
BudgetNode's host system hit by ransomware / PSA: Secure your IPMIs

brueggus Member, IPv6 Advocate

My VPS with BudgetNode went offline the other day and when I contacted them, I got the following response:

Unfortunately the host was compromised using a vulnerability/flaw in the IPMI and a ransomware encrypting all files was installed demanding a ransom. We then shut off the host to begin investigating.

I was quite surprised that this is still an issue... Malware like JungleSec came up about two years ago so I would expect providers to have their IPMIs secured somehow.

But since I have never rented a dedi, I'm curious what's the "industry standard" for IPMI access. Does one even have IPMI access by default? Is it a public IP? Does one have to connect to a VPN to get access to the IPMI network?

Comments

  • There should at least be some minimal security measures like connected to VPN (which belongs to the network where the IPMI is) first before accessing IPMI, or you need to whitelist your IP first before you can connect to the IPMI, otherwise, your connection will be refused. I'm not an expert on this so take this with a grain of salt.

  • Jesus!

  • Neoon Community Contributor, Veteran
    edited August 2021

    If you colocate machina, you have to secure it; if you fuck it up, it's on you.
    If you rent a machina, they have to secure the IPMI or not even connect it to the dangerous interwebs.

    Question here would be, did he colocate or rent it?

  • jackb Member, Host Rep
    edited August 2021

    @Neoon said:
    If you colocate machina, you have to secure it; if you fuck it up, it's on you.
    If you rent a machina, they have to secure the IPMI or not even connect it to the dangerous interwebs.

    Question here would be, did he colocate or rent it?

    If you rent a machine with IPMI, you have the responsibility to ensure it's secured one way or another, regardless of how it was delivered.

    @brueggus said:
    But since I have never rented a dedi, I'm curious what's the "industry standard" for IPMI access. Does one even have IPMI access by default? Is it a public IP? Does one have to connect to a VPN to get access to the IPMI network?

    There isn't really a standard. Some providers will provision IPMI over their private network and only allow access via their control panel. Some do port forwarding of a public address to the private network, accessible via their panel (I dislike this one, as it looks to the end user like IPMI is locked behind the panel, but actually it's accessible to anyone who finds the public address & port). Some do it on a private network and provide shared VPN access (I dislike this one, as any of their customers can connect and attack your system, and it may be difficult to determine who was responsible). Some do it on a public address with ACLs applied for you to limit it to their office + your endpoint - I think that's quite an effective solution, especially for rented hardware, bonus points if you set up monitoring to ensure it's never accessible. Some do it on a public address without securing it.

    Ultimately you need to be aware of what you're ordering (i.e. is there IPMI, idrac, etc) and ensure it gets secured one way or another.
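    One way to implement the monitoring jackb mentions for the "public address + ACL" model, as an added example that is not part of this thread: it runs from a vantage point that should not be on the provider's ACL and alerts if your own BMC answers at all on the web console port or to an RMCP presence ping on udp/623, and from an allowed vantage point it alerts if the BMC has gone silent (the ACL may have been changed). The BMC hostname, the vantage IP, the ACL ranges and the ports are constructed placeholders.

```python
"""Exposure monitor for a rented server's BMC (IPMI/iDRAC) interface.

Intended to run from a vantage point that is NOT on the provider's ACL
(for example a cheap VPS elsewhere) so that any answer from the BMC is
an alert. Hostnames, ACL ranges and ports are constructed placeholders.
"""
import ipaddress
import socket

# RMCP/ASF Presence Ping, 12 bytes, laid out per the ASF 2.0 RMCP format:
#   RMCP header : version 0x06, reserved, sequence 0xff, class 0x06 (ASF)
#   ASF header  : IANA enterprise 4542 (0x000011be), type 0x80 (Presence Ping),
#                 message tag 0x00, reserved, data length 0
RMCP_PRESENCE_PING = bytes.fromhex("0600ff06" "000011be" "80000000")
ASF_PRESENCE_PONG = 0x40  # type of the reply a BMC sends to a Presence Ping


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds (e.g. the BMC web console)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name resolution failed
        return False


def rmcp_answers(host: str, port: int = 623, timeout: float = 2.0) -> bool:
    """True if the BMC answers an RMCP Presence Ping, i.e. IPMI-over-LAN is reachable."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(RMCP_PRESENCE_PING, (host, port))
            data, _ = sock.recvfrom(64)
    except OSError:  # timeout (socket.timeout is an OSError), ICMP unreachable, bad host
        return False
    # A Presence Pong keeps RMCP class ASF in byte 3 and carries type 0x40 in byte 8.
    return len(data) >= 12 and data[3] == 0x06 and data[8] == ASF_PRESENCE_PONG


def source_allowed(source_ip: str, acl_cidrs) -> bool:
    """Policy side of the 'public address + ACL' model: is this source on the allow-list?"""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(cidr, strict=False) for cidr in acl_cidrs)


def check_bmc_exposure(bmc_host, vantage_ip, acl_cidrs, web_port=443, ipmi_port=623, timeout=2.0):
    """Return a list of findings; an empty list means the BMC behaves as the ACL predicts.

    From a source outside the ACL, any reachability is an exposure finding.
    From a source inside the ACL, *no* reachability is also a finding: the
    ACL (or the BMC) may have been changed without you noticing.
    """
    findings = []
    expected = source_allowed(vantage_ip, acl_cidrs)
    web = tcp_port_open(bmc_host, web_port, timeout)
    lan = rmcp_answers(bmc_host, ipmi_port, timeout)
    if not expected and web:
        findings.append(f"{bmc_host}: web console tcp/{web_port} reachable from non-ACL source {vantage_ip}")
    if not expected and lan:
        findings.append(f"{bmc_host}: IPMI-over-LAN udp/{ipmi_port} answers from non-ACL source {vantage_ip}")
    if expected and not (web or lan):
        findings.append(f"{bmc_host}: unreachable from ACL source {vantage_ip}; verify the ACL is still in place")
    return findings


if __name__ == "__main__":
    import sys
    # Constructed placeholders: your BMC address, the public IP this monitor runs from,
    # and the ranges (provider office + your endpoint) the provider's ACL should permit.
    bmc = sys.argv[1] if len(sys.argv) > 1 else "bmc.example.invalid"
    for finding in check_bmc_exposure(bmc, vantage_ip="203.0.113.10",
                                      acl_cidrs=["198.51.100.0/24", "192.0.2.7/32"]):
        print("ALERT:", finding)
```

    Run it from cron on the outside host and page on any non-empty output; running the same script once from an ACL-listed source gives you the complementary "still reachable where it should be" check, so a provider silently dropping the ACL shows up either way.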

  • Neoon Community Contributor, Veteran
    edited August 2021

    @jackb said:

    @Neoon said:
    If you colocate machina, you have to secure it; if you fuck it up, it's on you.
    If you rent a machina, they have to secure the IPMI or not even connect it to the dangerous interwebs.

    Question here would be, did he colocate or rent it?

    If you rent a machine with IPMI, you have the responsibility to ensure it's secured one way or another, regardless of how it was delivered.

    You can't be 100%, since you don't have control over the network, nor do you have any idea how the network is configured. Yes, you can make obvious checks, but that's it.

  • Clouvider Member, Patron Provider

    People expose IPMI on public IPs still?

  • @dahartigan said:
    Jesus!

    Jesus Christus!

  • gapper Member
    edited August 2021

    I still remember the PageClick fiasco.

    My advice: get out from @Ishaq asap.

  • jackb Member, Host Rep

    @Neoon said:
    You can't be 100%, since you don't have control over the network, nor do you have any idea how the network is configured. Yes, you can make obvious checks, but that's it.

    If you aren't sure, you should ask. Your provider will undoubtedly be happy to help ensure IPMI is secure.

  • Neoon Community Contributor, Veteran

    @jackb said:

    @Neoon said:
    You can't be 100%, since you don't have control over the network, nor do you have any idea how the network is configured. Yes, you can make obvious checks, but that's it.

    If you aren't sure, you should ask. Your provider will undoubtedly be happy to help ensure IPMI is secure.

    Good luck with that; depending on your provider, they won't even check, you just get a canned response. Last time I asked OVH why my dedicated lost power, I ended up wasting my time.

    Even if they state it's secure, it may not be.
    So yada yada.

  • brueggus Member, IPv6 Advocate

    @gapper said: My advice: get out from @Ishaq asap.

    Sounds like a good idea. The server's down for a week now and I haven't received any update so far.

  • @brueggus said:

    @gapper said: My advice: get out from @Ishaq asap.

    Sounds like a good idea. The server's down for a week now and I haven't received any update so far.

    Restore your backups to another server from a more professionally managed operation, and don't look back.

  • Levi Member

    Deadpooled?

  • @LTniger said:
    Deadpooled?

    Confirmed.

  • brueggus Member, IPv6 Advocate

    @dahartigan said:

    @brueggus said:

    @gapper said: My advice: get out from @Ishaq asap.

    Sounds like a good idea. The server's down for a week now and I haven't received any update so far.

    Restore your backups to another server from a more professionally managed operation, and don't look back.

    I already did. I've opened a ticket with their Billing dept. and requested a refund for the remaining 3.5 months I've already paid for. As expected, I got no response at all.

    That's the third provider this year keeping my money while stopping to provide the service. The LowEndGame's not running well for me.

  • raindog308 Administrator, Veteran

    @dahartigan said:

    @LTniger said:
    Deadpooled?

    Confirmed.

    Don't think so...though the practical experience is apparently the same.

    https://www.trustpilot.com/review/budgetnode.com

  • Levi Member

    @brueggus said:

    @dahartigan said:

    @brueggus said:

    @gapper said: My advice: get out from @Ishaq asap.

    Sounds like a good idea. The server's down for a week now and I haven't received any update so far.

    Restore your backups to another server from a more professionally managed operation, and don't look back.

    I already did. I've opened a ticket with their Billing dept. and requested a refund for the remaining 3.5 months I've already paid for. As expected, I got no response at all.

    That's the third provider this year keeping my money while stopping to provide the service. The LowEndGame's not running well for me.

    If you're willing to play the game, you know the risks. Hold on till BF. We will rejoice.

  • Are these problems common for budget type VM hosters?

  • Arkas Moderator

    @airgapped said: Are these problems common for budget type VM hosters?

    I don't think they are more or less common than with other providers. Even large companies get hit with ransomware and don't utilize security for their IPMIs.

  • Thanks
