You can now execute commands on any of your remote servers right from the Site24x7 console. This helps to analyze and resolve server issues faster, especially during late hours or when the terminal is inaccessible.
Highlights:
- Quicker debugging, thus reducing your mean time to repair (MTTR)
- History of all terminal sessions and executed commands by date
- Login only by Super Admin or Admin
Let us know your feedback in the comments section below. For any questions or concerns, you can get in touch with us at support@site24x7.com.
This is a huge security risk, and I am surprised and dismayed that Site24x7 implemented this.
When I questioned support about this, I was told:
Please rest assured that we do not have remote access to any of your critical server resources. We only login using the S247 agent user account which doesn't have any access to the critical resources (it has access only to the agent). If someone requires to use this terminal to execute commands they need to login as a different user with the necessary permissions. This feature is only for facilitating the user with an option to debug further in case of any issue.
However with only a few minutes of testing, I could easily get to things I should not have been able to get to.
I have removed your agents from all of my servers, and will discontinue use of Site24x7.
It's unfortunate that no one foresaw the security risk that this is before trying to add such a feature.
One can be in favor or against this feature. It can be disabled in the Admin Settings, so that's a plus. Question is indeed whether it is ok for Security Audits like ISO27001... Is there an option to have it removed from an MSP account all together?
I also don't see this additional feature listed here: www.site24x7.com/help/server-agent-release-notes.html#linux-mar-2018-new
Hi,
Thanks for the feedback. We understand your concerns, and we have removed this feature for all users.
Watch out this space for future updates.
Regards,
Mathangi
Hi,
At Site24x7, customer security is of utmost importance and something that we take very seriously. Before any new feature is released, the Standard protocol is to apply security best practices from all angles for the feature, and after we receive clearance from every security level with no vulnerabilities, only then does the feature proceed to a GA release for customers.
Following are the security measures we have taken towards the Live Terminal feature:
1. The feature can only be accessed by the Super Admin and Admin user roles in Site24x7.
2. If a user does not want to use this feature, it can simply be disabled in the account by navigating to Admin -> Server Monitor -> Settings -> Disable Live Terminal (Removed now).
3. Only one Live Terminal connection is allowed per Server Monitor.
4. If a session stays idle for more than 2 minutes, it will be timed out and closed automatically. This is applicable for a continuous command as well.
5. Agent level security - Commands passed in live terminal are given to agent. Agent in turn executes the commands via user 'site24x7-agent' present in the server. Only commands will be executed under scope of 'site24x7-agent' user.
We are also analyzing to provide this feature with additional Security level to connect the feature Live Terminal like OTP enabled, verifying Site24x7 Account Password etc.
Site24x7's Web Client and its Data Center Security:
Site24x7's web client security framework is aligned with ISO 27001:2013 and OWASP standards to ensure no security risks like cross-site scripting and security misconfigurations occur.
As with our data centers, they are hosted in some of the most secure facilities that are well protected from physical and logical attacks as well as natural disasters.
1. The data centers are guarded seven days a week, 24 hours a day, each and every day of the year by private security guards.
2. Each data center is monitored 7x24x365 with night vision cameras.
3. Biometric and Two-Factor Authentication must be used to enter the data center
4. Zoho servers are located inside generic-looking, undisclosed locations and guarded safely inside bullet-resistant walls
To read on our network security, and other best practices for managing security and data protection risk, refer our security document.
To know more about Site24x7 Security Practices, Policies & Infrastructure.
For any further queries, please reply the post.
Regards,
Muralikrishnan