# How to stop webhost from entering vps without permission?



## Minmeo (Nov 12, 2014)

I read that it is easy to enter vps without permission with openvz if you are the host. Is there any way to stop this so they must ask first?


----------



## perennate (Nov 12, 2014)

Hi, are you saying that you want to sell webhosting on your VM but don't want to be able to enter your VM?

More seriously, there's no way to 100% stop someone who has control over the physical server (host node) where your virtual machine is residing from accessing the virtual machine, simply because the virtualization is being performed by the host node. Every instruction, every object in memory is visible to the host node. You can think about encrypting your memory or filesystem, but you have to store the encryption keys somewhere, so those keys are going to be visible too.

With OpenVZ it's especially difficult since every process in your VM actually corresponds to a separate process on the host node. It's just one level above chroot, where the host could just chroot into your directory.

If you are using KVM, you can make it harder by encrypting the filesystem and such (there's almost ZERO REASON not to do these kinds of things as they give you some level of security/privacy with minimal performance impact), but it's still possible for someone with control over the host node to peer in.

The solution is to run the instance inside a host node fully under your control. You may want to ensure it has no connection to the Internet, so that an attacker cannot maliciously take control of the host node.

Anyway, this has been asked in tens of topics -- for example http://lowendtalk.com/discussion/9921/privacy-on-vps-providers-how-reliable-is-to-host-private-data


----------



## raj (Nov 12, 2014)

Any time the host wants to, they can issue the command `vzctl enter yourContainerID`. There is no way for you to stop that at the host level.


----------



## Serveo (Nov 12, 2014)

Move up to dedicated if your budget allows it? If it's not OpenVZ, then check your ~/.ssh/authorized_keys
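
The authorized_keys check suggested above, carried out as a repeatable audit. This is an added example, not code from the poster or from any project named in the thread: it parses each entry of an OpenSSH authorized_keys file, computes the SHA256 fingerprint in the same form `ssh-keygen -lf` prints, and reports any key that is not on an allowlist the operator maintains, as well as malformed entries. The three sample keys and the allowlist are constructed inline so the script runs offline.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of fingerprints.

Added example for the thread above (not the poster's code). Sample keys are
constructed; a real run would read ~/.ssh/authorized_keys and an allowlist
the operator keeps somewhere the VPS cannot silently rewrite.
"""
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


def _read_ssh_string(buf: bytes, offset: int = 0) -> bytes:
    """Decode the SSH wire-format string starting at `offset`."""
    length = int.from_bytes(buf[offset:offset + 4], "big")
    return buf[offset + 4:offset + 4 + length]


def ed25519_blob(public_key: bytes) -> str:
    """Build the base64 key blob OpenSSH writes for an ed25519 public key."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(public_key)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf` (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_entry(line: str):
    """Split one authorized_keys line into (options, key_type, blob, comment).

    Options such as command="..." may contain spaces, so the key type token is
    located first and everything before it is treated as options. Returns None
    when no key type is present, the blob is not valid base64, or the blob's
    embedded type does not match the declared type.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            break
    else:
        return None
    if i + 1 >= len(tokens):
        return None
    options = " ".join(tokens[:i])
    key_type, blob = tok, tokens[i + 1]
    comment = " ".join(tokens[i + 2:])
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if _read_ssh_string(raw) != key_type.encode():
        return None
    return options, key_type, blob, comment


def audit(authorized_keys_text: str, allowed_fingerprints):
    """Return a list of (line_number, problem, detail) findings."""
    allowed = set(allowed_fingerprints)
    findings = []
    for lineno, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            findings.append((lineno, "malformed entry", line[:40]))
            continue
        _options, key_type, blob, comment = entry
        fp = fingerprint(blob)
        if fp not in allowed:
            findings.append((lineno, "key not on allowlist", f"{key_type} {fp} {comment}".strip()))
    return findings


# Constructed sample data: two keys the operator knows plus one they do not,
# and one garbage line of the kind a botched edit leaves behind.
LAPTOP_KEY = ed25519_blob(bytes(range(32)))
BACKUP_KEY = ed25519_blob(bytes(range(32, 64)))
STRANGER_KEY = ed25519_blob(b"\x42" * 32)

SAMPLE_AUTHORIZED_KEYS = f"""\
# deploy user keys (constructed sample)
ssh-ed25519 {LAPTOP_KEY} me@laptop
command="/usr/bin/rsync --server",no-pty ssh-ed25519 {BACKUP_KEY} backup
ssh-ed25519 {STRANGER_KEY}
ssh-rsa not-base64!! broken
"""

ALLOWLIST = {fingerprint(LAPTOP_KEY), fingerprint(BACKUP_KEY)}

if __name__ == "__main__":
    for lineno, problem, detail in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {lineno}: {problem}: {detail}")
```

Comparing fingerprints rather than raw lines means a key that has merely been given a new comment or new options is still recognised, while a key that was quietly appended is reported regardless of how it is annotated. The allowlist only helps if it lives outside the VPS (for instance in the operator's configuration management), since anyone who can edit authorized_keys on the box can edit a list stored next to it.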


----------



## lbft (Nov 12, 2014)

No. You have to ultimately trust your host.

It's possible to make it more difficult (e.g. IIRC a modified /bin/bash could log/prevent vzctl enter) but with OpenVZ simfs your filesystem is literally a directory on the host node's filesystem, so they still have complete visibility of all your data.

Even if OpenVZ wasn't as transparent as it is, you are running your stuff on someone else's hardware - the host can pretty much do what they want (e.g. with KVM, they can just copy your disk and mount it, or read your RAM).

It's yet another reason not to buy from shitty hosts.
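
The logging idea mentioned above (a shell that notices when it was not started by a normal login) can be approximated without patching /bin/bash. What follows is an added example, not the poster's code: it reads a `ps -eo pid,ppid,tty,comm` style process listing and flags interactive shells with a pseudo-terminal whose ancestry contains no login broker (sshd, getty, su, tmux and the like). The assumption, stated here and in the code, is that a shell injected from the host node appears inside the container parented directly to the container's init with nothing in between; the process table is constructed sample data. This is a detection aid for the tenant's own logs, not a way to keep the host out.

```python
"""Flag interactive shells whose ancestry shows no login path.

Added example (not from the thread). Assumption: a shell pushed into a
container from the host (the `vzctl enter` case discussed above) shows up
inside the container as bash <- init with a pseudo-terminal, whereas an SSH
login shows bash <- sshd <- sshd <- init. Sample process table is constructed.
"""
from typing import Dict, Iterator, List, Tuple

INTERACTIVE_SHELLS = {"bash", "sh", "zsh", "dash", "ksh", "fish"}
# Processes that legitimately sit between a shell and init.
LOGIN_BROKERS = {"sshd", "login", "agetty", "getty", "mingetty",
                 "tmux", "screen", "sudo", "su"}

Proc = Tuple[int, str, str]  # (ppid, tty, comm)


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse `ps -eo pid,ppid,tty,comm` output into {pid: (ppid, tty, comm)}."""
    lines = [line for line in text.splitlines() if line.strip()]
    procs: Dict[int, Proc] = {}
    for line in lines[1:]:  # first non-empty line is the header
        pid, ppid, tty, comm = line.split(None, 3)
        procs[int(pid)] = (int(ppid), tty, comm.strip())
    return procs


def ancestors(procs: Dict[int, Proc], pid: int) -> Iterator[str]:
    """Yield the command names of pid's parent, grandparent, ... up to init."""
    seen = set()
    cur = procs[pid][0]
    while cur in procs and cur not in seen:
        seen.add(cur)
        yield procs[cur][2]
        cur = procs[cur][0]


def find_unexplained_shells(ps_text: str) -> List[int]:
    """Return PIDs of shells on a tty that have no login broker among their ancestors."""
    procs = parse_ps(ps_text)
    flagged = []
    for pid, (_ppid, tty, comm) in sorted(procs.items()):
        if comm not in INTERACTIVE_SHELLS or tty == "?":
            continue  # daemons and scripts without a terminal are not of interest
        if not any(name in LOGIN_BROKERS for name in ancestors(procs, pid)):
            flagged.append(pid)
    return flagged


# Constructed sample: one SSH session, one tmux session, one shell that
# appeared directly under init with a pty (the pattern the assumption describes).
SAMPLE_PS = """\
  PID  PPID TT       COMMAND
    1     0 ?        init
  300     1 ?        sshd
  410   300 ?        sshd
  411   410 pts/0    bash
  520     1 ?        cron
  612     1 pts/1    bash
  613   612 pts/1    ls
  700     1 ?        tmux
  701   700 pts/2    bash
"""

if __name__ == "__main__":
    for pid in find_unexplained_shells(SAMPLE_PS):
        print(f"shell pid {pid} has no login broker in its ancestry")
```

Run from cron inside the container and written to a log that is shipped off the box, this gives the tenant a record of sessions that did not arrive through their own login path. It is a heuristic with obvious limits: anyone with host-level control can also hide or stop the check, and a terminal multiplexer that was itself started by a suspicious shell will inherit its pedigree.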


----------



## Minmeo (Nov 12, 2014)

lbft said:


> Even if OpenVZ wasn't as transparent as it is, you are running your stuff on someone else's hardware - the host can pretty much do what they want (e.g. with KVM, they can just copy your disk and mount it, or read your RAM).


What about xen?

I do not think my hosts will have reason to do this, but I found it interesting and worrisome, as I did not know this previously.


----------



## mojeda (Nov 12, 2014)

Ultimately you will always have to trust your provider, regardless of whether it's Xen, OVZ, KVM or VMware. Your host will always retain some ability to do what they want with your VM; however, some technologies may make it harder, though not necessarily impossible.

If you're having to find a way to keep a provider out of your hosted VM, then you should look into other providers who are trustworthy, or rethink your strategy (think dedicated servers).


----------



## Francisco (Nov 12, 2014)

Minmeo said:


> What about xen?
> 
> I do not think my hosts will have reason to do this, but I found it interesting and worrisome, as I did not know this previously.


On XEN/KVM you could run CryptFS if you have a CPU that has AES features. A host could still dig through your memory to find your hashing key but that's going pretty HAM to get at your stuff.

For OpenVZ it's purely a trust thing. I can't speak for other hosts, but for us, whenever we need to access a customer's container we ask for written permission in the form of a ticket. We could just as easily 'enter' into a customer's VM, but we do our best to return just as much respect as our customers put on us.

Francisco


----------



## DomainBop (Nov 12, 2014)

If you're using the VPS/cloud server to host important business data and are really concerned about privacy, then look for a host whose business has been audited for security practices and passed with flying colors (i.e. SSAE 16 certification in the US, for example Atlantic.net and FireHost; ISO 27001 in the EU, for example CloudVPS and LeaseWeb; and many others), and also make sure the data centers they use have similar security certifications. Security certifications won't eliminate all of the risk but they'll reduce it significantly (i.e. hosts that hire skids they met on Skype/LET/during recess, or give admin access to poorly vetted outsourced workers, aren't going to get certified).



> whenever we need to access a customer's container we ask for written permission in the form of a ticket.


+1 to that. 

On the other end of the scale there are openvz hosts like GVH who have made public comments (on LET) like these

_"There is no privacy warranted due to OpenVZ virtualization not being full virtualization."_

_"Hosting providers utilizing OpenVZ virtualization technology to provide "virtual private server" web hosting services are under no obligation to abide by data privacy laws as due to the nature of OpenVZ virtualization, the data within OpenVZ containers is sandboxed as a part of the host node, which belongs to the host."_

_"After confirming suspicion from a process scan we vzctl into the container and run ls commands. Usually after the 2nd or 3rd command we find a massive directory filled with the illegally obtained content + the source, and that's when the termination button is hit and that's all done within like 30 seconds."_

http://www.webhostingtalk.com/showpost.php?p=9242552&postcount=4

Bottom line: if you're using openvz and care about data privacy you're taking a risk, and to decrease that risk you really need to do your research to be sure you can trust your host and the people it employs (check reviews, check their business history and, if applicable, their personal history, their company's hiring practices, etc., etc.)


----------



## TurnkeyInternet (Nov 12, 2014)

Minmeo said:


> I read that it is easy to enter vps without permission with openvz if you are the host. Is there any way to stop this so they must ask first?


In short, yes - the vps provider can enter and view the 'content' of their clients' VPSs in most cases. OpenVZ is one that is far easier for the admins (or sadly, hackers who may break into the master node) to then jump in and view your data.

How do you keep a legit vps provider from wanting/needing to go into your VPS? Don't violate their ToS, don't do things like torrents, spamming, or attract DDoS attacks - and your provider will never have need to go in and investigate an abuse/issue complaint.

If you want to protect your content, you can go with a more strict virtualization technology like Xen (or VMware) that uses special file system/block-level systems to hold your data; it requires a bit more for someone to remotely enter (but still they can get in if they are willing to take your server offline and mount it to view things - but you would notice it in most cases). If you use Xen or another virtualization technology with real kernel level access (Xen/KVM or VMware, but not OpenVZ) you could create an encrypted file system, or even install something like TrueCrypt to make a secondary volume/disk drive inside your VPS that is fully encrypted and only accessible by you.

Even if you have a dedicated server, if someone has physical access to the device (just like a VPS node) it's possible with enough effort to get to your data. So encryption is the next level to help maintain (*but still no guarantee*) privacy.


----------



## TurnkeyInternet (Nov 12, 2014)

oh.. p.s. if you really don't trust your provider, and think they are snooping around - you've already got a problem you need to solve. So if you are hiding data with encryption because you think they are snooping around for no reason, you may want to find a new home promptly.


----------



## AndrewM (Nov 12, 2014)

To be fair, I'm sure your host has better things to do than vzctl into your container to look at your wordpress files, or beyond that dig through memory. Prying eyes will always be in the back of your mind, but I'm sure your host has better things to do. If not, then you should reconsider what kind of hosts you sign up with.

I'm not going to offer a suggestion here because ultimately, any suggestion is moot if a dedicated box isn't in your budget.


----------



## Francisco (Nov 12, 2014)

AndrewM said:


> To be fair, I'm sure your host has better things to do than vzctl into your container


You should really read the horror stories more often.

You have more than a few on WHT where admins start to browse people's data for reasons to boot them.

The sz1 guy got busted going into someone's container as well, and that was why the whole 'DDOS LE into the ground' war started.

Francisco


----------



## HalfEatenPie (Nov 12, 2014)

Francisco said:


> You should really read the horror stories more often.
> 
> You have more than a few on WHT where admins start to browse peoples data for reasons to boot them.
> 
> ...


Wasn't this the same with ChrisK and Avante?

Or was that simply limited to Minecraft servers?


----------



## Francisco (Nov 12, 2014)

HalfEatenPie said:


> Wasn't this the same with ChrisK and Avante?
> 
> Or was that simply limited to Minecraft servers?


I'm not sure if he went into anyone's server/etc, the only mix up I've seen with him was with the whole clamhost story.

Francisco


----------



## HalfEatenPie (Nov 12, 2014)

Francisco said:


> I'm not sure if he went into anyone's server/etc, the only mix up I've seen with him was with the whole clamhost story.
> 
> Francisco


Ahh found one.

http://i.imgur.com/hhne2jz.jpg

http://i.imgur.com/D3WNY5w.jpg

Ehh that was 2012 though. Who knows.

Anyways, basically the summary of the topic is "lolno"


----------



## Francisco (Nov 12, 2014)

HalfEatenPie said:


> Ahh found one.
> 
> http://i.imgur.com/hhne2jz.jpg
> 
> ...


I'll give him the 'young & dumb' benefit since the amount of complaints we hear these days is minimal and his companies keep on the right track.

Francisco


----------



## mojeda (Nov 13, 2014)

Ahhh, Avante... now that's a company I have not heard of in a long time...


----------



## AndrewM (Nov 13, 2014)

Francisco said:


> You should really read the horror stories more often.
> 
> 
> You have more than a few on WHT where admins start to browse people's data for reasons to boot them.
> ...


Fair enough, although if they are utilizing their time to pry open clients' dark and intimate secret files instead of, say, improving service, marketing, all that jazz? Then I find this to be in direct violation of the laws of logic.


----------



## MartinD (Nov 13, 2014)

mojeda said:


> If you're having to find a way to keep a provider out of your hosted VM, then you should look into other providers who are trustworthy, or rethink your strategy (think dedicated servers).


This above all else. If you flip the coin and look at it from the providers point of view; what are you doing on/with your VM that makes you want to hide from me (the provider) so badly? Will the police be knocking on my door and at the DC's door simultaneously wanting to confiscate equipment?


----------



## AlphaNine_Vini (Nov 13, 2014)

The administrators who have access over a physical server are verified by web hosting companies. There is no way you can stop them from accessing your OpenVZ VPS. Just in case you have issues on your VPS, the administrator can help you to resolve the issue from the backend. Many times customers damage their SSH config or network config. Then an administrator can resolve the issue from the backend.


----------



## Francisco (Nov 13, 2014)

MartinD said:


> This above all else. If you flip the coin and look at it from the providers point of view; what are you doing on/with your VM that makes you want to hide from me (the provider) so badly? Will the police be knocking on my door and at the DC's door simultaneously wanting to confiscate equipment?


Then they knock.

To date we've had a half dozen in-person visits from the RCMP, 4 visits to a DC, & multiple talks with FBI agents. One chat got extremely heated since they were being unreasonable in their demands but they finally backed down and were far more co-operative.

Up until it has been proven that the customer in question has broken federal laws, it's your due diligence to protect them to the best of your ability, as well as your other clients. Even once proof is provided (or a court order is issued so it becomes irrelevant), you should still understand what's a reasonable request and what isn't.

They require the details you have on file for the client, transactions, etc? OK. They want a copy of your whole billing database? Not OK.

They want a snapshot of the VPS/etc in question? OK. They want to snapshot the whole box? Generally not OK.

For us we have a public record for being hard asses on people about client details but it's because we *do* stick our necks out and protect our users. I'm not going to be very happy if I'm sticking my neck out for 'Aa Zz' and his supposed CP ring with a side of botnet.

Francisco


----------



## vRozenSch00n (Nov 13, 2014)

Francisco said:


> Up until it has been proven that the customer in question has broken federal laws, it's your due diligence to protect them to the best of your ability, as well as your other clients. Even once proof is provided (or a court order is issued so it becomes irrelevant), you should still understand what's a reasonable request and what isn't.


Given that, by all means Fran, you may browse my container anytime you like without having to have my permission


----------



## drmike (Nov 13, 2014)

AndrewM said:


> To be fair, I'm sure your host has better things to do than vzctl into your container to look at your wordpress files, or beyond that dig through memory. Prying eyes will always be in the back of your mind, but I'm sure your host has better things to do. If not, then you should reconsider what kind of hosts you sign up with.


I am not an admin. I have however helped a bunch of companies in the VPS spectrum and been exposed to the shoddy biz practices many of them engage in.

I have seen staff in multiple lowend companies wholesale rifling through containers and peeking at folks stuff.

The basis for such? Shady. Oh, the container is using resources, using disk space, etc. Really, most of the time, bullshit boredom rummaging.

Some of the rifling would start based on a process that would show up in entire-service monitoring. Maybe they see rtorrent running, while the provider in fact allows such.

It's all this sort of behavior that is VERY RAMPANT among the lowend VPS companies that has soured me to using VPS services in general.  I am down to a handful of accounts with what I deem trustworthy companies.


----------



## drmike (Nov 13, 2014)

Francisco said:


> Then they knock.
> 
> 
> To date we've had a half dozen in-person visits from the RCMP, 4 visits to a DC, & multiple talks with FBI agents. One chat got extremely heated since they were being unreasonable in their demands but they finally backed down and were far more co-operative.
> ...


And ... ^ THIS IS WHY I RECOMMEND BUYVM.  They are the real deal and do the right thing all said.


----------



## DomainBop (Nov 13, 2014)

MartinD said:


> This above all else. If you flip the coin and look at it from the providers point of view; *what are you doing on/with your VM that makes you want to hide from me (the provider) so badly?* Will the police be knocking on my door and at the DC's door simultaneously wanting to confiscate equipment?


I'm assuming that providers who don't understand why some customers (e.g. a business customer) don't want the provider to access their data probably have a customer base that is primarily comprised of hobbyists, illegal torrenters, VPN users, skids, and other low paying customers (and I'm also assuming that the provider probably draws a blank when things like PCI compliance are mentioned). If the hosting provider's customer is a business then _"what they are trying to hide"_ from the prying eyes of the provider and his staff is more than likely their sensitive business information, their business's customer records/info, etc.

The proliferation of hosting providers who put a low value on a customer's need for data privacy and security is the reason why businesses who are really concerned about data privacy should ask prospective virtualization providers the following set of questions (in particular, the ones in the _"privacy and access to data"_, _"legal process"_ and _"connecting to the service"_ sections) before they entrust their data to the provider: questions to ask your provider (_and yes, I've linked to these questions before when the subject of data privacy and hosting provider policies on accessing customer data came up_)


----------



## vRozenSch00n (Nov 13, 2014)

This might be strange, but when I choose a service I tend to look at who's who behind it.

To me it is important, as I know any provider could easily access my containers, leak my personal information, CC, etc., therefore I appreciate certain qualities from my providers.

*Trust* - Not simply blind trust of a desert dweller to his leader, but more to how they run their services as well as handling and protecting my data.

*Helpfulness* - Most of my services are unsupported. Some providers simply ignore my tickets, some who also offer managed services reply and explain that my request is not included in my package, some are willing to help then or at least they point me to the right direction i.e. "O.K. we'll help you this once, but please read this tutorial in our Knowledge Base or at this url" or "Your service is not supported, but you can read tutorials in our Knowledge Base or at this url".

*Openness* - some providers hide incidents that happened to their gear or network, some openly inform customers of what happened and provide some directives on what the customer should do in such a situation, and keep the customers up to date.

*Common Sense* - related to TOS/AUP & incidents, i.e. some ignorant customers use unsafe applications, get hacked and send DDoS attacks or unsolicited email. Some providers directly terminate the service, but some are willing to help the customer, pointing them in the right direction and marking the specific customer to know whether the incident is on purpose or simply out of customer ignorance. At this point providers have full right to probe what is in the customer's container using automated means or manually.


----------



## KuJoe (Nov 13, 2014)

Francisco said:


> Then they knock.


But sometimes they don't knock. While we've been lucky to not have experienced this first hand, I've also been lucky enough to be privy to some details of data centers that get regular visits from multiple agencies sometimes weekly. The staff say that most of the time it's just a drive pull or a network port mirror, but on some occasions they just pull the power and walk out with the whole server based on a single IP on the server (and the client won't know why it was taken until days or weeks later). Most of the time the techs are told to blame hardware failure until a lawyer tells them otherwise as to not tip off the users.


----------



## Aldryic C'boas (Nov 13, 2014)

KuJoe said:


> But sometimes they don't knock. While we've been lucky to not have experienced this first hand, I've also been lucky enough to be privy to some details of data centers that get regular visits from multiple agencies sometimes weekly. The staff say that most of the time it's just a drive pull or a network port mirror, but on some occasions they just pull the power and walk out with the whole server based on a single IP on the server (and the client won't know why it was taken until days or weeks later). Most of the time the techs are told to blame hardware failure until a lawyer tells them otherwise as to not tip off the users.


And this is why I will recommend FiberHub to anyone needing colocation/etc.  Rob absolutely won't tolerate that kind of theft - even when the feds have paperwork, if there's so much as a single typo he'll send them packing.  I can't begin to describe how nice it is to not be constantly stressed over the security of our gear there, especially compared to some of our prior upstreams.


----------



## Francisco (Nov 13, 2014)

KuJoe said:


> But sometimes they don't knock. While we've been lucky to not have experienced this first hand, I've also been lucky enough to be privy to some details of data centers that get regular visits from multiple agencies sometimes weekly. The staff say that most of the time it's just a drive pull or a network port mirror, but on some occasions they just pull the power and walk out with the whole server based on a single IP on the server (and the client won't know why it was taken until days or weeks later). Most of the time the techs are told to blame hardware failure until a lawyer tells them otherwise as to not tip off the users.


Then that means you need to find a new datacenter that does their due diligence by you. The feds don't just have the badges to the datacenter floor to just walk off with gear. Every datacenter that wasn't run by a con artist that we've been with has *always* called us when there's a visit. Fiberhub, EGIHosting, etc, have all called me when there's people for me to talk to.

At this point I'd like to think that we're earning ourselves a reputation with the federal agencies of not screwing around when they do right by us. Do you think they want to be stuck in an extremely sketchy situation where there could be Canadian Federal data on that equipment? Health records? Christ, that'd be asking for badges right there.

Just like everyone tells the LE penny pinchers: When picking a host, know how they will react when the shit hits the fan because that's when the company shows their true knowledge, skill, & dedication. This applies just as much to node outages as it does (un)lawful visits.

Francisco


----------



## IntegralHost (Nov 16, 2014)

Minmeo said:


> I read that it is easy to enter vps without permission with openvz if you are the host. Is there any way to stop this so they must ask first?


It won't be possible with OpenVZ. You may choose a Hyper-V vps; there the host can't access the customer's server without the correct password.


----------



## serverian (Nov 16, 2014)

L. E. Pennypincher

Sounds like a real name!


----------

