Is it possible to change root access to another user?

tomdorrian

Registered
Dec 14, 2010
I am looking to change root access so that another user has full access rights and then disable root access as my server is being probed and attacked by hackers. Is it possible to transfer root ownership to another user on the server?

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
You can't disable the root user. You can create another user, for example a reseller account, and give that user limited or full access via Reseller Center in WHM. That won't stop the problems you're hoping it will though.

...my server is being probed and attacked by hackers.
Can you be more specific? For example if you're seeing in your logs IP addresses attempting to login via SSH on port 22, we change the port SSH uses, make sure it works, and then disable port 22. No one else knows your new SSH port number and those entries stop appearing in your logs.

tomdorrian

Registered
Dec 14, 2010
Hi there,

Yes, I can be more specific. I have Brute Force enabled and someone from Japan tried logging in as root last night (daytime their time); this was emailed to me by the Brute Force protection when the activity happened. This was definitely via root via my IP address and using :2086, so disabling port 22 won't make any difference.

tomdorrian

Registered
Dec 14, 2010
Hi there, this person has additionally tried logging in today and here is the log:

Code:
Apr 14 09:29:54 tiger sshd[9695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
Apr 14 09:29:56 tiger sshd[9695]: Failed password for root from 118.159.231.205 port 54377 ssh2
Apr 14 09:29:58 tiger sshd[9764]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
Apr 14 09:30:00 tiger sshd[9764]: Failed password for root from 118.159.231.205 port 54556 ssh2
Apr 14 09:30:00 tiger sshd[9799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
Good old Brute Force has put a permanent block on his IP address.
Is there anything else I can do to secure my server up?

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
You could use Host Access Control in WHM to limit sshd and whostmgrd logins to your IP address(es) and then deny all other IP addresses. If you do that, then you won't have to worry about them even trying to brute your machine because all IPs that aren't allowed will be blocked from connecting.

To allow your IP(s) and then deny all others for sshd and whostmgrd, you'd put this into WHM > Host Access Control area:

Code:
Daemon      Access List   Action   Comment
sshd        1.2.3.4       allow    My home IP for SSH
sshd        1.2.3.5       allow    My office IP for SSH
sshd        ALL           deny     Deny access from all other IPs for SSH
whostmgrd   1.2.3.4       allow    My home IP for WHM
whostmgrd   1.2.3.5       allow    My office IP for WHM
whostmgrd   ALL           deny     Deny access from all other IPs for WHM
In the above example, 1.2.3.4 and 1.2.3.5 are your IPs to allow for SSH and WHM access. Please note that the order does matter. The deny lines must be below the allow lines. If you deny before you allow, you'll block all IPs on the machine. As such, please ensure that you put your allow lines on top of (above) the deny ones.
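The ordering rule above, as an added Python model (not cPanel's or TCP wrappers' own code): it evaluates a Host Access Control rule list the way /etc/hosts.allow is read, first matching line wins, and a lockout_check helper shows why a deny line placed above the allow lines locks the admin out. The rule sets, the helper names and the supported subset of the hosts_access(5) syntax (ALL, exact IPv4 addresses, trailing-dot network prefixes) are assumptions constructed for this illustration.

```python
"""Simplified first-match model of cPanel Host Access Control rules as they
are written to /etc/hosts.allow. Constructed for illustration: it supports
only the daemon name, 'ALL', exact IPv4 addresses and trailing-dot network
prefixes, not the full hosts_access(5) syntax."""

from typing import List, Tuple

Rule = Tuple[str, str, str]  # (daemon, access_list, action)

def client_matches(pattern: str, client_ip: str) -> bool:
    """Match one access-list token for the subset modelled here:
    ALL, an exact address, or a 'net.' prefix such as '1.2.3.'."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return pattern == client_ip

def evaluate(rules: List[Rule], daemon: str, client_ip: str) -> str:
    """Return 'allow' or 'deny' for a connection. The first rule whose daemon
    and access list both match decides, so a deny-ALL line above the allow
    lines wins for everyone. With no matching rule the connection is allowed,
    the TCP wrappers default when neither hosts file matches."""
    for rule_daemon, access_list, action in rules:
        if rule_daemon not in (daemon, "ALL"):
            continue
        if any(client_matches(p.strip(), client_ip) for p in access_list.split(",")):
            return action
    return "allow"

# Constructed rule set following the layout in the post: allow first, deny last.
CORRECT_ORDER: List[Rule] = [
    ("sshd", "1.2.3.4", "allow"),
    ("sshd", "1.2.3.5", "allow"),
    ("sshd", "ALL", "deny"),
    ("whostmgrd", "1.2.3.4", "allow"),
    ("whostmgrd", "1.2.3.5", "allow"),
    ("whostmgrd", "ALL", "deny"),
]

# The mistake the post warns about: the deny line ahead of the allow lines.
WRONG_ORDER: List[Rule] = [
    ("sshd", "ALL", "deny"),
    ("sshd", "1.2.3.4", "allow"),
]

def lockout_check(rules: List[Rule], daemon: str, admin_ips: List[str]) -> List[str]:
    """Return the admin addresses that `rules` would deny for `daemon`;
    a non-empty result means the rule set locks the admin out."""
    return [ip for ip in admin_ips if evaluate(rules, daemon, ip) == "deny"]

if __name__ == "__main__":
    for ip in ("1.2.3.4", "118.159.231.205"):
        print(ip, evaluate(CORRECT_ORDER, "sshd", ip))
    print("locked out:", lockout_check(WRONG_ORDER, "sshd", ["1.2.3.4"]))
```

Run lockout_check against your own addresses before saving a rule set to WHM, since the only recovery after a bad ordering is console access to edit /etc/hosts.allow.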

chrisnpg

Member
Aug 30, 2006
So is whostmgrd adding these entries via iptables, or is there another file these entries are being placed in?

My question is, what happens if my IP were to change and I cannot access WHM? My only access then would be via console, and I would need to know how and where to update the IP to a new one to regain access to WHM.

Thank you
Chris

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello Chris,

The Host Access Control entries are placed into the /etc/hosts.allow file, for both the allow and deny rules for whostmgrd.

Thanks!