10-17-2010, 06:03 PM
directfiesta
Too lazy to set a custom title
Join Date: Oct 2002
Location: Punta Cana, DR
Posts: 29,586
Quote:
Originally Posted by Spudstr
Quote:
Originally Posted by directfiesta
That excuse of rogue employee does not fly.

Each server has their own user/pass, that user of said server should change once delivered to them.

In the case that the host creates an admin account on the server, it is never the same password for all boxes ... please, if it is, someone seriously screwed up.

I am guessing you are not aware of exactly how a managed service works. Sure you can have a different/unique root password on each server, by all means you should.

However that would be a nightmare to manage and most large organizations utilize ssh keys. Now along with ssh keys the practice of rotating those keys daily should be part of operations to prevent things like rogue employees from doing things like this.
I agree with the managed issue.
But again, the ssh could be made accessible only from a certain range of IP addresses (the ones of the staff in the DC ...).

Quote:
Disabling remote root login

Once user logins are working, you want to deactivate direct login as root via network. This is generally a good idea as it makes it even harder for anyone to really exploit some possible vulnerabilities in the ssh daemon. While your instance is already quite secure with no password login and ssh keys, it is always better to be safe than sorry.

First you have to give a password for the root account, if your Linux doesn't use the sudo mechanism, as Ubuntu does. In this case you don't have to give root a password. Just log into your user account and try "sudo -s". It asks for your password and then you should be root. For Linuxes which don't use sudo, like SuSE, give root a password, log in as user and try "su -" with root's password. If either su or sudo works, you can de-activate remote root access in /etc/ssh/sshd_config by setting "PermitRootLogin" to "no". Of course there's other means to secure your server even more -- which would go too far for this instalment, like preventing most users from gaining root rights at all.
http://blog.taggesell.de/index.php?/...instances.html


After a bad experience on one box, I now unmount automatically the backup drive, only to mount it before the next backup, preventing what happened, i.e. all backup main.html, index.html, index.php to be changed...

I am sure they are doing all they can and even more to get their network back up ... sucks hard for them.
__________________
I know that Asspimple is stoopid ... As he says, it is a FACT !

But I can't figure out how he can breathe or type , at the same time ....
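The sshd_config hardening the quoted blog post describes (PermitRootLogin no, key-only login) together with the staff-IP-only access directfiesta suggests, as an added example that is not part of the thread or the blog: a small POSIX shell audit that reads a config and flags each missing setting. The two sample configs, the "admin" account name and the 203.0.113.0/24 range are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings the
# post recommends (no direct root login, key-only auth, staff-range-only access).
set -eu

# Effective global value of a keyword. sshd keeps the FIRST value it sees, and
# anything after the first "Match" line is conditional, so stop reading there.
sshd_global() {  # $1 = config file, $2 = keyword (case-insensitive)
    awk -v k="$2" '
        /^[ \t]*#/ || NF == 0     { next }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Prints findings on stderr and the number of problems on stdout (0 = hardened).
audit_sshd() {
    f="$1"; n=0
    [ "$(sshd_global "$f" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no' (direct root login possible)" >&2; n=$((n+1)); }
    [ "$(sshd_global "$f" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no' (keys not required)" >&2; n=$((n+1)); }
    # sshd's AllowUsers accepts USER@HOST, where HOST may be a CIDR range.
    grep -qiE '^[[:space:]]*AllowUsers[[:space:]]+[^#]*@' "$f" ||
        { echo "WARN: no AllowUsers user@range; logins accepted from any address" >&2; n=$((n+1)); }
    echo "$n"
}

# Constructed sample configs (weak vs hardened) so the block runs stand-alone.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$tmp/hardened.conf" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
# admin only, and only from the staff range (203.0.113.0/24 is a constructed address)
AllowUsers admin@203.0.113.0/24
EOF
WEAK_CONF="$tmp/weak.conf"; HARD_CONF="$tmp/hardened.conf"

echo "weak.conf problems:     $(audit_sshd "$WEAK_CONF")"
echo "hardened.conf problems: $(audit_sshd "$HARD_CONF")"
```

AllowUsers is enforced by sshd at login time; a firewall rule on port 22 in front of it is the other usual way to keep the daemon reachable only from the staff range.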