Unauthorised SSH Login on Demo Account?

Discussion in 'Security' started by Harlequin, Apr 22, 2017.

  1. Harlequin

    Harlequin Active Member

    Joined:
    Sep 4, 2011
    Messages:
    39
    Likes Received:
    1
    Trophy Points:
    58
    Location:
    Santa Cruz de Tenerife, Spain
    cPanel Access Level:
    Reseller Owner
    Twitter:
    A quick question with what I hope will be a quick answer.

    I've set up a cPanel account and set it as a demo account.

    When I look at "Manage Shell Access" for this account I see this:
    prntscr.com/ezn5xm

    However, I've received mails notifying me of an SSH login:
    "SSH login alert for user cPanelAccountNameHere from IP.Address.Here"

    And the following message:

    Time: Sat Apr 22 18:16:01 2017 +0100
    IP: 62.183.127.86 (RU/Russian Federation/-)
    Account: cPanelAccountNameHere
    Method: password authentication

    Is this correct...? Even though SSH is disabled someone logged in or am I reading this wrong...?
     
    #1 Harlequin, Apr 22, 2017
    Last edited by a moderator: Apr 23, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  3. Harlequin

    Harlequin Active Member

    It's identical to the notifications I receive when I log in over SSH so yes, it's a login alright. Not a happy bunny guys. I had to shut the website down and now I have no idea if that login then uploaded anything without my knowledge.

    I hope it's a false positive report but think it's unlikely.
     
  4. Harlequin

    Harlequin Active Member

    This gets interesting...

    I checked the log file as you suggested and saw this entry for the IP address:
    serv sshd[18020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=37.78.111.37 user=cPanelAccountNameHere

    So either LFD is reporting a login falsely and cPanel is correct or cPanel is reporting a failure and LFD is correct if my maths is right.

    What do you think...?
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,618
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Changing your SSH port / Listening IP address might be helpful.
     
  6. Harlequin

    Harlequin Active Member

    Change the port...? I have 2 available ports in the privileged list and there's a plethora of posts out there on why I shouldn't do that too.

    But before I get into that, could you answer my question please? I'm trying to be as specific as I can and I'm a bit concerned that you just ignored my response and suggested I change the port number.

    I may be being a bit thick here but it seems to me that one of the reports is false, but which one...?
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    That shows a login failure. CSF/LFD will report login attempts, but that doesn't mean the login was successful. As far as any cPanel notifications, could you post them to this thread as well? I'm only seeing the notification from CSF/LFD.

    Thank you.
     
  8. Harlequin

    Harlequin Active Member

    I know that shows a login failure but LFD shows a login success:
    "SSH login alert for user..."

    So which is right is my question. You can understand my concern, no...?
     
  9. Harlequin

    Harlequin Active Member

    Here's the entry from the "secure" log:

    Apr 23 08:17:09 serv unix_chkpwd[18023]: password check failed for user (xxxcPanelUsernamexxx)
    Apr 23 08:17:09 serv sshd[18020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=37.78.111.37 user=xxxcPanelUsernamexxx
    Apr 23 08:17:10 serv sshd[18020]: Failed password for xxxcPanelUsernamexxxfrom 37.78.111.37 port 50213 ssh2
    Apr 23 08:17:16 serv sshd[18021]: Received disconnect from 37.78.111.37: 13: User request
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Changing the SSH port number and the IP address from the one your demo is on is a valid idea. This is explained in the link Michael posted above:
    [Tutorial] Interested in increasing the security of your server? Read this. (sshd hardening)

    The secure log entry stating the login failed is the one to go with. You can set CSF to auto block after 3 failed SSH login attempts.

    In your demo account, have you restricted any features or just enabled a demo account? Is the SSH icon visible? Could it be that someone was properly logged in and was clicking around as an authenticated user? I'm just guessing here as I've never played around with a demo account. That is, other than the official cPanel demo site.

    IMHO, you might be more comfortable linking to that official cPanel demo instead of offering your own.
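
Added example, not part of the original thread or of cPanel/CSF: a small check that settles an SSH alert from the secure log itself, since sshd writes an "Accepted ..." line for a successful login and a "Failed ..." line for a rejected one. The function names, usernames and documentation-range IP addresses below are constructed for illustration.

```python
import re
from collections import defaultdict

# sshd authentication results as written to /var/log/secure.
SSHD = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def ssh_outcomes(lines):
    """Return {(ip, user): {"Accepted": n, "Failed": n}} from sshd log lines."""
    seen = defaultdict(lambda: {"Accepted": 0, "Failed": 0})
    for line in lines:
        m = SSHD.search(line)
        if m:
            seen[(m["ip"], m["user"])][m["result"]] += 1
    return dict(seen)

def verdict(lines, ip, user):
    """What the log shows for one alert: 'accepted', 'failed-only' or 'no-record'."""
    counts = ssh_outcomes(lines).get((ip, user))
    if counts is None:
        return "no-record"
    return "accepted" if counts["Accepted"] else "failed-only"

# Constructed sample modelled on the log format quoted in the thread;
# hypothetical users, RFC 5737 documentation addresses.
SAMPLE = """\
Apr 23 08:17:09 serv unix_chkpwd[18023]: password check failed for user (demouser)
Apr 23 08:17:09 serv sshd[18020]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=demouser
Apr 23 08:17:10 serv sshd[18020]: Failed password for demouser from 198.51.100.7 port 50213 ssh2
Apr 23 08:17:16 serv sshd[18021]: Received disconnect from 198.51.100.7: 13: User request
Apr 23 09:02:41 serv sshd[19100]: Accepted password for adminuser from 203.0.113.9 port 40122 ssh2
Apr 23 09:05:00 serv sshd[19222]: Failed password for invalid user oracle from 198.51.100.7 port 50300 ssh2
""".splitlines()

if __name__ == "__main__":
    for (ip, user), c in sorted(ssh_outcomes(SAMPLE).items()):
        print(f"{ip:15} {user:10} accepted={c['Accepted']} failed={c['Failed']}")
```

To use it on a server, pass the lines of the secure log (and any rotated copies covering the alert time) instead of SAMPLE, with the IP and account named in the alert.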
     
  11. Harlequin

    Harlequin Active Member

    Using the official demo sounds like a plan as clearly this isn't going to get resolved.

    Could you provide that link please...?
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    On top right of any page on these forums or cPanel.com, the link is titled Preview.
     