
Hardening my VPS, how can I qualify it's done correctly?

Discussion in 'Security' started by PhoenixUK, Aug 27, 2015.

  1. PhoenixUK

    PhoenixUK Member

    Hi There,

    I'm going through the process of hardening my CentOS 6.7 VPS and I've created a new user via SSH, added the new password and I've also added this new user in the sudoers file, giving [ALL] root permissions.

    However, I'd like to see if there's a specific command I can use to actually check everything is as should be expected, before I go ahead and 'disable root login' for obvious reasons.

    It also now lets me log in to the server via ssh as the new user and it did let me run 'yum update' as this new user - of which it found an update and that was successful, but I'm just wondering if there's some other way that I can truly tell all is ok, before disabling root login.

    I look forward to hearing from you.

    Regards,
     
  2. quizknows

    quizknows Well-Known Member

    Make sure you can 'su -' to root from the additional user. If you can, then you should be fine disabling direct root login in the ssh server configuration. Generally I don't use sudoers, I just add the additional user to the wheel group so that it can 'su -' to get root privileges in a way that requires a password. This way if the password for the additional user is compromised, they won't have root privileges without the root password as well.
     
  3. PhoenixUK

    PhoenixUK Member

    Hi There,

    Thanks for the prompt reply and I have to admit having heard what you've put above, I may be better carrying it out the way you mention via wheel group. Would I still leave my new user with root privileges in the sudoers, or need to remove this now and do it the wheel group way instead?

    Hmmm if I enter;

    su -

    to root from the newuser, I get the following;

    -bash: /bin/su: Permission denied

    So it would seem something isn't 100%, gutted I thought I was going well grrrr.

    I will await your feedback on the above before I do anything else.

    Thank you.
     
  4. PhoenixUK

    PhoenixUK Member

    My apologies, it does seem that I can but I got myself all confused.

    mynewuser@[~]# su -
    Password: entered root pass here
    root@vps [~]#

    Bingo.
     
  5. quizknows

    quizknows Well-Known Member

    It seems you have it straightened out, but if you add a user to the wheel group it allows them to run the 'su -' command. You would not need to leave the user in sudoers, and it is more secure this way given the password auth to run commands as root. Cheers.
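
Added example, not part of any post in this thread and not cPanel's own tooling: a pre-flight check for the procedure discussed above, confirming that the new user is in the wheel group and reading the global PermitRootLogin value before root login is disabled. The function names, the sample files and the user names in them are constructed for illustration.

```bash
# Pre-flight checks to run before setting "PermitRootLogin no".
# File paths are parameters so the checks can run on constructed samples;
# on a real server they would be /etc/group and /etc/ssh/sshd_config.

# Succeeds if USER is a listed member of GROUP in a group(5)-format file.
user_in_group() {  # usage: user_in_group GROUP_FILE USER GROUP
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# Prints the global PermitRootLogin value from an sshd_config-format file.
# sshd keeps the first value it reads for a keyword, commented lines do not
# count, and anything after a Match line is conditional, so scanning stops there.
# Prints "unset" when no global value is present.
root_login_setting() {  # usage: root_login_setting SSHD_CONFIG
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Refuses to proceed unless USER has the wheel membership the thread relies on
# for "su -"; otherwise reports whether direct root login is still open.
preflight() {  # usage: preflight GROUP_FILE SSHD_CONFIG USER
    if ! user_in_group "$1" "$3" wheel; then
        echo "STOP: $3 is not in wheel, keep root login enabled"
        return 1
    fi
    case "$(root_login_setting "$2")" in
        no) echo "DONE: $3 is in wheel and root login is already disabled" ;;
        *)  echo "READY: $3 is in wheel, root login can be disabled" ;;
    esac
}

# Constructed sample files (not taken from the thread's server).
SAMPLES=$(mktemp -d)
printf '%s\n' 'root:x:0:' 'wheel:x:10:mynewuser' 'users:x:100:other' > "$SAMPLES/group"
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
    'Match User backup' '    PermitRootLogin no' > "$SAMPLES/sshd_config"

preflight "$SAMPLES/group" "$SAMPLES/sshd_config" mynewuser
```

After editing sshd_config on a real server, `sshd -t` checks the file for errors before the service is restarted, and keeping the existing root session open until a fresh login and 'su -' succeed leaves a way back in.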
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
