
I can't log in to server as root

Discussion in 'General Discussion' started by preleaf, Oct 4, 2004.

  1. preleaf

    The reason is that I want to log in as user diep and then su to root, so I changed some things in sshd_config as follows:
    1. Log in to the server
    2. Copy and paste this line to edit the file for SSH logins
    pico -w /etc/ssh/sshd_config

    3. Find the line
    Protocol 2, 1

    4. Uncomment it and change it to look like
    Protocol 2

    5. Next, find the line
    PermitRootLogin yes

    6. Uncomment it and make it look like PermitRootLogin no

    7. Save the file Ctrl+X then Y then enter

    8. Now you can restart SSH
    /etc/rc.d/init.d/sshd restart
    Then when I log in as root it displays: access denied. But when I log in as user "diep" and then su to root, it says: permission denied. NOW WHAT MUST I DO? I'M LOOKING FORWARD TO HEARING FROM YOU. THANK YOU SO MUCH
     
  2. AbeFroman

    Log into WHM and add a regular user to the wheel group, "Manage Wheel Group Users", enable regular ssh for that user, then you can su to root.

    In your case just add diep to the wheel group.
     
  3. preleaf

    Thanks so much, AbeFroman. I have just followed your guide and now I can access my server as user diep and su to root, OK. Thank you so much.
     
  4. preleaf

    PLS GUIDE ME. When I log in with WinSCP, how do I su to root? Because I want to transfer files, but when I log in as user diep I can't go into other directories. Help me, please.
     
  5. AbeFroman

    You need to create a secret user with UID 0 (set to UID and GID 0 in /etc/passwd) and a very difficult to guess password, then use that user with WinSCP. You have to compromise security slightly to be able to use WinSCP.
     
  6. PWSowner

    I was wondering about that myself. I've wanted to disable direct root login, but that's how I connect via SFTP.

    Which is safer? Leaving root login enabled, or disable it and create the secret user? Assuming a complex password in both cases.
     
  7. chirpy

    From the WinSCP FAQ:
    http://winscp.sourceforge.net/forum/viewtopic.php?t=948

    Personally, I don't bother. It is one level of security, but just that. It slows them down. However, I do use key authentication for login to the root account instead of password authentication.
     
  8. AbeFroman

    Well, if you disable root login, someone would have to know your secret user's user name, AND they would have to know that the secret user has UID 0, AND they would have to brute force the password. Most hackers aren't looking out for a second UID 0 user.

    So, disabling root login and creating a secret user is considerably safer than just leaving root logins open.
     
  9. Aric1

    Key only access to root is even safer than SU to root, since even if someone DID know your key password, they'd physically need your private key to log in. It's more convenient, also.

    SU to root is safe, and should be used if you (or one of your admins) can't use keys for some reason. The problem is with SU, it's hard to hack because there are 2 passwords, but that doesn't make it impossible, especially with some of the silly passwords people use to make them easier to remember.

    You should also add a line to your root .bashrc so you get an e-mail when someone logs in as root, just to be on the safe side.

    Keeping a STRONG root password is important since even if you use the SU to root option, if a hacker figures out the root password, they can get into root via WHM by adding a user to wheel.
     
    #9 Aric1, Oct 6, 2004
    Last edited: Oct 6, 2004
  10. chirpy

    Well, you get a nice variety of opinion ;)

    I actually disagree with leaving root login open is that much more secure given the provisos below. It's a risk, but it's not a huge risk. As Aric said, you should be auditing your root login successes, but you should also be logging the failures too. On my servers, 4 wrong password attempts and you're never connecting from that IP again.

    If someone gains access to a user account with shell, it's just a matter of looking in /etc/passwd to get your "secret" account. Also, a hack into a user account can often lead to a trivial local root exploit.

    For optimum security, I'd stick with key authentication and a sound secure root password that you change regularly.

    As I said before, it's all layers and if you implement one layer or another is neither here nor there - it's the whole approach and implementation of security on your server that is important.
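
A sketch of the failure logging mentioned in the post above, as an added example that is not part of the original thread: it counts failed SSH password attempts per source address and lists those at or over a threshold of 4. The log lines are constructed samples in the usual sshd syslog shape; the function name and file are assumptions, and the script only reports, it does not block anything.

```shell
#!/bin/sh
# Added example. Count failed SSH password attempts per source address and
# list the addresses at or over a threshold (4, as in the post above).

# Usage: over_threshold LOGFILE [THRESHOLD]
# Prints "ADDRESS COUNT" for each offending source, sorted by address.
over_threshold() {
    awk -v limit="${2:-4}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # The address is the token after the last "from"; scanning from
            # the right keeps a user name of "from" from confusing the parse.
            for (i = NF - 1; i > 0; i--)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' "$1" | sort
}

# Constructed sample log (documentation addresses, not real hosts).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Oct  6 10:01:02 host sshd[2101]: Failed password for root from 192.0.2.10 port 4022 ssh2
Oct  6 10:01:05 host sshd[2101]: Failed password for root from 192.0.2.10 port 4022 ssh2
Oct  6 10:01:09 host sshd[2104]: Failed password for root from 192.0.2.10 port 4031 ssh2
Oct  6 10:01:13 host sshd[2104]: Failed password for root from 192.0.2.10 port 4031 ssh2
Oct  6 10:02:40 host sshd[2110]: Failed password for invalid user admin from 192.0.2.10 port 4040 ssh2
Oct  6 10:05:11 host sshd[2120]: Failed password for diep from 198.51.100.7 port 5120 ssh2
Oct  6 10:05:19 host sshd[2120]: Failed password for diep from 198.51.100.7 port 5120 ssh2
Oct  6 10:05:30 host sshd[2120]: Accepted password for diep from 198.51.100.7 port 5120 ssh2
EOF
over_threshold "$sample_log"
```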
     
  11. AbeFroman

    True, I'd like to rephrase my answer: if you create a second user with UID 0, make sure it's by using the ssh adduser command and not by adding an account in cPanel. Adding a second UID 0 user is not recommended; the best way is to copy the files to an underprivileged user in WinSCP or regular scp, and then move them where you want with root and change ownership.
     
    #11 AbeFroman, Oct 6, 2004
    Last edited: Oct 6, 2004
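
The sshd_config edits from the first post and the point that any shell user can read /etc/passwd can both be checked with a short audit. This is an added example, not part of the original thread: the function names, the "hiddenadmin" account and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Defensive audit of two things the thread debates:
# extra UID 0 accounts in passwd, and the effective sshd_config settings.

# Print every account name whose UID (field 3) is 0.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Print the effective value of an sshd_config keyword: commented lines are
# ignored, keywords are case-insensitive, and the first occurrence wins.
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print findings; return 1 if anything needs attention, else 0.
audit() {
    rc=0
    for u in $(uid0_accounts "$1"); do
        [ "$u" = root ] || { echo "FINDING: extra UID 0 account: $u"; rc=1; }
    done
    prl=$(sshd_setting "$2" PermitRootLogin)
    case "$prl" in
        no|without-password|prohibit-password) ;;  # root password login is off
        "") echo "FINDING: PermitRootLogin not set, build default applies"; rc=1 ;;
        *)  echo "FINDING: PermitRootLogin is '$prl'"; rc=1 ;;
    esac
    case "$(sshd_setting "$2" Protocol)" in
        *1*) echo "FINDING: SSH protocol 1 still enabled"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not taken from a real server).
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
diep:x:500:500::/home/diep:/bin/bash
hiddenadmin:x:0:0::/home/hiddenadmin:/bin/bash
EOF
cat > "$demo_dir/sshd_config" <<'EOF'
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
EOF
audit "$demo_dir/passwd" "$demo_dir/sshd_config" || echo "audit: review findings"
```

On a real server the arguments would be /etc/passwd and /etc/ssh/sshd_config; the check needs no privileges beyond read access to both files.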
  12. Sheldon

    Yes... all of this is nice...

    However easily breakable by any "GOOD" cracker....

    Don't get misled into a false sense of security...

    Make sure you have everything else down as well.

    Sheldon
     
  13. Aric1

    Indeed, there is much more you should be doing, but this isn't a general security thread... It only discusses how to secure root (which is a good first step).

    Frankly, the only real way to protect your server from hackers is to take it off the Internet completely, turn it off and lock it in a vault. Even then, with careful social engineering the data could still be compromised.

    It's a very fine line to walk, balancing tight security with the need to offer shared hosting. You need to make your server secure without unduly chasing away customers. If you offer low- to mid-end shared hosting, Joe Q. Public isn't going to care as much whether the security is tighter than Fort Knox (most of them don't realize the danger), but they will care when your security measures stop them from running their favorite script, Gallery, and may well leave you for someone else.

    There is a lot that can be done, however, that is more or less transparent to the clients and a good off-site backup solution is a must.
     
  14. PWSowner

    Thanks. I won't bother making any changes then. I use root with key authentication as well as a very complex password that I change every month. I also have my server emailing me every time someone logs in or attempts to log in as root.

    As Sheldon said, I'll worry more about other security issues.
     