How secure is this VPS?

How secure is a KVM VPS with an encrypted LVM installation, LUKS passphrase entry over a VNC console, and SSH on a random high port with root login disabled and key-file-only login?

What are the methods by which a host can access/snoop the data on this VPS, and what are the possible solutions to prevent this?

I can already think of two such methods:

  1. Keylog the VNC console - which can be tackled by using dropbear SSH: http://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/ but dropbear SSH has its own issues.

  2. Take a memory dump of the virtual machine and search it for encryption keys and passphrases.

How difficult is it for the hosting providers to implement the above methods? Can this be pulled off without customers being suspicious of anything?

Similar threads:

http://lowendtalk.com/discussion/13275/securing-your-unmanaged-vps-vps-provider-threats-and-mitigations

http://serverfault.com/questions/484707/is-it-possible-to-have-a-100-secure-virtual-private-server

I would like to take it from where they left.

Please note:

I am asking only about KVM VPS and not about OpenVZ. I am not paranoid, nor do I have any sensitive information to protect or something to hide. I trust my hosting providers and I know that they have no interest in customers' data and have much better things to do than to snoop on their customers' VPS. I also know that I am not someone so special, out of hundreds or thousands of clients, that my host will be interested in my data. I know that I should get a dedicated server (colo my own server, host it at my home, disconnect it from the internet, wipe out the hard disks, turn off the server) if I am so concerned about security. And I am also aware that there is nothing like 100% security.

All this aside, I want to know if it's possible to stop/make it difficult for hosts to access the data on the vps.

Please avoid Comments like:

"What do you have to hide"

"Don't use OpenVZ, use KVM vps"

"Don't use a vps, get a dedicated server"

"What makes you think you are so special that the hosts will be interested in you"

"Don't connect it to the internet, cut the ethernet cable"

"Don't be so paranoid and get a life"

"Remove your tinfoil hat"

"Turn off the vps, erase the hard drive"

"Host it at your home, protect your server with a gun"

"There is nothing like 100% security"

"Get a reliable host, trust your hosting provider"

"Colo your own hardware"

"Hosts have got better things to do than to look at your VPS"

"if someone else has physical access to a machine, then there is no security/privacy"

etc, etc ......

Any relevant and specific comments are appreciated.

Additional references:

http://lowendtalk.com/discussion/12381/openvz-vs-other-virtualization-offers-ratio

http://lowendtalk.com/discussion/9910/kvm-xen-privacy

http://lowendtalk.com/discussion/15222/what-do-you-think-of-vps-security

http://lowendtalk.com/discussion/2253/building-the-ultimately-secure-vps-add-to-this-list

http://lowendtalk.com/discussion/12942/avoid-openvz-snooping

Thanked by: plumberg

Comments

  • A memory dump can be taken at any time from a KVM VM without you having any idea.

    Thanked by: Atomic7
  • @serverian said:
    A memory dump can be taken at any time from a KVM VM without you having any idea.

    Can this be done without rebooting the vps and even if the vps is encrypted? How difficult is it to search the memory dump for the encryption keys and passphrases and decrypt the vps?

  • Neoon Community Contributor, Veteran

    @serverian also when you encrypt memory?

  • serverian Member
    edited November 2013

    @Atomic7 said:
    Can this be done without rebooting the vps and even if the vps is encrypted? How difficult is it to search the memory dump for the encryption keys and passphrases and decrypt the vps?

    It can get dumped without disturbing the VM. I don't know about searching for keys. I'd imagine that would be easy for someone who knows what they are doing.

    Edit: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.87.7761&rep=rep1&type=pdf

    Thanked by: Atomic7
  • gsrdgrdghd Member
    edited November 2013

    @Infinity580 said:
    serverian also when you encrypt memory?

    How exactly would one "encrypt memory"?

    The obvious protection against memory dumps would be to only store the key in the CPU cache, but I doubt that this can be done from inside a virtual machine.

  • Neoon Community Contributor, Veteran

    When you want to encrypt your drive, debian offers you also to encrypt your memory, or am I wrong?

  • @Infinity580 said:
    When you want to encrypt your drive, debian offers you also to encrypt your memory, or am I wrong?

    Yeah, right before encrypting the IP address option.

  • @serverian said:
    It can get dumped without disturbing the VM. I don't know about searching for keys. I'd imagine that would be easy for someone who knows what they are doing.

    Edit: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.87.7761&rep=rep1&type=pdf

    @serverian Thanks a lot for the link. What are the other methods by which this VM can be accessed? How would you gain access to this VM?

  • Maounique Host Rep, Veteran
    edited November 2013

    serverian said: Yeah, right before encrypting the IP address option.

    LOL :P

    It can be that even your dedi is decrypted without you knowing.
    There are hardware tools that can be attached in various ways and intercept the bus, you will not even know they are there (of course, most require a reboot, but a power failure can be easily faked or they can be there from the start).
    Once the memory is dumped, all bets are off. For any encryption key to work, you need to have the keys stored some place, and memory is the most convenient way. There can be complex schemes to always change the location, to use various "salts", but, eventually, it will be decrypted: even if you run some in-house scheme, the decrypt program must also stay in memory, and the way it reads the key, and from where, can be determined.
    If you need safe data, don't keep it on the internet. I keep my backups encrypted as containers and I mount them remotely if I ever need them. This way, the key is not stored outside my device and the traffic is only of encrypted blocks, also encrypted over ssh, so it won't help anyone.
    Nothing is secure 100%, it all depends on how powerful and determined the adversary is, but you can make it unfeasible at this time.

    Thanked by: Atomic7
  • It's called DMA and works on Firewire and Thunderbolt (as well as Hotswap PCIe and PCard/PCMCIA) - Allows full Read/Write to all memory and can dump keys from any server.

    Memory can be dumped from KVM/Xen/VMWare from the host at any time and copied for later search. You cannot encrypt the key/memory. CPU is virtual on QEMU/KVM, key can be read out there (and it has no security caps anyway, so you can't store any securely, that's high-end technology even in normal CPUs)

    Thanked by: Atomic7, vRozenSch00n
  • gsrdgrdghd Member
    edited November 2013

    TRESOR protects you against most of those cold-boot/memory dump attacks, although it's still experimental.

    Thanked by: Atomic7
  • Neoon Community Contributor, Veteran
  • @Maounique How difficult is it to extract the encryption keys from the memory dump? How difficult is it to keylog a VNC console? What are the merits and demerits of automatically unlocking LUKS encrypted drives with a keyfile: http://ubuntuforums.org/showthread.php?t=837416 ? How would you gain access to this machine?

    PS: I am asking all this just out of curiosity and I want to understand things. Any help is appreciated.

  • Maounique Host Rep, Veteran
    edited November 2013

    It is not that hard to extract the key from memory; even if you use a homebrew scheme for which there is no available code to be referenced, the memory also contains the program that reads the key, and that has to know where to get the key for the system to function. It will involve some trained technicians, not everyone can do it, but it has a 100% success rate.

    As for the VNC console, that is easy, it is a software which fakes a keyboard and mouse, all those calls can be read at any time, recorded and played back. You are absolutely defenseless there.

    As for how secure is using a file on the disk to unlock the volume, it is like leaving the keys in the lock...

    Thanked by: Atomic7
  • @Maounique said:
    It is not that hard to extract the key from memory; even if you use a homebrew scheme for which there is no available code to be referenced, the memory also contains the program that reads the key, and that has to know where to get the key for the system to function. It will involve some trained technicians, not everyone can do it, but it has a 100% success rate.

    As for the VNC console, that is easy, it is a software which fakes a keyboard and mouse, all those calls can be read at any time, recorded and played back. You are absolutely defenseless there.

    As for how secure is using a file on the disk to unlock the volume, it is like leaving the keys in the lock...

    @Maounique Thanks a lot for answering my queries. For the VNC console, is it the same thing even if you are logging in from a desktop client? Yeah, and that's what I thought about unlocking the disks from a keyfile, thanks for making that clear. Are there any other methods by which this VM can be accessed?

  • Maounique Host Rep, Veteran

    Atomic7 said: For the VNC console, is it the same thing even if you are logging in from a desktop client?

    I do not understand the question.
    My answer above means that VNC console is a piece of software which communicates with the server and which can be intercepted because it sends mouse movements and key codes. Those are sent to the VM and can be intercepted before they are passed to the VM at least, considering all the other channels are secured which is doubtful. It can also be rigged so it sends a copy of all that to another recipient or even store that data in case it will be used later.

    Thanked by: Atomic7
  • Very secure. =-D

    Thanked by: Atomic7
  • @Maounique said:
    My answer above means that VNC console is a piece of software which communicates with the server and which can be intercepted because it sends mouse movements and key codes. Those are sent to the VM and can be intercepted before they are passed to the VM at least, considering all the other channels are secured which is doubtful. It can also be rigged so it sends a copy of all that to another recipient or even store that data in case it will be used later.

    What about TightVNC? Their faqs page says it encrypts the VNC passwords sent over the net: http://www.tightvnc.com/faq.php

  • TightVNC encrypts VNC passwords sent over the net; the rest of the traffic is sent as is, unencrypted.

  • @gsrdgrdghd said:

    TightVNC encrypts VNC passwords sent over the net; the rest of the traffic is sent as is, unencrypted.

    Yes, I get that. But does that mean it encrypts only the passwords sent between the desktop client and the tightvnc server or all the passwords sent over VNC from the client? I just want the passwords to be encrypted, I use VNC only to enter the LUKS passphrase, I don't use VNC for anything else.
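To make concrete what Maounique's point about intercepted key codes and gsrdgrdghd's point about TightVNC mean for the passphrase question, here is an added example (mine, not code from anyone in this thread) that decodes a constructed RFB (VNC protocol) client-to-server stream. The only thing standard VNC Authentication protects is the VNC password itself, via a DES challenge/response; every keystroke after that travels as a KeyEvent message carrying the plain X11 keysym, so an observer on the path, or on the host side of the console, recovers typed text as shown. The captured session below is constructed (the passphrase "hunter2" is a sample), and the message layouts follow RFB 3.8.

```python
"""
Decode RFB (VNC) client-to-server traffic to show what an in-path observer
sees after authentication: KeyEvent messages carry each keystroke as a plain
keysym. Added example, not from the thread; the session below is constructed.
"""
import struct

# RFB 3.8 client-to-server message types
SET_PIXEL_FORMAT, SET_ENCODINGS, FB_UPDATE_REQUEST = 0, 2, 3
KEY_EVENT, POINTER_EVENT, CLIENT_CUT_TEXT = 4, 5, 6
FIXED_LENGTH = {SET_PIXEL_FORMAT: 20, FB_UPDATE_REQUEST: 10,
                KEY_EVENT: 8, POINTER_EVENT: 6}
NAMES = {0: "SetPixelFormat", 2: "SetEncodings", 3: "FramebufferUpdateRequest",
         4: "KeyEvent", 5: "PointerEvent", 6: "ClientCutText"}
XK_RETURN = 0xFF0D   # X11 keysym for Enter, as VNC clients send it


def key_event(keysym: int, down: bool) -> bytes:
    """KeyEvent: type, down-flag, 2 bytes padding, 4-byte keysym (big-endian)."""
    return struct.pack(">BBxxI", KEY_EVENT, int(down), keysym)


def pointer_event(button_mask: int, x: int, y: int) -> bytes:
    """PointerEvent: type, button mask, x, y."""
    return struct.pack(">BBHH", POINTER_EVENT, button_mask, x, y)


def fb_update_request(incremental: bool, x: int, y: int, w: int, h: int) -> bytes:
    """FramebufferUpdateRequest: type, incremental flag, x, y, width, height."""
    return struct.pack(">BBHHHH", FB_UPDATE_REQUEST, int(incremental), x, y, w, h)


def parse_client_messages(stream: bytes) -> list[tuple]:
    """Walk a post-handshake client stream and return one tuple per message."""
    messages, pos = [], 0
    while pos < len(stream):
        mtype = stream[pos]
        if mtype == SET_ENCODINGS:                 # variable length: 4 + 4 per encoding
            (count,) = struct.unpack_from(">H", stream, pos + 2)
            length = 4 + 4 * count
        elif mtype == CLIENT_CUT_TEXT:             # variable length: 8 + text
            (text_len,) = struct.unpack_from(">I", stream, pos + 4)
            length = 8 + text_len
        elif mtype in FIXED_LENGTH:
            length = FIXED_LENGTH[mtype]
        else:
            raise ValueError(f"unknown client message type {mtype} at offset {pos}")
        if pos + length > len(stream):
            raise ValueError(f"truncated {NAMES[mtype]} at offset {pos}")
        body = stream[pos:pos + length]
        if mtype == KEY_EVENT:
            _, down, keysym = struct.unpack(">BBxxI", body)
            messages.append(("KeyEvent", bool(down), keysym))
        elif mtype == POINTER_EVENT:
            _, mask, x, y = struct.unpack(">BBHH", body)
            messages.append(("PointerEvent", mask, x, y))
        elif mtype == CLIENT_CUT_TEXT:
            messages.append(("ClientCutText", body[8:].decode("latin-1")))
        else:
            messages.append((NAMES[mtype],))
        pos += length
    return messages


def keystrokes_in_clear(stream: bytes) -> str:
    """Reassemble the text typed into the console from key-down events only."""
    out = []
    for msg in parse_client_messages(stream):
        if msg[0] != "KeyEvent" or not msg[1]:
            continue
        keysym = msg[2]
        if 0x20 <= keysym <= 0x7E:          # printable Latin-1 keysyms equal ASCII
            out.append(chr(keysym))
        elif keysym == XK_RETURN:
            out.append("\n")
    return "".join(out)


def build_sample_session() -> bytes:
    """Constructed capture: a screen refresh, a typed passphrase, Enter, a click."""
    stream = fb_update_request(False, 0, 0, 800, 600)
    for ch in "hunter2":                    # constructed sample passphrase
        stream += key_event(ord(ch), True) + key_event(ord(ch), False)
    stream += key_event(XK_RETURN, True) + key_event(XK_RETURN, False)
    stream += pointer_event(0, 10, 20)
    return stream


if __name__ == "__main__":
    print(repr(keystrokes_in_clear(build_sample_session())))
```

Tunnelling the VNC connection over SSH (or running it on a loopback-only port reached through a tunnel) closes the network path, but it does nothing about the interception point Maounique describes, where the host's console software injects the key codes into the VM.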

  • Encrypt your data with true crypt hidden volume before uploading to your server. So in case you are brutally tortured you'll only spill the pass phrase to the hidden volume with bogus data. That's about the safest you'd be from your host or anyone else accessing your data on a remote server in a remote location that you yourself don't control.

  • So in case you are brutally tortured you'll only spill the pass phrase to the hidden volume with bogus data.

    Thanked by: tchen, vRozenSch00n
  • @Vpscraze said:
    Encrypt your data with true crypt hidden volume before uploading to your server. So in case you are brutally tortured you'll only spill the pass phrase to the hidden volume with bogus data. That's about the safest you'd be from your host or anyone else accessing your data on a remote server in a remote location that you yourself don't control.

    Did you at least read the main post? This is just for learning purposes. I am not trying to achieve anything here and I usually don't encrypt my boxes. I am aware of the limitations and shortcomings of remote VMs. I am just looking at the possibilities to make the VPS as secure as possible.

    @gsrdgrdghd said:

    LOL! I was waiting to post this!

  • tchen Member
    edited November 2013

    @atomic7

    http://www.anfractuosity.com/2011/09/12/inspecting-memory-of-a-virtual-machine-kvm/

    'Volatility' (broken link) in blog post is in reference to the volatility framework.

    https://code.google.com/p/volatility

    Thanked by: Atomic7
  • @tchen thanks a lot for the link. Really useful!

  • emg Veteran

    @Atomic7 - Capturing memory from a running VPS has been discussed above, but you also asked about locating the keys. Search for this academic paper: "Playing hide and seek with stored keys", written by Adi Shamir and Nicko van Someren. They are respected cryptographers. Adi Shamir is the "S" in the RSA algorithm. I remember this paper from when it was first published. Since then, there has been subsequent work in this space. Attacks only get better over time.

    Thanked by: tchen, Atomic7
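The paper emg cites is also the answer to Maounique's earlier point that a key cannot be hidden in a dump by masking or relocating it. Its core observation is statistical: random key bytes have a much higher byte entropy than the code, text and zeroed pages around them, so a sliding-window entropy scan over a memory image marks the key's location without knowing anything about the program that uses it. The following added example (mine, not from the thread or the paper's authors) implements that scan over a constructed 4 KiB "memory dump" containing a fixed sample key and a copy of the same key XORed with a constant mask; both are found, which is exactly why "encrypting the key in memory" with another in-memory secret buys nothing. The window size, threshold and sample data are my assumptions.

```python
"""
Locate likely key material in a memory image by byte entropy, after Shamir
and van Someren, "Playing hide and seek with stored keys" (1999).
Added example, not from the thread; the memory image below is constructed.
"""
import math
from collections import Counter

WINDOW = 32        # AES-256 key length; the scan slides a window of that size
THRESHOLD = 4.75   # bits per byte; 32 random bytes score close to 5.0 (log2 32)


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte over the byte-value distribution."""
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def find_high_entropy_regions(image: bytes, window: int = WINDOW,
                              threshold: float = THRESHOLD) -> list[tuple[int, int]]:
    """Return merged (start, end) byte ranges whose windows reach the threshold."""
    regions: list[tuple[int, int]] = []
    for offset in range(len(image) - window + 1):
        if shannon_entropy(image[offset:offset + window]) >= threshold:
            end = offset + window
            if regions and offset <= regions[-1][1]:
                regions[-1] = (regions[-1][0], end)   # overlaps the current region
            else:
                regions.append((offset, end))
    return regions


# Constructed 32-byte sample key (a fixed literal so the run is deterministic;
# output of os.urandom would score the same way).
SAMPLE_KEY = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")
# "Hiding" the key under a constant XOR mask keeps the byte distribution
# intact, so the masked copy has exactly the same entropy.
MASKED_KEY = bytes(b ^ 0x5A for b in SAMPLE_KEY)
KEY_OFFSET = 1024      # where the sample image places the key
MASKED_OFFSET = 3072   # where it places the masked copy


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'dump': zero pages, text, code-like bytes, two keys."""
    zeros = bytes(512)
    text = (b"lorem ipsum dolor sit amet " * 40)[:512]
    code = bytes([0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10]) * 64
    image = bytearray(zeros + text + code + zeros + text + code + zeros + text)
    image[KEY_OFFSET:KEY_OFFSET + len(SAMPLE_KEY)] = SAMPLE_KEY
    image[MASKED_OFFSET:MASKED_OFFSET + len(MASKED_KEY)] = MASKED_KEY
    return bytes(image)


if __name__ == "__main__":
    for start, end in find_high_entropy_regions(build_sample_image()):
        print(f"candidate key material at 0x{start:04x}-0x{end:04x}")
```

Real images are noisier than this sample (compressed data and certificates also score high), which is why the paper and later tools add structural checks such as recognising an expanded AES key schedule; the entropy pass is the cheap first filter. The practical defence the thread converges on is keeping the key out of guest RAM altogether (TRESOR-style register storage or hardware-backed keys), not rearranging it inside RAM.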
  • @emg Thanks for the reference. I'll definitely go through those papers. Since you're also interested in this subject, keep posted if you come across anything interesting and useful.

    Just something to think about: http://en.wikipedia.org/wiki/Homomorphic_encryption

  • SpeedyKVM Banned, Member
    edited November 2013

    It doesn't matter how secure your disk encryption is because any data that is going onto the vps has to traverse the Internet and any amount of encryption you can manage on your ~2ghz cpu can be cracked by the FBI in real time when they're mirroring your port. There is no such thing as a secure shared environment.

    Thanked by: painfreepc