Jailed Shell and Root Logins

[tryingwebman]

I have 2 security alerts left in my panel.

Apache vhosts are not segmented or chroot()ed.Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”

When i turn on jailed shell access for the user i can no longer access any of my sites. Am i doing it wrong?

SSH direct root logins are permitted.Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “no”, then restart SSH in the “Restart SSH” area

Are there any negative consequences of doing this?

 

[Jcats]

When i turn on jailed shell access for the user i can no longer access any of my sites. Am i doing it wrong?

When you say you cannot access them, what error are you seeing is it a 403, 500, etc?

SSH direct root logins are permitted.Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “no”, then restart SSH in the “Restart SSH” area

You cannot log directly into SSH using the user root, you would need to log in as a cPanel user or some other linux user and 'su' into root. This is safe as it completely nulls the ability for someone to log into your server using root which means they now have full control over your server. There are many things you can do security wise and many different opinions out there, for me personally I allow direct root logins but I disable password authentication and change the default SSH port. You would need to generate an SSH key to log in via SSH using this method but its very secure and completely eliminates someones ability to brute force your root password. If you are the only one who is going to be logging into SSH, you could even take it a step further and just close the SSH port and whitelist your IP in the firewall which completely eliminates all threats since that port is no longer accessible from the outside world.

 

[tryingwebman]

When you say you cannot access them, what error are you seeing is it a 403, 500, etc?


You cannot log directly into SSH using the user root, you would need to log in as a cPanel user or some other linux user and 'su' into root. This is safe as it completely nulls the ability for someone to log into your server using root which means they now have full control over your server. There are many things you can do security wise and many different opinions out there, for me personally I allow direct root logins but I disable password authentication and change the default SSH port. You would need to generate an SSH key to log in via SSH using this method but its very secure and completely eliminates someones ability to brute force your root password. If you are the only one who is going to be logging into SSH, you could even take it a step further and just close the SSH port and whitelist your IP in the firewall which completely eliminates all threats since that port is no longer accessible from the outside world.

When i enable Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell and then add my reseller account to Jailed shell access my sites give.

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at [email protected] to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

-------

I may be being nieve here but if i disabled the root login that would also mean i can't login as root either? I really like the idea of whitelisting my IP and closing ports but i may login from another location so i can't do that. Ill look into change my port would this be any port under 1024?

 

[Jcats]

Can you run this in SSH and let me know what it shows:

/usr/local/cpanel/bin/rebuild_phpconf --current

I may be being nieve here but if i disabled the root login that would also mean i can't login as root either

Do you mean root access via WHM, if so, then no, disabling it for SSH is strictly for SSH not WHM.

Ill look into change my port would this be any port under 1024?

Nope, any port under 65535

 

[tryingwebman]

Can you run this in SSH and let me know what it shows:

/usr/local/cpanel/bin/rebuild_phpconf --current

Do you mean root access via WHM, if so, then no, disabling it for SSH is strictly for SSH not WHM.


Nope, any port under 65535

Running that shows.

[email protected] [~]# /usr/local/cpanel/bin/rebuild_phpconf --current

Available handlers: suphp dso cgi none

DEFAULT PHP: 5

PHP4 SAPI: none

PHP5 SAPI: suphp

SUEXEC: enabled

RUID2: enabled

---

I mean root access to both if i turn it off via SSH how will i turn it back on if i require it again?

---

Ok ill look into that soon

Thanks you again jcats id still be at the starting point if it wasn't for you!

 

[Jcats]

You are running suphp which is why enabling the setting in Tweak Settings is breaking your sites, in order to use it you have to be running DSO. Go into WHM:

• Home » Service Configuration » Configure PHP and suEXEC

For "PHP 5 Handler" switch it to DSO.

When the screen refreshes, it should say "Apache Ruid2" installed and DSO. Now you should be switch back to jailed shell. Keep in mind DSO requires a good amount of memory compared to suphp.

I mean root access to both if i turn it off via SSH how will i turn it back on if i require it again?

You would log into SSH as a cPanel user or other Linux user, then run the command 'su' it will ask for your root password, that will log you in as root.

 

[tryingwebman]

You are running suphp which is why enabling the setting in Tweak Settings is breaking your sites, in order to use it you have to be running DSO. Go into WHM:

• Home » Service Configuration » Configure PHP and suEXEC

For "PHP 5 Handler" switch it to DSO.

When the screen refreshes, it should say "Apache Ruid2" installed and DSO. Now you should be switch back to jailed shell. Keep in mind DSO requires a good amount of memory compared to suphp.


You would log into SSH as a cPanel user or other Linux user, then run the command 'su' it will ask for your root password, that will log you in as root.

If I'm the only reseller account on the server is it really necessary? As id rather keep the extra memory.

I see! that clears that up.

Thanks jcats

 

[Jcats]

That security isn't specifically for reseller accounts, its for cPanel accounts in general, it prevents them from being able to possibly exploit other accounts if say one of the cPanel accounts were compromised, and in worse case scenarios allowing them to root the server. The safest thing you could do is just disable shell access entirely for the cPanel users. You could also go with CloudLinux which is the best option because of cagefs and many other features they have.

 

[cPanelMichael]

[email protected] [~]# /usr/local/cpanel/bin/rebuild_phpconf --current

Available handlers: suphp dso cgi none

DEFAULT PHP: 5

PHP4 SAPI: none

PHP5 SAPI: suphp

SUEXEC: enabled

RUID2: enabled

Hello

It's important to note that suPHP and Mod_Ruid2 are not compatible. More information is available at:

Mod_Ruid2 Considerations

Thank you.

 

[davellan]

I have these exact issues as well, so I want to be sure I have this right.

1. I do want to have root access, so I followed jcats suggestions regarding disabling password auth, generating a key with password, closed all ports and whitelisted my ip:

You cannot log directly into SSH using the user root, you would need to log in as a cPanel user or some other linux user and 'su' into root. This is safe as it completely nulls the ability for someone to log into your server using root which means they now have full control over your server. There are many things you can do security wise and many different opinions out there, for me personally I allow direct root logins but I disable password authentication and change the default SSH port. You would need to generate an SSH key to log in via SSH using this method but its very secure and completely eliminates someones ability to brute force your root password. If you are the only one who is going to be logging into SSH, you could even take it a step further and just close the SSH port and whitelist your IP in the firewall which completely eliminates all threats since that port is no longer accessible from the outside world.

So if I understand this correctly, even if someone was able to spoof my IP somehow, they would still need the key and the password for the key on top of that, right? That would seem pretty rock solid. This would also mean I can ignore that warning, right?

2. All users do NOT have shell access (and don't foresee that ever happening as I control everything). Can I safely ignore the jailshell warning?

 

[cPanelMichael]

So if I understand this correctly, even if someone was able to spoof my IP somehow, they would still need the key and the password for the key on top of that, right? That would seem pretty rock solid.

Hello

Yes, that's true. This thread is useful if you want to secure SSH on your system:

[Tutorial] Interested in increasing the security of your server? Read this. (sshd hardening)

2. All users do NOT have shell access (and don't foresee that ever happening as I control everything). Can I safely ignore the jailshell warning?

One of the purposes of this option is to help prevent Apache symlink attacks. You can implement one of the alternatives listed at:

Symlink Race Condition Protection - EasyApache - cPanel Documentation

Thank you.