From: "Dr. Nikolaus Klepp"
To: freebsd-questions@freebsd.org
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end
Date: Thu, 13 Aug 2020 21:08:18 +0200

Anno domini 2020 Thu, 13 Aug 14:58:54 -0400
Aryeh Friedman scripsit:
> Forgot to ask how common is such idiocy? And is it becoming more common?

Speaking of Austria: Not common for hosting providers, but the bigger they
get the less knowledge they have. But for software companies that sell
anything based on MSSQL it's quite standard behavior.
Usually the talk gets interesting when you demand a guarantee with penalty
(contractor has to pay for lost service etc.) if something goes wrong with
their proposed superduper solution.

Nik

>
> On Thu, Aug 13, 2020 at 2:56 PM Aryeh Friedman wrote:
>
> > The hosting company for one of our clients sent the following reply to
> > us/them when we asked them to set up end user accounts on a dedicated
> > Windows Server, FreeBSD box and CentOS box (all VMs on the same physical
> > machine with no other VMs on the physical machine) and being told we
> > needed scriptable access (not web based non-scriptable) to the Windows
> > desktop and shell accounts (including the ability to sudo) and they agreed
> > to provide it:
> >
> > "[Insert client name here], we do not allow RDP or SSH into our
> > datacenter. They are the primary vehicles for ransomware and cryptolocker
> > breaches. We utilize a secure access portal with multi-factor
> > authentication to ensure you don't get breached."
> >
> > I kind of understand RDP (but we have had bad luck with VNC on the same
> > hosting provider in the past so we prefer RDP), but SSH!?!?!?!?! Their
> > idea of a "two factor" authentication is each connection will only be
> > allowed via a web portal and must use a one-time password sent to the
> > user's smartphone. Not only does this make automated deploy impossible, it
> > is a complete show stopper since our service is IoT and uses its own custom
> > protocol.
> >
> > So how do we/the client tell the hosting company they are full of sh*t
> > (the client has a 3 year contract with a pay in full to break clause with
> > them which would be over $100k to break)
> >
> > --
> > Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
> >
>

--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...