From owner-freebsd-questions@freebsd.org Fri Aug 14 06:52:43 2020
From: Aryeh Friedman
Date: Fri, 14 Aug 2020 02:52:29 -0400
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end
To: Polytropon
Cc: "Steve O'Hara-Smith", André Boon, FreeBSD Mailing List
In-Reply-To: <20200814082953.7647b2f6.freebsd@edvax.de>
References: <40xvq0.qf0q3x.1hge1ap-qmf@smtp.boon.family> <20200814004312.bb0dd9f1.freebsd@edvax.de> <20200814065701.2b390145ac6d189161bc31b4@sohara.org> <20200814082953.7647b2f6.freebsd@edvax.de>

On Fri, Aug 14, 2020 at 2:29 AM Polytropon wrote:
> On Fri, 14 Aug 2020 06:57:01 +0100, Steve O'Hara-Smith wrote:
> > On Fri, 14 Aug 2020 00:43:12 +0200
> > Polytropon wrote:
> >
> > > On Thu, 13 Aug 2020 16:12:18 -0400, Aryeh Friedman wrote:
> > > > They have a whacko firewall config that will eat 443/decrypt it/forward
> > > > it on as plain http via a proxy on the firewall
> > >
> > > So what you're saying is: They don't care about security,
> > > in fact, they're making things worse, by being the "man in
> > > the middle"?! Wow...
> >
> > It is a very common corporate firewall technique, and appropriate
> > in that context. But for a hosting company it seems odd.
> >
> > > "Boohoohoo! SSH is so insecure, we must not allow that!"
> >
> > Again many corporate firewalls don't allow ssh out (or in directly)
> > because tunnelling bypasses the firewalls. And again it seems odd for a
> > hosting company.
>
> Exactly my impression. For a regular "boring paper office",
> such limitations are not a surprise, and seem to work fine,
> eliminating a few of the most common attack vectors. Smear
> a few gallons of snake oil on the whole IT infrastructure
> and perform security theatre twice a month, and everyone
> will be happy. And look at the shiny new ISO-9660 certificate
> we have bought!
>
> Again, as a _hosting_ service, the decisions mentioned above,
> especially with no usable workaround ("Due to security
> considerations, we do offer a different way of doing this.")
> is really strange. VPN can help to a certain degree, but
> crippling the networking between VMs (and of the VMs to
> the outside where the devices are located which needs to
> be communicated with) looks quite contrary to what one would
> assume a hosting company would be doing... but hey, what do
> I know, I'm just a stupid old man... ;-)
>

1. I should mention that the firewall/VPN situation we mentioned is what they are attempting to force us to move towards, but currently, since we were customers before the Great Firewall of NewTek Hosting Services (I might as well name them by name so people know who to avoid; for completeness, the full name is "NewTek Hosting Services, a division of NewTek Business Solutions"), we were grandfathered in with our current config. But we fear that due to political factors (the new head of technical operations not only put this monstrosity in place but was described -- by our old tech when being informed that they were no longer authorized to talk to us -- as being "an asshole") they might "forget" we are grandfathered in. The new config they want us to use is even worse in that they will not even allow VPN access under it. Since we have medical IoT devices (using a custom port/protocol), forcing us into their "correct (in)security" way of doing things will not only be a show stopper but life threatening to the patients of our clients' own clients (mostly cardiologists but a few other doctors) who use the system to do long-term cardiac diagnosis for deciding things like do you need a pacemaker/open heart surgery/etc.

2. Their internal infrastructure, which was decent in its config using true server-grade OSs [here I admit Linsucks is better than Window$, but it is still much worse for a desktop], just got completely gutted and replaced (without any customers being told) by a complete monstrosity, as demonstrated by the following comment when they finally added our reverse DNS (see other message in thread): "I have made the necessary adjustments to the rDNS/PTR records on your domain controller" (who the f*ck uses Windows to run a hosting service except for MicroSlut with Azure!... it should be noted that when they set up the VPN it was via our Windows Server, not a *nix-based/dedicated firewall)

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
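A defender-side check for the interception described in the thread (a firewall that terminates 443, decrypts it and forwards it onward), added here as an example and not code from the thread or from PetiteCloud: a re-signing proxy has to present its own certificate to the client, so comparing the leaf a client actually receives against the issuer CN and, optionally, the SHA-256 fingerprint the server operator deployed reveals it. Host names, issuer CNs and the DER bytes used in testing are constructed, and `probe` is only a thin wrapper around the stdlib `ssl` module.

```python
"""Detect a TLS-terminating proxy between a client and a server on port 443.

Added example: compare the leaf certificate the client is shown with the
issuer CN (and optionally the pinned SHA-256 fingerprint) of the deployed one.
"""
import hashlib
import socket
import ssl


def sha256_hex(der):
    """Fingerprint of a DER-encoded certificate, as most TLS tools display it."""
    return hashlib.sha256(der).hexdigest()


def issuer_cn(cert):
    """Extract the issuer commonName from the nested tuples getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify_cert(cert, der, expected_issuer_cn, pinned_sha256=None):
    """Return 'ok', 'intercepted', 'pin_mismatch' or 'unknown' for one leaf cert."""
    if pinned_sha256 and sha256_hex(der) == pinned_sha256.lower():
        return "ok"  # byte-identical to the deployed cert: nobody re-signed it
    issuer = issuer_cn(cert)
    if issuer is None:
        return "unknown"  # empty dict: verification was skipped, no parsed fields
    if issuer != expected_issuer_cn:
        return "intercepted"  # a different CA signed what the client received
    return "pin_mismatch" if pinned_sha256 else "ok"  # same CA; perhaps a renewal


def probe(host, expected_issuer_cn, pinned_sha256=None, port=443, timeout=5.0):
    """Connect with normal verification. An interceptor whose CA the client does
    not trust fails the handshake; one whose CA was installed on the client is
    caught by the issuer/pin comparison instead."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_cert(tls.getpeercert(), tls.getpeercert(binary_form=True),
                                     expected_issuer_cn, pinned_sha256)
    except ssl.SSLCertVerificationError:
        return "intercepted"  # chain does not lead to a CA this client trusts
```

Run `probe("your.host.example", "Your Issuing CA")` from the network segment you want to check; a result other than "ok" means the certificate path between that client and the server has been altered somewhere.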