Page 1 of 2 12 LastLast
Results 1 to 25 of 29
  1. #1

    Enabling SSH for customers

    Hi, I am new to the world of web hosting, well not completely new because I have been paying for hosting for last 5 or 6 years, and now I manage a dedicated server. Which leads me to my question, which is probably a simple one. But, if I allow SSH access to a customer with there own IP address and they SSH in and modify their my.cnf file will they also be editing my my.cnf file as well. Thanks.

  2. #2
    I suppose that decision of providing SSH to the client is up to you and you and only you decide if you can provide that for the client or not. As rule such kind access is provided to the trusted clients only and only by their request.

  3. #3
    Join Date
    Aug 2005
    Location
    behind my screen
    Posts
    402
    hi,

    You can offer jailed shell this is limited to there own account so if they try to access any directory outside of there own account it will deny but ....

    what are you doing with root acces if you do not even know that ? i mean a person with root access without the necesarry knowledge is a danger to his own server.Is this some kind of expensive "learning box" ? No offence intended but "root" should know what he/she is doing

  4. #4
    I was looking for more of a yes or no answer, but I assume the answer is yes there is only one my.cnf file on the server. So if a user edits that file it will effect my sites. I am using plesk and have set up a different subscription for customers and resellers, and there will be an option for cPanel. But I wasn't sure if what ever changes they make will have an effect on my settings is all. Thanks.

  5. #5
    Quote Originally Posted by cpanellover View Post
    hi,

    You can offer jailed shell this is limited to there own account so if they try to access any directory outside of there own account it will deny but ....

    what are you doing with root acces if you do not even know that ? i mean a person with root access without the necesarry knowledge is a danger to his own server.Is this some kind of expensive "learning box" ? No offence intended but "root" should know what he/she is doing
    hi,

    There is an option from Plesk "Can allow access only to a chrooted environment" Is really what led me to this forum. I just searched jailed shell from parallels.com and it led me back there chrooted environment so that's probably the answer I was looking for.

    And no offence taken. I am not a novice in shell but I know enough not to kill my server. It has taken months to get the server where it is now which is why I don't want just anybody with access. I mean I usually pay a tech if it's something other than the my.cnf file or Apache. Right now I need to find out more about the chrooted environment which I can probably get from paralells.. So thanks for the reply.

  6. #6
    You should setup very strict ssh permission if you're going to offer this service. you might also ask your client to sign in personal information such as passport or driver license in case any potential abuse, this is the typical method used in the industry.

  7. #7
    Join Date
    Oct 2006
    Posts
    452
    I don't recommend enabling SSH access for customers, unless you can trust them and know exactly why they need it.
    Fully customized hosting to your specific needs, no general plans found here!
    'Read before you click I agree' - J

  8. #8
    Join Date
    Mar 2009
    Posts
    3,816
    If you're restricting ssh access for security reasons, you have no security and you're doing something wrong.

  9. #9
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by quantumphysics View Post
    If you're restricting ssh access for security reasons, you have no security and you're doing something wrong.
    Agreed! I find it amusing when people say SSH access is a security risk, given that most exploits can still be run through other means. They might as well disable PHP, Perl, Cron Jobs and Python, etc. If your server is up to date, all reasonable security precautions have been taken, there is no harm in enabling SSH access for users.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  10. #10
    Quote Originally Posted by Patrick View Post
    Agreed! I find it amusing when people say SSH access is a security risk, given that most exploits can still be run through other means. They might as well disable PHP, Perl, Cron Jobs and Python, etc. If your server is up to date, all reasonable security precautions have been taken, there is no harm in enabling SSH access for users.
    As someone wrote earlier, I think in one of the other threads you posted in, Patrick; I wish there was a "like" button on WHT!

  11. #11
    Join Date
    May 2011
    Location
    Tunisia, Sfax
    Posts
    33
    Quote Originally Posted by Henrik View Post
    As someone wrote earlier, I think in one of the other threads you posted in, Patrick; I wish there was a "like" button on WHT!
    Maybe That's soon ... But writing is the best than like without active participation ....

  12. #12
    Join Date
    Jan 2011
    Posts
    453
    Hello,

    SSH access is really not recommended for users. One more thing that there is only one my.cnf for a server. I don't thinks its possible to create a custom my.cnf as custom php.ini. Please correct me if I am wrong.
    " Your work is to discover your work and then with all your heart to give yourself to it. "

    That's the mark of a true professional !

  13. #13
    Join Date
    May 2011
    Location
    Tunisia, Sfax
    Posts
    33
    Quote Originally Posted by cptechie View Post
    Hello,

    SSH access is really not recommended for users. One more thing that there is only one my.cnf for a server. I don't thinks its possible to create a custom my.cnf as custom php.ini. Please correct me if I am wrong.
    Yes me too, I don't think so ... But They can access to other customers and have their Data bases and their private files... also they can access to password of accounts and change it sometimes...
    So be careful ...
    And I think that a customer who don't have access SSH, he can work normally without any problem ..

  14. #14
    There's no way to have a custom my.cnf without running multiple mysqld's (one for each my.cnf).

  15. #15
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,849
    Custom per-user my.cnf files do exist, but they're called .my.cnf, they're placed in the user's home directory and they only affect the single user's mysql client, not the server. They're typically used to store login information so it doesn't need to be entered on the command line.

    To answer the original question: If the user could edit the main my.cnf file (/etc/my.cnf) then yes, they could affect all sites on the server. But file ownership and permissions should make it impossible for any regular user to change that file, whether you give them SSH access or not. This is very basic information any server administrator ought to know already. I'd suggest you get expert help to harden and manage your server before offering shared hosting, with or without SSH.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  16. #16
    Join Date
    Mar 2009
    Posts
    3,816
    Quote Originally Posted by Host Tounsi View Post
    Yes me too, I don't think so ... But They can access to other customers and have their Data bases and their private files... also they can access to password of accounts and change it sometimes...
    So be careful ...
    And I think that a customer who don't have access SSH, he can work normally without any problem ..
    what..

    no, are you kidding?

  17. #17
    Join Date
    Jan 2011
    Posts
    453
    Hello Foobic,

    I am aware of .my.cnf. But is it really possible to adjust mysql variables in it?
    " Your work is to discover your work and then with all your heart to give yourself to it. "

    That's the mark of a true professional !

  18. #18
    Join Date
    Apr 2011
    Location
    Europe, Germany, Hannover
    Posts
    9
    Why do you want to give your customers ssh access? ssh access can pose a security hole for your system

  19. #19
    Join Date
    Mar 2009
    Posts
    3,816
    Quote Originally Posted by 1Deluxe View Post
    Why do you want to give your customers ssh access? ssh access can pose a security hole for your system
    again, if ssh access is a security hole, get the hell out of this business

  20. #20
    Join Date
    Apr 2010
    Posts
    421
    imho, cpanel used jailled ssh as default setting for any ssh's clients.
    please cmiiw always

  21. #21
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by 1Deluxe View Post
    Why do you want to give your customers ssh access? ssh access can pose a security hole for your system
    *bangs head against the wall* That's not true!

    While using SSH can make it EASIER for someone to compromise a server, there must be an underlying security flaw already present for an exploit to occur. Let's say hypothetically that you are running an older Linux kernel that is vulnerable to a local root level exploit. Disabling SSH access isn't going to prevent someone from compromising you, it's only going to add one or two additional steps to the process. The attacker could upload a PHP shell, a Perl shell, or hell even craft an exploit to be executed via a cron job to get things done.

    If you have a properly secured server, there is no reason at all that SSH should be considered a security risk... please stop spreading misinformation.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  22. #22
    Join Date
    Apr 2011
    Location
    Europe, Germany, Hannover
    Posts
    9
    Quote Originally Posted by Patrick View Post
    If you have a properly secured server, there is no reason at all that SSH should be considered a security risk... please stop spreading misinformation.
    yes if it's a secured server it should not be a security risk..

  23. #23
    Join Date
    May 2008
    Location
    Germany
    Posts
    680
    For experienced customers, SSH access can be great to get things done quickly. It's certainly something some customers expect. I wouldn't enable it for all customers by default, however, I'd limit SSH access to those customers who specifically ask for it. And as others have pointed out, it's crucial to secure the server in general (that should be done anyway) and for SSH in particular.
    CoderJosh | Web Application Developer and Linux Server Admin
    █ Web & Mobile App Coding | Troubleshooting | Tuning | Hardening | SysAdmin Services
    https://www.coderjosh.com/

  24. #24

    * Beware of SSH for FTP users

    Couldn't walk past this thread without sharing a little former experience with Plesk..

    Yes, SSH can be very useful for non-root users, but..

    • Most of the time they won't need it
    • Over the years, Plesk has shipped with various vulnerabilities in FTP - meaning FTP credentials get sucked up. If SSH is enabled, then your FTP credentials give hackers shell access.
    • When hackers have shell access, even jailed, they can then run processes that bypass email authentication, IP restrictions and such like, making great spam servers.
    • Over the years, jailed shell has not proven entirely secure. Decent hackers will get out of the jailed environment. (Always employ firewall restrictions as a backup.)

  25. #25
    Quote Originally Posted by designgroop View Post
    Couldn't walk past this thread without sharing a little former experience with Plesk..

    Yes, SSH can be very useful for non-root users, but..

    • Most of the time they won't need it
    • Over the years, Plesk has shipped with various vulnerabilities in FTP - meaning FTP credentials get sucked up. If SSH is enabled, then your FTP credentials give hackers shell access.
    • When hackers have shell access, even jailed, they can then run processes that bypass email authentication, IP restrictions and such like, making great spam servers.
    • Over the years, jailed shell has not proven entirely secure. Decent hackers will get out of the jailed environment. (Always employ firewall restrictions as a backup.)

    Exactly. SSH might not pose a security hole, per say, but rather a legal hole where you can be blamed for spam. Give someone SSH access, jailed or not, they certainly could write a simple bash or C++ script to spam. Easy.

Page 1 of 2 12 LastLast

Similar Threads

  1. VPS Customers - SSH Keys
    By UWebSmart in forum Running a Web Hosting Business
    Replies: 3
    Last Post: 01-20-2011, 07:07 AM
  2. disabling SSH root access but enabling SSH keys how to do that?
    By sharmaine1111 in forum Hosting Security and Technology
    Replies: 7
    Last Post: 04-03-2009, 11:26 PM
  3. Asking for photographic ID for enabling SSH
    By saj in forum Web Hosting
    Replies: 9
    Last Post: 11-07-2005, 03:22 PM
  4. Allowing customers SSH access or not?
    By outofspace in forum Web Hosting
    Replies: 67
    Last Post: 08-31-2003, 11:39 PM
  5. Allowing customers SSH access or not POLL
    By outofspace in forum Web Hosting
    Replies: 0
    Last Post: 08-30-2003, 05:14 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •