PSA for people who rent dedicated servers

SagnikS (Hosting Provider, OG)

Heya,
Recently, I was diagnosing something on a client's server, and it came to my notice that both the disks were failing. So, I asked the DC to get 1 replaced asap, and planned to get the other one later, when the RAID was rebuilt. After waiting for around 2.5 days, they replaced the disk, and on booting the server I see that the replaced disk has LVMs in it. I was curious if the DC formatted it like that (which is very unusual and doesn't make sense since it would be added to a RAID anyway), and apparently not. It was a CloudLinux installation. I didn't go any further, and formatted the drive and added it to my array.

tl;dr: Before you ask the DC to replace a disk, make sure you remove the data that's already present on the disk (overwrite it multiple times, with zeroes, or whatever).

PS: The provider is based out of ColoCrossing, has a super old LET Flash Sales Thread and its name sounds like a VPS Hosting company. :P

Thanked by (1)masedi
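A read-only way to check whether a disk still carries a previous tenant's data, such as the LVM volumes found on the replacement above, before handing it back or after receiving it. This is an added example, not part of the original post; the function names are illustrative and it assumes 512-byte logical sectors.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of a disk or image for a previous tenant's data.

# Print LEN bytes at byte OFFSET of TARGET as lowercase hex.
hex_at() {  # hex_at TARGET OFFSET LEN
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Echo one word per known on-disk signature found; nothing if none.
residual_signatures() {  # residual_signatures TARGET
  local t s
  t=$1
  # LUKS1/LUKS2 header magic "LUKS" 0xBA 0xBE at byte 0
  [ "$(hex_at "$t" 0 6)" = "4c554b53babe" ] && echo luks
  # LVM2 physical-volume label "LABELONE" at the start of one of the first 4 sectors
  for s in 0 512 1024 1536; do
    [ "$(hex_at "$t" "$s" 8)" = "4c4142454c4f4e45" ] && { echo lvm2_pv; break; }
  done
  # Boot signature 0x55 0xAA at bytes 510-511 (MBR, or GPT's protective MBR)
  [ "$(hex_at "$t" 510 2)" = "55aa" ] && echo mbr_or_gpt
  return 0
}

# Succeed only if every byte of TARGET is zero (reads the whole target).
is_zeroed() {  # is_zeroed TARGET
  local n
  n=$(tr -d '\000' < "$1" | head -c 1 | wc -c)
  [ "$n" -eq 0 ]
}

# Constructed samples: a zeroed 1 MiB image, and a copy with an LVM2 label
# written at sector 1, standing in for a "replacement" disk that was reused.
make_samples() {
  SAMPLE_DIR=$(mktemp -d)
  dd if=/dev/zero of="$SAMPLE_DIR/wiped.img" bs=1024 count=1024 2>/dev/null
  cp "$SAMPLE_DIR/wiped.img" "$SAMPLE_DIR/reused.img"
  printf 'LABELONE' | dd of="$SAMPLE_DIR/reused.img" bs=1 seek=512 conv=notrunc 2>/dev/null
}

make_samples
for img in "$SAMPLE_DIR/wiped.img" "$SAMPLE_DIR/reused.img"; do
  if is_zeroed "$img"; then state=zeroed; else state=NOT-zeroed; fi
  echo "$img: $state, signatures: $(residual_signatures "$img" | tr '\n' ' ')"
done
```

Against real hardware the functions take a block device path instead of an image and need root; `wipefs` with no options and `lsblk -f` list the same kind of signatures without modifying the disk.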

Comments

  • InceptionHosting (Hosting Provider, OG)
    edited December 2019

    Brings the question of where the responsibility lies I suppose.

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • SagnikS (Hosting Provider, OG)

    @AnthonySmith said:
    Brings the question of where the responsibility lies I suppose.

    Personally, I feel it's the responsibility of the provider to erase all data on a drive before reassigning it to another customer. Also I believe this is violating their Privacy Policy. ?

  • WSS (OG, Retired)

    I nuke my drives before handing them back, and for any dedicated clients, I lock out their IPMI while I then format any drives associated, and only then hand it back to them. If a drive is unusable and can't be safely wiped, it goes into the shred bin. Not worth the headache trying to save generally useless parts.

    My pronouns are like/subscribe.

  • ulayer (Hosting Provider, OG)

    Sounds fishy... any reliable and trusted datacenter will wipe and test the drive(s) after replacing. Not only to wipe customer data, but to simply validate that the drive really is bad and needs to be RMA'd or tossed.

    But this is one of the many reasons why we use LUKS on all of our disks.

    Thanked by (1)SagnikS

    Universal Layer LLC, a privacy conscious hosting provider
    Check us out @ ulayer.net / twitter.com/ulayer_net

  • @ulayer said:
    to simply validate that the drive really is bad and needs to be RMA'd or tossed.

    +1

    But this is one of the many reasons why we use LUKS on all of our disks.

    Yeah, it costs virtually nothing today.

    Thanked by (1)ulayer
  • SagnikS (Hosting Provider, OG)
    edited December 2019

    @ulayer said: But this is one of the many reasons why we use LUKS on all of our disks.

    Does that mean you have to put in the passphrase every time you reboot a server? :sweat_smile:

  • InceptionHosting (Hosting Provider, OG)
    edited December 2019

    SagnikS said: Personally, I feel it's the responsibility of the provider to erase all data on a drive before reassigning it to another customer.

    I don't know to be honest.

    If I leased a dedicated server, did not erase data that was sensitive properly before handing it back and the DC then reused the drive and someone got hold of the data, I would blame myself.

    Unless that is I was paying for a secure erase as part of the service.

    That said, if I was running a DC, I would for sure have a disk reuse policy which would include a process for at least 0'ing rented drives after pull.

    Thanked by (1)mfs

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • @SagnikS said: Does that mean you have to put in the passphrase every time you reboot a server?

    Assuming you won't encrypt /boot, with a dracut module or a dropbear initramfs (depending on the distro) you may input a passphrase via SSH before boot or auto-fetch a remote key you make available online or, better, unlock using clevis+tang

    Thanked by (2)ulayer SagnikS
  • funkywizard (Hosting Provider, OG)

    @SagnikS said:

    @AnthonySmith said:
    Brings the question of where the responsibility lies I suppose.

    Personally, I feel it's the responsibility of the provider to erase all data on a drive before reassigning it to another customer. Also I believe this is violating their Privacy Policy. ?

    I agree

  • ulayer (Hosting Provider, OG)
    edited December 2019

    @SagnikS said:

    @ulayer said: But this is one of the many reasons why we use LUKS on all of our disks.

    Does that mean you have to put in the passphrase every time you reboot a server? :sweat_smile:

    As of now, we unlock our disks via dropbear (SSH daemon) that starts up in initramfs. But, in the future we'll have everything automatically unlock on boot with Clevis and Tang. I just have to automate its deployment and do a bunch of testing https://wiki.inf.ed.ac.uk/DICE/MPUTangAndClevisTrial

    I thought of writing a shell script that would check all servers to see if a LUKS passphrase needed to be entered (i.e. a server rebooted randomly and came back up waiting on passphrase) although this could be fooled by someone with enough dedication to capture our LUKS passphrases.

    Thanked by (2)mfs SagnikS

    Universal Layer LLC, a privacy conscious hosting provider
    Check us out @ ulayer.net / twitter.com/ulayer_net

  • ulayer (Hosting Provider, OG)

    @mfs said:

    @SagnikS said: Does that mean you have to put in the passphrase every time you reboot a server?

    Assuming you won't encrypt /boot, with a dracut module or a dropbear initramfs (depending on the distro) you may input a passphrase via SSH before boot or auto-fetch a remote key you make available online or, better, unlock using clevis+tang

    Spot on, you beat me to it!

    Thanked by (1)mfs

    Universal Layer LLC, a privacy conscious hosting provider
    Check us out @ ulayer.net / twitter.com/ulayer_net

  • Neoon (OG)
    edited December 2019

    If you wait 2.5 Days to get a disk replaced, take your data and move along.
    I pay Ikoula 4.99 on a dedicated, I got the mainboard replaced and diagnosed within 4 hours.

  • SagnikS (Hosting Provider, OG)

    @Neoon said:
    If you wait 2.5 Days to get a disk replaced, take your data and move along.
    I pay Ikoula 4.99 on a dedicated, I got the mainboard replaced and diagnosed within 4 hours.

    Yeah it sucks, not my server, so I can't do much unfortunately, apart from suggesting the client to switch. There aren't many value options in US either, from what I've seen. :sweat_smile:

  • PureVoltage (Hosting Provider, OG)

    The provider should make sure it's done, however does this fall on CC? Or the other company depends on who the hardware came from. If they just resell from another company might not have known.

    Always wipe anything you can on your dedicated servers that's for sure.

    PureVoltage - Custom Dedicated Servers Dual E5-2680v3 64gb ram 1TB nvme 100TB/10g $145
    New York Colocation - Amazing pricing 1U-48U+

  • The pre-Internet example of this is renting a porn VHS and not only is tape not rewound to the beginning (even worse, past the last interesting bit), but shows who last rented it.

  • @AlSwearengen said:
    The pre-Internet example of this is renting a porn VHS and not only is tape not rewound to the beginning (even worse, past the last interesting bit), but shows who last rented it.

    Love the username reference.

    Thanked by (1)AlSwearengen
  • SagnikS (Hosting Provider, OG)

    Update: Got the other disk replaced on the server (both disks were dying, so got them replaced one by one), and guess what, it directly booted from their "new" disk into another system that was on the disk lol.

  • WSS (OG, Retired)

    @AlSwearengen said:
    The pre-Internet example of this is renting a porn VHS and not only is tape not rewound to the beginning (even worse, past the last interesting bit), but shows who last rented it.

    You do realize that the public library system "National Geographic" specials are not generally considered to be pornography, right?

    My pronouns are like/subscribe.

  • SagnikS (Hosting Provider, OG)

    YAU (yet another update): Their new replaced disk has reallocated sectors.

    This is too much to deal with lol, for a $50/mo server. The company is Virmach, if you want to buy a dedicated server from them, be careful. On a side note, their DDoS protection does absolutely nothing.

    Thanked by (4)falceso cybertech mfs ulayer
  • @WSS said:

    @AlSwearengen said:
    The pre-Internet example of this is renting a porn VHS and not only is tape not rewound to the beginning (even worse, past the last interesting bit), but shows who last rented it.

    You do realize that the public library system "National Geographic" specials are not generally considered to be pornography, right?

    You must have really creeped out your local librarian.

  • WSS (OG, Retired)

    @AlSwearengen said:

    @WSS said:

    @AlSwearengen said:
    The pre-Internet example of this is renting a porn VHS and not only is tape not rewound to the beginning (even worse, past the last interesting bit), but shows who last rented it.

    You do realize that the public library system "National Geographic" specials are not generally considered to be pornography, right?

    You must have really creeped out your local librarian.

    Why only creep them out? I like to cosplay as a homeless man and bathe in the public restroom sinks one limb at a time.

    My pronouns are like/subscribe.

  • @WSS said:
    Why only creep them out? I like to cosplay as a homeless man and bathe in the public restroom sinks one limb at a time.

    That's a little too real here. The central library is next to the bus stop, and they should have modelled the restrooms after truck stop showers.
