
Jailed Shell and Root Logins

Discussion in 'Security' started by tryingwebman, Sep 28, 2015.

  1. tryingwebman

    I have 2 security alerts left in my panel.

    Apache vhosts are not segmented or chroot()ed. Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”

    When I turn on jailed shell access for the user I can no longer access any of my sites. Am I doing it wrong?

    SSH direct root logins are permitted. Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “no”, then restart SSH in the “Restart SSH” area

    Are there any negative consequences of doing this?
     
    #1 tryingwebman, Sep 28, 2015
    Last edited by a moderator: Oct 2, 2015
  2. Jcats

    When you say you cannot access them, what error are you seeing? Is it a 403, 500, etc.?

    You cannot log directly into SSH using the user root, you would need to log in as a cPanel user or some other Linux user and 'su' into root. This is safe as it completely nulls the ability for someone to log into your server using root which means they now have full control over your server. There are many things you can do security-wise and many different opinions out there, for me personally I allow direct root logins but I disable password authentication and change the default SSH port. You would need to generate an SSH key to log in via SSH using this method but it's very secure and completely eliminates someone's ability to brute force your root password. If you are the only one who is going to be logging into SSH, you could even take it a step further and just close the SSH port and whitelist your IP in the firewall which completely eliminates all threats since that port is no longer accessible from the outside world.
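
The following script is an added example, not part of the thread or of cPanel's tooling. It reads an sshd_config file and classifies root SSH exposure from the PermitRootLogin and PasswordAuthentication settings discussed above; the function names, the sample files and port 2222 are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread). Sample configs below are constructed.

# Print the first global value of keyword $1 in sshd_config file $2, or "unset".
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and everything after a Match line is conditional.
sshd_value() {
    awk -v key="$1" '
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comments, allow Key=Value
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# Classify root SSH exposure for config file $1.
# Limitation: keyboard-interactive (PAM) authentication is not inspected.
root_login_status() {
    _root=$(sshd_value PermitRootLogin "$1")
    _pass=$(sshd_value PasswordAuthentication "$1")
    case "$_root" in
        no) echo "root-disabled" ;;
        without-password|prohibit-password|forced-commands-only)
            echo "root-key-only" ;;
        *)  # "yes" or unset. Unset is treated like yes, the conservative
            # reading, since the compiled-in default varies by OpenSSH version.
            if [ "$_pass" = "no" ]; then echo "root-key-only"
            else echo "root-password-allowed"; fi ;;
    esac
}

tmp=$(mktemp -d)
# Constructed sample 1: the state the WHM alert complains about.
printf '%s\n' 'Port 22' '#PermitRootLogin no' 'PermitRootLogin yes' > "$tmp/alert"
# Constructed sample 2: root allowed, keys only, non-default port.
printf '%s\n' 'port 2222' 'PermitRootLogin yes' 'PasswordAuthentication no' \
    'PermitRootLogin no   # ignored: first value wins' > "$tmp/keys"
# Constructed sample 3: the fix the alert asks for.
printf '%s\n' 'PermitRootLogin no' > "$tmp/noroot"

for f in alert keys noroot; do
    echo "$f: port=$(sshd_value Port "$tmp/$f") $(root_login_status "$tmp/$f")"
done
```

On a live server, `sshd -T` prints the effective configuration, including compiled-in defaults and included files, and is the authoritative check.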
     
  3. tryingwebman

    When I enable Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell and then add my reseller account to Jailed shell access, my sites give:

    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator at server@domain.domain.com to inform them of the time this error occurred, and the actions you performed just before this error.

    More information about this error may be available in the server error log.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    -------

    I may be being naive here, but if I disabled the root login, that would also mean I can't log in as root either? I really like the idea of whitelisting my IP and closing ports, but I may log in from another location so I can't do that. I'll look into changing my port. Would this be any port under 1024?
     
  4. Jcats

    Can you run this in SSH and let me know what it shows:
    Code:
    /usr/local/cpanel/bin/rebuild_phpconf --current
    Do you mean root access via WHM? If so, then no, disabling it for SSH is strictly for SSH, not WHM.

    Nope, any port under 65535
     
  5. tryingwebman

    Running that shows:

    root@server1 [~]# /usr/local/cpanel/bin/rebuild_phpconf --current

    Available handlers: suphp dso cgi none

    DEFAULT PHP: 5

    PHP4 SAPI: none

    PHP5 SAPI: suphp

    SUEXEC: enabled

    RUID2: enabled

    ---

    I mean root access to both. If I turn it off via SSH, how will I turn it back on if I require it again?

    ---

    OK, I'll look into that soon.

    Thank you again, Jcats. I'd still be at the starting point if it wasn't for you!
     
  6. Jcats

    You are running suphp, which is why enabling the setting in Tweak Settings is breaking your sites; in order to use it you have to be running DSO. Go into WHM:
    • Home » Service Configuration » Configure PHP and suEXEC
    For "PHP 5 Handler" switch it to DSO.

    When the screen refreshes, it should say "Apache Ruid2" installed and DSO. Now you should be able to switch back to jailed shell. Keep in mind DSO requires a good amount of memory compared to suphp.

    You would log into SSH as a cPanel user or other Linux user, then run the command 'su'. It will ask for your root password, and that will log you in as root.
     
    #6 Jcats, Sep 28, 2015
    Last edited by a moderator: Oct 2, 2015
  7. tryingwebman

    If I'm the only reseller account on the server, is it really necessary? As I'd rather keep the extra memory.

    I see! That clears that up.

    Thanks jcats
     
    #7 tryingwebman, Sep 28, 2015
    Last edited by a moderator: Oct 2, 2015
  8. Jcats

    That security isn't specifically for reseller accounts, it's for cPanel accounts in general. It prevents them from being able to possibly exploit other accounts if, say, one of the cPanel accounts were compromised, and in worst-case scenarios allowing them to root the server. The safest thing you could do is just disable shell access entirely for the cPanel users. You could also go with CloudLinux, which is the best option because of CageFS and many other features they have.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    It's important to note that suPHP and Mod_Ruid2 are not compatible. More information is available at:

    Mod_Ruid2 Considerations

    Thank you.
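
The following script is an added example, not part of the thread or of cPanel's tooling. It parses `rebuild_phpconf --current` output in the format posted earlier in the thread and flags the handler mismatch diagnosed above; the function names are hypothetical, and the rule that Mod_Ruid2 needs the DSO handler is taken from the replies in this thread.

```bash
#!/bin/sh
# Added example (not from the thread's authors).

# Sample input, constructed from the output posted in this thread.
sample_output() {
cat <<'EOF'
Available handlers: suphp dso cgi none
DEFAULT PHP: 5
PHP4 SAPI: none
PHP5 SAPI: suphp
SUEXEC: enabled
RUID2: enabled
EOF
}

# Read `rebuild_phpconf --current` output on stdin and print one verdict:
#   ruid2-off            Mod_Ruid2 is not reported as enabled
#   ok                   every PHP handler is dso or none
#   conflict: PHPn=...   a handler other than dso is active alongside RUID2
ruid2_handler_check() {
    awk -F': *' '
        { gsub(/[ \t\r]+$/, "") }               # tolerate trailing whitespace
        /^PHP[0-9]+ SAPI:/ {
            split($1, name, " ")                # "PHP5 SAPI" -> "PHP5"
            if ($2 != "dso" && $2 != "none") bad = bad " " name[1] "=" $2
        }
        /^RUID2:/ { ruid2 = $2 }
        END {
            if (ruid2 != "enabled") print "ruid2-off"
            else if (bad != "")     print "conflict:" bad
            else                    print "ok"
        }'
}

sample_output | ruid2_handler_check
```

On the server itself, pipe the real command into the function: `/usr/local/cpanel/bin/rebuild_phpconf --current | ruid2_handler_check`.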
     
  10. davellan

    I have these exact issues as well, so I want to be sure I have this right.

    1. I do want to have root access, so I followed Jcats' suggestions regarding disabling password auth, generating a key with password, closed all ports and whitelisted my IP:

    So if I understand this correctly, even if someone was able to spoof my IP somehow, they would still need the key and the password for the key on top of that, right? That would seem pretty rock solid. This would also mean I can ignore that warning, right?

    2. All users do NOT have shell access (and don't foresee that ever happening as I control everything). Can I safely ignore the jailshell warning?
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Yes, that's true. This thread is useful if you want to secure SSH on your system:

    [Tutorial] Interested in increasing the security of your server? Read this. (sshd hardening)

    One of the purposes of this option is to help prevent Apache symlink attacks. You can implement one of the alternatives listed at:

    Symlink Race Condition Protection - EasyApache - cPanel Documentation

    Thank you.
     