  1. #1
    Join Date
    Jun 2003
    Location
    United States of America
    Posts
    1,847

    * Shell Types Do YOU Offer?

    I was just wondering, if you offer shell access to your servers, what kind of system shells are allowed. Is there one that could allow users/clients features without having to worry about other users misusing the shell feature? For types I can offer:
    /bin/sh
    /bin/bash
    /sbin/nologin
    /bin/bash2
    /bin/ash
    /bin/tcsh
    /bin/csh
    /bin/rbash

    thanks for the input
    gilbert
    Computer Steroids - Full service website development solutions since 2001.
    (612)234-2768 - Locally owned and operated in the Minneapolis, Minnesota area.

  2. #2
    Join Date
    Jun 2003
    Location
    UK
    Posts
    6,616
    bash and tcsh I would say. Maybe ksh as well. However, unless a customer really wants it, I wouldn't give shell access.

    Rus
    Russ Foster - Industry Curmudgeon
    Freelance Sysadmin for Hire - email vaserv@gmail.com

  3. #3
    Join Date
    Jun 2003
    Location
    United States of America
    Posts
    1,847
    thanks for the input

  4. #4
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    If you're going to allow users to have shell access, make sure their actions are heavily controlled.

    - Limit compiler access.

    - Disable outgoing telnet / ssh.

    - Have your firewall block everything outgoing that could be used as a DoS attack.

    - Log the users' actions, and tell them that you are logging their sessions.

    - Secure the server so that unused packages and suid binaries are removed.

    - Limit what the user can see: Only allow them to view their processes in ps, disable them from viewing who's logged in or who has logged in lately.

    These are just a few...

  5. #5
    Most of my users have /sbin/nologin

    regards,
    M.
    Powered by AMD & FreeBSD.
    "Documentation is like sex:
    when it is good, it is very, very good;
    and when it is bad, it is better than nothing."
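
    Added example (not part of any post in this thread): one way to check which customer accounts actually hold an interactive shell rather than /sbin/nologin, using the shell types listed in the first post. The function names, the UID cutoff of 500 and the sample accounts are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: classify login shells from passwd-format input.

# Map a shell path to none / restricted / full.
classify_shell() {
    case "$1" in
        */nologin|*/false) echo none ;;        # no interactive login
        */rbash|*/rksh)    echo restricted ;;  # only as tight as the PATH it is given
        *)                 echo full ;;        # includes the empty field (defaults to /bin/sh)
    esac
}

# Read passwd-format lines on stdin; $1 = lowest UID to report (assumed 500).
audit_shells() {
    min_uid=${1:-500}
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$user" in ''|\#*) continue ;; esac              # skip blanks and comments
        [ "$uid" -ge "$min_uid" ] 2>/dev/null || continue     # skip system and malformed entries
        printf '%s %s %s\n' "$user" "$(classify_shell "$shell")" "${shell:-/bin/sh}"
    done
}

# Constructed sample accounts (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/sbin/nologin
carol:x:503:503::/home/carol:/bin/rbash
dave:x:504:504::/home/dave:
EOF
}

sample_passwd | audit_shells 500
# On a live host: audit_shells 500 < /etc/passwd
```

    The account with an empty shell field is reported as full because login falls back to /bin/sh for it, which is easy to miss when scanning the file by eye.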

  6. #6
    Join Date
    Feb 2002
    Location
    Vestal, NY
    Posts
    1,381
    Jailshells are good too. A fully chrooted environment is very good for security.
    H4Y Technologies LLC .. Since 2001!!
    "Smarter, Cheaper, Faster" - SMB, Reseller, VPS, Dedicated, Colo hosting done right.

    ZERO PACKETLOSS, ZERO DOWNTIME Dedicated and Colo - USA: IA, CA, NC, OR, NV
    **http://h4y.us** **http://iwfhosting.net**
    Voice: (866)435-5642. *** askus at host4yourself d0t com

  7. #7
    Join Date
    Mar 2004
    Location
    [BC]
    Posts
    161
    None at all in my opinion. It's not worth the potential risk. The number of customers who refuse to come onboard because you don't offer shell access is minor compared to the number of customers you'll lose if some malicious person takes down the server.
    | Priority support (Since July 2001) | 99.9%+ uptime (Alertra stats available) |
    | Dual Xeon servers at local data center | Premium PEER1 bandwidth |
    | Visit us today | www.webulex.com |

  8. #8
    Join Date
    Feb 2002
    Location
    Vestal, NY
    Posts
    1,381
    I bet that most hosts who don't offer it are afraid their users know more than they do. It shouldn't be a concern if you secure your system properly and run a secure kernel.
    After all, you are going to have kiddies getting user "nobody" access to a shell all the time if you allow your customers to install their own CGI or PHP scripts. We have way more hack attempts by people using a shell through a PHP script exploit than we do allowing our own users secure shell access. If you don't allow shell access, chances are there is still nothing major preventing any user from obtaining shell access anyway. There are so many ways to send commands to a shell when granted regular user access to services such as Apache w/ CGI or PHP, MySQL, etc.
    But we also use fraud prevention techniques to ensure our users are who they say they are before they are granted any access.
    Don't think that because you don't offer shell access, you are any safer. It takes some knowledge of security to properly offer shell access, but removing shell access while not having that knowledge doesn't make you much safer.
    I'm not saying anyone here is not knowledgeable.. I just thought it would be a good time to rant about why most hosts don't offer shell access and how it adds barely any or no extra protection in most circumstances.

  9. #9
    Join Date
    Mar 2004
    Location
    [BC]
    Posts
    161
    Well, if you want to put it that way, NOTHING will make you secure. Even software + hardware firewall on top of triple, quadruple layers of security, none can stop a professional from breaking in.

    The idea here is to slow them down, and not granting shell access is one of those ways to slow them down.

    You can have all the fraud prevention you want, what can you do if some client loses or gives away his/her password to a malicious person? All the fraud prevention won't make any difference!

  10. #10
    Join Date
    Apr 2002
    Location
    Southampton, UK
    Posts
    1,025
    Quote: "I bet that most hosts who don't offer it are afraid their users know more than they do. It shouldn't be a concern if you secure your system properly and run a secure kernel."
    Exactly. Shell access in itself is NOT a risk whatsoever as long as you are a competent system administrator and know how to upgrade the kernel / patch it, and also upgrade individual packages such as OpenSSH.

    Quote: "Well, if you want to put it that way, NOTHING will make you secure. Even software + hardware firewall on top of triple, quadruple layers of security, none can stop a professional from breaking in."
    You're missing the point, the fact is that as long as the machine has been properly set up and configured, SSH is not a risk whatsoever, no matter who gets their hands on it. The only risk is the client's files, and then that's their concern if they use a weak password.
    Regards,
    Stephen Marsh

    UrbanServers.com - Premium UK SSD Virtual Servers

  11. #11
    Join Date
    Mar 2004
    Location
    [BC]
    Posts
    161
    Then maybe you could explain to me why the majority (if not all) of larger hosts do not offer it? I don't think it's because they are afraid of anything!

  12. #12
    Join Date
    Apr 2002
    Location
    Southampton, UK
    Posts
    1,025
    Originally posted by wb-Edgar
    Then maybe you could explain to me why the majority (if not all) of larger hosts do not offer it? I don't think it's because they are afraid of anything!
    That's their choice. All I am saying is that, with the proper configuration, shell access is not a risk.
    Regards,
    Stephen Marsh

  13. #13
    Join Date
    Feb 2002
    Location
    Vestal, NY
    Posts
    1,381
    Which larger hosts do not offer SSH access?

  14. #14
    Join Date
    Mar 2004
    Location
    [BC]
    Posts
    161
    Valeweb as an example. No shell access on shared accounts.
