7

I am looking to buy a dedicated server for my web application. But I am concerned about the security of my application code and about who can access my server, even a dedicated server. As the hosting provider provides me with a pre-installed OS, I am concerned about the hosting provider's access to my server even if I change the password.

Is there any chance of the hosting provider accessing my server in any case?

Ashwin Mekala
  • 7
    Unless you own the physical hardware, and keep it in your own building / datacenter (or at the very least, keep it in a locked cage that only you have access to): Yes, there's always the chance that someone could get the data off of it. – David W Apr 18 '14 at 14:58
  • 9
    If an attacker gains physical access to your hardware, they will be able to do basically anything. Encryption can be rendered moot (as they could access memory and read out keys). If you **consider your hosting provider an attacker**, I'd suggest a different provider. – Nick T Apr 18 '14 at 15:53
  • 1
    `Is there an chance to access my server by hosting provider in any case?` - Yes. In every case. If you don't own or control the hardware then the entity that does has some level of access to it at all times. But just because they can doesn't mean they will. The difference is between can they and will they? Q: Can they access it at some level? A: Of course they can. Q: Will they take advantage of that for nefarious purposes? A: Probably not. – joeqwerty Apr 18 '14 at 22:47
  • Some providers install software which allows them 'management access' to the node. 'management access' can be used maliciously, in which case we call it by its other name, a 'backdoor'. – Stefan Lasiewski Apr 18 '14 at 23:25
  • If you are this worried, seriously, get a server of your own, and buy Colocation space. It's likely to not be much more expensive than what you pay for a dedicated server. You can get a cheapy low-power server for a few hundred bucks, a mac mini for around the same, or a real server for several thousand, or a used real server off ebay or craigslist (usually someone getting new servers for their colo/dc). I've had success with all of the above. – SnakeDoc Apr 19 '14 at 18:05

7 Answers

22

Yes, they will have access to your server. If virtual, they have access through the virtualization console or container root. If physical, IPMI and out-of-band management provide access. They may have access to your backups. They definitely have access to your disks...

ewwhite
  • Is there any way to stop it or at least make it harder? Something like encryption, but it costs performance with some issues. – Ashwin Mekala Apr 18 '14 at 18:13
  • 6
    Just because they DO have access doesn't mean that they will take advantage of it. – ewwhite Apr 18 '14 at 18:14
  • I know most of them don't take advantage of it, but as I am looking at cheap hosting, I am concerned about protection. – Ashwin Mekala Apr 18 '14 at 18:20
  • 10
    "If you want something in the worst way, that's generally the way you get it." Either you can trust your host or you can't. If you can't, ask yourself whether the money you're saving by using that host is worth the risk. Remember that these are the same people you're trusting to secure your site from outside attacks. – keshlam Apr 18 '14 at 18:55
  • 1
    All they need is access through something like KVM Over IP. Once they have that, they can reboot the server and have it boot into single user mode, or, boot from some live CD and they'll have access to the hard drive. Some providers also install operating systems with modified kernels which allow them to monitor/access the dedicated servers easier (I think HostGator does this). – SameOldNick Apr 18 '14 at 23:19
  • 7
    @ashwinreddy In business we handle this "problem" through contracts and other types of legal agreements. Check your contract with the service provider to ensure that your business data is sufficiently protected. – Michael Hampton Apr 19 '14 at 01:25
  • But do note that a service contract won't stop the NSA. It depends how sensitive the data is and how paranoid you are. – user253751 Apr 19 '14 at 05:08
  • 1
    @immibis This is a site for professionals. Such concerns are not that common in professional environments and the person asking the question should mention explicitly if this concern exists. – Michael Hampton Apr 19 '14 at 15:33
  • 2
    It should also be mentioned that sometimes your provider having access to your box **is** desired. Imagine the scenario where you apply a bad firewall rule and block yourself out?! If you don't have IPMI, then having local "helping hands" be able to assist in getting back up is almost priceless. – SnakeDoc Apr 19 '14 at 18:08
  • As others have mentioned, getting your own server and renting colocation space with a locked cabinet is about as secure as you will get in a data center. Some colo resellers will sell you by the U, others will do a half cab, full cab, etc. If the DC is local, you may even get 24/7 access to the DC and your equipment, which is very nice to have -- if nothing else, only to geek out on all the cool equipment ;-P – SnakeDoc Apr 19 '14 at 18:11
7

In 2000 Microsoft published something very smart that is still (mostly) relevant today: The 10 Immutable Laws of Security, http://technet.microsoft.com/library/cc722487.aspx

Rule number three is "If the bad guy has physical access to your computer it's not your computer anymore."

Fact is you should consider any computer you don't have COMPLETE physical and technical control over a potential target for compromise. Here's a link to think on: http://felipeferreira.net/?p=1259

user216984
6

Depends on the provider.
Usually if you change the password they don't have access anymore.

However: They have physical access.
They can just take out a disk from your RAID1 and have all your data.
They can reboot your server and reset your password, or boot from a CD and read it all, ...

faker
5

If you really need the best privacy you can get, just encrypt the data. As the other answers and comments say, if you don't do that, then there are methods to get the data out of your server.

Florin Asăvoaie
  • Any data encryption suggestions? – Ashwin Mekala Apr 18 '14 at 15:06
  • 4
    @ashwinreddy If the server's going to do anything it's going to need some way to decrypt the data. A determined host would be able to get at it. If you can't trust your host, don't host there. – ceejayoz Apr 18 '14 at 15:18
  • cryptsetup for Linux and TrueCrypt for Windows. @ceejayoz The server can have the master key in RAM but if the server is physical and you reboot it then you do not have a key to decrypt it (unless you misuse data encryption techniques), nor any easy or feasible way to read the data out of it while it is running. – Florin Asăvoaie Apr 18 '14 at 17:27
  • 2
    @FlorinAsavoaie Nope, wrong. Cold boot attacks, side-channel attacks, and so on. There are plenty of ways to extract a crypto key from a machine you have physical access to, and with only minimal technical skills, at that. – HopelessN00b Apr 18 '14 at 17:48
  • @HopelessN00b, while proof of such attacks exists, there are workarounds for them. I am not saying that there is no way on earth that such data could be decrypted but side channel attacks are not as common and easy as you say and cold boot attacks are a bit harder than you imagine if you correctly do encryption (by using TPM and other means). Saying that this is possible with minimal technical skills is an exaggeration. – Florin Asăvoaie Apr 18 '14 at 18:09
  • @FlorinAsavoaie A disreputable host may have rootkitted the entire server prior to giving it to you, logging your keys and doing anything they want with it. There's little to be done against a determined attacker with physical access. – ceejayoz Apr 18 '14 at 18:40
  • 1
    The only way encrypted data on a compromised machine would be secure (attacker must either brute-force or break the algorithm) is if you **never decrypt the data on that machine**, so you're basically left with a fileserver hosting encrypted files. Not very functional. – Nick T Apr 18 '14 at 19:55
4

Yes, they have access to your server.

You could mess around with encryption, a locked cage in a colo, etc. But they can break the locks on the cage, or use DRAC/KVM over IP/whatever. As others have said, if they have physical access to your server they can break into it.

Go with a reputable, high-quality provider, and don't think of it as them having access to your server (which they're backing up for you). Think of it as having minions who will replace bad hardware in the middle of the night for you. If your provider is PCI compliant, this is adequate to the needs of PCI (also HIPAA, FERPA), etc. If your security needs are greater than that, you probably need your own personal data center.

Katherine Villyard
1

Ignoring hardware for a moment, most dedicated hosting providers (on Linux) give you the credentials for the root account, but when they install the OS they create a user in the wheel group for them to log in and perform maintenance when you request it, or for if you're inexperienced and forget your password.

I've yet to come across a provider that doesn't do this (my current one, iWeb, does), but I know with iWeb you can request they remove this.

You can use:

```
getent group root wheel adm admin
```

to list all users on the server in any kind of administrative role e.g. wheel (root permissions), admin etc.

Sam Heather
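Extending the `getent group` check from the answer above, as an added example that is not part of the original answer: `getent group` prints only a group's supplementary members, so an account whose primary group is wheel, or a second UID 0 account, does not appear in its output. The group list, the `admin_accounts` and `write_sample` helpers and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): list every account with
# administrative access. Group names are assumptions; adjust per distro.
ADMIN_GROUPS="root wheel sudo adm admin"

# admin_accounts PASSWD_FILE GROUP_FILE -> "user<TAB>reason" lines, sorted
admin_accounts() {
    awk -F: -v want="$ADMIN_GROUPS" '
        BEGIN { n = split(want, g, " "); for (i = 1; i <= n; i++) admin[g[i]] = 1 }
        FNR == NR {                      # first file: group database
            if ($1 in admin) {
                gid[$3] = $1             # remember GID for the passwd pass
                m = split($4, u, ",")
                for (i = 1; i <= m; i++)
                    if (u[i] != "") print u[i] "\tmember of " $1
            }
            next
        }
        # second file: passwd database. These two cases never appear in the
        # member list that `getent group` prints.
        $1 == "root" { next }
        $3 == 0      { print $1 "\tuid 0 (root alias)" }
        ($4 in gid)  { print $1 "\tprimary group " gid[$4] }
    ' "$2" "$1" | sort -u
}

# Constructed sample data: "hostadmin" stands in for a provider-created
# maintenance account whose *primary* group is wheel.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
hostadmin:x:1000:10:maintenance:/home/hostadmin:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:deploy
adm:x:4:
deploy:x:1001:
www-data:x:33:
EOF
}

sample_dir=$(mktemp -d)
write_sample "$sample_dir"
admin_accounts "$sample_dir/passwd" "$sample_dir/group"
```

On a live host, dump `getent passwd` and `getent group` to two files and pass those to `admin_accounts`, so that accounts from directory services are included as well.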
1

"Dedicated server" + "cheap hosting" means you are renting a virtual server, not your own hardware. Fully dedicated hardware is usually many hundreds of dollars a month.

Virtual servers are fully accessible through the hypervisor / virtualization software, you will never know it happened, and they don't need a local account. Encryption won't help here as the keys are also accessible, and the encryption just announces that you have something to hide.

Co-lo ( co-location ) service providers will give you rack space for your hardware, with the condition that you, not them, are responsible for the hardware service. They will push the power button, but that's about all. If the RAM goes, you drive over to the data center and change it. They still have access to the hardware but they will have to pull the tools out to get to it.

Ultimately, your server's security is a balance between how important/unique your process is, how valuable it is to you, and how valuable it is to others. Generally, data center staff couldn't care less what you are doing until something like excessive bandwidth or a subpoena makes them care.

paul
  • I have never heard of anyone renting "dedicated servers" which are virtualized. Dedicated => the hardware is only used by you. Unless you are being scammed. – faker Apr 19 '14 at 15:06
  • That depends on what you call cheap. It isn't unusual to see dedicated server offers below $30/mo, sometimes below $20 (though usually with an upfront setup fee). It'll not be high spec (an Atom or old Core 2, maybe only 80 GB storage, and so forth), but it'll be real hardware you are renting. For most uses a VPS will give better value, but if you need dedicated kit (to guarantee no IO contention perhaps, or to guarantee stable, predictable performance generally, or so you can encrypt your storage as securely as possible, and so forth) – David Spillett Apr 19 '14 at 21:53