Trusting your web host provider with root..

I take reasonably well precautions on our web server.  I only run services that are needed, keep the web server and PHP patched, and run SSH on a different port.  I also don’t allow root to SSH in remotely – the only way to get root is to login via a regular user who has sudo capabilities.  I also use an extremely long password that’s mixed case, includes special characters, numbers, spaces, and doesn’t include anything that would be in a wordlist (yea, I have the almighty John The Ripper wordlist, and use ‘grep’ to pattern match the letters in my password).  So, when my account was suspiciously rooted, I was a bit baffled.  How?  With all that security, how in the hell could I have been rooted?  

Well, it also turns out that I had asked for some help with my Parallel’s install, specifically some kernel module compile that kept failing, and since I’m no Parallels expert, I enlisted the help of my hosting provider, since they maintain racks and racks of Parallels installs, and surely they would have run into my issue.  Of course, I needed to give them root, so I used their support ticket system, connected via SSL, and posted my root password.  That was my mistake.  I should have temporarily change my root password.  I don’t know who’s at the other end of the support ticket system, nor do I know who has access to it.  It could be some frontline support script kiddie, right?

Lesson learned: before giving root to your web host provider, change the root password, and when they are done, change it back.  You never know who has access to their support ticket system, and if its shared  among departments.  Maybe someone in accounting had access, and was being offered a nice reward for root passwords.

Like Mulder and Scully would say:  “The truth is out there.  Trust no one”…

 

Posted via email from Bruce Garlock – bgarlock’s posterous

Leave a Reply