Thread: Shell Types Do YOU Offer?
-
03-03-2004, 05:36 PM #1
Shell Types Do YOU Offer?
I was just wondering: if you offer shell access to your servers, what kind of system shells are allowed? Is there one that could allow users/clients features without having to worry about other users misusing the shell feature? For types I can offer:
/bin/sh
/bin/bash
/sbin/nologin
/bin/bash2
/bin/ash
/bin/tcsh
/bin/csh
/bin/rbash
thanks for the input
gilbert
Computer Steroids - Full service website development solutions since 2001.
(612)234-2768 - Locally owned and operated in the Minneapolis, Minnesota area.
-
03-03-2004, 05:54 PM #2
bash and tcsh I would say. Maybe ksh as well. However unless a customer really wants it I wouldn't give shell access
Rus
Russ Foster - Industry Curmudgeon
Freelance Sysadmin for Hire - email vaserv@gmail.com
-
03-03-2004, 05:58 PM #3
thanks for the input
-
03-03-2004, 06:04 PM #4
If you're going to allow users to have shell access, make sure their actions are heavily controlled.
- Limit compiler access.
- Disable outgoing telnet / ssh.
- Have your firewall block everything outgoing that could be used as a DoS attack.
- Log the user's actions, and tell them that you are logging their sessions.
- Secure the server so that unused packages and suid binaries are removed.
- Limit what the user can see: Only allow them to view their processes in ps, disable them from viewing who's logged in or who has logged in lately.
These are just a few...
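One way to audit a few items from the checklist above (login shells, set-uid binaries, compiler permissions), as an added example that is not part of the original thread. The passwd sample is constructed, and the function names and the uid threshold of 1000 for customer accounts are assumptions.

```shell
#!/bin/sh
# Added example: audit helpers for a shared host that offers shell access.

# Constructed sample in passwd format (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/sbin/nologin
carol:x:1003:1003::/home/carol:/bin/rbash
dave:x:1004:1004::/home/dave:/bin/tcsh'

# Read passwd data on stdin; for accounts with uid >= $1 (assumed
# customer range) print "user shell kind": none, restricted or full.
classify_logins() {
    awk -F: -v min="${1:-1000}" '
        $3 + 0 < min + 0 { next }
        {
            kind = "full"
            if ($7 == "/sbin/nologin" || $7 == "/bin/false") kind = "none"
            else if ($7 ~ /\/rbash$/) kind = "restricted"
            print $1, $7, kind
        }'
}

# List set-uid and set-gid regular files under $1 (same filesystem only).
suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print those of the given paths (e.g. compilers) that any user may execute.
world_executable() {
    for f in "$@"; do
        find -L "$f" -prune -type f -perm -0001 2>/dev/null
    done
}

# Demo on the constructed sample; on a real host use for example:
#   classify_logins 1000 < /etc/passwd
#   suid_files /usr
#   world_executable /usr/bin/gcc /usr/bin/cc
printf '%s\n' "$SAMPLE_PASSWD" | classify_logins 1000
```

Accounts reported as `full` are the ones to review first; anything `world_executable` prints for a compiler path means every shell user can run it.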
-
03-03-2004, 06:45 PM #5
Most of my users have /sbin/nologin
regards,
M.
Powered by AMD & FreeBSD.
"Documentation is like sex:
when it is good, it is very, very good;
and when it is bad, it is better than nothing."
-
03-04-2004, 12:46 AM #6
Jailshells are good too. A fully chrooted environment is very good for security.
H4Y Technologies LLC .. Since 2001!!
"Smarter, Cheaper, Faster" - SMB, Reseller, VPS, Dedicated, Colo hosting done right.
ZERO PACKETLOSS, ZERO DOWNTIME Dedicated and Colo - USA: IA, CA, NC, OR, NV
http://h4y.us http://iwfhosting.net Voice: (866)435-5642. *** askus at host4yourself d0t com
-
03-04-2004, 12:54 AM #7
None at all in my opinion. It's not worth the potential risk. The number of customers who refuse to come onboard because you don't offer shell access is minor compared to the number of customers you'll lose if some malicious person takes down the server.
| Priority support (Since July 2001) | 99.9%+ uptime (Alertra stats available) |
| Dual Xeon servers at local data center | Premium PEER1 bandwidth |
| Visit us today | www.webulex.com |
-
03-04-2004, 01:07 AM #8
I bet that most hosts who don't offer it are afraid their users know more than they do. It shouldn't be a concern if you secure your system properly and run a secure kernel.
After all, you are going to have kiddies getting user "nobody" access to a shell all the time if you allow your customers to install their own CGI or PHP scripts. We have way more hack attempts by people using a shell through a PHP script exploit than we do allowing our own users secure shell access. If you don't allow shell access, chances are there is still nothing major preventing any user from obtaining shell access anyway. There are so many ways to send commands to a shell when granted regular user access to services such as Apache w/ CGI or PHP, MySQL, etc.
But we also use fraud prevention techniques to ensure our users are who they say they are before they are granted any access.
Don't think that because you don't offer shell access, you are any safer. It takes some knowledge of security to properly offer shell access, but removing shell access while not having that knowledge doesn't make you much safer.
I'm not saying anyone here is not knowledgeable.. I just thought it would be a good time to rant about why most hosts don't offer shell access and how it adds barely any or no extra protection in most circumstances.
-
03-04-2004, 01:13 AM #9
Well, if you want to put it that way, NOTHING will make you secure. Even software + hardware firewall on top of triple, quadruple layers of security, none can stop a professional from breaking in.
The idea here is to slow them down, and not granting shell access is one of those ways to slow them down.
You can have all the fraud prevention you want, what can you do if some client loses or gives away his/her password to a malicious person? All the fraud prevention won't make any difference!
-
03-04-2004, 05:21 AM #10
I bet that most hosts who don't offer it are afraid their users know more than they do. It shouldn't be a concern if you secure your system properly and run a secure kernel.
Well, if you want to put it that way, NOTHING will make you secure. Even software + hardware firewall on top of triple, quadruple layers of security, none can stop a professional from breaking in.
-
03-04-2004, 09:28 AM #11
Then maybe you could explain to me why the majority (if not all) of larger hosts do not offer it? I don't think it's because they are afraid of anything!
-
03-04-2004, 09:30 AM #12
Originally posted by wb-Edgar
Then maybe you could explain to me why the majority (if not all) of larger hosts do not offer it? I don't think it's because they are afraid of anything!
-
03-04-2004, 09:34 AM #13
Which larger hosts do not offer SSH access?
-
03-04-2004, 09:49 AM #14
Valeweb as an example. No shell access on shared accounts