Need Help Please - VPS & Data Centre safety?

umamankandla

Senior Member
Joined
Oct 28, 2018
Messages
704
Reaction score
404
Location
Nkandla
How safe is it to host on a VPS? I recently used a Cloud service provider and got an email from the same company that they like the password I made for the server. If support staff can see my passwords, can't they just copy it down and go home and do what they want? They can also see the IP. Is this normal?
 
It could be that they can see it in their order management system somehow.

Best thing would be to log into the VPS and reset the password directly on the VPS, then nobody but you will know what the password is.
 
A good rule of thumb is if you can recover the password it isn't fully secure.
If you can recover a password, there is access somewhere. In truly secure hosting, backup etc., if you lose the password it should be locked forever.
 
It could be that they can see it in their order management system somehow.

Best thing would be to log into the VPS and reset the password directly on the VPS, then nobody but you will know what the password is.
Thanks, I understand that. The thing is, they can also reset the root user password with a click of a button from the control panel. Yes, I can disable root login, but if they can reset root login, can't they just reset any user login?

This was the most unprofessional experience ever, and when I complained they blocked my VPS.
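The two posts above come down to one practical step: rotate the credential on the box yourself, and stop sshd from accepting passwords at all, so a panel-side "reset root password" button resets something the network login no longer honours. The helper below is an added example, not code from this thread or from any provider; it rewrites an sshd_config the way a practitioner would before reloading sshd. The target values in HARDENED and the sample config are assumptions constructed for the example.

```python
# Added example (not from the thread): switch a VPS's sshd to key-only logins.
# Assumptions: OpenSSH keyword names, and that you already have a public key in
# ~/.ssh/authorized_keys for the account you will keep logging in with.
import re
from typing import Dict, Optional, Tuple

# Target values (assumption for this example). "prohibit-password" keeps a
# key-only root login possible; use "no" to turn root login off entirely.
HARDENED: Dict[str, str] = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "no",
    "KbdInteractiveAuthentication": "no",   # older sshd: ChallengeResponseAuthentication
    "PubkeyAuthentication": "yes",
}
_WANTED = {k.lower(): k for k in HARDENED}  # sshd keywords are case-insensitive

# "Keyword value", "Keyword=value", optionally commented out with '#'.
_DIRECTIVE = re.compile(r"^\s*(#\s*)?([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def _parse(line: str) -> Optional[Tuple[bool, str, str]]:
    """Return (commented, keyword_lowercase, value) or None for blank/other lines."""
    m = _DIRECTIVE.match(line)
    if not m:
        return None
    return (m.group(1) is not None, m.group(2).lower(), m.group(3))


def harden_sshd_config(text: str) -> str:
    """Return the config with every HARDENED directive set exactly once in the
    global section. Existing copies (active or commented out) are replaced in
    place; missing ones are appended before the first Match block, because
    anything after Match is conditional and must not be touched."""
    out, seen, in_match = [], set(), False
    for line in text.splitlines():
        parsed = _parse(line)
        if in_match or parsed is None:
            out.append(line)
            continue
        commented, key, _ = parsed
        if key == "match" and not commented:
            for k in HARDENED:                      # global defaults go before Match
                if k.lower() not in seen:
                    out.append(f"{k} {HARDENED[k]}")
                    seen.add(k.lower())
            in_match = True
            out.append(line)
            continue
        if key in _WANTED:
            if key not in seen:
                out.append(f"{_WANTED[key]} {HARDENED[_WANTED[key]]}")
                seen.add(key)
            continue                                # drop duplicates and commented copies
        out.append(line)
    for k in HARDENED:
        if k.lower() not in seen:
            out.append(f"{k} {HARDENED[k]}")
    return "\n".join(out) + "\n"


def effective_settings(text: str) -> Dict[str, str]:
    """Mimic sshd's rule that the FIRST uncommented occurrence of a keyword wins,
    ignoring Match blocks. Use this to audit a config before trusting it."""
    eff: Dict[str, str] = {}
    for line in text.splitlines():
        parsed = _parse(line)
        if parsed is None:
            continue
        commented, key, value = parsed
        if commented:
            continue
        if key == "match":
            break
        eff.setdefault(key, value)
    return eff


# Constructed sample config (not from any real host). Note the commented-out
# PermitRootLogin followed by an active "yes", and the Match block at the end.
SAMPLE = """\
# constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print(harden_sshd_config(SAMPLE))
    print(effective_settings(harden_sshd_config(SAMPLE)))
```

Write the result over /etc/ssh/sshd_config only after `sshd -t -f <newfile>` passes and a key login works from a second session, then reload sshd and run `passwd` (or `passwd root`) yourself so nobody else holds the new password. This protects the network login only; a provider with console or hypervisor access to the VM can still reach the disk, which is a separate problem.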
 
I'm curious to know how the conversation steered in the direction that they liked your password.
Oh, the answer is very simple. I needed a very unique password that was easy to remember and that had uppercase, lowercase, numbers and special characters. It wasn't a nice password, but it was secure. And the support staff, who had no business accessing my password in the first place, fell hard when I asked why the system wasn't working.
 
To be honest, this isn't the first time my password was accessible to support staff. A telecoms company (based in Midrand) once shared all our passwords with a call centre they use....in India!!!! "Hello this is Microsoft Security your computer has virus give me Google gift cards" is all that shows up on YouTube when you search for a good Indian call centre.

I am actually considering submitting a complaint to the Information Regulator, not only about the host(s) but also about the customers the host(s) have as all their customer data may be at risk. This is why brand new emails you only use for one thing get spammed.

But, is Amazon any different than the local ones? Azure makes the news daily about one hack or the other. Amazon's owner owns a newspaper so he can control the narrative.
 
A good rule of thumb is if you can recover the password it isn't fully secure.
If you can recover a password, there is access somewhere. In truly secure hosting, backup etc., if you lose the password it should be locked forever.
Do you use a VPS/cloud hosting and if yes, may I ask which provider?
 
How safe is it to host on a VPS? I recently used a Cloud service provider and got an email from the same company that they like the password I made for the server. If support staff can see my passwords, can't they just copy it down and go home and do what they want? They can also see the IP. Is this normal?
No web application worth R2.50 or more should be using unhashed passwords. EVER. NEVER. Granted, they may need it plain-text while a script adds it to whatever updates the OS (they could just run it through the crypt function and copy+paste it with its salt etc., at least on *nix). But even then, once it's used it should never be stored as plaintext in any database.

I would run a mile from a VPS provider with a front-end that's storing plaintext passwords in a database.

As for your other question, I use primarily OVH if not the usual suspects like AWS, Azure etc.
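The post above makes the point that a host only needs the plaintext for the moment it provisions the account, and should keep nothing but a salted hash afterwards. The block below is an added example, not code from this thread or from WHMCS, showing that pattern with Python's standard library: the stored record lets you verify a later login but gives a support operator nothing to copy down. The record format, the iteration count and the sample password are assumptions made for the example; on a Linux box the provisioning script would hand `chpasswd -e` a crypt(3)-format hash (for example from `openssl passwd -6`) instead, but the principle is the same.

```python
# Added example (not from the thread): keep a salted, slow hash, never the password.
# Assumptions: PBKDF2-HMAC-SHA256 as the KDF and a self-describing record format
# "$pbkdf2-sha256$<iterations>$<salt_b64>$<hash_b64>" chosen for this example.
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # work factor (assumption; tune so one check takes ~0.1-0.5 s)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a record that can be stored in the customer database.
    A fresh 16-byte random salt means two customers with the same password
    still get different records, so a leaked table cannot be cracked in bulk."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the salt and iteration count stored in the record and
    compare in constant time. Nothing here can recover the original password."""
    try:
        _, algo, iters, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False                      # malformed or tampered record
    if algo != "pbkdf2-sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample password; in the real flow it arrives from the order
    # form, is hashed once, and the plaintext is discarded.
    record = hash_password("Correct-Horse-9!")
    print(record)
    print("login ok:", verify_password("Correct-Horse-9!", record))
    print("wrong pw:", verify_password("hunter2", record))
```

If the ticketing or billing front-end still needs to hand the server a credential at provisioning time, pass it the hash and discard the plaintext in the same request; a support page that can display the password afterwards is proof the plaintext (or something reversible) was kept.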
 
No web application worth R2.50 or more should be using unhashed passwords. EVER. NEVER. Granted, they may need it plain-text while a script adds it to whatever updates the OS (they could just run it through the crypt function and copy+paste it with its salt etc., at least on *nix). But even then, once it's used it should never be stored as plaintext in any database.

I would run a mile from a VPS provider with a front-end that's storing plaintext passwords in a database.

As for your other question, I use primarily OVH if not the usual suspects like AWS, Azure etc.
By the response (and then lack thereof) of the company reps, it seems to be common practice. But like I said, it's the second time a very prominent IT company has not only stored my password in plain text, but shared it internally with their support staff without any need to do so and without me requesting it. By my estimation, the host which is storing customer server passwords in plain text has at least a thousand current and paying customers (not all hosting customers) based on their financial info. This could be more, but I can confirm their annual turnover was at least R25m two years back.

Never heard of OVH, but they seem to be priced well. What are the locations of their data centres?
 
Do you use a VPS/cloud hosting and if yes, may I ask which provider?
I have always used EliteHost and am very happy with them.
But I must preface that I fully accept anything hosted by anyone will not be 100% private and secure.
Some are just better than others.

My main "interest" has always been data back up security.
I did experiment with a double-blind cloud service recommendation from the Michael Bazzell podcast, worth a listen if you are into OSINT and privacy, but I can't remember the name of the service; I gave up on it due to the cost.
You pay a hang of a lot more for privacy and security.

I now have a pretty waxed system, the bulk is my important documents so not massive amounts of data in terms of volume.
I have a local network name with an encrypted backup copy that auto runs.
I do a weekly backup to Google Drive of an encrypted archive folder. The reason I chose to do it on Google Drive is they have the muscle and resources to keep their cloud secure and actively protect it, plus it's cheap. In the same breath, I do a secure archive folder because they do scan and have access if required.
I then do a monthly cold-storage unencrypted backup, i.e. an external drive hidden "under the bed".

What is of interest to me, but I haven't done the deep dive on yet, is I believe Synology now allows you to sync two NAS over the net. I think that could be quite cool for a remote backup, and then manage it via adding the CloudFlare Tunnels docker application on to the remote unit,
or using the CloudFlare Tunnels to do the sync.
 
But, is Amazon any different than the local ones? Azure makes the news daily about one hack or the other. Amazon's owner owns a newspaper so he can control the narrative.

Yes true cloud computing is very different from shared hosting type setups.

It’s your entire thing and there’s no support staff who have access to it or can help you…which is its own problem if you don’t know what you are doing, because YOU are accountable for all access and security, not the provider.
 
Yes true cloud computing is very different from shared hosting type setups.

It’s your entire thing and there’s no support staff who have access to it or can help you…which is its own problem if you don’t know what you are doing, because YOU are accountable for all access and security, not the provider.
Do you think our local providers would take any responsibility for breaches? Lol, they can't even handle a bit of criticism for their lacking security that an idiot like me saw a mile away, what about Werksmans knocking with a summons...
 
Are you confirming that Absolute Hosting can access your customers' passwords as well?
I took a look into this late last night and by default WHMCS does not provide a mechanism to hide or remove the password from the services page which is visible to support, the only option is to deny the support operator with access to that page.

There was a feature request sent through to the vendor about similar (redacting or hiding service passwords) and it seems that despite the feature receiving quite a few votes they have not addressed the issue.

I understand your concerns in this case and they are valid, which is why I have made the decision to revoke access to the services page for support operators on our end until the below is resolved.

Our customers’ security and privacy is a top priority for us and it is for this reason that I have already requested a quotation from one of the software vendors to resolve the issue presented in WHMCS.
By the response (and then lack thereof) of the company reps, it seems to be common practice. But like I said, it's the second time a very prominent IT company has not only stored my password in plain text, but shared it internally with their support staff without any need to do so and without me requesting it. By my estimation, the host which is storing customer server passwords in plain text has at least a thousand current and paying customers (not all hosting customers) based on their financial info. This could be more, but I can confirm their annual turnover was at least R25m two years back.

Never heard of OVH, but they seem to be priced well. What are the locations of their data centres?
The lack or delay of response on my part was due to:
I left to fetch my kid from school shortly after my post, catching up on the lack of internet on Wednesday, end-of-month VAT submissions etc. etc. etc. Only managed to look into this last night as per above.

I've confirmed that WHMCS does not store service passwords in clear text, so any other host using WHMCS is in the same position.
 
I took a look into this late last night and by default WHMCS does not provide a mechanism to hide or remove the password from the services page which is visible to support, the only option is to deny the support operator with access to that page.

There was a feature request sent through to the vendor about similar (redacting or hiding service passwords) and it seems that despite the feature receiving quite a few votes they have not addressed the issue.

I understand your concerns in this case and they are valid, which is why I have made the decision to revoke access to the services page for support operators on our end until the below is resolved.

Our customers’ security and privacy is a top priority for us and it is for this reason that I have already requested a quotation from one of the software vendors to resolve the issue presented in WHMCS.

The lack or delay of response on my part was due to:
I left to fetch my kid from school shortly after my post, catching up on the lack of internet on Wednesday, end-of-month VAT submissions etc. etc. etc. Only managed to look into this last night as per above.

I've confirmed that WHMCS does not store service passwords in clear text, so any other host using WHMCS is in the same position.
I actually wasn't using Absolute Hosting and was actually joking about your "confirmation"...I was using another provider where this came up and I was truly shocked. One thing I can respect is your transparency, but it is shocking that this seems to be industry standard.

I guess what added fuel to the fire was the fact that there are articles about the DoD being hacked, but hacking any service provider seems just as easy: bribe a support agent to get the root login, because seemingly very few people know how insecure servers are when hosted by another company.

You may be one of the exceptions when it comes to making security "top priority" but I find it hard to believe other companies share that enthusiasm or maybe even know how.

So please accept my apology if it seems I was attacking you, you weren't the provider(s) I was using.
 
I took a look into this late last night and by default WHMCS does not provide a mechanism to hide or remove the password from the services page which is visible to support, the only option is to deny the support operator with access to that page.

There was a feature request sent through to the vendor about similar (redacting or hiding service passwords) and it seems that despite the feature receiving quite a few votes they have not addressed the issue.

I understand your concerns in this case and they are valid, which is why I have made the decision to revoke access to the services page for support operators on our end until the below is resolved.

Our customers’ security and privacy is a top priority for us and it is for this reason that I have already requested a quotation from one of the software vendors to resolve the issue presented in WHMCS.

The lack or delay of response on my part was due to:
I left to fetch my kid from school shortly after my post, catching up on the lack of internet on Wednesday, end-of-month VAT submissions etc. etc. etc. Only managed to look into this last night as per above.

I've confirmed that WHMCS does not store service passwords in clear text, so any other host using WHMCS is in the same position.
Did you do the provisional tax as well BTW?
 