What are the dangers of using a virtual private server (VPS) that I do not own?
Someone on a mail list offered to let me host my website on his Linux VPS for free, and gave me non-root ssh access through ssh key.
What is the worst case scenario? What steps can I take to avoid that?
So far, I only ssh into a Heroku app, and then ssh into the VPS from Heroku with the ssh key. I only view the files on the VPS with Lynx web browser on the VPS.
Thank you.
There is always a risk when connecting to a server with any client software. Suppose that the client (ie OpenSSH or PuTTY) holds data from the server in a buffer with poor bounds checking... it might then be possible for the server to remotely execute code on the client machine.
All software has errors, so it is not impossible to think that an exploitable vulnerability exists in your client. For this reason it is wise to be very careful connecting to machines that you actively distrust.
Sever software tends to be at a greater risk since anyone can try to attack it any time. Client software is still software though, and connecting outwards provides an opportunity for the server to attack the client.
Mitigations like using ASLR and the DEP on your SSH client and always keeping the client machine up to date on software patches are probably sufficient to prevent casual attacks. Disabling privacy eroding features like agent forwarding is pretty smart. X11 is disgustingly bloated and insecure... so do not use X forwarding under any circumstance.
PS. Regarding using a disposable middle man computer to connect to the VPS: maybe try using a different SSH client on each, like PuTTY to connect the Heroku app, then OpenSSH to the VPS. What are the odds both clients have an exploitable bug that the attacker knows about?
PSS. One of the answers to this question mentions a real attack on the OpenSSH cleint: Connecting to a compromised server
Here is what I found about ssh.
Are there any risks associated with SSH agent forwarding?
Risks of ssh to an untrusted host?
meh. It is a risk anyway, but I guess that server can't directly hack my laptop unless ssh get hacked or I use X11 forwarding.