Jailed Shell and Root Logins

When you say you cannot access them, what error are you seeing is it a 403, 500, etc?

You cannot log directly into SSH using the user root, you would need to log in as a cPanel user or some other linux user and 'su' into root. This is safe as it completely nulls the ability for someone to log into your server using root which means they now have full control over your server. There are many things you can do security wise and many different opinions out there, for me personally I allow direct root logins but I disable password authentication and change the default SSH port. You would need to generate an SSH key to log in via SSH using this method but its very secure and completely eliminates someones ability to brute force your root password. If you are the only one who is going to be logging into SSH, you could even take it a step further and just close the SSH port and whitelist your IP in the firewall which completely eliminates all threats since that port is no longer accessible from the outside world.

 

Can you run this in SSH and let me know what it shows:

Code:

/usr/local/cpanel/bin/rebuild_phpconf --current

Do you mean root access via WHM, if so, then no, disabling it for SSH is strictly for SSH not WHM.

Nope, any port under 65535

 

You are running suphp which is why enabling the setting in Tweak Settings is breaking your sites, in order to use it you have to be running DSO. Go into WHM:

• Home » Service Configuration » Configure PHP and suEXEC

For "PHP 5 Handler" switch it to DSO.

When the screen refreshes, it should say "Apache Ruid2" installed and DSO. Now you should be switch back to jailed shell. Keep in mind DSO requires a good amount of memory compared to suphp.

You would log into SSH as a cPanel user or other Linux user, then run the command 'su' it will ask for your root password, that will log you in as root.

 

That security isn't specifically for reseller accounts, its for cPanel accounts in general, it prevents them from being able to possibly exploit other accounts if say one of the cPanel accounts were compromised, and in worse case scenarios allowing them to root the server. The safest thing you could do is just disable shell access entirely for the cPanel users. You could also go with CloudLinux which is the best option because of cagefs and many other features they have.

 

I have these exact issues as well, so I want to be sure I have this right.

1. I do want to have root access, so I followed jcats suggestions regarding disabling password auth, generating a key with password, closed all ports and whitelisted my ip:

So if I understand this correctly, even if someone was able to spoof my IP somehow, they would still need the key and the password for the key on top of that, right? That would seem pretty rock solid. This would also mean I can ignore that warning, right?

2. All users do NOT have shell access (and don't foresee that ever happening as I control everything). Can I safely ignore the jailshell warning?