The Community Forums

Interact with an entire community of cPanel & WHM users!

SFTP/SSH really concerns me! Security!

Discussion in 'Security' started by mr.wonderful, Jun 13, 2004.

  1. mr.wonderful (BANNED; joined Feb 1, 2004; 345 messages)
    I'm running WS_FTP 8.0.3. I configured it to connect to my own site using SFTP/SSH and I was able to connect to my own site using this; however, I was really shocked when I clicked on the little green arrow at the top of my screen and moved out of my own webspace. Not only was I able to view the passwd file, but I was able to pretty much see a whole bunch of directories that I think should not be available to anyone using SFTP/SSH.

    I was even able to download a copy of the server's password file. The following directories were displayed when I moved out of my own virtual space:

    /bin
    /dev
    /etc
    /home/myhdomain
    /lib
    /proc
    /tmp
    /usr
    /var
    checkvirtfs :confused:

    So this means all my users connecting via SFTP/SSH have been able to see all this? I realize they can see these directories even when jailed, but at least they cannot download files from the server.

    The point being, my account is JAILED yet I can see everything.
     
    #1 mr.wonderful, Jun 13, 2004
    Last edited: Jun 13, 2004
  2. chirpy (Well-Known Member; joined Jun 15, 2002; 13,475 messages; location: Go on, have a guess)
    Welcome to server security! That's all perfectly normal.

    If you couldn't read the passwd file you wouldn't be able to login. Bearing in mind, of course, that your passwords are not stored in the /etc/passwd file. They're in /etc/shadow which should be rw only to root.

    One option available that helps a little with regard to viewing everyone's files in /home is to use /scripts/enablefileprotect
     
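    The two conditions chirpy describes, that /etc/shadow should be readable and writable by root alone while /etc/passwd is necessarily world-readable, and that any home directory whose "other" read bit is set can be listed by every account on the box, can be checked with a short audit. The script below is an added example and is not code from this thread or from cPanel; the function names are my own, and it builds a throwaway sample tree (constructed data, not a real server) so it runs offline without touching the real /etc or /home.

```sh
#!/bin/sh
# Added example (not from the thread or cPanel): audit the two conditions
# chirpy describes, using only ls/cut/awk so it runs on Linux and BSD.

# mode_string PATH -> the 10-character permission field of "ls -ld", e.g. drwxr-xr-x
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# owner_of PATH -> owner name as "ls -ld" reports it
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# is_owner_only PATH -> succeeds when neither group nor other has any bit set
# (mode 600 for a file), the state /etc/shadow should be in
is_owner_only() {
    [ "$(mode_string "$1" | cut -c5-10)" = "------" ]
}

# world_listable_subdirs ROOT -> prints "name mode" for each direct subdirectory
# of ROOT whose "other" read bit is set, i.e. any local account can ls it
world_listable_subdirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        m=$(mode_string "$d")
        case $(printf '%s' "$m" | cut -c8) in
            r) printf '%s %s\n' "${d##*/}" "$m" ;;
        esac
    done
}

# build_fixture -> creates a throwaway tree that mimics a shared /home plus
# passwd/shadow files (constructed sample data, not a real server) and prints its path
build_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/home/alice" "$t/home/bob" "$t/home/carol"
    chmod 755 "$t/home/alice"   # world-listable: anyone can ls it
    chmod 711 "$t/home/bob"     # traversable, but not listable, by other accounts
    chmod 750 "$t/home/carol"   # closed to other accounts
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$t/passwd"
    printf 'root:$6$placeholder:0:0:99999:7:::\n' > "$t/shadow"
    chmod 644 "$t/passwd"       # world-readable, as passwd must be for logins to work
    chmod 600 "$t/shadow"       # rw only for the owner
    printf '%s\n' "$t"
}

# audit_report ROOT -> prints findings for a tree laid out like build_fixture's
audit_report() {
    if is_owner_only "$1/shadow"; then
        echo "shadow: ok, $(mode_string "$1/shadow") owned by $(owner_of "$1/shadow")"
    else
        echo "shadow: EXPOSED, $(mode_string "$1/shadow")"
    fi
    echo "passwd: $(mode_string "$1/passwd") (world-readable is normal)"
    echo "world-listable home directories:"
    world_listable_subdirs "$1/home"
}

# Stand-alone run: build the sample tree, report on it, clean up
fixture=$(build_fixture)
audit_report "$fixture"
rm -rf "$fixture"
```

    Only alice's directory is reported: bob's is mode 711, which stops other accounts from listing it but still lets them open any file inside whose name they already know (public_html paths are easy to guess on a shared host), and carol's 750 shuts other accounts out entirely. To run the check against a real server, call audit_report with "/" as the root, or point world_listable_subdirs at /home directly; on a cPanel box /scripts/enablefileprotect is the supported way to tighten the home directories it flags.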
  3. rs-freddo (Well-Known Member; joined May 13, 2003; 832 messages; location: Australia; cPanel Access Level: Root Administrator)
    Don't use SSH with SFTP. I wrote a little how-to here and at the ev1 forums on how to use plain old SFTP. You can't leave your own directories doing it this way (it uses SSL rather than SSH). You don't need to give anybody shell access this way.
     
  4. chirpy (Well-Known Member; joined Jun 15, 2002; 13,475 messages; location: Go on, have a guess)
    Bearing in mind that this is just one layer of security. It is still trivial to browse to all readable directories and files on the server, whether you have shell or jailshell enabled or not.
     
  5. rs-freddo (Well-Known Member; joined May 13, 2003; 832 messages; location: Australia; cPanel Access Level: Root Administrator)
    Nothing to do with shell, jailshell or SSH. Just pure FTP under SSL.
     
  6. chirpy (Well-Known Member; joined Jun 15, 2002; 13,475 messages; location: Go on, have a guess)
    I didn't mean to imply that my comment was to do with shell access. Don't believe for one minute that you're secure using FTP over SSL; that would be a completely false sense of security. It is still trivial, as a user account holder, to list all the readable files on the server, including those of others hosting on the server.

    The only advantage of FTP over SSL is that your username/password/data is not sent in plain text.

    As I said, such implementations are just one security layer which might slow someone down a little, but not much.
     