On 6/03/2012 7:56 AM, Stayvoid wrote:
> Hello.
>
> "Before you install any operating system on your computer,
set up a
> BIOS password. After installation (once you have enabled
bootup from
> the hard disk) you should go back to the BIOS and change the
boot
> sequence to disable booting from floppy, CD-ROM and other
devices that
> shouldn't boot. Otherwise a cracker only needs physical
access and a
> boot disk to access your entire system." [1]
> Is there a way to prevent such actions while using a VPS?
>
> [1]
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html
>
> Cheers
>
>
I probably going to say no but my experience with virtualisation has
only been with ESX/VSphere, OpenVZ and Virtuozzo (OpenVZ and
Virtuozzo are very similar). Do you have any particular
virtualisation software in mind?
With ESX/Vsphere anyone with the appropriate permissions is able to
force the VM into booting into the BIOS. This would be my preferred
option - with an encrypted file system it should be pretty safe as
the VM would need to be rebooted to change the root pass to get
access from the console. It would give the server admin root access
to the server but as long as your data is encrypted in a secure
manner it won't be easy to get it out even if the disk is just
mounted on another VM to browse around without changing passwords.
With OpenVZ and Virtuozzo you are able to enter the containers from
the hardware node and get root access ('vzctl enter id'). I can't
remember if this logged anything inside the container showing that
the administrator did this. The admin can also just browse the files
directly off the hardware node without "entering" the container. I
don't think you can do much to prevent this at all. I generally stay
away from paravirtualisation products for anything too important
with this being one of the reasons.
What level of security do you want to achieve at the end of the day?
It may turn out that going onto a shared platform out of your
control isn't the best option.