The Community Forums


Cpanel demo account still unsafe?

Discussion in 'General Discussion' started by damainman, Sep 27, 2004.

  1. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    I know in the past people's servers have been compromised by utilizing cPanel demo accounts. Has cPanel fixed these security issues, or is it still a problem?

    I would like to give potential users a demo, but not if it will compromise my server.

    Thank you in advance for your replies.
     
  2. FWC

    FWC Well-Known Member

    Joined:
    May 13, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ontario, Canada
  3. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    That helps for e-mail a bit, but does nothing for other security issues. Demos are still susceptible to other things, like cgi-telnets, php shell scripts, etc. The biggest issue that is still around is that ftp is still allowed in demo mode. You also need to do some chmods to avoid mail from being used above what is in that other thread.

    We've done certain scripts and cronjobs to monitor everything that happens on the server to be notified within 5 minutes of an issue.

    Do not take this as self promotion, but even I don't keep a demo on a server with hosting clients and never would.
     
  5. rvskin

    rvskin Well-Known Member
    PartnerNOC

    Joined:
    Feb 19, 2003
    Messages:
    400
    Likes Received:
    1
    Trophy Points:
    18
    To disable ftp
    Add username on

    /etc/ftpusers

    Description:
    Deny FTP access. The ftpusers file is used to deny FTP access to specific users. The format is a simple text file listing the restricted users one per line.


    To disable cron

    cd /var/spool/cron
    touch demousername
    chattr +i demousername
     
  6. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Just an FYI on the ftpusers file, it only works for Proftp not for Pure-ftp.
     
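    The steps rvskin lists above, together with dgbaker's caveat that /etc/ftpusers is only honoured by ProFTPd, as an added example script (not code from the thread or from cPanel). Paths are parameters so it can be dry-run against a scratch directory; the defaults are the real ProFTPd deny list and cron spool, and the demo username is an assumption.

```shell
#!/bin/sh
# Added example: harden a cPanel demo account as described in the thread.
# Assumption: ProFTPd is the FTP server (Pure-FTPd ignores /etc/ftpusers).

# deny_ftp USER [FTPUSERS_FILE]: add USER to the ProFTPd deny list once
deny_ftp() {
    user=$1; f=${2:-/etc/ftpusers}
    [ -f "$f" ] || : > "$f"
    # exact-line match so "demo" does not also match "demo2"
    if ! grep -qx "$user" "$f"; then
        printf '%s\n' "$user" >> "$f"
    fi
}

# lock_cron USER [SPOOL_DIR]: give USER an empty crontab and make it
# immutable so the account cannot schedule jobs. chattr needs root and an
# ext-style filesystem; where it fails this is reported, not fatal.
lock_cron() {
    user=$1; d=${2:-/var/spool/cron}
    cf="$d/$user"
    chattr -i "$cf" 2>/dev/null || true   # allow re-running the script
    : > "$cf"
    chmod 600 "$cf"
    chattr +i "$cf" 2>/dev/null || echo "warning: chattr +i $cf failed" >&2
}

# is_ftp_denied USER [FTPUSERS_FILE]: true if USER is listed exactly once
is_ftp_denied() {
    [ "$(grep -cx "$1" "${2:-/etc/ftpusers}")" = 1 ]
}

# cron_locked USER [SPOOL_DIR]: true if the crontab exists and is empty
cron_locked() {
    cf="${2:-/var/spool/cron}/$1"
    [ -f "$cf" ] && [ ! -s "$cf" ]
}

# new_scripts HOME_DIR STAMP_FILE: list php/cgi/pl files newer than STAMP,
# the kind of drop-in the thread reports appearing in demo accounts; run it
# from a root cron job against the demo home to get notified quickly
new_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) \
        -newer "$2" 2>/dev/null
}
```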
  7. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    How intuitive! What time of day was that decision made?
     
  8. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO

    Years ago. It's been in ProFTPd for as long as I can remember ever using it as an FTP server (my experience at least 2 years).

    Jesse Rehmer
    www.blueworldhosting.com
     
  9. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    That's why it does not work for some, some of us use pure-ftp and not proftp.
     
  10. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    Then I guess that's something you'd need to pick up with the developers of Pure-FTP as it's a feature that is lacking in pure-ftp obviously.

    Also, why do people use pure-ftpd? Never could figure out why anyone would want to do that on a cpanel box when it does NOT calculate bandwidth, doesn't log username/domain properly in log files, and it simply is slower from what I can tell????

    What are your reasons for running pure-ftpd?
     
  11. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    IIRC, wuftpd uses it too. Shame pure-ftpd doesn't and that it's not as configurable as proftpd :p
     
  12. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Other than the bandwidth count and access, I disagree with the others. Like it even states in WHM:

    Pure-Ftp
    * Faster Login Time
    * Smaller Memory Footprint
    * Allows Virtual Access on any ip address
    * Better Security Model Guess this is not true now though :)
    * Deals better with Software Raid systems

    Plus for us, never had an issue with it, whereas with ProFtp we had too many issues with clients not being able to connect consistently.
     
  13. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The only thing in that list that I would agree with is the smaller memory footprint, because it's less sophisticated. Though the difference is probably negligible. I've no problem if people want to use pure-ftpd, so long as they don't get rid of proftpd, since, IMHO, you can't find a more configurable, durable and extendable FTP daemon. Never had a problem with it, and with a few extra tweaks that cPanel haven't bothered putting in (despite being asked to) it doesn't suffer the slowness that most see.
     
  14. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    Hehe. My question was rhetorical social commentary :D
     
  15. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    Sorry, you caught me in a bad, non-humorous morning mood. I just came back to re-read the thread again because I couldn't exactly remember why I posted what I posted this morning, but damn I was a biatch.

    Sorry!

    www.blueworldhosting.com
     
  16. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    Hardly! No problems mate. There was nothing to apologize for. You simply gave a straight answer to my not so straight question :)
     
  17. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    414
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Just want to get this back to the overall question if possible.

    What can be done to secure the demo account to reasonable standards?
    I have a client who insists on providing it, even though a psybnc was successfully installed through it once, so I disabled demo account, then the client re-enabled it, and within 2 days had numerous php & cgi shells installed as well as another psybnc.

    I find it quite ridiculous that this function is provided with so little thought put into making it reasonably secure.

    dgbaker: seems you have a very smart offering, and I may have to make use of it, if demo mode cannot be secured well. Although I think it would be a SAD sign for cpanel users if we all have to start paying other services to be able to provide features that are poorly implemented in cpanel!
     
  18. joshstein

    joshstein Active Member

    Joined:
    Feb 23, 2003
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    Is the cPanel demo still considered not secure?
     
  19. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    414
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator