
cPanel Security Advisor

Discussion in 'Security' started by psytanium, May 20, 2016.

  1. psytanium

    psytanium Well-Known Member

    Hi, I scanned my VPS server with the advisor tool and it returned some notifications, if someone has a few minutes to explain.

    1 - Apache vhosts are not segmented or chroot()ed.
    But when I search for "jailapache" I find it greyed out and cannot turn it on.

    2 - No symlink protection detected
    I was reading the documentation, but is there some easy instruction to do it?

    3 - The MySQL service is currently configured to listen on all interfaces: (bind-address=*)
    I opened /etc/my.cnf but couldn't find bind-address=127.0.0.1

    4 - SSH direct root logins are permitted.
    I couldn't find PermitRootLogin in /etc/ssh/sshd_config, should I add it? How?

    Thanks :)
     
  2. sarath8372

    sarath8372 Active Member

    Hello,

    • This option is only available if you compile Apache through EasyApache and installed mod_ruid2 version 0.9.4a or later. So you will need to install mod_ruid2 to be able to enable the option.
    • You can use this option with CentOS or RHEL 5, 6, or 7, or Amazon Linux. The mod_ruid2 module is not compatible with CloudLinux™.
    • This option is unavailable on systems that run CentOS or RHEL 5 with 256 or more users.

    Warning:

    cPanel strongly recommends not to use the setting with CentOS or Red Hat® Enterprise Linux (RHEL) 5, because these operating systems distribute older kernels with limitations. The Linux kernel versions for these operating systems and the number of bind mounts that VirtFS requires make it difficult to ensure system stability.

    Refer to: Tweak Settings - Security - Documentation - cPanel Documentation.

    Best option would be mod_ruid2 + jailshell.

    For that, you will need to compile Apache (through EasyApache) and install mod_ruid2 first (Also required for 1st one). Then enable "EXPERIMENTAL: Jailshell Virtual Hosts using mod_ruid2" and "cPanel jailshell" in WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings).

    Refer to: Symlink Race Condition Protection - EasyApache - cPanel Documentation

    So 1 and 2 require mod_ruid2 installed. Please note that enabling mod_ruid2 will automatically disable Cache, Disk Cache, Cache Disk, MemCache, Mod FastCGI v2.3.9, Mono, Tomcat, and UserDir. I won't recommend installing mod_ruid2 if you do not know how to administer it. You can find full documentation of mod_ruid2 at: Apache Module: ModRuid2 - EasyApache - cPanel Documentation

    Simply add it if my.cnf doesn't already have bind-address defined.

    Yes, you can add it.

    Code:
    PermitRootLogin no
    If you are disabling root login, you can use wheel users to access the server via SSH. Once logged in, you can switch to root. Please refer to: Manage Wheel Group Users - Documentation - cPanel Documentation
     
  3. psytanium

    psytanium Well-Known Member

    sarath8372

    Thank you for the explanations, I appreciate it.
    I think I should learn more about ModRuid2 - EasyApache, before I install it.
    I modified the file my.cnf. It worked.
    I modified the file sshd_config but the advisor is still giving the same error.

    Can I post here the content of sshd_config?

    Thanks again.
     
  4. sarath8372

    sarath8372 Active Member

    Hello,

    Did you restart the SSH service after modifying /etc/ssh/sshd_config?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  6. psytanium

    psytanium Well-Known Member

    Yes, I restarted the SSH service.
     
  7. masun

    masun Registered

    Just from experience, I installed mod_ruid2 on a server and it broke several scripts and software and I had to uninstall it. I would recommend upgrading to CloudLinux to resolve that issue.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Were any of the instructions in the document helpful? You can post the contents of your /etc/ssh/sshd_config file in CODE tags here, but remember to hide any identifying server information, and to hide any custom ports you have configured.

    Thank you.
     
  9. psytanium

    psytanium Well-Known Member

    Code:
    #    $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
    
    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.
    
    # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
    
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.
    
    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2
    
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024
    
    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO
    
    # Authentication:
    
    #LoginGraceTime 2m
    #PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    
    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile    .ssh/authorized_keys
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandRunAs nobody
    
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication    no
    
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication    no
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes
    
    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    #UsePAM no
    UsePAM    yes
    
    # Accept locale-related environment variables
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #ShowPatchLevel no
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    
    # no default banner path
    #Banner none
    
    # override default of no subsystems
    Subsystem    sftp    /usr/libexec/openssh/sftp-server
    
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #    X11Forwarding no
    #    AllowTcpForwarding no
    #    ForceCommand cvs server
    UseDNS    no
    Match User root
        PasswordAuthentication yes
    
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You can change the following line:

    Code:
    #PermitRootLogin no
    To:

    Code:
    PermitRootLogin no
    Then, restart SSH, and check "WHM >> Security Advisor" again to see if the warning persists. Keep in mind this disables authentication via SSH as "root".

    Thank you.
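
The edit described in the post above only takes effect if the directive ends up uncommented in the global section of the file. As an added example (not part of the original thread and not cPanel's own check), the shell functions below report what an sshd_config-style file actually sets; `effective_global` and `match_overrides` are hypothetical helper names, and the sample file is constructed from the relevant lines of the posted config.

```shell
#!/bin/sh
# Added example (not from the thread). Rules from sshd_config(5): '#' lines are
# comments, keywords are case-insensitive, the first value found for a keyword
# is used, and a Match line ends the global section. "Keyword=value" syntax is
# not handled here.

# Hypothetical helper: value of KEYWORD in the global section, or "unset".
effective_global() {   # usage: effective_global KEYWORD FILE
    awk -v kw="$1" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section is over
        tolower($1) == kw { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }       # sshd falls back to its default
    ' "$2"
}

# Hypothetical helper: print "criteria: value" for KEYWORD set inside Match blocks.
match_overrides() {    # usage: match_overrides KEYWORD FILE
    awk -v kw="$1" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { $1 = ""; sub(/^ +/, ""); block = $0; next }
        block != "" && tolower($1) == kw { print block ": " tolower($2) }
    ' "$2"
}

# Constructed sample: only the lines of the posted config that matter here.
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
#LoginGraceTime 2m
#PermitRootLogin no
PasswordAuthentication    no
UseDNS    no
Match User root
    PasswordAuthentication yes
EOF
# The edit from the post: remove the leading '#' from the directive.
sed 's/^#PermitRootLogin/PermitRootLogin/' "$before" > "$after"

echo "before edit: PermitRootLogin = $(effective_global PermitRootLogin "$before")"
echo "after edit:  PermitRootLogin = $(effective_global PermitRootLogin "$after")"
echo "global PasswordAuthentication = $(effective_global PasswordAuthentication "$after")"
echo "Match override: $(match_overrides PasswordAuthentication "$after")"
rm -f "$before" "$after"
```

On a live server, `sshd -T` prints the configuration as sshd itself resolves it, which is the authoritative check after a restart.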
     
  11. psytanium

    psytanium Well-Known Member

    Same results.

    Code:
    #    $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
    
    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.
    
    # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
    
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.
    
    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2
    
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024
    
    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO
    
    # Authentication:
    
    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    
    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile    .ssh/authorized_keys
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandRunAs nobody
    
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication    no
    
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication    no
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes
    
    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    #UsePAM no
    UsePAM    yes
    
    # Accept locale-related environment variables
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #ShowPatchLevel no
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    
    # no default banner path
    #Banner none
    
    # override default of no subsystems
    Subsystem    sftp    /usr/libexec/openssh/sftp-server
    
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #    X11Forwarding no
    #    AllowTcpForwarding no
    #    ForceCommand cvs server
    UseDNS    no
    Match User root
        PasswordAuthentication yes
    
     
  12. psytanium

    psytanium Well-Known Member

    The advisor status still exists, but now I cannot connect through FileZilla! How can I undo the changes?
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Are you using FileZilla to access the server via SSH? You can revert the change you made to the SSH configuration file and then restart SSH. As mentioned, making that change disables authentication via SSH as the "root" user.

    Thank you.
     
  14. psytanium

    psytanium Well-Known Member

    Now I cannot connect to the server via FileZilla.
    I can log in to WHM as root.
    I cannot log in as root using SSH PuTTY.
    I can use a tool from BlueHost, "System Console", very similar to PuTTY but it runs in the browser.
    I contacted BlueHost, they cannot reset sshd_config.

    Please let me know how to reverse things. Thanks
     
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You may want to try running a temporary instance of SSH to see if it allows you to access your server to investigate:

    Code:
    https://IP:2087/cpsess12345678/scripts2/doautofixer?autofix=safesshrestart
    You would replace "IP" with the server's IP address and the session number with what's displayed in your address bar after logging in to WHM. Note that this is simply a temporary instance of SSH that will run on a different port, so you can log in and determine what's wrong with the standard SSH service.

    Thank you.
     
  16. psytanium

    psytanium Well-Known Member

    Solved, using "System Console" from BlueHost, and the command pico -w /etc/ssh/sshd_config
    Then I modified and saved the file
     