
problems: authentication keys, rkhunter, dovecot-wrap, jailexec, jailshell

Comments

4 comments

  • corporathostin
    Meaning and reason these major files have red and yellow highlighted names? Figured I would try here.... I have a post concerning keys, but this portion of that post will assist me greatly. I have been online since 1992 and admin servers beginning 1998 -- old blue racks lol... For some reason unknown to me -- though I have "shelled" for 15 years -- files in /etc/sbin and other directories are highlighted. 7 hours of search produces no explanation; I simply do not recall even thinking about this. Root to shell, cd to directory, say /etc/sbin, ls -la, and the file names are "illuminated green" except for these: two are yellow highlight marker looking, the rest red highlight looking:

    crontab* gpasswd* sudo* sudoedit* quota* passwd* xorg* exim sendmail suexec sendmail crontab

    These files vary from red to yellow highlight with white letters -- like going over with a highlighter. Someone put me out of my misery and enlighten me! Thanks in advance, rock goldsmithworks
  • quizknows
    File highlighting by ls is usually based on your .bashrc or .bash_profile files for the user. That, or whatever ls is aliased as in your environment. If you type just ls at a prompt, then hit ctrl+alt+e, it will expand and show you what ls is aliased to. Usually --color=auto at the least. This trick works to expand any aliased commands you've typed in. I.e. ls in my case becomes:

    /bin/ls --color=tty -F -a -b -T 0

    /usr/local/cpanel/bin/adduser is a symbolic link on my system to /scripts/adduser. Symlinks are often red, blue, or green. Red symlinks may mean a target file is missing.

    [root@new ~]# ls -lha /usr/local/cpanel/bin/adduser
    lrwxrwxrwx 1 root root 16 Dec 30 2011 /usr/local/cpanel/bin/adduser -> /scripts/adduser*

    In my case, the link is blue and the target file (/scripts/adduser) green. This means the target is there. If /scripts/adduser is gone, or you're missing your symlink from scripts -> /usr/local/cpanel/scripts/, then this may explain a red symlink.

    -- Regarding SSH keys with the "PermitRootLogin" setting: First off, any value in the sshd_config file that's commented out is just showing you the default option for that setting if it were not set. So, PermitRootLogin defaults to yes, which explains why it allows root login if you set "no" but comment it out. So that being said, PermitRootLogin needs to be on in some fashion to allow root login, be it via password or key. However, there's an option called "PermitRootLogin without-password" which will let your private/public key pair work but not keyboard-interactive logins.

    -- Verifying a file flagged by rkhunter is pretty easy. Just use rpm -qf on the file to see what RPM owns it, then rpmverify -v $packagename to see if any md5s changed on the binaries. Sometimes rkhunter just needs the property update run after RPM updates. You can also use "rpm -q --changelog $packagename | head" to see the most recent patches/backports to a binary on a CentOS system.
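The rpm -qf / rpmverify check quizknows describes, written up as an added Python example (not code from the thread or from cPanel): it parses the rpm -V output for the owning package and says whether a file rkhunter flagged actually has different contents, or only a timestamp change, or nothing at all (in which case rkhunter's own property database is the likely culprit). SAMPLE_RPM_V is constructed sample output, and triage_on_host assumes an RPM-based host with rpm on the PATH.

```python
import re
import subprocess
from typing import List, NamedTuple
# Constructed sample of `rpm -V <package>` output (not from the thread): SM5DLUGTP
# test flags ('.' = passed) or "missing", optional attribute ('c' = config), path.
SAMPLE_RPM_V = """\
S.5....T.    /usr/sbin/suexec
.......T.    /usr/sbin/sendmail
S.5....T.  c /etc/sudoers
missing     /usr/sbin/sudoedit
"""
_LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+"
                      r"(?:(?P<attr>[cdglr])\s+)?(?P<path>\S+)$")

class Finding(NamedTuple):
    path: str
    flags: str  # e.g. "S.5....T." or "missing"
    attr: str   # "c" for config files, "" otherwise
def parse_rpm_verify(output: str) -> List[Finding]:
    """Parse what rpm -V / rpmverify print; files that verify cleanly print nothing."""
    findings = []
    for line in output.splitlines():
        m = _LINE_RE.match(line.rstrip())
        if m:
            findings.append(Finding(m["path"], m["flags"], m["attr"] or ""))
    return findings

def triage(flagged_path: str, verify_output: str) -> str:
    """Classify one rkhunter-flagged file using the verify output of its owning package.
    content-modified: missing, or size (S) / digest (5) differ: looks like a replaced binary
    config-modified:  config file ('c') edited locally, normally expected
    metadata-only:    only mtime/mode/owner differ; contents still match the RPM
    clean:            rpm reports nothing; rkhunter's property database is likely stale
    """
    for f in parse_rpm_verify(verify_output):
        if f.path != flagged_path:
            continue
        if f.attr == "c":
            return "config-modified"
        if f.flags == "missing" or "5" in f.flags or "S" in f.flags:
            return "content-modified"
        return "metadata-only"
    return "clean"

def triage_on_host(flagged_path: str) -> str:
    """The two commands from the post on a real RPM system: rpm -qf, then rpm -V."""
    package = subprocess.run(["rpm", "-qf", flagged_path], check=True,
                             capture_output=True, text=True).stdout.strip()
    verify = subprocess.run(["rpm", "-V", package], capture_output=True, text=True)
    return triage(flagged_path, verify.stdout)  # rpm -V exits non-zero when anything differs
```

A "content-modified" result on a binary is the case worth treating as a possible compromise; "metadata-only" and "clean" usually mean a package update, after which rkhunter's property database needs refreshing as the post says.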
  • cPanelMichael
    Quoting corporathostin (post 1533591): "dovecot-wrap* jailexec* jailshell with vi/pico should all three be text script files? [sounds crazy but i am that confused, vi and one look like half binary with text]"
    No, these files are not intended for reading or editing through a text editor. Thank you.
  • rockscarfone
    fantastic.. perfect. appreciate the detailed answer. plus the education.... rock

    - - - Updated - - -

    thanks, i believed that was the case... appreciate the time you took to post rock
