IRC and shell account's..

[shockym]

I had a recently new client put in a support ticket for wanting shell access, most don't do this for security reasons. This client has purchased a (cheap, as in our discounted rates) hosting plan with us, there is nothing on the site, after over 5 months of paying for hosting and then randomly asking for shell access to setup an IRCD.

Whats the first thought that comes to your mind here? :rolleyes2

 

[Lesli]

First reaction?

No.

No no no no no.

And no.

Not without many, many, many assurances that the person won't try something tricksy. They could have gotten the least expensive plan, tested your network's defences, found them to be compromisable, and are now planning to set up their 'bot network. Or there could be a completely logical, rational, nonabusive reason for setting up an IRC channel. Maybe they've just been too busy to do anything with the site until now. YNK (you never know.)

You could always set them up, watch them like a hawk, and shut down said channel (and report them to the authorities, since tampering with a communications network is a federal offense) at the first sign that their IRCD is compromising, or allowing the compromising of, network resources. I would only do this if I had the resources to watch this person's activities, though.

 

[shockym]

Two great minds think alike. While I do agree that its possible they had nothing to do on the site until now, I don't like the idea of having nothing then asking for a shell. It just doesnt sit well with me, and the answer for shells (even if its family or friends, even when I know they know what they are doing) its always the same - no.

 

[gigapros]

Your customer's behavior sounds too suspicious. It would not be wise to grant him the shell access. :disagree:

 

[shockym]

I would not grant shell access to my mom let alone some stranger. I know sometimes its all in my head that there are not as many bad people out there than what I though, but that is well past my suspicious bar, its more like a big olé reg flag.

 

[MisterV]

Agree with others here: If you do not have that service better do not provide that. Redirect him to the goggle or any other company that offers that like santrex.net. In that case you won't lose him and you won't provide that you can't

 

[~ServerPoint~]

I think that 5month old customer with such strange request cannot be considered as trusted one

 

[shockym]

Sever thats what I am thinking too. I did go ahead and poke around to send them to google and even recommended afew I had used in the past just to tinker around with and they were fine with it. I'm still a little on the hesitant side for them though.

 

[JcLusso]

seems very suspicious. I would not allow shell access at all like others have implied.

 

[webcs]

I had a recently new client put in a support ticket for wanting shell access, most don't do this for security reasons. This client has purchased a (cheap, as in our discounted rates) hosting plan with us, there is nothing on the site, after over 5 months of paying for hosting and then randomly asking for shell access to setup an IRCD.

Whats the first thought that comes to your mind here? :rolleyes2

Personally we ask for identification when someone suddenly needs SSH access. We have them fax in an ID. I know that's a little strict, but we are security nuts and our other customers need to be secure.

As for what I think of this specific case, if he has nothing on his site, what does he need it for? First, ask him. He might have a good answer. As a host it is definitely your business to know what he does with your servers. If its something you can do for him, like install a tar ball or something, might be better to do it for him. Or allow him SSH access for just a period of time.

Make sure the security of your server comes first.