From: Aryeh Friedman
Date: Thu, 13 Aug 2020 14:56:43 -0400
Subject: OT: Dealing with a hosting company with its head up its rear end
To: FreeBSD Mailing List

The hosting company for one of our clients sent the following reply to us/them when we asked them to set up end-user accounts on a dedicated Windows Server, FreeBSD box and CentOS box (all VMs on the same physical machine with no other VMs on the physical machine) and being told we needed scriptable access (not web-based non-scriptable) to the Windows desktop and shell accounts (including the ability to sudo) and they agreed to provide it:

"[Insert client name here], we do not allow RDP or SSH into our datacenter. They are the primary vehicles for ransomware and cryptolocker breaches. We utilize a secure access portal with multi-factor authentication to ensure you don't get breached."

I kind of understand RDP (but we have had bad luck with VNC on the same hosting provider in the past so we prefer RDP), but SSH!?!?!?!?! Their idea of a "two factor" authentication is each connection will only be allowed via a web portal and must use a one-time password sent to the user's smartphone. Not only does this make automated deploy impossible, it is a complete show stopper since our service is IoT and uses its own custom protocol.

So how do we/the client tell the hosting company they are full of sh*t (the client has a 3 year contract with a pay in full to break clause with them which would be over $100k to break)?

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org