Licensing restrictions on personal/personal plus discourage cybersecurity best practices

But giving blanket root access to any user with sudo is still akin to giving that user full root privileges.

What happens if the bad actor does all of his bad stuff and then issues a:

echo -n | sudo tee /var/log/auth.log

(Note: don't run this command because it will clear out your /var/log/auth.log file)

Then you've lost all of the tracking.

Sorry, it's just going to take a lot more to convince me that sudo is some magical governing system. Linux systems have one root user, period. Well... technically one root uid - 0 - you can have multiple root users sharing the same 0 uid, but it doesn't really gain you anything.

Now... if you use sudo to restrict access to certain commands (i.e. not blanket root access) then yes, it can be useful. But again, this is the same concept as building your own application that uses its own authentication system to validate an individual, and then, based on that authentication (however you've defined it), that individual can do certain functions through a login-key based API call. Don't get me wrong, I'm not saying such an application would be fun to write - but that is essentially what a restricted sudo environment is doing.
 
But giving blanket root access to any user with sudo is still akin to giving that user full root privileges.
Yes. That is the point. People who are responsible for system administration need that kind of access. Now, with sudo, you could create junior admins who have less access. That's one of the beauties of it.

What happens if the bad actor does all of his bad stuff and then issues a:

echo -n | sudo tee /var/log/auth.log

(Note: don't run this command because it will clear out your /var/log/auth.log file)

Then you've lost all of the tracking.

Sorry, it's just going to take a lot more to convince me that sudo is some magical governing system. Linux systems have one root user, period. Well... technically one root uid - 0 - you can have multiple root users sharing the same 0 uid, but it doesn't really gain you anything.

Now... if you use sudo to restrict access to certain commands (i.e. not blanket root access) then yes, it can be useful. But again, this is the same concept as building your own application that uses its own authentication system to validate an individual, and then, based on that authentication (however you've defined it), that individual can do certain functions through a login-key based API call. Don't get me wrong, I'm not saying such an application would be fun to write - but that is essentially what a restricted sudo environment is doing.
Well, if you want the truth, you don't ONLY store logs locally. That's what remote syslog is for... It takes a layered defense.

I'm just telling you what the industry standard practice is today. Is it perfect? Not in the least. But it is way better than having a single person with all the access going rogue, having their password cracked (or social engineered), or dying and leaving you with no way to administer a machine and having to rebuild from scratch.
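The log-clearing scenario quoted in this exchange, and the remote-syslog answer to it, as an added example that is not from any poster in the thread. sudo writes its own record (user, TTY, and the full COMMAND line, to the authpriv facility) before the command runs, so a copy of that record that has already left the box survives a later local truncation. The script below flags sudo records whose command names anything under /var/log, and writes an rsyslog drop-in that forwards auth and authpriv to a collector. The host name logs.example.internal and the four sample auth.log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from this thread: spot sudo commands that touch the logs,
# and keep an off-box copy so a local "echo -n | sudo tee /var/log/auth.log"
# cannot erase the record of itself. Sample data and host name are constructed.

# sudo's own record looks like:
#   ... sudo:  bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tee /var/log/auth.log
# COMMAND is the last field, so anything after it naming /var/log is suspicious.
TAMPER_RE='sudo:.*COMMAND=.*/var/log'

# Print every sudo record whose executed command names something under /var/log.
flag_log_tampering() {
    grep -E "$TAMPER_RE"
}

# Count such records (grep -c prints 0 but exits 1 when nothing matches).
count_log_tampering() {
    grep -c -E "$TAMPER_RE" || :
}

# Reduce each flagged record to "invoking-user command", ready for an alert.
tamper_report() {
    grep -E "$TAMPER_RE" |
        sed -E 's/^.*sudo:[[:space:]]*([^ ]+) : .*COMMAND=(.*)$/\1 \2/'
}

# Write an rsyslog drop-in (e.g. /etc/rsyslog.d/10-forward-auth.conf) that sends
# auth and authpriv records over TCP ("@@") to the collector as they are written.
write_rsyslog_forward_conf() {
    conf_path=$1
    collector=$2
    printf '%s\n' \
        '# Forward authentication and sudo records off-box as they are written' \
        "auth,authpriv.* @@${collector}:514" > "$conf_path"
}

# Constructed sample auth.log lines: two benign sudo calls, two touching /var/log.
SAMPLE_AUTH_LOG='Mar  3 10:15:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:16:42 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tee /var/log/auth.log
Mar  3 10:17:05 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/truncate -s 0 /var/log/syslog
Mar  3 10:18:30 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx'

# Run the report over the sample; on a real host pipe in the collector's copy
# of auth.log, not the local file.
printf '%s\n' "$SAMPLE_AUTH_LOG" | tamper_report
```

The pattern is deliberately broad (any sudo command whose argument list mentions /var/log), so it also catches truncate, rm, or a shell redirection run via `sudo sh -c`; it will flag legitimate log rotation too, which is the kind of thing the collector side can whitelist by user and command. The forwarding line uses rsyslog's legacy `@@host:port` TCP syntax; the same rule can be written in RainerScript with `action(type="omfwd" ...)` and wrapped in TLS, which the collector should require.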
 
Well keep in mind, if the one server administrator gets incapacitated in some way then depending on who can legally execute decisions on that person's behalf, the server itself can always be rebooted into single user mode - where a new root password can be established without having to know the old root password.

Then once you have root access to the server you can reset the password for the admin user from the root shell and gain access into DirectAdmin.

Is it an easy process? No. But I don't think it's supposed to be easy.
 
Well keep in mind, if the one server administrator gets incapacitated in some way then depending on who can legally execute decisions on that person's behalf, the server itself can always be rebooted into single user mode - where a new root password can be established without having to know the old root password.

Then once you have root access to the server you can reset the password for the admin user from the root shell and gain access into DirectAdmin.

Is it an easy process? No. But I don't think it's supposed to be easy.
Do you have any idea how long going through a legal process would take? In the meantime, an attacker could be playing havoc with the machine. Even without an attack, waiting months to be able to get back in and make needed changes is unacceptable. Sorry, not a reasonable solution.
 
I will say that I found a possible backdoor solution... You can go in on the command line, create a separate account, add it to the sudo group, and set up SSH key exchange. In the event of any emergency, you could SSH to the box, completely wipe DA, and then reinstall it. What a pain. And all because they won't support something that is needed.
 
That is actually LESS options.
No it's more options because you want extra accounts which do not come with the license you have. And the Pro pack is no issue as this is not delivered with this license anyway.
You, yourself, argued against the need for 2FA to prevent unauthorized administrative access through password cracking,
Ehmz... Against 2FA? I think either you must have misunderstood me then, or I must have made some typo. I gave choices, I did not argue against 2FA as far as I remember. I think 2FA is a good thing.

I see that the vast majority of attacks coming from hijacked ISP rent-a-servers that are managed by CP and DA and the likes
Really? Well, let me disagree with you on that, from experience on my behalf, because in the last few weeks I monitored that and I'm using AbuseIPDB. In the last weeks I reported over 2000 IPs, which were mostly VPS systems, just without CP or DA. And if panels, then maybe CP more than DA. But most attacks were from cloud VPS servers from providers who do not even provide DA for their cloud VPS systems. Or dedi servers without DA.
The only thing I see mostly coming from DA and CP servers is spam via hacked accounts, but not very much attacks as mostly more access is needed to do decent attacks.

This really needs to stop. Password cracking is but one attack vector; we should take all vectors off the table that we can.
We don't agree about that. But there are more methods to do this, more people should report abuse and block hosters who are providing abuse and do nothing about it when complaints are made.

In any case, this experience has really turned me off to DA. :(
Sorry to hear that, but unfortunately, it will be the same for the other professional panels out there (CP and Plesk) because they are not different, you only get what you want in the more expensive licences.
I really understand your intentions about security, but we do not all agree about everything you have in mind; just like the world is not even agreeing about the benefit of SPF and DKIM, it will be a hard time to get something like this done while it is available in more expensive versions. For companies that is not interesting enough.
 
Really? Well, let me disagree with you on that, from experience on my behalf, because in the last few weeks I monitored that and I'm using AbuseIPDB. In the last weeks I reported over 2000 IPs, which were mostly VPS systems, just without CP or DA. And if panels, then maybe CP more than DA. But most attacks were from cloud VPS servers from providers who do not even provide DA for their cloud VPS systems. Or dedi servers without DA.
The only thing I see mostly coming from DA and CP servers is spam via hacked accounts, but not very much attacks as mostly more access is needed to do decent attacks.
I think you missed a key phrase. "I see that the vast majority of attacks coming from hijacked ISP rent-a-servers that are managed by CP and DA ***and the likes***." In other words, rented ISP cloud servers (aka VPS, dedicated, or shared servers). Doesn't have to specifically have CP or DA. I get sprayed with brute force login attacks from this type of server all the time. I also get constant WordPress exploit attacks. There is most certainly malware running on the servers from which these originate. That has nothing to do with spam. Those servers are trying to attack my servers using usernames and passwords. Hence, 2FA + brute force protection that automatically blocks IPs that attempt this. It is MY responsibility to protect my servers and make sure they aren't hijacked and used to attack other servers.
 
If you share with others, it is not called Personal, it is called Group.

Also, Personal Plus is designed for those who want to separate their site to another user instead of "admin", which can help protect against a malware site. It is still personal.

But the Pro Pack doesn't increase the price; the price has always been like this.

You pay $2/month to get 1 user, 10 domains.
Personal Plus is $5/month: 2 users, 20 domains.

So how much do you want to pay to get 3 users, 10 domains? $3? $4? Or more than $6?
So it will become an unfair price for the DirectAdmin team.
 
You pay $2/month to get 1 user, 10 domains.
Personal Plus is $5/month: 2 users, 20 domains.

So how much do you want to pay to get 3 users, 10 domains? $3? $4? Or more than $6?
So it will become an unfair price for the DirectAdmin team.
In comparison to the Personal Plus plan, how is it an "unfair price" if I have reduced domains (say 5 => so 15 less) and only one additional admin (3, so one more)? The license would actually support managing only 25% of the domains. That's a *huge* reduction in capability and seems more than fair.
 
If you share with others, it is not called Personal, it is called Group.
There is no DA license called "group". Personal Plus is really misnamed, as it supports two accounts. There is no reason for an admin to have two separate accounts as the admin can access the end-user panel already and do any end-user only actions. The additional account only makes sense when giving to another person who needs to access a domain's DA management console. So by your definition, it is a "group" license, albeit a group of only two. :)
 
There is no DA license called "group". Personal Plus is really misnamed, as it supports two accounts. There is no reason for an admin to have two separate accounts
I meant that "Personal" and "Personal Plus" are for your own use and not for sharing with others. If you want to have 3 accounts, it needs another plan; maybe it could be called "Small Group Plan". It is a good thing to have more plans suitable for your business.

There is a reason to separate accounts. Imagine you have a WordPress site and you don't want malware to mess with your Admin roles.
 
I meant that "Personal" and "Personal Plus" are for your own use and not for sharing with others. If you want to have 3 accounts, it needs another plan; maybe it could be called "Small Group Plan". It is a good thing to have more plans suitable for your business.
Thank you for acknowledging my needs. Mine is not a business, which the larger plans may be better suited for. Mine is a pet project with a few other geographically-dispersed colleagues. The project has no funding. We volunteer our time for this project for the good of the community. We have a very small website with two subdomains. We just have no need for 10-20 domains. We do have a need for multiple volunteer colleagues (all of whom are cybersecurity professionals) to access the admin panel. I am betting for really small businesses, their needs are not too dissimilar. I'm having trouble imagining a business (other than a web reseller) needing that many domains.
 
I think you missed a key phrase.
I didn't miss that key phrase, I just wanted to make clear that in my experience it is in most cases the "and the likes" and fairly seldom the CP and DA servers. That's all.
Of course I know of malware servers, but very often I check the attacking IPs and, as said, in most cases they are cloud VPS systems and "the likes", and not from providers even providing DA or CP as a panel.

It is MY responsibility to protect my servers and make sure they aren't hijacked and used to attack other servers.
That is -every- admin's responsibility, yes indeed; we agree on that.

As for pricing, I don't agree, but as said I didn't want to start a discussion anyway so for me it ends here.
I understand what you need, but that comes with a price, just as antivirus scanners came with a price for Windows servers too. To me it's all business, and DA is software with a software-like business model: the more you want, the more you pay. Even for security, if present.
It's still possible to create a separate OS user account in the sudo group which is not in DA but could rescue your system if needed.
 