Disallowing root access

Discussion in 'General Discussion' started by magicalwonders, Sep 25, 2014.

  1. magicalwonders

    magicalwonders Well-Known Member

    Joined:
    Nov 21, 2012
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I'm trying to get to grips with disallowing login to server using root as user and have found the following advice.

    Pretty straightforward, but I have a couple of questions.

    1. I'm not sure what privileges to grant the new user? If I'm not able to log back in as root after updating sshd config file, should it not be all privileges for everything for user?

    2. At the moment I've assigned an existing user for one of my domains. Is it not possible though to add a really obscure name by creating an account using a fictitious domain? Then just assign that user?

    Hope someone can advise. :)
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,830
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    1. Disabling root access for SSH does not disable it for Web Host Manager. You can still access Web Host Manager as "root" after disabling root access to SSH.

    2. Yes, you could create an account with an obscure username/domain name and use it to access WHM as a reseller. If you want the reseller to have all privileges, ensure you enable the "All Features" option in "Edit Reseller Nameservers and Privileges".

    Thank you.
     
  3. magicalwonders

    Thanks Michael,

    So I'd continue using my favourite SSH client Bitvise to login as the new user. But should I login to WHM as new user as well, or continue to login as root?
     
  4. cPanelMichael

  5. magicalwonders

    I seem to have run into a bit of an issue. I created an obscure domain name (which doesn't actually exist) and username, but when clicking create account it returns the following error -

    I went into Tweak settings and turned Allow unregistered domains [?] from Off to On, but I still get the same error.
    Not sure what I'm missing?
     
  6. cPanelMichael

    That option is not associated with the error message you received. Make sure your IP addresses are not reserved in:

    "WHM Home » IP Functions » Show/Edit Reserved IPs"
    "WHM Home » Service Configuration » Apache Configuration » Reserved IPs Editor"

    Thank you.
     
  7. magicalwonders

    Not showing as reserved in "WHM Home » IP Functions » Show/Edit Reserved IPs"

    In "WHM Home » Service Configuration » Apache Configuration » Reserved IPs Editor" the status for my two IP addresses say reserved, but the box next to it is unticked. So I'm guessing they are not reserved?
     
  8. cPanelMichael

    Right, that means no IP addresses are reserved. Try rebuilding the Apache configuration file via:

    Code:
    /scripts/rebuildhttpdconf
    Also, to clarify, are you signed in as "root" or as a reseller?

    Thank you.
     
  9. magicalwonders

    Yes, I am signed in as root. I removed the reseller privileges I previously assigned to an account so I could redo with a more obscure name.

    I'll run that command and update how it goes. :)
     
  10. magicalwonders

    I ran the command and got the message - "Missing owner for domain server.yourdomain.com". That's not the name of my server, so not sure how to fix that. However, it appears to have rebuilt httpd.conf as in attached screenshot.

    I was able to create a new account and assigned it as a reseller granting all privileges. But when I log on with Bitvise in the sftp screen I don't appear to be able to navigate or see that much. When I try to change folders I get "Permission denied", as attached.
     


  11. magicalwonders

    Update to last post. I've just tried to bring up a terminal, but it's complaining that shell access hasn't been granted. See attached screenshot.

    Do I just grant shell access to the user in Home » Account Functions » Manage Shell Access?

    It looks like my choices are Normal or Jailed?

    EDIT. I've gone ahead and granted "Normal shell" access to my new user, and can now connect using the terminal. It looks like the hostname issue is also resolved as it returns the correct name when queried.

    When viewing sftp in Bitvise however, I still can't view anything outside of the new account. I keep getting the permissions error. I've downloaded the error log from /usr/local/apache/logs but I can't find any mention of the failed process.
     


    #11 magicalwonders, Sep 25, 2014
    Last edited: Sep 26, 2014
  12. cPanelMichael

    Wheel users are not automatically granted "root" SSH access. You still have to run "su root" after logging in via SSH to obtain root privileges. You may find this thread helpful:

    SSH Hardening

    Thank you.
     
  13. magicalwonders

    Thanks for the link Michael, :)

    It looks like I've got some reading to do! :) After I've done all this and got it setup properly, should I be able to navigate around the server using sftp when logged in as non-root user?

    EDIT. I've tried logging in as a non-root user and then substituting user with the su root command, but I'm getting the following error - (name of user changed)

     
    #13 magicalwonders, Sep 26, 2014
    Last edited: Sep 26, 2014
  14. cPanelMichael

    Yes, but you should likely use SSH instead of SFTP unless you have the need to upload files as "root". As for the error message, make sure the user is added to the wheel group in "WHM Home » Security Center » Manage Wheel Group Users".

    Thank you.
     
  15. magicalwonders

    OK, I'd missed that last bit. So now I can login as a wheel user, and use the command su root. Now I'm getting prompted for a password. I assume that this is the root password it wants. However, I seem unable to enter anything here. The cursor just keeps blinking and won't accept any input. If I hit enter, it returns "incorrect su password"
     
  16. cPanelMichael

  17. magicalwonders

    OK, that was a bit confusing. I'd already tried copying and pasting but it didn't look as though anything had happened! I think I've succeeded now. Getting the following returned -

    I don't seem to be able to sftp my way around the server though. That was really handy as a friendly interface for downloading error logs. Is that function lost to me now?
     
  18. cPanelMichael

    SSH is not the same thing as SFTP. You should likely begin learning the Linux environment so you can understand how to navigate using commands such as "cd" or "ls". You can use a search engine to find tutorials on how to use the command line in Linux.

    Thank you.
     
  19. magicalwonders

    OK thanks for all your help. I have some studying to do! :)

    From the documentation I've already looked at, if I've understood it correctly, it looks like my host has assigned a port that is not recommended. (1088). I should change this to an unused port below 1024, yes?
     
  20. cPanelMichael

    Yes, that is correct. Per that tutorial:

    NOTE: Anyone on the server can bind to ports 1024 and above. Only root can bind to ports below 1024. As such, it is imperative to use an available port below 1024.

    Thank you.
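
The three conditions this thread arrives at (root SSH login disabled, a non-root wheel user in place to `su` from, sshd on a port below 1024), checked together in an added shell example that is not part of any post and is not cPanel tooling. The function names, the file contents, port 722 and the user name `obscureadmin` are constructed for illustration; only port 1088 comes from the thread.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before restarting sshd with root login disabled.

# Print the global (pre-"Match") value of KEYWORD; sshd uses the first value it reads.
sshd_value() {  # usage: sshd_value FILE KEYWORD
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    { sub(/=/, " ") }                 # also accept "Keyword=value"
    tolower($1) == want { print tolower($2); exit }' "$1"
}

# Pass only on an explicit "no"; when unset, the compiled-in default (not "no") applies.
root_login_disabled() { [ "$(sshd_value "$1" PermitRootLogin)" = "no" ]; }

# Pass when the first Port line is below 1024 (unset means the default, 22).
port_is_privileged() {
  local p; p="$(sshd_value "$1" Port)"; p="${p:-22}"
  [ "$p" -ge 1 ] 2>/dev/null && [ "$p" -lt 1024 ]
}

# Print non-root members of wheel from a group(5)-format file (supplementary members only).
wheel_members() {  # usage: wheel_members GROUP_FILE
  awk -F: '$1 == "wheel" { n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i] }' "$1"
}

# Print one line per check; the return status is the number of failed checks.
audit_root_lockdown() {  # usage: audit_root_lockdown SSHD_CONFIG GROUP_FILE
  local fails=0
  if root_login_disabled "$1"; then echo "PASS PermitRootLogin no"
  else echo "FAIL root SSH login is not disabled"; fails=$((fails + 1)); fi
  if port_is_privileged "$1"; then echo "PASS sshd port below 1024"
  else echo "FAIL sshd port is 1024 or above"; fails=$((fails + 1)); fi
  if [ -n "$(wheel_members "$2")" ]; then echo "PASS wheel has a non-root member"
  else echo "FAIL no wheel user left to su from"; fails=$((fails + 1)); fi
  return "$fails"
}

# Constructed sample files; only port 1088 comes from the thread.
demo=$(mktemp -d)
printf '%s\n' 'Port 1088' 'PermitRootLogin yes' > "$demo/before"
printf '%s\n' 'Port=722' 'permitrootlogin no' 'Match User backup' \
  '  PasswordAuthentication no' > "$demo/after"
printf '%s\n' 'root:x:0:' 'wheel:x:10:root,obscureadmin' > "$demo/group"
audit_root_lockdown "$demo/before" "$demo/group" || echo "-> $? check(s) failed"
audit_root_lockdown "$demo/after" "$demo/group" && echo "-> all checks passed"
```

Run it against a copy of the edited config before restarting sshd, and keep the existing root session open until a fresh login as the wheel user followed by `su root` succeeds.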
     