ssh details of the server

zzz

Hi,

I've got a dedicated server. I found someone willing to install a few things for me. He needs ssh details of the server to do the work. What steps do I need to take to ensure I secure it back after the work is done?

laserlight

I think you pretty much have to trust him. You could try taking some typical security measures such as changing root password, disabling root login from ssh (thus having your own sudoer account), installing a firewall, chkrootkit and rkhunter... but these tend to be effective only when your server has not already been compromised, and in this case you have pretty much allowed it to be potentially compromised.

zzz

Oh, no. I am just considering. It appears that I can disable shell access via Plesk once I'm done. Clearly I can change username, but they probably need admin username and password, hah?

laserlight

It is not just about shell access, you need to check if something malicious has been installed. If you do find something, then your best bet is to start from scratch and blacklist that person.

etully

Disabling SSH after he leaves is not going to make the server secure after he leaves.

Once you let him in, he can do anything he wants. He can install PHP scripts, he can install software that will let him SSH in on a different port. He can install software that automatically erases your hard drive after a week. He can modify the operating system. He can modify PHP. He can write a script that sends an email to himself of your passwords.

No matter WHAT you do after he leaves, you can't change the fact that he was logged into your system. Pretty much the ONLY thing you can do to be truly safe is to format the hard drive and re-install everything after he leaves (which of course, defeats the purpose).

Actually, you could get MD5 checksums of every application on the box and then check to see if those checksums are the same (and that there are no new applications on the box) after he leaves. Even if you did this, though, you don't know whether or not the applications he installs for you are safe.

Does all this sound extreme? Yes - and it might be going a little overboard. But when you ask a security question, there's no fooling around with the answer. If you don't understand the truth of the risk, then you can't make good decisions. (Frankly, he's probably not going to do anything bad but that wasn't your question).

If he were to do something bad, you might not know about it for months or years. It's better to have an insecure server an know that it's insecure than to have an insecure server and not know. Disabling SSH after he leaves is not going to make the server secure after he leaves.

zzz

etully, rhis is exactly the kind of feedback I was looking for. Sometimes a short term cost effects are not worth the investment. I suppose I'll just have to learn how to install these aps myself. Slower method but I'd be able to sleep at night. 😉

etully

You can go to a site like www.rentacoder.com and hire someone to do the work for you. If you select a coder who has tons of positive feedback, then you can have some chance of finding someone who isn't going to install malicious code. Maybe. You could hire a local consulting firm to do the work. If they've been in business for years, they're probably not going to want to risk the negative PR that would come from hacking your server. (Of course, don't let them assign the task to the new guy they hired yesterday).

I suppose this is what "being bonded" is all about. I don't know if you can find a computer consultant who is bonded.

etully

What apps do you need to install?

laserlight

If they've been in business for years, they're probably not going to want to risk the negative PR that would come from hacking your server. (Of course, don't let them assign the task to the new guy they hired yesterday).

Yes, they would not want to be blacklisted. It may be possible to get legal recourse from a botched job with a contract, though I suspect that proving that a subsequent security breach was not your own fault might be difficult.