

How I got hacked in 10 hours on Google Cloud Platform - kidsil
http://www.kidsil.net/2014/12/hacked-in-10-hours-google-cloud/

======
smt88
"Google Compute Engine should be a lot more secured out of the box"

Most modern server instances _are_ secure out of the box. It's the user who
makes them insecure.

I like AWS because it lets you manage firewall settings of EC2 instances
through the console. I obviously open port 443 to the public, but nothing
else. If I need to get in for some reason, I whitelist my current IP, log in,
and then remove the IP.

That decreases the points of failure quite a bit. I'm not sure if there's a GC
version of the same thing.

Did you use a password to log into this instance? For a production server like
that, you should be using SSH keys with secure passphrases.

In case you have a root password and were logging in as root, that's another
thing you shouldn't do.
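
[Added example, not part of smt88's comment or the linked article: one way to script the "whitelist my IP, log in, remove the IP" routine described above, so the rule is revoked even when the session fails. It assumes a configured AWS CLI; the function names and the group id in the usage line are hypothetical.]

```sh
#!/bin/sh
# Added example (constructed): open port 22 to a single address only while a command runs.
# Assumes a configured AWS CLI; the security group id and IP are supplied by the caller.

# Accept only a bare dotted-quad, so "0.0.0.0/0" or "10.0.0.0/8" can never be passed through.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $1            # split the address on dots
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
}

open_ssh() {   # open_ssh <sg-id> <ip>: allow exactly one host (/32) on tcp/22
  aws ec2 authorize-security-group-ingress \
    --group-id "$1" --protocol tcp --port 22 --cidr "$2/32"
}

close_ssh() {  # close_ssh <sg-id> <ip>: remove the same rule
  aws ec2 revoke-security-group-ingress \
    --group-id "$1" --protocol tcp --port 22 --cidr "$2/32"
}

# with_ssh_window <sg-id> <ip> <command...>
# Returns 2 for a rejected address, 3 if the rule could not be added,
# otherwise the exit status of the command.
with_ssh_window() {
  _sg=$1; _ip=$2; shift 2
  valid_ipv4 "$_ip" || { echo "refusing address: $_ip" >&2; return 2; }
  open_ssh "$_sg" "$_ip" || return 3
  (
    # The EXIT trap revokes the rule when the subshell ends, whether the command succeeded or not.
    trap 'close_ssh "$_sg" "$_ip" || echo "WARNING: rule for $_ip still open" >&2' EXIT
    "$@"
    exit "$?"
  )
}

# Usage (hypothetical group id and host):
#   with_ssh_window sg-EXAMPLE "$(curl -fsS https://checkip.amazonaws.com)" ssh admin@host
```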

~~~
kidsil
As mentioned in the article, I've simply used the click-to-deploy feature to
create my instance.

SSH keys were with passphrases, and the Console's SSH client logs you in as
your account name's user (not root). I never logged in as root myself,
actually.

~~~
smt88
Well, definitely use 2FA on your GC account, then.

Ubuntu-based EC2 instances aren't "more secure", but they set you up as a user
of better security practices. Like any set of tools, though, you have to
understand them and use them properly.

Is something like Heroku not an option for you?

~~~
kidsil
_Is something like Heroku not an option for you?_

It is now.

------
JCJoverTCP
Doesn't really go into "how" enough for my own clickage.

