The Community Forums


Problems: authentication keys, rkhunter, dovecot-wrap, jailexec, jailshell

Discussion in 'Security' started by corporathostin, Dec 19, 2013.

  1. corporathostin

    corporathostin Registered

    cPanel Access Level:
    Root Administrator
    Greetings.

    First, I have been a member for a decade. I am bad at remembering passwords and emails, so I have had 4 accounts!

    My experience and server info:

    Using cPanel since 2001. Have pretty much run servers since 1998, online since 1992.

    Server using CSF, ModSec, exploit scanner, hardened passwords. Most security items checked and altered to correct security. No user shell or jail shell, no 777 files, Dovecot, Pure-FTPd, non-SFTP. Server has 30 accounts we own.

    First

    1) Decided to use public keys. Set it up; works fine as long as we place root in "data" in PuTTY and have #rootlogin yes, with or without the "#".

    2) Works with authentication "no" in WebHost Manager, and the SSH config file works fine as long as #rootlogin yes, with or without the "#".

    3) When logging in, it says "root" using public key.

    4) When we turn off root login, it returns a statement "though key is recognized by server, server is not accepting key" [not the exact statement words, it has been 22 hrs].

    5) If we change to "#allowrootlogin yes"

    6) it works flawlessly.

    Second

    7) During the many hours I ran chkrootkit and rkhunter.

    rkhunter provided warnings including

    warning dovecot-wrap*
    warning jailexec*
    warning jailshell

    These are just "warning".

    8) When I checked the files in the directory

    /usr/local/cpanel/bin/adduser

    9) these are highlighted "red", like a stroke from a red highlighter:

    dovecot-wrap*
    jailexec*
    jailshell

    Again, they are all highlighted in "red".

    10) I spent 5 hours trying to discover if these files should be highlighted red. I cannot remember ever seeing this.

    I checked file chmod/chown.

    When I made backups, such as jailshell-backup, they also were in red.

    So,

    10- Any comment on the red-highlighted-looking files?

    11- With vi/pico, should all three be text script files?

    [Sounds crazy, but I am that confused; in vi one looks like half binary with text.]

    12- Any comment on shell keys with root login yes versus no?

    Thanks in advance. I could never have operated my own servers without this great forum.

    rock scarfone
    goldsmithworks
     
  2. corporathostin

    corporathostin Registered

    cPanel Access Level:
    Root Administrator
    Meaning and reason these major files have red and yellow highlighted names

    Figured I would try here....

    I have a post concerning keys, but this portion of that post will assist me greatly.

    I have been online since 1992 and have administered servers beginning 1998 -- old blue racks, lol...

    For some reason unknown to me, though I have "shelled" for 15 years, files in /etc/sbin and other directories are highlighted. 7 hours of searching produces no explanation; I simply do not recall even thinking about this.

    Root to shell

    cd to directory, say /etc/sbin

    ls -la

    and the file names are "illuminated green",

    except for these:

    two are yellow highlight marker looking,
    the rest red highlight looking


    crontab*
    gpasswd*
    sudo*
    sudoedit*
    quota*
    passwd*
    xorg*
    exim
    sendmail
    suexec
    sendmail
    crontab

    These files vary from red to yellow highlight with white letters,

    highlight, like going over with a highlighter.

    Someone put me out of my misery!

    And enlighten me!

    Thanks in advance
    rock
    goldsmithworks
     
  3. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    File highlighting by ls is usually based on your .bashrc or .bash_profile files for the user, or whatever ls is aliased to in your environment. If you type just ls at a prompt, then hit ctrl+alt+e, it will expand and show you what ls is aliased to. Usually --color=auto at the least. This trick works to expand any aliased commands you've typed in. I.e., ls in my case becomes:

    /bin/ls --color=tty -F -a -b -T 0

    /usr/local/cpanel/bin/adduser is a symbolic link on my system to /scripts/adduser. Symlinks are often red, blue, or green. Red symlinks may mean a target file is missing.

    Code:
    [root@new ~]# ls -lha /usr/local/cpanel/bin/adduser
    lrwxrwxrwx 1 root root 16 Dec 30  2011 /usr/local/cpanel/bin/adduser -> /scripts/adduser*
     
    In my case, the link is blue and the target file (/scripts/adduser) green. This means the target is there. If /scripts/adduser is gone, or you're missing your symlink from scripts -> /usr/local/cpanel/scripts/, then this may explain a red symlink.

    --

    Regarding SSH keys with "PermitRootLogin" setting:

    First off, any value in the sshd_config file that's commented out is just showing you the default option for that setting if it were not set. So, PermitRootLogin defaults to yes, which explains why it allows root login if you set "no" but comment it out.

    So that being said, PermitRootLogin needs to be on in some fashion to allow root login, be it via password or key. However, there's an option called "PermitRootLogin without-password" which will let your private/public key pair work but not keyboard interactive logins.

    --

    Verifying a file flagged by rkhunter is pretty easy. Just use rpm -qf on the file to see what RPM owns it, then rpmverify -v $packagename to see if any MD5s changed on the binaries. Sometimes rkhunter just needs the property update run after RPM updates. You can also use "rpm -q --changelog $packagename | head" to see the most recent patches/backports to a binary on a CentOS system.
     
    #3 quizknows, Dec 22, 2013
    Last edited: Dec 22, 2013
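    Added example (not code from the thread or from cPanel): the two checks quizknows describes, the dangling-symlink test behind a "red" ls entry and the rpm -qf / rpm -V ownership check, written as POSIX shell functions. The "good", "bad" and "adduser" names are constructed in a temp directory; the /bin/ls lookup at the end is only a demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): the two checks quizknows describes,
# as shell functions. classify_link reports whether a path is a dangling
# symlink (what ls --color normally paints red); verify_rpm_owner asks RPM
# which package owns a file and whether its recorded digest still matches.
# The demo paths at the bottom are constructed in a temp directory.

# Prints one of: regular, link-ok, link-dangling, missing
classify_link() {
    p=$1
    if [ -L "$p" ]; then
        # -e follows the link, so it is false when the target is gone
        if [ -e "$p" ]; then echo "link-ok"; else echo "link-dangling"; fi
    elif [ -e "$p" ]; then
        echo "regular"
    else
        echo "missing"
    fi
}

# Prints rpm-unavailable, not-packaged, verified:<pkg> or changed:<pkg>:<flags>
verify_rpm_owner() {
    f=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm-unavailable"; return 0; }
    pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "not-packaged"; return 0; }
    # rpm -V (same check as rpmverify) prints a line only for attributes
    # that differ; a "5" in the flags column means the file digest changed.
    out=$(rpm -V "$pkg" 2>/dev/null | grep -F -- " $f" || true)
    if [ -z "$out" ]; then echo "verified:$pkg"; else echo "changed:$pkg:$out"; fi
}

# Constructed demo (hypothetical names; nothing on the real system is touched):
# "good" mirrors /usr/local/cpanel/bin/adduser -> /scripts/adduser with the
# target present; "bad" is the red-symlink case where the target is missing.
demo_dir=$(mktemp -d)
: > "$demo_dir/adduser"
ln -s "$demo_dir/adduser" "$demo_dir/good"
ln -s "$demo_dir/does-not-exist" "$demo_dir/bad"

for name in good bad adduser; do
    printf '%s: %s\n' "$name" "$(classify_link "$demo_dir/$name")"
done
verify_rpm_owner /bin/ls
```

    On a box where rpm -V reports a changed digest for a cPanel-managed binary, compare against rkhunter's stored properties before assuming tampering; cPanel updates outside RPM are the usual benign cause of the warning.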
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    No, these files are not intended for reading or editing through a text editor.

    Thank you.
     
  5. rockscarfone

    rockscarfone Member

    Fantastic... perfect. Appreciate the detailed answer, plus the education.... rock

    - - - Updated - - -

    Thanks, I believed that was the case... appreciate the time you took to post.

    rock
     