A Chat With Slicehost Support

An interesting chat with slicehost support, about security and responsibility on their slices. Also a great example of what modern IT support can look like.

You walk into https://chat.slicehost.com/ and within seconds, you have a support person answering you.

I contacted them to hear about

  • who takes responsibility for what on a slice
  • firewalls / port restrictions on their slices

The short summary is:

  • As the user of a slice, you are fully responsible for your systems security - by default, the slices are fully open and unprotected.

Here s the chat:

sebastian has entered the room
10:45:33 AM  sebastian  hello @ slicehost
10:45:41 AM  *Sulo  hi
10:46:46 AM  sebastian  i d like to ask a question regarding firewalls and ports - many of my colleagues here at university are using slices, and i was wondering:
10:47:18 AM  sebastian  when you get a default linux slice, are there firewalls / port restrictions in front of that, or is such a slice fully open?
10:51:26 AM  *Jon  When you first sign up, your slice is fully open. You get a fairly bare, simple image. We highly recommend you set up a firewall once you get your slice up.
10:52:03 AM  *Jon  We have some guides to help walk you through that set up here: https://support.slicehost.com/admin.php?pg=request&reqid=472479
10:52:32 AM  *Nate  sebastian: certain distro's such as RHEL and CentOS have a pre-configured firewall
10:52:47 AM  *Jon  http://articles.slicehost.com/
10:53:07 AM  sebastian  But. in any case - it s the users responsibility, yes?
10:53:25 AM  *Nate  sebastian: check out - http://articles.slicehost.com/2011/2/21/introducing-iptables-part-1 and http://articles.slicehost.com/2011/2/21/introducing-iptables-part-2 and http://articles.slicehost.com/2011/2/21/introducing-iptables-part-3
10:53:32 AM  sebastian  i m asking cos in that case i d wanna educate my colleagues a bit :)
10:53:44 AM  *Nate  sebastian: you don't have to setup a firewall.
10:54:07 AM  *Nate  sebastian: it can help prevent compromises though
10:55:01 AM  sebastian  get it. that s my point. so, i should educate colleagues to not have a user "test/test" :)
10:55:17 AM  *Nate  yeah, exactly
10:56:16 AM  sebastian  because, if they do and find a nice little rootkit installed on their slice - it s their own responsibility
10:56:57 AM  sebastian  there s no slicehost infrastructure around the slices that ll protect them much
10:58:00 AM  *Nate  sebastian: not so much. We do network maintenance regarding DDOS and those types of attacks. You can use fail2ban and similar to fight off forced entry etc
10:59:59 AM  sebastian  right, yes that s the kinda tools i recommend to folks - fail2ban, denyhosts, etc
11:00:51 AM  sebastian  thanks - got all my Qs answered :)
11:01:09 AM  *Nate  sebastian: no problem. Let us know if you need anything else
11:03:37 AM  sebastian  thanks - good support mode btw - beats mail n phone.
11:03:57 AM  *Nate  sebastian: heh, I hear that