SSH Security.

[r0ger]

Hi everyone my name is Roger, I'm new here so nice to meet you all! :0)

Sadly my otherwise excellent (linux) host has pulled SSH on their shared servers. They say it is for security reasons: they are getting numerous attacks. They have no plans / timescale for re-instating it. Surely SSH can be done safely these days, even if you have numerous attackers daily?

What reasons could they have for not fixing it up? Are they just cutting corners / lasy / inept ?

I use SSH all the time, so obviously I'm pretty bummed about this :-/ consequently I must also ask... Anyone know of a good cheap reseller package that allows SSH tunneling / good Shell access? I am currently using the 'Mini Reseller' package from these guys: http://www.buyhttp.com/reseller_hosting.html

Thanks,

r0g

 

[Matthew]

I use powervps.com at the moment although they do offer VPS (not reseller). I am not sure if you will want to jump up another $15/month though which is their lowest plan.

 

[lowesthost]

host has pulled SSH on their shared servers. They say it is for security reasons:

that is the stance for many hosts not only the security but the resource usage for SSH. Sure there are a few extra tweaks a host can do to beef up security. but why bother with the added risk on a shared account.
If you ran your own server you would realize the ramifications of offering SSH access to everyone.

 

[tarsick]

that is the stance for many hosts not only the security but the resource usage for SSH. Sure there are a few extra tweaks a host can do to beef up security. but why bother with the added risk on a shared account.
If you ran your own server you would realize the ramifications of offering SSH access to everyone.

I think using SSH access makes running your web site safer. Many web hosting companies (**************.com, Site5.com, etc.) offer then in their shared web hosting package plans and they do it for the sake of safety. I don't thin it may lead to any bugs.

 

[XNL0]

Hi everyone my name is Roger, I'm new here so nice to meet you all! :0)

Sadly my otherwise excellent (linux) host has pulled SSH on their shared servers. They say it is for security reasons: they are getting numerous attacks. They have no plans / timescale for re-instating it. Surely SSH can be done safely these days, even if you have numerous attackers daily?

What reasons could they have for not fixing it up? Are they just cutting corners / lasy / inept ?

I use SSH all the time, so obviously I'm pretty bummed about this :-/ consequently I must also ask... Anyone know of a good cheap reseller package that allows SSH tunneling / good Shell access? I am currently using the 'Mini Reseller' package from these guys: http://www.buyhttp.com/reseller_hosting.html

Thanks,

r0g

Shell jailed access is offered on the majority of web hosting plans on request.

 

[r0ger]

Indeed, in terms of MY security it's great to have an encrypted connection. If I can tunnel to my sites admin pages I can tell apache to only serve them locally, which I like and FTP with it's plaintext logins has always made me squirm.

'Jail' shell access is fine for me, I don't want to look at the running processes or any folders outside my own. Is this a particularly hard thing to setup? Can people break out of this 'jail' if it's not maintained?

I appreciate it's not easy to maintain good security on shared servers and a VPS wouldn't suffer the same issues but equally, I'm not confident I'm up to maintaining security on my own, or that my budget can stretch to a managed VPS with c-panel.

r0g.

 

[Rob]

What we have done on a few of our servers is to change the SSH port from 22 to another number. We have also disabled SSH 1 so only 2 is allowed.

We also operate LFD on SSH and if any IP addresses which are not on the allowed list / client list try to login to SSH and fail they get banned from authenticating.

Securing SSH is not that hard and once its done all it needs is for it to be monitored.

 

[r0ger]

Thanks for all the responses,

CSF/LFD looks great, I have written to my host asking if they will consider using it. I'd quite like to see this data for my sites too, if they were to install it on their shared servers would I get a WHM icon for it or would that be for them only?

Sadly though I somehow doubt they'll want to install an entirely new firewall just for me but it's something to look for next time I'm shopping for server space

They had already tried the non standard port thing so I guess they must have had quite a problem, which I obviously sympathise with. I'm sure it can't be easy to secure your servers to a decent standard whilst still maintianing wide functionality for hundreds and thousands of user at a time but it's good to know it's not an impossible task either.

Roger.

 

[Rob]

would I get a WHM icon for it or would that be for them only?

I'm not sure what you mean by that - could you elaborate?

Yes CSF is a good piece of software. We use it on all our cpanel servers without any problems what so ever - its very easy to setup and configure.

I'm sure it can't be easy to secure your servers to a decent standard whilst still maintaining wide functionality

Not necessarily as long as you have the patience to do configure it correctly as once its done its done you just need to make sure its updated. We keep updating as we go along - everything is much easier to do now that we have cPanel 11.

PS: IMHO your hosting provider looks quite expensive for the features its offering in the link you supplied

 

[r0ger]

CSF: Well the website decribes how it generates alerts / keeps logs of failed logins and suchlike. It also mentions good integration with WHM so I was wondering if my service provider installed it would I then be able to get my hands on this info or configure any options for it myself via my WHM panel? Or would I see no evidence of it at all?

Hosting: Yes, I have been looking around recently and have found cheaper, although less is quite often turns out to be less right? I will switch eventually if SSH doesn't come back tho & looking round here is giving me ideas. This seems like a really great forum for finding hosting actually. I can see several people who's hosting plans look good already and I get the feeling I will be able to tell a good host from a bad one on the quality of their posts here, v.reassuring

Roger.

 

[r0ger]

The plot thickens...

I just got a response back from my host "We already use CSF/LFD with all servers however it doesn't protect from shell access vulnerabilities"

I'm sure this is true enough: if someone has swiped a login (or even bought one from you!) all the firewalls in the world won't stop them. So I guess they feel they can't 'jail' shell users well enough. Is it possible to use these jails to limit the damage done, or are they just to ward off the occasional script kiddie?

Obviously a pwnd shell account is a problem for host and owner alike but given they reckon they patch their servers daily how likely is it someone could root the average server anyway? Wouldn't most attempts to do that alert the admins or trigger whatever IDS they are using?

The other (maybe bigger) issue is data security... how safe is your data from other users of the same DBMS (setup the way it usually is on shared packages)? Would attackers be aim to, or be able to root the whole database from a bog satandard shell account, or is it more a case of anyone with default logins / out of date scripts would be hosed?

I had always assumed chroot / file permissions would prevent other non-root users from viewing your PHP scripts anyway and that exploits that would get you that kind of access rely on bugs in the hosts software which anyone up to date with all their patches shouldn't be at serious risk from. I had always assumed also that host would severely limit the list of programs you could run in the first place, so you couldn't see other peoples processes / command lines etc, is this actually done in practice or would this break too much stuff?

The other things hackers/kiddies might do with someone elses shell account like spamming and setting up subdomains to hock pirate software, viagra, whatever would seem to be more of a nuisance than a disaster & I would have thought a competent host would spot these quite quickly.

Sorry to ramble on and ask so many naive questions but I'd really like to get it clear in my head how well a shared servers can ever be secured. I'm not sure I can afford managed VPS yet, but equally I'm not sure if the people I build websites for can afford to get their datas pwnd either :-/

r0ger.

 

[rider]

SSH access is an essential thing in running web site. As fo me I use it alongside with many other features that the package plan from ************ offers.

 

[hostingpuppy]

We used to offer shell access, but pulled it several months ago. To be honest, it just wasn't worth the trouble.

Yes it can be secured, yes it can be monitored, yes it can be firewalled, but at the end of the day it's not worth the trouble. The VAST majority of web hosting customers have no idea what SSH is or why they would want it so the business case for expending the $$ and time to maintain it simply isn't there.

Having said that, we will offer jailed SSH on our premium packages with proper ID, but we only do it on request and nobody has ever asked for it (which is consistent with the fact that most people don't know what it is).

 

[Rob]

Is it possible to use these jails to limit the damage done

Yes jailed shell restricts the user from issuing special commands like 'execute' or 'reboot' it also stops them from accessing any files out of their directory.

What we also do is use a feature with cPanel 11 called Shell Fork Bomb Protection which stops the user from using up the server's resources and possibly crashing it. We also have compilers disabled by all users apart from root. We have just installed OSSEC which is an intrusion detection tool. It alerts us to any suspicious SSH activity like a user or script trying to issue special commands or send large amounts of email in one go.

Furthermore we encourage users to use RSA Key authentication as well as password. They just save the keyfile to their PC so SSH will know to proceed with the login. Just extra security.

 

[r0ger]

Now that's what I'm talking about! I think I've convinced myself to move host soon, I'll happily pay a bit more for a host that's prepared to take this kind of trouble Although your 'Xtreme' plan looks like it might work out cheaper anyway, and definately offers more storage & bandwidth!

Thanks,

Roger,

 

[amanda999]

Well i think using a SSH access will make site much safer...

 

[hostingpuppy]

Well i think using a SSH access will make site much safer...

How can allowing SSH access make a site much safer? I'll agree that there are several compelling arugments either way on whether offering SSH makes a site less secure, but how can it make a site more secure?

 

[r0ger]

Well it's not necessarily going to be more secure for the host, in fact it may be a liability for them in many circumstances but the main way I can think of tightening site security with ssh is the method I described earlier, namely: A user can ban access to his his sensitive pages / scripts with htaccess so they may ONLY be accessed via the local host i.e. by them ssh tunnelling in with a socks proxy. His/her data is then more secure as it both encrypted AND absolutely unaccessable from the web.

The host might also gain some security as even if somebody knew / brute forced a CMS admin account login or found a bug that would let them bypass the login the site's admin pages would remain invisible & they would have to eat your 403s In short, many of your users leaky out of date scripts would be considerably less vulnerable, and thus, less of a security headache for you IF... and it's a big IF!... you could persuade people to use that method. Something like SSH/Socks might make some users flinch but it's not that hard and you could write, or link to, a good tutorial.

Roger.

 

[hostingpuppy]

My lord - I'm quite sure we don't have a single user that would be interested in setting all that up. Well, maybe one but he's quite the exception. I would think that anyone advanced enough to know how to do what you suggest has long outgrown shared hosting and either has their own boxen or is on a VPS or dedicated server.

However, you answered my question. That set up could indeed make a box more secure.

 

[r0ger]

Yes I'm sure you'll never see more than a small percentage of your users wanting to implement such a setup but it is growing in popularity, especially in the Drupal community where I first learned about it, and where many people still use shared hosting.

I think there's quite a few developers out there who are working their way up to VPS hosting but don't have the confidence for it yet. The kind of discussions you see on here only go to reinforce peoples belief that it's hard / long to learn how to setup servers securely and probably best left to the professionals.

The time it takes to get up to speed on simple SSH/Socks is a day or two, a week if you really are green to the whole thing, where as learning to administer servers securely is a much more substantial commitment working, you may be looking at months / years of learning.

I think there is a niche for people who are concerned about security enough to spend a bit of time working on it but not their whole day, especially as if you don't take some measures to secure your clients data and somebody does pinch it you have little defense if it came to litigation.