Security Measures
This article describes the security measures that implemented in the system.
DOM Cloud is essentially a Linux VPS server that's shared for all users. While this maybe seems like a bad idea, when it done correctly it will work fine and save a lot of infra cost and simplify a lot deployment complexities. See Compare Servers To get better idea about our server specs.
No Sudo
Unlike standard cloud company, we don't give you sudo (aka. root access). Still, you will will be given a SSH access, which then you can used it to install additional software or libraries in order to make your app working correctly.
To aid in installing additional binaries and tools we have plenty of deployment scripts that install things in your $HOME
folder. Some action that requires sudo such as configuring NGINX or DNS records are also handled by deployment scripts or Webmin panel.
The deployment system can helps you install language compilers such as Node, Python, Rust, Go, Java and many more. Refer to deployment section. To install more linux tools and get to know what's included in OS-wide binaries read more in our linux tool features.
No matter your system requirement is, try to find a way to do it without sudo. Again, we will not giving you sudo access to our cloud servers because the shared hosting nature. Our system also has been designed to follow shared hosting best practices and everything that's dangerous are protected behind sudo. You almost can't broke our system whatever you're trying to do.
If you still insist wanting sudo, please put your system inside Docker, or set up a self-hosted server instead.
No Background Services
CPU and RAM are limited resources. To make room for everyone, server processes need to be shut down when it's no longer in use. For any websites that doesn't enable Docker services, the maximum runtime for any executables is 3 hours (also true for cronjobs). Don't worry though, as processes from NGINX is always respawn when such process has exited before.
We also has many security features such as address space limit set to 2GB, EarlyOOM background service, a cron to remove cron that's set to run more than once a hour and a weekly cron to clear caches.
To keep processes running all the time 24/7 we recommend you to leverage rootless Docker or SystemD. Do note that this requires subscribing as low as Kit plan. Also a kind of more complex setup and prone to memory leaks.
If you're not subscribing as low as Kit Plan, do not install cron or any third-parties such as Uptime Bots that pings all the time to keep your software awake! This will cause your account to be terminated as it is direct violation for Fair Use (forcing the process to always run 24/7).
No Chroot Jail
Chroot Jail are safety measurements commonly used by many web hosting providers to limit access to system. As these safety measurements is expensive and not providing critical security value compared to simply not giving sudo, we're leaving this off.
This also means anyone with SSH access can do ls /home
or cat /etc/passwd
and determine what's domain other users has. We encourage everyone to not assume all URLs are private, and taken security measurements properly as if anyone with internet can open your website.
Note that we still treats security very serious. Only you and us (server admins) can read your code. We have Fail2Ban in place to prevent random people guessing your server password.
Server passwords must be treaten as personal password, exposure on public can lead to anyone see and override your website internal data! Avoid managing your website in public devices. If you have to do that, make sure you do it in private browsing/incognito mode. If you believe have leaking your server password, please change it from Webmin UI or our Portal UI.
No Participation in Bad Faith
Many cloud servers offering free plans relies on actual credit card to make sure it's not evil person who tries to damage the whole system or reusing it to steal other people data by massive spam and phising.
We know it's hard to get credit card access for some people or some countries and we have to get creative to keep our system secure. We explain more additional security measures for free users here.
To enjoy most of our features you still have to spend some money by either have custom domain (don't have to be from us) or subscribe as low as Lite Plan. We only charge you little to gain trust, and more only by your infra usage.