SSH direct root logins are permitted

keat63

Well-Known Member
Nov 20, 2014
1,407
115
93
cPanel Access Level
Root Administrator
Security Advisor states that SSH logins are permitted for root.
Before I start asking questions about creating new users and adding to the wheel group (whatever this means), could I ask the following?

My dedicated server will be used for work only; I will be the only user logging in.
I've added every subnet except my work, my home and the server provider to cPHulk.
I've enabled logins from verified IPs only.

Do I still need to consider tightening root logins through SSH?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
86
78
cPanel Access Level
DataCenter Provider
You should consider either closing the SSH port itself and whitelisting your IPs, or making use of a wheel group user.

Users in the "wheel" group can use the "su - " command to reach a root prompt. This means you'd ssh as whatever username you added to the wheel group, auth as that user, and then use "su - " to get a root prompt.

There is a thread on sshd hardening stickied in this section of the forums: http://forums.cpanel.net/f185/tutorial-interested-increasing-security-your-server-read-sshd-hardening-403381.html
 

keat63

Before I start reconfiguring and creating wheel users etc.
I have tightened cPHulk and narrowed this down to just 3 IP addresses.
Does this work for WHM and SSH?
 

keat63

Chaps, I'm still desperately seeking advice on this.

I will be the only person logging in to our dedicated server. Well, me and the server providers.
So I've configured cPHulk to accept only a small list of IP addresses. Everything else is blacklisted.
I've also granted a small number of IPs access via Host Access Control to WHM and SSHD.
All other IPs are denied access to WHM and SSHD.

Is this enough to keep the bad guys out?
Is there any point in denying root access and creating a wheel group or changing the SSH port?
To me, it looks impenetrable, but my knowledge of SSH and WHM is no more than a week old.
 

quizknows

If your IP address(es) are literally the only ones that can access the SSH / WHM port, then changing the port doesn't really matter. Disabling direct root login wouldn't matter a whole lot either at that point.
 

quizknows

Access to the SSH port is often allowed so users can use SFTP (which is actually file transfer over SSH, not actual ftp, and is much more secure than "normal" FTP).

Access to WHM is granted in some situations for reseller accounts to manage their own cPanel accounts.
 

keat63

I'm not a reseller.
There will only be our own domains on there.

Using Host manager, I've narrowed down SSH, WHM and FTP to just a handful of IPs.
Could anyone suggest any other protocols to block?
 

cPanelMichael

> Using Host manager, I've narrowed down SSH, WHM and FTP to just a handful of IPs.
> Could anyone suggest any other protocols to block?

You could restrict access to any service that you do not plan on opening up to the public. Note that you may still want to install a third-party firewall such as CSF.

Thank you.
 

keat63

I installed CSF this afternoon, but there's so much config to consider, I now have less of a clue. :-(
I have noticed some default High, Medium and Low configs.
I assume it's safe for me to apply any of these?
 

keat63

I noticed in the CSF monitor the following entry.

(sshd) Failed SSH login from 220.xxx.xxx.xxx (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]

If I have SSHD denied in "Host Access Control", does this mean CSF has blocked it first?
 

keat63

I think I answered my own question.

SSH is locked down in WHM to only 2 x IPs.
I tried to log in to SSH using PuTTY from a 3rd IP (which had WHM access but not SSH).
PuTTY hung, and I was booted out of WHM.
When I checked, CSF had blacklisted my IP.

I whitelisted it, and tried again; this time PuTTY still hung, but I was no longer blacklisted in CSF.
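
The self-lockout described in the post above can be spotted from the CSF alert lines themselves. The following is an added example, not part of the original posts and not code from CSF or cPanel: it parses alert lines in the shape quoted earlier in the thread and flags any block whose source falls inside the administrator's own networks. The sample lines, addresses and the `ADMIN_NETS` list are constructed for illustration.

```python
import ipaddress
import re

# Shape of the alert quoted in the thread:
# (sshd) Failed SSH login from <ip> (<CC>/<country>/<rdns>): <n> in the last <secs> secs - *Blocked in csf* [<trigger>]
ALERT_RE = re.compile(
    r"\((?P<service>[^)]+)\) (?P<reason>.+?) from (?P<ip>\S+) "
    r"\((?P<cc>[^/]*)/(?P<country>[^/]*)/(?P<rdns>[^)]*)\): "
    r"(?P<count>\d+) in the last (?P<window>\d+) secs - "
    r"\*Blocked in csf\* \[(?P<trigger>\w+)\]"
)

def parse_alert(line):
    """Return a dict for one alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None  # masked or malformed address, e.g. 220.xxx.xxx.xxx
    return {"service": m["service"], "ip": ip, "cc": m["cc"],
            "count": int(m["count"]), "window": int(m["window"]),
            "trigger": m["trigger"]}

def find_self_lockouts(lines, admin_nets):
    """Alerts whose source address is inside one of the admin networks."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    hits = []
    for line in lines:
        alert = parse_alert(line)
        if alert and any(alert["ip"] in net for net in nets):
            hits.append(alert)
    return hits

# Constructed sample data (documentation address ranges, not real hosts).
ADMIN_NETS = ["198.51.100.0/28"]  # assumed office/home range
SAMPLE = [
    "(sshd) Failed SSH login from 203.0.113.45 (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]",
    "(sshd) Failed SSH login from 198.51.100.7 (GB/United Kingdom/host.example.net): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]",
    "(sshd) Failed SSH login from 220.xxx.xxx.xxx (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]",
]

if __name__ == "__main__":
    for a in find_self_lockouts(SAMPLE, ADMIN_NETS):
        print(f"admin address {a['ip']} was blocked by {a['trigger']} "
              f"({a['count']} failures in {a['window']}s)")
```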
 

cPanelMichael

I am happy to see you were able to determine the reason that happened. Thank you for updating us with the outcome.