Security Advisor Check Questions

flagkakis

Registered
Oct 5, 2019
1
0
1
Orlando Florida
cPanel Access Level
Root Administrator
Not sure what I am missing here and I have been following the conversation but sure I need some help,
I used the security advisor to check my VPS and I found the following issues,

Apache vhosts are not segmented or chroot()ed.
Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache.
SSH password authentication is enabled.
Disable SSH password authentication in the “SSH Password Authorization Tweak” area
SSH direct root logins are permitted.
Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH in the “Restart SSH” area

1. The Jail Apache option is not available to me (am pretty sure am missing something here),
2. SSH Password authentication -> I keep on changing it to off and later on it comes back on, I have researched the web and pretty much could not find anything,
3. SSH direct root logins, I have been changing that and pass the advisor's checks but then it goes right back to on, not sure why this is happening I can't find any info,

Is there any way I could possibly get some help from you guys? Is there anything else I can check to figure out why the SSH stuff defaults to vulnerable settings rather than staying where I set them?

Thanks much for your time. :)
 
Last edited by a moderator:

httpdocs

Well-Known Member
Mar 9, 2018
57
8
83
United States
cPanel Access Level
Root Administrator
All is right.
Of course, with the current settings, there is no particular security issue for you.
In my opinion, just setting up "Change SSH Port" and "PermitRootLogin " and a secure password of more than 16 characters is enough. :)
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
9,012
762
263
Houston
cPanel Access Level
DataCenter Provider
Hi @flagkakis

Please keep in mind that the security advisor provides suggestions based on best practices for common webhosting environments and they aren't necessarily optimal for all uses.



1. The Jail Apache option is not available to me (am pretty sure am missing something here),
The Jail apache option is only available if the following conditions are met which are detailed in tweak settings:

If mod_ruid2 is compiled in via EasyApache, mod_ruid2 is enabled, and a user has their shell set to jailshell or noshell, enabling this option will chroot() a user's Apache Virtual Host into the cPanel® jailshell environment. Each user will require 14 bind mounts. While modern Linux supports a very large number of bind mounts, many processes read /proc/mounts. Reading /proc/mounts can be quite expensive when it becomes large.

2. SSH Password authentication -> I keep on changing it to off and later on it comes back on, I have researched the web and pretty much could not find anything,
When you disable password authorization at WHM>>Security Center>>SSH Password Authorization Tweak what is displayed on the screen?

3. SSH direct root logins, I have been changing that and pass the advisor's checks but then it goes right back to on, not sure why this is happening I can't find any info,
For direct root logins to be disabled you'd need to make manual edits as described in the Security Advisor:

Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH in the “Restart SSH” area