The Community Forums


Unauthorised shell access

Discussion in 'General Discussion' started by SallyM, Mar 22, 2007.

  1. SallyM

    SallyM Member
    PartnerNOC

    Joined:
    Jul 20, 2005
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Despite not allowing shell access to domains, over the last couple of weeks CSF has reported certain users accessing through shell on at least 3 servers!

    How? What is needed to prevent this from happening? While nothing untoward has happened yet, I am concerned that there may be a potential weak spot that could be breached.

    SallyM
    sally@dragon.com
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    If you are certain that no one but you can SSH to your server, then the best options are to change your password and to change your SSH port to something other than the default 22.
     
  3. xerophyte

    xerophyte Well-Known Member

    Joined:
    Mar 16, 2003
    Messages:
    216
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Like the above post mentioned, it's good to change the sshd server port to a different one, and make sure you have disabled direct root login too.

    If you want to see who can log in using SSH, run this command:
    Code:
     # list accounts whose login shell is not noshell or nologin
     egrep -v '(noshell|nologin)' /etc/passwd
    The above will list the users who can log in using SSH; disable the users who should not have access to SSH.

    hope that helps.


    Note: the above command will include the system users' shell configuration too; please ignore them.

    hope that helps
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Actually, it can happen easily - users can still SSH authenticate into the cPanel noshell but will be denied further access and will be logged out immediately. I'd recommend reminding the clients in question that they don't have SSH access ;)
     
  5. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    You can also stop this in its tracks if you use the /etc/hosts.deny and /etc/hosts.allow file.

    ### NOTE: Leave your current SSH session open while you test this. Open a second
    ### ssh session to test your access before closing ssh... otherwise, you could lock
    ### yourself out of your server.

    # NOTE, if you use this method, you will need to know the origin IP of anyone (including
    # yourself) who you wish to allow to ssh to your server.

    ## STEP 1
    ## Backup current files
    cp /etc/hosts.deny /etc/hosts.deny.original
    cp /etc/hosts.allow /etc/hosts.allow.original

    ## STEP 2
    ## Edit the hosts.allow file to allow access via individual IPs

    # Open the /etc/hosts.allow file
    vi /etc/hosts.allow

    ### Type in an IP or IPs so YOU have access...
    ### Of course, replace X.X.X.X with the actual IP number

    sshd: X.X.X.X ## Your first IP
    sshd: X.X.X.X ## Your other IP, etc.
    sshd: X.X.X.X ## Customer 1
    sshd: X.X.X.X ## Customer 2, etc.

    ### Make sure your IPs are correctly entered into the file and then save hosts.allow file.

    ## STEP 3
    ## Edit the hosts.deny file to block access to SSH via all IPs by default.

    # Open the hosts.deny file
    vi /etc/hosts.deny

    # Insert the following
    sshd: ALL

    # Save /etc/hosts.deny file

    ### TEST IT BEFORE YOU CLOSE SSH !!
    Keep the current ssh session open and open a new SSH session. If you do not get
    the password prompt for the session, then something is wrong. Check your IP
    and make sure you added it to /etc/hosts.allow

    If you ever want to disable this, simply remove the hosts.deny file or rename it to something
    else.

    ### MY FAIL SAFE
    ### I use a fail safe by leaving one of my non-production servers open to all IP access.
    ### In other words, I do not protect ssh access on that server with hosts.deny.
    ### I then add the IP of that server to the hosts.allow file of all of my other servers
    ### in case I am ever away from my office or home and need to have access to
    ### the servers I protect with hosts.allow. In this case, I simply log in to the open
    ### server and ssh to the hosts.allow protected server.
     
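The hosts.allow/hosts.deny procedure above, as an added example that is not part of bmcpanel's post: a small shell model of the hosts_access(5) decision order (allow file first, then deny file, otherwise allow) so you can check which client IPs would still reach sshd before closing your working session. It assumes only the pattern forms the post uses (exact IPs, a trailing-dot prefix, ALL), uses RFC 5737 documentation addresses, and keeps comments on their own lines, since hosts_access(5) only documents whole-line comments.

```shell
#!/bin/sh
# Added example, not from the post: model the hosts_access(5) decision (allow
# file first, then deny file, else allow) to test entries BEFORE closing SSH.
# Assumptions: only exact IPs, trailing-dot prefixes (198.51.100.) and ALL are
# modelled; EXCEPT lists and hostname patterns are not. As in hosts_access(5),
# only lines that begin with '#' are comments, so keep comments on their own line.
# match_list DAEMON CLIENT_IP FILE -> returns 0 if any line in FILE matches
match_list() {
    daemon=$1; ip=$2; file=$3; line=
    [ -f "$file" ] || return 1          # a missing file never matches
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; *:*) ;; *) continue ;; esac
        dlist=${line%%:*}; clist=${line#*:}
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            [ "$d" = "$daemon" ] || [ "$d" = ALL ] || continue
            for pat in $(printf '%s' "$clist" | tr ',' ' '); do
                case $pat in
                    ALL) return 0 ;;
                    *.)  case $ip in "$pat"*) return 0 ;; esac ;;   # prefix
                    *)   [ "$pat" = "$ip" ] && return 0 ;;          # exact IP
                esac
            done
        done
    done < "$file"
    return 1
}

# wrappers_decision DAEMON CLIENT_IP HOSTS_ALLOW HOSTS_DENY -> prints allow|deny
wrappers_decision() {
    if match_list "$1" "$2" "$3"; then echo allow
    elif match_list "$1" "$2" "$4"; then echo deny
    else echo allow
    fi
}
# Constructed sample files (RFC 5737 documentation addresses, not real hosts).
ALLOW=$(mktemp); DENY=$(mktemp)
cat > "$ALLOW" <<'EOF'
# my office and home
sshd: 203.0.113.10, 203.0.113.11
# customer 1 (trailing dot = whole 198.51.100.0/24)
sshd: 198.51.100.
EOF
printf 'sshd: ALL\n' > "$DENY"

wrappers_decision sshd 203.0.113.10 "$ALLOW" "$DENY"   # allow
wrappers_decision sshd 192.0.2.77   "$ALLOW" "$DENY"   # deny
```

Removing or renaming hosts.deny, as the post suggests for disabling the setup, makes every decision come back "allow" in this model too.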
  6. mickalo

    mickalo Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    765
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    N.W. Iowa
    Wouldn't a firewall like CSF or APF basically do the same thing?

    Mickalo
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Blocking in the firewall would have the same effect, yes. There are advantages both ways. In the firewall you avoid any potential bugs in TCP Wrappers/SSH as the connection is dropped before it gets anywhere near the OS apps. In TCP Wrappers you're targeting the specific connection rather than adding an additional resource into iptables.
     