by _Lemon_ 5088 days ago
I just fired off an e-mail to OVH to see their response (and to probably make them more aware of this).

OVH pre-install a number of things by default on their Debian image including monitoring software (it integrates into their manager) and this key.

The only way to make sure things like this are a non-issue is to do a clean install yourself, e.g., via debootstrap in "rescue pro mode".

You can then install the key at their request if required, giving you more control.

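As an added example (not from this thread, and not OVH's or Debian's code), here is the check a practitioner would run on a freshly provisioned image before trusting it: audit an authorized_keys file and flag every entry whose fingerprint is not on your own allowlist. It assumes the pre-installed key the post refers to is an SSH public key in an authorized_keys file, which the thread does not actually say; the sample file, its `vendor-agent` command option and both 32-byte key values are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

# Key types OpenSSH accepts in authorized_keys; used to find where the
# optional leading options field ends and the key itself begins.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw32: bytes) -> str:
    """Base64 public-key blob for ssh-ed25519 (RFC 8709): string "ssh-ed25519" + string key."""
    assert len(raw32) == 32
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


def blob_type(blob_b64: str) -> str:
    """Key type embedded at the start of the blob; must match the type declared on the line."""
    raw = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: base64 of the digest, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _tokens(line: str):
    """Split on whitespace but keep double-quoted option values (e.g. command="a b") intact."""
    out, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                out.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line: str):
    """Return (options, keytype, blob, comment), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = _tokens(line)
    for i, tok in enumerate(toks):
        if tok in KEY_TYPES and i + 1 < len(toks):
            return toks[:i], tok, toks[i + 1], " ".join(toks[i + 2:])
    raise ValueError("no recognised key type: " + line)


def audit_authorized_keys(text: str, expected_fingerprints):
    """List (line number, reason, detail) for every entry that is not one of the expected keys."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
        except ValueError as e:
            findings.append((lineno, "unparseable", str(e)))
            continue
        if entry is None:
            continue
        options, keytype, blob, comment = entry
        try:
            fp = fingerprint(blob)
            embedded = blob_type(blob)
        except (ValueError, struct.error):
            findings.append((lineno, "bad key blob", comment))
            continue
        if embedded != keytype:
            findings.append((lineno, "declared %s but blob is %s" % (keytype, embedded), fp))
        elif fp not in expected_fingerprints:
            findings.append((lineno, "unexpected key", fp))
    return findings


# Constructed sample: my own key plus an entry of the kind a provider image might ship.
# Both 32-byte key values are fake placeholders, not real public keys.
MY_KEY = ed25519_blob(bytes(range(32)))
VENDOR_KEY = ed25519_blob(bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = """# my key
ssh-ed25519 %s me@laptop

# entry the image shipped with (constructed for this example)
command="/usr/local/bin/vendor-agent",no-pty ssh-ed25519 %s vendor-manager
""" % (MY_KEY, VENDOR_KEY)

if __name__ == "__main__":
    for lineno, reason, detail in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, {fingerprint(MY_KEY)}):
        print("line %d: %s (%s)" % (lineno, reason, detail))
```

Feed it `/root/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from sshd_config) together with the fingerprints `ssh-keygen -lf` prints for your own keys; anything it reports is a key that can log in and that you did not put there. Comparing fingerprints rather than raw lines means a key re-added with different options or a new comment is still recognised as yours.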

I have a response from OVH:

We are aware of this and are currently investigating it. Our initial thoughts were that it was indeed a compromise but after further review it seems that this is actually a bug with Debian and certain versions of Red Hat.

We've tested it with different keys and have suffered the same results. I'll let you know if anything changes and we'll be announcing this shortly.

Thank you in any case, but rest assured it's not a serious issue.

I was introduced to OVH when they had a promotion where they gave 100 Kimsufi servers away (free for a year). I was really impressed with the prices they were selling real hardware at (and still do).

However, I have grown a great distaste for them in the last few years, namely because of this behaviour and its implications; when I buy a dedicated server that I am going to manage myself it would be nice to at least have the option to install a clean distribution and not have to go the extra mile of bootstrapping.

That's the only reason you've found so far? That's pretty good.

They have much worse things in place: their anti-DoS measures make it near impossible to put anything of value on there without a LOT of work. For example, once they detect a DoS (just 50 Mbps was enough, but it varies) they will take down your server (not just its IP) for 4-12 hours at a time.

With that said, there are some great things about OVH: they drive down the costs and make everything quite efficient (e.g., hardware prices, support costs) but then seem to just forget that they need to reduce the costs for the customer as well (their anti-DoS measures being an example of how they increase the cost).

I wonder if that DoS policy will be the same for the new North America data center. I have a beta server with them and am enjoying their service, but taking someone's service offline for a small-scale DoS attack may be a game changer.
It probably won't change. Their US routers do not appear to be any different to the EU ones (e.g., they both intentionally rate-limit ping to them, so you'll see a lot of timeouts).
Interesting, does this affect monitoring apps (e.g. Pingdom)? Also, any recommendations for something competitive but with better quality?
No it does not; it's only when you ping their edge routers that you see packet loss. They still pass all traffic (and thus ping) over them just fine. You can see this in traceroutes or by running mtr.

I believe (not 100% sure) they put their anti-DoS on these routers, which is why I think the US servers will have the same anti-DoS measures.

Have you tried asking them? I do not believe they would hide this fact (it would be interesting to know whether they mark it as a selling point or not).
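An added example, not from the thread, of reading an mtr report the way the comment above describes: a probe that reaches the final hop has crossed every router before it, so loss shown at an intermediate hop but not at the destination is that router rate-limiting (or dropping) its own ICMP replies, not forwarding loss. The two reports below are constructed in `mtr --report` format with RFC 5737 documentation addresses; `myhost` and the timings are made up.

```python
import re

# One hop line of `mtr --report` output, e.g.
#   2.|-- 198.51.100.9   70.0%   10   12.3  12.5  12.1  13.0   0.3
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\.\|--\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%\s+(?P<sent>\d+)"
)


def parse_mtr_report(text):
    """Extract (hop, host, loss %, probes sent) from each hop line; header lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m.group("hop")), "host": m.group("host"),
                         "loss": float(m.group("loss")), "sent": int(m.group("sent"))})
    return hops


def classify_hops(hops):
    """Attach a verdict to each hop.

    Loss at an intermediate hop that exceeds the loss at the final hop cannot be
    forwarding loss (those probes evidently got through), so it is the router
    rate-limiting or suppressing ICMP replies. Only loss that also shows up at
    the destination is counted as loss on the path. The rule needs a destination
    that answers at all; a final hop of ??? makes every verdict "path-loss".
    """
    if not hops:
        return []
    final_loss = hops[-1]["loss"]
    out = []
    for h in hops:
        h = dict(h)
        if h["loss"] == 0.0:
            h["verdict"] = "clean"
        elif h["loss"] > final_loss:
            h["verdict"] = "icmp-ratelimited"
        else:
            h["verdict"] = "path-loss"
        out.append(h)
    return out


def end_to_end_loss(text):
    """Loss % at the destination, the only number that reflects what your traffic sees."""
    hops = parse_mtr_report(text)
    return hops[-1]["loss"] if hops else None


# Constructed sample: the edge router at hop 2 answers slowly and hop 3 never
# answers, but the destination sees every probe, so nothing is dropped on the path.
RATE_LIMITED_REPORT = """\
Start: Mon Jan  1 00:00:00 2012
HOST: myhost                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%    10    0.4   0.5   0.4   0.8   0.1
  2.|-- 198.51.100.9              70.0%    10   12.3  12.5  12.1  13.0   0.3
  3.|-- ???                       100.0%    10    0.0   0.0   0.0   0.0   0.0
  4.|-- 203.0.113.7                0.0%    10   20.1  20.4  20.0  21.2   0.4
"""

# Constructed contrast: loss that starts at hop 2 and carries through to the destination.
REAL_LOSS_REPORT = """\
HOST: myhost                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%    10    0.4   0.5   0.4   0.8   0.1
  2.|-- 198.51.100.9              30.0%    10   12.3  12.5  12.1  13.0   0.3
  3.|-- 203.0.113.7               30.0%    10   20.1  20.4  20.0  21.2   0.4
"""

if __name__ == "__main__":
    for name, report in (("rate limited", RATE_LIMITED_REPORT), ("real loss", REAL_LOSS_REPORT)):
        print(name, "end-to-end loss:", end_to_end_loss(report))
        for h in classify_hops(parse_mtr_report(report)):
            print("  %2d %-16s %6.1f%%  %s" % (h["hop"], h["host"], h["loss"], h["verdict"]))
```

Pipe `mtr --report -c 50 <host>` into `parse_mtr_report` and look at the destination row first; an external monitor such as Pingdom only ever sees that row, which is why rate-limited edge routers do not trip it.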