I was wondering if you guys plan on improving your login security in the near future. It's pretty noticeable that two way authentication and/or IP address white-lists are not present. This is a really bad thing which distinguishes NFO from other hosting providers. Security is something really important; I would score you guys a 6/10 on it.
Personally, I don't feel like my NFO account is as secure as it should be, with all the passwords and server wipe buttons it's holding. Even with a 40+ digit password with lowercase, capitals, numbers and special characters, it's open to multiple more simplistic exploits, which I cannot share at this point for the security of my account.
If I didn't disable broadcasting my root login over ssh (which is enabled by default surprisingly), there would be a backdoor to both files on my VPS AND full access to the operating system, to do whatever a hacker would like.
Furthermore, the randomly generated root and FTP passwords are far more crude than they should be. I had to go through and change them all so a) they're not all stored in my insecure account and b) they use a high enough encryption standard with special characters and somewhere in the ballpark of 30+ digits. I wouldn't even want to know how long it would take your highest VPS offering to brute-force into randomly generated default passwords.
Insecurities in NFO's System
Re: Insecurities in NFO's System
Adding two-factor authentication is something we want to do, yes. It is definitely planned and a bit higher on the to-do list than most things. Though, I wouldn't say that sets us apart from anyone. I don't really know of any GSP or server provider that offers two-factor, but I'm sure a few do.
As for the stock passwords. I wouldn't go as far as to call them insecure, but yes, they are randomly generated passwords by our system. You should change these, often. The nature of these passwords in general is less secure since they must be displayed to users in plain-text. Most customers don't keep the stock passwords.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
Re: Insecurities in NFO's System
I certainly want two-step authentication for our control panel myself and it is planned, along with some other security enhancements.
In terms of passwords, brute-forcing isn't a problem with the random 12+ digit passwords that we create by default, since attackers are severely limited in how many tries they can make per second through SSH, RDP, the control panel, or other mechanisms. But, customers should certainly change the root password from the one we give, and should consider turning on authentication by keys only, if it makes sense for them (root login using a password is enabled by default for obvious reasons, and does not represent a significant security risk).
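The SSH hardening the reply above recommends (change the root password, switch to key-only authentication) can be checked mechanically. The script below is an added example, not part of this thread or NFO's tooling; it audits an sshd_config for the effective PermitRootLogin and PasswordAuthentication values and assumes OpenSSH's rule that the first occurrence of a keyword wins, so a hardened line appended at the end of the file is silently ignored.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings discussed in the
# thread. Assumptions: OpenSSH semantics (first occurrence of a keyword wins),
# "Keyword value" syntax separated by whitespace, no Match blocks considered.

# Print the effective value of a keyword (first uncommented occurrence),
# lowercased, or the supplied default when the keyword is absent.
sshd_effective() {
    # $1 = config file, $2 = keyword, $3 = default when absent
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${val:-$3}"
}

# Return 0 when root cannot log in with a password, 1 otherwise.
# Assumed defaults: PermitRootLogin yes (the thread says root password login is
# enabled by default on these images) and PasswordAuthentication yes.
sshd_root_password_login_blocked() {
    prl=$(sshd_effective "$1" PermitRootLogin yes)
    pwa=$(sshd_effective "$1" PasswordAuthentication yes)
    case "$prl" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
    esac
    [ "$pwa" = "no" ] && return 0
    return 1
}

# Constructed sample configs for demonstration (not real NFO images).
tmp=$(mktemp -d)
cat > "$tmp/stock" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
# Hardening line appended after the stock line: the first line still wins.
cat > "$tmp/appended" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
EOF
# Key-only login as recommended in the reply.
cat > "$tmp/keyonly" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
EOF

for f in stock appended keyonly; do
    if sshd_root_password_login_blocked "$tmp/$f"; then
        echo "$f: root password login blocked"
    else
        echo "$f: root password login POSSIBLE"
    fi
done
```

Run it against the real file with `sshd_root_password_login_blocked /etc/ssh/sshd_config`; `sshd -T` prints the effective configuration if you want to cross-check, including Match blocks this script ignores.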
Re: Insecurities in NFO's System
Have you guys thought about adding a Steam badge? This is a pretty simplistic method to get two way authentication. And useful information could be gathered from it, like a Steam ID, to automatically set up permissions for some newly created servers.
Re: Insecurities in NFO's System
You can also set up the firewall to block RDP access to anyone but yourself through the control panel.