Results 1 to 25 of 29
Thread: Enabling SSH for customers
-
06-10-2011, 01:42 AM #1Newbie
- Join Date
- Dec 2010
- Posts
- 18
Enabling SSH for customers
Hi, I am new to the world of web hosting, well not completely new because I have been paying for hosting for last 5 or 6 years, and now I manage a dedicated server. Which leads me to my question, which is probably a simple one. But, if I allow SSH access to a customer with there own IP address and they SSH in and modify their my.cnf file will they also be editing my my.cnf file as well. Thanks.
-
06-10-2011, 02:22 AM #2Disabled
- Join Date
- Dec 2007
- Posts
- 3,597
I suppose that decision of providing SSH to the client is up to you and you and only you decide if you can provide that for the client or not. As rule such kind access is provided to the trusted clients only and only by their request.
-
06-10-2011, 02:32 AM #3Aspiring Evangelist
- Join Date
- Aug 2005
- Location
- behind my screen
- Posts
- 402
hi,
You can offer jailed shell this is limited to there own account so if they try to access any directory outside of there own account it will deny but ....
what are you doing with root acces if you do not even know that ? i mean a person with root access without the necesarry knowledge is a danger to his own server.Is this some kind of expensive "learning box" ? No offence intended but "root" should know what he/she is doing
-
06-10-2011, 02:36 AM #4Newbie
- Join Date
- Dec 2010
- Posts
- 18
I was looking for more of a yes or no answer, but I assume the answer is yes there is only one my.cnf file on the server. So if a user edits that file it will effect my sites. I am using plesk and have set up a different subscription for customers and resellers, and there will be an option for cPanel. But I wasn't sure if what ever changes they make will have an effect on my settings is all. Thanks.
-
06-10-2011, 02:56 AM #5Newbie
- Join Date
- Dec 2010
- Posts
- 18
hi,
There is an option from Plesk "Can allow access only to a chrooted environment" Is really what led me to this forum. I just searched jailed shell from parallels.com and it led me back there chrooted environment so that's probably the answer I was looking for.
And no offence taken. I am not a novice in shell but I know enough not to kill my server. It has taken months to get the server where it is now which is why I don't want just anybody with access. I mean I usually pay a tech if it's something other than the my.cnf file or Apache. Right now I need to find out more about the chrooted environment which I can probably get from paralells.. So thanks for the reply.
-
06-10-2011, 03:37 AM #6Disabled
- Join Date
- Nov 2010
- Posts
- 2,564
You should setup very strict ssh permission if you're going to offer this service. you might also ask your client to sign in personal information such as passport or driver license in case any potential abuse, this is the typical method used in the industry.
-
06-11-2011, 10:28 AM #7Web Hosting Evangelist
- Join Date
- Oct 2006
- Posts
- 452
I don't recommend enabling SSH access for customers, unless you can trust them and know exactly why they need it.
Fully customized hosting to your specific needs, no general plans found here!
'Read before you click I agree' - J
-
06-11-2011, 11:45 AM #8Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,816
If you're restricting ssh access for security reasons, you have no security and you're doing something wrong.
-
06-11-2011, 11:50 AM #9Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
Agreed! I find it amusing when people say SSH access is a security risk, given that most exploits can still be run through other means. They might as well disable PHP, Perl, Cron Jobs and Python, etc. If your server is up to date, all reasonable security precautions have been taken, there is no harm in enabling SSH access for users.
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
06-12-2011, 07:08 AM #10Web Hosting Master
- Join Date
- Apr 2006
- Posts
- 2,204
-
06-12-2011, 07:14 AM #11Junior Guru Wannabe
- Join Date
- May 2011
- Location
- Tunisia, Sfax
- Posts
- 33
-
06-12-2011, 07:17 AM #12Web Hosting Evangelist
- Join Date
- Jan 2011
- Posts
- 453
Hello,
SSH access is really not recommended for users. One more thing that there is only one my.cnf for a server. I don't thinks its possible to create a custom my.cnf as custom php.ini. Please correct me if I am wrong." Your work is to discover your work and then with all your heart to give yourself to it. "
That's the mark of a true professional !
-
06-12-2011, 07:27 AM #13Junior Guru Wannabe
- Join Date
- May 2011
- Location
- Tunisia, Sfax
- Posts
- 33
Yes me too, I don't think so ... But They can access to other customers and have their Data bases and their private files... also they can access to password of accounts and change it sometimes...
So be careful ...
And I think that a customer who don't have access SSH, he can work normally without any problem ..
-
06-12-2011, 09:22 AM #14Disabled
- Join Date
- Sep 2010
- Posts
- 627
There's no way to have a custom my.cnf without running multiple mysqld's (one for each my.cnf).
-
06-12-2011, 10:50 AM #15Retired Moderator
- Join Date
- Feb 2005
- Location
- Australia
- Posts
- 5,849
Custom per-user my.cnf files do exist, but they're called .my.cnf, they're placed in the user's home directory and they only affect the single user's mysql client, not the server. They're typically used to store login information so it doesn't need to be entered on the command line.
To answer the original question: If the user could edit the main my.cnf file (/etc/my.cnf) then yes, they could affect all sites on the server. But file ownership and permissions should make it impossible for any regular user to change that file, whether you give them SSH access or not. This is very basic information any server administrator ought to know already. I'd suggest you get expert help to harden and manage your server before offering shared hosting, with or without SSH.Chris
"Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
-
06-12-2011, 10:55 AM #16Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,816
-
06-12-2011, 10:56 AM #17Web Hosting Evangelist
- Join Date
- Jan 2011
- Posts
- 453
Hello Foobic,
I am aware of .my.cnf. But is it really possible to adjust mysql variables in it?" Your work is to discover your work and then with all your heart to give yourself to it. "
That's the mark of a true professional !
-
06-12-2011, 12:29 PM #18Newbie
- Join Date
- Apr 2011
- Location
- Europe, Germany, Hannover
- Posts
- 9
Why do you want to give your customers ssh access? ssh access can pose a security hole for your system
-
06-12-2011, 12:32 PM #19Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,816
-
06-12-2011, 12:34 PM #20Aspiring Evangelist
- Join Date
- Apr 2010
- Posts
- 421
imho, cpanel used jailled ssh as default setting for any ssh's clients.
please cmiiw always
-
06-12-2011, 12:35 PM #21Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
*bangs head against the wall* That's not true!
While using SSH can make it EASIER for someone to compromise a server, there must be an underlying security flaw already present for an exploit to occur. Let's say hypothetically that you are running an older Linux kernel that is vulnerable to a local root level exploit. Disabling SSH access isn't going to prevent someone from compromising you, it's only going to add one or two additional steps to the process. The attacker could upload a PHP shell, a Perl shell, or hell even craft an exploit to be executed via a cron job to get things done.
If you have a properly secured server, there is no reason at all that SSH should be considered a security risk... please stop spreading misinformation.RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
06-12-2011, 12:42 PM #22Newbie
- Join Date
- Apr 2011
- Location
- Europe, Germany, Hannover
- Posts
- 9
-
06-16-2011, 07:30 AM #23Web Hosting Master
- Join Date
- May 2008
- Location
- Germany
- Posts
- 680
For experienced customers, SSH access can be great to get things done quickly. It's certainly something some customers expect. I wouldn't enable it for all customers by default, however, I'd limit SSH access to those customers who specifically ask for it. And as others have pointed out, it's crucial to secure the server in general (that should be done anyway) and for SSH in particular.
█ CoderJosh | Web Application Developer and Linux Server Admin
█ Web & Mobile App Coding | Troubleshooting | Tuning | Hardening | SysAdmin Services
█ https://www.coderjosh.com/
-
07-22-2013, 05:48 AM #24New Member
- Join Date
- Jul 2013
- Posts
- 1
Beware of SSH for FTP users
Couldn't walk past this thread without sharing a little former experience with Plesk..
Yes, SSH can be very useful for non-root users, but..
• Most of the time they won't need it
• Over the years, Plesk has shipped with various vulnerabilities in FTP - meaning FTP credentials get sucked up. If SSH is enabled, then your FTP credentials give hackers shell access.
• When hackers have shell access, even jailed, they can then run processes that bypass email authentication, IP restrictions and such like, making great spam servers.
• Over the years, jailed shell has not proven entirely secure. Decent hackers will get out of the jailed environment. (Always employ firewall restrictions as a backup.)
-
07-22-2013, 11:43 AM #25Newbie
- Join Date
- Jul 2013
- Posts
- 7
Similar Threads
-
VPS Customers - SSH Keys
By UWebSmart in forum Running a Web Hosting BusinessReplies: 3Last Post: 01-20-2011, 07:07 AM -
disabling SSH root access but enabling SSH keys how to do that?
By sharmaine1111 in forum Hosting Security and TechnologyReplies: 7Last Post: 04-03-2009, 11:26 PM -
Asking for photographic ID for enabling SSH
By saj in forum Web HostingReplies: 9Last Post: 11-07-2005, 03:22 PM -
Allowing customers SSH access or not?
By outofspace in forum Web HostingReplies: 67Last Post: 08-31-2003, 11:39 PM -
Allowing customers SSH access or not POLL
By outofspace in forum Web HostingReplies: 0Last Post: 08-30-2003, 05:14 AM