Is allowing clients SSH a security risk?
Posted by grizzled, 08-04-2010, 01:58 PM |
Hi, if I give VPS clients access to SSH, do I jeopardize my server's security?
|
Posted by TmzHosting, 08-04-2010, 02:32 PM |
Do you mean shared accounts under your VPS or actual VPS clients? Because it makes a huge difference.
- Daniel
|
Posted by zomex, 08-04-2010, 02:47 PM |
Giving your clients SSH access will always be a security issue but can be managed.
If you're talking about VPS clients then you will have to give them root access to their VPS otherwise it defeats the purpose of a VPS completely.
Regards,
Jack
|
Posted by Patrick, 08-04-2010, 03:15 PM |
Not really. If they have access to PHP, Perl (CGI), Cron Jobs they can do almost as much damage as they could with SSH ... it just takes a little bit longer. There's a huge myth that enabling SSH is bad or dangerous and that's simply an ignorant way of viewing things.
As long as your server is secure from any known threats, you're OK.
|
Posted by keserhosting, 08-04-2010, 03:22 PM |
If you are using shared hosting on the VPS then there is a lot of risk in allowing SSH on shared, as the server will be shared with many clients. If it's a VPS client then you gave SSH access to the client.
|
Posted by ImageLeet, 08-04-2010, 03:39 PM |
I believe you are providing VPS to a client so there would not be any problems if you also provide SSH access to them.
|
Posted by TmzHosting, 08-04-2010, 03:50 PM |
Exactly why I asked him the question above.
- Daniel
|
Posted by techstar, 08-05-2010, 03:01 AM |
Confusions
By VPS Clients, did you mean:
or
But it looks like 'grizzled' hasn't come back to check the replies.
Last edited by techstar; 08-05-2010 at 03:01 AM.
Reason: typo
|
Posted by tcjtk, 08-05-2010, 10:34 AM |
The Dragon Research Group (DRG) recently published some SSH password authentication insight and analysis recently, including a brief whitepaper. You might find it helpful. Being a new WHT member I can't post links, but if you search for sshpwauth and DRG it should be readily found in a net search. Note, I'm a volunteer with DRG.
John
|
Posted by ZenMonk, 08-09-2010, 02:35 AM |
Not unless you are proactive, that is, doing frequent kernel updates, security updates, etc.
|
Posted by grizzled, 08-13-2010, 04:56 PM |
I sell whole VPS plan, not only website. Yes, I also kinda thought that SSH might have had a little bad reputation to scare the skin of people but is good and harmless to give to clients. Do you know if giving demos with cron jobs and PHP is risky?
|
Posted by Patrick, 08-13-2010, 10:25 PM |
Define demo. Are you talking about a demo of the VPS or a demo of the control panel?
|
Posted by grizzled, 08-14-2010, 11:09 PM |
A demo of the vps cpanel
|
Posted by layer0, 08-14-2010, 11:19 PM |
Giving a demo account in general is risky, if you're allowing access to the user to create cronjobs, upload php scripts, etc. That's enough to start sending out spam through your server. I'd only consider providing this once you've confirmed the user is not fraudulent, and that they have legitimate purpose for the account, i.e. testing an application. Even then, I'd monitor it closely.
A standard demo account that is locked down, only giving an idea of what graphic interface the user should expect is totally fine, though.
|
Posted by DialANetwork, 08-14-2010, 11:23 PM |
I would not really give out SSH to shared users, however it is safe if your server is secure.
If you mean the console inside things such as HyperVM and SolusVM, this is generally OK. But they should just get root access anyway!
|
Posted by tjohnson3757, 08-15-2010, 04:36 PM |
I would never recommend giving customers SSH access, it can be a security issue.
|
Posted by techstar, 08-16-2010, 02:17 PM |
If you are selling full VPS plans, you should give your clients full root access. I wouldn't recommend you allow a demo account with privileges to set cronjobs.
|
Posted by grizzled, 08-19-2010, 02:50 AM |
Do you mean that if I give SSH in a demo they'll get root access too?
|
Posted by MattS, 08-22-2010, 08:03 AM |
If properly done it shouldn't be an issue. VPS users always get SSH access on their own VPS. For shared I always suggest jailed SSH.
|
Posted by Lightwave, 08-22-2010, 08:24 AM |
Doesn't it amaze and scare you the amount of sheep that just repeat the standard line without any specific reason?
What surprises me is that it seems this person wants to sell (or is already selling) VPS accounts, and has to even ask this question. But, then the WHT community as a whole is a bit destructive encouraging these sorts of "companies" getting started in the first place rather than telling them to gtfo.
|
Posted by Patrick, 08-22-2010, 12:24 PM |
Hehe. If you stick around in the Technical forums long enough, you'll come across much worse.
Last year there was a guy on WHT advertising his security services to the community and while that isn't uncommon here, the fact that not even four months beforehand he was asking such basic questions like how to recompile Apache or how to stop a DoS attack was frightening. How one goes from a beginner to a "security professional" in less than 6 months is beyond me...
|
Posted by hostdl, 08-23-2010, 11:07 AM |
I totally agree
SSH equals phpshell/cgi shell to me
|
Posted by Patrick, 08-24-2010, 09:59 AM |
Read my first post in this thread to see why you're wrong. If someone wants to compromise your server using an existing exploit, they do not need SSH. As long as your server is secure from the latest known threats, there is absolutely no reason to not give SSH to users. When I hear people saying they don't give out SSH for security reasons, I smell lack of confidence in their security and operating system...
|
Posted by UnixCabin, 08-24-2010, 09:03 PM |
Well, take smartness, dedication, and determination drilling into one segment of study.... I don't see why not. If it was like a week span, then I'll be a little concerned. I don't think 6 months is a short period.
|
Posted by topwebhosting, 08-25-2010, 06:05 AM |
I agree with some of the guys here, I will never give SSH access to my customers as it could be a security risk.
Last edited by bear; 08-25-2010 at 08:46 AM.
|
Posted by Patrick, 08-25-2010, 09:22 AM |
How is it a security risk? What can an attacker do that they cannot do via other means, that can only be orchestrated by having SSH access?
|
Posted by Lightwave, 08-25-2010, 03:01 PM |
It's a security risk because the other sheep say it is a security risk.
Just like you should definitely use SuPHP (if you're too dumb/lazy to configure FastCGI) because it's much gooder than running PHP with mod_php at least that's what I've lurned from the "experts" here.
Ya know what... I enjoy them outing themselves as clueless sheep. I just wish they'd make it more clear which company they were associated with so clients could know who to avoid beforehand as well.
|
Posted by StabilityAaron, 08-25-2010, 03:25 PM |
Here is how we approach this.
Keep your boxes patched.
Phone verify clients.
Put SSHD into jail(8).
|