problems: authentication keys, rkhunter , dovecot-wrap jailexec jailshell

corporathostin (Registered Dec 19, 2013; cPanel Access Level: Root Administrator)
Greetings.

First, I have been a member for a decade. Bad at remembering password emails, so I have had 4 accounts!

my experience and server info:

using cpanel since 2001. have pretty much run servers since 1998, online 1992.

Server using CSF, ModSec, exploit scanner, hardened passwords. Most security items checked and altered to correct security. No user shell or jail shell, no 777 files, Dovecot, Pure-FTPd, non-SFTP. Server has 30 accounts we own.

first

1) Decided to use pub keys. Set it up; works fine as long as we place root in "data" in PuTTY and have #rootlogin yes, with or without "#".

2) Works with authentication "no" in webhostmgr and the SSH config file; works fine as long as #rootlogin yes, with or without "#".

3) When logging in, it says "root" using public key.

4) When we turn off root login, it returns a statement "though key is recognized by server, server is not accepting key" [not exact statement words; it's been 22 hrs].

5) If we change to "#allowrootlogin yes"

6) works flawlessly.

second

7) During the many hours I ran chkrootkit and rkhunter.

rkhunter provided warnings including

warning dovecot-wrap*
warning jailexec*
warning jailshell

these are just "warning"

8) When I checked the files in the directory

/usr/local/cpanel/bin/adduser

9) these are highlighted "red", like a stroke from a red highlighter:

dovecot-wrap*
jailexec*
jailshell

Again, they are all highlighted in "red".

10) I spent 5 hours trying to discover if these files should be highlighted red. I cannot remember ever seeing this.

I checked file chmod/chown.

When I made backups, such as jailshell-backup, they also were in red.

So,

10- any comment on red-highlighter-looking files?

11- with vi/pico, should all three be text script files?

[sounds crazy, but I am that confused; in vi one looks like half binary with text]

12- any comment on SSH keys with root login yes versus no?

Thanks in advance. I could never have operated my own servers w/o this great forum.

rock scarfone
goldsmithworks
 

corporathostin (Registered Dec 19, 2013; cPanel Access Level: Root Administrator)
Meaning and reason these major files have red and yellow highlighted names

Figured I would try here....

I have a post concerning keys, but this portion of that post will assist me greatly.

I have been online since 1992 and have admined servers beginning 1998 -- old blue racks lol...

For some reason unknown to me, though I have "shelled" for 15 years, files in /etc/sbin and other directories are highlighted. 7 hours of search produces no explanation; I simply do not recall even thinking about this.

Root to shell:

cd to directory, say /etc/sbin

ls -la

and the file names are "illuminated green",

except for these:

two are yellow-highlight-marker looking,
the rest red-highlight looking


crontab*
gpasswd*
sudo*
sudoedit*
quota*
passwd*
xorg*
exim
sendmail
suexec
sendmail
crontab

These files vary from red to yellow highlight with white letters.

Highlight, like going over with a highlighter.

Someone put me out of my misery!

And enlighten me!

Thanks in advance
rock
goldsmithworks
 

quizknows (Well-Known Member; Oct 20, 2009; cPanel Access Level: DataCenter Provider)
File highlighting by ls is usually based on your .bashrc or .bash_profile files for the user, or whatever ls is aliased to in your environment. If you type just ls at a prompt, then hit ctrl+alt+e, it will expand and show you what ls is aliased to: usually --color=auto at the least. This trick works to expand any aliased command you've typed in. I.e., ls in my case becomes:

/bin/ls --color=tty -F -a -b -T 0

/usr/local/cpanel/bin/adduser is a symbolic link on my system to /scripts/adduser. Symlinks are often red, blue, or green. Red symlinks may mean a target file is missing.

Code:
[[email protected] ~]# ls -lha /usr/local/cpanel/bin/adduser
lrwxrwxrwx 1 root root 16 Dec 30  2011 /usr/local/cpanel/bin/adduser -> /scripts/adduser*
In my case, the link is blue and target file (/scripts/adduser) green. This means the target is there. If /scripts/adduser is gone, or you're missing your symlink from scripts -> /usr/local/cpanel/scripts/ then this may explain a red symlink.

--

Regarding SSH keys with "PermitRootLogin" setting:

First off, any value in the sshd_config file that's commented out is just showing you the default option for that setting if it were not set. So, PermitRootLogin defaults to yes, which explains why it allows root login if you set "no" but comment it out.

So that being said, PermitRootLogin needs to be on in some fashion to allow root login, be it via password or key. However, there's an option called "PermitRootLogin without-password" which will let your private/public key pair work but not keyboard interactive logins.

--

Verifying a file flagged by rkhunter is pretty easy. Just use rpm -qf on the file to see what RPM owns it, then rpmverify -v $packagename to see if any MD5s changed on the binaries. Sometimes rkhunter just needs the property update run after RPM updates. You can also use "rpm -q --changelog $packagename | head" to see the most recent patches/backports to a binary on a CentOS system.
 
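An added example, not code from the thread or from cPanel, that applies the point above about commented-out sshd_config lines: a small POSIX shell script that reports the PermitRootLogin value sshd will actually enforce (comments are documentation only, first uncommented directive wins, an absent directive means the default) and maps it to a root-login posture. The sample config files are constructed here, and the "yes" default assumes the OpenSSH release discussed in the thread; OpenSSH 7.0 and later default to prohibit-password.

```shell
#!/bin/sh
# Added example (not from the forum thread). Reports the PermitRootLogin value sshd
# uses: '#' lines are ignored (they only show the default), the first uncommented
# directive wins, and with none present the compiled-in default applies
# ("yes" here, per the thread's OpenSSH; 7.0+ defaults to prohibit-password).

# Print the effective global PermitRootLogin value for the sshd_config given as $1.
effective_permit_root_login() {
    val=$(awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank: no setting
        tolower($1) == "match"           { exit }       # later lines are conditional; stop
        tolower($1) == "permitrootlogin" { print tolower($2); exit }  # first match wins
    ' "$1")
    if [ -n "$val" ]; then echo "$val"; else echo "yes"; fi   # absent -> default
}

# Map the value to what it means for the OP's goal: keys for root, no password logins.
root_login_posture() {
    case "$(effective_permit_root_login "$1")" in
        yes)                                echo "password-and-key" ;;
        without-password|prohibit-password) echo "key-only" ;;
        forced-commands-only)               echo "forced-commands-only" ;;
        no)                                 echo "blocked" ;;
        *)                                  echo "unknown" ;;
    esac
}

# Constructed sample configs mirroring the thread: directive commented out (so the
# default "yes" applies), set to "no", and set to "without-password" with a later
# Match block whose setting must not leak into the global value.
CFG_COMMENTED=$(mktemp); CFG_NO=$(mktemp); CFG_KEYONLY=$(mktemp)
trap 'rm -f "$CFG_COMMENTED" "$CFG_NO" "$CFG_KEYONLY"' EXIT
printf '#PermitRootLogin yes\nPasswordAuthentication no\n' > "$CFG_COMMENTED"
printf 'PermitRootLogin no\n#PermitRootLogin yes\n' > "$CFG_NO"
printf 'PermitRootLogin without-password\nMatch User deploy\n  PermitRootLogin no\n' > "$CFG_KEYONLY"

for f in "$CFG_COMMENTED" "$CFG_NO" "$CFG_KEYONLY"; do
    echo "$f: PermitRootLogin=$(effective_permit_root_login "$f") -> $(root_login_posture "$f")"
done
```

Point it at the real file with `effective_permit_root_login /etc/ssh/sshd_config` to confirm the value before relying on a key-only root login.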

cPanelMichael (Administrator, Staff member; Apr 11, 2011)
dovecot-wrap*
jailexec*
jailshell

with vi/pico, should all three be text script files?

[sounds crazy, but I am that confused; in vi one looks like half binary with text]
No, these files are not intended for reading or editing through a text editor.

Thank you.
 

rockscarfone (Member; Aug 30, 2006)

Fantastic.. perfect. Appreciate the detailed answer, plus the education.... rock

- - - Updated - - -

Thanks, I believed that was the case... appreciate the time you took to post.

rock