enahs

Member
Apr 1, 2013
20
0
1
cPanel Access Level
Root Administrator
Hello,

We have recently been having a big issue with trying to log into our VPS. This VPS is ours, which we have running in Azure, so there is nobody to truly call as the virtual server is ours. Recently it's almost impossible to log in, and right now I can't log in at all. Most think this problem would be with the brute force feature, but the problem is we can't log in to even turn it off or whitelist our IP address. The last time I got logged in I had to try for over a day, and when I did I didn't get a chance to look at the brute force feature before my login timed out (was running out of the office late). Is there ANYTHING we can do to get logged into this thing? I can't even SSH into it. At first that was what I was trying to do and it was driving me insane, making me think I forgot my password, but I also thought that was impossible since I was using KeePass.

I have a feeling I know the answer to this but figured it was worth asking. I could reboot the server but I would rather not do that; it would be a last resort.

Thanks for any assistance.
 

enahs

Hi,

Have you tried logging in using a different IP?


Regards
Yes, I should have said that in my original post but I had tried from numerous outside IPs. I have remote connections to clients of mine via RDP and LogMeIn.

Since I first posted this I was able to get back in. When I look at the brute force history it does not show my IP, but what I am guessing is that because there is a setting to lock out when too many attempts are on an account, I bet that it was locking out the root account no matter what IP I was trying to log in from... I made that zero. I don't want the root account getting locked out because someone is trying to hack it. Doing it IP based is fine but not solely on the root account.
 

enahs

Well root should be disabled either way for security reasons.
I'm not sure I follow you, if you are using an IP-based brute force attack prevention why would you want an account to be locked out? The last thing I want is for me to not be able to access my own server which has happened several times. We're not going to be able to stop attacks completely and it's obvious that the most targeted account would be "root".
 

enahs

Hi,

That's why you want the "root" not to be able to connect, but instead you can create another user and then su root; that way most attacks to "root" would stop the minute they type "root" as user.
After I sent that reply I realized what you meant. I am not a Linux guru by any means so I guess I am always "scared" to make any changes to the root account other than password changes. Do you have any easily accessible links or documents that would explain how to block the root user from accessing SSH, FTP or any other protocol necessary? I would like to do this to stop this from happening and based upon best practices.
 

enahs

Hi,

That's why you want the "root" not to be able to connect, but instead you can create another user and then su root; that way most attacks to "root" would stop the minute they type "root" as user.
By the way, I disabled the ability for the root user to get in via SSH but it just simply tells you that access is denied when trying to log in as "root". It doesn't really stop the moment they type "root" and hit enter. Does this seem right? Wouldn't cPHulk BF still try to lock out the root account in this situation if turned on?
 

enahs

Yes, it's not allowing the root user to log into SSH now, as I know I am typing the password correctly and it is stating "Access Denied". I am just going by your description as to what should happen. Typing "root" and hitting enter then prompts me to enter a password. After that I get denied although I am typing the password correctly. From your description I thought the moment I type "root" and hit enter it would not work, i.e. not even prompt me for a password.
 

enahs

That's correct; what I said previously works with ssh password authorization = no,
meaning you need to log on using SSH keys.


Ah, I didn't know or think you had mentioned turning off "ssh password authorization". By doing this, would it cause users to not be able to utilize SFTP? Lack of knowledge being said, I thought SFTP is pretty much no different than SSH. I don't want my users to lose the SFTP ability or make it overly complicated. Since this VPS is in Azure, FTP can be an issue but SFTP works flawlessly. Worst case is the root account no longer has SSH abilities, so turning off "Maximum Failures by Account" should not matter.
 

enahs

There shouldn't be a problem between SSH and SFTP; those are 2 different protocols you are talking about.
Great! Thanks for all the replies. I am going to lock down SSH using non-password authentication but read up on it a bit first so I don't lock myself out due to lack of knowledge. :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
There shouldn't be a problem between SSH and SFTP; those are 2 different protocols you are talking about.
This is not accurate. SFTP is essentially FTP over SSH, and SFTP configuration changes are also made in the SSH configuration file (/etc/ssh/sshd_config). That being said, you can still use key authentication with SFTP if you prefer to disable password authentication.

Thank you.
 

enahs

This is not accurate. SFTP is essentially FTP over SSH, and SFTP configuration changes are also made in the SSH configuration file (/etc/ssh/sshd_config). That being said, you can still use key authentication with SFTP if you prefer to disable password authentication.

Thank you.
See that is what I thought...my reasoning is I noticed that when using SFTP it is using port 22. I guess I need to better understand how one authenticates when using key authentication. I don't want to have to provide a "key" for every person who wants to use SFTP. That would be something I simply would not want to manage. Again that was being said w/o reading up on how it works.
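
The setup discussed in this thread (no root login over SSH, key-only SSH for administrators, passwords kept for SFTP-only users) can be written with a `Match` block in `/etc/ssh/sshd_config`. The following is an added example, not part of the original posts, that evaluates a constructed config the way sshd resolves it: the first value of a keyword wins, and a satisfied `Match` block overrides the global section. The group name `sftpusers`, the sample config and the helper names are assumptions, and only `User`/`Group` criteria are modelled.

```python
import fnmatch

# Constructed sample config; the group name "sftpusers" is hypothetical.
SAMPLE = """\
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp internal-sftp
Match Group sftpusers
    PasswordAuthentication yes
    ForceCommand internal-sftp
"""
# Upstream OpenSSH defaults (current releases), used when a keyword is unset.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def _matches(criteria, user, groups):
    """True if every User/Group criterion on a Match line holds ("Match all" too)."""
    it = iter(criteria)
    for kind, patterns in zip(it, it):
        if kind.lower() not in ("user", "group"):
            return False  # Host, Address, etc. are not modelled
        names = [user] if kind.lower() == "user" else groups
        if not any(fnmatch.fnmatch(n, p) for n in names for p in patterns.split(",")):
            return False
    return True

def effective(text, user, groups=()):
    """Settings sshd applies to `user`: first value wins, Match overrides global."""
    glob, matched = {}, {}
    active, target = True, glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        if key.lower() == "match":
            active, target = _matches(args, user, list(groups)), matched
        elif active:
            target.setdefault(key.lower(), " ".join(args))
    return {**DEFAULTS, **glob, **matched}

def password_login_allowed(text, user, groups=()):
    """Can this user authenticate with a password (PAM/keyboard-interactive ignored)?"""
    cfg = effective(text, user, groups)
    if cfg["passwordauthentication"].lower() != "yes":
        return False
    return user != "root" or cfg["permitrootlogin"].lower() == "yes"

if __name__ == "__main__":
    for u, g in [("root", []), ("admin", ["wheel"]), ("client1", ["sftpusers"])]:
        print(u, password_login_allowed(SAMPLE, u, g))
```

On a live server, `sshd -t` validates the file before a restart, and keeping an existing session open while testing a new login avoids a lockout.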