Friday, August 23, 2013

An unflattering commentary on Rackspace cloud server security

I recently needed a new server instance for some testing. Normally I would go back to AWS, as I've had problems with Rackspace in the past. Being open-minded and assuming things have changed in the last couple of years, I thought I'd go back and try out Rackspace Cloud for my testing (for reasons I will not name here).

My first and most shocking revelation is that they have NOT fixed a key security problem. I'm going to outline this right now, and hopefully somebody can fix it.

Problem #1: Login as root via ssh

Guys... guys... guys (or gals)... It is baffling to me that you still allow this. Yes, I get that you have a wonderful "blacklist my server IP when something goes wrong" and "then disable access to my console to fix it" routine going on to protect your network if MY machine gets compromised due to your silly, lackadaisical security. Wait, that's actually a negative thing too :) Please stop; I'm not going to use you as a provider until you fix this. In the interest of fairness I'll say that you DO generate a nice, secure, random-looking password... but that isn't really good enough in my book. At a minimum, generate a random password for a random user ID (or hell, even let me name a user), disable remote root access, and I MIGHT consider using your service, except for the next problem.

Problem #2: No firewall protecting the machine by default

So let's ignore the root access problem... well, OK, we won't... Now we have an aggravating problem: BEFORE I even have an opportunity to do ANY hardening of the server, it's spun up and connected to the internet, listening on SSH. While I get that in your book this probably isn't the end of the world, I'm quite "not thrilled" by this. I suppose this problem is mitigated by the fact that I need to install all my services manually, but I'm still not happy. Why wouldn't I get access to firewall rules (as I do in AWS) to limit the attack profile of my server (for example, to only allow SSH from my network)?
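Since the provider gives you neither a non-root user nor a firewall, the practical answer to both problems above is a first-boot script you run yourself, immediately, over that initial root session. The following is an added example (not Rackspace's tooling, and not the post's own code). It assumes an Ubuntu image with OpenSSH, iptables and iptables-restore installed, and that the operator supplies an admin user name, that user's SSH public key, and the CIDR block SSH should be reachable from; the user name `admin`, the key and the `203.0.113.0/24` network in the usage comment are placeholders. The config and firewall pieces are written as functions taking their inputs as parameters so they can be rehearsed on a copy of sshd_config before touching the live system.

```shell
#!/bin/sh
# Added example, not Rackspace's code or the post author's: a first-boot script
# for a server that arrives with root reachable over SSH and no packet filter.
# Assumptions (mine): Ubuntu with OpenSSH, iptables and iptables-restore present;
# the operator supplies an admin user name, that user's SSH public key and the
# CIDR block SSH should be reachable from. All other inbound traffic is dropped.
set -eu

# Accept only dotted-quad IPv4 CIDRs. A typo here would either lock you out or
# open SSH to the world, so refuse anything that does not parse.
valid_cidr() {
    printf '%s' "$1" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Rewrite an sshd_config so root cannot log in and only public keys are accepted.
# The path is a parameter so the edit can be rehearsed on a copy first. Every
# existing occurrence of the three directives (commented, indented, or inside a
# Match block) is removed and the hardened values are prepended, which keeps
# them from landing inside a trailing Match block where they would apply only
# to that match.
harden_sshd_config() {
    cfg="$1"
    tmp="$(mktemp)"
    {
        printf 'PermitRootLogin no\n'
        printf 'PasswordAuthentication no\n'
        printf 'ChallengeResponseAuthentication no\n'
        grep -viE '^[[:space:]]*#?[[:space:]]*(PermitRootLogin|PasswordAuthentication|ChallengeResponseAuthentication)([[:space:]]|$)' "$cfg" || true
    } > "$tmp"
    mv "$tmp" "$cfg"
}

# Emit an iptables-restore ruleset: default-deny inbound, loopback and
# established traffic allowed, ping allowed, new SSH only from the trusted CIDR.
firewall_rules() {
    trusted="$1"
    valid_cidr "$trusted" || { echo "firewall_rules: bad CIDR '$trusted'" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -s $trusted --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Create the non-root admin account with key-only login and sudo rights.
create_admin_user() {
    name="$1"; pubkey="$2"
    adduser --disabled-password --gecos '' "$name"
    usermod -aG sudo "$name"
    install -d -m 700 -o "$name" -g "$name" "/home/$name/.ssh"
    printf '%s\n' "$pubkey" > "/home/$name/.ssh/authorized_keys"
    chown "$name:$name" "/home/$name/.ssh/authorized_keys"
    chmod 600 "/home/$name/.ssh/authorized_keys"
}

# Order matters: the firewall and the new user go in before root login is cut,
# and sshd is only restarted after the new config passes `sshd -t`.
apply_hardening() {
    name="$1"; pubkey="$2"; trusted="$3"
    firewall_rules "$trusted" | iptables-restore
    create_admin_user "$name" "$pubkey"
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t
    service ssh restart
}

# Only touch the live system when explicitly asked, e.g. (placeholder values):
#   HARDEN_APPLY=yes ./harden.sh admin "ssh-ed25519 AAAA... admin@laptop" 203.0.113.0/24
if [ "${HARDEN_APPLY:-}" = "yes" ]; then
    apply_hardening "$1" "$2" "$3"
fi
```

Keep the original root session open until you have confirmed, from a second terminal, that the new user can log in with its key and `sudo`; if `sshd -t` fails or the firewall rule has the wrong source network, that open session is the only way back in. The iptables rules here are not persistent across reboots on their own; install `iptables-persistent` (or save the ruleset into whatever boot mechanism the image uses) once they are verified.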

Rackspace, come on guys, I just can't believe you're still doing this. It's been a couple of years now; you should have learned by now! I can't imagine this is an expensive proposition. Hell, problem #1 was already fixed by the Ubuntu team by default; you actually had to do work to defeat their efforts.

If your philosophical stance is that "this is an acceptable risk for my customers," well then, good luck to you. Glad you made that decision for me; I'll be moving on to other providers that care about my business.