Web Hosting Talk
ALL READ - Hosting Security 101 - Demo Accounts


JBIZ718
02-23-2002, 03:35 PM
Hello All

Well I am a student in Computer Science with a major in Encrptions and Algorythms. ( need to learn how to spell)

My teacher and I were discussing this.

Demo accounts are one of the easiest ways to gain SSH access to a server, because it's just a demo account.

As a person studying security I would never hack, because it's just stupid, ignorant, and quite childish, but I find it almost like a flag that says "hack me now" when demo accounts are not locked down.

I stress the concern to all to lock down demo accounts, make sure they are monitored and keep and I on them

As we can see in many cases, any SSH access to a server, even at user level, is dangerous. You may want to lock down user accounts so they are not able to wheel to superuser.

Thoughts welcome, but for security reasons, LOCK DOWN DEMO ACCOUNTS.

Joe

The Prohacker
02-23-2002, 03:37 PM
Reading the splashost thread, I got to thinking about whether we ran a demo account, and in fact we did; cPanel has a demo option, but it doesn't really lock the account down...


So I took about 30 minutes, made one and locked it down...


I'm willing to make a walk-through if people are interested...

JBIZ718
02-23-2002, 03:42 PM
I think the reality of anything is that security should be focused on in all fronts.

Every account needs to be looked at, and anyone who may or may not have access needs to be watched.


My CTO always says I'm anal about security, but you can't ever be too anal if you're plugged in.

Joe

acetate
02-23-2002, 03:44 PM
For cPanel owners, you can disable SSH/Telnet simply by executing this:

chsh -s /usr/local/cpanel/bin/noshell <username>

i.e. chsh -s /usr/local/cpanel/bin/noshell demo

The Prohacker
02-23-2002, 03:45 PM
You can never be too secure... We need to do some more security measures, but at this time we can't....


I think a large thing is confirming who your customers are, either getting them to fax you a contract back, or handling things over the phone/mail....

The Prohacker
02-23-2002, 03:46 PM
Originally posted by acetate
For cPanel owners, you can disable SSH/Telnet simply by executing this:

chsh -s /usr/local/cpanel/bin/noshell <username>

i.e. chsh -s /usr/local/cpanel/bin/noshell demo


That doesn't take care of all of it, though...

The person can still FTP into the account and call things from the web like:

http://yourmasteriphere/~demo/crash.cgi


You need to make the demo folders read-only and kill the FTP access for it...

acetate
02-23-2002, 03:49 PM
Also, removing the account entry from the /etc/localdomains file would help.

The Prohacker
02-23-2002, 03:53 PM
The best thing to do is:

Edit the /etc/passwd entry for demo:

From: demo:x:32034:648::/home/demo:/bin/bash

To: demo:x:32034:648::/dev/null:/dev/null


Also edit:

/etc/proftpd/demo

So it looks like this:

demo:dwj3DvQ7aoY9M:32034:648:demo:/dev/null:/dev/null


Then chmod the /home/demo dir to 444, and all the contents inside /home/demo to 444....

Also, make sure the person can't add things like more FTP accounts, mail, etc.; just set them to 0, with a disk space quota of 1 MB....

There are a few other things, but that works...


The best security for a demo account is not to have one at all: just save the HTML and the images and make it a static demo...
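Added example, not code from any post in this thread: the lockdown steps above applied to a copy of the account files so they can be checked before the live /etc/passwd and /etc/proftpd/<user> are touched. It assumes the cPanel no-login shell is /usr/local/cpanel/bin/noshell (from acetate's post), that both files use the 7-field passwd layout shown above, and uses a constructed passwd snapshot rather than real accounts.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: cPanel's no-login shell lives at
# /usr/local/cpanel/bin/noshell; /etc/passwd and /etc/proftpd/<user> share the
# 7-field layout user:pw:uid:gid:gecos:home:shell. All data below is constructed.
NOSHELL=/usr/local/cpanel/bin/noshell

# lock_account FILE USER SHELL: print FILE with USER's home set to /dev/null and
# its shell set to SHELL (the post uses /dev/null for both in the proftpd file).
# Every other line passes through unchanged, so the output can replace FILE.
lock_account() {
    awk -F: -v OFS=: -v u="$2" -v sh="$3" '
        $1 == u { $6 = "/dev/null"; $7 = sh }
        { print }' "$1"
}

# login_shells FILE: print users in FILE that still have a real login shell.
# A shell ending in nologin/noshell/false, or /dev/null, counts as locked; an
# empty shell field is reported because login falls back to /bin/sh for it.
login_shells() {
    awk -F: '$7 != "/dev/null" && $7 !~ /(nologin|noshell|false)$/ { print $1 }' "$1"
}

# writable_entries PATH: list files and directories under PATH that still carry
# the owner-write bit. After the chmod 444 pass this should print nothing.
# Caveat: directories need the execute bit (555, not 444) to stay traversable
# by the web server and the FTP daemon.
writable_entries() {
    find "$1" -perm -u+w
}

# Demonstration on a constructed snapshot (not a live system).
tmp=$(mktemp -d)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'demo:x:32034:648::/home/demo:/bin/bash' > "$tmp/passwd"
printf 'demo:x:32034:648:demo:/home/demo:/bin/bash\n' > "$tmp/proftpd-demo"
echo "before: $(login_shells "$tmp/passwd" | tr '\n' ' ')"
lock_account "$tmp/passwd" demo "$NOSHELL" > "$tmp/passwd.new"
lock_account "$tmp/proftpd-demo" demo /dev/null > "$tmp/proftpd-demo.new"
echo "after:  $(login_shells "$tmp/passwd.new" | tr '\n' ' ')"
cat "$tmp/proftpd-demo.new"
mkdir -p "$tmp/home/demo"; : > "$tmp/home/demo/crash.cgi"
chmod 444 "$tmp/home/demo/crash.cgi"; chmod 555 "$tmp/home/demo"
echo "still writable: $(writable_entries "$tmp/home/demo" | tr '\n' ' ')"
chmod -R u+w "$tmp" && rm -rf "$tmp"
```

On a real box, run login_shells against /etc/passwd first: any account it lists other than your own admin users is a demo or customer account that still gets a shell, and is the one acetate's chsh line (or lock_account applied to a copy and diffed) should fix.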

Relyc
02-23-2002, 03:58 PM
Originally posted by JBIZ718
I stress the concern to all to lock down demo accounts, make sure they are monitored and keep and I on them

Yes you do need to learn how to spell :D:D

;)

JBIZ718
02-23-2002, 03:59 PM
Thanks for pointing that out to me,


Can you keep the post on track, as it is serious and your sarcasm isn't really needed.

Joe

Relyc
02-23-2002, 04:20 PM
Originally posted by JBIZ718
Thanks for pointing that out to me,


Can you keep the post on track, as it is serious and your sarcasm isn't really needed.

Joe


Sorry :)

On topic: I agree with you completely; for the moment our cPanel demo has been closed while we ensure that it is safe for us to have running.

Studio64
02-23-2002, 05:33 PM
Now I know this isn't exactly a demo...

But it does get a lot of the point across, as well as being extremely secure...

http://www.hostrocket.com/control/index.htm

MCHost-Marc
02-23-2002, 11:29 PM
cd /usr/local/cpanel/base/frontend
cp -a iconic/ demo/
cd demo/
pico index.html

[ now change all the links to <a href=""></a> ]

exit pico and save
remove all the files in the demo/ folder except index.html

that's it :)

FiyerAdmin
02-23-2002, 11:41 PM
What about putting up screenshots of the control panel? That would be a pretty good way. I think I am going to put up screenshots or just link to plesk.com.

Get-Hosted.com
02-24-2002, 12:50 AM
Kiwi.. it uses frames, so that is just the file that assigns what page the frames should use.

We have edited the iconmain.html file in /usr/local/cpanel/base/frontend/demo and taken out all <a href>; if you just take out the URL, it will link to the folder, so it's best to remove the whole <a href="xxxxxxxx">.
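Added example, not code from MCHost-Marc's or Get-Hosted's post: the static-demo build the two posts describe, done by script and then checked. It assumes the theme lives under a ROOT that stands in for /usr/local/cpanel/base/frontend and that the source theme is "iconic"; the demonstration at the bottom runs on a constructed copy, not a live cPanel install. It goes slightly beyond the posts in that it strips anchors from every .html file in the copy, not just index.html or iconmain.html, and removes every non-HTML, non-image file so nothing executable is left under the demo URL.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: ROOT stands in for
# /usr/local/cpanel/base/frontend and the source theme is "iconic". The theme
# tree built at the bottom is constructed for the demonstration.

# strip_anchors: read HTML on stdin, drop every <a ...> opening tag and </a>
# closing tag but keep the link text. Blanking the URL is not enough (Get-Hosted's
# point): href="" resolves to the current directory, so the whole tag goes.
strip_anchors() {
    sed -E 's/<[aA][[:space:]][^>]*>//g; s/<\/[aA]>//g'
}

# make_static_demo ROOT THEME: copy ROOT/THEME to ROOT/demo, strip anchors from
# every .html file in the copy, then delete everything that is not HTML or an
# image, so no script or template can be reached through the demo account.
make_static_demo() {
    root=$1; theme=$2
    cp -a "$root/$theme" "$root/demo"
    find "$root/demo" -type f -name '*.html' | while read -r f; do
        strip_anchors < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
    find "$root/demo" -type f ! -name '*.html' ! -name '*.gif' \
        ! -name '*.jpg' ! -name '*.png' -exec rm -f {} +
}

# remaining_anchors DIR: print files under DIR that still contain an <a ...> tag.
# Empty output means the demo is link-free.
remaining_anchors() {
    find "$1" -type f -exec grep -l '<[aA][[:space:]]' {} + || true
}

# Demonstration on a constructed theme directory (not a real cPanel frontend).
root=$(mktemp -d)
mkdir -p "$root/iconic/images"
printf '%s\n' '<html><body><a href="mail/index.html">Mail</a> <a href="">Files</a>' \
    '<img src="images/mail.gif"></body></html>' > "$root/iconic/index.html"
: > "$root/iconic/images/mail.gif"
: > "$root/iconic/mail.cgi"
make_static_demo "$root" iconic
echo "demo/index.html:"; cat "$root/demo/index.html"
echo "files still carrying links: $(remaining_anchors "$root/demo")"
echo "mail.cgi present in demo: $([ -e "$root/demo/mail.cgi" ] && echo yes || echo no)"
rm -rf "$root"
```

The sed pattern requires whitespace after the "a", so tags such as <abbr> are left alone; run remaining_anchors over the finished demo/ before pointing customers at it, and re-run it after every cPanel upgrade that touches the frontend themes.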