Contabo Security Defaults Encourage Using SSH Passwords

Summary

I recently started helping a less technical friend and had my first chance to see/use a Contabo VPS. I’ve been really surprised at their default security practices so far.

Contabo’s default VPS creation seems to be root user and password?

If you go to “Advanced” the default is to create a user called “admin” (good!) and there is the option for a public SSH key.

Why is that bad?

Our new server, that barely any bot knows exists, already gets 350 failed password login attempts an hour. Worse, these bots can see that password login is enabled on our server, meaning they know they should keep trying. 350 password requests an hour on a strong password isn’t much, but eventually more bots will realize our IP is using passwords and try more. Eventually, after copy-pasting a password around enough, some compromised browser plugin / Discord plugin etc. will capture the password and put it in a list.

Contabo “knows” this, even if they don’t practice it: https://contabo.com/blog/how-to-use-ssh-keys-with-your-server

Contabo is bad in that they encourage you, via their defaults when setting up the VPS, to use an SSH password. They went out of their way to do that, likely to not put roadblocks up for new users, but it’s bad security.

Contabo Support asks you to email them your password so they can help?

When we hit an issue we contacted Contabo support. They asked us to copy-paste our password so they could help troubleshoot an issue. While I appreciate that level of support, assuming users have an SSH password and asking them to email it seems crazy to me. Now there is a record on both our email providers of that password and IP.

The fix?

1) Use pub/private SSH keys. We can copy/paste public keys anywhere we want, super safe.
2) Make future servers with a user other than root and disable login with root. Root user has special login privileges (allowing SSH to get hammered).

And in the future, I’ll complain a bit less about DigitalOcean/AWS/GCP.
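One way to check that both fixes actually took effect on a server, as an added example that is not part of the original post: a shell function that audits the effective OpenSSH server settings. The function name `audit_sshd` and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `sshd -T` output (lowercase "keyword value" lines)
# on stdin and checks the settings behind the two fixes in the post.
audit_sshd() {
    awk '
    BEGIN {
        # OpenSSH defaults, used when a keyword is absent from the input.
        val["passwordauthentication"] = "yes"
        val["permitrootlogin"]        = "prohibit-password"
        val["pubkeyauthentication"]   = "yes"
        # Values that match the post: keys only, no root login.
        want["passwordauthentication"] = "no"
        want["permitrootlogin"]        = "no"
        want["pubkeyauthentication"]   = "yes"
    }
    /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
    {
        key = tolower($1)
        # sshd keeps the first value it reads for a keyword.
        if ((key in want) && !(key in seen)) {
            seen[key] = 1
            val[key] = tolower($2)
        }
    }
    END {
        n = split("passwordauthentication permitrootlogin pubkeyauthentication", order, " ")
        bad = 0
        for (i = 1; i <= n; i++) {
            k = order[i]
            status = (val[k] == want[k]) ? "OK" : "FAIL"
            if (status == "FAIL") bad = 1
            printf "%s %s=%s (want %s)\n", status, k, val[k], want[k]
        }
        exit bad                     # non-zero when any check fails
    }'
}

# Constructed sample: root login with a password, as the post describes.
sample_password_root() {
    printf '%s\n' 'permitrootlogin yes' 'passwordauthentication yes' \
                  'pubkeyauthentication yes'
}

# Constructed sample: the same server after applying both fixes.
sample_hardened() {
    printf '%s\n' 'permitrootlogin no' 'passwordauthentication no' \
                  'pubkeyauthentication yes'
}

sample_password_root | audit_sshd || true   # demo run on the weak sample
```

On a real server, run `sshd -T | audit_sshd` as root after confirming key login works in a second session. If `kbdinteractiveauthentication` is still `yes` with PAM enabled, a password prompt may still be offered even when `passwordauthentication` is `no`.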

First seen: 2025-09-12 01:23

Last seen: 2025-09-12 01:23