Web Hosting Talk







View Full Version : Can a colo provider login as root on my server without permission?


erik
10-15-2001, 10:35 PM
I rent a dedicated server from a datacenter here in the US. Today
I found that my provider has logged on to the server without my
permission.

Can they do this? I haven't asked them what they were doing
yet... or tried to do...

If they sent me an email telling me that "we are logging on to
your server right now because ..." I wouldn't react. But when they
log on and I first find out during a security check a few days
later I find it rather suspicious.

phpjames
10-15-2001, 10:42 PM
Check your contracts with your provider. If you don't know why they needed to log in, you may want to ask them why they were in your box.

Also you may want to think about changing your root password. Just a thought.

smartbackups
10-15-2001, 10:43 PM
What did your agreement say when you signed up?
Why didn't you change the root password when you took over the server?

It all depends on their AUP/TOS; some places request that they have the root/admin password for the servers in their data centers.

The Prohacker
10-15-2001, 10:46 PM
No matter what your root pass, if they have physical access to the box, they can still log in via single user mode...

sodapopinski
10-15-2001, 10:46 PM
Check your bash history for root access.
If they delete it or do something you did not like, then it's time to move to a new NOC :)

erik
10-15-2001, 10:51 PM
phpjames and smartbackups,
I am reading through the TOC and AUP right now. I did also
change the root password for the server, but when I look back
in old support tickets I find that the provider asked for our
root password once because they needed to modify a backup
script. It hasn't been changed after that, but in my opinion I
should be able to trust my own, well known, datacenter provider.

I will of course change the root password again after this.

erik
10-15-2001, 11:01 PM
I have read the agreement and it's not mentioned anywhere
that 'the provider' reserves a right to login to my server in order
to make any changes etc.

bbrader
10-16-2001, 12:28 AM
If it's a dedicated server and not a colo box, then they own it and can pretty much do as they like, I would guess.

-Brendan

Dylan
10-16-2001, 12:38 AM
Man, just email them and ask them why they logged into your box.

You should be able to check yourself as most servers keep a history of what the rootman did.

node9
10-16-2001, 12:42 AM
is this *****?
***** did this to my server while back
i hear they do it to all servers

except they do it on a different port

BurstNET
10-16-2001, 12:54 AM
It is common practice for many dedicated server providers to log in as root to systems on their network...especially if it is a managed dedicated server. I know we do it all the time for various reasons including:
soft reboots
hanging systems
hardware upgrades/swaps
software upgrades
spamming issues
security patches
and just to plain old see why apache/httpd is down on a server...

It IS OUR JOB to log into the machines and get it running right if something is wrong or needs to be updated...that is what we are paid to do...

Sean R.
BurstNET

erik
10-16-2001, 01:11 AM
Well, this is not a managed server. It has been running for more
than 400 days and I have asked for assistance only one or two
times because telnet/ssh has been unavailable etc. I am only
paying for bandwidth and the rental of the server itself. Nothing
else.

I have no kind of support plan saying that the provider will restart
any services that go down etc.

I did email them and the answer was that they upgraded my
backup script. I was also able to guess that from the bash history.

Anyway, in my opinion, they should have sent me an email when
they logged on just to explain what they were planning to do.
Even if the agreement said (which it doesn't) that they were
allowed to do whatever they wanted on the server, I think they
should have the courtesy to send me an email. They don't
necessarily have to wait for my "go", but just logging on to the
server without saying anything creates a lot of extra work. I'm
the one who has to do all the investigation.

cperciva
10-16-2001, 03:24 AM
Change your root password, and mark the console as "insecure"; that way anyone trying to log in at the console (even for single-user mode) will have to enter a password.

They could get around that by booting off of a CDROM, but I'd hope that being asked for the root password (and not knowing it) would send them the message that their intrusion is unwanted.

CagedTornado
10-16-2001, 12:09 PM
Check /var/log/messages or /var/log/secure for suspicious activity. If you've locked down the box, they shouldn't be able to do this.

Dan
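
The log check suggested in this post, as an added example that is not part of the thread: a small shell function that lists root logins found in /var/log/secure-style lines and flags SSH sources that are not on an allowlist of your own addresses. The sample lines, host name, user name, addresses and function names are constructed for illustration, and the exact syslog wording varies by distribution and version.

```shell
#!/bin/sh
# Added example (not from the thread): list root logins found in
# /var/log/secure-style lines and flag SSH sources outside an allowlist.

# Constructed sample lines; addresses are documentation ranges (RFC 5737).
sample_log() {
cat <<'EOF'
Oct 12 03:14:07 web1 sshd[1234]: Accepted password for root from 192.0.2.10 port 1022 ssh2
Oct 12 09:41:55 web1 sshd[1301]: Failed password for root from 203.0.113.9 port 4410 ssh2
Oct 13 02:05:31 web1 sshd[1422]: Accepted password for root from 198.51.100.77 port 3391 ssh2
Oct 13 02:20:12 web1 login[987]: ROOT LOGIN ON tty1
Oct 14 11:02:48 web1 su(pam_unix)[2345]: session opened for user root by admin(uid=500)
Oct 14 11:30:00 web1 sshd[1500]: Accepted password for admin from 192.0.2.10 port 1188 ssh2
EOF
}

# root_logins "ip1 ip2 ..." [logfile...]   (reads stdin when no file is given)
# Output per event: <mon> <day> <time> <kind> <source> <verdict>
root_logins() {
    allow=$1; shift
    awk -v allow="$allow" '
    function emit(kind, src, verdict) {
        print $1, $2, $3, kind, src, verdict
    }
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Remote root login: "sshd[pid]: Accepted <method> for root from <ip> port ..."
    /sshd\[[0-9]+\]: Accepted [^ ]+ for root from / {
        for (i = 1; i < NF; i++) if ($i == "from") src = $(i + 1)
        emit("ssh", src, ((src in ok) ? "EXPECTED" : "UNEXPECTED")); next
    }
    # Root login on a local terminal; there is no address to compare
    /ROOT LOGIN ON / { emit("console", $NF, "REVIEW"); next }
    # su to root; the last field is "<user>(uid=N)"
    / su(:|\(|\[).*session opened for user root(\(uid=0\))? by / {
        who = $NF; sub(/\(.*/, "", who)
        emit("su", (who == "" ? "-" : who), "REVIEW"); next
    }' "$@"
}

# Stand-alone run: treat 192.0.2.10 as the only address the admin uses.
sample_log | root_logins "192.0.2.10"
```

On a real server, pass the log files instead of the sample, for example `root_logins "192.0.2.10" /var/log/secure`, and compare the timestamps against root's shell history and your support tickets.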

JeremyL
10-16-2001, 12:38 PM
They own the server and have a TOS so they have every right to log into your server to check out what material you host on their server and such.

node9
10-16-2001, 01:02 PM
hah
i have a dedicated server in above.net's noc (West coast)

it isn't a managed server
the only time i would ever want anyone from above or my host or anyone to login my server is when i tell them to..

e.g. one time, i messed up on changing ips... i typed the subnet wrong, so the box didn't come back up
i had an above.net tech plug in a keyboard and sit with me on the phone to get it to work
surprisingly he didn't know a damn thing about linux
kind of sad.

=\

took like 20 mins for him to login
then su root
lol

MattR
10-16-2001, 02:01 PM
If it is a managed server you are essentially *renting* the machine from them.

If it is co-located then *you* buy the machine and they hold it in their racks.

Big difference -- managed they can control 100% but co-located they have zero right to log in under *any* account unless you explicitly grant them access (either via a contract or some sort of troubleshooting agreement).

We have 2 servers hosted @ DialTone and they occasionally log in as root and apply the latest security patches and updates. I have no problem with that -- it's great of them to do that and I don't have to worry about it! :D