Disallowing root access

[magicalwonders]

I'm trying to get to grips with disallowing login to server using root as user and have found the following advice.

On WHM > Resellers > Reseller Center

Assign the user which you want to give WHM access.

Then under Reseller Modifications > Edit Privileges/Nameservers
Assign that user which areas of WHM you would like to give

Pretty straighforward, but I have a couple of questions.

1. I'm not sure what privileges to grant the new user? If I'm not able to log back in as root after updating sshd config file, should it not be all privileges for everything for user?

2. At the moment I've assigned an existing user for one of my domains. Is it not possible though to add a really obscure name by creating an account using a fictitious domain? Then just assign that user?

Hope someone can advise.

 

[cPanelMichael]

Hello

1. Disabling root access for SSH does not disable it for Web Host Manager. You can still access Web Host Manager as "root" after disabling root access to SSH.

2. Yes, you could create an account with an obscure username/domain name and use it to access WHM as a reseller. If you want the reseller to have all privileges, ensure you enable the "All Features" option in "Edit Reseller Nameservers and Privileges".

Thank you.

 

[magicalwonders]

Hello

1. Disabling root access for SSH does not disable it for Web Host Manager. You can still access Web Host Manager as "root" after disabling root access to SSH.

2. Yes, you could create an account with an obscure username/domain name and use it to access WHM as a reseller. If you want the reseller to have all privileges, ensure you enable the "All Features" option in "Edit Reseller Nameservers and Privileges".

Thank you.

Thanks Michael,

So I'd continue using my favourite SSH client Bitvise to login as the new user. But should I login to WHM as new user as well, or continue to login as root?

 

[cPanelMichael]

You can continue accessing Web Host Manager as "root" unless you prefer to use a reseller user instead.

Thank you.

 

[magicalwonders]

I seem to have run into a bit of an issue. I created an obscure domain name (which doesn't actually exist) and username, but when clicking create account it returns the following error -

Account Creation Status: failed
Your system has run out of available IP addresses, or you do not have permission to use any more IP addresses. (Unable to find an IP address.)

I went into Tweak settings and turned Allow unregistered domains [?] from Off to On, but I still get the same error.
Not sure what I'm missing?

 

[cPanelMichael]

That option is not associated with the error message you received. Make sure your IP addresses are not reserved in:

"WHM Home » IP Functions » Show/Edit Reserved IPs"
"WHM Home » Service Configuration » Apache Configuration » Reserved IPs Editor"

Thank you.

 

[magicalwonders]

Not showing as reserved in "WHM Home » IP Functions » Show/Edit Reserved IPs"

In "WHM Home » Service Configuration » Apache Configuration » Reserved IPs Editor" the status for my two IP addresses say reserved, but the box next to it is unticked. So I'm guessing they are not reserved?

 

[cPanelMichael]

Right, that means no IP addresses are reserved. Try rebuilding the Apache configuration file via:

/scripts/rebuildhttpdconf

Also, to clarify, are you signed in as "root" or as a reseller?

Thank you.

 

[magicalwonders]

Yes, I am signed in as root. I removed the reseller priviliges I previously assigned to an account so I could redo with a more obscure name.

I'll run that command and update how it goes.

 

[magicalwonders]

I ran the command and got the message - "Missing owner for domain server.yourdomain.com That's not the name of my server, so not sure how to fix that. However it appears to have rebuilt httpd.conf as in attached screenshot.

I was able to create a new account and assigned it as a reseller granting all priviliges. But when I log on with Bitvise in the sftp screen I don't appear to be able to navigate or see that much. When I try to change folders I get "Permission denied" As attached

 

[magicalwonders]

Update to last post. I've just tried to bring up a terminal. but it's complaining that shell access hasn't been granted. See attached screenshot.

Do I just grant shell access to the user in Home »Account Functions »Manage Shell Access ?

It looks like my choices are Normal or Jailed?

EDIT. I've gone ahead and granted "Normal shell" access to my new user, and can now connect using the terminal. It's looks like the hostname issue is also resolved as it returns the correct name when queried.

When viewing sftp in Bitvise however, I still can't view anything outside of the new account. I keep getting the permissions error. I've downloaded the error log from /usr/local/apache/logs but I can't find any mention of the failed process.

 

[cPanelMichael]

Wheel users are not automatically granted "root" SSH access. You still have to run "su root" after logging in via SSH to obtain root privileges. You may find this thread helpful:

SSH Hardening

Thank you.

 

[magicalwonders]

Wheel users are not automatically granted "root" SSH access. You still have to run "su root" after logging in via SSH to obtain root privileges. You may find this thread helpful:

SSH Hardening

Thank you.

Thanks for the link Michael,

It looks like I've got some reading to do! After I've done all this and got it setup properly, should I be able to navigate around the server using sftp when logged in as non-root user?

EDIT. I've tried login in as non root user and then substituting user with su root command, but I'm getting the following error - (name of user changed)

[email protected] # su root
-bash: /bin/su: Permission denied
[email protected] # ^V

 

[cPanelMichael]

After I've done all this and got it setup properly, should I be able to navigate around the server using sftp when logged in as non-root user?

Yes, but you should likely use SSH instead of SFTP unless you have the need to upload files as "root". As for the error message, make sure the user is added to the wheel group in "WHM Home » Security Center » Manage Wheel Group Users".

Thank you.

 

[magicalwonders]

"...........As for the error message, make sure the user is added to the wheel group in "WHM Home » Security Center » Manage Wheel Group Users".

OK, I'd missed that last bit. So now I can login as a wheel user, and use the command su root. Now I'm getting prompted for a password. I assume that this is the root password it wants. However, I seem unable to enter anything here. The cursor just keeps blinking and won't accept any input. ? If I hit enter, it returns "incorrect su password"

 

[cPanelMichael]

It won't display the password as you enter it. You can either paste it or type it out and hit enter.

Thank you.

 

[magicalwonders]

It won't display the password as you enter it. You can either paste it or type it out and hit enter.

Thank you.

OK, that was a bit confusing. I'd already tried copying and pasting but it didn't look as though anything had happened! I think I've succeeded now. Getting the following returned -

root@hostname [/home/new-user]#

I don't seem to be able to sftp my way around the server though. That was really handy as a friendly interface for downloading error logs. Is that function lost to me now?

 

[cPanelMichael]

SSH is not the same thing as SFTP. You should likely begin learning the Linux environment so you can understand how to navigate using commands such as "cd" or "ls". You can use a search engine to find tutorials on how to use the command line in Linux.

Thank you.

 

[magicalwonders]

OK thanks for all your help. I have some studying to do!

From the documentation I've already looked at, if I've understood it correctly, it looks like my host has assigned a port that is not recommended. (1088). I should change this to an unused port below 1024, yes?

 

[cPanelMichael]

From the documentation I've already looked at, if I've understood it correctly, it looks like my host has assigned a port that is not recommended. (1088). I should change this to an unused port below 1024, yes?

Yes, that is correct. Per that tutorial:

NOTE: Anyone on the server can bind to ports 1024 and above. Only root can bind to ports below 1024. As such, it is imperative to use an available port below 1024.

Thank you.