Insecurities in NFO's System

This is used for general discussion that is not necessarily server-related.
stickz

Insecurities in NFO's System

Post by stickz »

I was wondering if you guys plan on improving your login security in the near future. It's pretty noticeable that two-way authentication and/or IP address white-lists are not present. This is a really bad thing which distinguishes NFO from other hosting providers. Security is something really important; I would score you guys a 6/10 on it.

Personally, I don't feel like my NFO account is as secure as it should be, with all the passwords and server wipe buttons it's holding. Even with a 40+ digit password with lowercase, capitals, numbers and special characters, it's open to multiple more simplistic exploits, which I cannot share at this point for the security of my account.

If I didn't disable broadcasting my root login over ssh (which is enabled by default surprisingly), there would be a backdoor to both files on my VPS AND full access to the operating system, to do whatever a hacker would like.

Furthermore, the randomly generated root and FTP passwords are far more crude than they should be. I had to go through and change them all so that a) they're not all stored in my insecure account and b) they use a high enough encryption standard with special characters and somewhere in the ballpark of 30+ digits. I wouldn't even want to know how long it would take your highest VPS offering to brute-force into randomly generated default passwords.
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: Insecurities in NFO's System

Post by kraze »

Adding two-factor authentication is something we want to do, yes. It is definitely planned and a bit higher on the to-do list than most things. Though, I wouldn't say that sets us apart from anyone. I don't really know of any GSP, or server provider, that offers two-factor, but I'm sure a few do.

As for the stock passwords. I wouldn't go as far as to call them insecure, but yes, they are randomly generated passwords by our system. You should change these, often. The nature of these passwords in general is less secure since they must be displayed to users in plain-text. Most customers don't keep the stock passwords.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Insecurities in NFO's System

Post by Edge100x »

I certainly want two-step authentication for our control panel myself and it is planned, along with some other security enhancements.

In terms of passwords, brute-forcing isn't a problem with the random 12+ digit passwords that we create by default, since attackers are severely limited in how many tries they can make per second through SSH, RDP, the control panel, or other mechanisms. But, customers should certainly change the root password from the one we give, and should consider turning on authentication by keys only, if it makes sense for them (root login using a password is enabled by default for obvious reasons, and does not represent a significant security risk).
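The key-only SSH setup Edge100x recommends, as an added example that is not part of this thread and not NFO's own tooling: a POSIX shell script that audits an sshd_config for the two keywords that matter here (PermitRootLogin and PasswordAuthentication) and rewrites them to their safe values. It assumes only sh and awk are available and runs against a constructed sample file rather than a live host; the sample file path and the function names are my own choices.

```shell
#!/bin/sh
# Added example: audit and harden sshd_config so root cannot log in with a
# password and password authentication is off for everyone (keys only).
# Assumptions: POSIX sh and awk; no Match blocks (those can override values).

# Constructed sample config reflecting the "root password login enabled by
# default" state discussed in the thread. Not a real host's file.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.example.$$"
cat > "$SAMPLE_CFG" <<'EOF'
# Constructed sample, not a real host's file
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF

# effective_value FILE KEY
# Prints the value sshd would use for KEY: the first uncommented occurrence
# (sshd takes the first match, later duplicates are ignored). Empty if unset.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_is_hardened FILE
# Returns 0 when root password login is disabled AND password authentication
# is off, 1 otherwise. "without-password" is the older alias of
# "prohibit-password" and is accepted too.
sshd_is_hardened() {
    prl=$(effective_value "$1" PermitRootLogin)
    pwa=$(effective_value "$1" PasswordAuthentication)
    case "$prl" in
        no|prohibit-password|without-password) ;;
        *) return 1 ;;
    esac
    [ "$pwa" = "no" ]
}

# harden_sshd FILE
# Drops every existing PermitRootLogin / PasswordAuthentication line
# (including commented ones are left alone; only active ones are removed)
# and appends a single safe setting for each, so there is exactly one
# effective value and nothing earlier in the file can shadow it.
harden_sshd() {
    tmp="$1.hardened.$$"
    awk '
        tolower($1) == "permitrootlogin" || tolower($1) == "passwordauthentication" { next }
        { print }
        END {
            print "PermitRootLogin prohibit-password"
            print "PasswordAuthentication no"
        }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone demo: report the state of the sample without modifying it.
if sshd_is_hardened "$SAMPLE_CFG"; then
    echo "$SAMPLE_CFG: key-only root access already enforced"
else
    echo "$SAMPLE_CFG: root password login still permitted"
fi
```

On a real host the order matters: install your public key in root's authorized_keys and confirm a key-based login works from a second session, then run harden_sshd on /etc/ssh/sshd_config, validate with `sshd -t`, and only then reload sshd. Keep the first session open until the new one succeeds so a typo in the config cannot lock you out.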
stickz

Re: Insecurities in NFO's System

Post by stickz »

Have you guys thought about adding a Steam badge? This is a pretty simplistic method to get two-way authentication. And useful information could be gathered from it, like a Steam ID, to automatically set up permissions for some newly created servers.
barhund
This is my homepage
Posts: 124
Joined: Fri May 16, 2014 7:37 am

Re: Insecurities in NFO's System

Post by barhund »

You can also set up the firewall to block RDP access to anyone but yourself through the control panel.