Recently my company has been getting a lot of requests through our helpdesk and
through email inquiries asking if we offer 'shell accounts' or 'can we run backend processes'

So I got to thinking, I seem to have the potential clients for this, I should get another
server and offer it. But what I don't know is what truly are the security risks doing
this. What features and what should the pricing be in the packages I offer..



If someone could give me their 2cents I would appreciate it.

Thanks,
Timothy Sheehan


Sorry if this isn't in the right category.

Security risks? Well...

Some of your clients might rise the anger of so called script-kiddies, who are willed to start a DoS attack against your server.

Having shell access on your server means that you need to secure your box even better than currently because your potential enemies have got access to the console of your box.

Hmm. That are the 2 main risks that come to my mind. What about pricing/features I'd say that you should evaluate the prices and features of your enemies on the market. Do a search on google.com and gain as much knowledge as you need. This question would take quite some time to answer, so I don't.


HTH,
d.

Also i dont think any bandwidth used at the shell can be tracked by any control panel out there yet.

So someone might be able to use your bandwidth without being charged for it.

All our hosting accounts come with an SSH (Secure Shell) account, but the SSH accounts are only activated at the users request. This cuts out the biggest danger which is dormant SSH accounts. We also monitor bandwidth closely. Server logs are better for this than information supplied by control panels. As for back-end processes, we support CGI, PHP version 4.1.1, and Perl version 4.6 and we haven't had any security problems. If you're worried about security, how about moving your servers to a more secure data centre?

Originally posted by HostFox
If you're worried about security, how about moving your servers to a more secure data centre?

It's not all about the data centre. What about an exploit in the Apache software which is not patched immediately and offering intruders the possibilty to gain root on the box - This is one of the standard attacking methods and the data centre has nothing to do with the users box.

Or are we talking about managed hosting? I assume it's all about dedicated server(s) being turned into (a) shell hosting box(es).

Originally posted by Duchz


It's not all about the data centre. What about an exploit in the Apache software which is not patched immediately and offering intruders the possibilty to gain root on the box - This is one of the standard attacking methods and the data centre has nothing to do with the users box.

I'm assuming that anyone running a web hosting company would keep all of their software up to date and be aware of the latest security issues, exploits, patches, etc.

Bandwidth I am not too worried about, I can track that through the logs, and I think Bandmin tracks all traffic per IP per type of traffic.

I wouldn't have to worry about Apache or anything, I am just offering Shell accounts, that’s it, it would be a dedicated server (to clarify, not a Dedicated Server from a hosting provider, a Co-Loed server that I own in the datacenter, if that really makes any difference, but since it was brought up just want to mention it) just for shell, so clients can run their backend processes.... an extra service I would offer, because there is no way in hell I will let just anyone run backend processes on my main servers.

If you have time to watch every little move your people make, latest and most patched operating systems and good clients - sure why not?

Originally posted by whw
Also i dont think any bandwidth used at the shell can be tracked by any control panel out there yet.

So someone might be able to use your bandwidth without being charged for it.

ipfw

I guess basically the point now is, if you were looking for just shell account, what would you want and what would you expect to pay. (I purposely ask what would you expect to pay, because I know what kind of answer I would get if I asked what would you pay)

Originally posted by whw
Also i dont think any bandwidth used at the shell can be tracked by any control panel out there yet.

So someone might be able to use your bandwidth without being charged for it.
Ensim tracks it

Ensim can track bandwidth used at the shell? I guess I learn something new every day :eek:

Most of the clients who request shell and background processes want to run irc bots :)
And you know that irc bots attrack sometimes DDos attacks to channel takeovers/splits etc. So watch out...

(always a good idea is to accept only fax orders and offer SSH, not telnet for shell account providers)

If you are paranoid, asking for a copy of the ID card is a possibility you could use as well.

We've only allowed shell accounts twice, each for 30 minutes only as they requested to do some mysql stuff with it. Actually from then on, we just volunteered to do all the mysql things for our customers free if the file was too large for phpMyAdmin.

We have never had a hacker/malicious script ever, and I believe it is due to our prohibition of shell accounts ;)

*knocking on wood*

We don't allow SSH either. Almost everything the user wants to do can be done via FTP or CPanel. We just explain to them that if we allow SSH, then their scripts (some including passwords) can be read by a user with a little Linux/Unix knowledge. We've lost a few customers because of this, but there haven't been many. It's worh keeping your servers just a little more secure and minimizing attacks and downtimes.

Originally posted by Global-Host2

Ensim tracks it

h-sphere doesn't.