EH-Net

Hi there,

I received a request from a colleague to run some vulnerability scans on a public-facing box he's about to go live with. He is 100% willing to write me a formal letter of request to perform the scans, and specify the extent of the testing authorized. However, I'm wondering what the best practice is when doing this over from residential ISP. Are there friendly cloud/VPS providers you'd suggest? Is this type of thing allowed by ISPs without violating the ToS? My fear is that I'll start some basic scanning and have my internet access shut off, and have it take a while to sort out by presenting the proper authorization documents to the ISP. Any help is appreciated!

Once you have obtained written permission from the explicit owner of the box, consult with your ISP. Ultimately, they are the only ones who will be able to tell you if you are violating their ToS.

I agree with m0wgli. Most of the providers have a "compliance with all laws" part in their ToS which basically says that you have to take care of all applicable laws and regulations from the country of your provider and your country. So your best bet would be to ask your provider directly.

Thanks folks. I spoke with a representative with Time Warner Cable; he told me that this is NOT a violation of ToS and is "absolutely okay" as long as its done with consent, and isn't being done maliciously. He was even nice enough to email me a summary of our discussion "just in case."

You might want to also check if they block any traffic on their residential connections (you may not get an entirely honest answer here though).

For example, an ISP may only allow 80 and 443 inbound for business accounts. Was a service not vulnerable to an exploit, or did your reverse shell fail because that traffic was silently blocked by your ISP?

If you don't want to go the business account route, check out http://www.arpnetworks.com/ for an affordable VPS.

I agree with the above comments.

You may also want to check VPSCOLO for cheap VPS options. I pay about $50/year with them. They didn't have any problem with me doing any sort of testing.

I really am not a fan of VNC for any systems I am storing sensitive data on ... :(

I do like their prices though, am currently using https://www.linode.com/ 1024 w/backup now and that winds up running me about $15 more a month than arpnetworks. I've been very happy with their service but this discussion prompted me to look for some other cheaper options. I used the hackingmachines BT5 VPS for awhile and am technically still a customer but theres no management and its really expensive.

Was that a typo for VPS, or are you referring to the VNC management? You can upload SSH keys over HTTPS and use VNC over an SSH tunnel.

Regarding VPSes in general, you can implement disk encryption, change root passwords, and implement any other control or hardening procedure. With that level of control, I don't see it being any less secure than collocating a server.

Also, aside from network-intensive activities like nmap scans, I primarily use it as a proxy. This is especially true for GUI tools like Burp that I'd rather run locally.

I've got the same without back up. one thing I have been really impressed with is their security responses. I've had a few automated SSH Brute force attacks hit my server from other linode customers. They have been very prompt to respond.

Yeah I was referring to VNC for console access. Have not used their service so was not sure how much control you had over the console (assumed was shared) to lockdown VNC but not sure why they wouldn't use something like nxserver to shovel X11 over SSH. It's a much more secure config in my opinion. It's not free but neatx or freenx implement the GPL'd libraries from the commercial version and work just as well. I use FOSS nxserver versions (usually freenx) with the commercial client (also free) and find it to be a much better way to manage via GUI.

VNC is used for out-of-band management, so you can get into the BIOS, etc. As I mentioned before, you can tunnel that over SSH.

Whether you install the OS yourself, or go with one of their default builds, you can install whatever software you want and use that. You're not required to use VNC for remote administration.