I am looking to change root access so that another user has full access rights and then disable root access as my server is being probed and attacked by hackers. Is it possible to transfer root ownership to another user on the server?
You can't disable root user. You can create another user, for example a reseller account and give that user limited or full access via Reseller Center in WHM. That won't stop the problems you're hoping it will though.
"...my server is being probed and attacked by hackers."
Can you be more specific? For example, if you're seeing in your logs IP addresses attempting to log in via SSH on port 22, we change the port SSH uses, make sure it works, and then disable port 22. No one else knows your new SSH port number and those entries stop appearing in your logs.
Hi there,
Yes, I can be more specific. I have Brute Force enabled and someone from Japan tried logging in as root last night (daytime their time), as this was emailed to me when this activity happened by the Brute Force protection. This was definitely via root via my IP address and using :2086 so disabling port 22 won't make any difference.
Hi there, This person has additionally tried logging in today and here is the log:
Apr 14 09:29:54 tiger sshd[9695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
Apr 14 09:29:56 tiger sshd[9695]: Failed password for root from 118.159.231.205 port 54377 ssh2
Apr 14 09:29:58 tiger sshd[9764]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
Apr 14 09:30:00 tiger sshd[9764]: Failed password for root from 118.159.231.205 port 54556 ssh2
Apr 14 09:30:00 tiger sshd[9799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
Good old Brute Force has put a permanent block on his IP address.
Is there anything else I can do to secure my server up?
That snip of your log shows that the user was trying to log in via SSH, not WHM. This is also quite common.
Do you have CSF (ConfigServer Security & Firewall) installed as well? If not, you should look into it, IMHO.
Strong, very hard to guess passwords that you change on a regular basis can also be very helpful.
You could use Host Access Control in WHM to limit sshd and whostmgrd logins to your IP address(es) and then deny all other IP addresses. If you do that, then you won't have to worry about them even trying to brute your machine because all IPs that aren't allowed will be blocked from connecting.
To allow your IP(s) and then deny all others for sshd and whostmgrd, you'd put this into WHM > Host Access Control area:
Code:
Daemon      Access List   Action   Comment
sshd        1.2.3.4       allow    My home IP for SSH
sshd        1.2.3.5       allow    My office IP for SSH
sshd        ALL           deny     Deny access from all other IPs for SSH
whostmgrd   1.2.3.4       allow    My home IP for WHM
whostmgrd   1.2.3.5       allow    My office IP for WHM
whostmgrd   ALL           deny     Deny access from all other IPs for WHM

In the above example, 1.2.3.4 and 1.2.3.5 are your IPs to allow for SSH and WHM access. Please note that the order does matter. The deny lines must be below the allow lines. If you deny before you allow, you'll block all IPs on the machine. As such, please ensure that you put your allow lines on top of (above) the deny ones.
cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
-- Tristan, Forums Technical Analyst, cPanel Tech Support
Submit a ticket | Check an existing ticket
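An added example, not part of the original post and not cPanel's own code: a pre-flight check that evaluates a Host Access Control rule list the way TCP wrappers does (first matching rule wins) and reports admin IPs that would be locked out, plus rules that can never be reached. The function names and tuple layout are assumptions, the sample rules are constructed from the table above, and the address/prefix form goes beyond the thread's example.

```python
import ipaddress

# Constructed sample rules in the thread's column order: (daemon, access list, action).
GOOD = [
    ("sshd", "1.2.3.4", "allow"), ("sshd", "1.2.3.5", "allow"), ("sshd", "ALL", "deny"),
    ("whostmgrd", "1.2.3.4", "allow"), ("whostmgrd", "1.2.3.5", "allow"),
    ("whostmgrd", "ALL", "deny"),
]
# Same sshd rules with the deny line moved to the top (the ordering mistake warned about).
BAD = [("sshd", "ALL", "deny"), ("sshd", "1.2.3.4", "allow"), ("sshd", "1.2.3.5", "allow")]

def matches(pattern, ip):
    """True if an access-list entry covers ip: ALL, one address, or address/prefix."""
    if pattern.upper() == "ALL":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def decide(rules, daemon, ip):
    """Return the action of the first matching rule; later rules are never consulted.
    No match means allow (assumption: no other deny rules exist on the host)."""
    for rule_daemon, pattern, action in rules:
        if rule_daemon == daemon and matches(pattern, ip):
            return action
    return "allow"

def shadowed(rules):
    """Rules placed after an ALL rule for the same daemon, so they never take effect."""
    seen_all, dead = set(), []
    for rule in rules:
        if rule[0] in seen_all:
            dead.append(rule)
        elif rule[1].upper() == "ALL":
            seen_all.add(rule[0])
    return dead

def preflight(rules, admin_ips, daemons=("sshd", "whostmgrd")):
    """Problems to fix before saving: admin IPs that get denied, and unreachable rules."""
    problems = [f"{ip} would be denied for {d}" for d in daemons for ip in admin_ips
                if decide(rules, d, ip) != "allow"]
    problems += [f"rule {r} is never reached" for r in shadowed(rules)]
    return problems

if __name__ == "__main__":
    print(preflight(GOOD, ["1.2.3.4", "1.2.3.5"]))
    print(preflight(BAD, ["1.2.3.4"], daemons=("sshd",)))
    print(decide(GOOD, "sshd", "203.0.113.7"))  # constructed outside address
```

Running `preflight` with the address you are currently connecting from in `admin_ips` shows whether a changed IP would leave console access as the only way back in.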
So is whostmgrd adding these entries via IPtables or is there another file these entries are being placed in?
My question is, what happens if my IP were to change and I cannot access WHM? My only access then would be via console and I would need to know how and where to update the IP to a new one to regain access to WHM.
Thank you
Chris
Hello Chris,
The Host Access Control entries are placed into the /etc/hosts.allow file for both the allow and deny rules for whostmgrd.
Thanks!
-- Tristan, Forums Technical Analyst, cPanel Tech Support