Receiving SSH login alert emails for user that has shell access disabled

postcd

Well-Known Member
Oct 22, 2010
717
19
68
Hello, i would like to ask if i can anyhow completelly disable shell access to

user. As im receiving emails from config server firewall with subject "SSH login

alert for user USERNAMEHERE from IPHERE" and in the content is "Method:

keyboard-interactive/pam authentication"
while i have disabled SSH access for that cpanel user account in WHM? (i go to

account modiffy page and i see "Shell Access" unticked..

I did commands:
# cat /etc/passwd | grep bfzagjtm
bfzagjtm:x:849:858::/home/bfzagjtm:/usr/local/cpanel/bin/noshell

then i did:
# usermod -s /sbin/nologin bfzagjtm

then again:
# cat /etc/passwd | grep bfzagjtm
bfzagjtm:x:849:858::/home/bfzagjtm:/sbin/nologin

but im still receiving that SSH login emails

here is SSH log:
Code:
# tail /var/log/secure
Mar 10 10:43:28 hostname sshd[1633]: pam_unix(sshd:session): session closed for user bfzagjtm
Mar 10 10:43:53 hostname sshd[6789]: Accepted keyboard-interactive/pam for bfzagjtm from IPHERE port 50383 ssh2
Mar 10 10:43:53 hostname sshd[6789]: pam_unix(sshd:session): session opened for user bfzagjtm by (uid=0)
Mar 10 10:43:53 hostname sshd[6822]: subsystem request for sftp
Mar 10 10:44:55 hostname sshd[6789]: pam_unix(sshd:session): session closed for user bfzagjtm
Mar 10 10:46:00 hostname sshd[8189]: Accepted keyboard-interactive/pam for bfzagjtm from IPHERE port 46570 ssh2
Mar 10 10:46:00 hostname sshd[8189]: pam_unix(sshd:session): session opened for user bfzagjtm by (uid=0)
Mar 10 10:46:01 hostname sshd[8210]: subsystem request for sftp
Mar 10 10:47:03 hostname sshd[8189]: pam_unix(sshd:session): session closed for user bfzagjtm
Mar 10 10:58:29 hostname usermod[16040]: change user 'bfzagjtm' shell from '/usr/local/cpanel/bin/noshell' to '/sbin/nologin'
should i block that IP or can i do anything else?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello,

This is the expected behavior. Upon login, the user will receive a notification such as:

Shell access is not enabled on your account!
If you need shell access please contact support
You can restrict SSH access to specific IP addresses via the "Host Access Control" option in Web Host Manager if you want to block the login completely.

Thank you.