Is it possible to change root access to another user?

Discussion in 'General Discussion' started by tomdorrian, Apr 14, 2011.

  1. tomdorrian

    tomdorrian Registered

    I am looking to change root access so that another user has full access rights and then disable root access as my server is being probed and attacked by hackers. Is it possible to transfer root ownership to another user on the server?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You can't disable root user. You can create another user, for example a reseller account and give that user limited or full access via Reseller Center in WHM. That won't stop the problems you're hoping it will though.

    Can you be more specific? For example if you're seeing in your logs IP addresses attempting to login via SSH on port 22, we change the port SSH uses, make sure it works, and then disable port 22. No one else knows your new SSH port number and those entries stop appearing in your logs.
     
  3. tomdorrian

    tomdorrian Registered

    Hi there,

    Yes, I can be more specific. I have Brute Force enabled and someone from Japan tried logging in as root last night (daytime their time), as this was emailed to me when this activity happened by the Brute Force protection. This was definitely via root via my IP address and using :2086, so disabling port 22 won't make any difference.
     
  4. tomdorrian

    tomdorrian Registered

    Hi there, This person has additionally tried logging in today and here is the log:
    Apr 14 09:29:54 tiger sshd[9695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
    Apr 14 09:29:56 tiger sshd[9695]: Failed password for root from 118.159.231.205 port 54377 ssh2
    Apr 14 09:29:58 tiger sshd[9764]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
    Apr 14 09:30:00 tiger sshd[9764]: Failed password for root from 118.159.231.205 port 54556 ssh2
    Apr 14 09:30:00 tiger sshd[9799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
    Good old Brute Force has put a permanent block on his IP address.
    Is there anything else I can do to secure my server up?
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    That snip of your log shows that the user was trying to log in via SSH, not WHM. This is also quite common.
    Do you have CSF (ConfigServer Security & Firewall) installed as well? If not, you should look into it, IMHO.

    Strong, very hard to guess passwords that you change on a regular basis can also be very helpful.
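
Added example (not part of the thread): a small parser that groups the failed logins in the log excerpt posted above by daemon, source address and user, which makes it explicit that every attempt hit sshd rather than WHM. The function names and the threshold are assumptions chosen for illustration; the sample lines are the ones quoted in the post.

```python
import re

# Log lines as quoted in the post above (syslog format written by sshd/PAM).
SAMPLE_LOG = """\
Apr 14 09:29:54 tiger sshd[9695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
Apr 14 09:29:56 tiger sshd[9695]: Failed password for root from 118.159.231.205 port 54377 ssh2
Apr 14 09:29:58 tiger sshd[9764]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
Apr 14 09:30:00 tiger sshd[9764]: Failed password for root from 118.159.231.205 port 54556 ssh2
Apr 14 09:30:00 tiger sshd[9799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.159.231.205 user=root
"""

# "<timestamp> <host> <daemon>[<pid>]: <message>"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_FAIL = re.compile(r"authentication failure;.*\brhost=(?P<ip>\S+)(?:\s+user=(?P<user>\S+))?")
PW_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def failed_logins(log_text):
    """Return {(daemon, ip, user): set of PIDs}. One sshd PID is one connection."""
    attempts = {}
    for line in log_text.splitlines():
        head = LINE.match(line.strip())
        if not head:
            continue  # not a syslog-style line; ignore it
        hit = PAM_FAIL.search(head["msg"]) or PW_FAIL.search(head["msg"])
        if hit:
            key = (head["daemon"], hit["ip"], hit["user"] or "?")
            attempts.setdefault(key, set()).add(head["pid"])
    return attempts


def over_threshold(attempts, limit):
    """Keys with at least `limit` separate failed connections (limit is an assumption)."""
    return sorted(key for key, pids in attempts.items() if len(pids) >= limit)


if __name__ == "__main__":
    for (daemon, ip, user), pids in failed_logins(SAMPLE_LOG).items():
        print(f"{daemon}: {len(pids)} failed connections from {ip} as {user}")
```
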
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You could use Host Access Control in WHM to limit sshd and whostmgrd logins to your IP address(es) and then deny all other IP addresses. If you do that, then you won't have to worry about them even trying to brute your machine because all IPs that aren't allowed will be blocked from connecting.

    To allow your IP(s) and then deny all others for sshd and whostmgrd, you'd put this into WHM > Host Access Control area:

    Code:
    Daemon     Access List  Action  Comment
    sshd       1.2.3.4      allow   My home IP for SSH
    sshd       1.2.3.5      allow   My office IP for SSH
    sshd       ALL          deny    Deny access from all other IPs for SSH
    whostmgrd  1.2.3.4      allow   My home IP for WHM
    whostmgrd  1.2.3.5      allow   My office IP for WHM
    whostmgrd  ALL          deny    Deny access from all other IPs for WHM
    In the above example, 1.2.3.4 and 1.2.3.5 are your IPs to allow for SSH and WHM access. Please note that the order does matter. The deny lines must be below the allow lines. If you deny before you allow, you'll block all IPs on the machine. As such, please ensure that you put your allow lines on top of (above) the deny ones.
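
Added example (not part of the post, and not cPanel's code): a simplified model of first-match rule evaluation, the behaviour of tcp_wrappers-style access lists, applied to the table above to show why the deny lines must come last and what happens to an address that is not listed. The function names are hypothetical; the rules are the ones from the post.

```python
# Rules from the post above, in the order they are entered: (daemon, client, action).
HOST_ACCESS_RULES = [
    ("sshd", "1.2.3.4", "allow"),
    ("sshd", "1.2.3.5", "allow"),
    ("sshd", "ALL", "deny"),
    ("whostmgrd", "1.2.3.4", "allow"),
    ("whostmgrd", "1.2.3.5", "allow"),
    ("whostmgrd", "ALL", "deny"),
]

# Same rules with every deny line moved above the allow lines (the mistake warned about).
DENY_FIRST = sorted(HOST_ACCESS_RULES, key=lambda rule: rule[2] != "deny")


def client_matches(pattern, ip):
    """ALL matches anything; a pattern ending in '.' matches an address prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern == ip


def decide(rules, daemon, ip):
    """Return (action, rule number) of the first matching rule; first match wins."""
    for number, (rule_daemon, pattern, action) in enumerate(rules, start=1):
        if rule_daemon in (daemon, "ALL") and client_matches(pattern, ip):
            return action, number
    return "allow", None  # nothing matched: tcp_wrappers grants access by default


def locked_out(rules, admin_ips):
    """List (daemon, ip) pairs that the rule set would deny for the given admin IPs."""
    daemons = list(dict.fromkeys(rule[0] for rule in rules))
    return [(d, ip) for d in daemons for ip in admin_ips
            if decide(rules, d, ip)[0] == "deny"]


if __name__ == "__main__":
    admins = ["1.2.3.4", "1.2.3.5"]
    print("correct order, locked out:", locked_out(HOST_ACCESS_RULES, admins))
    print("deny first, locked out:  ", locked_out(DENY_FIRST, admins))
    print("unlisted address:        ", locked_out(HOST_ACCESS_RULES, ["1.2.3.99"]))
```

Running `locked_out` against the rule list before saving it is a quick check that the addresses you administer from are still admitted.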
     
  7. chrisnpg

    chrisnpg Member

    So is whostmgrd adding these entries via IPtables or is there another file these entries are being placed?

    My question is, what happens if my IP were to change and cannot access WHM? My only access then would be via console and would need to know how and where to update the IP to a new one to regain access to WHM.

    Thank you
    Chris
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello Chris,

    The Host Access Control entries are placed into the /etc/hosts.allow file for both the allow and deny rules for whostmgrd.

    Thanks!
     