'Hardening' your dreamhost account - dreamhost users


#1

For users of Dreamhost, one of the many misunderstood concepts is your exposure to hackers from one directory to another. You’ve gotten your new dreamhost account and you immediately create a user MYUSER, you have a domain MYUSER.ORG and you’re all set to go! You pay for a second domain (NEWDOMAIN.COM) and you add this to MYUSER. So log in to MYUSER and you see two directories, MYUSER.ORG and NEWDOMAIN.COM. These files are ‘owned’ by the same user.

Let me explain why this is BAD! One of the most common hacks to a website is PHP code insertion, which, if the hacker finds a weakness, allows him or her to insert THEIR code in YOUR PHP file. THEIR code is now running as if they were logged in. Any file associated with MYUSER is now readable, assuming they know how to look around directories (trust me, they do!).

Just as BAD off are us old-time users, who had our accounts before the ‘enhanced security’ feature; because DH didn’t know if we would be affected by enhancing security for us (i.e., our websites would break), they told us about it but didn’t enable it for existing users. This means that all the files are viewable across an entire DH account. Got 15 users? They can all see each other’s files unless ‘enhanced security’ is enabled.

Dreamhost allows you to get an unlimited number of USERS! If you have one user for each website AND AND AND you enable enhanced security, no information will leak between users. So instead of one user with many websites, you need to have many users, each with one website and each with enhanced security enabled. If enhanced security is NOT enabled, then it’s the same as before: one hacker can take down all your websites. So, MYUSER1 :: MYUSER.ORG, MYUSER2 :: NEWDOMAIN.COM!

So, two items for you to do right now:
  1. Ensure that enhanced security is enabled on ALL your DH users
  2. Create new users if you have more than one website per user
USERs are FREE for account holders! Use them!
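The post above argues that the whole point of one user per site plus enhanced security is that no other account on the box can read your home directory. As an added example (not from the thread or from DreamHost), here is a small audit script that checks exactly that on a Linux shared host: whether a home directory's "other" permission bits let any other login traverse it, and which files under it are world-readable. It assumes GNU coreutils (`stat -c`, `find -perm /`); the exact permissions DreamHost's enhanced security applies are not stated in the thread, so the demo simply contrasts a 755 home with a 700 one, and the directory and file names are placeholders.

```shell
#!/bin/bash
# Added example, not from the thread: audit whether a hosting user's home
# directory is reachable by other accounts on the same server. If another
# login (or PHP running as another login) can read or traverse your home,
# a compromise of that account reaches your files too.
# Assumes GNU coreutils (stat -c, find -perm /), as on a Linux shared host.

# Succeed (return 0) if the "other" permission bits of DIR allow read or
# execute, i.e. any other user on the box can list or traverse it.
home_is_exposed() {
    local dir="$1" mode other
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 2
    other=${mode#"${mode%?}"}     # last octal digit = permissions for "other"
    case "$other" in
        0|2) return 1 ;;          # neither r (4) nor x (1) for others: private
        *)   return 0 ;;          # r or x present: exposed
    esac
}

# Regular files under DIR that any other user could read; this is how a
# wp-config.php with database credentials leaks to a neighbouring account.
world_readable_files() {
    local dir="$1"
    find "$dir" -type f -perm /o+r 2>/dev/null | sort
}

# Print a verdict for each directory given as an argument.
audit_homes() {
    local h
    for h in "$@"; do
        if home_is_exposed "$h"; then
            echo "EXPOSED: $h (mode $(stat -c '%a' "$h"))"
        else
            echo "private: $h (mode $(stat -c '%a' "$h"))"
        fi
    done
}

# Constructed demo: two fake home directories under a temp dir (placeholder names).
demo() {
    local base; base=$(mktemp -d)
    mkdir -p "$base/olduser/myuser.org" "$base/newuser/newdomain.com"
    echo '<?php $db_pass = "secret";' > "$base/olduser/myuser.org/wp-config.php"
    chmod 644 "$base/olduser/myuser.org/wp-config.php"
    chmod 755 "$base/olduser"    # typical default: others may traverse and read
    chmod 700 "$base/newuser"    # locked down: only the owner gets in
    audit_homes "$base"/*
    echo "world-readable files under olduser:"
    world_readable_files "$base/olduser"
    rm -rf -- "$base"
}
demo
```

To run it against real accounts, replace the demo with `audit_homes /home/*` (or whatever the host's home layout is) from a shell user; a "private" verdict on every home you own is the state the post is asking for.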


#2

We like Free. We like Free a lot!


#3

Also don’t limit it to one user per domain.
Say you have a site and a blog and they are located at:
mysite.org
blog.mysite.org

Put the blog under its own user too.
Effectively the main site and the blog are two different websites, and this way they are isolated from each other.


#4

kelly7552 wrote in post #1 (topic 57192):

> Dreamhost allows you to get an unlimited number of USERS! If you have one user for each website AND AND AND you enable enhanced security, no information will leak between users.

AND AND AND you don’t undo those settings with something stupid like:

----

Yes, the more correct version of the advice is one user per app, not one user per domain.


#5

I already have the bad setup and I think it’s causing hacking problems. I just completely cleaned up a Wordpress site, following DH’s instructions – renamed the bad site, created a new directory, installed a fresh copy of Wordpress with just 2 themes, and installed only security plugins plus one that I always use (member access, which I’m going to delete). The site got hacked again – the hacker installed hacked themes and plugins. Although I changed the password for the username that owns the sites to one DH likes, I think they must be getting in through another site they previously hacked. I had a lot of sites hacked; it’s going to take forever to clean them up. If you already have a setup with too many things under one user, is there any way to change the main user who owns some of them?


#6

Yes, dreamhost even makes it easy. Go to Manage Domains in the panel, click Edit for a domain, and change the User dropdown to “Create new user”. This will add an option to the page that says “Move files to the new user?”


#7

Thank you, LakeRat!


#8

I created a new user and left the “move files to the new user” option clicked. Now I can log in as the new user and see only the one subdomain, which is what I want. But when I log in as the old user, I can still see the subdomain there as well. Shouldn’t it be gone from the old user?


#9

No, it actually copies and doesn’t move. The wording on the panel option is misleading. After you’re sure it works and you no longer need the old one (or need to change the user back), you can rm -rf the old subdomain.


#10

Got it. Thanks.


#11

I appreciate the info here. I made the error of adding several domains under a single shell user and am in the process of fixing this, and would appreciate feedback greatly to be sure I understand the steps:

  1. Create a new user with its own strong pw for each domain. Does it matter if it is shell (preferred, I think) or sftp? If I understand correctly, this is not an irrevocable decision - I can change this later if I need. (Edit: And disallow ftp.)
  2. Enhanced security for each new user.
  3. ‘Move’ (which is really copy) each domain to a specific user.
  4. Test that I can access the domain by SSH or sftp as the new user.
  5. Go back to the original multidomain user and remove the domain from there - as it now should have been copied to the new user. Does it matter whether I do this simply by sftp and deleting the directory, as opposed to ssh and the unix rm -rf?
  6. What is the correct syntax for removing unwanteddomain.com from the multidomain user?

Thanks.

P

----
As an aside, I notice that the version of the site copied to the new unique user appears to be the ‘live’ site, as changes there appear when the site is visited but are NOT reflected in the files in the directory under the original multidomain user. That could get really messy and ugly.

Wish I had understood that at the outset - would have saved me work.

P


#12

I will try to answer my own questions, based on what some trial and error and reading have shown me:

  1. Easy to change user type. Still don’t know if there is any disadvantage to making the users all shell users, other than the ease of screwing up. The advantage is clearly that unix commands are MUCH faster.
  2. Essential.
  3. Yes.
  4. Yes.
  5. Deleting with sftp works, but have something else to do while you wait.
  6. Using Terminal on a Mac, it was straightforward: ssh username@domain.xxx and then enter the password when prompted, pwd to be sure I am where I think I am, ls -l to see what is there, rm -rf domaintoremove.xxx to get rid of it.

P
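The two posts above lay out the procedure: "move" the domain to its new user (which really copies), confirm the new copy works and is the live one, then rm -rf the stale tree under the old multi-domain user. As an added example (not from the thread or from DreamHost), here is a script that makes step 5 safe: it digests both trees and removes the old copy only if the two are byte-for-byte identical, printing the differing files otherwise. That matters because, as post #11 observed, the copy under the new user becomes the live site, so anything edited after the move exists only there. It assumes GNU coreutils (`find -print0`, `sort -z`, `sha256sum`) on a Linux host; the directory names in the demo are placeholders.

```shell
#!/bin/bash
# Added example, not from the thread: before rm -rf'ing the copy left under
# the old user by the panel's "move", prove the new user's tree matches it.
# Assumes GNU coreutils (find -print0, sort -z, sha256sum) on a Linux host.

# One digest for a whole tree: relative path + content of every regular file,
# so two directories can be compared regardless of where they live.
tree_digest() {
    local dir="$1"
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) \
        | sha256sum | cut -d' ' -f1
}

# Files that differ in content or exist on only one side.
tree_differences() {
    diff -rq "$1" "$2" || true
}

# Remove OLD only when its digest equals NEW's.
# Returns 0 if removed, 1 if the trees differ (OLD is kept), 2 if a path is missing.
remove_old_copy_if_identical() {
    local old="$1" new="$2"
    [ -d "$old" ] && [ -d "$new" ] || return 2
    if [ "$(tree_digest "$old")" = "$(tree_digest "$new")" ]; then
        rm -rf -- "$old"
        return 0
    fi
    echo "trees differ, keeping $old:" >&2
    tree_differences "$old" "$new" >&2
    return 1
}

# Constructed demo: the "new" copy drifted after it went live, so the old
# copy is kept and the difference is reported instead of silently deleted.
demo() {
    local base; base=$(mktemp -d)
    mkdir -p "$base/olduser/newdomain.com/wp-content" "$base/newuser/newdomain.com/wp-content"
    echo '<?php echo "site";' > "$base/olduser/newdomain.com/index.php"
    cp "$base/olduser/newdomain.com/index.php" "$base/newuser/newdomain.com/"
    echo 'DB_PASSWORD=old' > "$base/olduser/newdomain.com/wp-config.php"
    echo 'DB_PASSWORD=new' > "$base/newuser/newdomain.com/wp-config.php"
    if remove_old_copy_if_identical "$base/olduser/newdomain.com" "$base/newuser/newdomain.com"; then
        echo "removed stale copy"
    else
        echo "stale copy kept for inspection"
    fi
    rm -rf -- "$base"
}
demo
```

On the real host, run it as the old user with the old directory as the first argument and the new user's copy (readable only if you still have access to both) as the second; when the digests differ, reconcile the listed files into the live copy first, then rerun.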


#13

The reason I suggested having shell users (while disallowing FTP) is it gives you the most flexibility to actually ‘see’ and look at the files and issues. While S/FTP programs like FileZilla can tell you many things, once you get used to the terminal interface, it’s much faster to diagnose and fix problems that come up, or really look at log files, and generally poke around.


#14

Thanks for mentioning that! I wouldn’t have realized that I was leaving copies of sites around, confusing me and giving hackers more to hack.


#15

Ironically, those copies lying around actually saved me the one time I’ve been hacked. I hadn’t had a chance to clean up after separating each app into its own user, so one user was filled with a dozen directories which looked like web roots. Only one was really serving pages though. The hacker was confused as to which was actually live which left copious footprints in the log files. I think it may actually be useful to have a few dummy directories and name the actual document root as something very inconspicuous.


#16
  1. While I agree, naming your directories something inconspicuous could help, I would be cautious not to become confused myself.

  2. How do you spot footprints in your log files? Is it something specific you personally do or a pattern of actions…?
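Post #15 describes an attacker leaving "copious footprints" in the access log while guessing which of a dozen directories was the live web root, and post #16 asks how such footprints are spotted. As an added example (not from the thread and not anyone's posted method), here are two small awk checks over an Apache combined-format access log that surface exactly that pattern: one visitor collecting 404s on many distinct paths, and POST requests aimed directly at PHP files under themes, plugins or uploads, which is how planted files get driven. The log lines are constructed for the demo, not real traffic, and the IPs are documentation addresses.

```shell
#!/bin/bash
# Added example, not from the thread: two checks over an Apache-style access
# log for the "footprints" a directory-guessing attacker leaves behind.
# The sample log below is constructed for the demo.

# Constructed sample in Apache "combined" format (fields: $1 ip, $6 method,
# $7 path, $9 status).
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2014:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2014:10:02:10 +0000] "GET /oldsite.org/wp-login.php HTTP/1.1" 404 210 "-" "curl/7.30"
198.51.100.9 - - [10/Mar/2014:10:02:11 +0000] "GET /backup/wp-login.php HTTP/1.1" 404 210 "-" "curl/7.30"
198.51.100.9 - - [10/Mar/2014:10:02:12 +0000] "GET /blog.old/wp-login.php HTTP/1.1" 404 210 "-" "curl/7.30"
198.51.100.9 - - [10/Mar/2014:10:02:20 +0000] "POST /wp-content/themes/twentyten/404.php HTTP/1.1" 200 0 "-" "curl/7.30"
203.0.113.7 - - [10/Mar/2014:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:03:05 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"'

# IPs that collected 404s on at least THRESHOLD distinct paths (default 3).
# A normal visitor missing a favicon is one 404; someone guessing which of
# several directories is the live web root racks up many, each on a new path.
probing_ips() {
    local log="$1" threshold="${2:-3}"
    awk -v t="$threshold" '
        $9 == 404 {
            key = $1 SUBSEP $7
            if (!(key in seen)) { seen[key] = 1; n[$1]++ }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$log" | sort
}

# POSTs to PHP files under wp-content/{themes,plugins,uploads}. Those
# directories are served, not posted to, so a 200 here usually means a
# planted file is being driven; print ip, path and status.
php_post_hits() {
    local log="$1"
    awk '$6 == "\"POST" && $7 ~ /^\/wp-content\/(themes|plugins|uploads)\/.*\.php/ {
        print $1, $7, $9
    }' "$log" | sort -u
}

demo() {
    local log; log=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$log"
    echo "== IPs probing for a web root (>=3 distinct 404 paths) =="
    probing_ips "$log" 3
    echo "== POSTs to PHP under wp-content =="
    php_post_hits "$log"
    rm -f -- "$log"
}
demo
```

Point the two functions at a domain's real access log from a shell user; raise the threshold on a busy site, and treat any IP that appears in both lists as one to investigate first.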