__/ [ Allis ] on Tuesday 28 February 2006 16:45 \__
> Knowing the little foolery that wise men have makes a great show, Roy
> Schestowitz has proclaimed :
>
>> __/ [ Allis ] on Tuesday 28 February 2006 16:34 \__
>>
>>> Knowing the little foolery that wise men have makes a great show, Roy
>>> Schestowitz has proclaimed :
>>>
>>>> __/ [ jim ] on Tuesday 28 February 2006 08:37 \__
>>>>
>>>>> I've been out of the web design business for about 2 years. This
>>>>> month I signed up several clients...however, one client already had
>>>>> a two year contract with a hosting service, the full cpanel set of
>>>>> options including ssh access.
>>>>>
>>>>> The problem is this: the hosting service is requiring a photo id to
>>>>> activate the ssh service. I know at some hosting services you have to
>>>>> ask for ssh to be activated, but I've never heard of a hosting
>>>>> service requiring a photo id...I mean they took the guy's money and
>>>>> credit card and didn't require photo id...
>>>>>
>>>>> Is this usual these days???? Has something changed?? Oh, the
>>>>> hosting service is bluehost.com
>>>>>
>>>>> thanks....
>>>>>
>>>>> jim
>>>>
>>>> What does the client need SSH access for? Any X-forwarding involved?
>>>> A quick session with the GIMP? If not, phpshell can be used as well,
>>>> merely as a powerful alternative.
>>>>
>>>> Many hosts dread the thought of clients connecting to their vital
>>>> machines unless they have known the client in question for many
>>>> years and believe him/her to be a trustworthy person. So, there's
>>>> your question you need to ask yourself or have the client ask
>>>> him/herself: has sufficient trust been established?
>>>>
>>>> Roy
>>>>
>>>
>>> Adding a note: Be careful of just adding a phpshell to the account
>>> without the host's knowledge.
>>> Many of these are abused, and hosts run server searches for them,
>>> disable and shut off the account for doing so.
>>
>> You are the second person who has told me this. *gasp* Now I'm getting
>> a little worried.
>>
>> Well, I put it in a password-protected directory, phpshell itself is
>> password-protected and I only ever use it for very fundamental things.
>> I am aware of people who got the server under fire because of poor
>> password choices or negligence.
>>
>> What about phpproxy? Any restrictions on that? I soon
>> password-protected that small-yet-powerful program. It could lead to
>> any arbitrary type of traffic and can cripple the server.
>
> When in doubt, ask your host ;)
> Honestly, many put up phpshells, proxies and uploaders and know nada
> about their security issues. This is what worries hosts most, and hurts
> hosts most also. Just like a simple contact form can be injected.

I guess I would be able to use Apache's directory protection as an argument
of defence. Frankly, it is only myself who ever bothers to get access to
these tools. I no longer make any tool/package public unless it has earned
some reputation.

Many thanks for the advice, Allis.

Roy