I'm curious, is there anything that could be put in place to make the SliceManager more secure?

I've read article after article about making my Ubuntu installation secure, but the SliceManager seems extremely vulnerable.

All someone has to do is get one password (the password to your SliceManager) and they then have access to basically just delete your entire slice...correct?

I bring this up because I had this very thing happen to me at a former dedicate server host of mine. A hacker was able to get my password to the admin area that managed all my servers and then he proceeded to reformat the servers.

If there were some way to make certain actions more secure or require an extra level of verification, that would be really nice.

I would really like it that no one be able to close an account or even reformat a slice without confirming they have access to the account email.
Or for a setting allowing only logins from specific IPs (which are confirmed via email) to execute such. I know it adds some stress to SliceHost and could probably result in more support requests than you'd like to deal with but I'm sure it would make everybody feel a lot safer.

Your requests are noted. We are definitely open for suggestions on this topic. We are formulating some ideas to potentially cover the concern areas, I’ll add to this thread when its fleshed out enough for discussion.

I personally like the Verisign PIP suggestion that requires a security key, but I understand that's not something easily implemented or scaled easily.

Really even just having security/verification questions for certain tasks would be a step in the right direction.

Examples:
* Verify your full credit card number on file to complete this task
* What are the last 4 digits of your drivers license (a question set on account creation...any question could be asked this way)

You could also maybe require email confirmation from two email addresses. When I had my problem before with the other host, the hacker had gained control of my email account (it was a gmail address) and so he was able to retrieve my password. But if you required 2 email addresses on file (one of which is NOT a free email account) you could send verification links to both addresses which would greatly reduce anyone's ability to perform damaging tasks.

First things first, pick a good password. Make it a passphrase, or a pass-sentence, or even a passnovel. Make it really super-long, and write it down. I know that's something you're not supposed to do, but if you do it, then you can have a super-long unique password. What're the chances some burglar's gonna know what some random sentence on a scrap of paper means?

For authentication, it'd be cool if I could get some other use out of this paypal security key I have, so I'll have to check out openid. I'll also throw a suggestion into the heap: SSL client authentication. Slicehost could set up a self-signed CA, and issue signed client certificates to users upon request. We'd take these keys (usually in .p12 format) and import them into firefox (or opera or ie or whatever). Slicehost's http server would be set up to have client authentication be optional, accepting client certificates signed by their CA. Then their backend scripts can just look at the SSL_ environment variables that the http server sets to see what the CN of the client certificate is. I can explain this better if need be.

This would mean that only someone who had access to the client certicate for an account AND provided the normal username/password could log in, if they turned on an option to require the certificate. I use this kind of authentication for my personal projects on my webserver, and it works great and is simple to use on the client side.

Good suggestions so far guys. Still rolling around some ideas here, the main two driving principles for us

1. As much as possible, all things should be completely automated (including the mechanisms for retrieving forgotten passwords)
2. New features should not add complexity for users that do not want them

There are a couple of easier to implement items that we’ve thought of, most of which could be simple check box options in an account security section of the SliceManager-

a. receive notifications via email of failed and/or successful login attempts to a SliceManager account (including source IP)
b. disable emailing of initial build/rebuild slice password (passwords are still displayed on the web page once after the request is made)
c. disable password based login to the slicemanager (allowing only openid login)

A potentially more sticky thing to implement would be some type of ‘enable mode’ for accounts. This could work similar to how switches/routers have a privileged mode that you need to enter in order to perform potentially destructive tasks. It would take the form of a secondary password/passphrase that needs to be entered after already logged in. We could set it up such that this password is not resettable as simply as the main account login password, perhaps via email to both primary and secondary addresses or verification of some facts about the account.

I do like the ideas brought up about IP login restriction and SSL based authentication, however, I do think the complexity level is a little high for the extra benefit. We definitely want to avoid support tickets over confusion regarding what IP you are trying to log in from and things of that nature. Its troublesome because you can’t exactly display an informational error to the person supplying correct credentials from the wrong IP, that would basically defeat the purpose of the restriction. Also SSL based methods will basically lock you out of your account if you are ever forced to use a different machine. Possibly not a problem for many, but I could see it creating issues for some. In addition the extra steps involved in making that work with your browser may be enough to filter out less savvy customers from being able to (or understanding how to) take advantage of the feature.

I wanted to get some rudimentary thoughts out while the thread was still somewhat alive, this isn’t near as fully thought out as I’d hoped, but please comment on the above ideas. In particular if you do like the ‘enable mode’ feature, I’m open for suggestions on a solid and secure way to reset a forgotten passphrase in an automated way. Keep in mind that billing details like address, last 4 digits of the card, etc are emailed to the account holder on invoices so that isn’t really a good shared secret.

to delete a slice, small charges are made to the credit card that have to be entered into slice manager (after checking out the amounts on internet banking). the amounts are credited to the balance of the account :) murder on your merchant costs, i'm sure :P

no way shpigford, the last we need is using CC#‘s as verification id. worst idea i have heard in a long time.

What is needed is something like, if you delete a slice, make an automatic 24 or 48hr wait period and require email token challenge/response verification.

ideally an rsa style keytag would be cool but there is a huge expense on the side of slicehost.

it would be easy to use/verify with gpg signatures. slicehost has theirs, and they have our pub key. they encrypt token/phrase/hash in email and we decrypt it.

that can be automaed on their side, and well protected on ours.

i still like the idea of tagging slices for callback verification to delete, except then the attacker just has to change the phone number before deleting anything :/

I think SSL client certificates are a good all-around solution. Are these portable? If so, I could carry my certificate with me on an encrypted USB thumb drive if I ever need to gain access from a different machine. Of course, if it is not my machine, the onus would be on me to uninstall it when I am finished. (This should be optional, so only those who really feel the need for the extra layer of security need deal with certificates.)

Other ideas I like in addition:

1) Don’t email passwords – especially root passwords – ever. I have asked for this before.

2) Receive notifications of login attempts.

And while this is a bit off-topic, I would love to see ssh-based console access with passwordless key-based authentication. The Ajax terminal is great, but nothing beats being able to log in via Terminal. A previous Xen-based VPS host I used (RimuHosting) had this feature and it was great.