Okay Resellers-

I have been wrestling with this for about a week now, and maybe, just maybe, there is a flaw in my thought process. It seems to me that most resellers, while using SSH to secure the usernames/passwords for logins, are using cleartext authentication for FTP and Email. Even Qmail, which djb is claiming to be the be-all and end-all of email security, authenticates in cleartext by default- as far as I can tell. Am I just being paranoid, or is there really this huge whopping security whole in 90%+ of reseller's servers? Is it important to secure this via SSL? If not, why? What am I missing here?

Jake-beating my head against the wall-29

<<Cross posted, threads merged, post removed>>

if you offer normal pop3 and ftp as a hoster then you don't have to bother to disable telnet.
for my hosting company, I DO offer pop3 and ftp, but I also have sftp (ftp via ssh) available and customers kan use putty or another ssh client to tunnel their pop3 traffic through an encrypted link. that way everything should be secure :)
but i have to admit: i have mostly experienced customers. people that are not so tech-savvy might have difficulties setting up an ssh tunnel and things like that.

here is my big thing with ssh. Keep your box secure from the inside and out and you are OK. The big problem with an admin using telnet is suing to root. The password is sent over clear text. Now using SSH that isn't the case. So thats the big reason. It all comes down to this. If a hacker wants on your system chances are it'll happen, depending on the hackers skills and resources. Trust me its not that hard to get accounts on servers.

The short is answer is: Because you have to.

If you were to force your customers to use SCP tools for file transfer and force secure pop mail connections there is a very good chance you would lose customers, because every other host lets you use standard FTP and POP Mail to connect to their servers -- and your customers know that.


The trick is to secure your server so that if someone is able to get one of your customer's username and password that person can't do any damage to the file system of the server. You should also follow the best practices you described for all administrative accounts...never send password information for anyone who is part of the root wheel over clear text.

Its just one of the many compromises you have to make to run a business :).

You can think of it as a transitional state, so you get your customers to use the secure protocols as they are developed. It is also good for PR .. telling your customers that you don't allow the old security vulnerable telnet service on your servers.

It can be a good security practice if you use different passwords for POP3 and FTP than that of your system user.

qmail is calimed to be very secure as a piece of code, the problem is in the email standards.

uuallan-

Thank you!!! That makes a lot of sense. So without enforcing encrypted authentication, particular customer's sites/email may be compromised, but if their access is controlled on the server, the damage can be limited to a single user.

Ahmad-

That's a good idea- maybe set up a seperate virtual account for email and ftp that isn't related to authenticating against /etc/passwd. I've seen stuff like this that uses ldap etc. That would be another approach to keeping hackers from accessing the account.

T_E_O-

if it comes down to using unencrypted authentication, which compromises particular accounts, then it makes sense to offer the more technically savy customers an authenticated option. That way thier particular accounts can be more secure.

This has been a real eye opener. I should have asked earlier :). Thank you for your input.

Jake

sure one way to do it is use different passwords for all protocols. qmail can put them in a flatfile or db, so can many different ftpservers. The problem with that is your average user will still like to use the same one for all of them. No ones wants 3-4 different passwords to access shell/pop/ftp/etc

zupanm-

"No ones wants 3-4 different passwords to access shell/pop/ftp/etc". Right. On the other hand, no one want's their account compromised either. I could always require different passwords on the sign-up page, to "enforce" a difference. But I hear what your saying. I think uuallan had it right... it's a "give me conveinence, or give me death" sort of thing. :)

Jake

Originally posted by Jake29
uuallan-

Thank you!!! That makes a lot of sense. So without enforcing encrypted authentication, particular customer's sites/email may be compromised, but if their access is controlled on the server, the damage can be limited to a single user.


Exactly. That's part of risk management, you have to put as many security restrictions in place without hurting your business.

One way you can do that is to create a shell (do a search on the board for chroot) for each user, so when they do connect they can't access areas outside of their shell.

Of course, Ahmad is correct, if you offer SCP, Secure POP, etc that is going to be a selling point to those customers who are worried about security. So, it should be something you encourage. Eventually you may be able to switch over to using a fully secure system and not lose any customers in the process.

I think you have a legitimate concern. Telnet is a little easier to crack than most other protocols (especially if another happens to be logged on with shell access) - which is probably why hosting companies force SSH on a customer.

In the same vein, WHM/CPanel definately uses clear-text passwords every time a user logs in over anything except https. Nothing gets encrypted until it hits the server...

I'm an honest believer in SSH. I think it should be promoted as well as hosting companies incorporating SSL FTP. Unfortunately, most don't.

I use a program by VanDyke called SecureFX. This is an FTP 21 to SSH 22 port tunneling capable program and has brought a bit more security to the FTP end of the stick.

The program is faily new and doesn't really have all the functions that I would like to see, but anything that promotes security is fine with me.

I don't see this as being paranoid at all.

You can happily mix qmail and SSL I guess...or doesn't qmail support this feature?

You can also use SCP rather than FTP...

Well, in an ideal world :cool:

If SSH is already implemented, then one can use FTP over SSH :)

For secure FTP sessions I suggest you look at Safe-TP, which is an FTP wrapper, not an scp or SSH FTP wannabe. It lets you use your favorite full-featured FTP client, such as WS_FTP, CuteFTP, once set up is almost completely transparent to the end user, and lets you choose no security, control channel encryption only, contol and data channel encryption, automatically negotiates down to 959 compatibility mode when connecting to a server that does not support FTP, and works really well. :)

I have no affilliation with them, just been using it for about a year on my servers, and I love it.

see http://safetp.cs.berkeley.edu for info.

Originally posted by elsmore1
For secure FTP sessions I suggest you look at Safe-TP, which is an FTP wrapper, not an scp or SSH FTP wannabe. It lets you use your favorite full-featured FTP client, such as WS_FTP, CuteFTP, once set up is almost completely transparent to the end user, and lets you choose no security, control channel encryption only, contol and data channel encryption, automatically negotiates down to 959 compatibility mode when connecting to a server that does not support FTP, and works really well. :)

I have no affilliation with them, just been using it for about a year on my servers, and I love it.

see http://safetp.cs.berkeley.edu for info.


Interesting. Works Linux I would suppose?

Wow- thanks guys. This is one of the last peices of the puzzle.

BTW- I am considering using Teapop as my pop server. This can authenticate against a wide array of methods, including a simple .htpasswd file. This might not be the most efficient data store, but has the advantage of being simple to create and use.

Jake
I really appreciate all the good feedback. May it live in the archive for future hosts: secure email secure email secure email secure email secure ftp secure ftp secure ftp :)

Originally posted by NewMerchant



Interesting. Works Linux I would suppose?


I have it running on Linux.

I use postfix as my mail server and set up virtual user mail boxes that have passwords different to their system pwords. I then run courier imap which allows both imap and pop3 connection to the virtual mail boxes.

I run proftp so that users are chroot jailed into their home directory.