Enhance SSH

gmakhs

How safe is giving users SSH access compared to in CL ?
Is it stable for production ?

Rich

As far as my understanding goes it's pretty equivalent, in that they both use name spaces and cgroups... CL uses a little more custom tweaking whereas enhance is more vanilia. Unlike CL, it would be more difficult to modify the client SSH if they required different apps.

Stable? How stable is your enhance machine...

Just test it out and make sure it's what you want to give to clients, that said if clients have access to their CP, then they have it anyways. You can't block it.

gmakhs

Rich there is the option to allow ssh access or not though, but thats not the point of the question, the question is how safe it is to the main server

rdbf

Rich

I don't like the fact that users can just browse through the whole server. I'm not sure what's standard with panels and not, but I'd absolutely want customers to be locked into their folder and not be able to browse around the server.

And it's very possible to block it, by just allowing only the admin user to login by editing the /etc/ssh/sshd_config file accordingly. But it might interfere with the core functionality of Enhance.

Rich

gmakhs as safe as cgroups and name spaces is. You need to determine if that's suitable risk for you.

Rich

gmakhs I see it's at the package level, I had to check.

twest

gmakhs since it's running inside the users container it's fairly safe. Things they can do to crap up the server could also be done from their website or from phpmyadmin, so preventing ssh access doesn't fully button things up imo, BUT I think ssh certainly makes it easier for users to crap things up.

My concern on a server level would be them logging in to their mysql and pasting some crap they generate on gpt which then creates some runaway processes or critical errors in their db that then consumes massive serverwide resources outside the control of cgroups... They can do that with phpmyadmin too, so maybe it's an unfounded fear of mine. But I do find users that request ssh are much more likely to paste crap in that they have no idea what it is or what it does.

Overall I discourage ssh. If they need ssh for something legitimate, they're always welcome to ask support for help doing whatever they're trying to do that needs ssh. Then we can help to make sure it's safe and they aren't just pasting in some random crap they find on the web that's going to wreck their site.

Adam

rdbf I don't like the fact that users can just browse through the whole server. I'm not sure what's standard with panels and not, but I'd absolutely want customers to be locked into their folder and not be able to browse around the server.

On Enhance they can't. When a customer connects with SSH, they are placed inside their application container. They have access to directories like /usr/bin from the host o/s (so they can run the PHP CLI, vim, nano, ssh, git, etc) but they can't see the /etc/passwd, they can't list /var/www, they can't see other processes running on the system, they can't even access the network stack which means they can't start a listening daemon.

I appreciate many hosting providers like to disable ssh but in my opinion this is no more risky than letting customers upload their own PHP scripts. The nature of shared hosting is that you're letting your customers run their own code on your servers, whatever that might be.

rdbf

Adam

I logged in with SSH as a normal user that has a website, and what I can see is the following:

ls -lh /var/mail/ lists all the users that have mail on the server, permission denied on opening the files though
ls -lh /etc/ssh lists a bunch of keys which are readable. I'm no ssh power user, so no idea if this is bad
/etc/passwd and /etc/passwd- are readable. The latter one with all users on the server
/etc/sysctl.conf is also readable, as is /etc/fail2ban/jail.d/<custom config>, which contains abuseipdb API keys

And so on, you get the point. Maybe I'm paranoid and not a hosting guru, but this feels uncomfortable. My clients are and all will be of the yoga teacher and passion project type, so I know they can't abuse anything even if stuff was wide open, but still.....

Adam

/etc/passwd- is a backup of your /etc/passwd, which I think gets created when you use useradd/usermod manually. You're right Enhance should hide this file, we will add this shortly.

fail2ban isn't something which Enhance installs so it doesn't know to "white out" that directory. Assuming it runs as root, you can/should probably set 600 permissions on the files containing the API keys to prevent other users reading them. PHP could read them just as easily.

gmakhs

Adam so he just proved that ssh in enhance is not safe, and probably there are other things that might have been missed out :/

JohnB

Adam wait so by default can user A view the files and their contents, of user B?

cPFence

gmakhs so he just proved that ssh in enhance is not safe, and probably there are other things that might have been missed out :/

To clarify, while I believe Enhance should improve this (especially since they are already using containers), it's important to note that this behavior is common among most popular control panels when users are granted SSH access. For instance, here are examples from Plesk and DirectAdmin, including a discussion about jailed shells.

Some control panels offer workarounds or solutions, while others simply recommend using CloudLinux. Although CloudLinux is probably the best option for managing SSH access on shared hosting servers, it’s still not 100% secure.

For those of us managing shared hosting servers, I personally don’t think it’s worth the hassle to provide SSH access to users. If a client needs temporary access, it can be handled via a support ticket. If they require permanent SSH access, moving them to a small VM is a better solution, especially since Enhance doesn’t charge for additional VMs.

cPFence

JohnB

No, he can't. However, it's still not recommended to provide SSH access on a shared hosting server.

By itself, /etc/passwd- is not catastrophic, but it does give an attacker a map of the system’s users and accounts, which can potentially be used as part of a broader attack. This issue should definitely be addressed by the Enhance team. Some hosting companies may allow users to have SSH access, but it should be carefully managed and restricted to prevent misuse.

ss88us

✅ cat /etc/passwd does not list any other users. I tried by logging in with the oldest and newest users created on the server.
⚠️ cat /etc/passwd- lists all users on the machine and their home directories. When you try to cd into a directory, it doesn't exist.
✅ cat /etc/shadow (and it's variants) = Permission denied
✅ ls -lh /var/log is empty
✅ ls -lh /var/www lists only the logged in user's folder.
⚠️ ls -lh /var/mail lists files with usernames. Not writable. Permission denied when opening.
⚠️ Keys in /etc/ssh are public host keys. Not writable. The private ones are permission denied.
✅ cat /etc/sudoers = Permission denied
⚠️ cat /etc/fstab is readable. Not writable.
✅ cd /root = Permission denied
⚠️ cat /etc/crontab and others i.e. cat /etc/cron.daily/XXX = Readable. Not writable.

Any other important files/directories?

josedieguez

this and many other things must have been addresed before waiting for v12.

JohnB

cPFence well said. Besides if someone is using shared hosting they can't expect the very best in security. Just isn't possible.

Shared hosting is like renting a room in a house. Door has a lock and a good landlord helps a lot but it will never be as secure as an apartment (VPS) or secured building (dedicated).

There is always a vulnerability if you share hardware with others. Could be vulnerability in KVM isolation even.

gmakhs

cPFence enhance doesn't charge but other licenses like Lite speed enterprise do cost .

Adam

If you want to hide the /etc/passwd- before 12.0.0, run:

find /var/local/enhance/containers/*/* -maxdepth 1 -name overlay -exec touch {}/etc/passwd- \;
killall -9 php-fpm lsphp

This will force a restart of all your PHP containers to apply the change, there will be around 30 seconds downtime. Otherwise it will apply on the next container restart.

cPFence

gmakhs enhance doesn't charge but other licenses like Lite speed enterprise do cost .

You can still run the command provided by Adam and then allow SSH access for your users if you choose. Many hosting companies do this, but typically only upon request ,it’s a common practice in the hosting industry.

With Enhance, you’ll get the same level of SSH security as older panels like Plesk and DirectAdmin. Despite being relatively new, Enhance even surpasses them in some aspects of security.