View Full Version : sbadmin


Jeremy Howard
2003-07-30, 04:59 AM
Can someone please provide details about the sbadmin process running on the SB Debian servers? It listens on port 225.

Can we safely stop this process?

knightfoo
2003-07-30, 16:05 PM
The sbadm daemon is mostly used for support issues. It gives our support team a secure, reliable way to access servers in the case of a problem or emergency. You may disable the daemon if you wish (via init scripts), but if you change any of your login information, you must remember to provide this information if you submit support tickets. Honestly, I don't like the idea of sending passwords through e-mail.

We have taken every precaution to make sure the daemon remains secure. sbadm only accepts key-based logins from two of our administrative servers. Since it is just sshd with a different name, it is just as secure as SSH .. maybe even more so, because the port is non-standard and inaccessible from the outside. Also, the daemon uses standard login procedures and logging, so you can tell when someone has used it.

-knightfoo

Jeremy Howard
2003-07-30, 18:10 PM
Thanks for the information -- I assumed that's what it was.

OOagent137
2003-07-31, 15:06 PM
A few things:

1) If we don't disable this, then there is no need to send the password in a support ticket?

2) Why not encrypt the e-mail?

knightfoo
2003-07-31, 15:24 PM
Originally posted by OOagent137
A few things:

1) If we don't disable this, then there is no need to send the password in a support ticket?

2) Why not encrypt the e-mail?

There are some cases where the root password is necessary, such as logging into control panels and certain types of debugging. sbadm is not a complete replacement for normal authentication, just a shortcut for certain cases. There may also be future support offerings which depend on it.

Ideally, passwords should never be passed over the Internet in plain-text. We are working on a tool that will allow you to update your password with ServerBeach support through a secure portal, so support can get updated password information without e-mailing it. For now, it is safe to leave your root password set to the installation default .. only ServerBeach staff has access to this information, and direct root logins are disabled so it would be useless to anyone who managed to intercept the e-mail. I would recommend changing your user account login, as long as you leave the "beach" account alone.

Encrypting e-mail is a good idea, but not everyone's mail client supports it. It is a good idea to offer encrypted e-mail to those who can use it though. This is definitely something that we will take into consideration.

-knightfoo

Striker
2003-07-31, 15:35 PM
heh, that's funny... ServerBeach installs their own user beach which also has an entry under /etc/sudoers:

beach ALL=(ALL) ALL

If sudo is installed and they are able to log in to the machine, they would never need the root password :)

knightfoo
2003-07-31, 15:39 PM
The "sudo" command would not allow support to log into something like WHM/CPanel, which uses /etc/passwd for user authentication. Both sudo and sbadm are only useful for shell level applications.

-knightfoo

Striker
2003-07-31, 15:42 PM
indeed... I didn't even think of that.

However, you guys don't have any of the control panel stuff on Debian yet, do you?

knightfoo
2003-07-31, 15:50 PM
Originally posted by Striker
indeed... I didn't even think of that.

However, you guys don't have any of the control panel stuff on Debian yet, do you?

Not yet :)

Jeremy Howard
2003-08-01, 06:26 AM
I can't imagine too many Debian users would want a control panel... (removing Webmin was the first thing I did when I got my server ;) )

Striker
2003-08-01, 10:01 AM
All my personal debian boxes have webmin running.

zal
2003-09-08, 18:39 PM
Originally posted by knightfoo
We have taken every precaution to make sure the daemon remains secure. sbadm only accepts key-based logins from two of our administrative servers. Since it is just sshd with a different name, it is just as secure as SSH .. maybe even more so, because the port is non-standard and inaccessible from the outside. Also, the daemon uses standard login procedures and logging, so you can tell when someone has used it.

FWIW, it's set up to allow any root login from anywhere on my freshly installed system.

I've since tweaked it to only allow passwordless logins by root (key only), but it'd be nice to also know the IPs of the administrative servers to add to the authorized_keys file to further limit access.

knightfoo
2003-09-10, 13:20 PM
Woops, that is a bug :) The default sshd_config is now configured to not allow root logins. The sbadm configuration does allow root logins, but this is because it does not accept passwords (only keys) and the port is filtered in our routers, so no one can access it anyway. The IP addresses of the admin servers may change and are different in our two datacenters. I would also rather not make the IP addresses public for security reasons. Again, since the port is filtered for anyone but us, it isn't much of a risk to leave it open. If you find another customer attempting to access this port, I will be happy to lart them for you. :)

-knightfoo
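
The two states discussed above (root login with passwords accepted, versus key-only root login with keys tied to source addresses), as an added example that is not ServerBeach's code or configuration: a small Python audit of an sshd-style config and an authorized_keys file. The config text, key strings, comments and 192.0.2.x addresses are constructed samples, and only PasswordAuthentication, PermitRootLogin and the from= key option are checked.

```python
import re

# Constructed samples: the thread does not show the real sbadm config, keys or admin IPs.
AS_REPORTED = "Port 225\nPermitRootLogin yes\nPasswordAuthentication yes\n"
KEY_ONLY = "Port 225\nPermitRootLogin without-password\nPasswordAuthentication no\n"
SAMPLE_KEYS = (
    'from="192.0.2.10,192.0.2.11" ssh-rsa AAAA_CONSTRUCTED support@admin1\n'
    "ssh-rsa AAAA_CONSTRUCTED support@admin2\n"
)
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def effective(config_text):
    """Global sshd_config settings; the first occurrence of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break  # only the global section is audited here
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen

def audit_config(config_text):
    cfg = effective(config_text)
    findings = []
    password_on = cfg.get("passwordauthentication", "yes") != "no"  # sshd default is yes
    if password_on:
        findings.append("password-auth-enabled")
    # Unset PermitRootLogin counts as weak: its default differs between OpenSSH versions.
    if password_on and cfg.get("permitrootlogin", "yes") == "yes":
        findings.append("root-password-login")
    return findings

def split_unquoted(text, seps):
    """Split text on any character in seps that sits outside double quotes."""
    parts, cur, quoted = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def unrestricted_keys(keys_text):
    """Line numbers of authorized_keys entries that carry no from= option."""
    hits = []
    for n, raw in enumerate(keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = "" if line.startswith(KEY_TYPES) else split_unquoted(line, " \t")[0]
        if not any(o.lower().startswith("from=") for o in split_unquoted(options, ",")):
            hits.append(n)
    return hits
```

Run it against the config file of the second sshd instance and root's authorized_keys; an empty result from both functions matches the key-only, source-restricted setup described in the thread.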

OOagent137
2003-09-12, 02:30 AM
I will be happy to lart them for you.

I looked the word "lart" up and found no entries. So, I'm assuming this is some haXor terminology or it's a colloquialism. Can somebody define "lart"?

zal
2003-09-12, 06:59 AM
Originally posted by OOagent137
I looked the word "lart" up and found no entries. So, I'm assuming this is some haXor terminology or it's a colloquialism. Can somebody define "lart"?

It's computer jargon, see http://info.astrian.net/jargon/terms/l/LART.html

OOagent137
2003-09-12, 15:03 PM
Thanks so much!