
Is giving a "trusted" 3rd party FTP access to a subdomain dangerous for the whole domain?

@Gonzalez347

Posted in: #Ftp #Plesk #Security

I'm giving a "trusted" 3rd party (I say "trusted" because I've worked with them before, but in reality I don't know them...) access to a development version of my site x.mysite.com.

The site is static HTML/CSS/JavaScript, so there is no database or server-side scripting to play with/disrupt.

Are there any dangers in giving them FTP access to the subdomain, apart from them deleting everything there (I have a backup)?

Could they disrupt the hosting, or other subdomains/root domain?

Just to be clear: this is not root FTP access to the domain/server, and server-side scripting (PHP, Java, Python, etc.) is all disabled via Plesk, which they do not have access to.


2 Comments


@Megan663

If somebody can put content onto a subdomain, they can read and modify any cookies of visitors that are set to the root domain.

They could damage your reputation by posting items at that subdomain that you would not approve of, but which would look like they came from you.

Most of the consequences of a Cross Site Scripting (XSS) vulnerability are possible, including running insecure code that allows untrusted third parties to perform XSS attacks.

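The cookie exposure described in the answer above can be audited from the parent site's own responses. This is an added example, not part of the original answer: it classifies `Set-Cookie` headers issued by mysite.com by whether content hosted on x.mysite.com could see them. The header values are constructed sample data and the function names are hypothetical.

```python
# Added example: which parent-site cookies are exposed to a subdomain?
# Assumes every header was received from the parent site (mysite.com).

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def exposure(header, subdomain):
    """Classify how a parent-site cookie is exposed to pages on `subdomain`."""
    name, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    # The __Host- prefix forbids a Domain attribute, and a cookie without
    # Domain is host-only: the browser never sends it to other hosts.
    if name.startswith("__Host-") or not domain:
        return name, "not sent"
    if not domain_matches(subdomain, domain):
        return name, "not sent"
    if "httponly" in attrs:
        return name, "sent in requests, hidden from scripts"
    return name, "readable by scripts"

def audit(headers, subdomain):
    """Map cookie name -> exposure for a list of Set-Cookie header values."""
    return dict(exposure(h, subdomain) for h in headers)

# Constructed sample headers, as if captured from https://mysite.com/
SAMPLE_HEADERS = [
    "session=abc123; Domain=mysite.com; Path=/; Secure; HttpOnly",
    "prefs=dark; Domain=.mysite.com; Path=/",
    "cart=42; Path=/; Secure",
    "__Host-csrf=xyz; Path=/; Secure",
    "promo=1; Domain=www.mysite.com; Path=/",
]

if __name__ == "__main__":
    for name, level in audit(SAMPLE_HEADERS, "x.mysite.com").items():
        print(f"{name:14} {level}")
```

Cookies reported as "readable by scripts" are the ones to rescope (drop the `Domain` attribute or use the `__Host-` prefix) before handing out write access to the subdomain.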


 

@Nimeshi995

Plesk is pretty good about setting up the proper security settings between domain accounts and subdomains, including FTP access.

Many sites do grant FTP access to 3rd parties that they work with because there's not as much risk with FTP, providing that root access isn't permitted, which can be set in Plesk (as it seems you already have done).

I would suggest making sure the FTP account username is specific to them so you can track logins in the server logs. Also be sure to use a password which is not close to any others that you might use elsewhere.

Other than that, I would monitor the FTP directory contents to make sure they, or someone else who potentially has their username/password, isn't serving anything unwanted from your FTP site. You can easily monitor the bandwidth to the domain account via Plesk to make sure this isn't being abused, and assign maximum bandwidth allowances and maximum FTP account sizes too.

Plesk also automatically manages things like abusive IPs that attempt to log in repetitively (including FTP logins), so you won't have to be concerned about brute force attacks should their login information get exposed or your business relationship end; you'll only need to change the username and password to something else secure (or just delete the FTP account).

In short, providing that you set FTP and bandwidth limits in Plesk, and monitor the FTP directory contents, you should be safe granting FTP access to a 3rd party you do business with.
