gellenburg's Journal: Warning About ServerBeach

Here's a warning to current and potential ServerBeach customers:

ServerBeach tech support flat-out requires your box's root password before they will begin to troubleshoot. Per the following response from ServerBeach's Tech Support staff from a recent trouble-ticket of mine:

"If you wish us to investigate and correct your problem we will need
login credintials at the root level.

If you chose to provide them we will happily look into your problem.

As you are indicating you do not wish to provide them we are marking
this ticket resolved as we can do nothing for you."

In a reply to a complaint of mine to ServerBeach's tech-support manager, "Charnell," responded with: "You have every right to choose to not allow our support technicians access to your server, however in return they have every right not to provide support if they are limited in doing so."

Under normal circumstances, this would all be well and good, and if a customer was having problems getting Apache restarted say due to a configuration problem then I could perfectly understand.

However, the nature of my request (the first time I needed "real" support since I've been a customer) was a simple question. Plesk was doing something one way, I wanted it done another, and Plesk's documentation was ambiguous.

Contacting Plesk (SW-Soft) I was immediately referred to ServerBeach to answer my question. I did not have a configuration problem which was preventing Apache from starting, and aside from a minor annoyance everything was fine with the 70+ domains hosted on my box.

Ironically, after receiving the reply from ServerBeach's technical support, and after leaving a complaint with the tech-support manager, eighteen minutes later I received the answer I was looking for directly from Plesk and opening a new ticket with them and explaining that ServerBeach refused to provide assistance (Plesk's answer was spot-on, and without the need for my root login! Go figure.)

My boxes are locked down pretty tight (or at least as tight as I can make them given the infrastructure provided by ServerBeach). Root access isn't even available to anyone remotely and when needed requires something other than the standard PAM authentication modules which come out of the box with Linux and C2 (equivalent) security has been applied. (What? You think I'd actually *tell* you what it was? Hahaha.)

But, bottom line here though is that ServerBeach's policy of refusing to offer service without implicitly either requesting or receiving the root password is flawed.

It's flawed because in many instances the root password isn't even needed.

In addition, it's flawed because it exposes ServerBeach, and their customers, to increased risk and liability of something going wrong and getting accidentally fubar'ed.

Last, and this is the most important one to me, it's flawed because it unnecessarily exposes potentially confidential and proprietary information that may be on a customer's box to ServerBeach personnel.

Besides, ServerBeach always had their own "back-door" which they could have used at any time which, while I could have disabled it, I chose not to (other than locking down from which IP addresses and networks which could actually use it) because I, myself, may need that backdoor at some point in the unforeseen future.

So, if you are a current ServerBeach customer, or are considering becoming one, take this to heart! You may want to think twice about handing over your own login credentials willy nilly to an unsuspecting third-party.

But, for the record, I have been a customer now for 11 months and have generally been extremely satisfied with the level of service I have received. ServerBeach offers good value for the money in most cases. Perhaps this was just an isolated incident, but after receiving the reply that I did from "Charnell," I'm not so sure.