The Community Forums

Interact with an entire community of cPanel & WHM users!

ssh tcp port forwarding may stop working

Discussion in 'General Discussion' started by cmw, Apr 13, 2005.

  1. cmw

    cmw Registered

    Joined:
    Apr 11, 2005
    Just posting here what happened to me, to save others who may run into this problem some time:
    I am a client of a hosting company that uses cPanel. I have been using SSH to tunnel my mysql database connections to port 3306 for a long time. A few days ago I suddenly could not connect anymore through the tunnel. I had noticed some broadcast message like "cPanel update in progress" in an SSH terminal window that happened to be open before that.

    A couple of emails to tech support of that hosting provider later, I decided to look into this, since the person I was dealing with obviously didn't understand anything regarding ssh, port forwarding etc. Having just jailshell, I could not even see the /etc/ssh/ directory to check if sshd_config had been changed, since I suspected the problem had something to do with the cPanel update. I ran an ssh client in debug mode directly on the server to rule out a number of other problems and tested port forwarding: it was "administratively prohibited".

    I finally could convince a senior admin to check whether the cPanel script had inserted a line "AllowTcpForwarding No" into /etc/ssh/sshd_config. He indeed found it, changed it to yes, and now I have a secure connection to my databases again.

    I was wondering why cPanel did that. Since the senior admin gave me bash shell in the end to help them find the problem, I could check out /usr/local/cpanel/ChangeLog and found:
    +++ 11317 1109452067 10.0.0-BETA_132 Linux i686
    SECURITY: turn ssh tcp port forwarding off if it is not specified in sshd_config

    The default sshd_config doesn't even list that option (not even commented). So most probably it is not set on many machines. sshd switches port forwarding on by default (since it is one of their major features). I guess the cPanel folks thought it might be a good idea to force the server admins to switch it on if they want it.

    The problem with this is, that the people using cPanel are in the webhosting business, and not necessarily knowledgeable about configuration issues like this one. I did not find anything about it in the cPanel documentation available on the web.
     
    #1 cmw, Apr 13, 2005
    Last edited: Apr 13, 2005
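An added example (not code from the post above or from cPanel) showing the MySQL-over-SSH tunnel the post describes, and a small classifier for the OpenSSH client messages that tell a server-side "AllowTcpForwarding no" apart from other tunnel failures. The user, host and port are placeholders, and the sample log lines are constructed in the format the OpenSSH client prints for failed forwarded channels; none of it was captured from a real server.

```shell
#!/bin/sh
# Added example (not from the forum post). It shows the MySQL-over-SSH tunnel
# the poster describes and a small classifier for the OpenSSH client messages
# that distinguish a server-side "AllowTcpForwarding no" from other failures.
# Assumptions: user, host and port are placeholders, and the sample log lines
# are constructed in the format the OpenSSH client uses for failed forwarded
# channels; they were not captured from any real server.

# Build the tunnel command: local port $1 is forwarded, via sshd, to
# 127.0.0.1:3306 as seen from the server. -N opens no shell, so a restricted
# login shell such as jailshell does not matter for the tunnel itself; -v
# makes the server's refusal visible on the client side.
tunnel_cmd() {
    lport=${1:-3306}; user=${2:-dbuser}; host=${3:-server.example}
    printf 'ssh -v -N -L %s:127.0.0.1:3306 %s@%s\n' "$lport" "$user" "$host"
}

# Read ssh -v output on stdin and print one diagnosis keyword.
#   "administratively prohibited" is sent by sshd: it refused to open the
#   direct-tcpip channel (AllowTcpForwarding no, or a PermitOpen restriction).
#   "connect failed" means sshd allowed the forward but nothing answered at
#   the target host:port (e.g. mysqld not listening on 127.0.0.1:3306).
#   "Permission denied" is a login failure, before any forwarding happens.
classify_tunnel_failure() {
    log=$(cat)
    case $log in
        *"administratively prohibited"*) echo forwarding-refused-by-sshd ;;
        *"connect failed"*)               echo target-port-unreachable ;;
        *"Permission denied"*)            echo login-failed ;;
        *)                                echo no-failure-seen ;;
    esac
}

# Constructed samples of what the client prints once a MySQL client connects
# to the local end of the tunnel (format as used by the OpenSSH client).
LOG_PROHIBITED='debug1: Connection to port 3306 forwarding to 127.0.0.1 port 3306 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed'
LOG_REFUSED='debug1: Connection to port 3306 forwarding to 127.0.0.1 port 3306 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: connect failed: Connection refused'
LOG_OK='debug1: Connection to port 3306 forwarding to 127.0.0.1 port 3306 requested.
debug1: channel 2: new [direct-tcpip]'

main() {
    tunnel_cmd 3306 cmw server.example
    for sample in "$LOG_PROHIBITED" "$LOG_REFUSED" "$LOG_OK"; do
        printf '%s\n' "$sample" | classify_tunnel_failure
    done
}
main
```

The "administratively prohibited" reason is generated by sshd, not by the client, which is why a client-side debug run on the server itself (as the poster did) is enough to pin the fault on the server configuration rather than on the client, the firewall or mysqld.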
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    The reason this was done was due to a security risk. This was mentioned in the release notes around a month ago and the actual exploit documentation was posted to bugtraq around a week ago.

    I should just clarify, the vulnerability was only apparent if you have the demo account enabled (not a good idea anyway):
    http://www.securityfocus.com/archive/1/394700
     
    #2 chirpy, Apr 13, 2005
    Last edited: Apr 13, 2005
  3. cmw

    cmw Registered

    Joined:
    Apr 11, 2005
    Thank you for the explanation.

    It still looks to me like cPanel didn't handle the issue with the demo account correctly. Why not just configure that demo account so that it doesn't pose a threat to a production server, when it is obviously offered as a marketing tool for hosting companies?

    For the ssh aspect of this, there are all the configuration possibilities you want already built into ssh, from serverwide to fine-grained at user account level. No need to use the sledgehammer and shut down an important security feature serverwide. Even that wasn't done consistently, since if the server admin had specified the AllowTcpForwarding option for some reason before the patch, the cPanel script would not have changed it. And you can still put it in the command that starts sshd as an -o option, overriding whatever is in sshd_config. So, the security risk mentioned by chirpy is not really addressed by just modifying sshd_config to include an "AllowTcpForwarding No" line. If the server admin had specified that option already, no issues regarding the demo account would have been solved.

    The bugtraq article author recommended: "Turn off the demo account feature and delete any demo accounts. As an additional measure, turn off SSH port forwarding or specify explicitly which users are allowed SSH access in the sshd config, do not rely on a restricted shell to prevent users from being able to use other SSH features." - My wording would be: Dear cPanel developers, you misconfigured the demo account by allowing ssh port forwarding (or ssh at all), introducing a security hole to the servers that are managed by your software. You should disable that feature until you come up with a secure implementation of the demo account feature (if you insist on having it on production servers for marketing purposes). You might also want to have your program set up so that ssh access for new user accounts is disabled by default and needs to be activated by the web hosting admin for any client accounts they want to be able to have a command prompt on the server (with a notification that ssh also allows tcp port forwarding, which is not a security risk if the server and user account are set up correctly, which is what you pay cPanel to do).

    When I signed up with the cPanel-managed hosting company mentioned in my previous post, I didn't have ssh access at all. I had to call them to enable it. Good job there.
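An added example, not part of cmw's posts and not cPanel's code, that puts the points made in post #1 and in this post side by side on constructed configs: sshd's default when AllowTcpForwarding is unspecified, what an update that appends the directive only when it is absent does to a config that already sets it, the effect of a -o override on the sshd command line, and the per-account Match alternative. The resolver is a simplified stand-in for sshd's own config parsing (first global occurrence wins, a satisfied Match User block overrides it, -o beats both; whitespace-separated "keyword value" lines only), cpanel_style_disable is one reading of the quoted ChangeLog line rather than cPanel's actual script, and the sample configs are made up for the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from cPanel). It models how sshd
# resolves AllowTcpForwarding so the points raised in the thread can be
# checked side by side on constructed configs:
#   1. when the directive is absent sshd defaults to "yes";
#   2. an update that appends "AllowTcpForwarding no" only when the directive
#      is absent (the ChangeLog behaviour quoted in post #1) leaves a
#      pre-existing "yes" untouched;
#   3. a -o option on the sshd command line overrides the file;
#   4. a Match block turns forwarding off for one account only.
# Assumptions: the resolver below is a simplified stand-in for sshd's parser
# (first global occurrence wins, a satisfied "Match User" block overrides it,
# command-line -o beats both, whitespace-separated "keyword value" syntax,
# no other Match criteria), and cpanel_style_disable is a reading of the
# ChangeLog line, not cPanel's actual script.

# effective_tcp_forwarding USER CONFIG_TEXT [CMDLINE_OVERRIDE]
# Prints "yes" or "no": the AllowTcpForwarding value sshd would apply to USER.
effective_tcp_forwarding() {
    user=$1; config=$2; override=${3:-}
    if [ -n "$override" ]; then
        # sshd -o AllowTcpForwarding=VALUE is processed before the file, and
        # the first value obtained wins, so it overrides sshd_config.
        printf '%s\n' "$override" | tr '[:upper:]' '[:lower:]'
        return
    fi
    printf '%s\n' "$config" | awk -v user="$user" '
    {
        line = $0
        sub(/#.*/, "", line)                 # drop comments
        gsub(/^[ \t]+/, "", line)            # drop leading indentation
        n = split(line, f, /[ \t]+/)
        if (n < 2) next
        key = tolower(f[1])
        if (key == "match") {                # start of a Match block
            in_match = 1; matched = 0
            if (tolower(f[2]) == "user" && n >= 3) {
                m = split(f[3], users, ",")
                for (i = 1; i <= m; i++) if (users[i] == user) matched = 1
            }
            next
        }
        if (key != "allowtcpforwarding") next
        val = tolower(f[2])
        if (!in_match) { if (global == "") global = val }       # first global wins
        else if (matched && match_val == "") match_val = val    # first matching block wins
    }
    END {
        if (match_val != "") print match_val
        else if (global != "") print global
        else print "yes"                                        # sshd default when unspecified
    }'
}

# cpanel_style_disable CONFIG_TEXT
# Appends "AllowTcpForwarding no" only if no such directive exists, which is
# how the thread reads the ChangeLog entry; an existing value is left alone.
cpanel_style_disable() {
    config=$1
    if printf '%s\n' "$config" | grep -iq '^[[:space:]]*AllowTcpForwarding'; then
        printf '%s\n' "$config"
    else
        printf '%s\nAllowTcpForwarding no\n' "$config"
    fi
}

# Constructed sample configs (not taken from any real server).
DEFAULT_CONFIG='Port 22
Subsystem sftp /usr/lib/openssh/sftp-server'

ADMIN_SET_YES='Port 22
AllowTcpForwarding yes'

# The per-account alternative: forwarding stays on server-wide and is switched
# off only for the demo account.
PER_USER_CONFIG='Port 22
AllowTcpForwarding yes
Match User demo
    AllowTcpForwarding no'

main() {
    echo "directive absent            -> $(effective_tcp_forwarding cmw "$DEFAULT_CONFIG")"
    echo "absent, after update        -> $(effective_tcp_forwarding cmw "$(cpanel_style_disable "$DEFAULT_CONFIG")")"
    echo "admin had yes, after update -> $(effective_tcp_forwarding cmw "$(cpanel_style_disable "$ADMIN_SET_YES")")"
    echo "file says no, -o yes        -> $(effective_tcp_forwarding cmw "$(cpanel_style_disable "$DEFAULT_CONFIG")" yes)"
    echo "per-user: cmw=$(effective_tcp_forwarding cmw "$PER_USER_CONFIG") demo=$(effective_tcp_forwarding demo "$PER_USER_CONFIG")"
}
main
```

Match blocks were added in OpenSSH 4.4, after this thread; on the servers of the time the per-account control was the no-port-forwarding option on a key in authorized_keys, or limiting who may log in at all with AllowUsers, which is the bugtraq author's other suggestion.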
     
  4. techworks

    techworks Registered

    Joined:
    May 22, 2005
    Finally Found It!

    Thank you, CMW.

    I have been searching for 2 weeks now and almost gave up looking for a solution to my SSH tunnel problem. This is my first time tunneling and I thought I was doing something wrong all this time, until I got it to work on my old Ensim server yesterday (new hope).

    Thanks again,

    T
     