Difference between revisions of "Hosting"
imported>Uncurlhalo (Added OVH stuff) |
(Undo revision 5321 by [[Special:Contributions/imported>Pew|imported>Pew]] ([[User talk:imported>Pew|talk]])) (Tag: Undo) |
||
(19 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
− | This is an overview of the experiences VTLUUG users have had with various | + | This is an overview of the experiences VTLUUG users have had with various hosting providers. |
+ | |||
+ | == Virtual Private Servers == | ||
=== Linode === | === Linode === | ||
− | Linode offers fairly good specs (1 GB | + | Linode offers fairly good specs (1 GB RAM, 1 CPU, 20 GB storage, 1 TB transfer) for $5 a month. They have a robust management interface with load and bandwidth statistics, DNS management, and allow uploading of custom ISOs. |
− | Linode has had | + | Linode has had multiple security-related incidents in the past, one of which was due to a ColdFusion zero-day and resulted in passwords and the last 4 digits of credit card numbers being leaked. Another resulted in $71,000 in BTC being stolen. |
=== Digital Ocean === | === Digital Ocean === | ||
− | DigitalOcean is a startup that offers cheap VPS instances, but lacks basic management and security features. | + | DigitalOcean is a startup that offers cheap VPS instances $5/mo (512MB RAM, 1 core, 1TB transfer, 20GB storage), but lacks basic management and security features. |
* For some reason, [http://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/2814988-give-option-to-use-the-droplet-s-own-bootloader-?page=1&per_page=20 the VPS's bootloader is not used] so users must explicitly prevent the Linux kernel from updating in their package manager. This is particularly concerning because users must wait for DigitalOcean to provide updated kernels after vulnerabilities are discovered. In the case of CVE-2013-2094, a new kernel was not available for over a week. | * For some reason, [http://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/2814988-give-option-to-use-the-droplet-s-own-bootloader-?page=1&per_page=20 the VPS's bootloader is not used] so users must explicitly prevent the Linux kernel from updating in their package manager. This is particularly concerning because users must wait for DigitalOcean to provide updated kernels after vulnerabilities are discovered. In the case of CVE-2013-2094, a new kernel was not available for over a week. | ||
* Users are limited to the images provided by Digital Ocean and cannot upload their own ISO or use a custom kernel. BSD, Gentoo, and many other Linux distributions are not supported. | * Users are limited to the images provided by Digital Ocean and cannot upload their own ISO or use a custom kernel. BSD, Gentoo, and many other Linux distributions are not supported. | ||
− | * Root passwords are emailed to users in plain text | + | * Root passwords are emailed to users in plain text unless you set up public key authentication. |
− | * | + | * Initially, there was no network isolation and it was possible to ARP spoof users on the same LAN. This problem has now been resolved. |
− | * There is currently no bandwidth measurement | + | * There is currently no bandwidth measurement (but you are not billed for bandwidth either) |
− | * No IPv6 addresses are provided | + | * No IPv6 addresses are provided. |
− | * In the past, DigitalOcean reused disk images between customers without securely wiping data. This enabled one to extract sensitive information by running <code>cat /dev/vda1 | strings</code> | + | * In the past, DigitalOcean reused disk images between customers without securely wiping data. This enabled one to extract sensitive information by running <code>cat /dev/vda1 | strings</code>. This problem has now been resolved. |
* DigitalOcean allows users to set rDNS to arbitrary FQDNs without searching for matching A records | * DigitalOcean allows users to set rDNS to arbitrary FQDNs without searching for matching A records | ||
+ | * After many abuse complaints, even if you handle them in a timely manner, they will lock your account permanently, including VPS instances that are were unrelated to the incident. Unless you ask them to disable your account, you will continue to be billed for the time your account is locked. | ||
=== Prgmr === | === Prgmr === | ||
− | Prgmr is a discount Xen host used by several VTLUUG members. | + | [https://prgmr.com/xen/ Prgmr] is a discount Xen host used by several VTLUUG members. Prgmr was originally viewed as very inexpensive, however |
+ | they have not made significant upgrades to their plans in recent years. Hosts like DigitalOcean and Linode that have have | ||
+ | made Prgmr a poor choice for all but their cheapest plans. | ||
+ | |||
+ | Since they are Xen-based, it is possible to use whatever ISO you would like, as well. Recovery options are a debian | ||
+ | Live ISO or a netbsd netboot. Management is only over SSH or a serial console. | ||
+ | === Vultr === | ||
+ | [https://www.vultr.com/ vultr] has pricing comparable to other options, but actually allows you to use your own ISO images, while | ||
+ | Digital Ocean (and others) only allows you to use their existing kvm images. | ||
+ | == Dedicated Servers == | ||
=== OVH (Kimsufi) === | === OVH (Kimsufi) === | ||
− | The Kimsufi brand is a low cost, low power dedicated server service provided by OVH. It is | + | The Kimsufi brand is a low cost, low power dedicated server service provided by OVH. It is comparable in cost to many VPS providers but is dedicated hardware. OVH has extensive peering issues with the US resulting in poor connections to their France and EU based datacenters. A recently built DC in Canada should help with some of this but will not fully alleviate the issue most likely. They do provide many ISO's with the grsec set of kernel hardening compiled in and IPv6 subnets come with all kimsufi plans. They do have a habit of putting an SSH backdoor on to your server, "so they can help you in the event of a problem" but this just serves as another possible point of failure. US residents also will not have access to the same plans as residents of the EU, who often can receive much more favorable pricing. |
+ | |||
+ | === Online.net Dedibox=== | ||
+ | |||
+ | Dediboxes | ||
+ | |||
+ | |||
+ | === Nforce Entertainment (nforce.nl) === | ||
+ | |||
+ | == Colocation == | ||
+ | === Hurricane Electric === | ||
[[Category:Featured content]] | [[Category:Featured content]] | ||
− | [[Category: | + | [[Category:Software]] |
Latest revision as of 20:47, 3 January 2019
This is an overview of the experiences VTLUUG users have had with various hosting providers.
Contents
Virtual Private Servers
Linode
Linode offers fairly good specs (1 GB RAM, 1 CPU, 20 GB storage, 1 TB transfer) for $5 a month. They have a robust management interface with load and bandwidth statistics, DNS management, and allow uploading of custom ISOs.
Linode has had multiple security-related incidents in the past, one of which was due to a ColdFusion zero-day and resulted in passwords and the last 4 digits of credit card numbers being leaked. Another resulted in $71,000 in BTC being stolen.
Digital Ocean
DigitalOcean is a startup that offers cheap VPS instances $5/mo (512MB RAM, 1 core, 1TB transfer, 20GB storage), but lacks basic management and security features.
- For some reason, the VPS's bootloader is not used so users must explicitly prevent the Linux kernel from updating in their package manager. This is particularly concerning because users must wait for DigitalOcean to provide updated kernels after vulnerabilities are discovered. In the case of CVE-2013-2094, a new kernel was not available for over a week.
- Users are limited to the images provided by Digital Ocean and cannot upload their own ISO or use a custom kernel. BSD, Gentoo, and many other Linux distributions are not supported.
- Root passwords are emailed to users in plain text unless you set up public key authentication.
- Initially, there was no network isolation and it was possible to ARP spoof users on the same LAN. This problem has now been resolved.
- There is currently no bandwidth measurement (but you are not billed for bandwidth either)
- No IPv6 addresses are provided.
- In the past, DigitalOcean reused disk images between customers without securely wiping data. This enabled one to extract sensitive information by running
cat /dev/vda1 | strings
. This problem has now been resolved. - DigitalOcean allows users to set rDNS to arbitrary FQDNs without searching for matching A records
- After many abuse complaints, even if you handle them in a timely manner, they will lock your account permanently, including VPS instances that are were unrelated to the incident. Unless you ask them to disable your account, you will continue to be billed for the time your account is locked.
Prgmr
Prgmr is a discount Xen host used by several VTLUUG members. Prgmr was originally viewed as very inexpensive, however they have not made significant upgrades to their plans in recent years. Hosts like DigitalOcean and Linode that have have made Prgmr a poor choice for all but their cheapest plans.
Since they are Xen-based, it is possible to use whatever ISO you would like, as well. Recovery options are a debian Live ISO or a netbsd netboot. Management is only over SSH or a serial console.
Vultr
vultr has pricing comparable to other options, but actually allows you to use your own ISO images, while Digital Ocean (and others) only allows you to use their existing kvm images.
Dedicated Servers
OVH (Kimsufi)
The Kimsufi brand is a low cost, low power dedicated server service provided by OVH. It is comparable in cost to many VPS providers but is dedicated hardware. OVH has extensive peering issues with the US resulting in poor connections to their France and EU based datacenters. A recently built DC in Canada should help with some of this but will not fully alleviate the issue most likely. They do provide many ISO's with the grsec set of kernel hardening compiled in and IPv6 subnets come with all kimsufi plans. They do have a habit of putting an SSH backdoor on to your server, "so they can help you in the event of a problem" but this just serves as another possible point of failure. US residents also will not have access to the same plans as residents of the EU, who often can receive much more favorable pricing.
Online.net Dedibox
Dediboxes