ljprevo
Aug 21 2002, 11:49 AM
In this thread:
http://forum.rackshack.net/showthread.php?...=&threadid=9462
I brought up the fact that resellers could still grant access to their sites even though you don't allow it.
My main concern was that resellers could grant shell access to their customer's site; up till now I had not known of a way to stop it.
Before you start, create a fake reseller account on your ensim box. You will notice you can't restrict what a reseller can and can't give.
Now with that reseller account go and start to create a new site, and click the advance button. They can give their sites any access they want.
My telnet is off and I don't want to extend SSH (shell) to just anyone. It was recommended to move SSH to another port, but if the reseller's user stumbled onto the port they could log in.
I came across a post at ensim's forum that explained how to turn off tomcat to a reseller (due to the high server load tomcat produces)
http://www.ensim.com/ubb/Forum11/HTML/000269.html
So I thought, let's try this with SSH and telnet services.
- SSH into your box as root
- type "hide_service telnet"
(this will shut the telnet service off as well if it is on, it should not be due to security problems)
- It will tell you to "Please restart the appliance server to refresh the GUI."
- Type "/etc/rc.d/init.d/webppliance restart"
After this is done.
- now type "hide_service ssh"
- It will tell you to "Please restart the appliance server to refresh the GUI."
- First start your SSH up by typing "service sshd start" (the ssh service will be on, but will no longer show in the GUI)
- then type "/etc/rc.d/init.d/webppliance restart"
Login with your fake reseller account, add a site, click advanced and you will now notice that the telnet and SSH services are gone!
To restore these, all you need to do is the same as above, except where it says type "hide_service", type "unhide_service".
LighthousePoint
Aug 21 2002, 12:22 PM
hmm, interesting fix -- nice job.
Now if only someone could figure out how to do this per-reseller... Anyone from Ensim in here?
mouse
Aug 21 2002, 12:58 PM
While I agree it would be nice for Ensim to at some point create a reseller template that allows us to control what they can and cannot sell, this is a nice solution for the time being that will affect all resellers.. Mouse
JCEUSA
Aug 21 2002, 07:53 PM
hide_service mivamerchant
does the trick for miva also
very nice indeed!
Question, do these stay in effect even after server reboots?
LighthousePoint
Aug 21 2002, 07:55 PM
I checked the Ensim documentation, and it seems that this trick works for ANY service that can be assigned to domains -- even apache.
ljprevo
Aug 21 2002, 08:04 PM
I tried to turn off the "development tools" with no luck, any suggestions?
LighthousePoint
Aug 21 2002, 08:08 PM
You'd need to know the service name. The doc from Ensim doesn't have it -- and it looks like it's from 3.0, not 3.1. Here's the list I have:
files
analog
telnet
ssh
imap
bind
You might try contacting Ensim regarding the name of the service. You could also try their forums -- but it's hard to get an answer there.
mouse
Aug 22 2002, 02:28 AM
Some more to add to the list.. I apologize if a couple have already been posted.. Mouse
usage: hide_service servicename
mivamerchant
tomcat4
files - file manager
anonftp - disables someone from setting up anon FTP
vhbackup - if you want to, this is the backup util (don't recommend hiding this one)
bandwidth
bind
cgi
frontpage
imap
majordomo - keep them from setting up mailing lists if you like
sqmail - kinda obvious
develenv - Development Tools
thnx ljprevo for the great find.. Mouse
ljprevo
Aug 22 2002, 07:31 AM
Ah no problem Mouse, you have been great with your howto's I thought it was time I shared something I found.
ljprevo
Aug 22 2002, 09:21 AM
Just came across something.
I accidentally shut my ssh down and had it hid from the GUI.
I about crapped myself.
Well I issued this in the browser and it came back on, whew!
While logged into the admin control panel, issue this line in the same browser:
https://myserver.com:19638/webhost/services...ctlist:list=ssh
(be sure to change "myserver.com" to your own server domain or IP)
JCEUSA
Aug 22 2002, 11:12 AM
hrm...
that's not cool, anyone could start and stop your services?!?
have you experimented stopping/starting other things or
am I jumping the gun about this being a serious stability
problem if it gets into the wrong hands ?
ljprevo
Aug 22 2002, 11:15 AM
QUOTE
Originally posted by JCEUSA
hrm...
that's not cool, anyone could start and stop your services?!?
have you experimented stopping/starting other things or
am I jumping the gun about this being a serious stability
problem if it gets into the wrong hands ?
No you have to be logged in to your admin control panel first, sorry for not mentioning that.
Owen
Aug 22 2002, 11:27 AM
Is it possible to show things? such as things that are included in ensim but not available on your box? obviously couldn't use them, but an option would be there, meh I'm just wacked out at the moment =/.
LighthousePoint
Aug 22 2002, 12:01 PM
No, this would only work for services that Ensim knows about, and can manage.
mouse
Aug 22 2002, 02:26 PM
as LHP mentioned.. there is a directory of services which Ensim can control in this method and only those services when called as ljprevo, LHP and myself listed will work.. Mouse
JCEUSA
Aug 22 2002, 05:28 PM
all of a sudden the file manager is not allowing file uploads,
I get a ssl message about the page containing both secure and unsecure content.
Try to upload a file and it goes to a 404 error page cannot be found
?:eek: :eek: :eek:
This is the last thing I was playing around with on the server and when I removed tomcat I got a notice about ssl cannot be enabled for name based sites, and now ssl is also not an option when resellers add name based sites.
Any ideas ? please!
LighthousePoint
Aug 22 2002, 05:31 PM
SSL was NEVER an option for name-based sites
I think you remember incorrectly.
JCEUSA
Aug 22 2002, 05:42 PM
I know that, what I am saying is when I did hide_service tomcat4
it spit out an array of error msgs about ssl not being available for name based sites.
[root@ensim /]# hide_service tomcat4
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
Please restart the appliance server to refresh the GUI.
Why would it give that warning unless one of the sites on this box has enabled ssl and is a name based site, correct ?
ljprevo
Aug 22 2002, 06:16 PM
It is redesigning the GUI, that is what you are seeing for each name based site you have.
JCEUSA
Aug 22 2002, 06:34 PM
Ah, thanks for the info.
also found and fixed my file manager problem,
apparently the file appl_uploadfile.cgi located
in /var/www/cgi-bin is the script for file uploads
in 3.1 (3.0 is different)
I didn't recognize the file while browsing the other
day, and I renamed it "to be safe"

since it was
in my friggin cgi-bin, then I tested around to see
if the box was hacked or not...well turns out we aren't
hacked and ensim 3.1 needs it for the file manager...sigh
BoiTaiTui
Aug 22 2002, 09:26 PM
I got this problem. Can anyone tell me how to fix this when I try to hide ssh?
Traceback (most recent call last):
File "virtualhosting/virthost.py", line 3052, in hide_service
File "/home/build/fcs/serverxchange/3.1.0/25/lwp/build25/WebGui/base/services/vh3/reseller/virthost_actions.py", line 111, in hide_service
UnboundLocalError: local variable 'status' referenced before assignment
QUOTE
Originally posted by JCEUSA
Ah, thanks for the info.
also found and fixed my file manager problem,
apparently the file appl_uploadfile.cgi located
in /var/www/cgi-bin is the script for file uploads
in 3.1 (3.0 is different)
I didn't recognize the file while browsing the other
day, and I renamed it "to be safe"
since it was
in my friggin cgi-bin, then I tested around to see
if the box was hacked or not...well turns out we aren't
hacked and ensim 3.1 needs it for the file manager...sigh
Penguin
Aug 25 2002, 12:08 PM
Hmmm, unfortunately this doesn't seem to work if you've already enabled SSH access on any sites:
[root@server1 /root]# hide_service ssh
Hide service: Hide Service Check failed
- (ERROR: 01ff000000000061): Cannot hide service ssh as these sites have it enabled:
site1
site48
site63
[root@server1 /root]#
Anyone got a workaround for this?
foggy
Aug 25 2002, 01:36 PM
QUOTE
Originally posted by BoiTaiTui
I got this problem. Can anyone tell me how to fix this when I try to hide ssh?
Traceback (most recent call last):
File "virtualhosting/virthost.py", line 3052, in hide_service
File "/home/build/fcs/serverxchange/3.1.0/25/lwp/build25/WebGui/base/services/vh3/reseller/virthost_actions.py", line 111, in hide_service
UnboundLocalError: local variable 'status' referenced before assignment
Apply the patch from here
http://www.ensim.com/support/sxc/faqs/16.1.html
That's what I needed to do.
NOTE, when you run the command
gzip -d resller.pyc.gz
it won't work, because it is misspelled.. it should be
gzip -d reseller.pyc.gz
Realist
Aug 26 2002, 06:31 PM
This is strange?
I rebooted server and I lost my SSH and I could not get access via telnet because it was switched off.
I issued the command: unhide_service ssh
and got the following error:
Traceback (most recent call last):
File "/usr/local/bin/unhide_service", line 27, in ?
import cmdlnpopen
ImportError: No module named cmdlnpopen
Any ideas?
Brian
P.S.
I don't want to reboot server and find that I will lose ssh again?
LighthousePoint
Aug 26 2002, 08:59 PM
QUOTE
I rebooted server and I lost my SSH and I could not get access via telnet because it was switched off.
I issued the command: unhide_service ssh
If you could not get into ssh or telnet, how did you issue that command?
Anyway, if you have SSH back, then you'll need to go into /etc/rc.d/rc3.d and make sure there's a script in there that STARTS ssh. If there isn't, put one there, then wonder why it was removed.
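The two checks this thread keeps coming back to (which sites block `hide_service ssh`, as in Penguin's post, and whether sshd will start at boot, as in the reply above), written out as an added example that is not part of the original thread. It assumes site names of the form `site<number>` and SysV start links named `S<nn>sshd`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run around "hide_service ssh".

# Sample hide_service failure, copied from Penguin's post in this thread.
sample_output() {
cat <<'EOF'
Hide service: Hide Service Check failed
- (ERROR: 01ff000000000061): Cannot hide service ssh as these sites have it enabled:
site1
site48
site63
EOF
}

# Read hide_service output on stdin and print the sites that block the hide,
# one per line. Assumption: site names always look like "site<number>".
blocking_sites() {
    awk '
        /Cannot hide service .* as these sites have it enabled:/ { in_list = 1; next }
        in_list && NF == 1 && $1 ~ /^site[0-9]+$/ { print $1; next }
        { in_list = 0 }
    '
}

# Return 0 if the runlevel directory (default /etc/rc.d/rc3.d) contains a
# SysV start link for sshd (S<nn>sshd); K<nn>sshd links only stop the service.
sshd_starts_at_boot() {
    rcdir=${1:-/etc/rc.d/rc3.d}
    for link in "$rcdir"/S[0-9][0-9]sshd; do
        [ -e "$link" ] && return 0
    done
    return 1
}

# Demo: list the blocking sites from the sample, then check the local box.
echo "Sites that must have SSH disabled before hiding the service:"
sample_output | blocking_sites
if sshd_starts_at_boot; then
    echo "sshd has a start script in rc3.d"
else
    echo "WARNING: no S??sshd link in rc3.d; sshd will not start after a reboot"
fi
```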
Realist
Aug 27 2002, 04:31 AM
Solved the unhide problem by installing this update from here
http://www.ensim.com/support/sxc/faqs/16.1.html and it worked ok.
I will look into the /etc/rc.d/rc3.d and see if the commands are in there.
Thanks,
Brian
QUOTE
Originally posted by Realist
This is strange?
I rebooted server and I lost my SSH and I could not get access via telnet because it was switched off.
I issued the command: unhide_service ssh
and got the following error:
Traceback (most recent call last):
File "/usr/local/bin/unhide_service", line 27, in ?
import cmdlnpopen
ImportError: No module named cmdlnpopen
Any ideas?
Brian
P.S.
I don't want to reboot server and find that I will lose ssh again?
ilir
Sep 7 2002, 11:29 PM
How does one hide the "Domain Aliasing" that shows in the Site Summary of a client?
Thanks,
Ilir.
LighthousePoint
Sep 8 2002, 01:18 AM
ilir > Please do not double-post your questions when it can be avoided. Secondly, your original post was ON-TOPIC, however, this one is rather OFF-TOPIC. This thread is about hiding SERVICES (such as SSH, FTP, etc), whereas you wish to remove a link that is hard-coded into the GUI. Personally, I think that it would be impossible to remove it -- but who knows, maybe someone will figure it out. However, ensim has informed me that the functionality (much like the /admin redirects) is hard-coded, and cannot be changed for all sites, and then be not over-written on a site edit.
cmafia
Sep 13 2002, 03:05 AM
...but I like it!
slick
Sep 13 2002, 05:49 PM
Can someone help me? I applied the patch and rebooted but I still get an error. I'm on 3.1.1
[root@ensim /root]# hide_service ssh
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
Traceback (most recent call last):
File "virtualhosting/virthost.py", line 3145, in hide_service
File "virtualhosting/virthost.py", line 3260, in _hide_service
File "virtualhosting/virthost.py", line 1382, in write_plan_file
File "/home/build/fcs/serverxchange/3.1.1/28/lwp/prakash28/WebGui/base/services/vh3/mod_perl/virthost_actions.py", line 66, in write_plan_file
File "/home/build/fcs/serverxchange/3.1.1/28/lwp/prakash28/WebGui/base/services/vh3/mod_perl/virthost_actions.py", line 40, in verify_dict
TypeError: unsubscriptable object
Realist
Sep 13 2002, 06:28 PM
Go into the Ensim admin panel and make sure that there are no sites running or have SSH turned on.
You will be able to see them by the icon on the site page.
Brian
QUOTE
Originally posted by slick
Can someone help me? I applied the patch and rebooted but I still get an error. I'm on 3.1.1
[root@ensim /root]# hide_service ssh
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
Traceback (most recent call last):
File "virtualhosting/virthost.py", line 3145, in hide_service
File "virtualhosting/virthost.py", line 3260, in _hide_service
File "virtualhosting/virthost.py", line 1382, in write_plan_file
File "/home/build/fcs/serverxchange/3.1.1/28/lwp/prakash28/WebGui/base/services/vh3/mod_perl/virthost_actions.py", line 66, in write_plan_file
File "/home/build/fcs/serverxchange/3.1.1/28/lwp/prakash28/WebGui/base/services/vh3/mod_perl/virthost_actions.py", line 40, in verify_dict
TypeError: unsubscriptable object
slick
Sep 14 2002, 09:02 AM
It told me who had ssh and I removed them.
What do you mean *running*?
Realist
Sep 14 2002, 09:40 AM
Ignore the word running. I should have used the word enabled.
Now that all your sites have SSH disabled. Try running the update or reboot again and see if the error shows up.
Brian
slick
Sep 14 2002, 10:02 AM
no luck.
slick
Sep 21 2002, 03:31 PM
I've fixed it a bit; now when I do something like hide_service telnet the command will hang. Any suggestions?
slick
Sep 21 2002, 03:38 PM
Just as I thought, webppliance needed to be rebooted after my last change. I still get warnings, but it works.
Vladimir
Sep 22 2002, 07:31 PM
Installed Ensim patch but got this error:
QUOTE
[root@home hideservice]# hide_service mivamerchant
openssl: Write service plan warning
- (WARNING: 1700000000000001) field 'enabled': SSL cannot be enabled in name based plans. Not supported for name based sites yet
Traceback (most recent call last):
File "virtualhosting/virthost.py", line 3145, in hide_service
File "virtualhosting/virthost.py", line 3260, in _hide_service
File "virtualhosting/virthost.py", line 1382, in write_plan_file
File "/home/build/fcs/serverxchange/3.1.1/28/lwp/prakash28/WebGui/base/services/vh3/mod_perl/virthost_actions.py", line 66, in write_plan_file
File "/home/build/fcs/serverxchange/3.1.1/28/lwp/prakash28/WebGui/base/services/vh3/mod_perl/virthost_actions.py", line 40, in verify_dict
TypeError: unsubscriptable object
rfxn
Sep 27 2002, 05:45 AM
ls /lib/opcenter/rpmscripts
I did that for a list of different opcenter specific features -- not all can be controlled by hide_service/unhide_service but it does give you a decent base of the names for applicable usage.
inquisitive
Sep 29 2002, 03:23 AM
I get a command not found error when I try to type hide_service_telnet ...Oh I'm logged in as root, what am I doing wrong :confused:
inquisitive
Sep 29 2002, 03:25 AM
Oh just found my mistake ...it's "hide_service telnet"
Vladimir
Oct 1 2002, 07:14 PM
Anybody know how to fix my problem?
slick
Oct 3 2002, 06:04 PM
restart webppliance 2 times.
Vladimir
Oct 3 2002, 06:10 PM
QUOTE
Originally posted by slick
restart webppliance 2 times.
WOW!!! IT WORKS!!!
reallynicejerk
Oct 4 2002, 08:37 PM
After running hide_service telnet, ssh and anonftp and restarting the GUI after each one, I am unable to connect to my server via ssh. Putty automatically says " network error: connection refused" when attempting to open ssh to my server IP#.
Could this be because of hiding the service? or could it be a random error of some sort unrelated? I was under the impression that even if I hid the service I would still be able to use ssh as admin and root.
ljprevo
Oct 4 2002, 08:41 PM
QUOTE
Originally posted by reallynicejerk
After running hide_service telnet, ssh and anonftp and restarting the GUI after each one, I am unable to connect to my server via ssh. Putty automatically says " network error: connection refused" when attempting to open ssh to my server IP#.
Could this be because of hiding the service? or could it be a random error of some sort unrelated? I was under the impression that even if I hid the service I would still be able to use ssh as admin and root.
I answered this further back in this thread.
After you hide service you have to manually restart it so it still works.
QUOTE
Originally posted by ljprevo
Just came across something.
I accidentally shut my ssh down and had it hid from the GUI.
I about crapped myself.
Well I issued this in the browser and it came back on, whew!
While logged into the admin control panel, issue this line in the same browser:
https://myserver.com:19638/webhost/services...ctlist:list=ssh
(be sure to change "myserver.com" to your own server domain or IP)
reallynicejerk
Oct 4 2002, 09:04 PM
oh thanks, sorry, I don't know why I didn't see that before, thank you!
ljprevo
Oct 4 2002, 09:09 PM
QUOTE
Originally posted by reallynicejerk
oh thanks, sorry, I don't know why I didn't see that before, thank you!
Oh no problem, did you get your SSH running again?
When that happened to me I about crapped myself
I was thinking reboot, but if SSH was off it would not come on at reboot.
Having shell access is very important, esp. remotely.
reallynicejerk
Oct 4 2002, 09:12 PM
Result : start for service OpenSSH Secure Shell succeeded.
Thanks for the help!
Now does this make ssh available to resellers again, or just to admin?
ljprevo
Oct 4 2002, 09:17 PM
Should just be the admin.
I am not sure, if you had sites that had this enabled.
If you have no sites that had SSH enabled, then only
the admin can access SSH and the resellers can't give that access no more.
reallynicejerk
Oct 4 2002, 09:19 PM
yeah well I had to disable all the site's ssh before hiding the service so that would mean that now only admin has ssh.
So do I have to turn this on in the browser after every time I reboot the server?