Editing DNS Zone Manager from terminal (SSH)

skrl

Active Member
Mar 18, 2021
37
6
8
Kingston
cPanel Access Level
Website Owner
I needed to ask whether it is possible to edit the WHM's DNS Zone Manager's configuration from terminal with SSH. If so, where should one navigate to perform those changes? Thank you.
 

rbairwell

Well-Known Member
May 28, 2022
108
47
28
Mansfield, Nottingham, UK
cPanel Access Level
Root Administrator
By the configuration do you mean the zone files themselves? If so, those are in /var/named/<domain name>.db (remember if you manually change those files to update the serial number and also to reload the nameserver: I'm not sure how well manual changes propagate to slave nameservers).

If you mean change the configuration of the DNS Zone Manager itself, what sort of changes are you looking/trying to make?
 

skrl

Hi, and thank you for your prompt reply.

I am not trying to make any changes. Here's what's been going on:

Last night I edited the A record TTL of the `mydomain.tld.` of one of my users, which currently (still) is pointing to my current server IP. I changed that from 14400 to 300 because I was preparing for migration of my site to a new host.

Previously I had created a new user, and added them to the sudoers group. I had not given them access to the WHM though.

Today I noticed that all the other records have had their TTL changed from whatever value each was to 300. I asked my colleagues who have access to WHM if they have performed the change themselves, which they said they haven't.

I want to rule out that the change hasn't been performed by the new user via SSH. And to do that I need to know if it is possible to make such a change in the terminal, which then could be reflected in WHM as well.

I trust that the change I performed to that one A record should not have been applied to the remaining ones.

Hence my question.
 

rbairwell

Yep, they could have made that change. You can check the modification date of the file by using "ls -al /var/named/<domain name>.db" or "stat /var/named/<domain name>.db".

You should be able to see if they used "sudo" by looking in /var/log/secure and/or /var/log/audit/audit.log and/or journalctl -e /usr/bin/sudo and you might be able to see via /home/<username>/.bash_history.

cPanel/WHM just act like a "front end" to the server - they achieve everything they do by (practically) issuing commands on the command line to the server. If you've given someone root access via sudo (and not restricted the commands they can run via /etc/sudoers or /etc/sudoers.d/), then you've given them a lot more access to your server than they would have even got via WHM!

(italics added to avoid the Cloudflare site security blocks)
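The sudo log check described in the reply above, as an added example that is not part of the thread and not cPanel's own code: it scans sudo entries in the format written to /var/log/secure and lists the ones relevant to a zone-file change. The sample log lines, hostname and usernames are constructed; `classify` and `audit` are hypothetical helper names.

```python
import re

# Standard sudo syslog line as found in /var/log/secure:
#   <ts> <host> sudo[pid]:   <user> : [reason ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+)\s:\s(?P<fields>.*?)COMMAND=(?P<cmd>.*)$"
)
DENIED = ("NOT in sudoers", "command not allowed", "incorrect password")
SHELLS = re.compile(r"^(/usr)?/bin/((ba|z|da)?sh|su)\b")

def classify(cmd):
    """Return why a sudo command matters for a zone-change review, or None."""
    if "/var/named" in cmd:
        return "zone-file"          # direct read or edit of a zone file
    if re.search(r"\brndc\b", cmd):
        return "nameserver-reload"  # a reload normally follows a manual edit
    if SHELLS.match(cmd):
        return "root-shell"         # commands typed in the shell are not logged by sudo
    return None

def audit(lines, user=None):
    """List (timestamp, user, kind, outcome, command) for relevant sudo events."""
    findings = []
    for line in lines:
        m = SUDO_LINE.match(line)
        if not m or (user and m["user"] != user):
            continue
        cmd = m["cmd"].strip()
        kind = classify(cmd)
        if kind:
            outcome = "denied" if any(d in m["fields"] for d in DENIED) else "ran"
            findings.append((m["ts"], m["user"], kind, outcome, cmd))
    return findings

# Constructed sample lines (hostname, users and times are made up).
SAMPLE = """\
Jun  3 21:04:11 host1 sudo[4121]:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status httpd
Jun  3 21:07:42 host1 sudo[4188]:   newuser : TTY=pts/1 ; PWD=/home/newuser ; USER=root ; COMMAND=/usr/bin/vi /var/named/example.com.db
Jun  3 21:09:03 host1 sudo[4203]:   newuser : TTY=pts/1 ; PWD=/home/newuser ; USER=root ; COMMAND=/usr/sbin/rndc reload example.com
Jun  3 22:15:30 host1 sudo[4410]:   newuser : TTY=pts/1 ; PWD=/home/newuser ; USER=root ; COMMAND=/bin/bash
Jun  3 22:20:01 host1 sudo[4432]:   bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /var/named/example.com.db
Jun  3 22:21:00 host1 sshd[4500]: Accepted publickey for alice from 192.0.2.10 port 50222 ssh2
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

A `root-shell` finding means sudo recorded only the shell start, so the absence of a `zone-file` entry for that user does not rule out an edit; compare the zone file's modification time against the shell session instead.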

skrl

Thanks for the advice. I have checked everything and it all is clear. Nothing to worry about there.

What log should I check on why everything has gone from their previous TTL to 300?
 

rbairwell

First of all, I'd check to see if the modification date on the file is close to what you would expect (i.e. is it close to the time you made the change) - if it isn't, I'd say have a look at /var/log/messages to see when the zone needed reloading after a change (grep "/var/!named/!<zone>.db) needs reloading" /var/!log/!messages). Otherwise I'm out of ideas (apart from checking backups etc).

If you can't see their username in the sudo logs, then they probably haven't used the command.
(remove the ! symbols - damn Cloudflare WAF)
 

skrl

Nope, nothing there either. I asked them directly, and they said they did not mess with it at all. The logs confirm that. There must be something else that did it. Perhaps when I changed the primary A record that applied the change to the remaining records? It doesn't really matter tbh, as the transfer and propagation have completed, but I keep asking because I was wondering how could that be?

Thank you for your assistance; it has been very valuable to me. :cool: