Do you ever give access to your servers to outsiders? [closed]

untagged

I'd have to say yes, it's unwise to give access to a complete stranger off the Internet, especially as a freelancer. A better idea would probably be to contact a local school or business and see what consultants are available in your area to work with.

You have to remember that security comes down to trust. You need to know that this person has complete access to your system and can easily place his own scripts, doctored binaries, etc. on your system without your knowledge, especially if you're not administration-savvy. Nothing is preventing this person from deciding you aren't paying him enough or on time and have a script that states if user XYZ hasn't logged in by a certain date or within X days, "rm -fr /".

If you find someone local, you at least have someone to hold accountable. You also should make sure you have backups of your work on a separate disk under your own control. You can't rely just on backups as the admin works of the system state...if they alter the configs and/or add a little "gift" to the binaries, you'll back them up along with everything else, then end up copying the trojan data along with your other data.

You need to find someone you can hold somewhat accountable or at least is operating a reputable business. Depending on how much you rely on your website for income or reputation or your own business needs, you need to decide how much to prioritize the trust level of your admin.

Have we given access to others? Yes, our school has contracted to an IU (kind of a state agency that supports public schools) but we know the guys that have them and we deal with them on a one-on-one basis. Can they mess us up? Sure they can. So can our own admins, if they're screwed over and treated like dirt and something happens where they leave on bad terms. Again, security comes down to how much you trust your users and how much you separate access to what they absolutely need.

Remote desktop doesn't really help block out a lot of security issues. For example, we have desktop control of our users...what is most valuable? information? If we were so inclined we can see them typing sensitive emails and get information passively, without knowing their passwords. We also have had remote techs operating things like a vendor for our point of sales cafeteria software handle things remotely, so they didn't have our admin password but they did have admin access since I was logged in as an admin. I was also watching what they were doing the whole time, and again we trusted them. Just not enough to work without supervision :-) I also generally know what they're doing. I know there's no reason for them to poke around our shares or install certain software on our server. If you have no idea what system administration entails, watching what they're doing isn't going to help you much. It really only helps if you have some idea of what is and isn't to be fiddled with while the other person is working, and if you're talking about SSH access it's very possible they can get back door access while you're watching something else going on.

I was just reading about an article in Worse Than Failure where a developer was working on a web site and there were disagreements about pay or some other issue and the developer threatened to delete the site, even after the owner changed passwords and information. The developer said he still could do it, so pay up...so the admin did a quick grep and found a stupid statement in the PHP that erased all the files if a certain keyword was in the URL submitted to the web app. It's that simple to have someone screw you over.

Backups, backups, archive and version info your application and data, and find someone you can hold accountable and trust. Your system admin should be someone you're going to form a good business relationship with, not a passing "let's try this" thing.


In my opinion the simple answer is if you don't give someone access, they can't help fix the issue. But it is unwise to use a company that you don't trust. Whether its the guy down the street or someone off the web you have to put your trust in someone in order to get the problem fixed.

Many company's like elance.com will have ratings and reviews available for all of their techs, if they don't then find a company that does. You can also find reviews for the company over all. Generally, techs who sign up for these sites are looking to make some extra money and will honestly try to help you. But there's no telling whether they will be able to or not until they get a look at the problem.

But make sure you have a backup... it doesn't hurt to be cautious.


What OS is this? Can you create a limited account for him that gives access to ONLY what he needs?

I've never given access to a random stranger from the Internet, and never would. I won't even give access to vendors until I have a face-to-face meeting with their technical staff.

Is there a reason why, for something this potentially harmful, you want to use elance instead of finding a local IT consultant who can sit at your desk with you, and let you watch every command they type?

Related

How SSD hard drive affected speed of your website (asp.net/linq/ms sql database)
What is the advantage of using openfiler or freenas over Ubuntu?
In Bash, file starts with a "-"
Run Time of a Process in windows XP
What are NS records?
Is there a "Run" command for "Offer Remote Assistance"?
NGINX deny IP wildcard?
Forefront TMG vs pfSense
What role does virtualization play in a network with a SAN?
I have a perl script that is supposed to run indefinitely. It's being killed... how do I determine who or what kills it?
What is wrong with following bash script?
sed insert from file.txt to multi files