Difference between revisions of "Hosting"

From the Linux and Unix Users Group at Virginia Teck Wiki
Jump to: navigation, search
imported>Mutantmonkey
(Digital Ocean)
imported>Mutantmonkey
(Digital Ocean)
Line 10: Line 10:
 
* For some reason, [http://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/2814988-give-option-to-use-the-droplet-s-own-bootloader-?page=1&per_page=20 the VPS's bootloader is not used] so users must explicitly prevent the Linux kernel from updating in their package manager. This is particularly concerning because users must wait for DigitalOcean to provide updated kernels after vulnerabilities are discovered. In the case of CVE-2013-2094, a new kernel was not available for over a week.
 
* For some reason, [http://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/2814988-give-option-to-use-the-droplet-s-own-bootloader-?page=1&per_page=20 the VPS's bootloader is not used] so users must explicitly prevent the Linux kernel from updating in their package manager. This is particularly concerning because users must wait for DigitalOcean to provide updated kernels after vulnerabilities are discovered. In the case of CVE-2013-2094, a new kernel was not available for over a week.
 
* Users are limited to the images provided by Digital Ocean and cannot upload their own ISO or use a custom kernel. BSD, Gentoo, and many other Linux distributions are not supported.
 
* Users are limited to the images provided by Digital Ocean and cannot upload their own ISO or use a custom kernel. BSD, Gentoo, and many other Linux distributions are not supported.
* Root passwords are emailed to users in plain text, and [http://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/3566070-add-a-checkbox-to-not-email-root-password there is currently no way to disable this feature]
+
* Root passwords are emailed to users in plain text unless you set up public key authentication.
* There appears to be no network isolation for at least some users, as determined by an IPv6 broadcast ping. ARP poisoning is likely possible.
+
* Initially, there was no network isolation and it was possible to ARP spoof users on the same LAN. This problem has now been resolved.
* There is currently no bandwidth measurement
+
* There is currently no bandwidth measurement (but you are not billed for bandwidth either)
 
* No IPv6 addresses are provided
 
* No IPv6 addresses are provided
 
* In the past, DigitalOcean reused disk images between customers without securely wiping data. This enabled one to extract sensitive information by running <code>cat /dev/vda1 | strings</code>
 
* In the past, DigitalOcean reused disk images between customers without securely wiping data. This enabled one to extract sensitive information by running <code>cat /dev/vda1 | strings</code>

Revision as of 16:37, 25 September 2013

This is an overview of the experiences VTLUUG users have had with various VPS providers.

Linode

Linode offers fairly good specs (1 GB memory, 8 cores, 24 GB storage, 2 TB transfer) for $20 a month, but do not have any cheaper plans. They have a robust management interface with load and bandwidth statistics, DNS management, and allow uploading of custom ISOs.

Linode has had a few security incidents in the past due to a ColdFusion 0-day, but responded reasonably.

Digital Ocean

DigitalOcean is a startup that offers cheap VPS instances, but lacks basic management and security features.

  • For some reason, the VPS's bootloader is not used so users must explicitly prevent the Linux kernel from updating in their package manager. This is particularly concerning because users must wait for DigitalOcean to provide updated kernels after vulnerabilities are discovered. In the case of CVE-2013-2094, a new kernel was not available for over a week.
  • Users are limited to the images provided by Digital Ocean and cannot upload their own ISO or use a custom kernel. BSD, Gentoo, and many other Linux distributions are not supported.
  • Root passwords are emailed to users in plain text unless you set up public key authentication.
  • Initially, there was no network isolation and it was possible to ARP spoof users on the same LAN. This problem has now been resolved.
  • There is currently no bandwidth measurement (but you are not billed for bandwidth either)
  • No IPv6 addresses are provided
  • In the past, DigitalOcean reused disk images between customers without securely wiping data. This enabled one to extract sensitive information by running cat /dev/vda1 | strings
  • DigitalOcean allows users to set rDNS to arbitrary FQDNs without searching for matching A records
  • After many abuse complaints, even if you handle them in a timely manner, they may still lock your account and power off your droplets. You will still be billed for this period.

Prgmr

Prgmr is a discount Xen host used by several VTLUUG members. After Linode's 2013 upgrades, Prgmr is not as competitive at higher price tiers.

OVH (Kimsufi)

The Kimsufi brand is a low cost, low power dedicated server service provided by OVH. It is comprable in cost to many vps providers but is dedicated hardware. OVH has extensive peering issues with the US resulting in poor connections to their France and EU based datacenters. A recently built DC in Canada should help with some of this but will not fully alleviate the issue most likely. They do provide many ISO's with the grsec set of kernel hardening compiled in and IPv6 subnets come with all kimsufi plans. They do have a habit of putting an SSH backdoor on to your server, "so they can help you in the event of a problem" but this just serves as another possible point of failure. US residents also will not have access to the same plans as residents of the EU, who often can recieve much more favorable pricing.