Plesk recommends blocking FTP and let customers use SFTP

Posted by flexyboy, 03-24-2010, 03:51 PM
Parallels says that most hacks/spamming is done via FTP with customer credentials and therefore recommends blocking FTP (21) and making users use SFTP (22). I have never been comfortable with offering customers shell access, as I all too well remember the default Plesk and cPanel installations of 2002 and 2003 that included quite a few holes. I have been into webhosting shells as a webhosting client where I was able to read data of other clients. Since those days, I have never trusted SSH access for clients, and SSH is a very restricted protocol on our servers. How risky is it to give clients access to /bin/bash or /bin/bash (chrooted) on Plesk servers? There are discussions going on at our company to take Parallels' advice and send new clients e-mails that recommend the use of SFTP over FTP, but so far we have not given clients SSH/SFTP access at all, as I have never been comfortable with it. I still do not see the need for SSH access for customers, except for importing giant databases, which is something our support personnel will do for free. Are you a webhosting provider that gives SSH access or not, and what do you think of the idea to recommend SFTP over FTP to improve security?

Posted by Crashus, 03-24-2010, 04:36 PM
If someone can steal a user's FTP password, they will use it for SFTP as well; also, it will give them SSH access, so this is most likely a useless idea. SSH MUST be very restricted; you know Linux kernel exploits are coming out about one a month. SSH should be given on request, I think. At least I wasn't able to use SSH until I had submitted a ticket to my provider, and even then I needed to use a non-standard SSH port, and this is a clever move.

Posted by marrtins, 03-24-2010, 06:04 PM
You can use a restricted shell to forbid SSH access but allow SFTP. See http://dragontoe.org/rssh/ However, as Crashus already mentioned above, SFTP does not help when someone steals the credentials or users lose their credentials themselves. SFTP can only prevent stealing users' credentials when someone is sniffing the network, as SFTP uses an encrypted connection.
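A defender-side check for the sshd half of the restricted-shell suggestion, as an added example that is not from this thread: instead of rssh, OpenSSH's own Match block with ForceCommand internal-sftp confines a group to SFTP with no shell. This Python audit parses an sshd_config (constructed samples inline; the group name sftponly is an assumption) and reports which of those settings a group is still missing.

```python
import re
# Constructed samples: WEAK is a stock default (any valid password also grants a
# shell); HARDENED confines members of group "sftponly" (assumed name) to chrooted SFTP.
WEAK = "Subsystem sftp /usr/lib/openssh/sftp-server\n"
HARDENED = """\
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""
# What an SFTP-only Match block must set (sshd keywords are case-insensitive).
REQUIRED = {"forcecommand": "internal-sftp", "allowtcpforwarding": "no",
            "x11forwarding": "no", "permittunnel": "no"}

def parse_sshd_config(text):
    """Return (global_opts, [(criteria, opts), ...]) with lower-cased keywords."""
    global_opts, matches, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"): continue   # blank or comment line
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":                        # start of a conditional block
            crit = re.findall(r"(\S+)\s+(\S+)", value.lower())
            matches.append((crit, {}))
            in_match = True
        elif in_match:
            matches[-1][1].setdefault(key, value)
        else:
            global_opts.setdefault(key, value)    # sshd: first value wins
    return global_opts, matches

def sftp_only_findings(text, group):
    """Return findings for `group`; an empty list means shell-less, chrooted SFTP.
    Match blocks override globals; among several matching blocks the first wins."""
    global_opts, matches = parse_sshd_config(text)
    opts = {}
    for crit, block in matches:
        if any(c == "group" and group.lower() in v.split(",") for c, v in crit):
            for k, v in block.items():
                opts.setdefault(k, v)
    for k, v in global_opts.items(): opts.setdefault(k, v)
    findings = [f"{k} is {opts.get(k)!r}, expected {want!r}"
                for k, want in REQUIRED.items() if opts.get(k, "").lower() != want]
    if "chrootdirectory" not in opts:
        findings.append("ChrootDirectory not set")
    return findings
```

Run it against /etc/ssh/sshd_config for each group you hand SFTP credentials to; the same parser also shows when a later Match block silently fails to apply because an earlier one already set the keyword.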

Posted by agustan, 03-24-2010, 07:04 PM
The previous hosting company I worked for did require a valid verification process for all clients who wanted to have SSH/shell access. We asked them to send their valid scanned ID, their ISP name as well as their IP addresses, etc., so that only valid clients whose IPs were listed for SSH would be able to access it. We also set the policy for them to use some combination of upper-case, lower-case and numeric characters in their passwords, to make it hard for hackers to break in.

Posted by net, 03-24-2010, 07:14 PM
Just use FTP over explicit TLS/SSL.

Posted by JustinAY, 03-24-2010, 11:49 PM
Agreed. There is absolutely no point in allowing SFTP over the above.

Posted by prashant1979, 03-25-2010, 05:29 AM
The best option is to use FTP over explicit TLS/SSL.

Posted by madaboutlinux, 03-25-2010, 06:15 AM
flexyboy, I wouldn't recommend SSH access for clients, since the security threat is greater than with allowing FTP access. These are common problems on shared servers. However, you need to make sure your clients set strong FTP passwords and ask them to scan their local machines regularly for any viruses, worms, keyloggers etc. If the number of domains hosted on the server is limited, you can allow FTP access from your clients' IPs only and block everyone else. It's better to follow these steps rather than enabling shell access for all the accounts.
