Backup user on Dreamhost? BE CAREFUL!
Posted by scott in dreamhost, linux, security, technology, ubuntu, webhosting on 2010.03.10
Dreamhost offers the rather sweet deal of 50GB storage for backups accessible by FTP/SFTP/RSYNC on top of their unlimited storage for serving purposes only. There’s just a small problem with that: MY HOME DIRECTORY WAS CREATED WITH PERMISSIONS 755!
That’s a serious breach of security. A quick look showed that I wasn’t the only one; I saw file listings for what appeared to be private encryption keys and even financial data! So a word of caution to anyone considering using their backup user account to store anything even remotely private: DON’T!
That word of caution even extends to backing up your web sites! Remember that .htpasswd and .htaccess files could be included! A backup of your PHP+MySQL website will give full access to your database! And if you’re not mixing it up with respect to your other passwords, you’re putting yourself even further at risk. So remember, play safe octal (the pun works better with hexadecimal) and put a 700 or 750 on that baby!
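A way to check for the 755 problem and apply the 750-style fix, as an added example that is not part of the original post. It assumes a shell on the machine that holds the directory and GNU coreutils `stat -c`; the function names and the throwaway directory in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux with GNU
# coreutils `stat -c`; the directory and file names in demo() are constructed.

# Print the octal permission bits of a path, e.g. 755.
path_mode() {
    stat -c '%a' -- "$1"
}

# Succeed if an octal mode grants anything to "other" (last digit non-zero),
# which is what makes a 755 home directory listable by other users.
exposes_others() {
    [ "${1#"${1%?}"}" != "0" ]
}

# List every non-symlink entry under DIR that "other" can read, write or enter.
list_exposed() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Strip all "other" bits from DIR and everything below it (755 -> 750,
# 644 -> 640), then print the resulting mode of DIR itself.
lock_down() {
    chmod -R o-rwx -- "$1"
    path_mode "$1"
}

# Constructed demonstration in a throwaway directory.
demo() {
    d=$(mktemp -d)
    mkdir "$d/backup" && chmod 755 "$d/backup"
    : > "$d/backup/.htpasswd" && chmod 644 "$d/backup/.htpasswd"
    echo "before: $(path_mode "$d/backup"), exposed entries:"
    list_exposed "$d/backup"
    echo "after:  $(lock_down "$d/backup")"
    rm -rf -- "$d"
}
demo
```

Running list_exposed again after lock_down should print nothing; any path it still prints is readable, writable or traversable by other accounts on the server.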
So if you want your data safe and are still going to use this service… read on!
Take responsibility for your data. Nobody’s perfect, and an admin can easily do a chmod in the wrong directory. So if you’re going to put anything even remotely private into your backup user account, encrypt it! Either deliver it encrypted (GPG?) or encrypt the filesystem.
Since Dreamhost offers SFTP, take advantage of it and use sshfs+encfs for an added layer of security. The package sshfs will allow for encrypted transport (with local filesystem mounting) and encfs will allow for encrypted storage. Win-win.
In Ubuntu, install the packages:
mortimer$ sudo apt-get install sshfs encfs
Add yourself to the fuse group.
mortimer$ sudo adduser $USER fuse
Make local directories for your sshfs mountpoint and your encfs mountpoint:
mortimer$ mkdir -p ~/webhosting/dreamhost/sshfs.dreamhost.mountpoint ~/webhosting/dreamhost/encfs.dreamhost.mountpoint
Log in to your backup account. Note the absolute path of your directory for later. Do a chmod 750 on your directory! Make the directories ~/files and ~/files/encfs in your Dreamhost backup account.
Connect using sshfs to your Dreamhost account:
mortimer$ sshfs -ouid=$(id -u) -ogid=$(id -g) <YOUR-DREAMHOST-BACKUP-USER>@<YOUR-DREAMHOST-BACKUP-SERVER>.dreamhost.com:/<YOUR-ABSOLUTE-PATH-ON-YOUR-DREAMHOST-BACKUP-SERVER>/files/encfs /home/${USER}/webhosting/dreamhost/sshfs.dreamhost.mountpoint
Connect using encfs to your mounted sshfs partition:
mortimer$ encfs ~/webhosting/dreamhost/sshfs.dreamhost.mountpoint/ ~/webhosting/dreamhost/encfs.dreamhost.mountpoint
(The first time you do this:)
Creating new encrypted volume.
Please choose from one of the following options:
enter “x” for expert configuration mode,
enter “p” for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> p
Choose a decent password for your files!
To unmount: unmount the encfs filesystem first and then unmount the sshfs filesystem.
milo$ fusermount -u ~/webhosting/dreamhost/encfs.dreamhost.mountpoint
milo$ fusermount -u ~/webhosting/dreamhost/sshfs.dreamhost.mountpoint
I’ve let Dreamhost know. By the time this gets crawled, Dreamhost should have this fixed hopefully.