Running SSH Do you allow it for shared and reseller hosting customers?

[Senad]

Well the title says it all...do you allow SSH access for your shared and reseller customers?


Myself I do not, it's too big of a security risk and I frankly don't think customers need it at that stage. During the VPS/Dedicated Stage I think that of course they recieve SSH access since the resources are split virtually.

What's your opinion on allowing SSH/Telnet on your shared/reseller hosting environment.

 

[webfreak08]

I'd say that hosts should provide SSH access, but to only those clients who demonstrate a genuine need.

 

[Senad]

I'd say that hosts should provide SSH access, but to only those clients who demonstrate a genuine need.

But isn't that in itself hard enough? I mean who's to say that they will use it for a genuine need?

 

[ldcdc]

I mean who's to say that they will use it for a genuine need?

No one. It remains a risk, but then again, so is to give them the ability to use PHP and Perl.

 

[ayksolutions]

Yeah, but with PHP and perl its a lot harder to hurt the server or network than with even jailed ssh. We used to offer it but do not anymore. We only, sometimes, allow it to long time customers for a short period of time.

If you think about it, you don't really need it if you do not have a dedicated. What you need it for? Chmodding can be done through FTP, I don't see a reason for it.

 

[Dediwebhost.com]

Telnet access is a definitely no no.

For shared hosting, it depends on the plan a customer is on. Higher end customers will get SSH account. But by default, all shared customers will not get it.

For resellers, yes.

 

[YUPAPA]

Why would they need SSH anyway?

A control panel should do most of the work they need. SSH can sometimes be helpful than FTP. For example, it takes longer to upload a list of files whereas you can simply untar a file containing the list of files using SSH ~ SSH is convenient for editing text files whereas you have to overwrite the files everytime you make changes to them with FTP ~

 

[rootsupport]

What I will suggest is you can provide SSH (Jailed shell) temporarily, that is if a client needs SSH you can enable SSH for him for an hour and also ask her/him for the purpose. And then after a time limit say for ex. 30 minutes you can disable SSH for the client.

 

[LucasG]

Shell allows you to work out things MUCH faster than with FTP. Instead, you can upload a zip and unzip it without having to upload 7,000 files with ftp which takes about 30 - 60 minutes. You should try to provide jailed shell just to those that request it and make sure you monitor them.

 

[ldcdc]

Instead, you can upload a zip and unzip it without having to upload 7,000 files with ftp which takes about 30 - 60 minutes.

I don't know about other control panels, but unzipping can be done via cPanel.

 

[Zachary McClung]

No, No, and No! None of our shared clients receive SSH. One thing that I have noticed is many of them do not know how to barely log in to their account little lone use SSH. Another site of ours has been on a server that did allow customers to use SSH back before we hosted our own and it caused some downtime because someone used it against the server.

 

[gr8support]

SSH access

I think that allowing SSH access to customers on shared and reseller environment is a bit risky task. As far as i am concerned it would be allowed only on a dedicated environment as the environment belongs to a sole person only. It involves a lot of risk allowing SSH access to any person who is not being used to it, or does not need it as a predetermined thing. If someone is being allowed such access he may be sometimes be a bit risky customer if he does anything unusual then again the host has to do it all over again to set the whole thing up again properly. It also involves wastage of time, which is a precious thing.

 

[chris_j]

To get a SSH access, the customer MUST prove that the task that he needs to do, can ONLY be done thru SSH & nothing else. If this is the case, then we provide a jailed SSH access.

 

[mrzippy]

We do not allow SSH on our shared servers. No exceptions. Ever.

This policy is in place, so that everyone is "equal" and knows that we do not allow it for any reason. We actually have some customers who specifically selected us because of this policy.

If someone needs some commands executed, we simply ask that they give them to our helpdesk and we'll take care of it immediately. Nobody has every complained about this.

 

[Rochen]

Providing SSH is configured properly (provided in a jailed environment etc.) and the server is secure there is no added security risk of offering the service. We have been offering SSH access for over five years now and I have yet to see one security issue arise from us offering this service.

In fact, most of the security issues we see arise are due to exploitable scripts (e.g. outdated versions of phpBB) because of customers not keeping these updated. I personally see something like Fantastico as a higher risk service than SSH.

That being said, we don't enable SSH access by default and require all customers who request it to show a competent level of command line knowledge before enabling it. This is mainly to protect customers from messing their accounts up more than anything else though.

- Chris

 

[bugmaster]

ssh

No need for SSH, and offering it usually is a ticket to inviting malicious users.

If you did/do offer it...

1. Do not make it public that you offer it
2. make sure you have a firewall above the server level for connection restrictions
3. make it static ip access only to that ip
4. jail your shells
5. cross your fingers and take some Xanax to remove anxiety

 

[RaviAgarwal]

I would say, you deny SSH to your customers to shared servers (if it is not a vps) from scratch and instead ask them to send details of tasks he/she wants to do via a ticket.

Support can do that on customer's behalf. Thus avoiding risks and charging a small fees for this special service.

 

[HMarker]

Hello,

Is it possible to enable SSH service for a specific host and disable for another? As far as know, if the SSH service is kept running, many hackers will try to find passwords for guessed usernames such as mysql, admin, root, test, etc.

In my opinion, Web Host should be very careful when leaving SSH service running and available to everybody.

 

[Blue]

Providing SSH is configured properly (provided in a jailed environment etc.) and the server is secure there is no added security risk of offering the service. We have been offering SSH access for over five years now and I have yet to see one security issue arise from us offering this service.

In fact, most of the security issues we see arise are due to exploitable scripts (e.g. outdated versions of phpBB) because of customers not keeping these updated. I personally see something like Fantastico as a higher risk service than SSH.

That being said, we don't enable SSH access by default and require all customers who request it to show a competent level of command line knowledge before enabling it. This is mainly to protect customers from messing their accounts up more than anything else though.

- Chris

Couldn't agree more.
The main reason not to offer ssh is not security, it is the extra work for the support staff to fix what an inexperienced ssh user screws up.