
Receiving SSH login alert emails for user that has shell access disabled

Discussion in 'Security' started by postcd, Mar 12, 2015.

  1. postcd

    postcd Well-Known Member

    Hello, I would like to ask if I can somehow completely disable shell access for a user. I'm receiving emails from ConfigServer Firewall with the subject "SSH login alert for user USERNAMEHERE from IPHERE", and the content is "Method: keyboard-interactive/pam authentication", while I have disabled SSH access for that cPanel user account in WHM (I go to the account modify page and I see "Shell Access" unticked).

    I ran these commands:
    # cat /etc/passwd | grep bfzagjtm
    bfzagjtm:x:849:858::/home/bfzagjtm:/usr/local/cpanel/bin/noshell

    Then I ran:
    # usermod -s /sbin/nologin bfzagjtm

    Then again:
    # cat /etc/passwd | grep bfzagjtm
    bfzagjtm:x:849:858::/home/bfzagjtm:/sbin/nologin

    But I'm still receiving those SSH login emails.

    Here is the SSH log:
    Code:
    # tail /var/log/secure
    Mar 10 10:43:28 hostname sshd[1633]: pam_unix(sshd:session): session closed for user bfzagjtm
    Mar 10 10:43:53 hostname sshd[6789]: Accepted keyboard-interactive/pam for bfzagjtm from IPHERE port 50383 ssh2
    Mar 10 10:43:53 hostname sshd[6789]: pam_unix(sshd:session): session opened for user bfzagjtm by (uid=0)
    Mar 10 10:43:53 hostname sshd[6822]: subsystem request for sftp
    Mar 10 10:44:55 hostname sshd[6789]: pam_unix(sshd:session): session closed for user bfzagjtm
    Mar 10 10:46:00 hostname sshd[8189]: Accepted keyboard-interactive/pam for bfzagjtm from IPHERE port 46570 ssh2
    Mar 10 10:46:00 hostname sshd[8189]: pam_unix(sshd:session): session opened for user bfzagjtm by (uid=0)
    Mar 10 10:46:01 hostname sshd[8210]: subsystem request for sftp
    Mar 10 10:47:03 hostname sshd[8189]: pam_unix(sshd:session): session closed for user bfzagjtm
    Mar 10 10:58:29 hostname usermod[16040]: change user 'bfzagjtm' shell from '/usr/local/cpanel/bin/noshell' to '/sbin/nologin'
    Should I block that IP, or can I do anything else?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is the expected behavior. Upon login, the user will receive a notification such as:

    You can restrict SSH access to specific IP addresses via the "Host Access Control" option in Web Host Manager if you want to block the login completely.

    Thank you.
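
Added example, not part of the thread or of cPanel's code: a Python sketch that pairs each `Accepted` line in an sshd log with a following `subsystem request` line, to show whether logins like the ones in the posted log were SFTP sessions. The sample lines are constructed in the format of that log (the 192.0.2.x addresses and the user `alice` are made up), and attributing a subsystem request to the newest open session is a heuristic.

```python
import re

# Constructed sample in the format of the /var/log/secure excerpt in the post;
# the addresses and the second user are invented for illustration.
SAMPLE = """\
Mar 10 10:43:53 hostname sshd[6789]: Accepted keyboard-interactive/pam for bfzagjtm from 192.0.2.10 port 50383 ssh2
Mar 10 10:43:53 hostname sshd[6789]: pam_unix(sshd:session): session opened for user bfzagjtm by (uid=0)
Mar 10 10:43:53 hostname sshd[6822]: subsystem request for sftp
Mar 10 10:44:55 hostname sshd[6789]: pam_unix(sshd:session): session closed for user bfzagjtm
Mar 10 10:50:10 hostname sshd[9001]: Accepted password for alice from 192.0.2.20 port 40000 ssh2
Mar 10 10:50:10 hostname sshd[9001]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 10 10:52:00 hostname sshd[9001]: pam_unix(sshd:session): session closed for user alice
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port \d+")
SUBSYS = re.compile(r"^subsystem request for (\S+)")
CLOSED = re.compile(r"session closed for user (\S+)")

def classify_logins(log_text):
    """Return one record per accepted login, with the subsystem (if any) it requested."""
    sessions, open_by_pid = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd line (e.g. the usermod entry)
        when, pid, msg = m.groups()
        if (a := ACCEPT.match(msg)):
            rec = {"time": when, "user": a[2], "ip": a[3],
                   "method": a[1], "subsystem": None}
            sessions.append(rec)
            open_by_pid[pid] = rec
        elif (s := SUBSYS.match(msg)):
            # This line carries a different PID than the "Accepted" line, so
            # attach it to the newest open session without a subsystem (heuristic).
            for rec in reversed(list(open_by_pid.values())):
                if rec["subsystem"] is None:
                    rec["subsystem"] = s[1]
                    break
        elif CLOSED.search(msg):
            open_by_pid.pop(pid, None)  # ignore closes with no matching accept
    return sessions

if __name__ == "__main__":
    for r in classify_logins(SAMPLE):
        kind = r["subsystem"] or "no subsystem request logged"
        print(f'{r["time"]} {r["user"]} from {r["ip"]} via {r["method"]}: {kind}')
```

A record with `subsystem` set to `sftp` is a file-transfer session; one with no subsystem logged needs a closer look before it is treated as an interactive shell.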
     