Disabling admin accounts
Moderator: General Moderators
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Disabling admin accounts
I signed up for a dedicated hosting service...fully self-managed except for request tickets where their admins might need access to my server.
Like with most hosting companies, there are two or more accounts which are used internally by them...which they recommend keeping active in case of an emergency. If I disable the account it's not my fault if they cannot make necessary repairs.
I don't really like the idea of any accounts existing outside of my own...should I disable their accounts? What kind of maintenance would they need to do which would require admin access? If I ever screw something up that badly software-wise...I would likely just reinstall the OS and start from scratch.
How do I disable these admin accounts they have set up? Wise idea or no?
Re: Disabling admin accounts
To look for a root access:
Code:
grep :0: /etc/passwd
Should return only
Code:
root:x:0:0:root:/root:/bin/bash
And
Code:
cat /root/.ssh/authorized_keys
should not return anything in case you haven't set up SSH key authorization.
Keep in mind that there may be other ways to get root access (e.g. ordinary user account and "su").
There are 10 types of people in this world, those who understand binary and those who don't
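The checks from the reply above, as an added example that is not part of the original posts: it goes a little further by matching the UID field exactly, listing accounts with a login shell (the "ordinary user, then su" route), and reporting locked passwords and authorized_keys files. All function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Each filter reads passwd(5) or shadow(5) lines on stdin.

# Constructed passwd sample; daemon is given GID 0 on purpose.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:hosting support:/home/admin:/bin/bash
daemon:x:1:0:daemon:/usr/sbin:/usr/sbin/nologin
alex:x:1000:1000::/home/alex:/bin/bash
EOF
}

# Constructed shadow sample; the hashes are placeholders.
sample_shadow() {
cat <<'EOF'
root:$6$placeholder:19000:0:99999:7:::
admin:!$6$placeholder:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alex:$6$placeholder:19000:0:99999:7:::
EOF
}

# Accounts whose UID (field 3) is 0; a GID of 0 in field 4 does not count.
uid0_accounts() { awk -F: '$3 ~ /^0+$/ { print $1 }'; }

# Accounts with an interactive shell: the "ordinary user, then su" route.
login_accounts() { awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'; }

# Accounts whose shadow field 2 starts with "!" or "*", i.e. the password
# is locked. Key-based logins have to be checked separately (see below).
locked_accounts() { awk -F: '$2 ~ /^[!*]/ { print $1 }'; }

# Accounts with a non-empty ~/.ssh/authorized_keys (sshd's default location).
# $1 is an optional path prefix, e.g. a mounted copy of the disk.
key_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        if [ -s "${1:-}$home/.ssh/authorized_keys" ]; then echo "$user"; fi
    done
}

# Run against the samples; on a real host feed /etc/passwd and /etc/shadow as root.
echo "uid 0:  $(sample_passwd | uid0_accounts | xargs)"
echo "login:  $(sample_passwd | login_accounts | xargs)"
echo "locked: $(sample_shadow | locked_accounts | xargs)"
```

On a live system the same filters take real input, for example `uid0_accounts < /etc/passwd` and `key_accounts < /etc/passwd`.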
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Disabling admin accounts
EDIT | I simply reset the passwords for their admin account and changed my own as well.
The first command returned two accounts:
root and admin (the latter of which is theirs). I should probably reset my own password for root as well. How do I disable their account?
The last command returns: No such file or directory.
Ideally I just don't want them to have access to my PHP scripts, but I'm thinking this is not possible as my PHP setup requires scripts to execute as readable by world (user: nobody). Short of executing PHP with suexec...I guess just disabling their accounts is probably easiest?
I'm curious though as to what exactly they would need access for. If a hardware failure occurs could they not fix that without having to log in and make root changes?
Re: Disabling admin accounts
Code:
userdel admin
Most of the times I have screwed up something with my servers was refusing SSH access to the machine - in most cases by bad firewall rules or changing network interface settings (e.g. "ifdown"
There are 10 types of people in this world, those who understand binary and those who don't
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Disabling admin accounts
I don't anticipate screwing up the system...I don't really tinker with much outside of a typical LAMP stack...and recently with mail servers. Not sure I know enough to be "that" dangerous. 
Although, if I did happen to **** stuff up, could I not just send them an email with my root details? They could then login as root and do the exact same thing, no?
Re: Disabling admin accounts
Hockey wrote: I don't anticipate screwing up the system...I don't really tinker with much outside of a typical LAMP stack...and recently with mail servers. Not sure I know enough to be "that" dangerous.
Don't bet on it
Hockey wrote: Although, if I did happen to **** stuff up, could I not just send them an email with my root details? They could then login as root and do the exact same thing, no?
That's correct
There are 10 types of people in this world, those who understand binary and those who don't
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Disabling admin accounts
Hmmm...how does rebooting the system render ssh unusable?
In any case, they have a web-based control panel for restarting your server...I'll keep that in mind though so I always work like stepping on egg shells.
Re: Disabling admin accounts
Hockey wrote: Hmmm...how does rebooting the system render ssh unusable?
Code:
:~# cat /etc/rc.d/rc.firewall
#!/bin/bash
iptables -I INPUT -p tcp --dport 22 -j DROP
There are 10 types of people in this world, those who understand binary and those who don't