when offering SSH access to customers

lkbryant (Verified User; joined Aug 16, 2005; messages: 283)
When offering SSH access to customers, are there things I should be aware of?
I don't have jailed SSH, nor do I have suPHP.

If I allow SSH access, what should I look out for especially?
 
We prefer to only extend shell access on a case-by-case basis, when a customer can really justify needing it, and are able to provide proper identification for us to keep on file.

Also keep in mind that if you use 2Checkout as your payment processor, you are not allowed to offer SSH to your clients.
 
Does this mean all other webhosts that do offer SSH, like hostmonster, are vulnerable to exploits?

In other words, jailed SSH alone is still not enough?
 
No, but chmod files like 'wget', 'telnet', etc. to 700 (root only) will help!
If you grant shell access to somebody who really knows what he/she is doing, they can access root. That said, chmod binary packages or any files/directories for that matter won't help to stop him/her from doing whatever they please to the system.
 
Does this mean all other webhosts that do offer SSH, like hostmonster, are vulnerable to exploits?

Every service connected to the internet is vulnerable to exploits, so it comes down to doing all that you can to reduce the odds of being compromised. Security hardening is a never-ending job, as is learning all that you can about defending your servers. There's more to learn each and every day than there is time to learn it, it seems.

As for what the mega-sized hosting companies offer, that is their business. Their bean counters know to the penny what an exploit costs them, and you can be sure that such incidences are factored into their pricing.
 
Also keep in mind that if you use 2Checkout as your payment processor, you are not allowed to offer SSH to your clients.
Can you point out where that is in their terms?
andyreed said:
If you grant shell access to somebody who really knows what he/she is doing, they can access root.
Really? Even if all the passwords are good, and all the software up-to-date, and you, yourself, are a good admin, and watch over your server?

I'd say that in general you may be right, but the person will have to know quite a bit, and even then it's going to be quite unlikely they're actually going to break in.

That said, we seldom allow shell access.

Jeff
 
Thanks. Hopefully there's a difference between shell accounts and offering shell access as part of a webhosting solution. We'd never offer stand-alone shell accounts but we've never had a problem offering shell access under controlled circumstances (see elsewhere in this thread) as part of a webhosting solution.

I wonder what they're going to say when we let them know we're moving away from 2CO if we can't offer shell access as part of our webhosting solutions.

They may say goodbye.

I'll try contacting them on Monday and I'll try to remember to post again.

Jeff
 
I just spoke to a friendly lady in the risk department.

I explained that we do NOT sell stand-alone shell access accounts but that we do from time to time offer shell access upon application to our webhosting customers.

I asked them if we could sell those accounts through 2Checkout.

Her response was yes, and she so noted our account (which is not under the name NoBaloney Internet Services, so don't bother asking them about us :)).

I suggest that if you do what we do, you check with the risk department.

In the United States their toll free number is 877-294-0273, extension 192. I'm not sure of how to reach them outside the U.S., but if you use them you probably have that information.

Jeff
 