Cpanel demo account still unsafe?

http://www.cpaneldemos.com/

$5 a month and you get your demo and can't possibly be rooted.

 

Take a look at this thread.

 

That helps for e-mail a bit, but does nothing for other security issues. Demos are still susceptible to other things, like cgi-telnets, php shell scripts, etc.. The biggest issue that is still around is that ftp is still allowed in demo mode. You also need to do some chmod's to avoid mail from being used above what is in that other thread.

We've done certain scripts and cronjobs to monitor everything that happens on the server to be notified within 5 minutes of an issue.

Do not take this as self promotion, but even I don't keep a demo on a server with hosting clients and never would.

 

To disable ftp
Add username on

/etc/ftpusers

Description:
Deny FTP access. The ftpusers file is used to deny FTP access to specific users. The format is a simple text file listing the restricted users one per line.


To disable cron

cd /var/spool/cron
touch demousername
chattr +i demousername

 

Just an FYI on the ftpusers file, it only works for Proftp not for Pure-ftp.

 

How intuitive! What time of day was that decision made?

 

Years ago. Its been in ProFTPd for as long as I can remember ever using it as an FTP server (my experience at least 2 years)

Jesse Rehmer
www.blueworldhosting.com

 

That's why it does not work for some, some of us use pure-ftp and not proftp.

 

Then I guess thats something you'd need to pick up with the developers of Pure-FTP as its a feature that is lacking in pure-ftp obviously.

Also, why do people use pure-ftpd? Never could figure out why anyone would want to do that on a cpanel box when it does NOT calculate bandwidth, doesn't log username/domain properly in log files, and it simply is slower from what I can tell????

What are you're reasons for running pure-ftpd?

 

IIRC, wuftpd uses it too. Shame pure-ftpd doesn't and that it's not as configurable as proftpd :p

 

Other than the bandwidth count and access, I disagree with the others. Like it even states in WHM:

Pure-Ftp
* Faster Login Time
* Smaller Memory Footprint
* Allows Virtual Access on any ip address
* Better Security Model Guess this is not true now though
* Deals better with Software Raid systems

Plus for us, never had an issue with it, where as with ProFtp we had to many issues with clients not being able to connect consistantly.

 

The only thing in that list that I would agree with is the smaller memory footprint, because it's less sophisticated. Though the difference is probably negligable. I've no problem if people want to use pure-ftpd, so long as they don't get rid of proftpd, since, IMHO, you can't find a more configurable, durable and extendable FTP daemon. Never had a problem with it, and a few extra tweaks that cPanel haven't bothered putting in (despite being asked to) and it doesn't suffer the slowness that most see.

 

Hehe. My question was rhetorical social commentary :D

 

Sorry, you caught me in a bad, non-humorous morning mood. I just came back to re-read the thread again because I couldn't exactly remember why I posted what I posted this morning, but damn I was a biatch.

Sorry!

www.blueworldhosting.com

 

Hardly! No problems mate. There was nothing to apologize for. You simply gave a straight answer to my not so straight question

 

Just want to get this back to the overall question if possible.

What can be done to secure the demo account to reasonable standards?
I have a client who insists on providing it, even though a psybnc was successfully installed through it once, so I disabled demo account, then the client re-enabled it, and within 2 days had numerous php & cgi shells installed as well as another psybnc.

I find it quite ridiculous that this function is provided with soo little thought put into making it reasonably secure.

dgbaker: seems you have a very smart offering, and I may have to make use of it, if demo mode cannot be secured well. Although I think it would be a SAD sign for cpanel users if we all have to start paying other services to be able to provide features that are poorly implemented in cpanel!

 

Is the cPanel demo still considered not secure?

 

i'd like to know too