
The hidden SSH backdoor, or why your password authentication might not be off after all.

So you have installed and hardened your server. You protected SSH with ssh keys, and in your /etc/ssh/sshd_config, you set PasswordAuthentication to no. All security checks are green. Beware:

More often than not, access is still possible with a password, and without your knowing.

The reason lurks in an innocuous “sshd_config.d” subdirectory of /etc/ssh.

In that you might find another conf file, named “50-cloud-init.conf,” or somesuch. Any file name will do. If you found “PasswordAuthentication yes” in that file, then you caught the criminal.

With an entry in /etc/ssh/sshd_config.d/*.conf any corresponding setting in /etc/ssh/sshd_config will happily and quietly be overridden.

REMOVE, don’t edit these entries. Restart the ssh server. As long as there is a “PasswordAuthentication yes” in your /etc/ssh/sshd_config, nobody can get in without the proper ssh key.

Providers plant these SSH backdoors into the systems they deliver to customers. The ultra-moronic then send the password via email, and all bets are off.

submitted by /u/Knurpel
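
An added example, not part of the original post: sshd keeps the first value it reads for each keyword, so a drop-in pulled in by an Include line placed above the setting in sshd_config supplies the effective value. The function names, the one-level Include handling and the sample files below are assumptions constructed for illustration.

```sh
#!/bin/sh
# Report which file supplies the effective value of an sshd keyword.
# Sketch only: Match blocks are skipped and nested Includes are not followed.

# first_in_file <file> <keyword>: print the first global value in one file.
first_in_file() {
    [ -r "$1" ] || return 1
    awk -v want="$2" '
        tolower($1) == "match"       { exit }   # conditional block: skipped
        tolower($1) == tolower(want) { print $2; found = 1; exit }
        END { exit !found }' "$1"
}

# effective_setting <main config> <keyword>: print "<value> <source file>".
# Relative Include patterns are resolved beside the main file (assumption).
effective_setting() {
    es_main=$1
    es_key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while read -r es_word es_arg || [ -n "$es_word" ]; do
        case $(printf '%s' "$es_word" | tr '[:upper:]' '[:lower:]') in
            match) break ;;
            include)
                case $es_arg in /*) ;; *) es_arg=$(dirname "$es_main")/$es_arg ;; esac
                for es_inc in $es_arg; do   # unquoted: expand the glob, sorted
                    if es_val=$(first_in_file "$es_inc" "$es_key"); then
                        echo "$es_val $es_inc"; return 0
                    fi
                done ;;
            "$es_key") echo "$es_arg $es_main"; return 0 ;;
        esac
    done < "$es_main"
    return 1
}

# make_sample <dir>: constructed layout mirroring the post (not a real host).
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf 'Include sshd_config.d/*.conf\nPasswordAuthentication no\n' > "$1/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

sample=$(mktemp -d)
make_sample "$sample"
effective_setting "$sample/sshd_config" PasswordAuthentication
rm -rf "$sample"
```

On a live host, `sshd -T` prints the configuration sshd actually resolves, Match blocks included, and is the authoritative check.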

Contabo Asia routing issues

According to a Contabo representative, they are “experiencing routing issues in the data centers located in Asia. This issue is global, we are currently closely working with our ISP in that location to resolve the issue as soon as possible.”

In Contabo-speak, “as soon as possible” translates to “when we get around to it, maybe never.”

The message was the conclusion of a royally botched attempt to move my sole remaining Contabo server (I canceled a few last month) from their Munich data center to a hopefully better climate in Tokyo. After 3 days, the server is back in Munich. More on that later.

Maybe it's just another Contabo whopper to hide their ineptitude.

Maybe they have real routing issues with Asia. Others do not.

submitted by /u/Knurpel

Dell Broadcom 57406 dual 10Gbe NIC warning

I bought a Dell Broadcom 57406 dual 10Gbe NIC off Amazon. When it arrived, it was fitted with a low profile bracket. No standard bracket was supplied. Seller could not provide the proper bracket, so the product was returned. The same item is listed many times on eBay at much lower prices than what I paid on Amazon. Sent messages to a few sellers, turned out they ALL have a low profile bracket only. Before you go for this deceptively low-priced dual NIC, make sure it has the proper bracket.

submitted by /u/Knurpel

Don't become a Cloudflare victim

There is a letter floating around the Internet where the Cloudflare CEO complains that their sales team is not doing their job, and that they “are now in the process of quickly rotating out those members of our team who have been underperforming.” Those still with a job at Cloudflare are put under high pressure, and they pass on the pressure to customers.

There are posts on Reddit where customers are asked to fork over 120k$ within 24h, or be shut down. There are many complaints of pressure tactics trying to move customers up to the next Cloudflare tier.

While this mostly affects corporate customers, us homelabbers and selfhosters should keep a wary eye on these developments. We mostly use the free, or maybe the cheapo business tier. Cloudflare wants to make money, and they are not making enough to cover all those freebies. The company that allegedly controls 30% of the global Internet traffic just reported widening losses.

It's inevitable: Once you get hooked and dependent on their free stuff, prepare to eventually be asked for money, or be kicked out.

Therefore:

  • Do not get dependent on Cloudflare. Always ask yourself what to do if they shut you down.
  • Always keep your domain registration separate from Cloudflare. Register the domain elsewhere, delegate DNS to Cloudflare. If things get nasty, simply delegate your DNS away, and point it straight to your website.
  • Without Cloudflare caching, your website would be a bit slower, but you are still up and running, and you can look for another CDN vendor.
  • For those of us using the nifty cloudflared tunnel to run stuff at home without exposing our private parts to the Internet, being shut out from Cloudflare won’t be the end. There are alternatives (maybe.) Push comes to shove, we could go ghetto until a better solution is found, and stick one of those cheapo mini-PCs into the DMZ before the router/firewall, and treat & administer it like a VPS rented elsewhere.

Should Cloudflare ever kick you out of their free paradise, you shouldn’t be down for more than a few minutes. If you are down for hours, or days, you are not doing it right. Don’t get me wrong, I love Cloudflare, and I use it a lot. But we should be prepared for the love-affair turning sour.

submitted by /u/Knurpel