SOLVED New cPanel update cause SSH issue

Discussion in 'General Discussion' started by garconcn, May 15, 2017.

  1. garconcn

    garconcn Well-Known Member

    I have the following code in my ssh /etc/ssh/sshd_config file to allow our internal network to use password authentication.

    Code:
    Match address 192.168.1.0/24
        PasswordAuthentication yes
    However, the new cPanel update added the following line to the bottom of the /etc/ssh/sshd_config file, which caused SSHD to go down because the "Match address" has to be on the bottom of the sshd config file. I've manually moved the "Match address" part to the bottom to fix the issue. I am wondering how to prevent this issue?

    Code:
    DenyGroups      cpaneldemo cpanelsuspended
     
  2. marques4ever

    marques4ever Registered

    Same issue and thanks for the fix!
     
  3. cPanelJasonT

    cPanelJasonT Level 2 Technical Analyst
    Staff Member

    Hello,
    Thanks for bringing this up. The update to cPanel today introduced a change to the ssh configuration in the interest of increasing security. If there are MatchBlock entries in the ssh configuration, the new DenyGroups directive will interrupt the MatchBlock directive, causing configuration syntax errors.
    When this is fixed, you will see case number CPANEL-13176 marked as fixed in the cPanel changelog at changelog.cpanel.net. I apologize for any inconvenience that this has caused.

    In the meantime, as a workaround, removing the new directive, or editing /etc/ssh/sshd_config to allow the new directive to work will allow ssh to work normally again.
     
  4. cPanelJasonT

    cPanelJasonT Level 2 Technical Analyst
    Staff Member

    Hello,
    If you are unable to log into SSH but WHM is accessible, there is a script that will provide a minimal, default configuration of SSH to allow you to log in again. To use this script, you append the following to the url for WHM:

    Code:
    /scripts2/doautofixer?autofix=safesshrestart
    
    For example, if your server's address is 1.2.3.4, this url will provide a temporary ssh instance that will allow login:

    Code:
    https://1.2.3.4:2087/scripts2/doautofixer?autofix=safesshrestart
    
    Take note of the output from running that script, as it may restart ssh on a port other than 22 if somehow the previous ssh instance is still running.
     
    #4 cPanelJasonT, May 15, 2017
    Last edited by a moderator: May 15, 2017
  5. Nahoo

    Nahoo Member

    This shut me out of SSH too... What a great morning I've had... Thanks cPanel!
     
  6. WorkinOnIt

    WorkinOnIt Well-Known Member

    This topic is not resolved!

    Yes - I also just had to deal with this on 4 servers. We also use the MatchBlock directive to limit SSH logins internally.

    The DenyGroups directive that was appended to the bottom of the sshd_config has prevented us from being able to access the server via ssh.

    What is this? DenyGroups cpaneldemo cpanelsuspended

    Is it needed? Is there any documentation on this new directive?

    We had to log in via a datacentre local machine (console) and used VI to edit sshd_config to fix the issue.

    However, it would be great if cPanel could enable the use of the MatchBlock not in the footer - in case of future additional new directives being added during updates - or maybe it's an openssh issue?
     
  7. cPanelJackson

    cPanelJackson Product Owner - cPanel Security Team
    Staff Member

    Hi there,

    The DenyGroups line is necessary to prevent potential abuse for suspended and demo accounts. We currently anticipate publishing an autofixer to remediate any broken ssh configurations by moving this line above any Match blocks in sshd_config. In the future, modifications to the sshd_config will always occur before any Match directives to prevent these sorts of issues.

    DenyGroups cpaneldemo cpanelsuspended can also be manually moved above any Match blocks if you are currently experiencing this issue.
     
  8. RichardDumoulin

    We also got "hit" by this problem. I was lucky enough to get a KVM running or I would have had to drive 4 hours to get to the physical console.

    Thanks for the WHM trick, it may save us also :)

    For "DenyGroups cpaneldemo cpanelsuspended", I have commented out the line.

    Could you please let us know if a fix for it will be released automatically or should I manually fix it?

    A solution could be a "Match all" between the "Match Group" and "DenyGroups cpaneldemo cpanelsuspended"?
     
  9. RichardDumoulin

    Just saw your previous answer... Thanks!

    I just moved the "DenyGroups..." before the "Match Group..." and restarted sshd.
     
  10. cPanelJasonT

    cPanelJasonT Level 2 Technical Analyst
    Staff Member

    Hello,
    Thank you for the feedback. These updates are part of the TSR-2017-003 security update. The information about these updates is scheduled to be released tomorrow. More about this update is available here:

    cPanel TSR-2017-0003 Announcement | cPanel Newsroom

    Typically with TSR updates, they are released with an announcement, then the disclosure is released after a time period to allow vulnerabilities to be fixed before they are explained.

    More information about this will be available when the disclosure is released tomorrow.

    Also, an autofixer script has been created to work around this, which has just been published.

    To fix this, one can either run the cPanel update or go to
    Code:
     https://1.2.3.4:2087/scripts2/doautofixer?autofix=sshd_denygroups
     
  11. RichardDumoulin

    Hi!

    Thanks for the information! I have moved the "Denygroup" to avoid the problem; everything should be fine (for future updates to cPanel and from a security point of view)?
     
  12. eva2000

    eva2000 Well-Known Member

    Why not insert the Denygroup automatically above any detected Match directives (1st instance found for Match)?
     
  13. cPanelNick

    cPanelNick Administrator
    Staff Member

    As part of case CPANEL-13176 (to be released in v66+), the security team responsible for the original update is re-working the code that manages the ssh configuration to ensure a broad range of sshd_config customizations can be handled.

    In the meantime, this was resolved via the auto-fix that was released as part of CPANEL-13178.
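
The manual fix discussed in this thread (moving the `DenyGroups` line above the first `Match` block), written out as shell. This is an added example, not cPanel's autofixer or any poster's code; the function names and the sample config are constructed, and it assumes every `DenyGroups` line below the first `Match` line is a misplaced global directive.

```shell
#!/bin/sh
# Added example (not cPanel's autofixer). Assumption: any DenyGroups line
# below the first Match line is a global directive that was appended late.

# Count DenyGroups lines below the first Match line (0 = nothing to fix).
count_late_denygroups() {
    awk 'tolower($1) == "match" { seen = 1; next }
         seen && tolower($1) == "denygroups" { n++ }
         END { print n + 0 }' "$1"
}

# Print the config with late DenyGroups lines hoisted above the first Match.
# sshd_config keywords are case-insensitive, hence tolower().
hoist_denygroups() {
    awk '
        function ltrim(s) { sub(/^[ \t]+/, "", s); return s }
        { line[NR] = $0 }
        tolower($1) == "match" && !first { first = NR }
        first && tolower($1) == "denygroups" { moved[NR] = 1 }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == first) {
                    for (j = first + 1; j <= NR; j++) {
                        if (j in moved) { print ltrim(line[j]) }
                    }
                }
                if (!(i in moved)) { print line[i] }
            }
        }
    ' "$1"
}

# Constructed sample: the layout from the first post after the update ran.
make_sample() {
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication no
Match address 192.168.1.0/24
    PasswordAuthentication yes
DenyGroups      cpaneldemo cpanelsuspended
EOF
}

cfg=$(mktemp) && make_sample "$cfg"
echo "late DenyGroups lines: $(count_late_denygroups "$cfg")"
hoist_denygroups "$cfg"
rm -f "$cfg"
```

Write the output to a candidate file and check it with `sshd -t -f <candidate>` before it replaces /etc/ssh/sshd_config, and keep an existing session open while sshd restarts.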
     