I know that a website can have some vulnerabilities that hackers could use even though the admin tries his/her best to make their website very secure. I want to make my website secure and by doing that I need to try my best to do so. First way to make it secure is to ask questions and below are the specific questions I want to ask.
These are my specific questions:
1. Can a hacker access my website's .htaccess file? And if so, can they edit it?
2. Can a hacker get my SSH root password even if the SSH password is 18+ characters long?
3. Can a hacker get my FTP username and password even if the FTP password is 18+ characters long?
4. Is SSH more secure than FTP?
NOTE: The below is just a general information which probably doesn't cover half of the subject, there are tons of things you need to make sure of but the below should give you a rough idea.
Can a hacker access my website's .htaccess file?
Yes, some scenarios this could happen:
If you configure wrong your httpd.conf allowing people to visite .ht* pages which is by default forbidden on the httpd.conf
If your server is meant for hosting and you or your users don't properly apply permission to their files so they are accessible within other accounts.
If your webserver don't deploy user and group protection to accounts
If accounts are not rooted to their folders.
And if so, can they edit it?
Yes and no, just accessing the file from a browser will not grant them access to edit it, however in some cases it may be possible for instance:
If one of your codes PHP, perl, etc have vulnerabilities then yes it may be possible
As mentioned early if your websever does not deploy per account user and group then others account will have access to the files from another account
If the permission set on the .htaccess file is for instance 777 which allows ANYONE to manipulate that file it will be editable and readable from others account.
Can a hacker get my SSH root password even if the SSH password is 18+ characters long?
Brute force is not the only way to grab someone's password, if your computer has been compromised, if your services are not up to date with the newest exploits and more, it's also possible to get your password.
The most common way to protect against this would be to make your SSH password-less, basically you will deny direct access to root, block any access using password and will only grant access to authorized keys that are generated from a pair of keys.
This key would allow you access to a pre-defined account that have that key allowed to be logged as.
From that account you've logged as, you can either use sudo to run commands as root or su - to switch the current account to root.
Change the SSH port to some other port.
Use your firewall to prevent and catch brute force attempts on certain ports and block it.
Use your firewall to allow only your IP to access the server if your IP is static.
Use your firewall to block access to unused ports of service that do not require external access for example if you do not offer MySQL remote access you can block access to the port 3306 as well as configuring your MySQL server to bind on the localhost only.
Can a hacker get my FTP username and password even if the FTP password is 18+ characters long?
Brute force is not the only way to grab someone's password, if your computer has been compromised, if your services are not up to date with the newest exploits and more, it's also possible to get your password.
Is SSH more secure than FTP?
They are different protocols and serve to different purpose and they can be equality insecure or equality secure it all depends on the System Administrator to keep it up to date and secure.
Related
I had a server that had a lot of users on it, its operating system was cloudlinux and had cpanel!
This server is used for Python projects and had bin/bash!!! access
Suddenly the command rm -rf * was typed on the server and all the data was deleted !!!
We quickly uploaded the backups and hacked the possibility and restricted ssh access to the root server!
But the next night we were hacked again, this time with the monitoring we had at whm! , we noticed that someone enters whm and quickly changes the password !!!
My question is whether users with access to bin/bash! can find the root password ???
We are now giving users access to JailShell in CPanel and full SSH access is closed. Do you have any idea how this happened?
Did you encounter a similar case?
Does bin/bash access allow the user to see the password?
Thank you for sharing your comments with us
It's difficult to obtain a Linux password, even with full access to the computer. That's because the passwords are stored in hashed form. Probably the only reliable way to get a password is to install a trick password change program, which does the change, but also sends the password somewhere else.
However, you don't need the password to get full access to a computer. There are several other ways in, and anyone who can access /bin/bash is likely to be able to test them and probably find one that works. Once they get full access, most intruders will install some other program that will let them in in the future, even if the original security hole is patched.
Once a machine is compromised, it's pretty important to burn it and start fresh. You can't trust it otherwise.
I read the question: How does the GitHub authentification work? and https://unix.stackexchange.com/questions/315615/is-ssh-public-key-associated-with-a-user Which is exactly what I am wondering. I am still missing a better answer.
When I test my SSH-key-pair I connect to user git#gitlab.com. My stored Public key has a fingerprint of base64. When the SSH Client(me) want to connect to the server(My gitlab/github account server) it sends its ID(fingerprint), the server checks it ".ssh/authorised_keys" and loops through the Fingerprints after the correct public key to encrypt the challenge.
On Github/Gitlab there are several thousand of users, they all use the same username ("git") to initiate a web (SaaS)session. So how is this separated on the server? I don't get root access on gitlab/github, of course. I only get access to my account though the generic user-session git#gitlab.com. But how is this implemented?
When I use SSH in other situations I have a specific username which I use to [my-username]#router.com
E.g.
If I would set up my own GitLab on a local NAS/Server. How can I create an account (User#local-gitlab.com) but the access rights are limited to the Fingerprint of the differents users SSH-key-pairs?
User: ID:001
User: ID:002
User: ID:003
Somehow I need to limit the access for ID:001 when he/she initiate a ssh-session with my server on account "User".
I can't speak for GitLab, but for GitHub, there is a dedicated service that terminates these connections, contacts the authentication service with the key in question, and then receives the response about whether the user is allowed to access that repo, and if so, contacts the servers storing the data.
GitHub has more than 65 million users, many users have multiple SSH keys, and there are also deploy keys for servers, so using the command directive with an OpenSSH authorized_keys file would be extremely slow, since it would involved parsing and reading probably gigabytes of data each time a connection was made.
If you need this yourself for a small set of users, the command directive in authorized_keys is a viable approach. If you need something more scalable, you can create a custom server with something like libssh and perform authentication yourself, either in that process, or in a separate process.
I found this question+answer: https://security.stackexchange.com/questions/34216/how-to-secure-ssh-such-that-multiple-users-can-log-in-to-one-account. Which highlights that you can put restrictions on authorised_keys. Don't know if that provides precise answer for my question, but it looks like it.
command="/usr/local/bin/restricted-app",from="192.0.2.0/24",no-agent-forwarding,no-port-forwarding,no-x11-forwarding ssh-rsa AAAA… git#gitlab.com
I guess there is several thousand of those lines at gitlabs/githubs servers in .ssh/authorized_keys where every single line points out access to only that gitlab/hub account.
Please comment if you don't agree.
Please guys help me, I want prevent my old developer from access to my VPS,WHM and cPanel what I should do. I don't want to lose my work.
I saw there is password for Virtuozzo Power Panel, WHM and cPanel there is my thing i need to change it.
like how I know if he have SSH access or not. or any recovery can he recover the passwords
If you have given Password, SSH and FTP access to your developer you can consider doing the following:
Change your WHM's root password
Change all of your cPanel accounts' passwords (or those that your
developer had access to, if he had access to the whole WHM - you
might want to change all passwords)
Make sure there aren't any authorized SSH keys for the root user.
This can be seen through WHM's interface, docs here
Make sure there aren't any authized SSH keys for any cPanel user as
well. This can be done through each cPanel account's SSH Access
tool
Check all cPanel accounts for unauthorized FTP accounts.
You can also take a look at the cron jobs that are running as well.
Ultimatively you should also consider looking for any backdoors that
might be present in the scripts that your developer was working on.
What is the most secure way to store usernames/password combinations for databases that are used by apache?
there must be something more secure than just storing cleartext passwords in a single file and putting them in a folder that only root and apache have access to.
Well, let me ask this: who are you protecting from? You want to be "more secure", but you haven't identified any attack vector.
External users
If you're trying to protect them from external users, you have two options:
Move the file outside of the webroot. Therefore, the attacker cannot get the file as Apache won't serve it.
Protect the file via permissions or DENY in Apache. That way Apache won't serve it.
The first option is better, as a misconfiguration can't expose the credentials.
Internal users (people who have access to the server)
You can't protect against them. If the attacker can get on the server, they can (in general at least) get access to the credentials.
Yes, you can encrypt the file. But Apache must know how to decrypt it, so the attacker can figure that out.
Your only defense is to set permissions on the file properly. Make it so that it can only be read by Apache (nobody).
In short, there's little to no gain to encrypting credentials, as if your server is properly configured there's no chance of them leaking to someone that they wouldn't leak to already.
Protect your application from other attack vectors (SQLi, Code Injection, XSS, etc) as they are more likely to be the ways that an attacker is going to get in...
I guess I'm being a little hesitant but I deal with vcs's occasionally and always get asked for some sort of prompt, of course I'm attempting to access an external machine which I'm sshing into.
Basically my question is, say I don't have root access on this machine, would it still be possible to set this up? I've skimmed through reading it a couple times and I'm pretty sure I got the method down - you generate pub/private keys, sftp to the machine and throw your public into some authorized_keys directory. How is this managed with multiple users for example? Could the generic file name ( the .pub ) get overwritten, or am I completely misunderstanding the process here and it's setup to allow multiple keys natively?
If I'm not a sudoer and one of the server's directories needs to be chmod'd to say 700 whereas it's 655, I can't really do anything other than ask for su access, right?
If you have ssh access to the remote machine, you can generate the key pair on your local machine, add the public key to the authorized_users file on the remote machine, and then use this for authentication. You don't need root privileges to do this. The keys and authorized_files usually reside under your home directory ( myhome/.ssh/authorized_keys etc) so they don't get confused between users.
Your questions about setting directory permissions is unrelated, but if you own the directory or its parent (or its parent...) you will be able to set any permissions on the file in that directory.
Sounds to me like it might be time to curl up with a general *nix administration book, perhaps? Not light reading, but it can be useful and I always find it most informative to learn the details when I'm actually struggling with them.
I ssh all the time into a machine that allows su or sudo. But, it's set up not to allow ssh via "ssh root#machine". So to answer your question, yes it's possible.
You can only change the directory permissions if you own the directory or if you have root access.