One question we naturally get asked a lot is how ServerAuth impacts the security of your servers. With a strong background in server management and security, our team has followed and developed industry-leading practices to ensure the highest levels of security when using ServerAuth.
How we access your server
If you are using our 'Basic' agent integration, ServerAuth never has access to your server. We don't even need to know its IP address. This method of access works by your server calling our API to retrieve your team's public SSH keys, and by sending us your server monitoring statistics if you take advantage of this feature.
This is of course a very limited set of features and intentionally allows you to take full advantage of our SSH Key Management service without needing to give away too many details or any kind of access to your server.
The source code for the agent that you install on your server is available publicly on our GitHub account, and can of course be compiled by hand should you wish to be extra safe.
Our advanced integration allows our private backend to perform select tasks on your server, which means we're able to provide a huge number of features that wouldn't be possible with the Basic integration.
For this to work, during the setup process, we ask you to provide us with your server's IP address. To log into your server for the first time we require either a password (which we only use once and do not store), or we'll give you the option of adding our public key.
Once our setup work is done our private backend will have access to your server via a special ServerAuth user, which can perform important security updates and run any requested tasks on your server. This is an 'offline' system with no web access and all credentials stored using industry-standard encryption (AES-256).
All communication from our private backend is done using TLS, and where possible signed offline with our GPG key.
Due to how our 'closed' system operates our support staff can't access your server without you providing them with a team account. This is by design to ensure the security of your infrastructure.
Unlike other server management providers our customer focused control panel does not have any direct communication with your server, and instead hands off requests to our isolated system. It does not have the ability to send 'raw' commands to be run on your server, meaning that should an account be compromised by a malicious actor they would not have the ability to execute code on your server from your ServerAuth control panel.
If you make use of ServerAuth's built in firewall management we will automatically configure it to allow our backend to access your servers. This adds an additional layer of protection when paired with a strong set of firewall restrictions, all of which can be configured from inside your ServerAuth customer control panel.
Automated security updates
Where possible ServerAuth will automatically apply essential operating system security updates. If you are using one of the latest versions of a supported operating system these typically configure this out of the box for you. This ensures your server is kept up to date with the latest security patches.
Your online account
Your online ServerAuth account is hosted on our web servers, securely separated from our server management infrastructure. Your account provides the ability to use Two-Factor Authentication (aka 2FA) to increase account security, something which we strongly recommend enabling.
Your account password is hashed using industry-standard Bcrypt and Argon2. We do not use insecure hashing algorithms (E.g MD5 and SHA1), nor do we at any point store account passwords in plain text.
All payments made via ServerAuth are handled by our payment provider, Stripe who use standard bank-grade encryption. We do not store or transmit your credit/debit card details - this is strictly handled by Stripe.
Team Access Controls
We provide a range of permission-based access controls for your team. This allows you to create and modify user groups, controlling who can access what. Additional access controls are provided on each server allowing you to restrict management access down to the server level.