What are some ways to harden a VPS for security/privacy?

1 day ago
mlyxdev
As the title says. Hoping to get the discussion started.

1. Review the cloud-init contents carefully

cloud-init handles network/SSH key setup and so on, but some providers may put a runcmd in the user-data that installs a monitoring service. Recommended: disable cloud-init and configure the IP statically.

2. Disable qemu-guest-agent where possible

Enabling qemu-guest-agent on a VPS makes shutdown and reading basic OS information convenient. But what many people may not have noticed is that the provider can execute arbitrary commands through it.

socat unix-connect:/tmp/qga.sock readline
{"execute":"guest-get-osinfo"}
{"return": {"name": "Debian GNU/Linux", "kernel-release": "6.12.63+deb13-arm64", "version": "13 (trixie)", "pretty-name": "Debian GNU/Linux 13 (trixie)", "version-id": "13", "kernel-version": "#1 SMP Debian 6.12.63-1 (2025-12-30)", "machine": "aarch64", "id": "debian"}}

{"execute": "guest-info"}
{"return": {"version": "10.0.7", "supported_commands": [{"enabled": true, "name": "guest-network-get-route", "success-response": true}, {"enabled": true, "name": "guest-get-load", "success-response": true}, {"enabled": true, "name": "guest-get-cpustats", "success-response": true}, {"enabled": true, "name": "guest-get-diskstats", "success-response": true}, {"enabled": true, "name": "guest-ssh-remove-authorized-keys", "success-response": true}, {"enabled": true, "name": "guest-ssh-add-authorized-keys", "success-response": true}, {"enabled": true, "name": "guest-ssh-get-authorized-keys", "success-response": true}, {"enabled": true, "name": "guest-get-osinfo", "success-response": true}, {"enabled": true, "name": "guest-get-timezone", "success-response": true}, {"enabled": true, "name": "guest-get-users", "success-response": true}, {"enabled": true, "name": "guest-get-host-name", "success-response": true}, {"enabled": true, "name": "guest-exec", "success-response": true}, {"enabled": true, "name": "guest-exec-status", "success-response": true}, {"enabled": true, "name": "guest-get-memory-block-info", "success-response": true}, {"enabled": true, "name": "guest-set-memory-blocks", "success-response": true}, {"enabled": true, "name": "guest-get-memory-blocks", "success-response": true}, {"enabled": true, "name": "guest-set-user-password", "success-response": true}, {"enabled": true, "name": "guest-get-fsinfo", "success-response": true}, {"enabled": true, "name": "guest-get-disks", "success-response": true}, {"enabled": true, "name": "guest-set-vcpus", "success-response": true}, {"enabled": true, "name": "guest-get-vcpus", "success-response": true}, {"enabled": true, "name": "guest-network-get-interfaces", "success-response": true}, {"enabled": true, "name": "guest-suspend-hybrid", "success-response": false}, {"enabled": true, "name": "guest-suspend-ram", "success-response": false}, {"enabled": true, "name": "guest-suspend-disk", "success-response": false}, {"enabled": true, "name": "guest-fstrim", "success-response": true}, {"enabled": true, "name": "guest-fsfreeze-thaw", "success-response": true}, {"enabled": true, "name": "guest-fsfreeze-freeze-list", "success-response": true}, {"enabled": true, "name": "guest-fsfreeze-freeze", "success-response": true}, {"enabled": true, "name": "guest-fsfreeze-status", "success-response": true}, {"enabled": true, "name": "guest-file-flush", "success-response": true}, {"enabled": true, "name": "guest-file-seek", "success-response": true}, {"enabled": true, "name": "guest-file-write", "success-response": true}, {"enabled": true, "name": "guest-file-read", "success-response": true}, {"enabled": true, "name": "guest-file-close", "success-response": true}, {"enabled": true, "name": "guest-file-open", "success-response": true}, {"enabled": true, "name": "guest-shutdown", "success-response": false}, {"enabled": true, "name": "guest-info", "success-response": true}, {"enabled": true, "name": "guest-set-time", "success-response": true}, {"enabled": true, "name": "guest-get-time", "success-response": true}, {"enabled": true, "name": "guest-ping", "success-response": true}, {"enabled": true, "name": "guest-sync", "success-response": true}, {"enabled": true, "name": "guest-sync-delimited", "success-response": true}]}}

{
  "execute":"guest-exec",
  "arguments":{
    "path":"/bin/sh",
    "arg":["-c","echo hacked > /root/pwned"],
    "capture-output":false
  }
}
{"return": {"pid": 912}}



3. Full-disk encryption

The VPS provider can copy and mount the user's disk, so disk encryption is necessary. But full-disk encryption reduces disk performance; a compromise is to create a dedicated partition just for keys and encrypt only that partition.



I've heard VPS providers can also take snapshots and read memory? That seems impossible to fully guard against.
266 views
Node: VPS
3 replies
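An added defender-side audit script for points 1 and 2 above; it is not code from the thread. It flags cloud-init user-data directives that execute code or add keys, and checks whether a guest-agent channel or binary is present. The fixture directory, the `provider-monitor-agent` package name and the sample key are constructed for the demo; on a live box point the functions at the real user-data file and at the live root.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Checks the two exposure points the
# post describes: provider-supplied cloud-init user-data that runs commands, and
# the qemu-guest-agent channel. Paths are parameters so it also works on a copy.

# Print user-data lines that execute code, write files or add keys. Argument: path
# to a user-data file (on a live instance: /var/lib/cloud/instance/user-data.txt).
# Returns 0 if any were found, 1 if the file looks clean.
audit_user_data() {
    grep -nE '^[[:space:]]*(runcmd|bootcmd|write_files|packages|ssh_authorized_keys)[[:space:]]*:' "$1"
}

# Can the host reach a guest agent? Looks for the virtio-serial channel the host
# exposes and for the qemu-ga binary. Argument: sysroot prefix ("" for the live /).
# Returns 0 if either is present, 1 otherwise.
audit_guest_agent() {
    root="${1:-}"
    hit=1
    if [ -e "$root/dev/virtio-ports/org.qemu.guest_agent.0" ]; then
        echo "virtio channel org.qemu.guest_agent.0 is exposed by the host"
        hit=0
    fi
    for bin in /usr/sbin/qemu-ga /usr/bin/qemu-ga; do
        if [ -x "$root$bin" ]; then
            echo "guest agent binary installed at $bin"
            hit=0
        fi
    done
    return $hit
}

# Constructed fixture (not a real provider's data): a user-data file carrying a
# runcmd, plus a fake sysroot that exposes the agent channel.
FIXTURE="$(mktemp -d)"
cat > "$FIXTURE/user-data.txt" <<'EOF'
#cloud-config
ssh_authorized_keys:
  - ssh-ed25519 AAAAC3Nza...example
runcmd:
  - apt-get install -y provider-monitor-agent
EOF
mkdir -p "$FIXTURE/root/dev/virtio-ports"
: > "$FIXTURE/root/dev/virtio-ports/org.qemu.guest_agent.0"

# Demo run. Mitigation on the real box: disable the service and remove the package
# (e.g. systemctl mask --now qemu-guest-agent), or disable cloud-init as point 1 says.
audit_user_data "$FIXTURE/user-data.txt" || echo "user-data: nothing that executes code"
audit_guest_agent "$FIXTURE/root" || echo "guest agent: not reachable"
```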
aminobody
1 day ago
If you care that much, dd it as soon as you get it
Chingjyu
1 day ago
Reinstall the OS as soon as you get it
miyuki
1 day ago
fail2ban

https://www.v2ex.com/t/1191203