Disable Host Access Control

Discussion in 'Security' started by flashweb, Feb 27, 2013.

  1. flashweb

    flashweb Well-Known Member

    Hi,

    I restrict root SSH access to my server with /etc/hosts.allow and hosts.deny.

    Now if someone gets WHM root access, they can modify Host Access Control and log in to SSH.

    Is there any way I can disable the "Host Access Control" feature in WHM so no one can modify /etc/hosts.allow?

    Thanks,

    Yujin
     
    #1 flashweb, Feb 27, 2013
    Last edited: Feb 27, 2013
  2. georgeb

    georgeb Well-Known Member

    Why don't you use sshd_config with the option "AllowUsers noroot", so the "root" user can't access SSH, only the user "noroot",
    or "AllowUsers noroot@xx.xx.xx.xx" to only allow user "noroot" from IP "xx.xx.xx.xx" to connect via SSH?
    Please be careful, because you can block your access to the server.

    You can check in the background whether the file was modified, or make the file "sshd_conf" immutable with chattr -i.



    Regards,
    George B.
     
  3. flashweb

    flashweb Well-Known Member

    I don't want to disable root SSH login.

    I want to allow access from multiple IPs, for example, home and office. Also, you can restart SSH with the default configuration through WHM. So whatever you do in sshd_config won't protect you if a hacker has WHM root access.

    What I want to do is secure SSH access even if a hacker gets root access to WHM.

    If we can disable the Host Access Control feature in WHM, then even with the root password, a hacker won't be able to log in to SSH.

    Let's consider the recent mass hacking:

    http://forums.cpanel.net/f185/sshd-rootkit-323962.html

    The hacker got the root password from the cPanel helpdesk. Let's say I open a support ticket with cPanel.net with the root password. The hacker reads the ticket, collects the root password and starts hacking my server. The hacker tries to log in to SSH; he can't, because I restrict access with /etc/hosts.allow/deny and a non-standard port. The hacker logs in to WHM, restarts SSH with the default configuration, and removes the rules from WHM > Security > Access Control. Now he has SSH access, and they can install libkeyutils.so.9 and start sending spam mails.
     
    #3 flashweb, Feb 27, 2013
    Last edited: Feb 27, 2013
  4. quietFinn

    quietFinn Well-Known Member

    Isn't it easier to use Host Access Control to deny access to the whostmgrd (WHM) service?
     
  5. flashweb

    flashweb Well-Known Member

    Yes, but that is not possible if you have resellers. If not, I would have just firewalled it.
     
  6. georgeb

    georgeb Well-Known Member

    They can't if you read what I told you and make the file immutable, like somebody else told you here: http://forums.cpanel.net/f185/disable-safesshrestart-238422.html

    You are not disabling root.

    It is like you are asking to disable the user root and at the same time to enable the user root.
    If I have access to your WHM with the root user I'll remove everything on your server; I don't need SSH access, believe me.
    Anyway, good luck.

    Regards,
    George B.
     
    #6 georgeb, Feb 27, 2013
    Last edited: Feb 27, 2013
  7. flashweb

    flashweb Well-Known Member

    I used to do that. But I found that on some of the servers my other admin used to mess up hosts.allow through WHM, so I thought WHM would remove "chattr +ia" and save. I have verified that doing "chattr +ia" will solve the problem.

    Thanks,

    Yujin
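
Added example, not part of any post in this thread and not cPanel code: a Python audit that covers both ideas raised above, checking in the background whether the access-control files changed and whether the immutable attribute is still set. The watched paths, the baseline dictionary and the function names are assumptions; attributes are read with `lsattr -d`.

```python
import hashlib
import os
import subprocess

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def lsattr_flags(path):
    """Return the set of attribute letters lsattr reports, or None if unknown."""
    try:
        out = subprocess.run(["lsattr", "-d", path], capture_output=True,
                             text=True, check=True).stdout.split()
    except (OSError, subprocess.CalledProcessError):
        return None  # lsattr missing, or the filesystem has no attributes
    return set(out[0]) - {"-"} if out else None

def audit(baseline, get_flags=lsattr_flags):
    """baseline maps path -> expected SHA-256; returns [(path, finding), ...]."""
    findings = []
    for path, expected in baseline.items():
        try:
            actual = sha256_of(path)
        except OSError as exc:
            findings.append((path, f"unreadable: {exc.strerror}"))
            continue
        if actual != expected:
            findings.append((path, "content changed"))
        flags = get_flags(path)
        if flags is None:
            findings.append((path, "attributes unknown"))
        elif "i" not in flags:  # 'i' is the immutable flag set by chattr +i
            findings.append((path, "immutable flag missing"))
    return findings

if __name__ == "__main__":
    # Assumed paths; adjust to the files you lock down.
    watched = ["/etc/hosts.allow", "/etc/hosts.deny", "/etc/ssh/sshd_config"]
    # In real use, record the baseline once and keep it off the server.
    baseline = {p: sha256_of(p) for p in watched if os.path.exists(p)}
    for path, finding in audit(baseline):
        print(f"ALERT {path}: {finding}")
```

Run it from cron and send the alerts to a mailbox or log host outside the server, since anyone with root on the box can clear the flag and edit a locally stored baseline.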
     
  8. craigedmonds

    craigedmonds Well-Known Member

    This is how I block ssh and whm access.

    So mine works like this:

    Daemon       Access List    Action    Comment
    ALL          {myip}         allow     craigs ip
    whostmgrd    ALL            deny      block access to WHM
    sshd         ALL            deny      block access to ssh

    This still allows users to access cpanel but blocks everyone's WHM access and SSH.

    For additional security on SSH port, I change the SSH port to a different port number AND disable password auth.

    Still waiting for cpanel to introduce two factor auth and when they do I will put that on there too.
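
Added example, not part of the post above and not cPanel code: a small Python evaluator for the rule table in the preceding post, assuming the table is stored as `daemon : client : action` lines that are checked top to bottom with the first match deciding (the hosts_options(5) convention). The address 203.0.113.10 stands in for {myip}; only `ALL`, exact IPv4 addresses and trailing-dot prefixes are handled.

```python
# Constructed sample: the table from the post, with a documentation
# address (203.0.113.10) in place of {myip}.
RULES = """\
# daemon  : access list  : action
ALL       : 203.0.113.10 : allow
whostmgrd : ALL          : deny
sshd      : ALL          : deny
"""

def parse_rules(text):
    """Parse 'daemon : client : action' lines into (daemons, clients, action)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2] not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, fields[2]))
    return rules

def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # prefix form, e.g. "192.0.2."
        return ip.startswith(pattern)
    return pattern == ip

def decide(rules, daemon, ip):
    """Return 'allow' or 'deny' for one connection; the first matching rule wins."""
    for daemons, clients, action in rules:
        daemon_hit = "ALL" in daemons or daemon in daemons
        if daemon_hit and any(_client_matches(c, ip) for c in clients):
            return action
    return "allow"  # no rule matched: tcp_wrappers grants access by default

def exposed_daemons(rules, daemons, ip):
    """List the daemons a given client address can still reach."""
    return [d for d in daemons if decide(rules, d, ip) == "allow"]

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, exposed_daemons(rules, ["sshd", "whostmgrd", "cpaneld"], ip))
```

Feeding the rules in a different order, or with the `sshd` line removed, shows how the result depends on rule order and on that one line staying in place.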
     
  9. electric

    electric Well-Known Member

    Couple of things I want to point out:

    1) Allowing direct root SSH login is not a good idea. Better to only allow non-root and then "su -" to root.

    2) Run a login scanner (like configserver firewall) that will alert you whenever root user logs in or someone does sudo or su command, etc...

    3) You should always change your root password after your cpanel support ticket is resolved. In fact, you should be changing root password regularly... There should not be any reason why your server is compromised if (when?) cpanel support system is hacked.

    :)
     
  10. craigedmonds

    craigedmonds Well-Known Member

    Some good tips there.

    However, something not a lot of people realise: CSF is actually not a real firewall. It's a GUI for iptables (and not a bad one really).

    If you want a proper software firewall look at something like ASL from gotroot.com which sits in front of the kernel.
     
  11. quietFinn

    quietFinn Well-Known Member

    I read here:
    Firewall (computing) - Wikipedia, the free encyclopedia
    It's "what it does", not "how it's done".
     