a dedicated server simply because you have more control over the security of your system and you can see who accesses your server and so on.

  • If you find any honest provider that has low prices in the lowend market that won't snatch your code, you are lucky, but I wouldn't steal your code. Being a developer myself, it insults me when someone steals the code I have worked hard on, and now I am a VPS provider I still hold to that value and the value of being honest.

  • We rarely know what our clients are using our services for. The only times we know are if we receive abuse reports or if they get suspended for abusing some resource/spamming/DoS. And that's only so we can help them diagnose what was the cause of the abuse. I mean, I've only ever popped into a VPS when asked, done whatever it is I was instructed, and left. If you're with any reputable provider, it'll be similar/the same.

    There's not much you can do on an OVZ VPS to keep the provider out. With KVM, you can encrypt your data, and that will help under certain circumstances. Heck, even with a dedicated server, a provider could technically "break" into your server. It's really more about: your data isn't worth the potential lawsuit/loss of business and we're (we referring to most providers) not here to scam people.

    If you're looking for some more security, go KVM or with a dedicated server.

  • @zookie one final question: you aren't related to the sapdfr thing and Palm Beach games, are you? As I know that one of the support reps on there has the same username, zookie.

  • If you are worried, get a dedi with encryption, is minimal imo...

  • Thank you for the responses. The dedicated option seems like the route to go since, with encryption, that's about as far as I should probably need to care. Like I said, not like my code drives publicly traded companies or anything like that. And thanks to LEB it looks like I have some great options in the dedi area as well.

    Can you tell me more about the encryption side of this? So I get a dedicated server and are we saying to enable encryption of some sort (package name?) within Ubuntu or CentOS, or is there something I do in the control panel to encrypt the array or something like that? That's probably a ridiculously simple question, and while I've done plenty of Linux admin, I've never had to encrypt individual VMs. We've done it at the SAN level.

    @timnboys nope, I'm not related to or even know what either of those people/companies are. But it sounds like I might need a new username!

    Thanks!

  • @zookie said:

    https://wiki.centos.org/HowTos/EncryptedFilesystem

    Basically, just Google "OS encrypt filesystem"

  • Thanks. At least I didn't get a LMGTFY link. Lol

  • @MarkTurner said:
    With a dedicated server you control access to the system

    Though if you are paranoid make sure you use encryption for all sensitive data (absolutely all data where possible). This way even if a bad agent in the DC physically accessed the drives the data would be no use to them.

    Also make sure the keys are never stored at that end. This means you need to be "present" if the machine is ever rebooted so that you can provide the keys, which will preclude 100% encryption if you don't have remote KVM access.

    The likelihood of someone knowing and caring about what you have stored on the server/VM is very very small though, and if the data/code/other you hold on a host is particularly valuable (and publicly known to be valuable) then you'll be paying for more explicitly secure hosts that you can audit. There are a limited number of things that a bad agent could scan for efficiently enough to be worth the effort though, like bitcoin wallets, so keep them safe (encryption, good passphrases, ...) just in case.

    Standard rules apply of course: don't use the same credentials on all your servers, and be careful to limit what can be accessed by key-based auth where possible, just in case one is somehow hacked and could then be used to access others.
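
The advice in the last comment (never keep the keys on the server, so someone has to supply them at every reboot) can be checked on a Linux host by reading `/etc/crypttab`. The script below is an added example, not part of the thread; the sample entries and the function names `classify_crypttab` and `no_keys_on_server` are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag crypttab entries whose key material lives on the server.
# crypttab fields: <name> <device> <keyfile> <options>
# A keyfile of "none" or "-" (or an omitted field) means the passphrase is
# typed in at unlock time, so nothing secret is stored on the machine.

# Constructed sample input, not taken from any real host.
SAMPLE_CRYPTTAB='# <name>  <device>        <keyfile>            <options>
data      UUID=1111-aaaa  none                 luks
backup    /dev/sdb1       /root/backup.key     luks
swap      /dev/sda3       /dev/urandom         swap,cipher=aes-xts-plain64
scratch   /dev/sdc1       -                    luks,noauto
archive   /dev/sdd1
media     /dev/sde1       /etc/keys/media.key  luks,nofail
'

# Reads crypttab text on stdin, prints "<name> <verdict> [keyfile]" per mapping:
#   interactive  passphrase supplied at unlock, nothing stored server-side
#   ephemeral    fresh random key each boot (typical for swap)
#   stored       key file on the server: whoever copies the disks has the key
classify_crypttab() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        {
            key = (NF >= 3) ? $3 : "none"    # omitted keyfile field == none
            if (key == "none" || key == "-")
                print $1, "interactive"
            else if (key == "/dev/urandom" || key == "/dev/random")
                print $1, "ephemeral"
            else
                print $1, "stored", key
        }
    '
}

# Exit status 0 only when no mapping keeps its key on the server.
no_keys_on_server() {
    classify_crypttab | awk '$2 == "stored" { bad = 1 } END { exit bad + 0 }'
}

# Demo on the constructed sample. On a real host:
#   classify_crypttab < /etc/crypttab
printf '%s' "$SAMPLE_CRYPTTAB" | classify_crypttab
```

Entries reported as `stored` are the ones a provider with disk access could unlock without you; `interactive` entries are the ones that need remote console access after a reboot.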
