root password: am I being too picky?
I'm just moving all my cPanel hosted sites to a new cloud server provider. My old provider seemed to have constant issues with not knowing my root password - if something went wrong and they needed to log into cPanel to restart something. Even when I phoned it through to them, they often didn't seem to have a record of it, so they would send me emails asking for it. So, OK, new hosting provider (not only for that reason).
New hosting provider is doing the cPanel migration for me, because I'm lazy (or at least busy).
New hosting provider sent me an email with the new root password for the new cloud server. OK, no problem, it's an empty clean account, I changed the password right away, and phoned new password through. They seemed a bit surprised I'd done this.
New hosting provider wanted me to type root password protecting all my live sites into their web support system - which OK, is SSL'd, but is also accessible by clicking on a link in the email they sent me, there is no separate password for the support thread, and a copy of the thread is sent by email.
Is it me, or is that a bit risky? I trust new hosting provider and old hosting provider to hold the root password - I'm a small business, I have to trust someone! But I'm not sure I trust everyone who might be able to get access to my email. I am not as careful with my email as I am with my root password!
Since the WHM root password gives access to everything, I've always been very very careful with it. I change it often. I store it in an encrypted archive locally only. I never email it to anyone, I don't save it in my web browser when I use the WHM web interface.
Am I stressing for no reason? Would this worry you?
Hello :) I would never say you can be too careful when it comes to protecting root access on your system. Here are some tips from cPanelJeff on another thread which you may also find helpful:

- Restrict which hosts can access sshd on your server
- Disallow root logins to sshd
- Use ssh keys instead of passwords for authentication
- Use a wheel or sudo user that can escalate to root privileges after logging in
- Use a temporary account with a unique password when providing login information to a third party, and remove the account when the task is complete

Thank you.
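As an added example (not from this thread, not cPanel's own tooling): a POSIX shell script that checks an sshd_config against the sshd items in the checklist above. It looks at the effective value of PermitRootLogin, PasswordAuthentication and AllowUsers/AllowGroups, which is where "disallow root logins", "keys instead of passwords" and "restrict who can reach sshd" show up inside sshd itself (host restriction is more often done at the firewall; AllowUsers also accepts user@host patterns). The two configs are constructed samples written to temporary files; a real server's file is /etc/ssh/sshd_config. It assumes only awk and mktemp are available.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings in the cPanelJeff
# checklist. Both configs are constructed samples; replace the path with
# /etc/ssh/sshd_config to check a real server.

WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat >"$WEAK_CFG" <<'EOF'
# constructed sample: the kind of config the thread warns against
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat >"$HARD_CFG" <<'EOF'
# constructed sample: the same server after applying the checklist
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin migrate-tmp
EOF

# sshd_setting FILE KEY: print the effective value of KEY.
# sshd uses the first occurrence of a keyword, so the first match wins;
# keywords are case-insensitive; comments and blank lines are skipped.
# (Match blocks are not modelled here.)
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one line per finding; return 0 only if there are none.
audit_sshd() {
    findings=0

    # "Disallow root logins to sshd": anything other than an explicit "no"
    # still lets root authenticate in some way (old builds default to "yes").
    root_login=$(sshd_setting "$1" PermitRootLogin)
    if [ "$root_login" != "no" ]; then
        echo "PermitRootLogin is '${root_login:-unset}' (checklist: no)"
        findings=$((findings + 1))
    fi

    # "Use ssh keys instead of passwords": the sshd default is yes when unset.
    pw_auth=$(sshd_setting "$1" PasswordAuthentication)
    if [ "$pw_auth" != "no" ]; then
        echo "PasswordAuthentication is '${pw_auth:-unset, defaults to yes}' (checklist: no)"
        findings=$((findings + 1))
    fi

    # "Restrict access": without an allow list every local account,
    # including any leftover temporary one, may attempt an ssh login.
    if [ -z "$(sshd_setting "$1" AllowUsers)$(sshd_setting "$1" AllowGroups)" ]; then
        echo "No AllowUsers/AllowGroups: any local account may attempt ssh login"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

echo "== weak config =="
audit_sshd "$WEAK_CFG" || echo "-> not hardened"
echo "== hardened config =="
audit_sshd "$HARD_CFG" && echo "-> matches the checklist"
```

The temporary-account step from the checklist is not in the script because creating and removing accounts needs root; the AllowUsers check is there so that a forgotten temporary account at least cannot log in over ssh once it is dropped from the list. Run the script as-is to see both reports; point `audit_sshd` at /etc/ssh/sshd_config (with `sshd -T` output as a cross-check, since it resolves defaults and Match blocks) to audit a real host.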
Is your new provider a managed hosting company or unmanaged? If it's managed, if they are managing the server and providing security for the server, then they'll need the root password. However, if it's managed, I somewhat question why you would need root access to the server. The more people that have root level access, the more likely things can go wrong. If it's unmanaged, if you are responsible for providing security to the server, then I'm not really sure why your provider would need the root password. But if it's unmanaged, then you shouldn't be going to them for any support related inquiries at all. If it is a managed provider and you are doing all of the managing, then you may want to contact the provider and tell them to turn off a lot of their monitoring or anything that requires them to have root access, since you are not using them for management.

If you both want to be managers of the server, then understand that there are some difficulties in this. The more people that have root access to your server, the more likely you are to run into issues or root compromises. Your provider cannot vouch for the security that you provide and how secure you keep the password, and likewise you cannot vouch for your provider and the security they provide for the root password. If the password is ever compromised, both of you are going to point the finger at each other and say it's the other's fault.