A user can access all accounts :(

cosmin

Hi!

A user sent me an e-mail today showing how he can access all accounts through SSH.

Another user modified a MySQL db from another account...

How can I stop this?
In WHM I have enabled Shell Fork Bomb Protection :(((


Who can help me please?

Thanks!
 

hst

Set root password

Have you set the root password for MySQL with WHM? If not, give that a try, since without it you will have problems like this.
 

itf

Don't permit SSH on your system to all of your clients; as long as you permit it, you will be involved in risky operations like this!!!
 

masood

Even if you permit one person on SSH (say a reseller), that one user can access almost everything. :p

How can I protect someone's billing software from being stolen? :-(

php-cgiwrap?

zend-optimizer (php) and suexec (cgi) work fine, but not everyone has zend-encoder (php).

How about code inside cpanel themes?

zend-optimizer inside cpanel themes? Will it work?

Directory permissions on cpanel themes to only allow "cpanel" to read files? (Tried it, didn't work.)

any other ideas?
 

itf

Originally posted by Dotcoms:

> chmod 711 all of your important directories is one way.

Can’t help much more. When you permit someone to use SSH, it’s a bit like opening your front door while you have security alarms installed in your house. It turns into a heaven for hackers if you have mod_perl or PHP installed.

Shared hosting is not as secure as you think. :p
 

cosmin

Solutions?

Practically no solutions?

I can't stop shell access for my users. They need this...

Does only Masood have a solution?
 

itf

Originally posted by cosmin:

> How can I give/stop SSH access for an active account?

There are three ways; choose one of them to enable/disable SSH.

Method 1)
Modify your hosting package and then use Account Functions -> Upgrade/Downgrade

Method 2)
Use this command

chsh USERNAME

Then change it to /usr/local/cpanel/bin/noshell

Method 3)

pico /etc/passwd

Next to that user name, change /bin/bash to /usr/local/cpanel/bin/noshell

If you want to enable SSH for a certain user change its shell to /bin/bash
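
An added example, not part of the posts above: a POSIX shell audit of the two controls discussed in this thread, the login shell field in /etc/passwd and the chmod 711 setting on directories. The UID cutoff of 500, the extra no-login shell paths and the sample accounts are assumptions constructed for the example.

```sh
#!/bin/sh
# Shells treated as "no login". The cPanel noshell path comes from the thread;
# the other paths are common system defaults (assumption).
NOLOGIN_SHELLS="/usr/local/cpanel/bin/noshell /sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# list_shell_users [MIN_UID] < passwd-file
# Prints "user:shell" for accounts at or above MIN_UID (default 500, an
# assumption) whose shell still allows an interactive login.
# An empty shell field means the system default, /bin/sh.
list_shell_users() {
    awk -F: -v min="${1:-500}" -v deny="$NOLOGIN_SHELLS" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) no[d[i]] = 1 }
        /^#/ || NF < 7   { next }
        $3 + 0 < min + 0 { next }
        { sh = ($7 == "" ? "/bin/sh" : $7) }
        !(sh in no)      { print $1 ":" sh }
    '
}

# home_exposure DIR
# Classifies the "other" permission bits of a directory:
#   listable    - others can read it (ls shows every file name)
#   traversable - execute only, the chmod 711 case: names must be known
#   private     - others have no access at all
home_exposure() {
    perms=$(ls -ld "$1" | cut -c8-10)
    case "$perms" in
        r??)    echo listable ;;
        ??[xt]) echo traversable ;;
        *)      echo private ;;
    esac
}

# Constructed sample in passwd format (not taken from a real server).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:32001:32001::/home/alice:/bin/bash
bob:x:32002:32002::/home/bob:/usr/local/cpanel/bin/noshell
carol:x:32003:32003::/home/carol:
EOF
}

sample_passwd | list_shell_users    # accounts that can still log in
```

On a live server, run `list_shell_users < /etc/passwd` and call `home_exposure` on each home directory it reports.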
 

masood

Originally posted by TRAIN YARD SOFTWARE:

> We are told this is how SSH works on UN*X

Nope. SSH or Shell on a system can be secured in a lot of ways. You just need the right permissions on files and directories.
 

masood

Originally posted by cosmin:

> Practically no solutions?
>
> I can't stop shell access for my users. They need this...
>
> Does only Masood have a solution?

:p What are your concerns on shell access?
 

ehsan

Masood,

You are right, but there are directories that you cannot chmod to what you want.

I personally don't even like to see ls /home run by a reseller! :)

I cannot chmod /etc/passwd, for example, so I'd better not even give them shell access. Especially when you have 100 domains on each box, you should think about your customers' privacy too...

So my advice is: don't give them shell access at all! Don't offer it in your packages; tell them that for security reasons and your own convenience, we don't offer it!
 

mesranet

Well... it can be done with many solutions; two of them are 'Korn Shell Programming' & 'chroot jail'.
 

ehsan

So can you stop users from listing /home?
Or can you stop a user from opening so many of your scripts and files in pico?!

I am not talking about changing; just looking at stuff is too much for some people :)
 

masood

Well... shell access is required by advanced users anyway, and you can't tell them: "we do not provide shell access for security reasons".

If I'm a customer, I would wonder what kind of hosting company is this? :p

On shared hosting listing /home is no concern for me, but

a) reading files of other users (like config.php with db passwords)
b) reading php code in /usr/local/cpanel/base/frontend/my_super_cool_php_theme

IS A NIGHTMARE for me!!! :(

The solution is available, but looks like unfortunately Cpanel does not use it!! (Except suExec for cgi scripts)

SOLUTION:

for (a) php-cgiwrap
for (b) zend_optimizer or cpanel directories to be read only by "cpanel" user.

:-(

Nick what do you say?
 

masood

ehsan,

Even if you just provide an FTP account, all user files are open to read by anyone with an FTP account :p

that means all db passwords as well in php files :p
 

SHSaeed

Originally posted by masood:

> Even if you just provide FTP account, all user files are open to read by anyone with an FTP account :p
>
> that means all db passwords as well in php files :p

That's not true. If you set a user's FTP root directory to /home/user then they cannot read /home or any other directory outside of /home/user.
 

Radio_Head

Originally posted by ehsan:

> Masood,
>
> You are right, but there are directories that you cannot chmod to what you want.
>
> I personally don't even like to see ls /home run by a reseller! :)
>
> I cannot chmod /etc/passwd, for example, so I'd better not even give them shell access. Especially when you have 100 domains on each box, you should think about your customers' privacy too...
>
> So my advice is: don't give them shell access at all! Don't offer it in your packages; tell them that for security reasons and your own convenience, we don't offer it!

And if a client asks you to back up his site via SSH?
And if a client asks you to back up his MySQL database via SSH?

If we cannot provide SSH we cannot be competitive...
Clients will go away...
 

SHSaeed

One thing you can do is if you have 2 different servers, put all clients that require SSH on one server and the rest on the other server. This way you can let your clients know about the risks involved in everyone having SSH access.

[edit]
I've also seen some web hosts offer SSH to clients that provide two types of identification.
[/edit]