Customer support at the provider hosting my company's VPS asked me for login details; is this standard procedure?
We host our web application on a VPS. I maintain the LAMP environment there to fulfill our clients' needs (I work at a relatively small SaaS provider), and I also set up a script to back up the system regularly at night.
Our company has just upgraded all of our Linux VPSes to a specification of 5 GB RAM, 5 vCPU, 100 GB SSD, etc. This is because my client complained about slow database processing, and I thought it might have to do with the low specification our VPSes had before.
Still, the database problem persists, so my boss asked me to debug the MySQL process on each VPS we have. From this I found that only one out of five cores seems to be used; this also happens on another VPS.
I suspect that the provider enforces a CPU limit, so I went to their customer support to clarify this. First they asked me for a list of each VPS's IP address, so I handed them that (though I found it strange that they couldn't do this themselves). They said they would follow up on my complaint through email (I reached them via live chat on their website).
This morning an email from them landed in our company account. They asked for, and I quote:
Dear Sir or Madam To follow up from our previous conversation, we need to access your VPS, please give us your port, user, and ssh password. We expect your replies.
This really surprised me: why do they need this information just to answer my question regarding their CPU policy? I could never hand them this sensitive information. But is it really normal for VPS support to request this information?
No, this is not normal at all.
If you need to give them access, create a new account for them that exists only for as long as they need access. Only give them as much access as they need.
But they should have resource monitoring from the VPS side and shouldn't need local access to the server.
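
One way to set up the short-lived, least-privilege account the answer describes, as an added example that is not part of the original answer. The account name, public key, source address and date are constructed placeholders; it assumes a Linux VPS with shadow-utils and OpenSSH 7.7 or later, and it asks support for a public key instead of sharing a password.

```shell
#!/bin/sh
# Plan a temporary, unprivileged SSH account for provider support.
# Nothing is executed: the commands are printed for review, then run as root.

# authorized_keys entry: key-only, one source address, no forwarding,
# refused by sshd after the expiry date (expiry-time needs OpenSSH 7.7+).
support_key_line() {
    pubkey=$1; from_ip=$2; expiry=$3            # expiry as YYYY-MM-DD
    case $expiry in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "expiry must be YYYY-MM-DD" >&2; return 1 ;;
    esac
    case $pubkey in
        *\'*) echo "key must not contain quotes" >&2; return 1 ;;
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*" "*) ;;
        *) echo "expected an OpenSSH public key, not a password" >&2; return 1 ;;
    esac
    printf 'restrict,pty,from="%s",expiry-time="%s" %s\n' \
        "$from_ip" "$(printf '%s' "$expiry" | sed 's/-//g')" "$pubkey"
}

support_account_plan() {
    user=$1; pubkey=$2; from_ip=$3; expiry=$4
    case $user in
        ''|*[!a-z0-9_]*) echo "bad account name" >&2; return 1 ;;
    esac
    line=$(support_key_line "$pubkey" "$from_ip" "$expiry") || return 1
    cat <<EOF
# 1. Account that expires on its own; no password is set and no sudo group is given
#    (top, nproc and /proc/cpuinfo need no privileges).
useradd --create-home --shell /bin/bash --expiredate $expiry --comment 'temporary provider support' $user
# 2. Support's public key is the only way in.
install -d -m 700 -o $user -g $user /home/$user/.ssh
printf '%s\n' '$line' > /home/$user/.ssh/authorized_keys
chown $user:$user /home/$user/.ssh/authorized_keys
chmod 600 /home/$user/.ssh/authorized_keys
# 3. When the ticket is closed: end any session and delete the account.
pkill -KILL -u $user
userdel --remove $user
EOF
}

# Constructed sample values (hypothetical account name, key, address and date).
support_account_plan provsupport \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLY support@provider.example' \
    203.0.113.10 2030-01-31
```

The account expiry and the key's expiry-time are independent limits, so access ends on that date even if the cleanup step is forgotten.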