On 6/03/2012 7:56 AM, Stayvoid wrote:
> Hello.
>
> "Before you install any operating system on your computer, set up a
> BIOS password. After installation (once you have enabled bootup from
> the hard disk) you should go back to the BIOS and change the boot
> sequence to disable booting from floppy, CD-ROM and other devices that
> shouldn't boot. Otherwise a cracker only needs physical access and a
> boot disk to access your entire system." [1]
> Is there a way to prevent such actions while using a VPS?
>
> [1] http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html
>
> Cheers
>
>
I'm probably going to say no, but my experience with virtualisation has
only been with ESX/vSphere, OpenVZ and Virtuozzo (OpenVZ and Virtuozzo
are very similar). Do you have any particular virtualisation software in
mind?

With ESX/vSphere anyone with the appropriate permissions is able to
force the VM into booting into the BIOS. This would be my preferred
option - with an encrypted file system it should be pretty safe as the
VM would need to be rebooted to change the root pass to get access from
the console. It would give the server admin root access to the server
but as long as your data is encrypted in a secure manner it won't be
easy to get it out even if the disk is just mounted on another VM to
browse around without changing passwords.

With OpenVZ and Virtuozzo you are able to enter the containers from the
hardware node and get root access ('vzctl enter id'). I can't remember
if this logged anything inside the container showing that the
administrator did this. The admin can also just browse the files
directly off the hardware node without "entering" the container. I don't
think you can do much to prevent this at all. I generally stay away from
paravirtualisation products for anything too important with this being
one of the reasons.

What level of security do you want to achieve at the end of the day? It
may turn out that going onto a shared platform out of your control isn't
the best option.
