Results 1 to 21 of 21

Thread: SSH Access

  1. #1
    Join Date
    Jan 2004
    Location
    Orlando, FL
    Posts
    192

    Question SSH Access

    I am thinking of offering SSH access to some customers, but am worried about the security problems that may arise if customer's have local access to the server.

    If a cpanel server is kept up to date, how hard is it to root it locally? Is there a site on security that discusses this and shows what exploits are available so that I can make sure I am secure before offering SSH access?


    Thanks,


    Joel

  2. #2
    Join Date
    May 2003
    Location
    Ottawa
    Posts
    2,478
    SSH is a must for many people. Most of my own sites and scripts require permission changes to directories and files. By not offering it, you could be warding off a lot of potential clients.
    Webmaster Forum webmastertalk.net Webmaster Community Forum
    Website Tools domainfocus.com Webmaster Tools | IP Lookup | Domain Whois | PageRank Checker | HTTP Header Info | Link Analysis | Favicon Generator

  3. #3
    Join Date
    Jan 2004
    Location
    Orlando, FL
    Posts
    192
    I agree, but is it a security risk?

  4. #4
    Join Date
    Oct 2003
    Location
    Manchester, UK
    Posts
    108
    Permission changes can easily be done via ftp, so thats not really the matter here.

    I would say if your going to offer shell access, make sure you offer jailshell and take as many security procedures as possible, i.e a kernel recompile with grsecurity etc etc

  5. #5
    harden your kernel, jailshell, disable compilers, keep your boxes up2date, and have a good monitor script.... your box will be fine
    P4HOST.COM -- Specialize in quality Web Hosting solutions.
    Affordable -- Prices are very comparative
    Reliable -- Very low load average guaranteed. 60 day money back. Fast Support --Support Forum -- Providing hosting since 2003

  6. #6
    Join Date
    Jun 2003
    Location
    Oklahoma City, OK
    Posts
    2,112
    Today there are not a lot of reasons to give shell access. Permission and such changes can be made via ftp or a simple request to your web host. I would say if you are going to offer them keep security tight. Also I would recommend getting a copy of there ID and signature incase anything does happen.

  7. #7
    Greetings:

    There is a difference between must have and nice to have for certain things in life ;-)

    You can use (S)FTP to change permissins ;-)

    You can write CGI shell scripts to compile, etc.

    From our perspective, SSH jails can be broken out of easily; and it requires special training to validate documentation of who a person is in terms of feeling safe to grant SSH.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  8. #8
    Join Date
    Aug 2002
    Location
    Kelowna B.C.
    Posts
    1,687
    I say to all my clients, if anyone requires SSH access they can tell us what they need done, and we'll gladly do it for them.

    Generally, unless trying to debug some scripts, they will not need SSH access for less than a minute. So we don't offer it - it's one less security risk to worry about, and when things go wrong, you don't have the "x" factor of what the client may have done because you're the only one with access.

    You also have no control over whom the client gives the password out to.
    Hosting.Express | Affordable Web and Email Hosting
    Shared | Reseller | 24/7 Support | NSA Free
    SPECIAL OFFER - domain name, email and cPanel web hosting = $3.73 per month | Contact Us: 1-800-861-1888

  9. #9
    My view on the matter is that for the most part, if you are offering CGI/PHP, anything nasty they could do with the shell they could do with a script anyway. So why not?
    OmegaSphere - http://www.omegasphere.net/
    Vancouver co-location, Managed Services, Shared Hosting, SSL Certificates, Domain Names
    Your IT Experts - Located in beautiful Vancouver, BC, Canada
    604-618-0543 - 866-618-0543 - [email protected]

  10. #10
    Greetings:

    With shell, you have privacy issues.

    With CGI/PHP, I can use mod_security from http://www.modsecurity.org/ to keep most users at bay.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  11. #11
    How does that affect people writing script to perform functions they could otherwise perform at the shell?
    OmegaSphere - http://www.omegasphere.net/
    Vancouver co-location, Managed Services, Shared Hosting, SSL Certificates, Domain Names
    Your IT Experts - Located in beautiful Vancouver, BC, Canada
    604-618-0543 - 866-618-0543 - [email protected]

  12. #12
    Join Date
    Mar 2002
    Location
    Philadelphia, PA
    Posts
    2,508
    We do not offer SSH access standard, if a customer shows that they absolutely need it's a $2 monthly charge for jailed SSH access, and required signed agreement before using.
    Linux junkie | steward.io

  13. #13
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    SSH access on a web server is an incredibly risky proposition in my own opinion. Best of luck to those who put that much faith on their hardened kernels and jailshells

  14. #14
    I am just hoping someone can explain to me how it is any different than letting people run programs of their choosing. I might agree if people were auditing any CGI with excruciating care before letting it be on the server, but that stopped being industry standard many years ago and I can't really see customers going for that.
    OmegaSphere - http://www.omegasphere.net/
    Vancouver co-location, Managed Services, Shared Hosting, SSL Certificates, Domain Names
    Your IT Experts - Located in beautiful Vancouver, BC, Canada
    604-618-0543 - 866-618-0543 - [email protected]

  15. #15
    Greetings:

    "I am just hoping someone can explain to me how it is any different than letting people run programs of their choosing. "

    1. Run mod_security.org with the right settings, and that will limit what can be done in CGI, PHP, etc. in terms of security and privacy.

    2. Remove direct access to compilers et all along with fetch like programs as well. That adds to security.

    3. Keep a tight lid on /tmp, /var/tmp, and /usr/tmp in what can run (yes, there is a way around the nonexec, nosuid; but most common hackers don't know it -- plus you use other measures just inc ase they do).

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  16. #16
    Join Date
    Apr 2003
    Location
    Los Angeles, CA
    Posts
    244
    I personally will never allow SSH access again. We had numerous attempts to break into our systems, even with latest kernels and everything up2date. In my experience, I have found it is quite easy for someone to break in within shell and sometimes even PHP. Even with safe mode on in php, I have seen ways around it.

    We ended up upsetting some of our clients about 6 months ago when disabled shell all together. But, all I can say is that it is the best thing to happen to us. After disabling shell altogether, we haven't had any security problems.

    Make sure to install APF or some firewall program. Allow only certain ports, and change your SSH port. And if your thinking about telnet, don't. All I can say is, I sleep much better now knowing that its more secure than before.

    The only disadvantage is that you always state your SSH port if you ever have a trouble ticket with your DC.
    There is always a hack or an exploit out there.

    Regards,
    Sam

  17. #17
    From my experience, a secure setup for offering ssh access would be:

    - chroot setup (per user skel)
    - patched openssh
    - patched kernel

    Things like chroot hardening, tpe and/or rbac acl's are the way to go.

    It's doable, but not at all trivial for junior...

  18. #18
    Join Date
    Jan 2004
    Location
    Quebec
    Posts
    164
    Originally posted by dynamicnet

    1. Run mod_security.org with the right settings, and that will limit what can be done in CGI, PHP, etc. in terms of security and privacy.

    Like jailshell do..

    But nothing is unbreakable.

  19. #19
    Greetings:

    That is why you run security in as many layers as you are comfortable to manage each and every day throughout the day.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  20. #20
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    Its really not worth the security risk though

  21. #21
    Join Date
    Jan 2002
    Location
    UK
    Posts
    1,541
    we only offer jailshell to customers and then we only do it for customers who specifically ask and who we trust.... plus dont forget to keep an eye on what they get up to

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •