A long time ago, we used to give Telnet access - but we discontinued that, due to security issues. We now offer SSH access, upon request. Now, I'm starting to have doubts about offering that after we caught 3 different users snooping around one entire server, looking for possible exploits.

My question to other hosts is, do you offer SSH access and if not - why? What is your opinion on this subject?

--Tina

any type of shell access will give them ability to snoop around

They wont have access out side there realm, but limiting shell access is good.

Overall if no one other then u has access, it limits the potential problems

Joe

Limiting or not giving shell access is a good idea.

Yes, I realize this. I'm just wondering what other hosts do/think about SSH access.

--Tina

A long time ago, we used to give Telnet access - but we discontinued that, due to security issues.

No offence but please explain why you disable telnet access? Do you also offer FTP and e-mail via secure channels? What is point of having one session encrypted (ie. shell sessions) and other not (ie. ftp) when both are sending passwords to the server.


Now, I'm starting to have doubts about offering that after we caught 3 different users snooping around one entire server, looking for possible exploits.


Shell access can be a very useful tool in debugging, copying, moving, compiling programs/scripts etc... those that use it will sincerely miss it. Also so much can be done via CGI now that disabling direct shell access will only deter the weak. Users can still snoop via CGI/php scripts and also execute programs (even exeucte them in the background and let the cgi program finish), in fact there are many cgi telnet scripts available as well.

Originally posted by MattF
No offence but please explain why you disable telnet access? Do you also offer FTP and e-mail via secure channels? What is point of having one session encrypted (ie. shell sessions) and other not (ie. ftp) when both are sending passwords to the server.


We disabled Telnet because of the seeminly constant exploits that come out for it. OpenSSH has had less exploits.

As far as our rules. We supply shell for only two reasons. If the customer needs to do something that can't be done by the control panel like debugging and compiling or insists on it due to thats how they like to work.

As was said, it is just as easy to execute scripts without shell access but by keeping shell access to a minimum you will help prevent newbies screwing something up on accident.

Well, we offer SSH access to those who need it. However, we require a photo ID and reasons needed. We also log all activity (message stating so upon access).

Believe it or not, we have had people cancel because we require ID. Our point is that we would rather have a bit more control over the servers and not have everyone who just wants access to roam around and try and find exploits. It is beneficial to the customer who requests it, the customers who do not request it (they don't have to worry about every user on the shared servers) and it is beneficial to us.

Since implementing this, we have found that our servers are 100% + more secure. We do not have as many runaway scripts and the funny thing is, the servers are staying up without crashing. GO figure.

We atribute it to our measures, and to those who do not want to follow our procedures, I can recommend a few companies that do not implement these procedures, and you can have full reign of the servers along with everyone else.

Originally posted by WeinBar
Well, we offer SSH access to those who need it. However, we require a photo ID and reasons needed. We also log all activity (message stating so upon access).


I like that idea. Currently, we just require that they fill out a form stating exactly why they want it. I like the idea of adding the "photo ID" requirement. I think it will really make people think about how bad do they *really* need shell access.

--Tina

Yes, but watch out. People will start getting angry at you. They don't feel they NEED to. Be prepared to lose a few customers. If you do, then all the better. The one's that complain are usually the ones who will cause problems.

Originally posted by WeinBar
Yes, but watch out. People will start getting angry at you. They don't feel they NEED to. Be prepared to lose a few customers. If you do, then all the better. The one's that complain are usually the ones who will cause problems.

Yes, I believe you are correct. :)

--Tina

I would not sign-up for an account without telnet or ssh, unless I want to run my family site with a few pages of family photos. These are necessary if one wants to install, debug and run any kind of scripts.

Well, we offer SSH access to those who need it. However, we require a photo ID and reasons needed. We also log all activity (message stating so upon access).

May be that is the way to do it or charge more or something.

Nope, we do not charge more, just need the proper paperwork.

You can disable wget and su root.... alittle bit more secure :)

ive always thought, if you want SSH/Telnet then go buy your own dedicated server or buy a shell account. (

sometimes its easier to use something like pico to update your sites but most of the time imho people prefer to do the mods locally and upload them via FTP.

so yes, id agree, SSH is useless to anyone other than the technical people that are interested in total control over their web site and the ability to change sites very quickly via SSH.

Why not set up chroot, or install a restricted shell that won't let them move beyond their home directory... also, disable the services that may cause major security hazards.

Originally posted by Synergy
You can disable wget and su root.... alittle bit more secure :)
Why disable wget? That's a big reason (as a consumer and administrator) I use a shell. I don't want to download that huge .tar.gz file onto my pc from an http server and then upload it to the server. I'd rather use wget and get a very quick burst of data. I also wouldn't want to untar my program's files onto my pc, make the changes in the conf file, upload the conf file, find out I messed up, edit the conf file on my pc, reupload and test.... it's for the birds. I'd much rather type "vi sample.conf" make my change, save, exit, and check to see if it worked. Shell just simplifies things and creates efficiency. Sure, some may snoop around, but I can do that with a cgi/php program anyway -- big whoop.

What about bandwidth? If you use wget, there is no way (that I know of) to charge the transfer to your account. You could wget a 1GB file and never have to worry about the cost of the transfer.

Who charges for incoming traffic? Not my providers. I can wget 1GB files all day long and not get charged. At least that's what they say... :)

All traffic (incoming and outgoing) needs to be paid for. Bandwidth does not only include outgoing.

Well, we offer shell access (ssh), we had no problems whatsoever with abuse on the shell, probably because our contracts... if they do any harm they are in big trouble.... but besides that....(watch this, because i'm not a technican/linux guru, i'm just the owner :)) you can chown programs like wget to root dont you?... so no other user can use it, you can do this to everything... i don't see the problem actualy...

and like a person said before, you can do almost anything with perl and php, you don't NEED the shell access to walk on the server...

I agree that a user can do anything with FTP access and executing a script that they can do with shell access, but not giving them shell access makes it harder for them to do something fast, without getting caught.

We generally give shell access to anyone who NEEDS it, but here is what we have in the service agreement:

Shell access can usually be granted to a user if publishing of their web site absolutely requires it because there is no other method for accomplising the same task. For security and jurisdictional reasons, shell access for accounts will only be granted according to the following terms.

a) Residents of the United States may be required to mail in a photocopy of a valid state or nationally issued photo ID.
b) Residents of countries other than the United States may be required to mail in a photocopy of a valid passport with photo ID and wait until a 90 day probationary period has expired.
c) In some cases, shell access will not be granted under any circumstances, to be determined by an agent of Bitserve Systems.

Originally posted by archangel777
Why not set up chroot, or install a restricted shell that won't let them move beyond their home directory... also, disable the services that may cause major security hazards.

How does one go about doing such a thing with their shell?

Originally posted by WeinBar
All traffic (incoming and outgoing) needs to be paid for. Bandwidth does not only include outgoing.

Land-based internet circuits are full-duplex in every case I can think of. If you're a Web host, your outbound is anywhere between 6 and 10 times your inbound. Therefore, within reason, inbound traffic is free to you. It's not at all likely to exceed outbound, in which case it will never cause you to have to upgrade a circuit.

I believe that charging users for inbound traffic on a network that primarily does outbound transfers is, well, not right.

Back to the original question, though. If you can't secure your server to the point where a "user roaming a shell" isn't a threat, then you will eventually have security problems whether you run Telnet/SSH or not. Hardening a server is really, really important and shouldn't be glossed over by disabling one thing or another and forgetting about the whole issue.

If anything, we've benefitted from having users roam our servers. They get more powerful capabilities, and we learn to be vigilant.

Kevin

Originally posted by sigma


I believe that charging users for inbound traffic on a network that primarily does outbound transfers is, well, not right.



So, if you run a site that has users uploading gigs of data, your site should be free? Where is the logic in that. Basically, you should be charged for ALL traffic, not just outgoing. Whether you think it is right or wrong is irrelevant. I don't think it is right that the traffic laws in the US make you wear seat belts, but I do it anyway.

Not trying to be a comedian, I am only stating that we have to pay for all traffic, both inbound and outbound. If a user has shell access and they keep pulling data into their site without paying for it, then I, as the NOC, need to pay for it. Where do you expect that money to come from?

But, I do agree with you. The majority of sites traffic is derived from outound traffic, and thus, that is what is being metered. I am only looking at the very small percentage of sites that do not fall into this category.

Originally posted by WeinBar
So, if you run a site that has users uploading gigs of data, your site should be free? Where is the logic in that. Basically, you should be charged for ALL traffic, not just outgoing. Whether you think it is right or wrong is irrelevant. I don't think it is right that the traffic laws in the US make you wear seat belts, but I do it anyway.

Not trying to be a comedian, I am only stating that we have to pay for all traffic, both inbound and outbound. If a user has shell access and they keep pulling data into their site without paying for it, then I, as the NOC, need to pay for it. Where do you expect that money to come from?

But, I do agree with you. The majority of sites traffic is derived from outound traffic, and thus, that is what is being metered. I am only looking at the very small percentage of sites that do not fall into this category.

What kind of site primarily has inbound traffic? A remote backup service? I'm just talking about Web sites on a Web hosting network. Whether charging for inbound traffic is "right" or not I will set aside. But it surely isn't common. And if you're already paying for a certain level of connectivity based on outbound demand, the inbound demand only becomes relevant if it exceeds outbound overall.

I do know that in certain countries, some providers meter traffic in both directions. Australia comes to mind as an example.

Kevin

Originally posted by sigma


What kind of site primarily has inbound traffic?

I can think of a couple on our network. They take uploads from users to use in their diskspace.

But, that was not the meaning of my post. Basically, if a user has shell access, then they can (unless disabled) use wget and ftp that will allow for inbound traffic (they will be pulling from other sites). What we were faced with was an abuse on our systems that people were pulling large amounts of data from other sites (even their own PC using these shell programs) while eating up bandwidth that was never charged to the customer, only to us because all traffic is measured through our switch.

ANd for the second time, I totally agree with you that most sites do not fall into this category. But, the exception to the norm is what costs us money.

Originally posted by WeinBar

ANd for the second time, I totally agree with you that most sites do not fall into this category. But, the exception to the norm is what costs us money.


I agree - and the more customers you have, the more costly the "exception" becomes. If you have 1000s of customers, the "exception" could be 100 people each using 20 GB of unmetered bandwidth.

--Tina

Our provider takes the incoming and outgoing, adds them. Uses the 95% rule, and bills us. We have to charge for traffic both ways.