Disable Host Access Control

[flashweb]

Hi,

I restrict root SSH access to my server with /etc/hosts.allow and hosts.deny.

Now if some get WHM root access, they can modify Host Access Control and login to SSH.

Is there anyway i can disable "Host Access Control" feature in WHM so no can modify /etc/hosts.allow ?

Thanks,

Yujin

 

[georgeb]

Hi,

I restrict root SSH access to my server with /etc/hosts.allow and hosts.deny.

Now if some get WHM root access, they can modify Host Access Control and login to SSH.

Is there anyway i can disable "Host Access Control" feature in WHM so no can modify /etc/hosts.allow ?

Thanks,

Yujin

Why you don't use sshd_config with option "AllowUsers noroot" so the "root" user can't access ssh only user "noroot"
or "AllowUsers [email protected]" only allow user "noroot" fom ip "xx.xx.xx.xx" to connect via ssh.
Please be careful because you can bloock your access to server.

You can check in the background if file was modified or do this file "sshd_conf" immutable with chattr -i .



Regards,
George B.

 

[flashweb]

Why you don't use sshd_config with option "AllowUsers noroot" so the "root" user can't access ssh only user "noroot"

I don't want to disable root SSH login.

or "AllowUsers [email protected]" only allow user "noroot" fom ip "xx.xx.xx.xx" to connect via ssh.

I want to allow access from multiple IP, example, home, office. Also you can restart SSH to default configuration through WHM. So whatever you do in sshd_config won't protect you if hacker have WHM root access.

What i want to do is secure SSH access even if hacker got root access to WHM.

If we can disable Host Access Control feature in WHM, even with root password, hacker won't be able to login to SSH.

Lets consider recent mass hacking

http://forums.cpanel.net/f185/sshd-rootkit-323962.html

Hacker got root password from Cpanel helpdesk. Lets say i open support ticket with Cpanel.net with root password. Hacker read the ticket, collect root password and started hacking my server. Hacker tried to login to SSH, he can't, because i restrict access with /etc/hosts.allow/deny and a non standard port. Hacker login to WHM. Restart SSH with default configuration. Remove rules from WHM > Security > Access Control. How he got SSH access, now they can install libkeyutils.so.9 and start sending spam mails.

 

[quietFinn]

Isn't it easier that you use the Host Access Control to deny access to whostmgrd (WHM) service?

 

[flashweb]

Isn't it easier that you use the Host Access Control to deny access to whostmgrd (WHM) service?

yes, but is not possible if you have resellers. If not, i would have just firewall-ed it.

 

[georgeb]

Also you can restart SSH to default configuration through WHM. So whatever you do in sshd_config won't protect you if hacker have WHM root access.

They can't if you read what I told you and make the file immutable like somebody else told you here: http://forums.cpanel.net/f185/disable-safesshrestart-238422.html

I don't want to disable root SSH login.

You are not disabling root.


It is like you are asking to disable the user root and in the same time to enable user root.
If I have access to your WHM with root user I'll remove everything on your server, I don't need ssh access, believe me.
Any way good luck.

Regards,
George B.

 

[flashweb]

They can't if you read what I told you and make the file immutable like somebody else told you here:

I used to do that. But i found on some of the servers, my other admin used to mess up the hosts.allow through WHM, so i thought WHM will remove "chattr +ia" and save. I have verified doing "chattr +ia" will solve the problem.

Thanks,

Yujin

 

[craigedmonds]

I restrict root SSH access to my server with /etc/hosts.allow and hosts.deny.

Now if some get WHM root access, they can modify Host Access Control and login to SSH.

Is there anyway i can disable "Host Access Control" feature in WHM so no can modify /etc/hosts.allow ?

Thanks,

Yujin

This is how I block ssh and whm access.

So mine works like this:

Daemon_______Access List______Action______Comment
ALL___________{myip}_________allow_______craigs ip
whostmgrd_____ALL____________deny_______block access to WHM
sshd__________ALL____________deny________block access to ssh

This still allows users to access cpanel but blocks everyones WHM access and SSH.

For additional security on SSH port, I change the SSH port to a different port number AND disable password auth.

Still waiting for cpanel to introduce two factor auth and when they do I will pt that on there too.

 

[electric]

Couple of things I want to point out:

1) Allowing direct root SSH login is not a good idea. Better to only allow non-root and then "su -" to root.

2) Run a login scanner (like configserver firewall) that will alert you whenever root user logs in or someone does sudo or su command, etc...

3) You should always change your root password after your cpanel support ticket is resolved. In fact, you should be changing root password regularly... There should not be any reason why your server is compromised if (when?) cpanel support system is hacked.

 

[craigedmonds]

2) Run a login scanner (like configserver firewall) that will alert you whenever root user logs in or someone does sudo or su command, etc...

Some good tips there.

However something not alot of people realise, CSF is actually not a real firewall. Its a GUI for iptables (and not a bad one really).

If you want a proper software firewall look at something like ASL from gotroot.com which sites in front of the kernel.

 

[quietFinn]

However something not alot of people realise, CSF is actually not a real firewall. Its a GUI for iptables (and not a bad one really).

I read here:
Firewall (computing) - Wikipedia, the free encyclopedia

In computing, a firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on applied rule set.

It's "what it does", not "how it's done".